APIs

The latest API documentation can be found within the VulnIQ web application.

VulnIQ provides simple REST APIs to access its data. You can generate bearer access tokens and call the VulnIQ APIs from your scripts, applications, or however else you want to call them.

You can view the documentation of any endpoint by adding the _documentation=true parameter to an API request. For example, https://free.vulniq.com/api/advisory/list?_documentation=true returns the endpoint's documentation in JSON format.
This JSON documentation lists the supported methods, parameters, parameter types and allowed values. It is generated directly by the API request handling code, so it is always 100% accurate and up to date.

A simple API example

A shell script that accepts a package name argument (e.g. curl, wget) and lists the vulnerabilities affecting the currently installed version on a Debian-based system.
Please note that this is not production-quality code; please ignore the poor shell scripting practices, etc.
This example is provided only to demonstrate how VulnIQ APIs can be used.
#!/bin/bash
ACCESS_TOKEN="your access token here"
#first argument is the package name
PACKAGE_NAME="$1"

#you didn't provide a package name
if [ -z "$PACKAGE_NAME" ]
then
    echo "You must provide a package name, e.g. curl or wget or python" >&2
    exit 1
fi

#finds the upstream version number for the given package (drops the Debian revision after "-")
INSTALLED_VERSION=$(apt list --installed | grep "^$PACKAGE_NAME[0-9.]*/" | head -1 | awk '{print $2}' | cut -f1 -d"-")
if [ -z "$INSTALLED_VERSION" ]
then
    echo "Package $PACKAGE_NAME does not appear to be installed" >&2
    exit 1
fi
echo "Found version: $INSTALLED_VERSION"

#finds the guid(s) of the package + version first; the space in the query is sent as %20
API_URL_V="https://free.vulniq.com/api/search/vpv?query=${PACKAGE_NAME}%20${INSTALLED_VERSION}"

for VERSION_GUID in $(curl -s -H "Authorization: Bearer $ACCESS_TOKEN" "$API_URL_V" | jq -r '.results[] | .versionGuid')
do
    echo "Found guid for version: $VERSION_GUID"
    #lists the vulnerabilities recorded for that version guid
    curl -s -H "Authorization: Bearer $ACCESS_TOKEN" "https://free.vulniq.com/api/version/$VERSION_GUID/vulnerabilities?pageNumber=1&orderBy=&sort=&resultsPerPage=20" | jq -r '.results[] | .guid + "\n" + .description'
done

When run on an Ubuntu instance with an old curl package, the above script outputs:
# ./poc.sh curl
WARNING: apt does not have a stable CLI interface. Use with caution in scripts.

Found version: 7.58.0
Found guid for version: P6dHjk4R5axZUUpOjPkInzaEjJs
CVE-2018-16842
Curl versions 7.14.1 through 7.61.1 are vulnerable to a heap-based buffer over-read in the tool_msgs.c:voutf() function that may result in information exposure and denial of service.
CVE-2018-16839
Curl versions 7.33.0 through 7.61.1 are vulnerable to a buffer overrun in the SASL authentication code that may lead to denial of service.
CVE-2018-0500
Curl_smtp_escape_eob in lib/smtp.c in curl 7.54.1 to and including curl 7.60.0 has a heap-based buffer overflow that might be exploitable by an attacker who can control the data that curl transmits over SMTP with certain settings (i.e., use of a nonstandard --limit-rate argument or CURLOPT_BUFFERSIZE value).
CVE-2018-1000300
curl version curl 7.54.1 to and including curl 7.59.0 contains a CWE-122: Heap-based Buffer Overflow vulnerability in denial of service and more that can result in curl might overflow a heap based memory buffer when closing down an FTP connection with very long server command replies.. This vulnerability appears to have been fixed in curl < 7.54.1 and curl >= 7.60.0.
CVE-2018-1000301
curl version curl 7.20.0 to and including curl 7.59.0 contains a CWE-126: Buffer Over-read vulnerability in denial of service that can result in curl can be tricked into reading data beyond the end of a heap based buffer used to store downloaded RTSP content.. This vulnerability appears to have been fixed in curl < 7.20.0 and curl >= 7.60.0.
CVE-2018-1000121
A NULL pointer dereference exists in curl 7.21.0 to and including curl 7.58.0 in the LDAP code that allows an attacker to cause a denial of service
CVE-2018-1000122
A buffer over-read exists in curl 7.20.0 to and including curl 7.58.0 in the RTSP+RTP handling code that allows an attacker to cause a denial of service or information leakage
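The same lookup the script above performs, rewritten as an added Python example (not VulnIQ's own code): it extracts the upstream version from apt output, builds the search/vpv and version/<guid>/vulnerabilities URLs with proper encoding, and follows each version guid to its vulnerability list. The apt lines and the canned API responses are constructed sample data; a live call through api_get needs a valid access token.

```python
# Added example (not VulnIQ's code): the shell script's lookup as a Python client.
import json
import re
import urllib.parse
import urllib.request

BASE = "https://free.vulniq.com/api"  # endpoints as used on this page
# Constructed `apt list --installed` output; the version matches the page's run.
SAMPLE_APT = """curl/bionic-updates,now 7.58.0-2ubuntu3.8 amd64 [installed]
libcurl4/bionic-updates,now 7.58.0-2ubuntu3.8 amd64 [installed,automatic]"""
# Canned responses in the page's shape; guid and CVE id come from the page's sample output.
CANNED_VPV = {"results": [{"versionGuid": "P6dHjk4R5axZUUpOjPkInzaEjJs"}]}
CANNED_VULNS = {"results": [{"guid": "CVE-2018-16842", "description": "heap-based buffer over-read"}]}
def upstream_version(apt_output, package):
    """Like the script's grep/awk/cut: the name may carry a numeric suffix
    (python -> python3.6) and the Debian revision after '-' is dropped."""
    pattern = re.compile(r"^" + re.escape(package) + r"[0-9.]*/\S+\s+(\S+)")
    for line in apt_output.splitlines():
        m = pattern.match(line)
        if m:
            return m.group(1).split("-", 1)[0]
    return None

def vpv_url(package, version):
    """search/vpv URL; urlencode escapes the query properly (quote_via gives %20 as on the page)."""
    q = urllib.parse.urlencode({"query": f"{package} {version}"}, quote_via=urllib.parse.quote)
    return f"{BASE}/search/vpv?{q}"

def vulnerabilities_url(version_guid):
    guid = urllib.parse.quote(version_guid, safe="")  # guid is a path segment
    return f"{BASE}/version/{guid}/vulnerabilities?pageNumber=1&orderBy=&sort=&resultsPerPage=20"

def api_get(url, token):
    """Live GET with the bearer token (network and a valid token required)."""
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def canned_get(url, token):
    """Offline stand-in for api_get that serves the constructed responses above."""
    return CANNED_VPV if "/search/vpv?" in url else CANNED_VULNS

def affected_vulnerabilities(package, apt_output, token, get=api_get):
    """version -> version guids -> [(vulnerability guid, description)], as the script does."""
    version = upstream_version(apt_output, package)
    if version is None:
        raise ValueError(f"{package} is not installed")
    return [(v["guid"], v["description"])
            for r in get(vpv_url(package, version), token)["results"]
            for v in get(vulnerabilities_url(r["versionGuid"]), token)["results"]]
```

Pass the real `apt list --installed` output and your token with the default `get` to query the live API; `canned_get` exercises the same flow offline.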

Search Example

Suppose you want to search for vulnerabilities that may be related to a "tic.c" file; you googled it, got 5,800,000 results and were asked whether you meant tic tac.
You just call https://free.vulniq.com/api/search/fts?query=tic.c and get the relevant results instantly:
{
    "results":[
        {
            "dataGuid":"2dID0gUhKs7B2E5iS_eHfM3Eddo",
            "idAtSource":"https://bugzilla.redhat.com/show_bug.cgi?id=1484284",
            "dataType":100,
            "title":"1484284 There is an illegal address access in tic.c of libncurses."
        },
        {
            "dataGuid":"CVE-2017-13730",
            "idAtSource":"CVE-2017-13730",
            "dataType":1,
            "title":"There is an illegal address access in the function _nc_read_entry_source() in progs/tic.c in ncurses 6.0 that might lead to a remote denial of service attack."
        },
        ....
Please note that the results contain all relevant data regardless of type: the first result is a processed URL, the second is a CVE, and so on.