cves-to-patch-group

The Patch Management feature of Ivanti Neurons supports the use of the Common Vulnerabilities and Exposures (CVE) list. CVEs are vulnerability disclosures that can potentially relate to many patches and notifications.

The cves-to-patch-group endpoint enables you to specify CVE IDs that you want to convert to a patch group. You can then use that patch group in your scans and deployments.

Another option: if you have a large number of CVEs, it can be cumbersome and error-prone to manually specify each individual CVE ID in a body parameter. You might prefer to import a CVE file that already contains the desired list of CVE IDs.

Required Header Parameters

| Name | Type | Description |
|---|---|---|
| X-On-Behalf-Of | String | Provide a name or some form of information that identifies the requester. This is used for auditing purposes and will be displayed in the Ivanti Neurons user interface. A 400 status code is returned if this is not provided. |
| Authorization | Authheader | Use the Bearer <access-token> value determined during the Authenticate to the Patch Management API process. |

HTTP Method

GET

Request URI

https://<hostname>/api/v1/cves-to-patch-group/{id}

Returns a collection of CVE IDs and their associated Patch IDs that exist in the provided Patch Group ID.

Requires that the caller has the patchgroup.reader, patchgroup.admin, or patchgroup.editor role.

Request Parameters

| Name | Type | Description |
|---|---|---|
| patchGroupId | Guid | Required as the route parameter for the patch group. For example, v1/cves-to-patch-group/{guid}. |

Example Response

{
    "CVE-2006-3439": [
        "0000071a-0000-0000-0000-000000000000",
        "0000071b-0000-0000-0000-000000000000",
        "00000722-0000-0000-0000-000000000000"
    ],
    "CVE-2012-0002": [
        "00004ee9-0000-0000-0000-000000000000",
        "00004eea-0000-0000-0000-000000000000",
        "00004eeb-0000-0000-0000-000000000000",
        "00004ef0-0000-0000-0000-000000000000"
    ],
    "CVE-2012-0152": [
        "00004ef7-0000-0000-0000-000000000000"
    ],
    "CVE-2008-4250": [
        "00005495-0000-0000-0000-000000000000",
        "00005496-0000-0000-0000-000000000000",
        "00005497-0000-0000-0000-000000000000",
        "00005498-0000-0000-0000-000000000000"
    ]
}

HTTP Method

PUT

Request URI

https://<hostname>/api/v1/cves-to-patch-group

Example Request Body

{
  "dataUpdateErrorPolicy": "None",
  "patchGroupId": "string",
  "cveIds": [
    "string"
  ],
  "activateAssociatedPolicies": true
}

Updates an existing patch group with the patches associated with the specified CVEs.

Requires that the caller has the patchgroup.admin or patchgroup.editor role.

Request Parameters

| Name | Type | Description |
|---|---|---|
| dataUpdateErrorPolicy | String | Determines if the call will throw an error when encountering an invalid ID. None: No error policy is specified. Throw: The entire request will be rejected. Omit: The problem area will be omitted, but the rest of the request will be completed (this is the default option). |
| patchGroupId | Guid | Specifies the ID of the patch group that is being updated. There is no default. |
| cveIds | String[] | One or more CVEs are required. Example input for one CVE: ["CVE-2023-2528"]. Example input for multiple CVEs: ["CVE-2023-2528", "CVE-2023-2529", "CVE-2023-2560"]. |
| activateAssociatedPolicies | Boolean | Specifies if the updated patch group will be made active to the endpoints via the associated policy group. This is equivalent to the Save and make active button that is available in the Ivanti Neurons user interface. The default is false. |

Example Response

{
  "patchGroupName": "string",
  "patchGroupId": "string",
  "cvesToPatches": {
    "additionalProp1": [
      "string"
    ],
    "additionalProp2": [
      "string"
    ],
    "additionalProp3": [
      "string"
    ]
  },
  "cvesMissingPatches": [
    "string"
  ],
  "cvesNotFound": [
    "string"
  ]
}

HTTP Method

POST

Creates a new patch group and adds all patches associated with the specified CVEs.

Requires that the caller has the patchgroup.admin role.

Request URI

https://<hostname>/api/v1/cves-to-patch-group

Request Body

{
  "dataUpdateErrorPolicy": "None",
  "patchGroupName": "string",
  "cveIds": [
    "string"
  ]
}

Request Parameters

| Name | Type | Description |
|---|---|---|
| dataUpdateErrorPolicy | String | Determines if the call will throw an error when encountering an invalid ID. None: No error policy is specified. Throw: The entire request will be rejected. Omit: The problem area will be omitted, but the rest of the request will be completed (this is the default option). |
| patchGroupName | String | Specifies the name of the patch group that will be created. There is no default. |
| cveIds | String[] | One or more CVEs are required. Example input for one CVE: ["CVE-2023-2528"]. Example input for multiple CVEs: ["CVE-2023-2528", "CVE-2023-2529", "CVE-2023-2560"]. |

Example Response

{
  "patchGroupName": "string",
  "patchGroupId": "string",
  "cvesToPatches": {
    "additionalProp1": [
      "string"
    ],
    "additionalProp2": [
      "string"
    ],
    "additionalProp3": [
      "string"
    ]
  },
  "cvesMissingPatches": [
    "string"
  ],
  "cvesNotFound": [
    "string"
  ]
}

Output Data Properties

The following set of data items represent the patch group and its related metadata that will be returned as part of a successful response.

| Name | Type | Description |
|---|---|---|
| patchGroupName | String | The name of the patch group. |
| patchGroupId | Guid | The ID of the patch group. |
| cvesToPatches | Array of Guids | Patch identifiers that address the key CVE. |
| cvesMissingPatches | Array of strings | Identifiers of each CVE that did not have a corresponding patch. |
| cvesNotFound | Array of strings | Identifiers of each CVE that did not appear to exist anymore. |
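
The following Python is an added example, not Ivanti's own code. It validates a CVE list, builds the POST request with the required headers without sending it, and checks that every requested CVE is accounted for in cvesToPatches, cvesMissingPatches or cvesNotFound, which matters when the Omit policy drops a problem ID. The helper names, the sample response, the Content-Type header and the Throw default are assumptions of this example.

```python
import json
import re
import urllib.request

CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")
POLICIES = {"None", "Throw", "Omit"}  # dataUpdateErrorPolicy values from the page

def parse_cve_ids(text):
    """Split free text into (valid, rejected) IDs; de-duplicated, order kept."""
    valid, rejected = [], []
    for token in re.split(r"[\s,;]+", text.strip()):
        cve = token.upper()
        if CVE_RE.match(cve):
            if cve not in valid:
                valid.append(cve)
        elif token and token not in rejected:
            rejected.append(token)
    return valid, rejected

def build_create_request(hostname, token, requester, group_name, cve_ids, policy="Throw"):
    """Build, without sending, the POST that creates a patch group from CVE IDs."""
    if not requester.strip():
        raise ValueError("X-On-Behalf-Of is required; the API answers 400 without it")
    if policy not in POLICIES:
        raise ValueError(f"unknown dataUpdateErrorPolicy: {policy!r}")
    if not cve_ids:
        raise ValueError("one or more CVE IDs are required")
    body = {"dataUpdateErrorPolicy": policy, "patchGroupName": group_name,
            "cveIds": list(cve_ids)}
    headers = {"X-On-Behalf-Of": requester, "Authorization": f"Bearer {token}",
               "Content-Type": "application/json"}  # Content-Type is an assumption
    return urllib.request.Request(f"https://{hostname}/api/v1/cves-to-patch-group",
                                  data=json.dumps(body).encode("utf-8"),
                                  headers=headers, method="POST")

def triage_response(requested, response):
    """Sort every requested CVE into the bucket the response puts it in."""
    covered = {c for c, p in response.get("cvesToPatches", {}).items() if p}
    missing = set(response.get("cvesMissingPatches", []))
    not_found = set(response.get("cvesNotFound", []))
    unaccounted = set(requested) - covered - missing - not_found
    return {"covered": sorted(covered), "missing_patches": sorted(missing),
            "not_found": sorted(not_found), "unaccounted": sorted(unaccounted)}

# Constructed sample response (not real API output) for the three IDs on the page.
SAMPLE_RESPONSE = {"patchGroupName": "example-group", "patchGroupId": "<guid>",
                   "cvesToPatches": {"CVE-2023-2528": ["<patch-guid>"]},
                   "cvesMissingPatches": ["CVE-2023-2529"], "cvesNotFound": []}
```

A non-empty unaccounted list means a requested CVE was left out of the response entirely, so the resulting patch group should not be treated as covering it.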