Interpreting security vulnerability response data

Good day, 

I have a working PoC script that is able to hit one of my public repositories with the following: 

import requests
url = 'https://api.github.com/graphql'
query = 'query{repository(owner:"Naughtron", name:"test_sec_alerts") {vulnerabilityAlerts(first:100) {nodes {id}}}}'
headers = {"Authorization": "Bearer <VALID_TOKEN_HERE>", "Accept": "application/vnd.github.vixen-preview+json"}
response = requests.post(url, json={"query": query}, headers=headers)  # GraphQL takes the query as a JSON POST body
print(response.json())

I get back the following JSON blob: 

{"data":{"repository":{"vulnerabilityAlerts":{"nodes":[{"id":"MDI4OlJlcG9zaXRvcnlWdWxuZXJhYmlsaXR5QWxlcnQxMzY4NzYwMDg="},{"id":"MDI4OlJlcG9zaXRvcnlWdWxuZXJhYmlsaXR5QWxlcnQxMzc5OTQ0OTQ="},{"id":"MDI4OlJlcG9zaXRvcnlWdWxuZXJhYmlsaXR5QWxlcnQxMzc5OTQ0OTU="},{"id":"MDI4OlJlcG9zaXRvcnlWdWxuZXJhYmlsaXR5QWxlcnQxMzc5OTQ0OTc="},{"id":"MDI4OlJlcG9zaXRvcnlWdWxuZXJhYmlsaXR5QWxlcnQxMzc5OTQ0OTg="}]}}}}

If I base64 decode one of the results, for example: 

MDI4OlJlcG9zaXRvcnlWdWxuZXJhYmlsaXR5QWxlcnQxMzY4NzYwMDg=

I am presented with: 

028:RepositoryVulnerabilityAlert136876008

From this point what can I do with that information? Is there a way to ultimately get information as to the actual library and its location in the repository as we get via the UI? 

Node IDs of all types are intended to be opaque. There is nothing you can get from them without requesting more information from the API. You can find the other fields that are available from the RepositoryVulnerabilityAlert object (besides id) in the GraphQL API documentation.

For example, you could use this query:

{
  repository(owner: "Naughtron", name: "test_sec_alerts") {
    vulnerabilityAlerts(first: 100) {
      nodes {
        securityVulnerability {
          package {
            ecosystem
            name
          }
          vulnerableVersionRange
          firstPatchedVersion {
            identifier
          }
        }
      }
    }
  }
}

I hope that helps!

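Added example, not code from the thread or from GitHub: a Python script that runs the query from the answer above with cursor pagination and flattens every alert into package, manifest path, vulnerable range and first patched version. It assumes the requests library is installed; the vulnerableManifestPath field is my addition to the answer's query, and the sample response is constructed so the parsing can be exercised offline.

```python
# Added example: page through every alert with the answer's fields, plus the
# assumed vulnerableManifestPath field, and flatten the response into records.
ALERTS_QUERY = """query($owner:String!,$name:String!,$cursor:String){
 repository(owner:$owner,name:$name){vulnerabilityAlerts(first:100,after:$cursor){
  pageInfo{hasNextPage endCursor}
  nodes{vulnerableManifestPath securityVulnerability{
   package{ecosystem name} vulnerableVersionRange firstPatchedVersion{identifier}}}}}}}"""

def flatten_page(page: dict) -> list:
    """Flatten one page; GraphQL signals failure via an "errors" key under HTTP 200."""
    if page.get("errors"):
        raise RuntimeError(page["errors"])
    records = []
    for node in page["data"]["repository"]["vulnerabilityAlerts"]["nodes"]:
        vuln = node.get("securityVulnerability")
        if not vuln:  # no advisory details attached; nothing to report
            continue
        patched = vuln.get("firstPatchedVersion")  # null when no fix exists yet
        records.append({
            "ecosystem": vuln["package"]["ecosystem"],
            "package": vuln["package"]["name"],
            "manifest": node.get("vulnerableManifestPath"),
            "vulnerable_range": vuln["vulnerableVersionRange"],
            "first_patched": patched["identifier"] if patched else None,
        })
    return records

def fetch_all_alerts(owner: str, name: str, token: str) -> list:
    """Follow endCursor until hasNextPage is false (needs requests and network)."""
    import requests
    headers = {"Authorization": f"Bearer {token}", "Accept": "application/vnd.github.vixen-preview+json"}
    records, cursor = [], None
    while True:
        body = {"query": ALERTS_QUERY, "variables": {"owner": owner, "name": name, "cursor": cursor}}
        page = requests.post("https://api.github.com/graphql", json=body,
                             headers=headers, timeout=30).json()
        records += flatten_page(page)
        info = page["data"]["repository"]["vulnerabilityAlerts"]["pageInfo"]
        if not info["hasNextPage"]:
            return records
        cursor = info["endCursor"]

# Constructed sample page shaped like the API's reply to ALERTS_QUERY.
SAMPLE_PAGE = {"data": {"repository": {"vulnerabilityAlerts": {
    "pageInfo": {"hasNextPage": False, "endCursor": None},
    "nodes": [{"vulnerableManifestPath": "requirements.txt", "securityVulnerability": {
                "package": {"ecosystem": "PIP", "name": "django"},
                "vulnerableVersionRange": "< 2.2.4", "firstPatchedVersion": {"identifier": "2.2.4"}}},
              {"vulnerableManifestPath": "package-lock.json", "securityVulnerability": {
                "package": {"ecosystem": "NPM", "name": "lodash"},
                "vulnerableVersionRange": "< 4.17.12", "firstPatchedVersion": None}}]}}}}
```

Calling flatten_page(SAMPLE_PAGE) yields two records, the second with first_patched set to None because the constructed alert has no fixed version yet.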