Vulnerabilities and VEX

After an SBOM is processed, the platform attaches known vulnerabilities to its components. You can list them through the API and record a VEX assessment for each one.

You need the environment ID (projectId) and version ID (sbomId). Get them from List Products and Versions.

List vulnerabilities

curl https://api.interlynk.io/lynkapi \
  -H "Authorization: Bearer $INTERLYNK_SECURITY_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "query": "query Vulns($projectId: Uuid!, $sbomId: Uuid!, $first: Int, $after: String) { sbom(projectId: $projectId, sbomId: $sbomId) { vulns(sbomId: $sbomId, first: $first, after: $after) { totalCount pageInfo { hasNextPage endCursor } nodes { id vuln { vulnId source sev cvssScore } component { name version } vexStatus { id name } } } } }",
    "variables": {
      "projectId": "1fade833-0603-4139-8ca0-26592264a4c9",
      "sbomId": "4e423fe0-d089-4025-b1e4-8fe9608138d6",
      "first": 25
    }
  }'

{
  "data": {
    "sbom": {
      "vulns": {
        "totalCount": 14,
        "pageInfo": { "hasNextPage": false, "endCursor": "MjU" },
        "nodes": [
          {
            "id": "5c11d0e2-0d27-484d-b04f-8df991082652",
            "vuln": {
              "vulnId": "GHSA-72hv-8253-57qq",
              "source": "GITHUB",
              "sev": "medium",
              "cvssScore": 6.9
            },
            "component": { "name": "jackson-core", "version": "2.15.2" },
            "vexStatus": null
          }
        ]
      }
    }
  }
}

The id on each node is the component vulnerability ID. It identifies one vulnerability on one component. You need it to set VEX.

vulns is paginated. When pageInfo.hasNextPage is true, request the next page with after set to endCursor. See Conventions.

Get the VEX status options

VEX statuses are referenced by ID. Fetch the list of valid statuses first:

curl https://api.interlynk.io/lynkapi \
  -H "Authorization: Bearer $INTERLYNK_SECURITY_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"query": "query { vexStatuses { id name } }"}'

{
  "data": {
    "vexStatuses": [
      { "id": "28c61387-c85f-4f9b-b434-4b2d887b8915", "name": "In Triage" },
      { "id": "10cf7c16-b8fb-4731-8622-d874cd2680bc", "name": "Not Affected" },
      { "id": "303b6a94-995f-484d-8ae7-3df89dd4352b", "name": "Affected" },
      { "id": "7fbb2b21-c031-4578-b6e7-9bb78612b6f6", "name": "Fixed" }
    ]
  }
}

Fetch these IDs from your own organization. They are stable within an organization, so you can look them up once and reuse them.

Two more lookup queries return the other VEX option lists:

vexJustifications { id name } for justification IDs.
cdxResponses { id name } for response IDs.

Set a VEX status

componentVexUpdate records a VEX assessment on one component vulnerability. Pass the component vulnerability id as componentVulnId, the version as currentSbomId, and the status ID.

curl https://api.interlynk.io/lynkapi \
  -H "Authorization: Bearer $INTERLYNK_SECURITY_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "query": "mutation SetVex($componentVulnId: Uuid!, $currentSbomId: Uuid!, $vexStatusId: Uuid, $note: String) { componentVexUpdate(input: { componentVulnId: $componentVulnId, currentSbomId: $currentSbomId, vexStatusId: $vexStatusId, note: $note }) { componentVuln { id vexStatus { name } note } errors } }",
    "variables": {
      "componentVulnId": "5c11d0e2-0d27-484d-b04f-8df991082652",
      "currentSbomId": "4e423fe0-d089-4025-b1e4-8fe9608138d6",
      "vexStatusId": "10cf7c16-b8fb-4731-8622-d874cd2680bc",
      "note": "Vulnerable code path is not reachable in our usage."
    }
  }'

{
  "data": {
    "componentVexUpdate": {
      "componentVuln": {
        "id": "5c11d0e2-0d27-484d-b04f-8df991082652",
        "vexStatus": { "name": "Not Affected" },
        "note": "Vulnerable code path is not reachable in our usage."
      },
      "errors": []
    }
  }
}

componentVexUpdate inputs

Input

Type

Description

componentVulnId

Uuid

The component vulnerability ID. Required.

currentSbomId

Uuid

The version the vulnerability belongs to. Required.

vexStatusId

Uuid

A status ID from vexStatuses.

vexJustificationId

Uuid

A justification ID from vexJustifications.

cdxResponseId

Uuid

A response ID from cdxResponses.

note

String

Free-text note.

impact

String

Impact statement.

detail

String

Detail statement.

action

String

Action statement.

fixedIn

String

Version the issue is fixed in.

propagateVex

Boolean

Apply the same VEX to matching components in other SBOMs.

To update many vulnerabilities at once, use componentVexBulkUpdate, which takes a list of componentVulnIds and the same VEX fields.

Errors

Failures return in the errors list:

{
  "data": {
    "componentVexUpdate": {
      "componentVuln": null,
      "errors": ["Component vuln not found"]
    }
  }
}

See Errors.

PreviousEdit a Component NextConventions

Last updated 21 days ago