Vulnerability Exposure per Enforcement Mode
Before release 24.4, the vulnerability APIs calculated vulnerability exposure only for full enforcement mode.
Two new common schemas, together with changes to several existing ones, now carry a separately calculated vulnerability exposure value for each enforcement mode.
The UI is updated so that users can see the exposure scores for the different enforcement modes without changing the workload's enforcement mode.
The two new schemas are referenced from the other schemas.
common vulnerability_summary_exposure
{
  "$schema": "http://json-schema.org/draft-04/schema#",
  "type": "object",
  "description": "Vulnerability exposure details",
  "properties": {
    "vulnerable_port_exposure": {
      "description": "The aggregated vulnerability port exposure score of the workload in the specified mode across all the vulnerable ports",
      "type": ["integer", "null"]
    },
    "vulnerability_exposure_score": {
      "description": "The aggregated vulnerability exposure score of the workload in the specified mode across all vulnerable ports",
      "type": ["integer", "null"]
    }
  }
}
common workloads_detected_vulnerabilities_exposure
{
  "$schema": "http://json-schema.org/draft-04/schema#",
  "type": "object",
  "description": "Vulnerability exposure details for workloads",
  "properties": {
    "vulnerable_port_exposure": {
      "description": "The exposure of the port based on the current policy for the specified enforcement mode",
      "type": ["integer", "null"]
    },
    "port_vulnerability_exposure_score": {
      "description": "The vulnerability exposure score calculated for the port, based on the port exposure and vulnerability for the specified enforcement mode",
      "type": ["integer", "null"]
    }
  }
}
APIs Affected
The following table lists the affected vulnerability APIs:
Method | URL | Description |
---|---|---|
GET | /orgs/:xorg_id/workloads/<:id>/detected_vulnerabilities | Four new columns are added to the workload vulnerabilities tables in the UI to support comparing exposure and VE scores across enforcement modes. |
GET | /orgs/:xorg_id/workloads?representation=workload_labels_vulnerabilities | Four new columns are added to the workload list tables in the UI to support comparing exposure and VE scores across enforcement modes. |
GET | /orgs/:xorg_id/workloads/:workload_id?representation=workload_labels_vulnerabilities | |
GET | /orgs/:xorg_id/aggregated_detected_vulnerabilities | The vulnerability scores and summary scores are now stored in additional tables, and the scores from those tables are added to the response. |
GET | /orgs/:xorg_id/app_groups | |
GET | /orgs/:xorg_id/workloads/detailed_vulnerabilities | The vulnerability data in the response is no longer computed at request time; it is read from the database tables populated by the corresponding stats processor. |
Vulnerability Exposure per Enforcement Mode Reference
This topic contains examples and the schema changes for the vulnerability APIs that report exposure per enforcement mode.
API Changes for Vulnerability APIs
Changes in the existing schemas are shown below.
common aggregated_detected_vulnerability
{
  "properties": {
    "aggregated_detected_vulnerabilities": {
      "items": {
        "properties": {
          "full_enforcement_vulnerability_exposure__added": {
            "$ref": "workloads_detected_vulnerabilities_exposure.schema.json",
            "description": "vulnerability exposure details for full enforcement mode"
          },
          "selective_enforcement_vulnerability_exposure__added": {
            "$ref": "workloads_detected_vulnerabilities_exposure.schema.json",
            "description": "vulnerability exposure details for selective enforcement mode"
          },
          "visibility_enforcement_vulnerability_exposure__added": {
            "$ref": "workloads_detected_vulnerabilities_exposure.schema.json",
            "description": "vulnerability exposure details for visibility-only enforcement mode"
          },
          "current_enforcement_vulnerability_exposure__added": {
            "$ref": "workloads_detected_vulnerabilities_exposure.schema.json",
            "description": "vulnerability exposure details for the current enforcement mode"
          }
        }
      }
    }
  }
}
common vulnerability_summary
{
  "properties": {
    "full_enforcement_vulnerability_exposure__added": {
      "$ref": "vulnerability_summary_exposure.schema.json",
      "description": "vulnerability exposure details for full enforcement mode"
    },
    "selective_enforcement_vulnerability_exposure__added": {
      "$ref": "vulnerability_summary_exposure.schema.json",
      "description": "vulnerability exposure details for selective enforcement mode"
    },
    "visibility_enforcement_vulnerability_exposure__added": {
      "$ref": "vulnerability_summary_exposure.schema.json",
      "description": "vulnerability exposure details for visibility-only enforcement mode"
    },
    "current_enforcement_vulnerability_exposure__added": {
      "$ref": "vulnerability_summary_exposure.schema.json",
      "description": "vulnerability exposure details for the current enforcement mode"
    },
    "max_vulnerability_exposure_score__added": {
      "description": "The maximum vulnerability exposure score of the workload in its current enforcement state across all vulnerable ports",
      "type": ["integer", "null"]
    },
    "last_updated_at__added": {
      "description": "Indicates when the vulnerability data was last updated",
      "type": "string",
      "format": "date-time"
    },
    "vulnerable_port_exposure": {
      "description": {
        "__old": "The aggregated vulnerability port exposure score of the workload across all the vulnerable ports",
        "__new": "The aggregated vulnerability port exposure score of the workload in full enforcement mode across all the vulnerable ports"
      }
    },
    "vulnerability_exposure_score": {
      "description": {
        "__old": "The aggregated vulnerability exposure score of the workload across all the vulnerable ports.",
        "__new": "The aggregated vulnerability exposure score of the workload in full enforcement mode across all the vulnerable ports."
      }
    }
  }
}
common workload_detected_vulnerabilities
{
  "properties": {
    "last_updated_at__added": {
      "description": "Indicates when the vulnerability data was last updated",
      "type": "string",
      "format": "date-time"
    },
    "workload_detected_vulnerabilities": {
      "items": {
        "properties": {
          "full_enforcement_vulnerability_exposure__added": {
            "$ref": "workloads_detected_vulnerabilities_exposure.schema.json",
            "description": "vulnerability exposure details for full enforcement mode"
          },
          "selective_enforcement_vulnerability_exposure__added": {
            "$ref": "workloads_detected_vulnerabilities_exposure.schema.json",
            "description": "vulnerability exposure details for selective enforcement mode"
          },
          "visibility_enforcement_vulnerability_exposure__added": {
            "$ref": "workloads_detected_vulnerabilities_exposure.schema.json",
            "description": "vulnerability exposure details for visibility-only enforcement mode"
          },
          "current_enforcement_vulnerability_exposure__added": {
            "$ref": "workloads_detected_vulnerabilities_exposure.schema.json",
            "description": "vulnerability exposure details for the current enforcement mode"
          }
        }
      }
    }
  }
}
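The following is an added example, not Illumio's own code, showing how a client would consume the fields that the two new common schemas and the changed workload_detected_vulnerabilities schema above introduce. It reads a constructed workload_detected_vulnerabilities response, enforces the schema's integer-or-null types on each per-mode exposure object, computes the VE score change a workload would see when moving between enforcement modes, and rolls the rows up per mode. The four exposure object names, their two member fields and last_updated_at come from the page; the row keys port and proto, the sample values and every function name are assumptions made for the example.

```python
# Added example, not Illumio's code. Reads the per-enforcement-mode exposure
# objects from a workload_detected_vulnerabilities response and compares them
# client-side. ASSUMED (not on the page): row keys "port" and "proto", the
# sample values, and all function names. Exposure object and field names are
# the page's.
from datetime import datetime
from typing import Any, Dict, List, Optional

EXPOSURE_MODES = {
    "full": "full_enforcement_vulnerability_exposure",
    "selective": "selective_enforcement_vulnerability_exposure",
    "visibility": "visibility_enforcement_vulnerability_exposure",
    "current": "current_enforcement_vulnerability_exposure",
}
EXPOSURE_FIELDS = ("vulnerable_port_exposure", "port_vulnerability_exposure_score")


def _exp(port_exposure: Optional[int], score: Optional[int]) -> Dict[str, Optional[int]]:
    """Build one workloads_detected_vulnerabilities_exposure object."""
    return {"vulnerable_port_exposure": port_exposure, "port_vulnerability_exposure_score": score}


# Constructed sample response (values made up); null means "not computed".
SAMPLE_RESPONSE: Dict[str, Any] = {
    "last_updated_at": "2024-05-01T12:00:00Z",
    "workload_detected_vulnerabilities": [
        {"port": 22, "proto": 6,
         "full_enforcement_vulnerability_exposure": _exp(0, 0),
         "selective_enforcement_vulnerability_exposure": _exp(2, 14),
         "visibility_enforcement_vulnerability_exposure": _exp(9, 63),
         "current_enforcement_vulnerability_exposure": _exp(9, 63)},
        {"port": 3306, "proto": 6,
         "full_enforcement_vulnerability_exposure": _exp(1, 8),
         "selective_enforcement_vulnerability_exposure": _exp(None, None),
         "visibility_enforcement_vulnerability_exposure": _exp(4, 32),
         "current_enforcement_vulnerability_exposure": _exp(4, 32)},
    ],
}


def _int_or_null(obj: Dict[str, Any], field: str, where: str) -> Optional[int]:
    """Enforce the schema type ["integer", "null"]; a JSON boolean is not an integer."""
    value = obj.get(field)
    if value is None:
        return None
    if isinstance(value, bool) or not isinstance(value, int):
        raise ValueError(f"{where}.{field}: expected integer or null, got {value!r}")
    return value


def exposure_for_mode(item: Dict[str, Any], mode: str) -> Dict[str, Optional[int]]:
    """Return the two exposure fields of one row for the given mode.
    A missing object (a pre-24.4 response) is treated as all-null."""
    key = EXPOSURE_MODES[mode]
    block = item.get(key)
    if block is None:
        return {f: None for f in EXPOSURE_FIELDS}
    return {f: _int_or_null(block, f, key) for f in EXPOSURE_FIELDS}


def score_delta(item: Dict[str, Any], from_mode: str = "current", to_mode: str = "full") -> Optional[int]:
    """Change in the port VE score if the workload moved from from_mode to
    to_mode; None when either side has not been computed."""
    a = exposure_for_mode(item, from_mode)["port_vulnerability_exposure_score"]
    b = exposure_for_mode(item, to_mode)["port_vulnerability_exposure_score"]
    return None if a is None or b is None else b - a


def summarize(response: Dict[str, Any], mode: str) -> Dict[str, Any]:
    """Client-side roll-up for one mode: the maximum port VE score (the same
    max-over-ports shape as max_vulnerability_exposure_score, which the page
    defines for the current state only), the ports still exposed (port
    exposure > 0), and the rows whose values are null."""
    max_score: Optional[int] = None
    exposed: List[str] = []
    not_computed: List[str] = []
    for item in response["workload_detected_vulnerabilities"]:
        label = f"{item.get('port')}/{item.get('proto')}"
        exp = exposure_for_mode(item, mode)
        score, port_exposure = exp["port_vulnerability_exposure_score"], exp["vulnerable_port_exposure"]
        if score is None or port_exposure is None:
            not_computed.append(label)
            continue
        if max_score is None or score > max_score:
            max_score = score
        if port_exposure > 0:
            exposed.append(label)
    return {"max_score": max_score, "exposed_ports": exposed, "not_computed": not_computed}


def staleness_seconds(response: Dict[str, Any], now_iso: str) -> float:
    """Age of the stored data from last_updated_at: the scores are produced by
    a stats processor, not computed at request time, so check how old they are."""
    updated = datetime.fromisoformat(response["last_updated_at"].replace("Z", "+00:00"))
    now = datetime.fromisoformat(now_iso.replace("Z", "+00:00"))
    return (now - updated).total_seconds()


if __name__ == "__main__":
    for mode in EXPOSURE_MODES:
        print(mode, summarize(SAMPLE_RESPONSE, mode))
    for row in SAMPLE_RESPONSE["workload_detected_vulnerabilities"]:
        print(row["port"], "current->full VE score delta:", score_delta(row))
```

A null in either exposure field is kept as "not computed" rather than coerced to 0, since the schema allows null precisely for rows where no value exists for that mode; treating it as zero exposure would make a mode look safer than the data supports.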