Fetch vulnerabilities with approaching SLAs

How to query vulnerabilities approaching deadline

Fetching Vulnerabilities Based on SLA Deadlines

To manage and prioritize vulnerabilities by their remediateByDate, use Vanta's "GET Vulnerabilities" endpoint. This guide demonstrates how to fetch vulnerabilities that are approaching their remediation deadlines, as well as those whose deadlines fall within a specified date range.

Steps:

  • GET Vulnerabilities from the Vulnerabilities endpoint
    • Filter by slaDeadlineBeforeDate and slaDeadlineAfterDate query params.


Get Vulnerabilities Endpoint

This endpoint returns a list of vulnerabilities filtered by the query parameters below. We'll use **slaDeadlineBeforeDate** and **slaDeadlineAfterDate** to narrow the list down to an SLA time range.

Endpoint

/vulnerabilities

Query parameters:

  • q: Filter vulnerabilities by a search query, such as text appearing in vulnerability details.
  • pageSize: Set the number of vulnerabilities to return in one response; here we set it to "2".
  • pageCursor: Navigate through paginated results using a cursor string provided by the server.
  • isDeactivated: Filter vulnerabilities based on whether they are deactivated; expects a boolean value.
  • externalVulnerabilityId: Filter for vulnerabilities that have a specific external ID.
  • isFixAvailable: Filter vulnerabilities to only those which have an available fix; set to "True".
  • packageIdentifier: Target vulnerabilities originating from a specific software package.
  • slaDeadlineAfterDate: Filter vulnerabilities with a "remediate by" deadline after a specified timestamp (e.g., "2024-04-02T17:14:26.718Z").
  • slaDeadlineBeforeDate: Filter vulnerabilities that need to be remediated before a specific timestamp (e.g., "2024-04-16T17:14:26.718Z").
  • severity: Filter vulnerabilities by their severity level, with possible values including "CRITICAL", "HIGH", "MEDIUM", and "LOW".
  • integrationId: Filter vulnerabilities by the vulnerability scanner or integration they are associated with.
  • includeVulnerabilitiesWithoutSlas: Include vulnerabilities in the results that do not have a specified SLA due date; expects a boolean value.
  • vulnerableAssetId: Filter vulnerabilities by the asset they affect, identified by an Asset ID.

Each of these parameters can be used to refine the API query to fetch vulnerabilities more aligned with specific criteria or reporting needs. For this task, we'll want to filter vulnerabilities by specifying deadlines:

  • **slaDeadlineBeforeDate**: Fetches vulnerabilities that are due before the specified date.
  • **slaDeadlineAfterDate**: Fetches vulnerabilities that are due after the specified date.

Get Vulnerabilities - Code Example

cURL:

```bash
curl --location 'https://api.vanta.com/v1/vulnerabilities?pageSize=2&slaDeadlineAfterDate=2024-04-02T17%3A14%3A26.718Z&slaDeadlineBeforeDate=2024-04-16T17%3A14%3A26.718Z' \
--header 'Accept: application/json' \
--header 'Authorization: Bearer _your_token_here_'
```

JavaScript (fetch):

```javascript
const myHeaders = new Headers();
myHeaders.append("Accept", "application/json");
myHeaders.append("Authorization", "Bearer _your_token_here_");

// SLA window: deadlines after the first timestamp and before the second.
const deadlineBefore = 'slaDeadlineBeforeDate=2024-04-16T17:14:26.718Z';
const deadlineAfter = 'slaDeadlineAfterDate=2024-04-02T17:14:26.718Z';
const queryParams = `?pageSize=2&${deadlineAfter}&${deadlineBefore}`;

const requestOptions = {
  method: "GET",
  headers: myHeaders,
  redirect: "follow"
};

fetch(`https://api.vanta.com/v1/vulnerabilities${queryParams}`, requestOptions)
  .then(response => {
    // fetch() resolves on HTTP errors too, so check the status before parsing.
    if (!response.ok) throw new Error(`HTTP ${response.status}`);
    return response.json();  // Parsing the response as JSON.
  })
  .then(result => console.log(result))
  .catch(error => console.error('Error:', error));
```

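Node.js (axios):

```javascript
const axios = require('axios');

// SLA window: deadlines after the first timestamp and before the second.
const deadlineBefore = 'slaDeadlineBeforeDate=2024-04-16T17:14:26.718Z';
const deadlineAfter = 'slaDeadlineAfterDate=2024-04-02T17:14:26.718Z';
const qParams = `?pageSize=2&${deadlineAfter}&${deadlineBefore}`;

const config = {
  method: 'get',
  maxBodyLength: Infinity,
  url: `https://api.vanta.com/v1/vulnerabilities${qParams}`,
  headers: {
    'Accept': 'application/json',
    'Authorization': 'Bearer _your_token_here_'
  }
};

axios.request(config)
  .then((response) => {
    console.log(JSON.stringify(response.data));
  })
  .catch((error) => {
    // Log only the status and message: the full axios error object carries
    // the request config, including the Authorization header.
    console.error(error.response ? error.response.status : '', error.message);
  });
```
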
Python (requests):

```python
import requests

# Base URL for the API endpoint
url = "https://api.vanta.com/v1/vulnerabilities"

# Query parameters as a dictionary
params = {
    'pageSize': 2,
    'slaDeadlineAfterDate': '2024-04-02T17:14:26.718Z',
    'slaDeadlineBeforeDate': '2024-04-16T17:14:26.718Z'
}

# Headers with authentication and the accepted response type
headers = {
    'Accept': 'application/json',
    'Authorization': 'Bearer _your_token_here_'
}

# Send a GET request; the timeout keeps a stalled connection from hanging the script
response = requests.get(url, headers=headers, params=params, timeout=30)

# Raise on 4xx/5xx instead of printing an error body as if it were results
response.raise_for_status()

# Print the response text
print(response.text)
```

Get Vulnerabilities - Example Response

Here's what a response might look like, showing the vulnerabilities within the specified date range:

```json
{
    "results": {
        "pageInfo": {
            "endCursor": "eyJyZW1lZGlhdGVCeSI6eyIkZGF0ZSI6IjIwMjQtMDQtMTZUMTc6MTQ6MjYuNzE4WiJ9LCJfaWQiOnsiJG9pZCI6IjY1ZjA1YjVkZWY0YTlmMDRjNDRlNTc1MiJ9fQ==",
            "hasNextPage": true,
            "hasPreviousPage": false,
            "startCursor": "eyJyZW1lZGlhdGVCeSI6eyIkZGF0ZSI6IjIwMjQtMDQtMTZUMTc6MTQ6MjYuNzE4WiJ9LCJfaWQiOnsiJG9pZCI6IjY1ZjA1YjVkZWY0YTlmMDRjNDRlNTc0OCJ9fQ=="
        },
        "data": [
            {
                "id": "65f05b5def4a9f04c44e5748",
                "name": "CVE-2021-3711",
                "description": "Alpine Linux Security Update for Open Secure Sockets Layer (OpenSSL)",
                "integrationId": "qualys",
                "packageIdentifier": "libssl1.1:1.1.1g-r0",
                "vulnerabilityType": "COMMON",
                "targetId": "65f05b57f37f4ffbd87dc20c",
                "firstDetectedDate": "2024-03-12T13:40:45.839Z",
                "lastDetectedDate": null,
                "severity": "CRITICAL",
                "cvssSeverityScore": 9.8,
                "scannerScore": null,
                "isFixable": true,
                "remediateByDate": "2024-04-16T17:14:26.718Z",
                "relatedVulns": [
                    "CVE-2021-3711"
                ],
                "relatedUrls": [],
                "externalURL": "https://qualysguard.qg4.apps.qualys.com/cs/#/assets/images/e310e1d4a8bb863aae8958caa219f63214d531da80b18b20405ed175c68e79fb",
                "deactivateMetadata": null
            },
            {
                "id": "65f05b5def4a9f04c44e5752",
                "name": "CVE-2021-3712",
                "description": "Alpine Linux Security Update for Open Secure Sockets Layer (OpenSSL)",
                "integrationId": "qualys",
                "packageIdentifier": "libssl1.1:1.1.1g-r0",
                "vulnerabilityType": "COMMON",
                "targetId": "65f05b57f37f4ffbd87dc20c",
                "firstDetectedDate": "2024-03-12T13:40:45.850Z",
                "lastDetectedDate": null,
                "severity": "CRITICAL",
                "cvssSeverityScore": 9.8,
                "scannerScore": null,
                "isFixable": true,
                "remediateByDate": "2024-04-16T17:14:26.718Z",
                "relatedVulns": [
                    "CVE-2021-3712"
                ],
                "relatedUrls": [],
                "externalURL": "https://qualysguard.qg4.apps.qualys.com/cs/#/assets/images/e310e1d4a8bb863aae8958caa219f63214d531da80b18b20405ed175c68e79fb",
                "deactivateMetadata": null
            }
        ]
    }
}
```

Get Vulnerabilities - Response Schema

Here is a schema breakdown of the JSON response, detailing each element and its type. This may be useful for understanding the structure and data types expected in the /vulnerabilities endpoint response:

results (Object): The root object containing the result data.

pageInfo (Object): Contains information related to pagination.
  • endCursor (String): A base64 encoded string that acts as a pointer to the end of the current page of results.
  • hasNextPage (Boolean): Indicates whether there is a subsequent page of results available.
  • hasPreviousPage (Boolean): Indicates whether there is a preceding page of results available.
  • startCursor (String): A base64 encoded string that acts as a pointer to the start of the current page of results.
data (Array): An array of vulnerability objects.
  • Vulnerability Object:
    • id (String): A unique identifier for the vulnerability.
    • name (String): The name or title of the vulnerability, often referencing a CVE (Common Vulnerabilities and Exposures) identifier.
    • description (String): A brief description of the vulnerability.
    • integrationId (String): Identifier for the integration or tool that detected the vulnerability.
    • packageIdentifier (String): Identifier for the software package affected by the vulnerability.
    • vulnerabilityType (String): A classification of the vulnerability type, such as "COMMON".
    • targetId (String): Identifier for the specific target or asset affected by the vulnerability.
    • firstDetectedDate (String, ISO 8601 date): The date and time when the vulnerability was first detected.
    • lastDetectedDate (String, ISO 8601 date or null): The last date and time the vulnerability was detected, if applicable.
    • severity (String): The severity level of the vulnerability (e.g., "CRITICAL").
    • cvssSeverityScore (Number): The CVSS (Common Vulnerability Scoring System) score associated with the vulnerability.
    • scannerScore (Number or null): A scoring metric used by the scanning tool, if applicable.
    • isFixable (Boolean): Indicates whether a fix is available for the vulnerability.
    • remediateByDate (String, ISO 8601 date): The date by which the vulnerability should be remediated.
    • relatedVulns (Array of Strings): List of related vulnerabilities, often CVE identifiers.
    • relatedUrls (Array): A list of URLs providing additional information about the vulnerability.
    • externalURL (String): A URL to an external site providing detailed information or a dashboard view of the vulnerability.
    • deactivateMetadata (null or Object): Any additional metadata related to the deactivation of the vulnerability.
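
The requests shown in this guide use fixed timestamps and read a single page. The following is an added example, not Vanta's own code: it computes the SLA window relative to the current time and follows pageInfo until hasNextPage is false, then orders results by deadline and severity. The function names, the VANTA_API_TOKEN environment variable, and the assumption that endCursor is the value to send back as pageCursor are not taken from the guide.

```python
import json
import os
import urllib.parse
import urllib.request
from datetime import timedelta, timezone

API_URL = "https://api.vanta.com/v1/vulnerabilities"
SEVERITY_RANK = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3}


def iso_z(dt):
    """Format an aware datetime like the guide's timestamps (2024-04-02T17:14:26.718Z)."""
    return dt.astimezone(timezone.utc).isoformat(timespec="milliseconds").replace("+00:00", "Z")


def http_get_page(params):
    """Real transport: one GET, with the bearer token read from the environment."""
    token = os.environ["VANTA_API_TOKEN"]  # hypothetical variable name
    req = urllib.request.Request(
        API_URL + "?" + urllib.parse.urlencode(params),
        headers={"Accept": "application/json", "Authorization": f"Bearer {token}"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def fetch_due_within(days, now, get_page=http_get_page, page_size=None):
    """Return every vulnerability whose remediateByDate lies between now and now + days."""
    params = {
        "slaDeadlineAfterDate": iso_z(now),
        "slaDeadlineBeforeDate": iso_z(now + timedelta(days=days)),
    }
    if page_size:
        params["pageSize"] = page_size
    found = []
    while True:
        results = get_page(params)["results"]
        found.extend(results["data"])
        info = results["pageInfo"]
        if not info["hasNextPage"]:
            break
        if info["endCursor"] == params.get("pageCursor"):
            raise RuntimeError("pagination cursor did not advance")
        # Assumption: the server's endCursor is the value pageCursor expects.
        params = {**params, "pageCursor": info["endCursor"]}
    # Earliest deadline first, then highest severity; same-format UTC strings sort as text.
    found.sort(key=lambda v: (v["remediateByDate"], SEVERITY_RANK.get(v["severity"], 99)))
    return found
```

Call it as `fetch_due_within(14, datetime.now(timezone.utc))` for everything due in the next two weeks; pass a different `get_page` callable to test against recorded responses.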