update_vulnerability
Modify vulnerability details in penetration testing reports by updating fields like title, description, severity, CVSS score, and remediation steps.
Instructions
Update a vulnerability. Use minimal HTML formatting: only <p> tags for paragraphs and <ul><li> for simple bullet lists. NO nesting, NO numbered lists, NO code blocks, NO headers.
Input Schema
| Name | Required | Description | Default |
|---|---|---|---|
| bearerToken | No | Bearer token for authentication (optional if REPORTS_JWT_TOKEN env var is set) | |
| vulnerabilityId | Yes | The ID of the vulnerability to update (24-character MongoDB ObjectId) | |
| title | No | The title of the vulnerability (optional) | |
| description | No | Simple HTML description using only <p> tags (optional) | |
| details | No | Simple HTML details using only <p> and <ul><li> tags (optional) | |
| impact | No | Simple HTML impact using only <p> and <ul><li> tags (optional) | |
| remediation | No | Simple HTML remediation using only <p> and <ul><li> tags (optional) | |
| cvss | No | CVSS 3.1 vector string (optional) | |
| cvssScore | No | CVSS 3.1 score (0.0 to 10.0, optional) | |
| severity | No | Vulnerability severity level (optional) | |
| taskId | No | Task ID associated with the vulnerability (optional) | |
Implementation Reference
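// server.js:422-516 (handler) — Core handler function executing the update_vulnerability tool: validates token, ID, data (CVSS, severity), performs PUT request to vulnerability API endpoint, returns formatted JSON response or handles errors.

/**
 * Update a single vulnerability through the reports API.
 *
 * The id is interpolated into the request URL, so it is checked against a
 * strict 24-hex-character pattern before any request is built.
 *
 * @param {string|undefined} providedToken - Bearer token supplied as a tool
 *   argument; resolved by getBearerToken (defined elsewhere in server.js).
 * @param {string} vulnerabilityId - Id of the vulnerability to update.
 * @param {object} vulnerabilityData - Fields sent as the PUT body.
 * @returns {Promise<{content: Array<{type: string, text: string}>}>} A text
 *   payload holding pretty-printed JSON. An HTTP error answer from the API is
 *   returned as a `success: false` payload rather than thrown.
 * @throws {McpError} InvalidParams for a malformed id, CVSS score, severity
 *   or CVSS vector; InternalError when no response arrives or the request
 *   cannot be set up. An McpError raised inside the try block is rethrown
 *   unchanged.
 */
async function updateVulnerability(providedToken, vulnerabilityId, vulnerabilityData) {
  const objectIdPattern = /^[0-9a-fA-F]{24}$/;
  const validSeverities = ['Informational', 'Low', 'Medium', 'High', 'Critical'];

  try {
    // NOTE(review): a token passed as a tool argument travels in the tool-call
    // payload and may be recorded wherever those arguments are logged. The tool
    // schema names REPORTS_JWT_TOKEN as the alternative; confirm how
    // getBearerToken prioritises the two.
    const bearerToken = getBearerToken(providedToken);

    // Type check first: a non-string id previously raised a TypeError on
    // .match() and surfaced as an InternalError instead of InvalidParams.
    if (typeof vulnerabilityId !== 'string' || !objectIdPattern.test(vulnerabilityId)) {
      throw new McpError(
        ErrorCode.InvalidParams,
        'Invalid vulnerabilityId format. Must be a valid MongoDB ObjectId (24 characters)'
      );
    }

    const { cvssScore, severity, cvss } = vulnerabilityData;

    if (cvssScore !== undefined) {
      // Number.isFinite also rejects NaN, which passes a plain range comparison.
      if (!Number.isFinite(cvssScore) || cvssScore < 0 || cvssScore > 10) {
        throw new McpError(
          ErrorCode.InvalidParams,
          'CVSS Score must be a number between 0.0 and 10.0'
        );
      }
    }

    if (severity !== undefined && !validSeverities.includes(severity)) {
      throw new McpError(
        ErrorCode.InvalidParams,
        `Severity must be one of: ${validSeverities.join(', ')}`
      );
    }

    if (cvss !== undefined) {
      // Only the version prefix is checked; the metric part of the vector is
      // forwarded to the API as supplied.
      if (typeof cvss !== 'string' || !cvss.startsWith('CVSS:3.1/')) {
        throw new McpError(
          ErrorCode.InvalidParams,
          'CVSS vector must be a valid CVSS 3.1 string starting with "CVSS:3.1/"'
        );
      }
    }

    const response = await axios.put(
      `${VULNERABILITY_ENDPOINT}/${vulnerabilityId}`,
      vulnerabilityData,
      {
        headers: {
          'Authorization': `Bearer ${bearerToken}`,
          'Content-Type': 'application/json',
        },
        timeout: 15000,
      }
    );

    return {
      content: [
        {
          type: 'text',
          text: JSON.stringify({
            success: true,
            status: response.status,
            data: response.data,
            timestamp: new Date().toISOString(),
            message: `Successfully updated vulnerability ${vulnerabilityId}`,
          }, null, 2),
        },
      ],
    };
  } catch (error) {
    // Validation errors raised above already carry the right code.
    if (error instanceof McpError) {
      throw error;
    }

    if (error.response) {
      // The API answered with an error status. Its body is passed back to the
      // MCP client verbatim.
      // NOTE(review): if upstream error bodies can carry internal detail,
      // consider returning a reduced message instead.
      return {
        content: [
          {
            type: 'text',
            text: JSON.stringify({
              success: false,
              status: error.response.status,
              error: error.response.data || error.message,
              timestamp: new Date().toISOString(),
            }, null, 2),
          },
        ],
      };
    }

    if (error.request) {
      // The request was sent but no response came back.
      throw new McpError(
        ErrorCode.InternalError,
        `Network error: Unable to reach the API at ${VULNERABILITY_ENDPOINT}/${vulnerabilityId}`
      );
    }

    throw new McpError(
      ErrorCode.InternalError,
      `Request setup error: ${error.message}`
    );
  }
}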
// server.js:917-972 (schema) — Input schema for update_vulnerability tool as registered in ListTools handler, defining parameters, types, descriptions, and requirements.
// Excerpt: the opening brace of this tool entry lies outside the quoted range.
name: 'update_vulnerability',
description: 'Update a vulnerability. Use minimal HTML formatting: only <p> tags for paragraphs and <ul><li> for simple bullet lists. NO nesting, NO numbered lists, NO code blocks, NO headers.',
inputSchema: {
  type: 'object',
  properties: {
    // Optional per-call credential.
    // NOTE(review): as a tool argument it is visible to whatever records
    // tool-call arguments; the description names REPORTS_JWT_TOKEN as the
    // alternative.
    bearerToken: {
      type: 'string',
      description: 'Bearer token for authentication (optional if REPORTS_JWT_TOKEN env var is set)',
    },
    // Declared as a plain string: the 24-hex-character format is enforced by
    // the updateVulnerability handler, not by this schema.
    vulnerabilityId: {
      type: 'string',
      description: 'The ID of the vulnerability to update (24-character MongoDB ObjectId)',
    },
    title: {
      type: 'string',
      description: 'The title of the vulnerability (optional)',
    },
    // For the four HTML fields below, the allowed tags are stated in the
    // descriptions only; nothing in this schema enforces them.
    description: {
      type: 'string',
      description: 'Simple HTML description using only <p> tags (optional)',
    },
    details: {
      type: 'string',
      description: 'Simple HTML details using only <p> and <ul><li> tags (optional)',
    },
    impact: {
      type: 'string',
      description: 'Simple HTML impact using only <p> and <ul><li> tags (optional)',
    },
    remediation: {
      type: 'string',
      description: 'Simple HTML remediation using only <p> and <ul><li> tags (optional)',
    },
    // No pattern here; the handler checks only the "CVSS:3.1/" prefix.
    cvss: {
      type: 'string',
      description: 'CVSS 3.1 vector string (optional)',
    },
    // Same 0-10 range that the handler checks.
    cvssScore: {
      type: 'number',
      minimum: 0,
      maximum: 10,
      description: 'CVSS 3.1 score (0.0 to 10.0, optional)',
    },
    // Same five values as the handler's validSeverities list.
    severity: {
      type: 'string',
      enum: ['Informational', 'Low', 'Medium', 'High', 'Critical'],
      description: 'Vulnerability severity level (optional)',
    },
    taskId: {
      type: 'string',
      description: 'Task ID associated with the vulnerability (optional)',
    },
  },
  // Only the id is required by the schema; the dispatch code separately
  // rejects a call that supplies no field to update.
  required: ['vulnerabilityId'],
},
},
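// server.js:1163-1191 (registration) — Registration and dispatch in CallToolRequestHandler switch: validates args, applies HTML formatting to text fields using formatAsHTML helper, constructs updateData, and invokes the handler function.
// Excerpt: the enclosing switch statement lies outside the quoted range.
case 'update_vulnerability': {
  // The braces give updateData its own block scope, so the const cannot
  // collide with declarations made in other cases of the same switch.
  if (!args.vulnerabilityId) {
    throw new McpError(
      ErrorCode.InvalidParams,
      'Vulnerability ID is required'
    );
  }

  // Build update data object from provided fields with auto-HTML formatting.
  // Only the fields named here are copied, so unexpected keys in args are
  // never forwarded to the API.
  const updateData = {};
  if (args.title !== undefined) updateData.title = args.title;

  // NOTE(review): formatAsHTML is defined elsewhere in server.js. Whether it
  // escapes or strips markup outside the <p>/<ul><li> set named in the tool
  // description is not visible here. These fields are stored in a report, so
  // confirm that this helper or the API sanitises them before rendering.
  if (args.description !== undefined) updateData.description = formatAsHTML(args.description);
  if (args.details !== undefined) updateData.details = formatAsHTML(args.details);
  if (args.impact !== undefined) updateData.impact = formatAsHTML(args.impact, 'list');
  if (args.remediation !== undefined) updateData.remediation = formatAsHTML(args.remediation, 'list');

  // Forwarded unchanged. updateVulnerability re-checks cvss, cvssScore and
  // severity; title and taskId get no further validation in the code shown.
  if (args.cvss !== undefined) updateData.cvss = args.cvss;
  if (args.cvssScore !== undefined) updateData.cvssScore = args.cvssScore;
  if (args.severity !== undefined) updateData.severity = args.severity;
  if (args.taskId !== undefined) updateData.taskId = args.taskId;

  // An update with no fields would be an empty PUT; reject it up front.
  if (Object.keys(updateData).length === 0) {
    throw new McpError(
      ErrorCode.InvalidParams,
      'At least one field must be provided to update'
    );
  }

  return await updateVulnerability(args.bearerToken, args.vulnerabilityId, updateData);
}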