Reports MCP Server

update_vulnerability

Modify vulnerability details in penetration testing reports by updating fields like title, description, severity, CVSS score, and remediation steps.

Instructions

Update a vulnerability. Use minimal HTML formatting: only tags for paragraphs and for simple bullet lists. NO nesting, NO numbered lists, NO code blocks, NO headers.

Input Schema

TableJSON Schema

Name	Required	Description
`bearerToken`	No	Bearer token for authentication (optional if REPORTS_JWT_TOKEN env var is set)
`vulnerabilityId`	Yes	The ID of the vulnerability to update (24-character MongoDB ObjectId)
`title`	No	The title of the vulnerability (optional)
`description`	No	Simple HTML description using only <p> tags (optional)
`details`	No	Simple HTML details using only <p> and <ul><li> tags (optional)
`impact`	No	Simple HTML impact using only <p> and <ul><li> tags (optional)
`remediation`	No	Simple HTML remediation using only <p> and <ul><li> tags (optional)
`cvss`	No	CVSS 3.1 vector string (optional)
`cvssScore`	No	CVSS 3.1 score (0.0 to 10.0, optional)
`severity`	No	Vulnerability severity level (optional)
`taskId`	No	Task ID associated with the vulnerability (optional)

Implementation Reference

server.js:422-516 (handler)

Core handler function executing the update_vulnerability tool: validates token, ID, data (CVSS, severity), performs PUT request to vulnerability API endpoint, returns formatted JSON response or handles errors.

async function updateVulnerability(providedToken, vulnerabilityId, vulnerabilityData) {
  try {
    const bearerToken = getBearerToken(providedToken);
    
    // Validate vulnerabilityId format (should be MongoDB ObjectId)
    if (!vulnerabilityId || !vulnerabilityId.match(/^[0-9a-fA-F]{24}$/)) {
      throw new McpError(
        ErrorCode.InvalidParams,
        'Invalid vulnerabilityId format. Must be a valid MongoDB ObjectId (24 characters)'
      );
    }

    // Validate vulnerability data
    if (vulnerabilityData.cvssScore !== undefined) {
      if (typeof vulnerabilityData.cvssScore !== 'number' || vulnerabilityData.cvssScore < 0 || vulnerabilityData.cvssScore > 10) {
        throw new McpError(
          ErrorCode.InvalidParams,
          'CVSS Score must be a number between 0.0 and 10.0'
        );
      }
    }
    
    if (vulnerabilityData.severity !== undefined) {
      const validSeverities = ['Informational', 'Low', 'Medium', 'High', 'Critical'];
      if (!validSeverities.includes(vulnerabilityData.severity)) {
        throw new McpError(
          ErrorCode.InvalidParams,
          `Severity must be one of: ${validSeverities.join(', ')}`
        );
      }
    }
    
    if (vulnerabilityData.cvss !== undefined) {
      if (typeof vulnerabilityData.cvss !== 'string' || !vulnerabilityData.cvss.startsWith('CVSS:3.1/')) {
        throw new McpError(
          ErrorCode.InvalidParams,
          'CVSS vector must be a valid CVSS 3.1 string starting with "CVSS:3.1/"'
        );
      }
    }

    const response = await axios.put(`${VULNERABILITY_ENDPOINT}/${vulnerabilityId}`, vulnerabilityData, {
      headers: {
        'Authorization': `Bearer ${bearerToken}`,
        'Content-Type': 'application/json',
      },
      timeout: 15000,
    });

    return {
      content: [
        {
          type: 'text',
          text: JSON.stringify({
            success: true,
            status: response.status,
            data: response.data,
            timestamp: new Date().toISOString(),
            message: `Successfully updated vulnerability ${vulnerabilityId}`,
          }, null, 2),
        },
      ],
    };
  } catch (error) {
    if (error instanceof McpError) {
      throw error;
    }
    
    if (error.response) {
      return {
        content: [
          {
            type: 'text',
            text: JSON.stringify({
              success: false,
              status: error.response.status,
              error: error.response.data || error.message,
              timestamp: new Date().toISOString(),
            }, null, 2),
          },
        ],
      };
    } else if (error.request) {
      throw new McpError(
        ErrorCode.InternalError,
        `Network error: Unable to reach the API at ${VULNERABILITY_ENDPOINT}/${vulnerabilityId}`
      );
    } else {
      throw new McpError(
        ErrorCode.InternalError,
        `Request setup error: ${error.message}`
      );
    }
  }
}

server.js:917-972 (schema)

Input schema for update_vulnerability tool as registered in ListTools handler, defining parameters, types, descriptions, and requirements.

  name: 'update_vulnerability',
  description: 'Update a vulnerability. Use minimal HTML formatting: only <p> tags for paragraphs and <ul><li> for simple bullet lists. NO nesting, NO numbered lists, NO code blocks, NO headers.',
  inputSchema: {
    type: 'object',
    properties: {
      bearerToken: {
        type: 'string',
        description: 'Bearer token for authentication (optional if REPORTS_JWT_TOKEN env var is set)',
      },
      vulnerabilityId: {
        type: 'string',
        description: 'The ID of the vulnerability to update (24-character MongoDB ObjectId)',
      },
      title: {
        type: 'string',
        description: 'The title of the vulnerability (optional)',
      },
      description: {
        type: 'string',
        description: 'Simple HTML description using only <p> tags (optional)',
      },
      details: {
        type: 'string',
        description: 'Simple HTML details using only <p> and <ul><li> tags (optional)',
      },
      impact: {
        type: 'string',
        description: 'Simple HTML impact using only <p> and <ul><li> tags (optional)',
      },
      remediation: {
        type: 'string',
        description: 'Simple HTML remediation using only <p> and <ul><li> tags (optional)',
      },
      cvss: {
        type: 'string',
        description: 'CVSS 3.1 vector string (optional)',
      },
      cvssScore: {
        type: 'number',
        minimum: 0,
        maximum: 10,
        description: 'CVSS 3.1 score (0.0 to 10.0, optional)',
      },
      severity: {
        type: 'string',
        enum: ['Informational', 'Low', 'Medium', 'High', 'Critical'],
        description: 'Vulnerability severity level (optional)',
      },
      taskId: {
        type: 'string',
        description: 'Task ID associated with the vulnerability (optional)',
      },
    },
    required: ['vulnerabilityId'],
  },
},

server.js:1163-1191 (registration)

Registration and dispatch in CallToolRequestHandler switch: validates args, applies HTML formatting to text fields using formatAsHTML helper, constructs updateData, and invokes the handler function.

case 'update_vulnerability':
  if (!args.vulnerabilityId) {
    throw new McpError(
      ErrorCode.InvalidParams,
      'Vulnerability ID is required'
    );
  }
  
  // Build update data object from provided fields with auto-HTML formatting
  const updateData = {};
  if (args.title !== undefined) updateData.title = args.title;
  if (args.description !== undefined) updateData.description = formatAsHTML(args.description);
  if (args.details !== undefined) updateData.details = formatAsHTML(args.details);
  if (args.impact !== undefined) updateData.impact = formatAsHTML(args.impact, 'list');
  if (args.remediation !== undefined) updateData.remediation = formatAsHTML(args.remediation, 'list');
  if (args.cvss !== undefined) updateData.cvss = args.cvss;
  if (args.cvssScore !== undefined) updateData.cvssScore = args.cvssScore;
  if (args.severity !== undefined) updateData.severity = args.severity;
  if (args.taskId !== undefined) updateData.taskId = args.taskId;
  
  if (Object.keys(updateData).length === 0) {
    throw new McpError(
      ErrorCode.InvalidParams,
      'At least one field must be provided to update'
    );
  }
  
  return await updateVulnerability(args.bearerToken, args.vulnerabilityId, updateData);

Tool Definition Quality

C2.9/5.0

Behavior2/5

Does the description disclose side effects, auth requirements, rate limits, or destructive behavior?

With no annotations provided, the description carries the full burden of behavioral disclosure. While it mentions HTML formatting constraints, it doesn't disclose critical behavioral traits: that this is a mutation operation (implied but not explicit), what permissions are required, whether changes are reversible, rate limits, or what happens when optional fields are omitted. For an 11-parameter mutation tool with zero annotation coverage, this is inadequate.

Agents need to know what a tool does to the world before calling it. Descriptions should go beyond structured annotations to explain consequences.

Conciseness4/5

Is the description appropriately sized, front-loaded, and free of redundancy?

The description is appropriately concise with two sentences. The first sentence states the core purpose, and the second provides important formatting constraints. However, the formatting guidance could be more efficiently integrated with the purpose statement rather than as a separate sentence.

Shorter descriptions cost fewer tokens and are easier for agents to parse. Every sentence should earn its place.

Completeness2/5

Given the tool's complexity, does the description cover enough for an agent to succeed on first attempt?

For an 11-parameter mutation tool with no annotations and no output schema, the description is insufficient. It doesn't explain what 'updating' entails (partial vs. complete updates), what happens to existing fields when optional parameters are omitted, authentication requirements beyond what's in the schema, or expected response format. The HTML formatting guidance is helpful but doesn't compensate for missing behavioral context.

Complex tools with many parameters or behaviors need more documentation. Simple tools need less. This dimension scales expectations accordingly.

Parameters3/5

Does the description clarify parameter syntax, constraints, interactions, or defaults beyond what the schema provides?

Schema description coverage is 100%, so the schema already documents all 11 parameters thoroughly. The description adds minimal value beyond the schema - it mentions HTML formatting constraints that apply to some parameters, but doesn't provide additional semantic context about parameter interactions or usage patterns. The baseline of 3 is appropriate when the schema does the heavy lifting.

Input schemas describe structure but not intent. Descriptions should explain non-obvious parameter relationships and valid value ranges.

Purpose4/5

Does the description clearly state what the tool does and how it differs from similar tools?

The description clearly states the tool's purpose with the verb 'Update' and resource 'vulnerability', making it immediately understandable. However, it doesn't differentiate this tool from its sibling 'update_report' or explain how vulnerability updates differ from report updates, which prevents a perfect score.

Agents choose between tools based on descriptions. A clear purpose with a specific verb and resource helps agents select the right tool.

Usage Guidelines2/5

Does the description explain when to use this tool, when not to, or what alternatives exist?

The description provides no guidance on when to use this tool versus alternatives like 'create_vulnerabilities' or 'update_report'. It mentions HTML formatting constraints but doesn't explain the tool's specific use case, prerequisites, or when it's appropriate versus other mutation tools in the sibling list.

Agents often have multiple tools that could apply. Explicit usage guidance like "use X instead of Y when Z" prevents misuse.

Install Server

Other Tools

Latest Blog Posts

Lightport: Open-Sourcing Glama's AI Gateway
By punkpeye on April 27, 2026.
open source
OpenAI
Tool Definition Quality Score (TDQS)
By punkpeye on April 3, 2026.
mcp
The Hackers Who Tracked My Sleep Cycle
By punkpeye on March 26, 2026.
security

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/izzy0101010101/mcp-reports-server'

If you have feedback or need assistance with the MCP directory API, please join our Discord server