Patch Groups

A patch group is a collection of patches that you wish to scan for and/or deploy. Patch groups can represent required or mandatory patches that have been approved for your organization. You can create, find and delete patch groups. You can also import a list of CVEs to a patch group. Security Controls will determine which patches are related to each CVE and add those patches to the patch group.

Base URL

        https://<consoleFQDN:port>/st/console/api/v1.0/patch/groups

Supported Requests

Method	URL	Input	Return
DELETE	https://<consoleFQDN:port>/st/console/api/v1.0/patch/groups/{id of patch group}		Success or failure code.
	https://<consoleFQDN:port>/st/console/api/v1.0/patch/groups/{id of patch group}/patches/{vulnerabilty id}		Success or failure code.
	https://<consoleFQDN:port>/st/console/api/v1.0/patch/groups/{id of patch group}/patches	VulIds Request Body	Success or failure code.
	https://<consoleFQDN:port>/st/console/api/v1.0/patch/groups/{id of patch group}/patches/cves	CVEs Request Body	Success or failure code.
GET	https://<consoleFQDN:port>/st/console/api/v1.0/patch/groups	URL Parameters	PatchGroups[].
	https://<consoleFQDN:port>/st/console/api/v1.0/patch/groups/{id of patch group}		A patch group.
	https://<consoleFQDN:port>/st/console/api/v1.0/patch/groups/{id of patch group}/patches		Vulnerabilities[]
	https://<consoleFQDN:port>/st/console/api/v1.0/patch/groups/{id of patch group}/usedby		UsedBy[]
POST	https://<consoleFQDN:port>/st/console/api/v1.0/patch/groups	Request Body	A patch group.
	https://<consoleFQDN:port>/st/console/api/v1.0/patch/groups/{id of patch group}/patches	VulIds URL Parameter VulIds Request Body	Success or failure code.
	https://<consoleFQDN:port>/st/console/api/v1.0/patch/groups/{id of patch group}/patches/cves	CVEs Request Body	Success or failure code.
PUT	https://<consoleFQDN:port>/st/console/api/v1.0/patch/groups/{id of patch group}	Request Body	Success or failure code.

Input Models

URL Parameters

Name	Type	Description
count	Integer	Provide the count of items to return. The default is 10 and the maximum value is 1000.
createdByMe	Boolean	Returns only those items created by the user. This parameter will be removed in a future release and should be used only in legacy requests.
name	String	Returns the items whose name matches the specified name.
start	Integer	Sets the starting point. The items are sorted by their unique identifier and the starting point is the index into that sorted list.
path	String	Returns the groups containing the path.

VulIds URL Parameter

Name	Type	Description
ignoreInvalidVulnerabilityIds	Boolean	POST requests that contain invalid IDs will be submitted; invalid IDs will be ignored.

Request Body

Name	Required?	Type	Default Value	Description
name	Yes	String	None	Specifies the patch group name.
path	No	String	None	The path that describes the location of the patch group within the Patch Templates and Groups list in the navigation pane. Example: Lab\Servers

Name

Required?

Type

Default Value

Description

name

Yes

String

None

Specifies the patch group name.

path

String

None

The path that describes the location of the patch group within the Patch Templates and Groups list in the navigation pane.

Example: Lab\Servers

VulIds Request Body

Name	Required?	Type	Default Value	Description
NA	Yes	Int32[]	None	The list of vulnerability IDs. Example: [11408,15246]

Name

Required?

Type

Default Value

Description

Yes

Int32[]

None

The list of vulnerability IDs. Example:

[11408,15246]

CVEs Request Body

Name	Required?	Type	Default Value	Description
cves	Yes	String[]	None	The CVE IDs. The values must be specified within an array.
errorPolicy	No		Throw	errorPolicy=Throw means the entire request will be rejected errorPolicy=Omit means the problem area will be omitted but the rest of the request will be completed.

Example with Sample Response

Find all patch groups

GET Request

https://<consoleFQDN:port>/st/console/api/v1.0/patch/groups

Sample Response

Copy

{
    "count": 2,
    "links": {
        "next": {
            "href": "https://device-name.example.com:3121/st/console/api/v1.0/patch/groups?count=10&start=3"
        }
    },
        "value": [
            {
                "id": 1,
                "links": {
                    "self": {
                        "href": "https://device-name.example.com:3121/st/console/api/v1.0/patch/groups/1"
                    },
                    "patches": {
                        "href": "https://device-name.example.com:3121/st/console/api/v1.0/patch/groups/1/patches"
                    },
                    "usedby": {
                        "href": "https://device-name.example.com:3121/st/console/api/v1.0/patch/groups/1/usedby"
                    }
                },
                "name": "Sample Patch Group"
            },
        {
            "id": 2,
            "links": {
                "self": {
                    "href": "https://device-name.example.com:3121/st/console/api/v1.0/patch/groups/2"
                },
                "patches": {
                    "href": "https://device-name.example.com:3121/st/console/api/v1.0/patch/groups/2/patches"
                },
                "usedby": {
                    "href": "https://device-name.example.com:3121/st/console/api/v1.0/patch/groups/2/usedby"
                }
            },
            "name": "Security Patches Group"
        }
    ]
}

Other Request Examples

Remove specific vulnerabilities from an existing patch group

DELETE Request

Copy

https://<consoleFQDN:port>/st/console/api/v1.0/patch/groups/1/patches

{
    [74783,74785]
}

Remove a CVE from an existing patch group

DELETE Request

Copy

https://<consoleFQDN:port>/st/console/api/v1.0/patch/groups/1/patches/cves

{
    "cves": ["CVE-2019-17068"]
}

Add two vulnerabilities with IDs 11408 and 15246 to the patch group with ID 1

POST Request

Copy

https://<consoleFQDN:port>/st/console/api/v1.0/patch/groups/1/patches

[11408, 15246]

Import multiple CVEs to the patch group with ID 2

All patches related to the specified CVEs will be added to the patch group.

POST Request

Copy

https://<consoleFQDN:port>/st/console/api/v1.0/patch/groups/2/patches/cves

{
"errorPolicy" : "Throw",
"cves" : [
    "CVE-2019-0701", 
    "CVE-2019-0708",
    "CVE-2019-1367"
    ]
}

Rename an existing patch group

PUT Request

Copy

https://<consoleFQDN:port>/st/console/api/v1.0/patch/groups/2

{
    "name" : "NewName",
    "path" : "SamplePath"
}

PowerShell Example

This example does the following:

Create or find a patch group.
Use a CVE list to add patches to a patch group.
Identify CVEs that do not correspond to a supported patch.

Copy

###########################################################

    $serverFqdn = “<your server name FQDN here>”
 
#################################

# Create a patch group.

    $addPatchGroup = @{ name = “Based On CVEs”} | ConvertTo-Json
    $groupDefinition = Invoke-RestMethod -Uri “https://$($serverFqdn):3121/st/console/api/v1.0/patch/groups” -Method POST -UseDefaultCredentials -Body $ addPatchGroup -ContentType "application/json"
 
#Alternatively, find an existing patch group by name.

    $matchingGroupDefinitions = Invoke-RestMethod -Uri "https://$($serverFqdn):3121/st/console/api/v1.0/patch/groups?name=Based On CVEs" -Method GET -UseDefaultCredentials -ContentType "application/json"
    $groupDefinition = $matchingGroupDefinitions.value[0]
 
################################

# Add the list of CVEs including un-matched, non-existent CVEs.
# Note the use of errorPolicy = Omit.  This omits un-matched input.

    $addCves = @{ cves = @("CVE-2019-0708","CVE-2019-0701","CVE-2019-1367","bad input","invalid Cve","un mapped Cve"); errorPolicy="Omit"}
    $addCvesJson = $addCves | ConvertTo-Json -Depth 99
    Invoke-RestMethod -Uri “$($groupDefinition.links.patches.href)/cves” -Method POST -UseDefaultCredentials -Body $addCvesJson -ContentType "application/json"
 
################################

# Find list of un-matched or invalid CVEs, this can be done one of two ways:
# 1. Compare the list of CVEs in the patches returned by a get operation  - Or –
# 2. Let the API do the matching work for you by setting the error policy to Throw
 
# A simple example to get the patch group details and loop through patches reporting their CVE for comparison

    $patchesInGroup = Invoke-RestMethod -Uri $groupDefinition.links.patches.href -Method GET -UseDefaultCredentials -ContentType "application/json"
    Foreach ($patch in $patchesInGroup.value)
    {
        Write-Host $patch.cve
    }
 
# Use the exception policy to report CVEs that don’t exist.

    $addCves.errorPolicy = “Throw”
    $findInvalidCvesJson = $addCves | ConvertTo-Json -Depth 99
    Invoke-RestMethod -Uri “$($groupDefinition.links.patches.href)/cves” -Method POST -UseDefaultCredentials -Body $findInvalidCvesJson -ContentType "application/json"
 
## All invalid CVEs are reported in the error message body as a comma separated list.

#Example: {"message":"Cves not found: 'bad input,invalid Cve,un mapped Cve'"}

#####################################################

Output Models

PatchGroups

Name	Type	Description
id	Int32	The patch group ID.
links	Links	Shows the related URLs for the patch group.
name	String	The name of the patch group.
path	String	The path that describes the location of the patch group within the Windows Patch Groups list in the navigation pane.

Vulnerability

Name	Type	Description
bulletinId	String	The bulletin ID
cve	String[]	The list of associated CVEs.
iavaId	String	IAVA ID.
id	Integer	The vulnerability ID.
kb	String	The KB.
links	Links	Shows the related URLs for each vulnerability.
patchIds	Guid[]	The list of patch UIDs.
patchType	KnownPatchType	The patch type.
releaseDate	DateTime	The release date.
replacedBy	String	The list of all patches that replace this vulnerability.
revisionDate	DateTime	The revision date.

UsedBy

Name	Type	Description
name	String	Gets the name of the item that is using this patch group.
usageType	Enum	The type of component using the patch group. See SummaryType.