Dynamic XML API
The getdynamicflaws.do call returns information on a specific flaw from a Dynamic Analysis.
Before using this API, Veracode strongly recommends that you read API usage and access guidelines. Ensure you access the APIs with the domain for your region.
REST API equivalent
The REST API equivalent of this call is GET /appsec/v2/applications/<guid>/findings/<id>/dynamic_flaw_info. Veracode strongly recommends that you use the REST API for this action. For new integrations, always use the REST APIs.
Resource URL
https://analysiscenter.veracode.com/api/5.0/getdynamicflaws.do
Permissions
- You need the Results API role to use this call.
- API credentials
- HMAC authentication
Parameters
Name | Type | Description |
---|---|---|
build_id Required | Integer | Application or sandbox build ID. |
flaw_id Required | Integer | Find flaw IDs on the Triage Flaws page in the Veracode Platform or in the issueid fields returned by the Detailed Report API. |
To locate the parameters for getdynamicflaws.do:
- Call getapplist.do to locate the app_id for your application.
- Call getbuildlist.do with the app_id to locate the current build_id for your application.
- Call detailedreport.do with the build_id to locate a flaw_id.
- In the XML code of the detailed report, find the report section for the target flaw and then find the issueid element in that section. The issueid is the flaw_id.
HTTPie example
Examples use the HTTPie command-line tool.
http --auth-type=veracode_hmac "https://analysiscenter.veracode.com/api/5.0/getdynamicflaws.do" "build_id==<build id>" "flaw_id==2"
HTTPie results
The getdynamicflaws.do call returns the dynamicfinding XML document, which references the dynamicfinding.xsd schema file. You can use the XSD schema file to validate the XML data.
<?xml version="1.0" encoding="UTF-8"?>
<dynamicfinding xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns="https://analysiscenter.veracode.com/schema/4.0/dynamicfinding"
xsi:schemaLocation="https://analysiscenter.veracode.com/schema/4.0/dynamicfinding
https://analysiscenter.veracode.com/resource/4.0/dynamicscaninfo.xsd"
app_id="<app id>" build_id="<build id>" flaw_id="2" engine_version="" cwe_id="402"
description="The security cookie does not have the &quot;HttpOnly&quot; attribute set. Using this attribute helps
to prevent client-side Javascript from accessing the cookie, thereby mitigating one of the most common XSS exploit
scenarios.
" remediation="Unless the application requires that cookies be accessible to Javascript code, set
the &quot;HttpOnly&quot; attribute when generating cookies.
"
parameter_type=""
parameter_name=""
parameter="Set-Cookie security HTTP response header"
original_arg=""
raw_response="HTTP/1.1 302 Found
Date: Tue, 01 Oct 2019 20:46:15 GMT
Server: Apache
Set-Cookie: PHPSESSID=3696on897sncfp18jb800jnvfl; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Set-Cookie: PHPSESSID=3696on897sncfp18jb800jnvfl; path=/
Set-Cookie: security=low
Location: login.php
Keep-Alive: timeout=65, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Content-Length: 0

"
injected_arg="" referer_url="">
<request host="www.example.com" port="80" secure="false" raw_request="GET / HTTP/1.1
Host: www.example.com
User-Agent: Mozilla/5.0 (Windows NT 5.2; WOW64; rv:21.0) Gecko/20100101 Firefox/21.0/Veracode Security Scan/support@veracode.com
Accept: */*
Connection: keep-alive
Accept-Encoding: identity
Accept-Language: en-us,en;q=0.5
Content-Length: 0

" method="GET" protocol="HTTP"
url="http://dvwa.sa.veracode.io/" path="/" uri="/" body="">
<header name="Host" value="www.example.com"/>
<header name="User-Agent" value="Mozilla/5.0 (Windows NT 5.2; WOW64; rv:21.0) Gecko/20100101 Firefox/21.0/Veracode Security Scan/support@veracode.com"/>
<header name="Accept" value="*/*"/>
<header name="Connection" value="keep-alive"/>
<header name="Accept-Encoding" value="identity"/>
<header name="Accept-Language" value="en-us,en;q=0.5"/>
<header name="Content-Length" value="0"/>
</request>
</dynamicfinding>
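The following Python sketch is an added example, not Veracode code. It parses a dynamicfinding response like the one above and re-checks the Set-Cookie headers in raw_response, going slightly beyond the sample finding by reporting a missing Secure attribute as well as HttpOnly. The sample document is constructed, and it assumes line breaks inside raw_response arrive as character references; the function names are hypothetical.

```python
import re
import xml.etree.ElementTree as ET

# Namespace taken from the sample response on this page.
NS = {"df": "https://analysiscenter.veracode.com/schema/4.0/dynamicfinding"}

# Constructed sample: a trimmed dynamicfinding document. Line breaks inside
# raw_response are written as character references (assumption), because a
# literal newline in an XML attribute is normalized to a space by the parser.
SAMPLE = """<dynamicfinding xmlns="https://analysiscenter.veracode.com/schema/4.0/dynamicfinding"
  app_id="1" build_id="2" flaw_id="2" cwe_id="402"
  parameter="Set-Cookie security HTTP response header"
  raw_response="HTTP/1.1 302 Found&#xd;&#xa;Set-Cookie: PHPSESSID=abc; path=/&#xd;&#xa;Set-Cookie: security=low&#xd;&#xa;Set-Cookie: csrf=x; Secure; HttpOnly&#xd;&#xa;Location: login.php&#xd;&#xa;&#xd;&#xa;">
  <request host="www.example.com" port="80" secure="false" method="GET" url="http://www.example.com/" path="/"/>
</dynamicfinding>"""


def cookie_flags(raw_response):
    """Map each cookie name in a raw HTTP response to its missing attributes."""
    missing = {}
    for line in re.split(r"\r\n|\r|\n", raw_response):
        name, _, value = line.partition(":")
        if name.strip().lower() != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        cookie = parts[0].split("=", 1)[0]
        missing[cookie] = sorted({"httponly", "secure"} - attrs)
    return missing


def summarize(xml_text):
    """Extract the triage fields and the cookie check from one response."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}dynamicfinding" % NS["df"]:
        raise ValueError("unexpected root element: " + root.tag)
    req = root.find("df:request", NS)
    return {
        "flaw_id": int(root.get("flaw_id")),
        "cwe_id": int(root.get("cwe_id")),
        "url": req.get("url") if req is not None else None,
        "cookies": cookie_flags(root.get("raw_response", "")),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE))
```

If a response carries the header lines as literal newlines instead, the XML parser collapses them to spaces and the per-line split no longer separates the headers, so check how your response encodes them before relying on the result.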