Dispositions API
Create and manage vulnerability triage decisions via the API.
Dispositions are triage decisions that classify how a vulnerability affects your product. Each disposition links to a specific vulnerability and follows the VEX status model.
Disposition Statuses
| Status | When to use | Additional fields |
|---|---|---|
affected | The vulnerability impacts your product | response required |
not_affected | The vulnerability does not impact your product | justification required |
fixed | The vulnerability has been remediated | - |
under_investigation | Still evaluating the impact | - |
Justification values (for not_affected)
component_not_present— The component is not present in the productvulnerable_code_not_present— The vulnerable code is not presentvulnerable_code_not_in_execute_path— The vulnerable code cannot be reachedvulnerable_code_cannot_be_controlled_by_adversary— An attacker cannot control the vulnerable codeinline_mitigations_already_exist— Existing mitigations address the vulnerability
Response values (for affected)
can_not_fix— Cannot be fixedwill_not_fix— Will not be fixedupdate— Fix available via updaterollback— Fix available via rollbackworkaround_available— A workaround exists
Create or Upsert a Disposition
POST /api/dispositions
Scope: dispositions:write
If a disposition already exists for the given vulnerability, it is updated.
Request body:
| Field | Type | Required | Description |
|---|---|---|---|
vulnerabilityId | uuid | Yes | The vulnerability to triage |
status | string | No | Disposition status (defaults to under_investigation) |
justification | string | No | Required when status is not_affected |
response | string | No | Used when status is affected |
detail | string | No | Detailed explanation (max 5000 chars) |
actionStatement | string | No | Action to be taken (max 5000 chars) |
impactStatement | string | No | Impact description (max 5000 chars) |
assignedTo | uuid | No | Team member ID to assign |
Example:
curl -X POST \
-H "Authorization: Bearer cvk_YOUR_KEY" \
-H "Content-Type: application/json" \
-d '{
"vulnerabilityId": "vuln-uuid",
"status": "not_affected",
"justification": "vulnerable_code_not_in_execute_path",
"detail": "The vulnerable code path is not reachable in our configuration."
}' \
https://cis.cveium.com/api/dispositions
Update a Disposition
PUT /api/dispositions/{dispositionId}
Scope: dispositions:write
All fields are optional. Returns 409 if the disposition is locked (a VEX document referencing it is in the approval/published state).
Batch Upsert Dispositions
POST /api/dispositions/batch
Scope: dispositions:write
Apply the same disposition to multiple vulnerabilities at once. Maximum 500 vulnerability IDs per request.
Request body:
| Field | Type | Required | Description |
|---|---|---|---|
vulnerabilityIds | uuid[] | Yes | Array of vulnerability IDs (max 500) |
status | string | Yes | Disposition status to apply |
justification | string | No | Justification (for not_affected) |
response | string | No | Response (for affected) |
detail | string | No | Detailed explanation (max 5000 chars) |
Example:
curl -X POST \
-H "Authorization: Bearer cvk_YOUR_KEY" \
-H "Content-Type: application/json" \
-d '{
"vulnerabilityIds": ["uuid-1", "uuid-2", "uuid-3"],
"status": "not_affected",
"justification": "component_not_present"
}' \
https://cis.cveium.com/api/dispositions/batch
Response:
{
"updated": 3
}
Locked Dispositions
When a VEX document is submitted for approval, the entire release chain is locked. This includes the release, its SBOM, and all dispositions. Attempting to modify a locked disposition returns 409 (Conflict).
To unlock, the VEX document must be rejected (returned to draft state) or the release must be unlocked by a team member.