Interpreting Security vulnerability Response data. #24824

naughtron · 2019-10-29T15:49:34Z

naughtron
Oct 29, 2019

Good day,

I have a working PoC script that is able to hit one of my public repositories with the following:

url = 'https://api.github.com/graphql'
query = 'query{repository(owner:"Naughtron", name:"test_sec_alerts") {vulnerabilityAlerts(first:100) {nodes {id}}}}'
headers = {"Authorization": "Bearer <VALID_TOKEN_HERE>", "Accept": "application/vnd.github.vixen-preview+json"}

I get back the following JSON blob:

{"data":{"repository":{"vulnerabilityAlerts":{"nodes":[{"id":"MDI4OlJlcG9zaXRvcnlWdWxuZXJhYmlsaXR5QWxlcnQxMzY4NzYwMDg="},{"id":"MDI4OlJlcG9zaXRv
cnlWdWxuZXJhYmlsaXR5QWxlcnQxMzc5OTQ0OTQ="},{"id":"MDI4OlJlcG9zaXRvcnlWdWxuZXJhYmlsaXR5QWxlcnQxMzc5OTQ0OTU="},{"id":"MDI4OlJlcG9zaXRvcnlWdWxuZXJh
YmlsaXR5QWxlcnQxMzc5OTQ0OTc="},{"id":"MDI4OlJlcG9zaXRvcnlWdWxuZXJhYmlsaXR5QWxlcnQxMzc5OTQ0OTg="}]}}}}

If I base64 decode one of the results, for example:

MDI4OlJlcG9zaXRvcnlWdWxuZXJhYmlsaXR5QWxlcnQxMzY4NzYwMDg=

I am presented with:

028:RepositoryVulnerabilityAlert136876008

From this point what can I do with that information? Is there a way to ultimately get information as to the actual library and its location in the repository as we get via the UI?

Screen Shot 2019-10-29 at 11.48.15 AM.png2090×962 239 KB

Answered by lee-dohm

Nov 1, 2019

Node IDs of all types are intended to be opaque. There is nothing you can get from them without requesting more information from the API. You can find the other fields that are available from the RepositoryVulnerabilityAlert object (besides id) in the GraphQL API documentation.

For example, you could use this query:

{
  repository(owner: "Naughtron", name: "test_sec_alerts") {
    vulnerabilityAlerts(first: 100) {
      nodes {
        securityVulnerability {
          package {
            ecosystem
            name
          }
          vulnerableVersionRange
          firstPatchedVersion {
            identifier
          }
        }
      }
    }
  }
}

I hope that helps!

View full answer

lee-dohm · 2019-11-01T19:14:05Z

lee-dohm
Nov 1, 2019

Node IDs of all types are intended to be opaque. There is nothing you can get from them without requesting more information from the API. You can find the other fields that are available from the RepositoryVulnerabilityAlert object (besides id) in the GraphQL API documentation.

For example, you could use this query:

{
  repository(owner: "Naughtron", name: "test_sec_alerts") {
    vulnerabilityAlerts(first: 100) {
      nodes {
        securityVulnerability {
          package {
            ecosystem
            name
          }
          vulnerableVersionRange
          firstPatchedVersion {
            identifier
          }
        }
      }
    }
  }
}

I hope that helps!

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

GitHub Community

Interpreting Security vulnerability Response data. #24824

{{title}}

Replies: 1 comment

{{title}}

Select a reply

Navigation Menu

GitHub Community

Interpreting Security vulnerability Response data. #24824

naughtron Oct 29, 2019

Replies: 1 comment

lee-dohm Nov 1, 2019

naughtron
Oct 29, 2019

lee-dohm
Nov 1, 2019