Copilot Lvl 2
Message 1 of 2

Interpreting Security vulnerability Response data.


Good day, 

I have a working PoC script that is able to hit one of my public repositories with the following: 

import requests  # only the three variables were posted; the POST below is assumed to make the fragment runnable

url = 'https://api.github.com/graphql'
query = 'query{repository(owner:"Naughtron", name:"test_sec_alerts") {vulnerabilityAlerts(first:100) {nodes {id}}}}'
headers = {"Authorization": "Bearer <VALID_TOKEN_HERE>", "Accept": "application/vnd.github.vixen-preview+json"}
print(requests.post(url, json={'query': query}, headers=headers).json())  # GraphQL queries are sent as POST
I get back the following JSON blob: 
{"data":{"repository":{"vulnerabilityAlerts":{"nodes":[{"id":"MDI4OlJlcG9zaXRvcnlWdWxuZXJhYmlsaXR5QWxlcnQxMzY4NzYwMDg="},{"id":"MDI4OlJlcG9zaXRvcnlWdWxuZXJhYmlsaXR5QWxlcnQxMzc5OTQ0OTQ="},{"id":"MDI4OlJlcG9zaXRvcnlWdWxuZXJhYmlsaXR5QWxlcnQxMzc5OTQ0OTU="},{"id":"MDI4OlJlcG9zaXRvcnlWdWxuZXJhYmlsaXR5QWxlcnQxMzc5OTQ0OTc="},{"id":"MDI4OlJlcG9zaXRvcnlWdWxuZXJhYmlsaXR5QWxlcnQxMzc5OTQ0OTg="}]}}}}


If I base64 decode one of the results, for example: 

MDI4OlJlcG9zaXRvcnlWdWxuZXJhYmlsaXR5QWxlcnQxMzY4NzYwMDg=


I am presented with: 

028:RepositoryVulnerabilityAlert136876008

From this point what can I do with that information? Is there a way to ultimately get information as to the actual library and its location in the repository as we get via the UI? 

[Screenshot attached: Screen Shot 2019-10-29 at 11.48.15 AM.png]


Solution
Community Manager
Message 2 of 2

Re: Interpreting Security vulnerability Response data.

Node IDs of all types are intended to be opaque. There is nothing you can get from them without requesting more information from the API. You can find the other fields that are available from the `RepositoryVulnerabilityAlert` object (besides `id`) in the GraphQL API documentation.


For example, you could use this query:


{
  repository(owner: "Naughtron", name: "test_sec_alerts") {
    vulnerabilityAlerts(first: 100) {
      nodes {
        securityVulnerability {
          package {
            ecosystem
            name
          }
          vulnerableVersionRange
          firstPatchedVersion {
            identifier
          }
        }
      }
    }
  }
}


I hope that helps!
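As an added example (not code from either post in this thread), the following Python script runs the answer's query and flattens each alert into the package, ecosystem, vulnerable range and first patched version, which is the information the original question was after. It goes beyond the thread in one respect: it adds `pageInfo` and an `after: $cursor` variable so that repositories with more than 100 alerts are read page by page, and it treats the absence of `firstPatchedVersion` (an alert with no fixed release yet) as a normal case. The HTTP call is injected as a function so it can run offline here: `fake_post` and `SAMPLE_PAGES` are constructed stand-ins, and the ids, package names and ranges in them are made up; for a real run, pass a function that POSTs `{"query": ..., "variables": ...}` to `https://api.github.com/graphql` with the bearer token exactly as the question's snippet does.

```python
from typing import Callable, Dict, List
ALERTS_QUERY = """query($owner: String!, $name: String!, $cursor: String) {
  repository(owner: $owner, name: $name) {
    vulnerabilityAlerts(first: 100, after: $cursor) {
      pageInfo { hasNextPage endCursor }
      nodes {
        id
        securityVulnerability {
          package { ecosystem name }
          vulnerableVersionRange
          firstPatchedVersion { identifier }
        }
      }
    }
  }
}"""  # the accepted answer's query plus `id`, a cursor variable and pageInfo

def summarize_alert(node: Dict) -> Dict:  # flatten one alert node for a triage sheet
    vuln = node["securityVulnerability"]
    return {
        "id": node["id"],  # opaque node id: a lookup key, not data in itself
        "ecosystem": vuln["package"]["ecosystem"],
        "package": vuln["package"]["name"],
        "vulnerable_range": vuln["vulnerableVersionRange"],
        "first_patched": (vuln.get("firstPatchedVersion") or {}).get("identifier"),  # None if unfixed
    }

def fetch_all_alerts(post: Callable[[str, Dict], Dict], owner: str, name: str) -> List[Dict]:
    """Walk every page; `post(query, variables)` performs the HTTP call (injectable)."""
    alerts, cursor = [], None
    while True:
        data = post(ALERTS_QUERY, {"owner": owner, "name": name, "cursor": cursor})
        conn = data["data"]["repository"]["vulnerabilityAlerts"]
        alerts.extend(summarize_alert(n) for n in conn["nodes"])
        if not conn["pageInfo"]["hasNextPage"]:
            return alerts
        cursor = conn["pageInfo"]["endCursor"]

def _page(has_next, node_id, eco, name, rng, fixed):  # constructed sample page, endpoint shape
    node = {"id": node_id, "securityVulnerability": {
        "package": {"ecosystem": eco, "name": name}, "vulnerableVersionRange": rng,
        "firstPatchedVersion": {"identifier": fixed} if fixed else None}}
    return {"data": {"repository": {"vulnerabilityAlerts": {"nodes": [node],
            "pageInfo": {"hasNextPage": has_next, "endCursor": "cur-1" if has_next else None}}}}}

SAMPLE_PAGES = [_page(True, "ALERT_ID_1", "NPM", "sample-js-lib", "< 2.3.1", "2.3.1"),
                _page(False, "ALERT_ID_2", "PIP", "sample-py-lib", "<= 0.9.0", None)]

def fake_post(query: str, variables: Dict) -> Dict:  # offline stand-in for the HTTP call
    return SAMPLE_PAGES[1 if variables["cursor"] else 0]  # a cursor means "give page 2"
```

`fetch_all_alerts(fake_post, "Naughtron", "test_sec_alerts")` returns two flattened alerts, the second with `first_patched` set to `None`.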