Object

Issue

A potential security vulnerability that has been identified on one of your sites by a scan.

Fields

issue_type(): IssueType
The type of issue that was found by a scan, for example, an SQL injection vulnerability.
confidence(): Confidence!
Indicates how confident Burp Scanner is that the identified issue is a genuine vulnerability. This reflects the inherent reliability of the technique that was used to identify the issue.
display_confidence(): Confidence
The confidence that was manually set by a user. At the moment, this can only be used to mark an issue as a false positive.
serial_number(): ID!
A unique identifier for the individual instance of the issue.
severity(): Severity!
Indicates how dangerous the identified issue is. The higher the severity level, the larger the impact is likely to be if an attacker is able to exploit this vulnerability.
description_html(): String
A description of this occurrence of the issue, including information about how it arose and how it could potentially be exploited by an attacker.
remediation_html(): String
A brief overview of measures you can take to try to resolve this issue.
path(): String!
The URL path at which the issue was found, excluding the query string.
origin(): String!
The host on which the issue was found.
novelty(): Novelty
Indicates this issue's relationship to the results of the previous scan, for example, whether this is a new issue that was not identified by the previous scan.
evidence(): [Evidence!]
A list of evidence that the scan found for the issue, such as the HTTP request and response that can be exploited.
tickets(): [Ticket!]
A list of tickets that are linked to this issue. Note that this is only applicable if you have configured the integration between Burp Suite Enterprise Edition and Jira using the REST API.
generated_by_extension(): GeneratedByExtension
The extension that generated the issue, if there is one.
false_positive_note(): String
Note submitted when the issue was marked as a false positive.
false_positive_timestamp(): String
Timestamp when the issue was marked as a false positive.
false_positive_username(): String
Name of the user who marked the issue as a false positive.

Example

Query
query getIssue ($scanId: ID!, $serialNumber: ID!) {
  issue (scan_id: $scanId, serial_number: $serialNumber) {
    issue_type {
      type_index
      name
      description_html
      remediation_html
      vulnerability_classifications_html
      references_html
    }
    display_confidence
    serial_number
    remediation_html
    description_html
    confidence
    severity
    path
    origin
    generated_by_extension {
      name
    }
    evidence {
      ... on Request {
        request_index
        request_count
        request_segments {
          ... on DataSegment {
            data_html
          }
          ... on HighlightSegment {
            highlight_html
          }
          ... on SnipSegment {
            snip_length
          }
        }
      }
      ... on Response {
        response_index
        response_count
        response_segments {
          ... on DataSegment {
            data_html
          }
          ... on HighlightSegment {
            highlight_html
          }
          ... on SnipSegment {
            snip_length
          }
        }
      }
      ... on HttpInteraction {
        title
        description_html
        request {
          ... on DataSegment {
            data_html
          }
          ... on HighlightSegment {
            highlight_html
          }
          ... on SnipSegment {
            snip_length
          }
        }
        response {
          ... on DataSegment {
            data_html
          }
          ... on HighlightSegment {
            highlight_html
          }
          ... on SnipSegment {
            snip_length
          }
        }
      }
      ... on DescriptiveEvidence {
        title
        description_html
      }
    }
  }
}
Variables
{
  "scanId": "2",
  "serialNumber": "314276827364273645"
}
Result
{
    "data": {
        "issue": {
            "issue_type": {
                "type_index": null,
                "name": null,
                "description_html": null,
                "remediation_html": null,
                "vulnerability_classifications_html": null,
                "references_html": null
            },
            "display_confidence": null,
            "serial_number": null,
            "remediation_html": null,
            "description_html": null,
            "confidence": null,
            "severity": null,
            "path": null,
            "origin": null,
            "generated_by_extension": null,
            "evidence": [
                {
                    "request_index": 0,
                    "request_count": 1,
                    "request_segments": [
                        {
                            "data_html": null
                        }
                    ]
                },
                {
                    "response_index": 0,
                    "response_count": 1,
                    "response_segments": [
                        {
                            "data_html": null
                        },
                        {
                            "highlight_html": null
                        },
                        {
                            "data_html": null
                        }
                    ]
                }
            ]
        }
    }
}
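
The evidence list in the result mixes four object shapes, and each request or response arrives as ordered data, highlight and snip segments. The following is an added example, not part of the original reference or of PortSwigger's code: it flattens the "issue" object of such a result into readable text for a triage report, telling the shapes apart by the fields the query above selects. The function names and sample values are constructed for illustration, and it assumes the *_html fields hold HTML-escaped text.

```python
import html

def join_segments(segments):
    """Rebuild one message from its segments, marking the highlighted parts."""
    parts = []
    for seg in segments or []:              # the list itself may be null
        if "snip_length" in seg:            # SnipSegment: content was omitted
            parts.append(f"[...snipped, length {seg['snip_length']}...]")
        elif "highlight_html" in seg:       # HighlightSegment: what the scan flagged
            parts.append(">>>" + html.unescape(seg["highlight_html"] or "") + "<<<")
        elif "data_html" in seg:            # DataSegment: surrounding context
            parts.append(html.unescape(seg["data_html"] or ""))
    return "".join(parts)

def flatten_evidence(issue):
    """Return (kind, text) pairs for every evidence item of an issue object."""
    out = []
    for item in issue.get("evidence") or []:
        if "request_segments" in item:                   # Request
            out.append(("request", join_segments(item["request_segments"])))
        elif "response_segments" in item:                # Response
            out.append(("response", join_segments(item["response_segments"])))
        elif "request" in item or "response" in item:    # HttpInteraction
            out.append(("interaction-request", join_segments(item.get("request"))))
            out.append(("interaction-response", join_segments(item.get("response"))))
        else:                                            # DescriptiveEvidence
            out.append(("note", html.unescape(item.get("title") or "")))
    return out

# Constructed sample in the shape of data.issue from the result above.
SAMPLE_ISSUE = {
    "path": "/search",
    "origin": "https://app.example.test",
    "evidence": [
        {"request_index": 0, "request_count": 1, "request_segments": [
            {"data_html": "GET /search?q="},
            {"highlight_html": "&lt;probe&gt;"},
            {"data_html": " HTTP/1.1\r\nHost: app.example.test\r\n\r\n"}]},
        {"response_index": 0, "response_count": 1, "response_segments": [
            {"data_html": "HTTP/1.1 200 OK\r\n\r\n"},
            {"snip_length": 1042},
            {"highlight_html": "&lt;probe&gt;"},
            {"data_html": None}]},
    ],
}

if __name__ == "__main__":
    for kind, text in flatten_evidence(SAMPLE_ISSUE):
        print(f"--- {kind} ---\n{text}")
```

The output is unescaped plain text, so escape it again before placing it in an HTML report or ticket body.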