Open API Spec Evaluation

API spec assessment for risks and compliance

20 June 2021

Table of Contents

Report Analysis: executive summary of the overall design issues and their categories

  Input File Details
  Overall Design Issues
  Issue Categories Details
  Violation Details

Input File Details

Information about data found inside the zip file

What did we find inside the uploaded zip file?

  Issues: 7
  APIs: 83
  Parameters: 188
  Data Types: 21

How is content distributed inside your files?

  Distribution charts (not reproduced here): By API Method, By Parameter Type, By API Response Code


Overall Design Issues

Information about design issues found in the uploaded file

What did we find inside the uploaded zip file?

  Total checkups performed: 7,199
  Issues found: 334 (20%)

Issues distribution by severity

  Critical: 200
  Major: 100
  Minor: 34

Most frequently occurring violation

  Properties of type “array” should have “maxItems” defined. (439 violations, 20%)

What are the issue categories?

API Design Scorecard

  Issue Category         Issues Found   Severity   Highest Severity
  Data Type Definition   32             32         Critical
  Data Type Definition   32             32         Critical
  Data Type Definition   32             32         Critical
  Data Type Definition   32             32         Critical
  Data Type Definition   60             60         Major


Issue Categories Details

Information about issue categories found inside the zip file

What are the issue categories?

API Transport Issues

Transport Method Not Defined
  Description: The APIs that did not define the transport method at local or global level
  APIs with issue: 2
  Severity distribution: 32 Critical, 22 Major, 22 Minor
  Files: /tmp/cvapispecrisk_auvk/orangebank_stores.json
  Data tags: text_array-cms

Clear Text HTTP
  Description: The APIs that are defined to be using clear text HTTP
  APIs with issue: 2
  Severity distribution: 32 Critical, 22 Major, 22 Minor
  Files: /tmp/cvapispecrisk_auvk/orangebank_stores.json
  Data tags: text_array-cms


Data Type Issues

Data Bounds Not Defined
  Description: The bounds for the data are not defined for various entities. E.g. maximum string length or maximum number of elements in an array may not be defined
  APIs with issue: 2
  Severity distribution: 32 Critical, 22 Major, 22 Minor
  Files: /tmp/cvapispecrisk_auvk/orangebank_stores.json
  Data tags: text_array-cms

Non-restrictive Data Bounds
  Description: The bounds for data are not restrictive for various entities. E.g. a string might have been defined to be any pattern (*) rather than being restricted to alphanumeric
  APIs with issue: 2
  Severity distribution: 32 Critical, 22 Major, 22 Minor
  Files: /tmp/cvapispecrisk_auvk/orangebank_stores.json
  Data tags: text_array-cms

Type & Attribute Mismatch
  Description: Certain entities are of a particular type but mandatory attributes are missing. E.g. an entity of type array does not have items defined
  APIs with issue: 0
  No issues found! Kudos to you and your team!


API Authentication & Authorization Issues

No Auth Information Defined
  Description: The APIs that did not define any authorization information
  APIs with issue: 2
  Severity distribution: 32 Critical, 22 Major, 22 Minor
  Files: /tmp/cvapispecrisk_auvk/orangebank_stores.json
  Data tags: text_array-cms

Invalid or Insecure Auth URL
  Description: The APIs that are defined to be using an invalid or insecure auth URL
  APIs with issue: 2
  Severity distribution: 32 Critical, 22 Major, 22 Minor
  Files: /tmp/cvapispecrisk_auvk/orangebank_stores.json
  Data tags: text_array-cms


API Lifecycle and Management Issues

No API Versioning
  Description: The APIs defined do not accommodate versioning. E.g. an API defined as /api/v1/employeeInfo allows for versioning. Absence of such versioning is not ideal for API lifecycle management
  APIs with issue: 2
  Severity distribution: 32 Critical, 22 Major, 22 Minor
  Files: /tmp/cvapispecrisk_auvk/orangebank_stores.json
  Data tags: text_array-cms

API Error Responses Not Defined
  Description: Certain entities are of a particular type but mandatory attributes are missing. E.g. an entity of type array does not have items defined
  APIs with issue: 2
  Severity distribution: 32 Critical, 22 Major, 22 Minor
  Files: /tmp/cvapispecrisk_auvk/orangebank_stores.json
  Data tags: text_array-cms


API Spec-file Management Issues

Contact Information Missing
  Description: The contact information is missing from the API specification files
  APIs with issue: 0
  No issues found! Kudos to you and your team!

Appendix

All details about violations


Violation Details

Information about violations and locations in the spec.

Critical Issues (68)

Type

Local security field is missing

Issues

7

Details

The global security field is missing, is empty, or contains an empty security requirement.

Impact

Lack of the security field implies that no security schemes will be applied for the affected operations. Security schemes ensure authenticated and authorized access to APIs, lack of which may make the API vulnerable.

  1. /store/order/{orderId}
    (#->paths->/store/order/{orderId}->delete->security is-missing True)[1] and ((#->security is-missing True)[1] == True)
  2. /store/order/{orderId}
    (#->paths->/store/order/{orderId}->delete->security is-missing True)[1] and ((#->security is-missing True)[1] == True)
  3. /store/order/{orderId}
    (#->paths->/store/order/{orderId}->delete->security is-missing True)[1] and ((#->security is-missing True)[1] == True)
  4. /store/order/{orderId}
    (#->paths->/store/order/{orderId}->delete->security is-missing True)[1] and ((#->security is-missing True)[1] == True)
  5. /store/order/{orderId}
    (#->paths->/store/order/{orderId}->delete->security is-missing True)[1] and ((#->security is-missing True)[1] == True)
  6. /store/order/{orderId}
    (#->paths->/store/order/{orderId}->delete->security is-missing True)[1] and ((#->security is-missing True)[1] == True)
  7. /store/order/{orderId}
    (#->paths->/store/order/{orderId}->delete->security is-missing True)[1] and ((#->security is-missing True)[1] == True)

Type

Security Definitions field is not defined or is empty.

Issues

6

Details

Absence of the security definitions implies that even if security schemes have been specified, they cannot be applied without the scheme definitions captured in the securityDefinitions field.

Impact

Lack of the security field implies that no security schemes will be applied for the affected operations. Security schemes ensure authenticated and authorized access to APIs, lack of which may make the API vulnerable.

  1. /store/order/{orderId}
    (#->paths->/store/order/{orderId}->delete->security is-missing True)[1] and ((#->security is-missing True)[1] == True)
  2. /store/order/{orderId}
    (#->paths->/store/order/{orderId}->delete->security is-missing True)[1] and ((#->security is-missing True)[1] == True)
  3. /store/order/{orderId}
    (#->paths->/store/order/{orderId}->delete->security is-missing True)[1] and ((#->security is-missing True)[1] == True)
  4. /store/order/{orderId}
    (#->paths->/store/order/{orderId}->delete->security is-missing True)[1] and ((#->security is-missing True)[1] == True)
  5. /store/order/{orderId}
    (#->paths->/store/order/{orderId}->delete->security is-missing True)[1] and ((#->security is-missing True)[1] == True)
  6. /store/order/{orderId}
    (#->paths->/store/order/{orderId}->delete->security is-missing True)[1] and ((#->security is-missing True)[1] == True)
  7. /store/order/{orderId}
    (#->paths->/store/order/{orderId}->delete->security is-missing True)[1] and ((#->security is-missing True)[1] == True)

Major Issues (100)

Type

Local security field is missing

Issues

7

Details

The global security field is missing, is empty, or contains an empty security requirement.

Impact

Lack of the security field implies that no security schemes will be applied for the affected operations. Security schemes ensure authenticated and authorized access to APIs, lack of which may make the API vulnerable.

  1. /store/order/{orderId}
    (#->paths->/store/order/{orderId}->delete->security is-missing True)[1] and ((#->security is-missing True)[1] == True)
  2. /store/order/{orderId}
    (#->paths->/store/order/{orderId}->delete->security is-missing True)[1] and ((#->security is-missing True)[1] == True)
  3. /store/order/{orderId}
    (#->paths->/store/order/{orderId}->delete->security is-missing True)[1] and ((#->security is-missing True)[1] == True)
  4. /store/order/{orderId}
    (#->paths->/store/order/{orderId}->delete->security is-missing True)[1] and ((#->security is-missing True)[1] == True)
  5. /store/order/{orderId}
    (#->paths->/store/order/{orderId}->delete->security is-missing True)[1] and ((#->security is-missing True)[1] == True)
  6. /store/order/{orderId}
    (#->paths->/store/order/{orderId}->delete->security is-missing True)[1] and ((#->security is-missing True)[1] == True)
  7. /store/order/{orderId}
    (#->paths->/store/order/{orderId}->delete->security is-missing True)[1] and ((#->security is-missing True)[1] == True)

Minor Issues (100)

Type

Local security field is missing

Issues

7

Details

The global security field is missing, is empty, or contains an empty security requirement.

Impact

Lack of the security field implies that no security schemes will be applied for the affected operations. Security schemes ensure authenticated and authorized access to APIs, lack of which may make the API vulnerable.

  1. /store/order/{orderId}
    (#->paths->/store/order/{orderId}->delete->security is-missing True)[1] and ((#->security is-missing True)[1] == True)
  2. /store/order/{orderId}
    (#->paths->/store/order/{orderId}->delete->security is-missing True)[1] and ((#->security is-missing True)[1] == True)
  3. /store/order/{orderId}
    (#->paths->/store/order/{orderId}->delete->security is-missing True)[1] and ((#->security is-missing True)[1] == True)
  4. /store/order/{orderId}
    (#->paths->/store/order/{orderId}->delete->security is-missing True)[1] and ((#->security is-missing True)[1] == True)
  5. /store/order/{orderId}
    (#->paths->/store/order/{orderId}->delete->security is-missing True)[1] and ((#->security is-missing True)[1] == True)
  6. /store/order/{orderId}
    (#->paths->/store/order/{orderId}->delete->security is-missing True)[1] and ((#->security is-missing True)[1] == True)
  7. /store/order/{orderId}
    (#->paths->/store/order/{orderId}->delete->security is-missing True)[1] and ((#->security is-missing True)[1] == True)

Protecting data and all paths to it
