How to extrack the 'back level' indicator with curl command?

[nigellh]

Hi

It would be useful to be able to share the packages that are back level when this information is reported on. I can extract the vulnerabilities from DT using the following command:

curl -X 'GET' \
  'http://000.000.000.000:8081/api/v1/finding/project/<project-id>' \
  -H 'accept: application/json' \
  -H 'X-Api-Key: <X-Api-Key>' \
  -o 'vuln.json'

(000.000.000.000 - the IP address of server that DT is running on and I believe needs to be specified in the docker-compose.yml file rather than localhost for this to work remotely)

It works really well. Is there anything that we can add to this call, or make a separate one to combine with this that will allow anything related to back level to be extracted for the packages?

Many thanks

[nscuro]

Can you elaborate on what you mean with "back level"?

[nigellh]

My bad, I should have called it 'outdated'

[nscuro]

You can retrieve the latest version of a component via

GET /api/v1/repository/latest?purl=<PACKAGE_URL>

The package URL of the component(s) should be included in the JSON you already have.

[nigellh]

Thanks again!

The following are the list of fields that are generated via the curl command above with the data for one package

component/name                  :  aiohttp
component/project               :  fc10eb01-91b1-41ec-9291-c24237ee15a1
component/purl                  :  pkg:pypi/[email protected]
component/uuid                  :  a1c09b90-adab-4906-a712-52881e2430bc
component/version               :  3.6.3
attribution/alternateIdentifier :  CVE-2021-21330
attribution/analyzerIdentity    :  OSSINDEX_ANALYZER
attribution/attributedOn        :  0.030028935
attribution/referenceUrl        :  https://ossindex.sonatype.org/vulnerability/CVE-2021-21330?component-type=pypi&component-name=aiohttp&utm_source=dependency-track&utm_medium=integration&utm_content=v4.6.3
vulnerability/severity          :  MEDIUM
vulnerability/cvssV3BaseScore   :  6.1
vulnerability/vulnId            :  CVE-2021-21330
vulnerability/cweId             :  601
vulnerability/description       :  aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. In aiohttp before version 3.7.4 there is an open redirect vulnerability. A maliciously crafted link to an aiohttp-based web-server could redirect the browser to a different website. It is caused by a bug in the `aiohttp.web_middlewares.normalize_path_middleware` middleware. This security problem has been fixed in 3.7.4. Upgrade your dependency using pip as follows "pip install aiohttp >= 3.7.4". If upgrading is not an option for you, a workaround can be to avoid using `aiohttp.web_middlewares.normalize_path_middleware` in your applications.
vulnerability/epssScore         :  0.01183
vulnerability/source            :  NVD
vulnerability/cwes/0/cweId      :  601
vulnerability/cwes/0/name       :  URL Redirection to Untrusted Site ('Open Redirect')
vulnerability/cwes/0/id         :  0
vulnerability/uuid              :  1ef30eac-a6df-4ad8-8209-b799c6082dd6
vulnerability/severityRank      :  2
vulnerability/cweName           :  URL Redirection to Untrusted Site ('Open Redirect')
vulnerability/epssPercentile    :  0.6117
vulnerability/cvssV2BaseScore   :  5.8
analysis/isSuppressed           :  FALSE
matrix                          :  fc10eb01-91b1-41ec-9291-c24237ee15a1:a1c09b90-adab-4906-a712-52881e2430bc:1ef30eac-a6df-4ad8-8209-b799c6082dd6
vulnerability/cwes/1/cweId      :  
vulnerability/cwes/1/name       :  
vulnerability/cwes/1/id         :  
vulnerability/cwes/2/cweId      :  
vulnerability/cwes/2/name       :  
vulnerability/cwes/2/id         :  

What we would like to do is extract a single list of all packages that have there vulnerabilities (or none if there aren't any) and all the current versions.

The curl above seems to extract just the ones with the vulnerabilities and so is probably not the correct one.

I guess the same as the above information, but for packages and the current version.

[nigellh]

Hi, came across this page - https://docs.dependencytrack.org/integrations/rest-api/

Guessing it is experimenting with the GET commands that I can see on mine when I run it with Swagger UI Console to see which might give me the solution.

e.g. what I am seeing at the top of the list is