IBM WebSphere · Arazzo Workflow

WebSphere Automation Vulnerability Remediation

Version 1.0.0

Find an open critical vulnerability, inspect it, and apply a fix.

1 workflow · 1 source API · 1 provider

Provider

websphere

Workflows

remediate-vulnerability
Inspect an open vulnerability and initiate a fix on the affected servers.
Lists open critical vulnerabilities, reads the target vulnerability, and initiates resolution by applying a fix to the supplied target servers.
3 steps · inputs: fixId, serverIds, vulnerabilityId · outputs: severity, taskId, vulnerabilityId

1. listOpenCritical (operationId: listVulnerabilities)
   List open critical vulnerabilities affecting managed servers so the target can be confirmed.
2. getVulnerability (operationId: getVulnerability)
   Read the target vulnerability to capture its severity, affected servers, and available fixes.
3. resolveVulnerability (operationId: resolveVulnerability)
   Initiate resolution of the vulnerability by applying the chosen fix to the target servers. Returns a task id for the asynchronous remediation.

Source API Descriptions

Arazzo Workflow Specification

websphere-vulnerability-remediation-workflow.yml
arazzo: 1.0.1
info:
  title: WebSphere Automation Vulnerability Remediation
  summary: Find an open critical vulnerability, inspect it, and apply a fix.
  description: >-
    A WebSphere Automation security remediation flow. The workflow lists open
    critical vulnerabilities affecting managed servers, reads the chosen
    vulnerability to capture the affected servers and available fixes, and then
    initiates resolution by applying a fix to the targeted servers. Every step
    spells out its request inline so the flow can be read and executed without
    opening the underlying OpenAPI description.
  version: 1.0.0
sourceDescriptions:
- name: automationApi
  url: ../openapi/websphere-automation-rest-api.yml
  type: openapi
workflows:
- workflowId: remediate-vulnerability
  summary: Inspect an open vulnerability and initiate a fix on the affected servers.
  description: >-
    Lists open critical vulnerabilities, reads the target vulnerability, and
    initiates resolution by applying a fix to the supplied target servers.
  inputs:
    type: object
    required:
    - vulnerabilityId
    - fixId
    - serverIds
    properties:
      vulnerabilityId:
        type: string
        description: The vulnerability identifier to remediate.
      fixId:
        type: string
        description: The specific fix to apply.
      serverIds:
        type: array
        items:
          type: string
        description: Target servers for the fix.
  steps:
  - stepId: listOpenCritical
    description: >-
      List open critical vulnerabilities affecting managed servers so the target
      can be confirmed.
    operationId: listVulnerabilities
    parameters:
    - name: severity
      in: query
      value: critical
    - name: status
      in: query
      value: open
    successCriteria:
    - condition: $statusCode == 200
    outputs:
      vulnerabilities: $response.body#/vulnerabilities
      totalCount: $response.body#/totalCount
  - stepId: getVulnerability
    description: >-
      Read the target vulnerability to capture its severity, affected servers,
      and available fixes.
    operationId: getVulnerability
    parameters:
    - name: vulnerabilityId
      in: path
      value: $inputs.vulnerabilityId
    successCriteria:
    - condition: $statusCode == 200
    outputs:
      severity: $response.body#/severity
      affectedServers: $response.body#/affectedServers
      availableFixes: $response.body#/availableFixes
  - stepId: resolveVulnerability
    description: >-
      Initiate resolution of the vulnerability by applying the chosen fix to the
      target servers. Returns a task id for the asynchronous remediation.
    operationId: resolveVulnerability
    parameters:
    - name: vulnerabilityId
      in: path
      value: $inputs.vulnerabilityId
    requestBody:
      contentType: application/json
      payload:
        action: apply-fix
        fixId: $inputs.fixId
        serverIds: $inputs.serverIds
    successCriteria:
    - condition: $statusCode == 202
    outputs:
      taskId: $response.body#/taskId
      taskStatus: $response.body#/status
  outputs:
    vulnerabilityId: $inputs.vulnerabilityId
    severity: $steps.getVulnerability.outputs.severity
    taskId: $steps.resolveVulnerability.outputs.taskId
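A dry run of the three steps above in Python, added here as an example and not IBM's or the workflow's own code. The automationApi is not on this page, so the response shapes, vulnerability and fix identifiers and server names are constructed stand-ins; the point is the guards a runner should enforce between steps: the target must appear in the step-1 list, the fix must be one of the step-2 availableFixes, the servers must all be affectedServers, and each step's successCriteria status code must hold before the next call.

```python
from typing import Any, Callable

# Constructed stand-in for the automationApi operations (not the real API):
# each callable returns (HTTP status, JSON body) in the shape the steps read.
SAMPLE_API: dict[str, Callable[..., tuple[int, dict[str, Any]]]] = {
    "listVulnerabilities": lambda severity, status: (200, {"totalCount": 1, "vulnerabilities": [
        {"vulnerabilityId": "VULN-EXAMPLE-1", "severity": severity, "status": status}]}),
    "getVulnerability": lambda vulnerabilityId: (200, {
        "vulnerabilityId": vulnerabilityId, "severity": "critical",
        "affectedServers": ["server-a", "server-b"], "availableFixes": ["FIX-EXAMPLE-9"]}),
    "resolveVulnerability": lambda vulnerabilityId, body: (202, {"taskId": "task-0001", "status": "queued"}),
}

def body_ref(body: dict[str, Any], pointer: str) -> Any:
    """Resolve an Arazzo '$response.body#/a/b' reference against a response body."""
    node = body
    for key in pointer.split("#/", 1)[1].split("/"):
        node = node[key]
    return node

def remediate_vulnerability(inputs: dict[str, Any], api=SAMPLE_API) -> dict[str, Any]:
    """Run listOpenCritical -> getVulnerability -> resolveVulnerability with guards."""
    # Step 1 (listOpenCritical): successCriteria $statusCode == 200.
    code, body = api["listVulnerabilities"](severity="critical", status="open")
    if code != 200:
        raise RuntimeError(f"listOpenCritical failed: HTTP {code}")
    open_ids = {v["vulnerabilityId"] for v in body_ref(body, "$response.body#/vulnerabilities")}
    # Guard: only remediate a vulnerability the list step actually confirmed as open+critical.
    if inputs["vulnerabilityId"] not in open_ids:
        raise ValueError(f"{inputs['vulnerabilityId']} is not an open critical vulnerability")
    # Step 2 (getVulnerability): successCriteria $statusCode == 200.
    code, body = api["getVulnerability"](vulnerabilityId=inputs["vulnerabilityId"])
    if code != 200:
        raise RuntimeError(f"getVulnerability failed: HTTP {code}")
    severity = body_ref(body, "$response.body#/severity")
    affected = set(body_ref(body, "$response.body#/affectedServers"))
    fixes = set(body_ref(body, "$response.body#/availableFixes"))
    # Guards: the chosen fix must be offered for this vulnerability, and every
    # target server must be affected, so the fix is never pushed to unrelated hosts.
    if inputs["fixId"] not in fixes:
        raise ValueError(f"fix {inputs['fixId']} is not available for this vulnerability")
    if not set(inputs["serverIds"]) <= affected:
        raise ValueError(f"servers not affected: {sorted(set(inputs['serverIds']) - affected)}")
    # Step 3 (resolveVulnerability): 202 Accepted, remediation continues asynchronously.
    payload = {"action": "apply-fix", "fixId": inputs["fixId"], "serverIds": inputs["serverIds"]}
    code, body = api["resolveVulnerability"](vulnerabilityId=inputs["vulnerabilityId"], body=payload)
    if code != 202:
        raise RuntimeError(f"resolveVulnerability failed: HTTP {code}")
    return {"vulnerabilityId": inputs["vulnerabilityId"], "severity": severity,
            "taskId": body_ref(body, "$response.body#/taskId")}
```

The returned dict is the workflow's declared outputs; the taskId is what a caller polls to learn whether the asynchronous fix actually completed.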