Burp Suite User Forum


Graphql issue_type in issues returning null

Pedro | Last updated: Oct 01, 2020 09:13AM UTC

Hello, I'm having problems fetching issues from a scan, namely the issue_type of each scan is returning null, along with description_html and remediation_html.

My query:

    query getScan {
      scan(id: 34) {
        site_id
        start_time
        status
        issue_counts {
          total
        }
        issues(start: 0, count: 100) {
          issue_type {
            name
          }
          serial_number
          description_html
          confidence
          severity
          path
        }
      }
    }

And the results:

    "data": {
      "scan": {
        "site_id": "1",
        "start_time": "2020-09-02T09:06:13.394Z",
        "status": "succeeded",
        "issue_counts": {
          "total": 19
        },
        "issues": [
          {
            "issue_type": null,
            "serial_number": "391938863453095936",
            "description_html": null,
            "remediation_html": null,
            "confidence": "firm",
            "severity": "medium",
            "path": "/"
          },
          {
            "issue_type": null,
            "serial_number": "5917894240204179456",
            "description_html": null,
            "remediation_html": null,
            "confidence": "firm",
            "severity": "medium",
            "path": "/accounts/login/"
          },

I've seen a similar post: https://forum.portswigger.net/thread/graphql-scan-query-issues-return-null-values-813298e9 but this seems different, since I don't want just the general issue types of a scan, but the issue type and its info, of each issue.

I also feel the documentation of the API is lacking. I had to search the forums to find that the issues needed two params (start and count); it would be nice to have this info in the documentation. Unless I'm missing something, I'm not too familiar with GraphQL.

Hannah, PortSwigger Agent | Last updated: Oct 02, 2020 03:07PM UTC

Could you try using the following query to retrieve issues from a scan, then use the second query to retrieve the specific issue details?

1.

    query ScanInfo {
      scan(id: 267) {
        issue_type_groups(severities: [], confidences: [], novelties: []) {
          issue_type {
            type_index
            name
          }
          first_child_serial_number
        }
      }
    }

2.

    query Issue {
      issue(scan_id: 267, serial_number: 3867981835782894592) {
        issue_type {
          type_index
          name
          description_html
          remediation_html
          vulnerability_classifications_html
          references_html
        }
        confidence
        display_confidence
        serial_number
        description_html
        remediation_html
        severity
        path
        origin
        novelty
        evidence {
          ... on Request {
            request_index
            request_count
            request_segments {
              ... on DataSegment { data_html }
              ... on HighlightSegment { highlight_html }
              ... on SnipSegment { snip_length }
            }
          }
          ... on Response {
            response_index
            response_count
            response_segments {
              ... on DataSegment { data_html }
              ... on HighlightSegment { highlight_html }
              ... on SnipSegment { snip_length }
            }
          }
          ... on HttpInteraction {
            title
            description_html
            request {
              ... on DataSegment { data_html }
              ... on HighlightSegment { highlight_html }
              ... on SnipSegment { snip_length }
            }
            response {
              ... on DataSegment { data_html }
              ... on HighlightSegment { highlight_html }
              ... on SnipSegment { snip_length }
            }
          }
          ... on DescriptiveEvidence {
            title
            description_html
          }
        }
      }
    }
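The two-step retrieval from the reply above, as an added example that is not part of the original thread or PortSwigger's code: it runs the group query, then one issue query per returned first_child_serial_number. The `post` transport, `fake_post` and its reply values are assumptions constructed for illustration, and both queries are trimmed to a few of the fields shown above.

```python
import re

# Both queries follow the reply above, trimmed to a few of its fields.
GROUPS_QUERY = """query ScanInfo { scan(id: %d) {
  issue_type_groups(severities: [], confidences: [], novelties: []) {
    issue_type { type_index name } first_child_serial_number } } }"""
ISSUE_QUERY = """query Issue { issue(scan_id: %d, serial_number: %s) {
  issue_type { name description_html remediation_html }
  serial_number confidence severity path } }"""

def unwrap(response):
    # GraphQL reports failures in an "errors" list, sometimes beside partial data.
    if response.get("errors"):
        raise RuntimeError("GraphQL errors: %r" % response["errors"])
    return response["data"]

def fetch_issue_details(post, scan_id):
    """Group query first, then one Issue query per group. `post` is a
    hypothetical transport: query text in, decoded JSON reply out."""
    scan_id = int(scan_id)
    groups = unwrap(post(GROUPS_QUERY % scan_id))["scan"]["issue_type_groups"]
    issues = []
    for group in groups:
        serial = str(group["first_child_serial_number"])
        # The serial is pasted into the query text, so accept ASCII digits only.
        if not re.fullmatch(r"[0-9]{1,20}", serial):
            raise ValueError("unexpected serial number: %r" % serial)
        issue = unwrap(post(ISSUE_QUERY % (scan_id, serial)))["issue"]
        if issue is None or issue.get("issue_type") is None:
            # The symptom from the first post: fail loudly, do not pass nulls on.
            raise LookupError("no issue_type for serial %s" % serial)
        issues.append(issue)
    return issues

def fake_post(query):
    # Constructed replies standing in for the server; all values are made up.
    if "issue_type_groups" in query:
        groups = [{"issue_type": {"type_index": n, "name": "Example type %d" % n},
                   "first_child_serial_number": str(n) * 4} for n in (1, 2)]
        return {"data": {"scan": {"issue_type_groups": groups}}}
    serial = re.search(r"serial_number: ([0-9]+)", query).group(1)
    return {"data": {"issue": {
        "issue_type": {"name": "Example type " + serial[0],
                       "description_html": "<p>constructed</p>",
                       "remediation_html": "<p>constructed</p>"},
        "serial_number": serial, "confidence": "firm",
        "severity": "medium", "path": "/"}}}

if __name__ == "__main__":
    for item in fetch_issue_details(fake_post, 267):
        print(item["serial_number"], item["issue_type"]["name"])
```

This returns one issue per issue type group, since the group query exposes only the first child serial number of each group.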

Pedro | Last updated: Oct 12, 2020 11:19AM UTC

Hello Hannah, the queries you provided work, but is this the only way to get info about the issues of a scan in on request?

Pedro | Last updated: Oct 12, 2020 11:19AM UTC

*in one request

Pedro | Last updated: Oct 12, 2020 11:30AM UTC

I'm sorry, I phrased it wrong, I mean to ask: is there a way to get all the issues of a scan (including the info of each) in one request?

Michelle, PortSwigger Agent | Last updated: Oct 13, 2020 10:33AM UTC

Hi, there is currently a bug when trying to return all the issues using one command. This is with our developers, but we have linked this post so we can let you know when it is fixed.

Pedro | Last updated: Oct 14, 2020 04:52PM UTC

Thank you.
