Deployment Task

This article explains how to acknowledge a vulnerability via the Aqua REST API.


When acknowledging a vulnerability, it's possible to check if any of its instances have already been acknowledged in other images, repositories, or versions. 



Deployment Steps

To uniquely identify a vulnerability, use ImageName, Vulnerability Name, and Resource or File, since the same vulnerability may appear in different repositories and/or images. Furthermore, a given combination of ImageName and Vulnerability can return multiple results, each with a different file or resource.


  • The first step is to identify and get the basic information required. To do this, query for image details, searching for the vulnerability in all registered images:

    GET /api/v2/images/<REGISTRY>/<IMAGE>/vulnerabilities?text_search=<Vulnerability>

    For example:

    http://11.11.11.11:8080/api/v2/images/Docker%20Hub/centos:6.6/vulnerabilities?text_search=CVE-2013-0743


  • We also need the image's resource information, specifically the value of the “resource_cpe”. Using the results of the previous step, query for the image resources as follows:

    GET /api/v2/images/<REGISTRY>/<IMAGE>/<TAG>/resources

    For example:

    /api/v2/images/Docker%20Hub/centos/6.6/resources?order_by=vulnerabilities


  • To acknowledge a vulnerability with the details collected above, use the following endpoint:
    POST /api/v2/risks/acknowledge
    Here is an example body:
    {
       "issues": [
          {
             "issue_type": "vulnerability",
             "issue_name": "CVE-2013-0743",
             "resource_type": "package",
             "resource_cpe": "pkg:/centos:6:nss:3.16.1-14.el6",
             "resource_name": "nss",
             "resource_version": "3.16.1-14.el",
             "registry_name": "Docker Hub",
             "image_name": "centos:6.6"
          }
       ],
       "comment": "Reason for acknowledgement"
    }


To list or verify the acknowledged vulnerabilities, use the following API call:
GET /api/v2/risks/acknowledge
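
The steps above, combined into one added example (not part of the original article and not Aqua's own code): it builds the percent-encoded search path from step 1, then assembles the POST body with one issue per affected resource, skipping any image/vulnerability/resource combination already present in the acknowledged list. The sample records are constructed, and the field names of the resources and acknowledged-list responses are assumed to mirror the POST body shown above.

```python
import json
from urllib.parse import quote, urlencode

def vuln_search_path(registry, image, vuln):
    """Step 1 path, percent-encoded ("Docker Hub" -> "Docker%20Hub")."""
    return "/api/v2/images/{}/{}/vulnerabilities?{}".format(
        quote(registry, safe=""), quote(image, safe=":"),
        urlencode({"text_search": vuln}))

def ack_key(issue):
    """Identity of one finding: image (with its registry), vulnerability, resource."""
    return (issue["registry_name"], issue["image_name"],
            issue["issue_name"], issue["resource_cpe"])

def build_ack_body(registry, image, vuln, resources, acknowledged, comment):
    """Return (body, skipped_cpes) for POST /api/v2/risks/acknowledge."""
    if not comment.strip():
        # Policy of this example, not an API rule: keep an audit trail.
        raise ValueError("acknowledgement needs a reason")
    seen = {ack_key(a) for a in acknowledged}
    issues, skipped = [], []
    for res in resources:  # one issue per affected resource
        issue = {"issue_type": "vulnerability", "issue_name": vuln,
                 "resource_type": res["resource_type"],
                 "resource_cpe": res["resource_cpe"],
                 "resource_name": res["resource_name"],
                 "resource_version": res["resource_version"],
                 "registry_name": registry, "image_name": image}
        if ack_key(issue) in seen:
            skipped.append(issue["resource_cpe"])  # already acknowledged
        else:
            seen.add(ack_key(issue))
            issues.append(issue)
    return {"issues": issues, "comment": comment}, skipped

# Constructed sample data. Field names mirror the POST body; the real
# response shapes of the resources and acknowledge endpoints are assumed.
SAMPLE_RESOURCES = [
    {"resource_type": "package", "resource_name": "nss",
     "resource_version": "3.16.1-14.el",
     "resource_cpe": "pkg:/centos:6:nss:3.16.1-14.el6"},
    {"resource_type": "package", "resource_name": "nss-util",  # constructed
     "resource_version": "3.16.1-3.el6",
     "resource_cpe": "pkg:/centos:6:nss-util:3.16.1-3.el6"},
]
SAMPLE_ACKED = [{"registry_name": "Docker Hub", "image_name": "centos:6.6",
                 "issue_name": "CVE-2013-0743",
                 "resource_cpe": "pkg:/centos:6:nss:3.16.1-14.el6"}]

if __name__ == "__main__":
    body, skipped = build_ack_body("Docker Hub", "centos:6.6", "CVE-2013-0743",
                                   SAMPLE_RESOURCES, SAMPLE_ACKED, "Reason for acknowledgement")
    print(json.dumps(body, indent=2), "already acknowledged:", skipped)
```

Reviewing the skipped list before sending the request shows which resources were already acknowledged, so the new acknowledgement covers only what was intended.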