FluidAttacks API Entity Relationships
Overview
The FluidAttacks API provides a comprehensive security assessment and management system. This document outlines the key entities, their relationships, and access control mechanisms.
Key Components
- Organizations: Top-level structure and policy management
- Groups: Project and application organization
- Roots: Assessment target definition
- Findings and Vulnerabilities: Security issue tracking
- ToE: Detailed analysis components
- Stakeholders and Integrations: Access and automation management
- Events and Analytics: Monitoring and reporting
Core Entities
Organization
- Top-level entity for macro projects
- Manages groups, stakeholders, and policies
- Handles billing and compliance
- Controls access management and security standards
- Configures vulnerability acceptance policies
- Manages ZTNA (Zero Trust Network Access) settings
Group
- Project-level vulnerability management
- Contains roots, findings, and stakeholders
- Configures service attributes and policies
- Manages ToE (Target of Evaluation) components
- Tracks security metrics and analytics
- Integrates with third-party services
Root
- Security assessment target
- Types:
  - Git Root: Repository assessment
  - IP Root: Network assessment
  - URL Root: Web application assessment
- Manages environment configurations
- Links to ToE components
- Controls access credentials
Finding
- Vulnerability type classification
- Contains descriptions and evidence
- Includes severity ratings and analytics
- Provides remediation guidance
- Supports tagging and categorization
- Integrates with external tracking
Vulnerability
- Specific security issue instance
- Contains location and technical details
- Uses CVSS severity scoring
- Tracks treatment and verification
- Supports zero-risk assessment
- Integrates with issue tracking
ToE (Target of Evaluation)
- Assessment target details
- Components:
  - Inputs: Entry points and components
  - Lines: Code coverage analysis
  - Ports: Network information
- Tracks changes and history
- Measures security coverage
- Analyzes dependencies
Stakeholder
- System user representation
- Role-based permissions
- Notification preferences
- Activity tracking
- Verification capabilities
- Multi-group membership
Event
- Incident tracking
- Evidence documentation
- Verification workflow
- Stakeholder consultation
- Component linking
Integration
- External system connectivity
- Supported platforms:
  - GitLab
  - Azure DevOps
  - CI/CD systems
- Workflow automation
- Issue synchronization
- Security check configuration
Analytics
- Security metrics and insights
- Vulnerability statistics
- Remediation timing
- Code composition analysis
- Usage and billing reporting
- Compliance monitoring
Entity Relationships
1. Organization → Group
Type: One-to-Many
Features:
- Group-wide policy management
- Centralized billing
- Stakeholder access control
- Compliance standard management
- Vulnerability acceptance criteria
- ZTNA logging
2. Group → Root
Type: One-to-Many
Features:
- Multiple root type support
- Environment URL configuration
- Docker image management
- ToE association
3. Group → Finding
Type: One-to-Many
Features:
- Vulnerability containment
- Severity classification
- Evidence documentation
- Organizational tagging
- Analytics tracking
4. Finding → Vulnerability
Type: One-to-Many
Features:
- CVSS scoring
- Treatment tracking
- Verification status
- Zero-risk handling
- Bug tracking integration
5. Group → ToE
Type: One-to-Many
Features:
- Attack history tracking
- Code change monitoring
- Dependency analysis
- Coverage measurement
6. Group → Stakeholder
Type: Many-to-Many
Features:
- Access control
- Permission management
- Activity monitoring
- Notification handling
7. Group → Integration
Type: One-to-Many
Features:
- Issue tracking
- DevSecOps integration
- Security automation
8. Group → Event
Type: One-to-Many
Features:
- Incident tracking
- Evidence management
- Verification process
- Consultation support
9. Organization → Compliance
Type: One-to-Many
Features:
- Standards tracking
- Policy management
- Security metrics
- Compliance reporting
10. Group → Analytics
Type: One-to-One
Features:
- Vulnerability metrics
- Remediation timing
- Code analysis
- Security tracking
- Usage reporting
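The cardinalities listed above, modelled as a small in-memory example. This is added illustration, not the API's schema or FluidAttacks' own code: entity and field names are simplified assumptions, and the sample organization, groups, findings and stakeholder are constructed. It shows the one-to-many parent rule (a group cannot be re-parented to a second organization), the many-to-many stakeholder link recorded on both sides, and an open-vulnerability roll-up that walks organization → group → finding → vulnerability.

```python
from dataclasses import dataclass, field

# Added illustration of the relationship cardinalities. Entity and field names are
# simplified assumptions, not the FluidAttacks API schema.


@dataclass
class Vulnerability:
    vuln_id: str
    where: str
    state: str            # constructed values: "VULNERABLE" or "SAFE"
    severity_rating: str  # constructed values: "CRITICAL", "HIGH", "MEDIUM", "LOW"


@dataclass
class Finding:
    title: str
    vulnerabilities: list = field(default_factory=list)  # Finding -> Vulnerability: one-to-many


@dataclass
class Stakeholder:
    email: str
    groups: set = field(default_factory=set)  # Group <-> Stakeholder: many-to-many


@dataclass
class Group:
    name: str
    organization: "Organization | None" = None     # exactly one parent organization
    findings: list = field(default_factory=list)    # Group -> Finding: one-to-many
    stakeholders: dict = field(default_factory=dict)  # email -> role in this group


@dataclass
class Organization:
    name: str
    groups: dict = field(default_factory=dict)  # Organization -> Group: one-to-many

    def add_group(self, group: Group) -> None:
        # One-to-many: a group belongs to a single organization, so re-parenting is refused.
        if group.organization is not None and group.organization is not self:
            raise ValueError(f"group {group.name!r} already belongs to {group.organization.name!r}")
        group.organization = self
        self.groups[group.name] = group


def add_member(group: Group, stakeholder: Stakeholder, role: str) -> None:
    # Many-to-many: record the link on both sides so either direction can be queried.
    group.stakeholders[stakeholder.email] = role
    stakeholder.groups.add(group.name)


def open_vulnerabilities(org: Organization) -> dict:
    """Count open (state == VULNERABLE) vulnerabilities per group by walking
    organization -> group -> finding -> vulnerability. Returns {group_name: count}."""
    counts = {}
    for group in org.groups.values():
        counts[group.name] = sum(
            1
            for finding in group.findings
            for vuln in finding.vulnerabilities
            if vuln.state == "VULNERABLE"
        )
    return counts


def build_sample_org() -> tuple:
    """Constructed sample data, not real FluidAttacks records."""
    org = Organization("acme-org")
    web, api = Group("web-portal"), Group("payments-api")
    org.add_group(web)
    org.add_group(api)
    sqli = Finding("SQL injection")
    sqli.vulnerabilities += [
        Vulnerability("v-1", "login.php:42", "VULNERABLE", "CRITICAL"),
        Vulnerability("v-2", "search.php:10", "SAFE", "CRITICAL"),
    ]
    web.findings.append(sqli)
    xss = Finding("Reflected XSS")
    xss.vulnerabilities.append(Vulnerability("v-3", "/pay?ref=", "VULNERABLE", "MEDIUM"))
    api.findings.append(xss)
    alice = Stakeholder("alice@example.com")
    add_member(web, alice, "VULNERABILITY_MANAGER")  # same stakeholder, two groups
    add_member(api, alice, "REATTACKER")
    return org, alice


if __name__ == "__main__":
    org, alice = build_sample_org()
    print(open_vulnerabilities(org))  # {'web-portal': 1, 'payments-api': 1}
    print(sorted(alice.groups))       # ['payments-api', 'web-portal']
```

The parent check in `add_group` is the part worth keeping in any real client-side model: a group silently appearing under two organizations would break billing and policy inheritance, which the relationship list above attributes to the organization level.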
Access Control
Organization Roles
ORGANIZATION_MANAGER
- Organization credential management
- Analytics handling
- Billing control
- Stakeholder and mailmap management
CUSTOMER_MANAGER
- Organization support
- Process streamlining
- Basic organization management
RESOURCER
- Organization input maintenance
- Resource management
USER
- Basic access
- Limited organization visibility
Stakeholder Roles
ADMIN
- Full platform access
- Treatment modification restricted
- Highest access level
ARCHITECT
- Ethical hacking quality assurance
- Pentesting deliverable oversight
- Quality control
GROUP_MANAGER
- Report generation
- Notification management
- Treatment handling
- Tag management
- Group administration
HACKER
- Vulnerability identification
- Security exploitation
- Finding documentation
- Security reporting
REATTACKER
- Solution verification
- Remediation checking
- Security fix validation
REVIEWER
- Vulnerability management
- Draft evaluation
- Risk level verification
- Quality control
SERVICE_FORCES
- Forces service execution
- Data querying
- Zero risk handling
- Tag management
- Group access
VULNERABILITY_MANAGER
- Report generation
- Notification handling
- Treatment management
- Reattack requests
- Tag administration
- Vulnerability oversight
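A client-side authorization gate built from the role list above, as an added example rather than FluidAttacks' own code. The capability table is derived from the role descriptions on this page (the API's real permission identifiers are not shown here, so these names are illustrative), and it deliberately leaves ADMIN out of treatment changes because the page says treatment modification is restricted for that role. The query adds a `name` selection to the page's Me query so groups can be told apart; the response is constructed. It also includes a least-privilege helper that picks the narrowest role covering a set of needed capabilities.

```python
from typing import Dict, Optional, Set

# Added example, not FluidAttacks' own code: check the caller's group role before a
# mutation is sent. Capability names below are illustrative, derived from the page's
# role descriptions; they are not the API's permission identifiers.

# The page's Me query plus a `name` selection on groups (assumption: the same `name`
# field the OrgPermissions query selects).
ME_QUERY = """
query Me {
  me {
    userEmail
    role
    organizations {
      userRole
      groups {
        name
        userRole
      }
    }
  }
}
"""

# capability -> roles the page lists for it. ADMIN is absent from modify_treatment on
# purpose: the page states treatment modification is restricted for that role.
CAPABILITIES: Dict[str, Set[str]] = {
    "modify_treatment": {"GROUP_MANAGER", "VULNERABILITY_MANAGER"},
    "generate_report": {"GROUP_MANAGER", "VULNERABILITY_MANAGER"},
    "manage_tags": {"GROUP_MANAGER", "SERVICE_FORCES", "VULNERABILITY_MANAGER"},
    "request_reattack": {"VULNERABILITY_MANAGER"},
}

# Constructed response in the shape ME_QUERY returns; role strings are normalised to
# upper case when read so either casing works.
SAMPLE_ME = {
    "data": {
        "me": {
            "userEmail": "alice@example.com",
            "role": "user",
            "organizations": [
                {
                    "userRole": "user",
                    "groups": [
                        {"name": "web-portal", "userRole": "vulnerability_manager"},
                        {"name": "payments-api", "userRole": "reattacker"},
                    ],
                },
                {
                    "userRole": "user",
                    "groups": [{"name": "legacy-crm", "userRole": "admin"}],
                },
            ],
        }
    }
}


def group_roles(me_response: dict) -> Dict[str, str]:
    """Flatten the caller's per-group role across all organizations into {group: ROLE}."""
    if me_response.get("errors"):
        # A partial result must not be read as "no role anywhere": fail loudly instead.
        raise RuntimeError(f"GraphQL errors: {me_response['errors']}")
    roles: Dict[str, str] = {}
    for org in me_response["data"]["me"]["organizations"]:
        for group in org["groups"]:
            roles[group["name"]] = group["userRole"].upper()
    return roles


def allowed(me_response: dict, group_name: str, capability: str) -> bool:
    """Fail closed: unknown group, unknown capability or no membership all deny."""
    role = group_roles(me_response).get(group_name)
    return role is not None and role in CAPABILITIES.get(capability, set())


def least_privileged_role(needed: Set[str]) -> Optional[str]:
    """Among roles covering every needed capability, return the one granting the fewest in total."""
    candidates = []
    for role in set().union(*CAPABILITIES.values()):
        granted = {cap for cap, roles in CAPABILITIES.items() if role in roles}
        if needed <= granted:
            candidates.append((len(granted), role))
    return min(candidates)[1] if candidates else None


if __name__ == "__main__":
    print(allowed(SAMPLE_ME, "web-portal", "modify_treatment"))   # True
    print(allowed(SAMPLE_ME, "legacy-crm", "modify_treatment"))   # False: ADMIN is restricted
    print(least_privileged_role({"modify_treatment", "generate_report"}))  # GROUP_MANAGER
```

The server remains the authority; this check only avoids sending mutations that will be rejected and documents, in code, which roles the team expects to hold each capability. `least_privileged_role` is the useful part when onboarding a stakeholder: ask for the capabilities they actually need and grant the narrowest role that covers them.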
API Usage
GraphQL Queries
Organization Groups
query GetOrganizationGroups($organizationId: String!) {
  organization(organizationId: $organizationId) {
    groups {
      name
      description
      hasForces
      service
      subscription
    }
  }
}
Group Vulnerabilities
query GetGroupVulnerabilities(
  $group: String!
  $first: Int
  $state: VulnerabilityState
  $severity: SeverityRating
) {
  group(groupName: $group) {
    vulnerabilities(first: $first, state: $state, severityRating: $severity) {
      edges {
        node {
          id
          state
          where
          severityRating
          treatmentStatus
          verification
          lastVerificationDate
        }
      }
    }
    openVulnerabilities
    maxOpenSeverity
    meanRemediate
  }
}
Zero-Risk Vulnerabilities
query GetZeroRiskVulnerabilities($findingId: String!, $first: Int) {
  finding(identifier: $findingId) {
    zeroRiskConnection(first: $first) {
      edges {
        node {
          id
          where
          justification
          status
        }
      }
    }
    zeroRiskSummary {
      approved
      rejected
      pending
    }
  }
}
Treatment Summary
query GetVulnerabilityTreatment($findingId: String!) {
  finding(identifier: $findingId) {
    treatmentSummary {
      accepted
      inProgress
      notDefined
      scheduled
    }
    verificationSummary {
      pending
      verified
      requested
    }
    vulnStats {
      open
      closed
      total
    }
  }
}
Critical Vulnerabilities
query GetCriticalVulnerabilities($group: String!) {
  group(groupName: $group) {
    vulnerabilities(first: 100, severityRating: CRITICAL, state: VULNERABLE) {
      edges {
        node {
          id
          where
          severityRating
          treatment
          lastVerificationDate
          attackVectorDescription
          remediation
        }
      }
    }
    maxOpenSeverity
    meanRemediateCriticalSeverity
  }
}
User Roles
query Me {
  me {
    userEmail
    role
    organizations {
      groups {
        userRole
      }
      userRole
    }
  }
}
Permissions
query Me {
  me {
    userEmail
    permissions
    organizations {
      groups {
        permissions
      }
      permissions
    }
  }
}
Organization Permissions
query OrgPermissions($organizationId: String!) {
  organization(organizationId: $organizationId) {
    permissions
    userRole
    groups {
      name
      permissions
    }
  }
}
Group Permissions
query GroupPermissions($groupName: String!) {
  group(groupName: $groupName) {
    permissions
  }
}
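A minimal client for the queries above, added as an example and not FluidAttacks' own client code. It sends GetGroupVulnerabilities with a proper `variables` object (never interpolating input into the query string), reads the bearer token from an environment variable, and then triages the connection result offline: open vulnerabilities that still have no treatment decision, bucketed by severity. Assumptions: `API_URL` is a placeholder endpoint overridable through `FLUIDATTACKS_API_URL`, the `UNTREATED` enum spelling stands in for the "not defined" treatment state and should be confirmed against the schema, and the response is constructed.

```python
import json
import os
import urllib.request
from typing import Dict, List

# Added example, not FluidAttacks' own client code. API_URL is an assumed endpoint,
# overridable through the environment; the token is read from FLUIDATTACKS_TOKEN.
API_URL = os.environ.get("FLUIDATTACKS_API_URL", "https://app.fluidattacks.com/api")  # assumption

# The GetGroupVulnerabilities query from this page, sent verbatim with variables.
GROUP_VULNERABILITIES = """
query GetGroupVulnerabilities($group: String!, $first: Int, $state: VulnerabilityState, $severity: SeverityRating) {
  group(groupName: $group) {
    vulnerabilities(first: $first, state: $state, severityRating: $severity) {
      edges { node { id state where severityRating treatmentStatus verification lastVerificationDate } }
    }
    openVulnerabilities
    maxOpenSeverity
    meanRemediate
  }
}
"""

# Assumed enum spelling for "treatment not yet defined"; confirm against the schema.
UNTREATED = "UNTREATED"
SEVERITY_ORDER = ["CRITICAL", "HIGH", "MEDIUM", "LOW"]


def build_payload(query: str, variables: dict) -> dict:
    """GraphQL-over-HTTP body: query text plus a separate variables object."""
    return {"query": query, "variables": variables}


def post_graphql(query: str, variables: dict) -> dict:
    """Network call, not exercised offline. KeyError if the token is unset, so no
    request is ever sent anonymously."""
    token = os.environ["FLUIDATTACKS_TOKEN"]
    req = urllib.request.Request(
        API_URL,
        data=json.dumps(build_payload(query, variables)).encode(),
        headers={"Content-Type": "application/json", "Authorization": f"Bearer {token}"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


# Constructed response in the shape the query returns; not real findings.
SAMPLE_RESPONSE = {
    "data": {
        "group": {
            "vulnerabilities": {
                "edges": [
                    {"node": {"id": "vuln-001", "state": "VULNERABLE", "where": "src/auth/login.py:88",
                              "severityRating": "CRITICAL", "treatmentStatus": UNTREATED,
                              "verification": None, "lastVerificationDate": None}},
                    {"node": {"id": "vuln-002", "state": "VULNERABLE", "where": "src/api/search.py:12",
                              "severityRating": "HIGH", "treatmentStatus": "IN_PROGRESS",
                              "verification": "Requested", "lastVerificationDate": "2024-01-10"}},
                    {"node": {"id": "vuln-003", "state": "SAFE", "where": "src/api/export.py:40",
                              "severityRating": "CRITICAL", "treatmentStatus": UNTREATED,
                              "verification": "Verified", "lastVerificationDate": "2024-01-12"}},
                    {"node": {"id": "vuln-004", "state": "VULNERABLE", "where": "10.0.0.5:8443",
                              "severityRating": "MEDIUM", "treatmentStatus": UNTREATED,
                              "verification": None, "lastVerificationDate": None}},
                ]
            },
            "openVulnerabilities": 3,
            "maxOpenSeverity": 9.1,
            "meanRemediate": 41,
        }
    }
}


def triage(response: dict) -> dict:
    """Open vulnerabilities still without a treatment decision, bucketed by severity, plus
    the group-level counters. GraphQL errors raise instead of yielding a quietly short list."""
    if response.get("errors"):
        raise RuntimeError(f"GraphQL errors: {response['errors']}")
    group = response["data"]["group"]
    untreated: Dict[str, List[str]] = {sev: [] for sev in SEVERITY_ORDER}
    for edge in group["vulnerabilities"]["edges"]:
        node = edge["node"]
        if node["state"] == "VULNERABLE" and node["treatmentStatus"] == UNTREATED:
            untreated.setdefault(node["severityRating"], []).append(node["id"])
    return {
        "untreated": untreated,
        "openVulnerabilities": group["openVulnerabilities"],
        "maxOpenSeverity": group["maxOpenSeverity"],
        "meanRemediate": group["meanRemediate"],
    }


def priority_order(response: dict) -> List[str]:
    """Ids of untreated open vulnerabilities, most severe first; unknown ratings go last."""
    buckets = triage(response)["untreated"]
    known = [vid for sev in SEVERITY_ORDER for vid in buckets.get(sev, [])]
    extra = [vid for sev, ids in buckets.items() if sev not in SEVERITY_ORDER for vid in ids]
    return known + extra


if __name__ == "__main__":
    print(build_payload(GROUP_VULNERABILITIES, {"group": "web-portal", "first": 50, "state": "VULNERABLE"}))
    print(priority_order(SAMPLE_RESPONSE))  # ['vuln-001', 'vuln-004']
```

To run it live, set `FLUIDATTACKS_TOKEN` and call `post_graphql(GROUP_VULNERABILITIES, {...})`, then pass the result to `priority_order`. Filtering server-side with `state: VULNERABLE` (as the GetCriticalVulnerabilities query does) keeps the page small; the client-side state check is kept anyway so the triage is correct for unfiltered results too.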