detailedreport.do

Veracode APIs

The detailedreport.do call returns a detailed XML report of all scan results related to the specified build.

Before using this API, Veracode strongly recommends that you read API Usage and Access Guidelines. Ensure you access the APIs with the domain for your region.

For performance reasons, this API automatically compresses the XML output, regardless of file size, in Gzip format. When accessing this API in production, Veracode strongly recommends that you use a user agent, such as HTTPie, which is the default, that supports Gzip. To test this API, you can use any tool that supports HTTP.

REST API Equivalent

The REST API equivalent of this call is a GET to /appsec/v1/applications/{applicationGuid}/findings using the Applications API. Veracode strongly recommends that you use the REST API for this action. For new integrations, always use the REST APIs.

Resource URL

https://analysiscenter.veracode.com/api/5.0/detailedreport.do

Parameters

Name Type Description
build_id

Required

Integer Application or sandbox build ID.
Note: This call returns detailed flaw data only available for internally developed applications. Using this call for a third-party application returns an error.

HTTPie Example

Examples use the HTTPie command-line tool. See Using HTTPie with the Python Authentication Library.

http --auth-type=veracode_hmac "https://analysiscenter.veracode.com/api/5.0/detailedreport.do" "build_id==<build id>"

HTTPie Results

The detailedreport.do call returns the detailedreport XML document, which references the detailedreport.xsd schema file. You can use the XSD schema file to validate the XML data.

A partial XML example. Veracode has deprecated assurance level and replaced it with business criticality.

<?xml version='1.0' encoding='UTF-8'?>
          
          <detailedreport xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
          xmlns="https://www.veracode.com/schema/reports/export/1.0" 
          xsi:schemaLocation="https://www.veracode.com/schema/reports/export/1.0 
          https://analysiscenter.veracode.com/resource/detailedreport.xsd" 
          report_format_version="1.5" account_id="<account id>" app_name="<app name>" 
          app_id="<app id>" analysis_id="4705951" static_analysis_unit_id="4721671" 
          sandbox_id="<sandbox id>" first_build_submitted_date="2019-08-13 17:57:41 UTC" 
          version="13 Aug 2019 Static" build_id="4722565" submitter="Veracode" 
          platform="Not Specified" assurance_level="5" business_criticality="5" 
          generation_date="2019-09-03 19:54:36 UTC" veracode_level="VL1" total_flaws="22" 
          flaws_not_mitigated="22" teams="Demo Team" life_cycle_stage="Not Specified" 
          planned_deployment_date="" last_update_time="2019-08-13 18:08:47 UTC" 
          is_latest_build="true" policy_name="Veracode Transitional Very High" 
          policy_version="1" policy_compliance_status="Did Not Pass" 
          policy_rules_status="Did Not Pass" grace_period_expired="true" 
          scan_overdue="false" business_owner="" business_unit="Not Specified" tags="" 
          legacy_scan_engine="false">
          <static-analysis rating="D" score="82" submitted_date="2019-08-13 17:57:39 UTC" 
          published_date="2019-08-13 18:08:35 UTC" version="13 Aug 2019 Static" 
          analysis_size_bytes="16157840" engine_version="20190805180615">
          <modules>
          <module name="httpd" compiler="GCC_Linux_IA32_3_4_6" 
          os="Red Hat Enterprise Linux v4 (IA32)" architecture="IA32" loc="66813" 
          score="82" numflawssev0="0" numflawssev1="0" numflawssev2="6" numflawssev3="13" 
          numflawssev4="0" numflawssev5="3" />
          </modules>
          </static-analysis>
          <severity level="5">
          <category categoryid="3" categoryname="Buffer Overflow" pcirelated="false">
          <desc><para text="Buffer overflows (or buffer overruns) occur 
          when a program attempts to put more data in a buffer than it has been allocated to hold.  
          Writing to areas of memory not intended by the application developer can lead to serious 
          security vulnerabilities and can cause an application to execute arbitrary code on behalf 
          of an attacker." /><para text="The degree of exploitability of buffer overflows varies 
          depending on a number of factors, including buffer location, execution path, and platform.  Often, the resultant behavior is limited 
          to corrupting data or crashing the application.  However, in many cases, specially crafted attacks can be constructed that 
          will execute arbitrary code with the privileges of the vulnerable application.  " />
          </desc>
          <recommendations><para text="There are a number of mitigations that can be applied during both design and implementation to 
          prevent buffer overflows from occurring.  Using multiple techniques provides defense-in-depth. ">
          <bulletitem text="Always use bounded rather than unbounded string manipulation functions, e.g. strncpy() and strncat() 
          instead of strcpy() and strcat()." />
          <bulletitem text="When using functions that accept a number of bytes to copy, such as strncpy(), be aware that if the 
          destination buffer size is equal to the source buffer size, it may not null-terminate the string." />
          <bulletitem text="Be careful when working with multi-byte strings, as the number of logical characters in a string is not 
          equivalent to the number of bytes allocated in memory." /><bulletitem text="Use a safe string handling functions such as 
          Microsoft's strsafe.h. These functions prevent data from being written past the end of buffers and guarantees null 
          termination.  Alternatively, use a string abstraction library such as SafeStr, which automatically resizes strings as 
          required.  While neither of these approaches is foolproof, they will prevent many common mistakes." /></para>
          </recommendations>
          ...

API Wrapper Examples

Java example:

java -jar vosp-api-wrapper-java{version}.jar -vid <Veracode API ID> -vkey <Veracode API Key> -action detailedreport -buildid <build id> -outputfilepath c:\javawrappers\detailedreport.xml

C# example:

VeracodeC#API -vid <Veracode API ID> -vkey <Veracode API key> -action detailedreport -buildid <build id> -outputfilepath c:\csharpwrappers\detailedreport.xml

API Wrapper Results

The detailedreport.do call returns the detailedreport XML document, which references the detailedreport.xsd schema file. You can use the XSD schema file to validate the XML data.

A partial XML example. Veracode has deprecated assurance level and replaced it with business criticality.

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
        <detailedreport xmlns="https://www.veracode.com/schema/reports/export/1.0" 
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" account_id="<account id>" analysis_id="4705951" 
        app_id="<app id>" app_name="Apache" assurance_level="5" build_id="<build id>" business_criticality="5" 
        business_owner="" business_unit="Not Specified" first_build_submitted_date="2019-08-13 17:57:41 UTC" 
        flaws_not_mitigated="22" generation_date="2019-10-09 21:31:49 UTC" 
        grace_period_expired="true" is_latest_build="true" last_update_time="2019-08-13 18:08:47 UTC" 
        legacy_scan_engine="false" life_cycle_stage="Not Specified" planned_deployment_date="" 
        platform="Not Specified" policy_compliance_status="Did Not Pass" 
        policy_name="Veracode Transitional Very High" policy_rules_status="Did Not Pass" policy_version="1" 
        report_format_version="1.5" sandbox_id="1358509" scan_overdue="false" static_analysis_unit_id="4721671" 
        submitter="Veracode" tags="" teams="Demo Team" total_flaws="22" veracode_level="VL1" 
        version="13 Aug 2019 Static" xsi:schemaLocation="https://www.veracode.com/schema/reports/export/1.0 
        https://analysiscenter.veracode.com/resource/detailedreport.xsd">
        <static-analysis analysis_size_bytes="16157840" engine_version="20190805180615" 
        published_date="2019-08-13 18:08:35 UTC" rating="D" score="82" submitted_date="2019-08-13 17:57:39 UTC" 
        version="13 Aug 2019 Static">
        <modules>
        <module architecture="IA32" compiler="GCC_Linux_IA32_3_4_6" loc="66813" name="httpd" numflawssev0="0" 
        numflawssev1="0" numflawssev2="6" numflawssev3="13" numflawssev4="0" numflawssev5="3" 
        os="Red Hat Enterprise Linux v4 (IA32)" score="82"/>
        </modules>
        </static-analysis>
        <severity level="5">
        <category categoryid="3" categoryname="Buffer Overflow" pcirelated="false">
        <desc>
        <para text="Buffer overflows (or buffer overruns) occur when a program attempts to put more data in a buffer 
        than it has been allocated to hold.  Writing to areas of memory not intended by the application developer 
        can lead to serious security vulnerabilities and can cause an application to execute arbitrary code on 
        behalf of an attacker."/>
        <para text="The degree of exploitability of buffer overflows varies depending on a number of factors, including 
        buffer location, execution path, and platform.  Often, the resultant behavior is limited to corrupting data 
        or crashing the application.  However, in many cases, specially crafted attacks can be constructed that will 
        execute arbitrary code with the privileges of the vulnerable application.  "/>
        </desc>
        <recommendations>
        <para text="There are a number of mitigations that can be applied during both design and implementation to 
        prevent buffer overflows from occurring.  Using multiple techniques provides defense-in-depth. ">
        <bulletitem text="Always use bounded rather than unbounded string manipulation functions, e.g. strncpy() and 
        strncat() instead of strcpy() and strcat()."/>
        <bulletitem text="When using functions that accept a number of bytes to copy, such as strncpy(), be aware that 
        if the destination buffer size is equal to the source buffer size, it may not null-terminate the string."/>
        <bulletitem text="Be careful when working with multi-byte strings, as the number of logical characters in a 
        string is not equivalent to the number of bytes allocated in memory."/>
        <bulletitem text="Use a safe string handling functions such as Microsoft's strsafe.h. These functions prevent 
        data from being written past the end of buffers and guarantees null termination.  Alternatively, use a string 
        abstraction library such as SafeStr, which automatically resizes strings as required.  While neither of these 
        approaches is foolproof, they will prevent many common mistakes."/>
        </para>
        </recommendations>