Countermeasures

Get all Countermeasures of a project

This endpoint returns a list of the Countermeasure resources associated with the project with id project_id.

GET /api/v2/projects/{project_id}/tasks/

GET /api/v2/projects/1/tasks/ HTTP/1.1
Accept: application/json
Authorization: Token "YOUR SDE ACCESS TOKEN"
HTTP/1.1 200 OK
Content-Type: application/json

{
    "facets": {},
    "results": [{
        "id": "1-T2",
        "task_id": "T2",
        "url": "http://example.com/bunits/new-business-unit/...",
        "title": "Secure forgotten password",
        "text": "Insecure forgotten password and password reset...",
        "priority": 8,
        "problem": "P526",
        "phase": "X1",
        "manually_added_from_library": false,
        "project_specific": false,
        "relevant": true,
        "relevant_via_survey": true,
        "accepted": true,
        "assigned_to": [],
        "became_relevant": "2016-02-16T16:47:02.997851-05:00",
        "updated": "2020-03-26T22:41:17.922809-04:00",
        "updater": 7,
        "library_task_created": "2015-06-16T19:36:57.863684Z",
        "library_task_updated": "2015-06-16T19:36:57.836874Z",
        "verification_status": "none",
        "status": "TS2",
        "status_updated": "2020-03-26T22:41:17.922809-04:00",
        "note_count": 0,
        "artifact_proxy": null
    }]
}

Expand parameters

See the Expand Parameters section for more details.

Parameter Description
text Description field is expanded into content and amendments sub-fields.
status Status field is expanded into id, meaning, icon, name and slug sub-fields.
phase Phase field is expanded into id, name, slug, description and tip sub-fields.
problem Weakness field is expanded into id, title, text, cwe, and risk rating sub-fields.
updater Updater field is expanded into id, first name, last name, email, role, and active status sub-fields.
tags Tags field is expanded into library-level & project-level tags (requires tags to be included).

GET /api/v2/projects/1/tasks/?include=tags&expand=text,status,phase,problem,updater,tags HTTP/1.1
Accept: application/json
Authorization: Token "YOUR SDE ACCESS TOKEN"
HTTP/1.1 200 OK
Content-Type: application/json

{
    "facets": {},
    "results": [{
        "id": "1-T2",
        "task_id": "T2",
        "url": "http://example.com/bunits/new-business-unit/...",
        "tags": {
            "library_tags": ["foo", "bar"],
            "project_tags": ["baz"]
        },
        "title": "Secure forgotten password",
        "text": {
            "description": "Insecure forgotten password and password reset...",
            "amendments": []
        },
        "priority": 8,
        "problem": {
            "id": "P526",
            "title": "P526: Weak Password Recovery Mechanism...",
            "text": "It is common for an application...",
            "cwe": [
                {
                    "url": "http://example.com/640",
                    "id": 640,
                    "title": "Weak Password Recovery..."
                }
            ],
            "risk_rating": 7
        },
        "phase": {
            "id": "X1",
            "name": "Requirements",
            "slug": "requirements",
            "description": "Application security requirements...",
            "tip": "One-time Countermeasures that you can verify...",
            "ordinal": 2,
            "active": true,
            "is_custom": false,
            "retain": false,
            "db_id": 1
        },
        "manually_added_from_library": false,
        "project_specific": false,
        "relevant": true,
        "relevant_via_survey": true,
        "accepted": true,
        "assigned_to": [],
        "became_relevant": "2016-02-16T16:47:02.997851-05:00",
        "updated": "2020-03-26T22:41:17.922809-04:00",
        "updater": {
            "first_name": "Hamish",
            "last_name": "Stout",
            "is_active": true,
            "email": "hamish.stout@example.com",
            "role": {
                "id": "UR1",
                "name": "User"
            },
            "id": 7
        },
        "library_task_created": "2015-06-16T19:36:57.863684Z",
        "library_task_updated": "2015-06-16T19:36:57.836874Z",
        "verification_status": "none",
        "status": {
            "id": "TS2",
            "meaning": "TODO",
            "icon": "clock-o",
            "name": "Incomplete",
            "requires_comment": false,
            "slug": "TODO"
        },
        "status_updated": "2020-03-26T22:41:17.922809-04:00",
        "note_count": 0,
        "artifact_proxy": null
    }]
}

Include parameters

See the Include Parameters section for more details.

Parameter Description
how_tos Includes a list of applicable How-tos.
last_note Includes the last Countermeasure note.
last_verification Includes the last verification note.
problem Includes the Weakness that the Countermeasure is related to.
related Includes a list of related Countermeasures.
tags Includes a list of tags associated to the Countermeasure (both Library & project).
regulation_sections Includes a list of regulation sections to which this Countermeasure belongs.
references Includes a list of Countermeasure references linked to this Countermeasure.
training Includes a list of training courses/modules linked to this Countermeasure.
reason_for_inclusion Includes the reason for a Countermeasure's inclusion within a project.

GET /api/v2/projects/1/tasks/?include=last_note,last_verification,tags,related,problem,how_tos,regulation_sections,references,training,reason_for_inclusion HTTP/1.1
Accept: application/json
Authorization: Token "YOUR SDE ACCESS TOKEN"
HTTP/1.1 200 OK
Content-Type: application/json

{
    "facets": {},
    "results": [{
        "id": "1-T2",
        "task_id": "T2",
        "url": "http://example.com/bunits/new-business-unit/...",
        "title": "Secure forgotten password",
        "text": "Insecure forgotten password and password reset...",
        "priority": 8,
        "phase": "Requirements",
        "last_note": {
          "automatic": false,
          "text": "Countermeasure Note",
          "id": 2,
          "created": "2018-02-21T15:09:26.321072-05:00",
          "updater": "admin@example.com",
          "updated": "2018-02-21T15:09:26.321072-05:00"
        },
        "last_verification": {
          "id": 2,
          "automatic": false,
          "created": "2018-02-21T15:09:38.748141-05:00",
          "status": "pass",
          "finding_ref": "Verification Reference",
          "updated": "2018-02-21T15:09:38.748141-05:00",
          "updater": "admin@example.com"
        },
        "manually_added_from_library": false,
        "project_specific": false,
        "relevant": true,
        "relevant_via_survey": true,
        "accepted": true,
        "assigned_to": [],
        "became_relevant": "2016-02-16T16:47:02.997851-05:00",
        "updated": "2015-06-16T19:37:44.710100Z",
        "updater": 7,
        "library_task_created": "2015-06-16T19:36:57.863684Z",
        "library_task_updated": "2015-06-16T19:36:57.836874Z",
        "verification_status": "pass",
        "status": "TS2",
        "status_updated": null,
        "note_count": 2,
        "artifact_proxy": null,
        "tags": ["tag1", "tag2"],
        "related": [
            {
                "id": "T227",
                "phase": "Testing",
                "title": "Verify that application's access to database is restricted",
                "url": "http://example.com/bunits/test-bu/codebot/bug-fix-81028-rc3/tasks/phase/testing/2-T227"
            },
            {
                "id": "T14",
                "phase": "Architecture & Design",
                "title": "Enforce the Principle of Least Privilege",
                "url": "http://example.com/bunits/test-bu/codebot/bug-fix-81028-rc3/tasks/phase/architecture-design/2-T14"
            }
        ],
        "problem": {
            "id": "P526",
            "title": "P526: Weak Password Recovery Mechanism...",
            "text": "It is common for an application...",
            "cwe": [
                {
                    "url": "http://example.com/640",
                    "id": 640,
                    "title": "Weak Password Recovery..."
                }
            ],
            "risk_rating": 7
        },
        "how_tos": [
            {
                "id": "I131",
                "title": "Manually with browser",
                "slug": "test-account-lockout-manually-browser",
                "url": "http://a7069ccda519b00c4/....",
                "text": "1. Open your web browser ..."
            }
        ],
        "regulation_sections": [
            {
                "description": "Denial of service (DoS) protection and working in a degraded mode during DoS attacks.",
                "id": "RS1026",
                "name": "CR2.7 (L3 and higher)",
                "regulation_id": "CR45",
                "regulation_name": "ANSI/ISA 62443-4-2"
            },
            {
                "description": "Denial of service (DoS) protection and working in a degraded mode during DoS attacks.",
                "id": "RS642",
                "name": "SR2.7 (L3 and higher)",
                "regulation_id": "CR39",
                "regulation_name": "ANSI/ISA 62443-3-3"
            }
        ],
        "references": [
            {
              "id": 10,
              "issue_tracker_connection": 1,
              "reference": "47300",
              "name": "US451",
              "link": "https://sdetest.atlassian.net/rest/api/2/issue/47300"
            }
        ],
        "training": [
            {
              "title": "OWASP Top 10 2013",
              "id": "TR1",
              "modules": [
                  {
                     "title": "Cross-site request forgery (CSRF)",
                     "id": "M5",
                     "link": "/training/module/05_CSRF/",
                     "completed": false
                  },
                  {
                     "title": "Broken authentication and session management",
                     "id": "M7",
                     "link": "/training/module/07_Broken_Auth/",
                     "completed": true
                  }
              ]
            },
            {
              "title": "Development",
              "id": "TR6",
              "modules": [
                  {
                     "title": "Software Development, Operation, Maintenance & Disposal",
                     "id": "M8",
                     "link": "/training/module/08_Software_dev/",
                     "completed": true
                  }
              ]
            }
        ],
        "reason_for_inclusion": {
            "reason": "problem_match_and_task_match",
            "explanation": "This Countermeasure's rules are satisfied by any of the following block(s) of survey answers",
            "relevant_rules": [
                [
                    {
                        "id": "A734",
                        "display_text": "Changes to authentication",
                        "negated": false,
                        "hidden": true,
                        "section_slug": null,
                        "subsection_id": null,
                        "question_id": null,
                        "url": null,
                        "implying_answers": []
                    },
                    {
                        "id": "A758",
                        "display_text": "Features and Functions > Authentication > Authentication Features > Has direct or third party authentication for end users, devices or nodes",
                        "negated": false,
                        "hidden": false,
                        "section_slug": "app-features",
                        "subsection_id": "Q199",
                        "question_id": "Q120",
                        "url": "http://example.com/bunits/test-bu/gigasrc/version-8844-rc2/tasks/survey/questions/app-features/Q199/",
                        "implying_answers": [
                            {
                                "id": "A4",
                                "text": "Web application",
                                "url": "http://example.com/bunits/test-bu/gigasrc/version-8844-rc2/tasks/survey/questions/app-general/Q199/",
                                "selecting_user_name": "John Doe"
                            }
                        ]
                    }
                ]
            ],
            "component_reason": "component_added_task",
            "component_explanation": "This countermeasure is mapped to the following Diagram components.",
            "introducing_components": [
                {
                    "id": "SC29",
                    "title": "Web Application - Backend",
                    "mapped_answer": {
                        "id": "A4",
                        "text": "Web application",
                        "url": "http://example.com/bunits/test-bu/gigasrc/version-8844-rc2/tasks/survey/questions/app-general/Q199/",
                        "selecting_user_name": "John Doe"
                    }
                }
            ]
        }
    }]
}

Filter parameters

You can filter Countermeasures by their relevance and whether or not they have been accepted into a project by a project lead. If no filters are passed, the default is to return accepted Countermeasures to match with the list shown in the web application.

Parameter Expected values Description Custom Field Lookup support
accepted true, false Filter by Countermeasure's accepted state supports __in only
assigned_to email Filter Countermeasures by assigned user's email/username Yes
category string Filter by category name (internal machine tag names) Yes
library_task_id standard item id (T21) Filter by library Countermeasure id Yes
phase phase slug (development, architecture-design) Filter by phase Yes
priority priority value (1-10) Filter by Countermeasure priority Yes
relevant true, false Filter by Countermeasure relevance No
relevant_via_survey true, false Filter by Countermeasures that were made relevant via survey No
regulation regulation item ID (REG53) Filter Countermeasures by the regulation they belong to Yes
risk_relevant true, false Filter by Countermeasure risk policy relevance No
source default, custom, manual, project Filter by Countermeasure source (built-in Countermeasure, custom Countermeasure, manually added Library Countermeasure, project-specific Countermeasure) supports __in only
status status item id (TS1) Filter by Countermeasure status Yes
tag tag name Filter by tags on Countermeasure (standard and Countermeasure-level tags). No
verification no_dynamic, no_static, pass, partial, fail, none Filter by Countermeasure verification status No

The following table defines how the accepted and relevant fields affect project Countermeasures.

accepted relevant Result
false false Countermeasure is no longer part of the project.
true false Countermeasure is part of the project, but not relevant. Will be flagged for removal by the 'new content updates' widget.
false true Countermeasure is not part of the project, but is relevant. Will be flagged for addition by the 'new content updates' widget.
true true Countermeasure is part of the project and relevant, the usual case.

GET /api/v2/projects/1/tasks/?accepted=true&relevant=false HTTP/1.1
Accept: application/json
Authorization: Token "YOUR SDE ACCESS TOKEN"
HTTP/1.1 200 OK
Content-Type: application/json

{
    "facets": {},
    "results": [{
        "id": "1-T2",
        "task_id": "T2",
        "url": "http://example.com/bunits/new-business-unit/...",
        "title": "Secure forgotten password",
        "text": "Insecure forgotten password and password reset...",
        "priority": 8,
        "problem": "P526",
        "phase": "Requirements",
        "manually_added_from_library": false,
        "project_specific": false,
        "relevant": false,
        "accepted": true,
        "assigned_to": [],
        "became_relevant": "2016-02-16T16:47:02.997851-05:00",
        "updated": "2020-03-26T22:41:17.922809-04:00",
        "updater": 7,
        "library_task_created": "2015-06-16T19:36:57.863684Z",
        "library_task_updated": "2015-06-16T19:36:57.836874Z",
        "verification_status": "none",
        "status": "TS2",
        "status_updated": "2020-03-26T22:41:17.922809-04:00",
        "note_count": 0,
        "artifact_proxy": null
    }]
}

Facets parameter

Countermeasures can return facets that correspond to properties of the Countermeasures being queried. Currently, the Countermeasure endpoint performs basic faceting: it reports the relevant phases and the number of Countermeasures within each, based on the current query filters. The parameter accepts either include or only. If no facets parameter is provided, an empty facets object is returned. Facets respect all filters applied to the query, including search.

Facets Param Value Description
include Facets object is computed
only Facets object is computed, results are not returned

GET /api/v2/projects/1/tasks/?facets=only&accepted=true&relevant=false HTTP/1.1
Accept: application/json
Authorization: Token "YOUR SDE ACCESS TOKEN"
HTTP/1.1 200 OK
Content-Type: application/json

{
    "facets": {
        "phases": {
            "development": 15,
            "requirements": 22,
            "architecture-design": 10,
            "testing": 42,
            "deployment": 1
        }
    },
    "results": []
}
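The Expand, Include, Filter and Facets parameters above compose into a single query string, and the accepted/relevant table is the rule a client needs to sort a response into "in the project", "pending addition" and "pending removal". The following Python is an added example (not code from the SD Elements documentation or client): it builds the list URL, enforces the documented constraints (facets is include or only; expand=tags needs include=tags), and triages a response by the four accepted/relevant states. BASE_URL and SAMPLE_RESPONSE are constructed for the example; the response fields follow the ones shown in this page.

```python
"""Query helpers for GET /api/v2/projects/{project_id}/tasks/.

Added example, not code from the SD Elements API documentation or client.
BASE_URL and SAMPLE_RESPONSE are constructed for the example; the response
shape follows the fields shown in the documentation.
"""
import json
from urllib.parse import urlencode, urljoin

BASE_URL = "https://sde.example.com"  # assumed host, not from the docs

FACETS_VALUES = ("include", "only")


def _filter_value(value):
    """Render a filter value the way the query string expects (true/false, comma lists)."""
    if isinstance(value, bool):
        return "true" if value else "false"
    if isinstance(value, (list, tuple, set)):
        return ",".join(str(v) for v in value)  # e.g. source__in=custom,project
    return str(value)


def countermeasure_list_url(project_id, include=(), expand=(), facets=None, **filters):
    """Build the list URL with include, expand, facets and filter parameters.

    Filters are emitted in sorted order so the same query always yields the
    same URL (useful for audit logs and request caching).
    """
    if facets is not None and facets not in FACETS_VALUES:
        raise ValueError("facets must be one of %r" % (FACETS_VALUES,))
    if "tags" in expand and "tags" not in include:
        # Expanding tags requires tags to be included (see Expand parameters).
        raise ValueError("expand=tags requires include=tags")
    params = []
    if include:
        params.append(("include", ",".join(include)))
    if expand:
        params.append(("expand", ",".join(expand)))
    if facets is not None:
        params.append(("facets", facets))
    for key in sorted(filters):
        params.append((key, _filter_value(filters[key])))
    url = urljoin(BASE_URL, "/api/v2/projects/%d/tasks/" % int(project_id))
    return url + ("?" + urlencode(params, safe=",") if params else "")


# The four accepted/relevant states from the table in the Filter parameters section.
STATES = {
    (False, False): "removed",              # no longer part of the project
    (True, False): "flagged_for_removal",   # in the project, no longer relevant
    (False, True): "flagged_for_addition",  # relevant, not yet accepted by a lead
    (True, True): "active",                 # in the project and relevant
}


def triage(results):
    """Group Countermeasure ids by their accepted/relevant state."""
    buckets = {name: [] for name in STATES.values()}
    for cm in results:
        state = STATES[(bool(cm["accepted"]), bool(cm["relevant"]))]
        buckets[state].append(cm["id"])
    return buckets


def needs_verification(results):
    """Active Countermeasures whose verification_status is anything but pass."""
    return [cm["id"] for cm in results
            if cm["accepted"] and cm["relevant"] and cm.get("verification_status") != "pass"]


# Constructed sample response modelled on the documented fields (not real data).
SAMPLE_RESPONSE = json.loads("""
{
  "facets": {"phases": {"requirements": 2, "testing": 1}},
  "results": [
    {"id": "1-T2", "task_id": "T2", "title": "Secure forgotten password",
     "accepted": true, "relevant": true, "verification_status": "none"},
    {"id": "1-T21", "task_id": "T21",
     "title": "Ensure Confidential Data Is Sent Over an Encrypted Channel",
     "accepted": true, "relevant": false, "verification_status": "pass"},
    {"id": "1-T227", "task_id": "T227",
     "title": "Verify that application's access to database is restricted",
     "accepted": false, "relevant": true, "verification_status": "none"}
  ]
}
""")

if __name__ == "__main__":
    print(countermeasure_list_url(1, include=("tags",), expand=("text", "tags"),
                                  facets="include", accepted=True, relevant=False))
    print(triage(SAMPLE_RESPONSE["results"]))
    print(needs_verification(SAMPLE_RESPONSE["results"]))
```

Because the default query returns only accepted Countermeasures, a client that wants the "flagged for addition" bucket has to ask for it explicitly (accepted=false&relevant=true), or use the __in lookup the table permits for accepted; the builder above passes such filters through unchanged.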

Get a specific Countermeasure

This endpoint retrieves a single Countermeasure resource, as specified by the id parameter.

GET /api/v2/projects/{project_id}/tasks/{task_id}/

GET /api/v2/projects/1/tasks/1-T2/ HTTP/1.1
Accept: application/json
Authorization: Token "YOUR SDE ACCESS TOKEN"
HTTP/1.1 200 OK
Content-Type: application/json

{
    "accepted": true,
    "manually_added_from_library": false,
    "project_specific": false,
    "artifact_proxy": "ABC-XYZ",
    "assigned_to": [
        {
            "first_name": "Admin",
            "last_name": "Testerton",
            "is_active": true,
            "email": "admin@example.com",
            "role": {
                "id": "UR1",
                "name": "User"
            },
            "id": 1
        }
    ],
    "became_relevant": "2016-02-16T16:47:02.997851-05:00",
    "text": "Insecure forgotten password.",
    "id": "1-T2",
    "library_task_created": "2010-10-20T17:46:50Z",
    "library_task_updated": "2015-05-07T18:58:26.732000Z",
    "note_count": 0,
    "phase": "Requirements",
    "priority": "8",
    "problem": "P526",
    "relevant": true,
    "relevant_via_survey": true,
    "status": "TS2",
    "status_updated": "2020-03-26T22:41:17.922809-04:00",
    "task_id": "T2",
    "title": "Secure forgotten password",
    "updated": "2020-03-26T22:41:17.922809-04:00",
    "updater": 7,
    "url": "http://example.com/bunits/bu1/app1/proj1/tasks/phase/requirements/1-T2",
    "verification_status": "none"
}

Create a new project-specific Countermeasure

Creates a new Countermeasure resource that is project-specific.

POST /api/v2/projects/{project_id}/tasks/

URL Parameters

Parameter Description
project_id The id of the project the new Countermeasure belongs to

Payload

Fields Required Description
artifact_proxy No Arbitrary string which identifies a synchronized Issue Tracker issue.
assigned_to No A list of emails for users that belong to the project.
phase Yes The id of a phase.
priority Yes The priority value from 0-10.
problem No The id of a Weakness applicable to the project. If unspecified, defaults to the Always Applicable Weakness.
status No The id of a status.
text Yes The description of the new Countermeasure.
title Yes The title of the new Countermeasure.
tags No A list of tags for the Countermeasure.

POST /api/v2/projects/1/tasks/ HTTP/1.1
Accept: application/json
Authorization: Token "YOUR SDE ACCESS TOKEN"

{
    "artifact_proxy": "ABC-XYZ",
    "assigned_to": ["admin@example.com"],
    "phase": "X1",
    "priority": 9,
    "problem": "P526",
    "status": "TS1",
    "tags": ["tag1", "tag2"],
    "text": "Countermeasure description",
    "title": "Project-specific Countermeasure"
}
HTTP/1.1 201 CREATED
Content-Type: application/json

{
    "accepted": true,
    "manually_added_from_library": false,
    "project_specific": true,
    "artifact_proxy": "ABC-XYZ",
    "assigned_to": [
        {
            "first_name": "Admin",
            "last_name": "Testerton",
            "is_active": true,
            "email": "admin@example.com",
            "role": {
                "id": "UR1",
                "name": "User"
            },
            "id": 1
        }
    ],
    "became_relevant": "2016-02-16T16:47:02.997851-05:00",
    "text": "Countermeasure description",
    "id": "1-PT1",
    "library_task_created": "2015-05-07T18:58:26.732000Z",
    "library_task_updated": "2015-05-07T18:58:26.732000Z",
    "note_count": 0,
    "phase": "X1",
    "priority": "9",
    "problem": "P526",
    "relevant": true,
    "relevant_via_survey": false,
    "status": "TS1",
    "status_updated": null,
    "tags": ["tag1", "tag2"],
    "task_id": "PT1",
    "title": "Project-specific Countermeasure",
    "updater": 7,
    "updated": "2015-05-07T18:58:26.732000Z",
    "url": "http://example.com/.../1-PT1",
    "verification_status": "none"
}

Create a new Countermeasure from an existing Library Countermeasure

Add a Library Countermeasure to a project. Only Library Countermeasures that are not already applicable to the project can be added this way; Countermeasures the survey has already made relevant are part of the project already. A Countermeasure added this way is returned with manually_added_from_library set to true and relevant set to false.

POST /api/v2/projects/{project_id}/tasks/

URL Parameters

Parameter Description
project_id The id of the project the new Countermeasure belongs to

Payload

Fields Required Description
artifact_proxy No Arbitrary string which identifies a synchronized Issue Tracker issue
assigned_to No A list of emails for users that belong to the project
status No The id of a status
task_id Yes The id of the Library Countermeasure to add to the project.
tags No A list of tags that will be added to this Countermeasure for this project only.

POST /api/v2/projects/1/tasks/ HTTP/1.1
Accept: application/json
Authorization: Token "YOUR SDE ACCESS TOKEN"

{
    "task_id": "T21"
}
HTTP/1.1 201 CREATED
Content-Type: application/json

{
    "accepted": true,
    "manually_added_from_library": true,
    "project_specific": false,
    "artifact_proxy": "ABC-XYZ",
    "assigned_to": [
        {
            "first_name": "Admin",
            "last_name": "Testerton",
            "is_active": true,
            "email": "admin@example.com",
            "role": {
                "id": "UR1",
                "name": "User"
            },
            "id": 1
        }
    ],
    "became_relevant": "2016-02-16T16:47:02.997851-05:00",
    "text": "Countermeasure description",
    "id": "1-T21",
    "library_task_created": "2015-05-07T18:58:26.732000Z",
    "library_task_updated": "2015-05-07T18:58:26.732000Z",
    "note_count": 0,
    "phase": "X1",
    "priority": "8",
    "problem": "P712",
    "relevant": false,
    "status": "TS1",
    "status_updated": null,
    "task_id": "T21",
    "title": "Ensure Confidential Data Is Sent Over an Encrypted Channel",
    "updater": 7,
    "updated": "2015-05-07T18:58:26.732000Z",
    "url": "http://example.com/.../1-T21",
    "verification_status": "none"
}

Update a specific Countermeasure

Updates a single Countermeasure resource, as specified by the project_id and Countermeasure id parameters.

PATCH /api/v2/projects/{project_id}/tasks/{id}/

URL Parameters

Parameter Description
project_id The id of the project this Countermeasure belongs to
id The id of the Countermeasure to modify

Payload

Fields Required Description
artifact_proxy No Arbitrary string which identifies a synchronized Issue Tracker issue.
assigned_to No A list of emails for users that belong to the project.
phase No The id of a phase. Available only if the updated Countermeasure is a project-specific Countermeasure.
priority No The priority value from 0-10. Available only if the updated Countermeasure is a project-specific Countermeasure.
problem No The id of a Weakness applicable to the project. Available only if the updated Countermeasure is a project-specific Countermeasure.
status No The id of a status.
status_note No Create a note related to the status change.
tags No A list of tags that will be set for this Countermeasure for this project only.
text No The description of the Countermeasure. Available only if the updated Countermeasure is a project-specific Countermeasure.
title No The title of the Countermeasure. Available only if the updated Countermeasure is a project-specific Countermeasure.

PATCH /api/v2/projects/1/tasks/1-T2/ HTTP/1.1
Accept: application/json
Authorization: Token "YOUR SDE ACCESS TOKEN"

{
    "artifact_proxy": "ABC-XYZ",
    "assigned_to": ["user1@example.com", "user2@example.com"],
    "problem": "P526",
    "status": "TS1",
    "tags": ["tag1", "tag2"]
}
HTTP/1.1 200 OK
Content-Type: application/json

{
    "accepted": true,
    "manually_added_from_library": false,
    "project_specific": false,
    "artifact_proxy": "ABC-XYZ",
    "assigned_to": [
        {
            "first_name": "Admin",
            "last_name": "Testerton",
            "is_active": true,
            "email": "admin@example.com",
            "role": {
                "id": "UR1",
                "name": "User"
            },
            "id": 1
        }
    ],
    "became_relevant": "2016-02-16T16:47:02.997851-05:00",
    "text": "Insecure forgotten password.",
    "id": "1-T2",
    "library_task_created": "2010-10-20T17:46:50Z",
    "library_task_updated": "2015-05-07T18:58:26.732000Z",
    "note_count": 0,
    "phase": "X1",
    "priority": "8",
    "problem": "P526",
    "relevant": true,
    "relevant_via_survey": true,
    "status": "TS1",
    "status_updated": "2020-03-26T22:41:17.922809-04:00",
    "task_id": "T2",
    "tags": ["tag1", "tag2"],
    "title": "Secure forgotten password",
    "updated": "2020-03-26T22:41:17.922809-04:00",
    "updater": 7,
    "url": "http://example.com/.../1-T2",
    "verification_status": "none"
}

Delete a Countermeasure

Delete a single Countermeasure resource, as specified by the project_id and Countermeasure id parameters.

Only manually added Library Countermeasures and project-specific Countermeasures may be deleted.

DELETE /api/v2/projects/{project_id}/tasks/{id}/

URL Parameters

Parameter Description
project_id The id of the project this Countermeasure belongs to
id The id of the Countermeasure to delete

DELETE /api/v2/projects/2/tasks/2-T21/ HTTP/1.1
Accept: application/json
Authorization: Token "YOUR SDE ACCESS TOKEN"
HTTP/1.1 204 NO CONTENT
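The create, update and delete sections above all share one request shape: a Token header, a JSON payload, and a handful of rules that the client can check before sending (priority within 0-10, the deletion restriction to manually added and project-specific Countermeasures). The following Python is an added example, not SD Elements client code: it builds those write requests with urllib, refuses to put the token on a non-HTTPS URL, applies the client-side checks, and keeps the token out of anything that gets logged. The host, the SDE_ACCESS_TOKEN environment variable and the Countermeasure records are assumptions of the example; the paths and payload fields follow this page.

```python
"""Authenticated write requests for the Countermeasure endpoint (create, update, delete).

Added example, not SD Elements client code. The host, the SDE_ACCESS_TOKEN
environment variable and the Countermeasure records are constructed; the
paths, payload fields and the deletion rule follow the documentation.
"""
import json
import os
import urllib.request
from urllib.parse import urlsplit

BASE_URL = "https://sde.example.com"  # assumed host, not from the docs


def safe_base_url(url):
    """An access token should only ever travel over TLS."""
    parts = urlsplit(url)
    return parts.scheme == "https" and bool(parts.netloc)


def build_request(token, method, path, payload=None, base_url=BASE_URL):
    """Return a urllib Request carrying the Token header and an optional JSON body."""
    if not safe_base_url(base_url):
        raise ValueError("refusing to send an access token to a non-HTTPS base URL")
    if not token:
        raise ValueError("SDE access token is missing")
    headers = {"Accept": "application/json", "Authorization": "Token " + token}
    data = None
    if payload is not None:
        data = json.dumps(payload).encode("utf-8")
        headers["Content-Type"] = "application/json"
    return urllib.request.Request(base_url + path, data=data, headers=headers, method=method)


def create_project_specific(token, project_id, title, text, phase, priority, **optional):
    """POST a project-specific Countermeasure (phase, priority, text, title are required)."""
    if not 0 <= int(priority) <= 10:
        raise ValueError("priority must be within 0-10")
    payload = {"title": title, "text": text, "phase": phase, "priority": int(priority)}
    payload.update(optional)  # artifact_proxy, assigned_to, problem, status, tags
    return build_request(token, "POST", "/api/v2/projects/%d/tasks/" % int(project_id), payload)


def add_from_library(token, project_id, library_task_id, **optional):
    """POST an existing Library Countermeasure (e.g. T21) into the project."""
    payload = {"task_id": library_task_id}
    payload.update(optional)  # artifact_proxy, assigned_to, status, tags
    return build_request(token, "POST", "/api/v2/projects/%d/tasks/" % int(project_id), payload)


def set_status(token, project_id, cm_id, status, note=None, assigned_to=None):
    """PATCH the status of a Countermeasure, attaching a status_note when given."""
    payload = {"status": status}
    if note:
        payload["status_note"] = note
    if assigned_to is not None:
        payload["assigned_to"] = list(assigned_to)
    path = "/api/v2/projects/%d/tasks/%s/" % (int(project_id), cm_id)
    return build_request(token, "PATCH", path, payload)


def can_delete(cm):
    """Only manually added Library and project-specific Countermeasures may be deleted."""
    return bool(cm.get("manually_added_from_library") or cm.get("project_specific"))


def delete_countermeasure(token, project_id, cm):
    """DELETE a Countermeasure record, refusing built-in ones client-side."""
    if not can_delete(cm):
        raise ValueError("%s is a built-in Countermeasure and cannot be deleted" % cm["id"])
    path = "/api/v2/projects/%d/tasks/%s/" % (int(project_id), cm["id"])
    return build_request(token, "DELETE", path)


def describe(req):
    """Loggable summary of a request; the Authorization header is deliberately omitted."""
    return {"method": req.get_method(), "url": req.full_url,
            "body": json.loads(req.data) if req.data else None}


def send(req, timeout=30):
    """Perform the request; returns (status, parsed JSON or None for 204 NO CONTENT)."""
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        body = resp.read()
        return resp.status, (json.loads(body) if body else None)


if __name__ == "__main__":
    token = os.environ.get("SDE_ACCESS_TOKEN")  # never hard-code the token
    if not token:
        raise SystemExit("set SDE_ACCESS_TOKEN in the environment first")
    req = set_status(token, 1, "1-T2", "TS1", note="Reviewed password reset flow")
    print(describe(req))  # send(req) would perform the PATCH
```

The can_delete check mirrors the rule stated for DELETE: a built-in Countermeasure that the survey made relevant cannot be deleted, only filtered out of view, so the client rejects the call rather than relying on the server's error.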
