Vulnerability
/api/v1/vulnerabilities
A known weakness on an asset, often tied to a CVE.
list, get, create, update, resolve
Schema

| Field | Type | Notes |
|---|---|---|
| id* | uuid | Server-assigned ULID with type prefix (e.g. per_…). |
| tenant_id* | string | Tenant scope — auto-stamped from the caller's JWT. |
| app_id | string | App scope. Stamped ONLY when the caller's JWT was minted for a specific Application (integration API keys). Absent for human-user sessions. Filters reads when present. |
| created_at* | date-time | Server stamp. |
| updated_at* | date-time | Server stamp; updated on every patch. |
| created_by | uuid | Person id from the caller's JWT (sub). |
| updated_by | uuid | Person id from the last writer's JWT (sub). |
| source | string | Provenance tag — defaults to 'edm'. |
| source_type | enum | One of frontend, backend, server, system, api. Where the write originated. Defaults to 'api'. |
| is_deleted | boolean | Soft-delete flag. Excluded from default list queries. |
| deleted_at | date-time | Stamped when soft-deleted; null otherwise. |
| deleted_by | uuid | Person id who soft-deleted; null otherwise. |
| schema_version | number | Document schema version. Bumped on incompatible writes. |
| cve_id | string | Common Vulnerabilities and Exposures identifier. Null for vulnerabilities that do not have an assigned CVE (e.g. misconfigurations, proprietary scanner findings). |
| title | string | Short, descriptive title summarizing the vulnerability. |
| description | string | Detailed technical description of the vulnerability, including attack vector, prerequisites, and potential impact. |
| severity | string | Severity classification of this vulnerability. Typically aligned with CVSS severity bands. |
| cvss_score | number | CVSS base score (0.0 to 10.0). Null when no CVSS score is available. |
| cvss_vector | string | CVSS vector string describing the vulnerability characteristics (e.g. CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). |
| affected_asset_id | uuid | UUID of the asset affected by this vulnerability. The asset type is indicated by affected_asset_type. |
| affected_asset_type | string | Discriminator indicating which entity type affected_asset_id refers to: a TechnologyAsset, PhysicalAsset, or CloudResource. |
| status | string | Current remediation status. 'accepted_risk' requires documented justification and periodic review. 'false_positive' removes the item from active tracking. |
| discovered_at | date-time | ISO 8601 timestamp when this vulnerability was first discovered by the scanning tool or reported. |
| remediated_at | date-time | ISO 8601 timestamp when the vulnerability was confirmed as remediated. Set by the platform or manually by a security engineer. |
| due_date | date-time | Remediation deadline based on severity SLA policy. Critical vulnerabilities typically have a 7-day SLA, high a 30-day SLA. |
| assigned_to | uuid | UUID of the Person responsible for remediating this vulnerability. |
| source | string | Name of the scanner or tool that discovered this vulnerability (e.g. Tenable). |
API
client.vulnerabilities.*