Creating a security vulnerability report based on found date

Hi all,

I’m on 9.2.4.

I’ve been tasked with pulling all the security vulnerabilities, with their creation date and severity, and creating a report.

The best I can do so far was:
/api/issues/search?status=OPEN&additionalFields=_all&Types=VULNERABILITY&ps=500&severities=BLOCKER,CRITICAL,MAJOR

Apparently all additional fields do not include creation date, who worked on it last, if any, nor the severity or any other metrics that would show what we should prioritize and what has fallen behind.

Any advice would be GREATLY appreciated!

Hey there.

GET api/issues/search (using the exact query parameters you specified) returns creationDate, author, assignee, severity:

// https://next.sonarqube.com/sonarqube/api/issues/search?status=OPEN&additionalFields=_all&Types=VULNERABILITY&ps=500&severities=BLOCKER,CRITICAL,MAJOR
{
   "total":18156,
   "p":1,
   "ps":500,
   "paging":{
      "pageIndex":1,
      "pageSize":500,
      "total":18156
   },
   "effortTotal":104212,
   "issues":[
      {
         "key":"AX-KL1oqEj49fBuLi7u0",
         "rule":"typescript:S4204",
         "severity":"MAJOR",
         "component":"sonarqube:server/sonar-web/src/main/js/helpers/users.ts",
         "project":"sonarqube",
         "line":32,
         "hash":"08051625ce5853ff16f5f2cf2ae24fad",
         "textRange":{
            "startLine":32,
            "endLine":32,
            "startOffset":32,
            "endOffset":35
         },
         "flows":[
            
         ],
         "resolution":"WONTFIX",
         "status":"RESOLVED",
         "message":"Unexpected any. Specify a different type.",
         "effort":"5min",
         "debt":"5min",
         "author":"philippe.perrin@sonarsource.com",
         "tags":[
            "pitfall"
         ],
         "transitions":[
            
         ],
         "actions":[
            
         ],
         "comments":[
            
         ],
         "creationDate":"2022-03-14T20:03:08+0000",
         "updateDate":"2022-03-14T20:52:07+0000",
         "type":"CODE_SMELL",
         "scope":"MAIN",
         "quickFixAvailable":true
      },
....

However, keep in mind status isn’t a valid query parameter. statuses should be used instead.

1 Like
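An added example, not code from this thread or from SonarSource: a Python sketch that pages through api/issues/search with `statuses` and lowercase `types`, then builds report rows ordered by severity and age. It re-checks type and status client-side, since the sample response above contains a RESOLVED CODE_SMELL. The helper names, the token-as-basic-auth-username scheme, and the sample pages are assumptions made for illustration.

```python
import base64, json, urllib.parse, urllib.request
from datetime import datetime

SEVERITIES = ["BLOCKER", "CRITICAL", "MAJOR"]  # report order, most urgent first

def build_query(page, page_size=500):
    # Parameter names must match the API exactly: "statuses" and lowercase "types".
    return urllib.parse.urlencode({"statuses": "OPEN", "types": "VULNERABILITY",
        "severities": ",".join(SEVERITIES), "ps": page_size, "p": page})

def fetch_page(base_url, token, page):
    # Assumption: a user token sent as the basic-auth username with an empty password.
    auth = base64.b64encode(f"{token}:".encode()).decode()
    req = urllib.request.Request(f"{base_url}/api/issues/search?{build_query(page)}",
                                 headers={"Authorization": f"Basic {auth}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def collect_issues(fetch):
    # Walk the pages until paging.total is covered (or a page comes back empty).
    issues, page = [], 1
    while True:
        body = fetch(page)
        issues += body["issues"]
        if not body["issues"] or page * body["paging"]["pageSize"] >= body["paging"]["total"]:
            return issues
        page += 1

def report_rows(issues, now):
    # Re-check type and status client-side so an ignored filter cannot pollute the report.
    rank = {s: n for n, s in enumerate(SEVERITIES)}
    rows = []
    for i in issues:
        if i["type"] != "VULNERABILITY" or i["status"] != "OPEN":
            continue
        created = datetime.strptime(i["creationDate"], "%Y-%m-%dT%H:%M:%S%z")
        rows.append({"key": i["key"], "severity": i["severity"], "created": i["creationDate"],
                     "age_days": (now - created).days, "author": i.get("author", ""),
                     "assignee": i.get("assignee", ""), "component": i["component"]})
    return sorted(rows, key=lambda r: (rank.get(r["severity"], len(rank)), -r["age_days"]))

def _issue(key, sev, typ, created):  # constructed sample data, not real findings
    return {"key": key, "severity": sev, "type": typ, "status": "OPEN",
            "creationDate": created, "component": "demo:src/app.ts", "author": "dev@example.com"}
SAMPLE_PAGES = {  # two pages of size 2; K2 is a code smell that must be filtered out
    1: {"paging": {"pageSize": 2, "total": 3}, "issues": [
        _issue("K1", "MAJOR", "VULNERABILITY", "2022-03-14T20:03:08+0000"),
        _issue("K2", "MAJOR", "CODE_SMELL", "2022-01-01T00:00:00+0000")]},
    2: {"paging": {"pageSize": 2, "total": 3}, "issues": [
        _issue("K3", "CRITICAL", "VULNERABILITY", "2022-03-30T00:00:00+0000")]}}
```

Against a live server, pass `lambda p: fetch_page(base_url, token, p)` to `collect_issues` and write the rows out with `csv.DictWriter`. The endpoint serves only the first 10,000 results of a query, so on an instance with totals like the 18156 shown above, narrow the query (for example one severity at a time).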

You’re AWESOME! Thanks!

1 Like