Feedback about Security Vulnerability API

January 9, 2024

First of all the Vulnerability portal (https://www.atlassian.com/trust/data-protection/vulnerabilities) is a great starting point to keep track of vulnerabilities.

Recently I've played around with the Security Vulnerability API (https://developer.atlassian.com/platform/security-vulnerability-api/). Mainly put them into Assets / Insight.

Here is some feedback / questions / improvements for the API that come to my mind:

Entries should have a technical ID for further processing the correct entries. At the moment I've used cve_id and atl_tracking_url to identify unique entries. In the example the same CVE has two BAM issues with different summaries. So the CVE itself is also not unique for a product
Example:
- https://api.atlassian.com/vuln-transparency/v1/cves?cve_ids=CVE-2023-28709&products=Bamboo+Data+Center%2CBamboo+Server
- https://jira.atlassian.com/browse/CONFSERVER-91258
  Looking at issue history the CVE ID has changed from CVE-2023-22512 to CVE-2024-21679
CVE details output format (https://developer.atlassian.com/platform/security-vulnerability-api/rest/api-group-cves/#api-group-cves) can the specified as html, plaintext and adf. Can someone update the API documentation?
Example: https://api.atlassian.com/vuln-transparency/v1/cves?format=html&cve_ids=CVE-2022-1471
returns "400_BAD_REQUEST invalid format: html".
Also adf works only in small letters and plaintext works only as text.
Jira Core Data Center isn't a product / license that exists as of today :)
affected_products contains just the Marketing names. It would be great to also have the application / product keys propogated to a separate attribute that are used in the Marketplace API (https://developer.atlassian.com/platform/marketplace/rest/v2) instead of only human readable names.
affected_products not always accurate looking at CVE-2023-42794 (https://jira.atlassian.com/browse/JSWSERVER-25400) if the problem itself is in Apache Tomcat, then Jira Core and Jira Service Management are also affected by this. Not sure how I would solve this because technically it doesn't matter... Server / Data Center is the same deployment package and Jira Software & Jira Service Management are technically still apps just bundled into a single deployment that runs on Jira "Core without bundled products". As JSW and JSM updates are distributed only with Jira Core, Jira Core should be always an affected application. But might be different again when e.g. the problem is in Assets, Advanced Roadmaps, Automation for Jira or any other bundled app.
Getting the affected & fixed versions isn't perfect...
Example: https://api.atlassian.com/vuln-transparency/v1/products?products=Bamboo%20Server%2CBamboo%20Data%20Center&cve_ids=CVE-2023-28709
Remember I filtered for a specific CVE for a product...

I'll have the feeling after looking at https://www.atlassian.com/trust/data-protection/vulnerabilities that it's mixed up with Confluence in the response also it wasn't requested?
Having a vulnerability type attribute (e.g. overflow, memory corruption, SQL injection, etc) would be nice for further filtering

Little feedback for the portal itself:

Ability to directly link to a vulnerability

And in general it would be great if there would be an initiative to also open this to app vendors maybe as part of the Marketplace Security Bug Bounty Program.

Kind Regards,
Tim

Product Q&A

Community resources

Support

Top groups

Community resources

Support

Learn

Community resources

Support

Events

Community resources

Support

Get product advice from experts

Join a community group

Advance your career with learning paths

Earn badges and rewards

Connect and share ideas at events

Feedback about Security Vulnerability API

2 answers

Suggest an answer

Was this helpful?

Thanks!

TAGS

Atlassian Community Events