Create Library through the API

This page has been moved to Zendesk. Please refer to this link for the latest version.

Once the API is enabled in IriusRisk, you may want to create Libraries through the API to better integrate with other automated systems.  The data model for IriusRisk can be viewed here.

Step-by-step guide

  1. Make sure you have enabled the API
    1. Make sure you have enabled the API in your IriusRisk instance and have a valid API token in your user account (more info in API)
  2. Create library
    curl -X POST \
      https://my.iriusrisk.com/api/v1/libraries/ \
      -H 'accept: application/json' \
      -H 'content-type: application/json' \
      -H 'api-token: XXXXXX-XXXXX-XXXX-XXXX-XXXXX' \
      -d '{
    	"ref": "library",
    	"name": "library name",
    	"desc": "library description"
    }'
    1. If no error is returned then a library named 'library name' with reference 'library' has been created. Check that the library exists with the following API call:

      curl -X GET \
        https://my.iriusrisk.com/api/v1/libraries/library \
        -H 'accept: application/json' \
        -H 'content-type: application/json' \
        -H 'api-token: XXXXXX-XXXXX-XXXX-XXXX-XXXXX'
  3. Create a Risk Pattern. Libraries contain Risk Patterns. To create a Risk Pattern:
    curl -X POST \
      https://my.iriusrisk.com/api/v1/libraries/library/riskpatterns \
      -H 'accept: application/json' \
      -H 'api-token: XXXXXX-XXXXX-XXXX-XXXX-XXXXX' \
      -H 'content-type: application/json' \
      -d '{
    	"ref": "riskpattern",
    	"name": "risk pattern name",
    	"desc": "risk pattern description"
    }'
  4. Create Weakness for the Risk Pattern
    curl -X POST \
      https://my.iriusrisk.com/api/v1/libraries/library/riskpatterns/riskpattern/weaknesses \
      -H 'accept: application/json' \
      -H 'api-token: XXXXXX-XXXXX-XXXX-XXXX-XXXXX' \
      -H 'content-type: application/json' \
      -d '{
    	"ref": "weakness",
    	"name": "weakness name"
    }'
    1. Optionally provide more detail when creating a weakness 

      curl -X POST \
        https://my.iriusrisk.com/api/v1/libraries/library/riskpatterns/riskpattern/weaknesses \
        -H 'accept: application/json' \
        -H 'api-token: XXXXXX-XXXXX-XXXX-XXXX-XXXXX' \
        -H 'content-type: application/json' \
        -d '{
      	"ref": "weakness2",
      	"name": "weakness2 name",
      	"desc": "weakness2 description",
      	"impact": "medium",
      	"test": {
      		"steps": "some steps",
      		"notes": "some notes"
      	}
      }'
  5. Create Countermeasure
    curl -X POST \
      https://my.iriusrisk.com/api/v1/libraries/library/riskpatterns/riskpattern/countermeasures \
      -H 'accept: application/json' \
      -H 'api-token: XXXXXX-XXXXX-XXXX-XXXX-XXXXX' \
      -H 'content-type: application/json' \
      -d '{
    	"ref": "countermeasure",
    	"name": "countermeasure name"
    }'
    1. Optionally provide more detail when creating a Countermeasure

      curl -X POST \
        https://my.iriusrisk.com/api/v1/libraries/library/riskpatterns/riskpattern/countermeasures \
        -H 'accept: application/json' \
        -H 'api-token: XXXXXX-XXXXX-XXXX-XXXX-XXXXX' \
        -H 'content-type: application/json' \
        -d '{
      	"ref": "countermeasure2",
      	"name": "countermeasure2 name",
      	"desc": "countermeasure2 description",
      	"state": "required",
      	"costRating": "high",
      	"standards": [
      		{
      			"ref": "1.0",
      			"name": "PCI-DSS-v3.2"
      		},
      		{
      			"ref": "1.1",
      			"name": "OWASP-ASVS-Level-1"
      		}
      		],
      	"test": {
      		"steps": "some steps",
      		"notes": "some notes"
      	}
      }'
  6. Create UseCase
    curl -X POST \
      https://my.iriusrisk.com/api/v1/libraries/library/riskpatterns/riskpattern/usecases \
      -H 'accept: application/json' \
      -H 'api-token: XXXXXX-XXXXX-XXXX-XXXX-XXXXX' \
      -H 'content-type: application/json' \
      -d '{
    	"ref": "usecase",
    	"name": "use case name",
    	"desc": "use case description"
    }'
  7. Create a basic Threat for the UseCase
    curl -X POST \
      https://my.iriusrisk.com/api/v1/libraries/library/riskpatterns/riskpattern/usecases/usecase/threats \
      -H 'accept: application/json' \
      -H 'api-token: XXXXXX-XXXXX-XXXX-XXXX-XXXXX' \
      -H 'content-type: application/json' \
      -d '{
    	"ref": "threat",
    	"name": "threat name"
    }'
    1. Optionally, create a more detailed Threat

      curl -X POST \
        https://my.iriusrisk.com/api/v1/libraries/library/riskpatterns/riskpattern/usecases/usecase/threats \
        -H 'accept: application/json' \
        -H 'api-token: XXXXXX-XXXXX-XXXX-XXXX-XXXXX' \
        -H 'content-type: application/json' \
        -d '{
          "ref": "threat2",
          "name": "threat2 name",
          "desc": "threat2 description",
          "riskRating": {
              "confidentiality": "low",
              "integrity": "medium",
              "availability": "very-high",
              "easeOfExploitation": "none"
          }
      }'
  8. Associate existing Weakness to existing Threat.  In this example, we use the threat reference "threat" from the example above.
    curl -X PUT \
      https://my.iriusrisk.com/api/v1/libraries/library/riskpatterns/riskpattern/usecases/usecase/threats/threat/weaknesses \
      -H 'accept: application/json' \
      -H 'api-token: XXXXXX-XXXXX-XXXX-XXXX-XXXXX' \
      -H 'content-type: application/json' \
      -d '{
    	"ref": "weakness"
    }'
  9. Associate existing Countermeasure to a Weakness and a Threat.  In this example, we use the threat reference "threat" and the weakness reference "weakness"

    curl -X PUT \
      https://my.iriusrisk.com/api/v1/libraries/library/riskpatterns/riskpattern/usecases/usecase/threats/threat/weaknesses/weakness/countermeasures \
      -H 'accept: application/json' \
      -H 'api-token: XXXXXX-XXXXX-XXXX-XXXX-XXXXX' \
      -H 'content-type: application/json' \
      -d '{
    	"ref": "countermeasure"
    }'
  10. Associate existing Countermeasure to Threat.  The typical relationship is from Threat to Weakness to Countermeasure.  But it is also possible to link Countermeasures directly to Threats, without an intermediate Weakness.
    curl -X PUT \
      https://my.iriusrisk.com/api/v1/libraries/library/riskpatterns/riskpattern/usecases/usecase/threats/threat/countermeasures \
      -H 'accept: application/json' \
      -H 'api-token: XXXXXX-XXXXX-XXXX-XXXX-XXXXX' \
      -H 'content-type: application/json' \
      -d '{
    	"ref": "countermeasure2"
    }'
  11. Get the complete library. In this case we're using the library reference "library".
    curl -X GET \
      https://my.iriusrisk.com/api/v1/libraries/library \
      -H 'api-token: XXXXXX-XXXXX-XXXX-XXXX-XXXXX'
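
The steps above as one script, added here as an example and not taken from IriusRisk. It checks every ref before using it as a URL path segment, stops at the first failed call, and passes the API token to curl on stdin rather than on the command line. The `IRIUS_BASE`, `IRIUS_TOKEN` and `DRY_RUN` variables, the function names and the allowed ref character set are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not IriusRisk's own code. Endpoints and JSON fields are the
# ones on this page; IRIUS_BASE, IRIUS_TOKEN, DRY_RUN and all function names
# are assumptions, as is the conservative character set allowed for refs.
IRIUS_BASE="${IRIUS_BASE:-https://my.iriusrisk.com/api/v1}"

# A ref becomes a URL path segment: reject empty, ".", ".." and unsafe chars.
valid_ref() {
  case "$1" in
    ''|.|..|*[!A-Za-z0-9._-]*) return 1 ;;
  esac
}

# Build the endpoint URL from path segments, validating each one.
irius_url() {
  local url="$IRIUS_BASE/libraries" seg
  [ "$#" -eq 0 ] && url="$url/"
  for seg in "$@"; do
    valid_ref "$seg" || { echo "unsafe path segment: '$seg'" >&2; return 1; }
    url="$url/$seg"
  done
  printf '%s\n' "$url"
}

# irius_call METHOD JSON_BODY [path segments...]
irius_call() {
  local method="$1" body="$2" url
  shift 2
  url="$(irius_url "$@")" || return 1
  if [ -n "${DRY_RUN:-}" ]; then printf '%s %s %s\n' "$method" "$url" "$body"; return 0; fi
  : "${IRIUS_TOKEN:?set IRIUS_TOKEN in the environment}"
  set -- -X "$method" "$url" -H 'accept: application/json' -H 'content-type: application/json'
  [ -n "$body" ] && set -- "$@" -d "$body"
  # Token reaches curl as config on stdin, so it is absent from curl's argv.
  printf 'header = "api-token: %s"\n' "$IRIUS_TOKEN" |
    curl --config - --fail --silent --show-error "$@"
}

# Steps 2-9 and 11 in order; stops at the first failed call.
build_library() {
  irius_call POST '{"ref":"library","name":"library name","desc":"library description"}' &&
  irius_call POST '{"ref":"riskpattern","name":"risk pattern name"}' library riskpatterns &&
  irius_call POST '{"ref":"weakness","name":"weakness name"}' library riskpatterns riskpattern weaknesses &&
  irius_call POST '{"ref":"countermeasure","name":"countermeasure name"}' library riskpatterns riskpattern countermeasures &&
  irius_call POST '{"ref":"usecase","name":"use case name"}' library riskpatterns riskpattern usecases &&
  irius_call POST '{"ref":"threat","name":"threat name"}' library riskpatterns riskpattern usecases usecase threats &&
  irius_call PUT '{"ref":"weakness"}' library riskpatterns riskpattern usecases usecase threats threat weaknesses &&
  irius_call PUT '{"ref":"countermeasure"}' library riskpatterns riskpattern usecases usecase threats threat weaknesses weakness countermeasures &&
  irius_call GET '' library
}
```

Source the file and run `DRY_RUN=1 build_library` to print the request plan without contacting the server; unset `DRY_RUN` and export `IRIUS_TOKEN` to send the requests.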