Description: Retrieves vulnerability report data by report ID using the enhanced V2 format with advanced filtering and search capabilities.
Since: Xray 3.0
Applicable Environment: JFrog SaaS, JFrog Self-Hosted
Security: Requires a valid user with Reports Manager permission.
Usage: POST xray/api/v2/reports/vulnerabilities/{id}
Consumes: application/json
Produces: application/json
Path parameters:
| Name | Type | Required/Optional | Description |
|---|---|---|---|
| id | string | required | The unique identifier of the vulnerability report. |
Query parameters:
| Name | Type | Required/Optional | Description |
|---|---|---|---|
| search | string | optional | Search term to filter results across CVEs, impacted artifacts, vulnerable components, paths, and project keys. |
| direction | string | optional | Sort direction: |
| num_of_rows | integer | required | Number of rows per page. |
|  | string | optional | Field to sort by. |
| page_num | integer | required | Page number (1-based). |
Request body:
| Field | Type | Required/Optional | Description |
|---|---|---|---|
| filters | object | optional | Advanced filtering options for the report data. |
Response body:
| Field | Type | Description |
|---|---|---|
| total_rows | integer | Total number of vulnerability records matching the filters. |
| rows | array | Array of vulnerability report rows. |
Vulnerability Report Row:
| Field | Type | Description |
|---|---|---|
| cves | array | List of CVEs associated with the vulnerability. |
| cvss2_max_score | number | Maximum CVSS v2 score among all CVEs. |
| cvss3_max_score | number | Maximum CVSS v3 score among all CVEs. |
| severity | string | Severity level: Critical, High, Medium, Low, Unknown. |
| severity_source | string | Source of the severity rating. |
| physical_path | string | Physical path to the vulnerable component. |
| impact_path | array of strings | Path showing how the vulnerability impacts the system. |
| fixed_versions | array of strings | List of versions that fix this vulnerability. |
| issue_id | string | Unique identifier for the vulnerability issue. |
| project_keys | array of strings | Project keys associated with the vulnerability. |
| applicability | boolean | Whether the vulnerability is applicable. |
| applicability_result | string | Result of applicability analysis: Applicable, Not Applicable, Unknown. |
| vulnerable_components | array of strings | List of vulnerable component names. |
| impacted_artifacts | array of strings | List of impacted artifact names. |
| paths | array of strings | File paths containing the vulnerability. |
| jfrog_severity | string | JFrog's severity assessment. |
| cwe | array of strings | Common Weakness Enumeration identifiers. |
CVE Object:
| Field | Type | Description |
|---|---|---|
| cve | string | CVE identifier (e.g., CVE-2021-44228). |
| cvss_v2_score | number | CVSS v2 base score. |
| cvss_v2_vector | string | CVSS v2 vector string. |
| cvss_v3_score | number | CVSS v3 base score. |
| cvss_v3_vector | string | CVSS v3 vector string. |
Response Codes:
| Status Code | Description |
|---|---|
| 200 | OK - Report data retrieved successfully |
| 400 | Bad request - Invalid parameters or filters |
| 403 | Permission denied - Insufficient permissions |
| 404 | Not found - Report not found or not accessible |
| 500 | Internal server error |
Sample Request:
```
POST /api/v2/reports/vulnerabilities/12345?search=log4j&direction=desc&num_of_rows=10&page_num=1
Content-Type: application/json
Accept: application/json

{
  "filters": {
    "severity": ["Critical", "High"],
    "applicability_result": ["Applicable"]
  }
}
```
Sample Response:
```
200 OK
{
  "total_rows": 25,
  "rows": [
    {
      "cves": [
        {
          "cve": "CVE-2021-44228",
          "cvss_v2_score": 9.3,
          "cvss_v2_vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
          "cvss_v3_score": 10.0,
          "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"
        }
      ],
      "cvss2_max_score": 9.3,
      "cvss3_max_score": 10.0,
      "severity": "Critical",
      "severity_source": "NVD",
      "physical_path": "/app/lib/log4j-core-2.14.1.jar",
      "impact_path": ["/app", "/app/lib"],
      "fixed_versions": ["2.15.0", "2.16.0"],
      "issue_id": "XRAY-123456",
      "project_keys": ["my-project"],
      "applicability": true,
      "applicability_result": "Applicable",
      "vulnerable_components": ["log4j-core:2.14.1"],
      "impacted_artifacts": ["my-app:1.0.0"],
      "paths": ["/app/lib/log4j-core-2.14.1.jar"],
      "jfrog_severity": "Critical",
      "cwe": ["CWE-502", "CWE-77"]
    }
  ]
}
```
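
The sample response reports 25 matching rows with 10 rows per page, so a consumer has to walk `page_num` until `total_rows` is reached. The following added example (not JFrog's code or documentation) builds the request from the parameters above, pages through the results, and orders applicable findings for remediation. The function names, the bearer-token header, the stop-on-empty-page guard and the two-page sample data are assumptions made for the example.

```python
import json
import urllib.parse
import urllib.request

def build_request(base_url, report_id, token, page_num, num_of_rows=100, search=None):
    """Build the POST for one page of the report; nothing is sent here."""
    query = {"num_of_rows": num_of_rows, "page_num": page_num}  # both required
    if search:
        query["search"] = search
    url = "%s/xray/api/v2/reports/vulnerabilities/%s?%s" % (
        base_url.rstrip("/"), urllib.parse.quote(str(report_id), safe=""),
        urllib.parse.urlencode(query))
    body = {"filters": {"severity": ["Critical", "High"],
                        "applicability_result": ["Applicable"]}}
    headers = {"Content-Type": "application/json", "Accept": "application/json",
               "Authorization": "Bearer " + token}  # assumption: bearer-token auth
    data = json.dumps(body).encode()
    return urllib.request.Request(url, data=data, headers=headers, method="POST")

def fetch_all_rows(fetch_page, num_of_rows=100):
    """fetch_page(page_num, num_of_rows) must return one decoded response body."""
    rows, page_num = [], 1  # page_num is 1-based
    while True:
        page = fetch_page(page_num, num_of_rows)
        rows.extend(page["rows"])
        # Also stop on an empty page, so a shrinking total_rows cannot loop forever.
        if not page["rows"] or len(rows) >= page["total_rows"]:
            return rows
        page_num += 1

def remediation_queue(rows):
    """Applicable rows, highest CVSS v3 score first, with their fixed versions."""
    queue = [{"issue_id": r["issue_id"],
              "cves": [c["cve"] for c in r.get("cves", [])],
              "score": r.get("cvss3_max_score") or 0.0,
              "components": r.get("vulnerable_components", []),
              "fixed_versions": r.get("fixed_versions", [])}
             for r in rows if r.get("applicability_result") == "Applicable"]
    return sorted(queue, key=lambda item: item["score"], reverse=True)

# Constructed two-page response (not real scan data) for an offline run.
def _row(issue, score, result):
    return {"issue_id": issue, "cvss3_max_score": score, "applicability_result": result,
            "cves": [{"cve": "CVE-0000-0000"}], "fixed_versions": ["0.0.1"]}
SAMPLE_PAGES = {1: {"total_rows": 3, "rows": [_row("XRAY-1", 7.5, "Applicable"),
                                              _row("XRAY-2", 9.8, "Not Applicable")]},
                2: {"total_rows": 3, "rows": [_row("XRAY-3", 10.0, "Applicable")]}}
if __name__ == "__main__":
    rows = fetch_all_rows(lambda page_num, n: SAMPLE_PAGES[page_num])
    print(json.dumps(remediation_queue(rows), indent=2))
```

To call a live instance, pass a `fetch_page` that sends `build_request(...)` with `urllib.request.urlopen` and decodes the JSON body.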