Cobalt.io - Org token encryption format to update
Hi!
I was trying to set up the cobalt.io API connection from v. 2.47.0 version. I followed those instructions to get the organization token: https://docs.cobalt.io/cobalt-api/get-organization-token/ and had the following error:
I noticed the "Accept" header in the curl to retrieve the org token mentioned a v2:
curl -X GET "https://api.cobalt.io/orgs" \
  -H "Accept: application/vnd.cobalt.v2+json" \
  -H "Authorization: Bearer YOUR-PERSONAL-API-TOKEN" \
  | jq .
I generated a token using v1
curl -X GET "https://api.cobalt.io/orgs" \
  -H "Accept: application/vnd.cobalt.v1+json" \
  -H "Authorization: Bearer YOUR-PERSONAL-API-TOKEN" \
  | jq .
And I was able to use the output to set up the integration, and the import worked fine. Could you update so V2 (seems to be the standard) is working?
Thanks for the great product and community!
Thank you for reporting. Do I understand correctly that if you generate a V1 token, the integration with Defect Dojo works fine?
Is there any documentation/instruction from Cobalt on the difference between V1 and V2? Can we just set it to V2 and never look back or do we need to support both? Existing users with a V1 token stored in Defect Dojo probably expect it to "keep working".
Hi,
"Do I understand correctly that if you generate a V1 token, the integration with Defect Dojo works fine?" -> Yes, except images that are not fetched in the findings, but it was maybe the case already, I never tested.
For the other part, you can find the change log here: https://docs.cobalt.io/cobalt-api/documentation/v2/ It looks like they are still supporting V1, but V2 enhanced a few endpoints, and changes identifiers for all endpoints...
So:
- the URL is the same for V1 and V2?
- the server side decides to use its V1 or V2 logic based on the accept header provided by the client?
- for V2 the client needs a different token than for V1?
That's unfortunate, especially the requirement for a new token.
Are you able to do some testing and make a PR as I don't think we have access to a Cobalt instance?