Vulnerability Findings API
原文:https://docs.gitlab.com/ee/api/vulnerability_findings.html
Vulnerability Findings API
在 GitLab Ultimate 12.5 中引入 .
注意:此 API 资源已从”漏洞”重命名为”漏洞发现”,因为这些漏洞是为服务即将到来的独立漏洞对象而保留的. 要修复与以前的 Vulnerabilities API 的任何损坏的集成,请将vulnerabilities
URL 部分更改为vulnerabilities
_ vulnerability_findings
.
每个对漏洞发现的 API 调用都必须经过身份验证 .
漏洞发现是项目约束的实体. 如果用户不是项目成员,并且该项目是私有项目,则对该项目的请求将产生404
状态代码.
如果用户能够访问该项目但无权使用 Project Security 仪表板 ,则任何对此项目的漏洞发现的请求都将生成403
状态代码.
警告:此 API 处于 alpha 阶段,被认为是不稳定的. 响应有效载荷可能会在 GitLab 版本之间发生更改或损坏.
Vulnerability findings pagination
默认情况下,因为 API 结果是分页的,所以GET
请求一次返回 20 个结果.
阅读有关分页的更多信息.
List project vulnerability findings
列出项目的所有漏洞发现.
GET /projects/:id/vulnerability_findings
GET /projects/:id/vulnerability_findings?report_type=sast
GET /projects/:id/vulnerability_findings?report_type=container_scanning
GET /projects/:id/vulnerability_findings?report_type=sast,dast
GET /projects/:id/vulnerability_findings?scope=all
GET /projects/:id/vulnerability_findings?scope=dismissed
GET /projects/:id/vulnerability_findings?severity=high
GET /projects/:id/vulnerability_findings?confidence=unknown,experimental
GET /projects/:id/vulnerability_findings?scanner=bandit,find_sec_bugs
GET /projects/:id/vulnerability_findings?pipeline_id=42
弃用:从 GitLab 12.9 开始,不再报告undefined
严重性和可信度级别.
Attribute | Type | Required | Description |
---|---|---|---|
id |
integer/string | yes | 经过身份验证的用户所属的项目的 ID 或URL 编码路径 . |
report_type |
字符串数组 | no | 返回属于指定报告类型的漏洞发现. 有效值: sast , dast , dependency_scanning 或container_scanning . 默认为全部. |
scope |
string | no | 返回给定范围内的漏洞发现结果: all 或已dismissed . 默认为dismissed . |
severity |
字符串数组 | no | 返回属于指定严重性级别的漏洞发现: info , unknown , low , medium , high 或critical . 默认为全部. |
confidence |
字符串数组 | no | 返回属于指定置信度的漏洞发现: ignore , unknown , experimental , low , medium , high 或confirmed . 默认为全部. |
scanner |
字符串数组 | no | 返回指定扫描程序检测到的漏洞发现. |
pipeline_id |
integer/string | no | 返回属于指定管道的漏洞发现. |
curl --header "PRIVATE-TOKEN: <your_access_token>" "https://gitlab.example.com/api/v4/projects/4/vulnerability_findings"
Example response:
[ { "id": null, "report_type": "dependency_scanning", "name": "Authentication bypass via incorrect DOM traversal and canonicalization in saml2-js", "severity": "unknown", "confidence": "undefined", "scanner": { "external_id": "gemnasium", "name": "Gemnasium" }, "identifiers": [ { "external_type": "gemnasium", "external_id": "9952e574-7b5b-46fa-a270-aeb694198a98", "name": "Gemnasium-9952e574-7b5b-46fa-a270-aeb694198a98", "url": "https://deps.sec.gitlab.com/packages/npm/saml2-js/versions/1.5.0/advisories" }, { "external_type": "cve", "external_id": "CVE-2017-11429", "name": "CVE-2017-11429", "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11429" } ], "project_fingerprint": "fa6f5b6c5d240b834ac5e901dc69f9484cef89ec", "create_vulnerability_feedback_issue_path": "/tests/yarn-remediation-test/vulnerability_feedback", "create_vulnerability_feedback_merge_request_path": "/tests/yarn-remediation-test/vulnerability_feedback", "create_vulnerability_feedback_dismissal_path": "/tests/yarn-remediation-test/vulnerability_feedback", "project": { "id": 31, "name": "yarn-remediation-test", "full_path": "/tests/yarn-remediation-test", "full_name": "tests / yarn-remediation-test" }, "dismissal_feedback": null, "issue_feedback": null, "merge_request_feedback": null, "description": "Some XML DOM traversal and canonicalization APIs may be inconsistent in handling of comments within XML nodes. Incorrect use of these APIs by some SAML libraries results in incorrect parsing of the inner text of XML nodes such that any inner text after the comment is lost prior to cryptographically signing the SAML message. Text after the comment therefore has no impact on the signature on the SAML message.\r\n\r\nA remote attacker can modify SAML content for a SAML service provider without invalidating the cryptographic signature, which may allow attackers to bypass primary authentication for the affected SAML service provider.", "links": [ { "url": "https://github.com/Clever/saml2/commit/3546cb61fd541f219abda364c5b919633609ef3d#diff-af730f9f738de1c9ad87596df3f6de84R279" }, { "url": "https://www.kb.cert.org/vuls/id/475445" }, { "url": "https://github.com/Clever/saml2/issues/127" } ], "location": { "file": "yarn.lock", "dependency": { "package": { "name": "saml2-js" }, "version": "1.5.0" } }, "solution": "Upgrade to fixed version.\r\n", "blob_path": "/tests/yarn-remediation-test/blob/cc6c4a0778460455ae5d16ca7025ca9ca1ca75ac/yarn.lock" } ]