angler-fishThe Vulnerability History Project

Vulnerability History Project RESTful API (1.0.0)

Download OpenAPI specification:Download

License: MIT

This read-only API allows detailed access to the VHP data.

This documentation is a work-in-progress. If you want to contribute, see our issue on GitHub.

vulnerabilities

Putting the V in VHP.

These API calls are related to getting information about vulnerabilities, the files they impacted, and the ways we have categorized them.

/api/vulnerabilities

Returns a non-detailed list of all vulnerabilities

query Parameters
short_descriptions
boolean

Should the descriptions be truncated? Mainly used in the VHP UI

limit
integer

Limit the number of results

offset
integer

Return a subset of the results, offset by this number

Responses

Response samples

Content type
application/json
[
  • {
    },
  • {
    }
]

/api/vulnerabilites/{cve}

Returns detailed information on a vulnerability with the specified ID

path Parameters
cve
string <Common Vulnerabilities Enumeration> ^CVE\-\d{4}\-\d+$
Example: CVE-2017-5638

The unique CVE identifier of the vulnerability

Responses

Response samples

Content type
application/json
{
  • "id": 2427,
  • "cve": "CVE-2017-5638",
  • "project_id": 6,
  • "announced": "2017-03-02T00:00:00.000Z",
  • "description": "Apache Struts utilizes multipart parsers to handle HTTP POST requests,\nand there are two types available, Jakarta and Pell. The Jakarta\nMultiparser was the one that had the vulnerability, and it generates an\nexception when parsing the Content-Type. It raises this exception and\nincludes the invalid data in the error message, and does this by\nparsing the input and treating the parsed result as an OGNL expression.\nThis is potential for remote code execution.\n",
  • "short_desc": "Apache Struts utilizes multipart parsers to handle HTTP POST requests, and there are \ntwo types available, Jakarta and Pell",
  • "upvotes": 0,
  • "nickname": "The Equifax Breach"
}

/api/vulnerabilities/{cve}/events

Return all events for the specified vulnerability

path Parameters
cve
string <Common Vulnerabilities Enumeration> ^CVE\-\d{4}\-\d+$
Example: CVE-2017-5638

The unique CVE identifier of the vulnerability

Responses

Response samples

Content type
application/json
[
  • {
    },
  • {
    },
  • {
    }
]

/api/filepaths/{filepath_id}/vulnerabilities

Returns a list of vulnerabilities fixed in this file.

path Parameters
filepath_id
string

The url-friendly identifier of a filepath.

Responses

Response samples

Content type
application/json
null

/api/corpus

Returns a list of vulnerabilities filtered by having written langauge in the description and mistakes fields. Also includes tag data too. Use for research purposes.

Responses

Response samples

Content type
application/json
[
  • {
    }
]

commits

Data for commits in the VHP database: fixes, vulnerability-contributing commits (VCCs), and any commit marked "interesting" by a curator.

/api/commits

Returns a non-detailed list of all commits in the database. These are VCCs, fixes, and interesting commits.

Responses

Response samples

Content type
application/json
[
  • {
    },
  • {
    },
  • {
    }
]

/api/commits/{sha}

Author of the given commit

path Parameters
sha
string <Git SHA-256> ^[\da-f]{40}$
Example: 011a54315e46acdf288003566b8570440f5ac985

The unique SHA hash string of a git commit

Responses

Response samples

Content type
application/json
{
  • "id": 1,
  • "commit_hash": "639e20992a66d7a42fb59c974db91c8a0f730a1e",
  • "project_id": 8,
  • "author_id": 1,
  • "message": "Add additional configuration options to the DIGEST authenticator\nThis is the fix for CVE-2011-1184\n\ngit-svn-id: https://svn.apache.org/repos/asf/tomcat/trunk@1087655 13f79535-47bb-0310-9956-ffa450edef68",
  • "date_created": "2011-04-01T11:36:54.000Z",
  • "notes": {
    }
}

/api/commits/{sha}/developer

Author of the given commit

path Parameters
sha
string <Git SHA-256> ^[\da-f]{40}$
Example: 011a54315e46acdf288003566b8570440f5ac985

The unique SHA hash string of a git commit

Responses

Response samples

Content type
application/json
{
  • "id": 88,
  • "email": "foo@example.com",
  • "nickname": "Warren the Whale",
  • "notes": { }
}

/api/developers/{developer_id}/commits

List the commits for a developer

path Parameters
developer_id
integer <int32>

The internal primary key of the developer. Subject to change without notice.

Responses

Response samples

Content type
application/json
[
  • {
    },
  • {
    }
]

/api/filepaths/{filepath_id}/commits

Returns a list of key commits to the file. Only includes VCCs, fixes, and interesting commits.

path Parameters
filepath_id
string

The url-friendly identifier of a filepath.

Responses

Response samples

Content type
application/json
null

developers

Data for developers who are authors of any commits in VHP.

These are not a comprehensive list of the developers in the project. Far from it. These are only the people who are involved in fixing, contributing, or otherwise directly related to code authorship involving a vulnerability.

/api/commits/{sha}/developer

Author of the given commit

path Parameters
sha
string <Git SHA-256> ^[\da-f]{40}$
Example: 011a54315e46acdf288003566b8570440f5ac985

The unique SHA hash string of a git commit

Responses

Response samples

Content type
application/json
{
  • "id": 88,
  • "email": "foo@example.com",
  • "nickname": "Warren the Whale",
  • "notes": { }
}

/api/developers

Return a list of the developers who are authors of vulnerability-contributing commits, or fix commits.

Responses

Response samples

Content type
application/json
[
  • {
    },
  • {
    },
  • {
    }
]

/api/developers/{developer_id}/commits

List the commits for a developer

path Parameters
developer_id
integer <int32>

The internal primary key of the developer. Subject to change without notice.

Responses

Response samples

Content type
application/json
[
  • {
    },
  • {
    }
]

/api/filepaths/{filepath_id}/developers

Returns a list of authors to the commits of the file. Only includes authors of commits in VHP.

path Parameters
filepath_id
string

The url-friendly identifier of a filepath.

Responses

Response samples

Content type
application/json
null

filepaths

Data on any filepath fixed for a vulnerability. A filepath is the name of a file combined with the directories its in, rooted at the top of the source code repository.

These are not a comprehensive list of files in the project. These are only files involved in a vulnerability in some way.

A subset of these files are known offenders, which are files that have been fixed for at least one vulnerability.

/api/filepaths

List all files touched by any commit in the database

query Parameters
offenders
boolean
Default: false

Only return "known offenders", which are files that are part of at least one vulnerability fix

Responses

Response samples

Content type
application/json
[
  • {
    },
  • {
    },
  • {
    }
]

/api/filepaths/{filepath_id}/developers

Returns a list of authors to the commits of the file. Only includes authors of commits in VHP.

path Parameters
filepath_id
string

The url-friendly identifier of a filepath.

Responses

Response samples

Content type
application/json
null

/api/filepaths/{filepath_id}/commits

Returns a list of key commits to the file. Only includes VCCs, fixes, and interesting commits.

path Parameters
filepath_id
string

The url-friendly identifier of a filepath.

Responses

Response samples

Content type
application/json
null

/api/filepaths/{filepath_id}/vulnerabilities

Returns a list of vulnerabilities fixed in this file.

path Parameters
filepath_id
string

The url-friendly identifier of a filepath.

Responses

Response samples

Content type
application/json
null

tags

Data on the tags we use to categorize vulnerabilities.

Tags have a many-many relationship with vulnerabilities and are used for a variety of things. They are very general-purpose in nature.

/api/tags

List all tags in the database

query Parameters
map
boolean
Default: false

Change the return format from array to dictionary

Responses

Response samples

Content type
application/json
[
  • {
    },
  • {
    }
]

/api/tags/{tag_id}

Show details of a particular tag, including vulnerabilities that this tag has been applied to.

path Parameters
tag_id
string

The url-friendly slug of a tag

Responses

Response samples

Content type
application/json
null

/api/insights/tag-trends

Returns a set of nodes and links based off of the families passed in. The nodes are the tags, and the links are the number of vulnerabilities that have both tags. The nodes are sized by the number of vulnerabilities that have that tag. The links are sized by the number of vulnerabilities that have both tags.

query Parameters
family_list
required
string

A comma-separated string of tag families to common vulnerabilities with those tag families.

Responses

Response samples

Content type
application/json
[
  • {
    }
]

projects

Data on the open source projects that these vulnerabilities originate from.

/api/projects

Returns the list of projects

Responses

Response samples

Content type
application/json
[
  • {
    },
  • {
    },
  • {
    }
]

overlaps

/api/tags/overlaps/array

Returns the vulnerabilities in common between the tags provided in decending order according to upvotes

query Parameters
overlaps
required
array of tag shortnames

The tags to find the overlaps of.

Responses

Response samples

Content type
application/json
null
expand_less