Endpoint: cves-to-patch-group

The Patch Management feature of Ivanti Neurons supports the use of the Common Vulnerabilities and Exposures (CVE) list. CVEs are vulnerability disclosures that can potentially relate to many patches and notifications.

The cves-to-patch-group endpoint enables you to specify CVE IDs that you want to convert to a patch group. You can then use that patch group in your scans and deployments.

Another option: If you have a large number of CVEs, it can be cumbersome and error prone to manually specify each individual CVE ID on a body parameter. You might prefer to import a CVE file that already contains the desired list of CVE IDs. To do this, you use a PowerShell script that will import the CVE file, parse it and then convert the contents to a patch group. See the example PowerShell scripts at the bottom of this topic for more details.

Required Header Parameters

Name Type Description

X-On-Behalf-Of

String

Provide a name or some form of information that identifies the requester. This is used for auditing purposes and will be displayed in the Ivanti Neurons user interface. A 400 status code is returned if this is not provided.

Authorization

Authheader

Use the Bearer <access-token> value determined during the Authenticate to the Patch Management API process.

X-RapidAPI-Key

Enum

The key that applications and developers need to invoke the API.

X-RapidAPI-Host

String

The name that identifies which API will be used. For example: my-api-name.ivanti.rapidapi.com.

Request Body Parameters

GET Method

Returns a collection of CVE IDs and their associated Patch IDs that exist in the provided Patch Group ID.

Requires that the caller has the patchgroup.reader, patchgroup.admin, or patchgroup.editor role.

Name Type Description

patchGroupId

Guid

Required as the route parameter for the patch group. For example, v1/cves-to-patch-group/{guid}.

Response Output Example

Copy
{
    "CVE-2006-3439": [
        "0000071a-0000-0000-0000-000000000000",
        "0000071b-0000-0000-0000-000000000000",
        "00000722-0000-0000-0000-000000000000"
    ],
    "CVE-2012-0002": [
        "00004ee9-0000-0000-0000-000000000000",
        "00004eea-0000-0000-0000-000000000000",
        "00004eeb-0000-0000-0000-000000000000",
        "00004ef0-0000-0000-0000-000000000000",
    ],
    "CVE-2012-0152": [
        "00004ef7-0000-0000-0000-000000000000",
    ],
    "CVE-2008-4250": [
        "00005495-0000-0000-0000-000000000000",
        "00005496-0000-0000-0000-000000000000",
        "00005497-0000-0000-0000-000000000000",
        "00005498-0000-0000-0000-000000000000"
    ]
}

PUT Method

Updates an existing patch group with the patches associated with the specified CVEs.

Requires that the caller has the patchgroup.admin or patchgroup.editor role.

Name Type Description
dataUpdateErrorPolicy String

Determines if the call will throw an error when encountering an invalid ID.

  • None: No error policy is specified.
  • Throw: The entire request will be rejected.
  • Omit: The problem area will be omitted, but the rest of the request will be completed. This is the default option.

patchGroupId

Guid

Specifies the ID of the patch group that is being updated. There is no default.

cveIds String[]

One or more CVEs are required. Example input:

  • One CVE: ["CVE-2023-2528"]
  • Multiple CVEs: ["CVE-2023-2528", "CVE-2023-2529", "CVE-2023-2560"]

activateAssociatedPolicies

Boolean

Specifies if the updated patch group will be made active to the endpoints via the associated policy group. This is equivalent to the Save and make active button that is available in the Ivanti Neurons user interface. The default is false.

POST Method

Creates a new patch group and adds all patches associated with the specified CVEs.

Requires that the caller has the patchgroup.admin role.

Name Type Description
dataUpdateErrorPolicy String

Determines if the call will throw an error when encountering an invalid ID.

  • None: No error policy is specified.
  • Throw: The entire request will be rejected.
  • Omit: The problem area will be omitted, but the rest of the request will be completed. This is the default option.

patchGroupName

String

Specifies the name of the patch group that will be created. There is no default.

cveIds String[]

One or more CVEs are required. Example input:

  • One CVE: ["CVE-2023-2528"]
  • Multiple CVEs: ["CVE-2023-2528", "CVE-2023-2529", "CVE-2023-2560"]

Output Data Properties

The following set of data items represent the patch group and its related metadata that will be returned as part of a successful response.

Name

Type

Description
patchGroupName

String

The name of the patch group.
patchGroupId Guid The ID of the patch group.
cvesToPatches Array of Guids Patch identifiers that address the key CVE.

cvesMissingPatches

Array of strings

Identifiers of each CVE that did not have a corresponding patch.

cvesNotFound

Array of strings

Identifiers of each CVE that did not appear to exist anymore.

PowerShell Script Implementation: Create a Patch Group Using Input From a CVE File

Goal

Provide example PowerShell scripts that invoke the Ivanti Neurons for Patch Management API and perform the following tasks:

Import a CVE file

Parse the CVE file

Convert the content to a patch group

Retrieve the Bearer token