Vulnerability Findings API

原文:https://docs.gitlab.com/ee/api/vulnerability_findings.html

Vulnerability Findings API

在 GitLab Ultimate 12.5 中引入 .

注意:此 API 资源已从”漏洞”重命名为”漏洞发现”,因为这些漏洞是为服务即将到来的独立漏洞对象而保留的. 要修复与以前的 Vulnerabilities API 的任何损坏的集成,请将vulnerabilities URL 部分更改为vulnerabilities _ vulnerability_findings .

每个对漏洞发现的 API 调用都必须经过身份验证 .

漏洞发现是项目约束的实体. 如果用户不是项目成员,并且该项目是私有项目,则对该项目的请求将产生404状态代码.

如果用户能够访问该项目但无权使用 Project Security 仪表板 ,则任何对此项目的漏洞发现的请求都将生成403状态代码.

警告:此 API 处于 alpha 阶段,被认为是不稳定的. 响应有效载荷可能会在 GitLab 版本之间发生更改或损坏.

Vulnerability findings pagination

默认情况下,因为 API 结果是分页的,所以GET请求一次返回 20 个结果.

阅读有关分页的更多信息.

List project vulnerability findings

列出项目的所有漏洞发现.

  1. GET /projects/:id/vulnerability_findings
  2. GET /projects/:id/vulnerability_findings?report_type=sast
  3. GET /projects/:id/vulnerability_findings?report_type=container_scanning
  4. GET /projects/:id/vulnerability_findings?report_type=sast,dast
  5. GET /projects/:id/vulnerability_findings?scope=all
  6. GET /projects/:id/vulnerability_findings?scope=dismissed
  7. GET /projects/:id/vulnerability_findings?severity=high
  8. GET /projects/:id/vulnerability_findings?confidence=unknown,experimental
  9. GET /projects/:id/vulnerability_findings?scanner=bandit,find_sec_bugs
  10. GET /projects/:id/vulnerability_findings?pipeline_id=42

弃用:从 GitLab 12.9 开始,不再报告undefined严重性和可信度级别.

Attribute Type Required Description
id integer/string yes 经过身份验证的用户所属的项目的 ID 或URL 编码路径 .
report_type 字符串数组 no 返回属于指定报告类型的漏洞发现. 有效值: sastdastdependency_scanningcontainer_scanning . 默认为全部.
scope string no 返回给定范围内的漏洞发现结果: all或已dismissed . 默认为dismissed .
severity 字符串数组 no 返回属于指定严重性级别的漏洞发现: infounknownlowmediumhighcritical . 默认为全部.
confidence 字符串数组 no 返回属于指定置信度的漏洞发现: ignoreunknownexperimentallowmediumhighconfirmed . 默认为全部.
scanner 字符串数组 no 返回指定扫描程序检测到的漏洞发现.
pipeline_id integer/string no 返回属于指定管道的漏洞发现.
  1. curl --header "PRIVATE-TOKEN: <your_access_token>" "https://gitlab.example.com/api/v4/projects/4/vulnerability_findings"

Example response:

  1. [ { "id": null, "report_type": "dependency_scanning", "name": "Authentication bypass via incorrect DOM traversal and canonicalization in saml2-js", "severity": "unknown", "confidence": "undefined", "scanner": { "external_id": "gemnasium", "name": "Gemnasium" }, "identifiers": [ { "external_type": "gemnasium", "external_id": "9952e574-7b5b-46fa-a270-aeb694198a98", "name": "Gemnasium-9952e574-7b5b-46fa-a270-aeb694198a98", "url": "https://deps.sec.gitlab.com/packages/npm/saml2-js/versions/1.5.0/advisories" }, { "external_type": "cve", "external_id": "CVE-2017-11429", "name": "CVE-2017-11429", "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11429" } ], "project_fingerprint": "fa6f5b6c5d240b834ac5e901dc69f9484cef89ec", "create_vulnerability_feedback_issue_path": "/tests/yarn-remediation-test/vulnerability_feedback", "create_vulnerability_feedback_merge_request_path": "/tests/yarn-remediation-test/vulnerability_feedback", "create_vulnerability_feedback_dismissal_path": "/tests/yarn-remediation-test/vulnerability_feedback", "project": { "id": 31, "name": "yarn-remediation-test", "full_path": "/tests/yarn-remediation-test", "full_name": "tests / yarn-remediation-test" }, "dismissal_feedback": null, "issue_feedback": null, "merge_request_feedback": null, "description": "Some XML DOM traversal and canonicalization APIs may be inconsistent in handling of comments within XML nodes. Incorrect use of these APIs by some SAML libraries results in incorrect parsing of the inner text of XML nodes such that any inner text after the comment is lost prior to cryptographically signing the SAML message. Text after the comment therefore has no impact on the signature on the SAML message.\r\n\r\nA remote attacker can modify SAML content for a SAML service provider without invalidating the cryptographic signature, which may allow attackers to bypass primary authentication for the affected SAML service provider.", "links": [ { "url": "https://github.com/Clever/saml2/commit/3546cb61fd541f219abda364c5b919633609ef3d#diff-af730f9f738de1c9ad87596df3f6de84R279" }, { "url": "https://www.kb.cert.org/vuls/id/475445" }, { "url": "https://github.com/Clever/saml2/issues/127" } ], "location": { "file": "yarn.lock", "dependency": { "package": { "name": "saml2-js" }, "version": "1.5.0" } }, "solution": "Upgrade to fixed version.\r\n", "blob_path": "/tests/yarn-remediation-test/blob/cc6c4a0778460455ae5d16ca7025ca9ca1ca75ac/yarn.lock" } ]