WebInspect REST API - Issues with the Report api

I am basically trying to generate reports of scan(s) using the WebInspect REST API in order to automate our post scan workflow.
Environment details :
WebInspect - 23.2.0.121
OS - Windows Server 2016
WebInspect API service is running as the current user due to this issue : Knowledge Doc: WebInspect API not showing all scan results
All relevant updates are installed.
Issues I currently am facing :
1) GET /api/v1/scanner/reports 
API response does not list any of my custom favourites that is in the WebInspect instance
I am able to see the following response : https://pastebin.com/raw/YRWiDqn0
This only includes the standard report templates. I have two specific custom ones that are saved as favourites in WebInspect that is missing in this list.
2) GET /api/v1/scanner/reports/{scanId}.{reportFormat}
This API basically never works. Any combination of request ends up sending back a 500 response.
Example : A scan with id "9cda3f42-d807-4976-be90-8f4996ba25ac" exists in the particular WebInspect instance.
I am able to get the info of this scan using the GET /api/v1/scanner/scans/{scanId} & GET /api/v1/scanner/scans/{scanId}.{extension}. Both these work as expected.
Given that "Executive Summary" & "OWASP Top 10 2017" was included in the report list, let try to use that.
When I send :
GET /webinspect/api/v1/scanner/reports/9cda3f42-d807-4976-be90-8f4996ba25ac.pdf?reportType=issue&reportName=Executive%20Summary&isCustom=false 
GET /webinspect/api/v1/scanner/reports/9cda3f42-d807-4976-be90-8f4996ba25ac.pdf?reportType=compliance&reportName=OWASP%20Top%2010%202017&isCustom=false
I get the following as response:

HTTP/1.1 500 Internal Server Error
Content-Length: 70
Content-Type: application/json; charset=utf-8
Content-Encoding: gzip
Server: Microsoft-HTTPAPI/2.0
Date: Thu, 04 Apr 2024 11:01:22 GMT

Checking the Event Viewer for WebInspect API, there is this ERROR event logged
  • 0

    I cant recall if WIE has a "web" UI - in which case F12 and manually get your report - then steal the HAR trace and see how it is done.
    if it is some .net app - maybe there are some trace logs where you can monitor APIs and see if that give hints?

  • 0 in reply to 

    The UI screenshot I posted is from the Swagger UI accessed from "<hostname>/webinspect/swagger/ui/index#!/Scanner/".
    The errors exist in both Swagger UI and Postman. So its seems like a documentation / setup issue.

  • 0  

    The are a few things mentioned here:

    1. Customer reports not appearing. WebInspect UI and WebInspect API/CLI are different. Custom reports for WebInspect UI should be in C:\ProgramData\HP\HP WebInspect\Reporting and the API/CLI/Schedule should be in C:\ProgramData\HP\HP WebInspect\Schedule\Reporting. I would recommend copying any custom to the schedule and then seeing if they appear via API.
    2. ScanID not available. It is interesting that you can pull the scan information via WI API, but not generate a report against it. You might want to open a support ticket regarding this for further testing verification. It would make sense if the scanID was not returned when you pulled a list of scans via WI API.
  • 0 in reply to   

    1. I checked 'CustomQueryDescriptors' & 'CustomReportDescriptors' in both 

    • 'C:\ProgramData\HP\HP WebInspect\Reporting'
    • 'C:\ProgramData\HP\HP WebInspect\Schedule\Reporting'

    Both directories were empty.

    Is there anywhere else I should look for ?

    Just so I am clear, this is what I am looking for : 

    2) I will raise a support ticket soon for this. I am getting the ScanId in the scan list, able to pull the status and the issues from that scan using its ScanId. Only the reports part seem to not work.

  • 0   in reply to 

    My recommendation would be to go ahead and open a support ticket for this as I'm not sure that report favorites are exposed in WI API. It appears to only be available via the UI.

  • Verified Answer

    +1

    For others facing these issues,

    1) GET /api/v1/scanner/reports

    This API does not return any favorites as of now. I have raised a ticket for this to be added as a feature. Hopefully they will do this and we can start seeing our favorite reports in the future releases.

    2) GET /api/v1/scanner/reports/{scanId}.{reportFormat}

    After much testing with the support team, it was found this issue exists with WebInspect and SQL Express setups.

    The current workaround is to upgrade to SQL Server 2022 Enterprise.

    Don't know if this will be fixed in the future.