gitlab-security_report_schemas 0.1.0.min0.0.0.max0.0.0 → 0.1.0.min15.0.0.max15.1.4

Files changed (106)
  1. checksums.yaml +4 -4
  2. data/Gemfile.lock +3 -3
  3. data/README.md +27 -4
  4. data/RUNBOOK.md +28 -0
  5. data/Rakefile +14 -3
  6. data/gem_version +1 -1
  7. data/gitlab-security_report_schemas.gemspec +33 -0
  8. data/lib/gitlab/security_report_schemas/cli/schema_checker/remote_file.rb +9 -2
  9. data/lib/gitlab/security_report_schemas/cli/schema_downloader.rb +1 -3
  10. data/lib/gitlab/security_report_schemas/configuration.rb +27 -2
  11. data/lib/gitlab/security_report_schemas/release/bundler.rb +34 -0
  12. data/lib/gitlab/security_report_schemas/release/gemfile.rb +49 -0
  13. data/lib/gitlab/security_report_schemas/release/issue.rb +77 -0
  14. data/lib/gitlab/security_report_schemas/release/merge_request.rb +84 -0
  15. data/lib/gitlab/security_report_schemas/release/templates/issue_description.erb +13 -0
  16. data/lib/gitlab/security_report_schemas/release/workflow.rb +108 -0
  17. data/lib/gitlab/security_report_schemas/schema_ver.rb +7 -4
  18. data/lib/gitlab/security_report_schemas/version.rb +0 -2
  19. data/lib/gitlab/security_report_schemas.rb +7 -3
  20. data/schemas/15.0.0/cluster-image-scanning-report-format.json +946 -0
  21. data/schemas/15.0.0/container-scanning-report-format.json +880 -0
  22. data/schemas/15.0.0/coverage-fuzzing-report-format.json +836 -0
  23. data/schemas/15.0.0/dast-report-format.json +1241 -0
  24. data/schemas/15.0.0/dependency-scanning-report-format.json +944 -0
  25. data/schemas/15.0.0/sast-report-format.json +831 -0
  26. data/schemas/15.0.0/secret-detection-report-format.json +854 -0
  27. data/schemas/15.0.1/cluster-image-scanning-report-format.json +980 -0
  28. data/schemas/15.0.1/container-scanning-report-format.json +914 -0
  29. data/schemas/15.0.1/coverage-fuzzing-report-format.json +870 -0
  30. data/schemas/15.0.1/dast-report-format.json +1275 -0
  31. data/schemas/15.0.1/dependency-scanning-report-format.json +978 -0
  32. data/schemas/15.0.1/sast-report-format.json +865 -0
  33. data/schemas/15.0.1/secret-detection-report-format.json +888 -0
  34. data/schemas/15.0.2/cluster-image-scanning-report-format.json +980 -0
  35. data/schemas/15.0.2/container-scanning-report-format.json +912 -0
  36. data/schemas/15.0.2/coverage-fuzzing-report-format.json +870 -0
  37. data/schemas/15.0.2/dast-report-format.json +1275 -0
  38. data/schemas/15.0.2/dependency-scanning-report-format.json +978 -0
  39. data/schemas/15.0.2/sast-report-format.json +865 -0
  40. data/schemas/15.0.2/secret-detection-report-format.json +888 -0
  41. data/schemas/15.0.4/cluster-image-scanning-report-format.json +984 -0
  42. data/schemas/15.0.4/container-scanning-report-format.json +916 -0
  43. data/schemas/15.0.4/coverage-fuzzing-report-format.json +874 -0
  44. data/schemas/15.0.4/dast-report-format.json +1279 -0
  45. data/schemas/15.0.4/dependency-scanning-report-format.json +982 -0
  46. data/schemas/15.0.4/sast-report-format.json +869 -0
  47. data/schemas/15.0.4/secret-detection-report-format.json +893 -0
  48. data/schemas/15.0.5/cluster-image-scanning-report-format.json +1035 -0
  49. data/schemas/15.0.5/container-scanning-report-format.json +967 -0
  50. data/schemas/15.0.5/coverage-fuzzing-report-format.json +925 -0
  51. data/schemas/15.0.5/dast-report-format.json +1330 -0
  52. data/schemas/15.0.5/dependency-scanning-report-format.json +1033 -0
  53. data/schemas/15.0.5/sast-report-format.json +920 -0
  54. data/schemas/15.0.5/secret-detection-report-format.json +944 -0
  55. data/schemas/15.0.6/cluster-image-scanning-report-format.json +1035 -0
  56. data/schemas/15.0.6/container-scanning-report-format.json +967 -0
  57. data/schemas/15.0.6/coverage-fuzzing-report-format.json +925 -0
  58. data/schemas/15.0.6/dast-report-format.json +1330 -0
  59. data/schemas/15.0.6/dependency-scanning-report-format.json +1033 -0
  60. data/schemas/15.0.6/sast-report-format.json +920 -0
  61. data/schemas/15.0.6/secret-detection-report-format.json +944 -0
  62. data/schemas/15.0.7/cluster-image-scanning-report-format.json +1085 -0
  63. data/schemas/15.0.7/container-scanning-report-format.json +1017 -0
  64. data/schemas/15.0.7/coverage-fuzzing-report-format.json +975 -0
  65. data/schemas/15.0.7/dast-report-format.json +1380 -0
  66. data/schemas/15.0.7/dependency-scanning-report-format.json +1083 -0
  67. data/schemas/15.0.7/sast-report-format.json +970 -0
  68. data/schemas/15.0.7/secret-detection-report-format.json +994 -0
  69. data/schemas/15.1.0/cluster-image-scanning-report-format.json +1065 -0
  70. data/schemas/15.1.0/container-scanning-report-format.json +997 -0
  71. data/schemas/15.1.0/coverage-fuzzing-report-format.json +975 -0
  72. data/schemas/15.1.0/dast-report-format.json +1380 -0
  73. data/schemas/15.1.0/dependency-scanning-report-format.json +986 -0
  74. data/schemas/15.1.0/sast-report-format.json +970 -0
  75. data/schemas/15.1.0/secret-detection-report-format.json +994 -0
  76. data/schemas/15.1.1/cluster-image-scanning-report-format.json +1065 -0
  77. data/schemas/15.1.1/container-scanning-for-registry-report-format.json +0 -0
  78. data/schemas/15.1.1/container-scanning-report-format.json +998 -0
  79. data/schemas/15.1.1/coverage-fuzzing-report-format.json +975 -0
  80. data/schemas/15.1.1/dast-report-format.json +1380 -0
  81. data/schemas/15.1.1/dependency-scanning-report-format.json +986 -0
  82. data/schemas/15.1.1/sast-report-format.json +970 -0
  83. data/schemas/15.1.1/secret-detection-report-format.json +994 -0
  84. data/schemas/15.1.2/cluster-image-scanning-report-format.json +1190 -0
  85. data/schemas/15.1.2/container-scanning-report-format.json +1123 -0
  86. data/schemas/15.1.2/coverage-fuzzing-report-format.json +1100 -0
  87. data/schemas/15.1.2/dast-report-format.json +1505 -0
  88. data/schemas/15.1.2/dependency-scanning-report-format.json +1111 -0
  89. data/schemas/15.1.2/sast-report-format.json +1095 -0
  90. data/schemas/15.1.2/secret-detection-report-format.json +1119 -0
  91. data/schemas/15.1.3/cluster-image-scanning-report-format.json +1190 -0
  92. data/schemas/15.1.3/container-scanning-report-format.json +1123 -0
  93. data/schemas/15.1.3/coverage-fuzzing-report-format.json +1100 -0
  94. data/schemas/15.1.3/dast-report-format.json +1505 -0
  95. data/schemas/15.1.3/dependency-scanning-report-format.json +1111 -0
  96. data/schemas/15.1.3/sast-report-format.json +1095 -0
  97. data/schemas/15.1.3/secret-detection-report-format.json +1119 -0
  98. data/schemas/15.1.4/cluster-image-scanning-report-format.json +1190 -0
  99. data/schemas/15.1.4/container-scanning-report-format.json +1123 -0
  100. data/schemas/15.1.4/coverage-fuzzing-report-format.json +1100 -0
  101. data/schemas/15.1.4/dast-report-format.json +1505 -0
  102. data/schemas/15.1.4/dependency-scanning-report-format.json +1111 -0
  103. data/schemas/15.1.4/sast-report-format.json +1095 -0
  104. data/schemas/15.1.4/secret-detection-report-format.json +1119 -0
  105. data/supported_versions +12 -0
  106. metadata +112 -12
@@ -0,0 +1,1505 @@
1
+ {
2
+ "$schema": "http://json-schema.org/draft-07/schema#",
3
+ "$id": "https://gitlab.com/gitlab-org/security-products/security-report-schemas/-/raw/master/dist/dast-report-format.json",
4
+ "title": "Report format for GitLab DAST",
5
+ "description": "This schema provides the the report format for Dynamic Application Security Testing (https://docs.gitlab.com/ee/user/application_security/dast).",
6
+ "definitions": {
7
+ "detail_type": {
8
+ "oneOf": [
9
+ {
10
+ "$ref": "#/definitions/named_list"
11
+ },
12
+ {
13
+ "$ref": "#/definitions/list"
14
+ },
15
+ {
16
+ "$ref": "#/definitions/table"
17
+ },
18
+ {
19
+ "$ref": "#/definitions/text"
20
+ },
21
+ {
22
+ "$ref": "#/definitions/url"
23
+ },
24
+ {
25
+ "$ref": "#/definitions/code"
26
+ },
27
+ {
28
+ "$ref": "#/definitions/value"
29
+ },
30
+ {
31
+ "$ref": "#/definitions/diff"
32
+ },
33
+ {
34
+ "$ref": "#/definitions/markdown"
35
+ },
36
+ {
37
+ "$ref": "#/definitions/commit"
38
+ },
39
+ {
40
+ "$ref": "#/definitions/file_location"
41
+ },
42
+ {
43
+ "$ref": "#/definitions/module_location"
44
+ },
45
+ {
46
+ "$ref": "#/definitions/code_flows"
47
+ }
48
+ ]
49
+ },
50
+ "text_value": {
51
+ "type": "string"
52
+ },
53
+ "named_field": {
54
+ "type": "object",
55
+ "required": [
56
+ "name"
57
+ ],
58
+ "properties": {
59
+ "name": {
60
+ "$ref": "#/definitions/text_value",
61
+ "type": "string",
62
+ "minLength": 1
63
+ },
64
+ "description": {
65
+ "$ref": "#/definitions/text_value"
66
+ }
67
+ }
68
+ },
69
+ "named_list": {
70
+ "type": "object",
71
+ "description": "An object with named and typed fields",
72
+ "required": [
73
+ "type",
74
+ "items"
75
+ ],
76
+ "properties": {
77
+ "type": {
78
+ "const": "named-list"
79
+ },
80
+ "items": {
81
+ "type": "object",
82
+ "patternProperties": {
83
+ "^.*$": {
84
+ "allOf": [
85
+ {
86
+ "$ref": "#/definitions/named_field"
87
+ },
88
+ {
89
+ "$ref": "#/definitions/detail_type"
90
+ }
91
+ ]
92
+ }
93
+ }
94
+ }
95
+ }
96
+ },
97
+ "list": {
98
+ "type": "object",
99
+ "description": "A list of typed fields",
100
+ "required": [
101
+ "type",
102
+ "items"
103
+ ],
104
+ "properties": {
105
+ "type": {
106
+ "const": "list"
107
+ },
108
+ "items": {
109
+ "type": "array",
110
+ "items": {
111
+ "$ref": "#/definitions/detail_type"
112
+ }
113
+ }
114
+ }
115
+ },
116
+ "table": {
117
+ "type": "object",
118
+ "description": "A table of typed fields",
119
+ "required": [
120
+ "type",
121
+ "rows"
122
+ ],
123
+ "properties": {
124
+ "type": {
125
+ "const": "table"
126
+ },
127
+ "header": {
128
+ "type": "array",
129
+ "items": {
130
+ "$ref": "#/definitions/detail_type"
131
+ }
132
+ },
133
+ "rows": {
134
+ "type": "array",
135
+ "items": {
136
+ "type": "array",
137
+ "items": {
138
+ "$ref": "#/definitions/detail_type"
139
+ }
140
+ }
141
+ }
142
+ }
143
+ },
144
+ "text": {
145
+ "type": "object",
146
+ "description": "Raw text",
147
+ "required": [
148
+ "type",
149
+ "value"
150
+ ],
151
+ "properties": {
152
+ "type": {
153
+ "const": "text"
154
+ },
155
+ "value": {
156
+ "$ref": "#/definitions/text_value"
157
+ }
158
+ }
159
+ },
160
+ "url": {
161
+ "type": "object",
162
+ "description": "A single URL",
163
+ "required": [
164
+ "type",
165
+ "href"
166
+ ],
167
+ "properties": {
168
+ "type": {
169
+ "const": "url"
170
+ },
171
+ "text": {
172
+ "$ref": "#/definitions/text_value"
173
+ },
174
+ "href": {
175
+ "type": "string",
176
+ "minLength": 1,
177
+ "examples": [
178
+ "http://mysite.com"
179
+ ]
180
+ }
181
+ }
182
+ },
183
+ "code": {
184
+ "type": "object",
185
+ "description": "A codeblock",
186
+ "required": [
187
+ "type",
188
+ "value"
189
+ ],
190
+ "properties": {
191
+ "type": {
192
+ "const": "code"
193
+ },
194
+ "value": {
195
+ "type": "string"
196
+ },
197
+ "lang": {
198
+ "type": "string",
199
+ "description": "A programming language"
200
+ }
201
+ }
202
+ },
203
+ "value": {
204
+ "type": "object",
205
+ "description": "A field that can store a range of types of value",
206
+ "required": [
207
+ "type",
208
+ "value"
209
+ ],
210
+ "properties": {
211
+ "type": {
212
+ "const": "value"
213
+ },
214
+ "value": {
215
+ "type": [
216
+ "number",
217
+ "string",
218
+ "boolean"
219
+ ]
220
+ }
221
+ }
222
+ },
223
+ "diff": {
224
+ "type": "object",
225
+ "description": "A diff",
226
+ "required": [
227
+ "type",
228
+ "before",
229
+ "after"
230
+ ],
231
+ "properties": {
232
+ "type": {
233
+ "const": "diff"
234
+ },
235
+ "before": {
236
+ "type": "string"
237
+ },
238
+ "after": {
239
+ "type": "string"
240
+ }
241
+ }
242
+ },
243
+ "markdown": {
244
+ "type": "object",
245
+ "description": "GitLab flavoured markdown, see https://docs.gitlab.com/ee/user/markdown.html",
246
+ "required": [
247
+ "type",
248
+ "value"
249
+ ],
250
+ "properties": {
251
+ "type": {
252
+ "const": "markdown"
253
+ },
254
+ "value": {
255
+ "$ref": "#/definitions/text_value",
256
+ "examples": [
257
+ "Here is markdown `inline code` #1 [test](gitlab.com)\n\n![GitLab Logo](https://about.gitlab.com/images/press/logo/preview/gitlab-logo-white-preview.png)"
258
+ ]
259
+ }
260
+ }
261
+ },
262
+ "commit": {
263
+ "type": "object",
264
+ "description": "A commit/tag/branch within the GitLab project",
265
+ "required": [
266
+ "type",
267
+ "value"
268
+ ],
269
+ "properties": {
270
+ "type": {
271
+ "const": "commit"
272
+ },
273
+ "value": {
274
+ "type": "string",
275
+ "description": "The commit SHA",
276
+ "minLength": 1
277
+ }
278
+ }
279
+ },
280
+ "file_location": {
281
+ "type": "object",
282
+ "description": "A location within a file in the project",
283
+ "required": [
284
+ "type",
285
+ "file_name",
286
+ "line_start"
287
+ ],
288
+ "properties": {
289
+ "type": {
290
+ "const": "file-location"
291
+ },
292
+ "file_name": {
293
+ "type": "string",
294
+ "minLength": 1
295
+ },
296
+ "line_start": {
297
+ "type": "integer"
298
+ },
299
+ "line_end": {
300
+ "type": "integer"
301
+ }
302
+ }
303
+ },
304
+ "module_location": {
305
+ "type": "object",
306
+ "description": "A location within a binary module of the form module+relative_offset",
307
+ "required": [
308
+ "type",
309
+ "module_name",
310
+ "offset"
311
+ ],
312
+ "properties": {
313
+ "type": {
314
+ "const": "module-location"
315
+ },
316
+ "module_name": {
317
+ "type": "string",
318
+ "minLength": 1,
319
+ "examples": [
320
+ "compiled_binary"
321
+ ]
322
+ },
323
+ "offset": {
324
+ "type": "integer",
325
+ "examples": [
326
+ 100
327
+ ]
328
+ }
329
+ }
330
+ },
331
+ "code_flow_node": {
332
+ "type": "object",
333
+ "description": "A code flow node representing a part of a vulnerability flow from source to sink",
334
+ "required": [
335
+ "file_location",
336
+ "node_type"
337
+ ],
338
+ "properties": {
339
+ "type": {
340
+ "const": "code-flow-node"
341
+ },
342
+ "file_location": {
343
+ "$ref": "#/definitions/file_location"
344
+ },
345
+ "node_type": {
346
+ "type": "string",
347
+ "description": "Describes a code flow node type",
348
+ "enum": [
349
+ "source",
350
+ "sink",
351
+ "propagation"
352
+ ]
353
+ }
354
+ },
355
+ "examples": [
356
+ {
357
+ "type": "code-flow-node",
358
+ "node_type": "propagation",
359
+ "file_location": {
360
+ "type": "file-location",
361
+ "file_name": "file_name.py",
362
+ "line_start": 4,
363
+ "line_end": 6
364
+ }
365
+ }
366
+ ]
367
+ },
368
+ "code_flows": {
369
+ "type": "object",
370
+ "description": "A code flow representing a vulnerability flow from source to sink",
371
+ "required": [
372
+ "items",
373
+ "type"
374
+ ],
375
+ "properties": {
376
+ "type": {
377
+ "const": "code-flows"
378
+ },
379
+ "items": {
380
+ "type": "array",
381
+ "minItems": 1,
382
+ "maxItems": 10,
383
+ "items": {
384
+ "type": "array",
385
+ "minItems": 1,
386
+ "items": {
387
+ "$ref": "#/definitions/code_flow_node"
388
+ }
389
+ }
390
+ }
391
+ },
392
+ "examples": [
393
+ {
394
+ "type": "code-flows",
395
+ "items": [
396
+ [
397
+ {
398
+ "type": "code-flow-node",
399
+ "node_type": "source",
400
+ "file_location": {
401
+ "type": "file-location",
402
+ "file_name": "file_name.py",
403
+ "line_start": 1,
404
+ "line_end": 2
405
+ }
406
+ },
407
+ {
408
+ "type": "code-flow-node",
409
+ "node_type": "propagation",
410
+ "file_location": {
411
+ "type": "file-location",
412
+ "file_name": "file_name.py",
413
+ "line_start": 3
414
+ }
415
+ },
416
+ {
417
+ "type": "code-flow-node",
418
+ "node_type": "sink",
419
+ "file_location": {
420
+ "type": "file-location",
421
+ "file_name": "file_name.py",
422
+ "line_start": 4,
423
+ "line_end": 6
424
+ }
425
+ }
426
+ ],
427
+ [
428
+ {
429
+ "type": "code-flow-node",
430
+ "node_type": "source",
431
+ "file_location": {
432
+ "type": "file-location",
433
+ "file_name": "different_flow.py",
434
+ "line_start": 100,
435
+ "line_end": 102
436
+ }
437
+ },
438
+ {
439
+ "type": "code-flow-node",
440
+ "node_type": "sink",
441
+ "file_location": {
442
+ "type": "file-location",
443
+ "file_name": "file_name.py",
444
+ "line_start": 4,
445
+ "line_end": 6
446
+ }
447
+ }
448
+ ]
449
+ ]
450
+ }
451
+ ]
452
+ }
453
+ },
454
+ "self": {
455
+ "version": "15.1.4"
456
+ },
457
+ "type": "object",
458
+ "required": [
459
+ "scan",
460
+ "version",
461
+ "vulnerabilities"
462
+ ],
463
+ "additionalProperties": true,
464
+ "properties": {
465
+ "scan": {
466
+ "type": "object",
467
+ "required": [
468
+ "analyzer",
469
+ "end_time",
470
+ "scanned_resources",
471
+ "scanner",
472
+ "start_time",
473
+ "status",
474
+ "type"
475
+ ],
476
+ "properties": {
477
+ "end_time": {
478
+ "type": "string",
479
+ "description": "ISO8601 UTC value with format yyyy-mm-ddThh:mm:ss, representing when the scan finished.",
480
+ "pattern": "^\\d{4}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}$",
481
+ "examples": [
482
+ "2020-01-28T03:26:02"
483
+ ]
484
+ },
485
+ "messages": {
486
+ "type": "array",
487
+ "items": {
488
+ "type": "object",
489
+ "description": "Communication intended for the initiator of a scan.",
490
+ "required": [
491
+ "level",
492
+ "value"
493
+ ],
494
+ "properties": {
495
+ "level": {
496
+ "type": "string",
497
+ "description": "Describes the severity of the communication. Use info to communicate normal scan behaviour; warn to communicate a potentially recoverable problem, or a partial error; fatal to communicate an issue that causes the scan to halt.",
498
+ "enum": [
499
+ "info",
500
+ "warn",
501
+ "fatal"
502
+ ],
503
+ "examples": [
504
+ "info"
505
+ ]
506
+ },
507
+ "value": {
508
+ "type": "string",
509
+ "description": "The message to communicate.",
510
+ "minLength": 1,
511
+ "examples": [
512
+ "Permission denied, scanning aborted"
513
+ ]
514
+ }
515
+ }
516
+ }
517
+ },
518
+ "options": {
519
+ "type": "array",
520
+ "items": {
521
+ "type": "object",
522
+ "description": "A configuration option used for this scan.",
523
+ "required": [
524
+ "name",
525
+ "value"
526
+ ],
527
+ "properties": {
528
+ "name": {
529
+ "type": "string",
530
+ "description": "The configuration option name.",
531
+ "maxLength": 255,
532
+ "minLength": 1,
533
+ "examples": [
534
+ "DAST_FF_ENABLE_BAS",
535
+ "DOCKER_TLS_CERTDIR",
536
+ "DS_MAX_DEPTH",
537
+ "SECURE_LOG_LEVEL"
538
+ ]
539
+ },
540
+ "source": {
541
+ "type": "string",
542
+ "description": "The source of this option.",
543
+ "enum": [
544
+ "argument",
545
+ "file",
546
+ "env_variable",
547
+ "other"
548
+ ]
549
+ },
550
+ "value": {
551
+ "type": [
552
+ "boolean",
553
+ "integer",
554
+ "null",
555
+ "string"
556
+ ],
557
+ "description": "The value used for this scan.",
558
+ "examples": [
559
+ true,
560
+ 2,
561
+ null,
562
+ "fatal",
563
+ ""
564
+ ]
565
+ }
566
+ }
567
+ }
568
+ },
569
+ "analyzer": {
570
+ "type": "object",
571
+ "description": "Object defining the analyzer used to perform the scan. Analyzers typically delegate to an underlying scanner to run the scan.",
572
+ "required": [
573
+ "id",
574
+ "name",
575
+ "version",
576
+ "vendor"
577
+ ],
578
+ "properties": {
579
+ "id": {
580
+ "type": "string",
581
+ "description": "Unique id that identifies the analyzer.",
582
+ "minLength": 1,
583
+ "examples": [
584
+ "gitlab-dast"
585
+ ]
586
+ },
587
+ "name": {
588
+ "type": "string",
589
+ "description": "A human readable value that identifies the analyzer, not required to be unique.",
590
+ "minLength": 1,
591
+ "examples": [
592
+ "GitLab DAST"
593
+ ]
594
+ },
595
+ "url": {
596
+ "type": "string",
597
+ "pattern": "^https?://.+",
598
+ "description": "A link to more information about the analyzer.",
599
+ "examples": [
600
+ "https://docs.gitlab.com/ee/user/application_security/dast"
601
+ ]
602
+ },
603
+ "vendor": {
604
+ "description": "The vendor/maintainer of the analyzer.",
605
+ "type": "object",
606
+ "required": [
607
+ "name"
608
+ ],
609
+ "properties": {
610
+ "name": {
611
+ "type": "string",
612
+ "description": "The name of the vendor.",
613
+ "minLength": 1,
614
+ "examples": [
615
+ "GitLab"
616
+ ]
617
+ }
618
+ }
619
+ },
620
+ "version": {
621
+ "type": "string",
622
+ "description": "The version of the analyzer.",
623
+ "minLength": 1,
624
+ "examples": [
625
+ "1.0.2"
626
+ ]
627
+ }
628
+ }
629
+ },
630
+ "scanner": {
631
+ "type": "object",
632
+ "description": "Object defining the scanner used to perform the scan.",
633
+ "required": [
634
+ "id",
635
+ "name",
636
+ "version",
637
+ "vendor"
638
+ ],
639
+ "properties": {
640
+ "id": {
641
+ "type": "string",
642
+ "description": "Unique id that identifies the scanner.",
643
+ "minLength": 1,
644
+ "examples": [
645
+ "my-sast-scanner"
646
+ ]
647
+ },
648
+ "name": {
649
+ "type": "string",
650
+ "description": "A human readable value that identifies the scanner, not required to be unique.",
651
+ "minLength": 1,
652
+ "examples": [
653
+ "My SAST Scanner"
654
+ ]
655
+ },
656
+ "url": {
657
+ "type": "string",
658
+ "description": "A link to more information about the scanner.",
659
+ "examples": [
660
+ "https://scanner.url"
661
+ ]
662
+ },
663
+ "version": {
664
+ "type": "string",
665
+ "description": "The version of the scanner.",
666
+ "minLength": 1,
667
+ "examples": [
668
+ "1.0.2"
669
+ ]
670
+ },
671
+ "vendor": {
672
+ "description": "The vendor/maintainer of the scanner.",
673
+ "type": "object",
674
+ "required": [
675
+ "name"
676
+ ],
677
+ "properties": {
678
+ "name": {
679
+ "type": "string",
680
+ "description": "The name of the vendor.",
681
+ "minLength": 1,
682
+ "examples": [
683
+ "GitLab"
684
+ ]
685
+ }
686
+ }
687
+ }
688
+ }
689
+ },
690
+ "start_time": {
691
+ "type": "string",
692
+ "description": "ISO8601 UTC value with format yyyy-mm-ddThh:mm:ss, representing when the scan started.",
693
+ "pattern": "^\\d{4}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}$",
694
+ "examples": [
695
+ "2020-02-14T16:01:59"
696
+ ]
697
+ },
698
+ "status": {
699
+ "type": "string",
700
+ "description": "Result of the scan.",
701
+ "enum": [
702
+ "success",
703
+ "failure"
704
+ ]
705
+ },
706
+ "type": {
707
+ "type": "string",
708
+ "description": "Type of the scan.",
709
+ "enum": [
710
+ "dast",
711
+ "api_fuzzing"
712
+ ]
713
+ },
714
+ "primary_identifiers": {
715
+ "type": "array",
716
+ "description": "An unordered array containing an exhaustive list of primary identifiers for which the analyzer may return results",
717
+ "items": {
718
+ "type": "object",
719
+ "required": [
720
+ "type",
721
+ "name",
722
+ "value"
723
+ ],
724
+ "properties": {
725
+ "type": {
726
+ "type": "string",
727
+ "description": "for example, cve, cwe, osvdb, usn, or an analyzer-dependent type such as gemnasium).",
728
+ "minLength": 1
729
+ },
730
+ "name": {
731
+ "type": "string",
732
+ "description": "Human-readable name of the identifier.",
733
+ "minLength": 1
734
+ },
735
+ "url": {
736
+ "type": "string",
737
+ "description": "URL of the identifier's documentation.",
738
+ "pattern": "^(https?|ftp)://.+"
739
+ },
740
+ "value": {
741
+ "type": "string",
742
+ "description": "Value of the identifier, for matching purpose.",
743
+ "minLength": 1
744
+ }
745
+ }
746
+ }
747
+ },
748
+ "scanned_resources": {
749
+ "type": "array",
750
+ "description": "The attack surface scanned by DAST.",
751
+ "items": {
752
+ "type": "object",
753
+ "required": [
754
+ "method",
755
+ "url",
756
+ "type"
757
+ ],
758
+ "properties": {
759
+ "method": {
760
+ "type": "string",
761
+ "minLength": 1,
762
+ "description": "HTTP method of the scanned resource.",
763
+ "examples": [
764
+ "GET",
765
+ "POST",
766
+ "HEAD"
767
+ ]
768
+ },
769
+ "url": {
770
+ "type": "string",
771
+ "minLength": 1,
772
+ "description": "URL of the scanned resource.",
773
+ "examples": [
774
+ "http://my.site.com/a-page"
775
+ ]
776
+ },
777
+ "type": {
778
+ "type": "string",
779
+ "minLength": 1,
780
+ "description": "Type of the scanned resource, for DAST, this must be 'url'.",
781
+ "examples": [
782
+ "url"
783
+ ]
784
+ }
785
+ }
786
+ }
787
+ }
788
+ }
789
+ },
790
+ "schema": {
791
+ "type": "string",
792
+ "description": "URI pointing to the validating security report schema.",
793
+ "pattern": "^https?://.+"
794
+ },
795
+ "version": {
796
+ "type": "string",
797
+ "description": "The version of the schema to which the JSON report conforms.",
798
+ "pattern": "^[0-9]+\\.[0-9]+\\.[0-9]+$"
799
+ },
800
+ "vulnerabilities": {
801
+ "type": "array",
802
+ "description": "Array of vulnerability objects.",
803
+ "items": {
804
+ "type": "object",
805
+ "description": "Describes the vulnerability using GitLab Flavored Markdown",
806
+ "required": [
807
+ "id",
808
+ "identifiers",
809
+ "location"
810
+ ],
811
+ "properties": {
812
+ "id": {
813
+ "type": "string",
814
+ "minLength": 1,
815
+ "description": "Unique identifier of the vulnerability. This is recommended to be a UUID.",
816
+ "examples": [
817
+ "642735a5-1425-428d-8d4e-3c854885a3c9"
818
+ ]
819
+ },
820
+ "name": {
821
+ "type": "string",
822
+ "maxLength": 255,
823
+ "description": "The name of the vulnerability. This must not include the finding's specific information."
824
+ },
825
+ "description": {
826
+ "type": "string",
827
+ "maxLength": 1048576,
828
+ "description": "A long text section describing the vulnerability more fully."
829
+ },
830
+ "severity": {
831
+ "type": "string",
832
+ "description": "How much the vulnerability impacts the software. Possible values are Info, Unknown, Low, Medium, High, or Critical. Note that some analyzers may not report all these possible values.",
833
+ "enum": [
834
+ "Info",
835
+ "Unknown",
836
+ "Low",
837
+ "Medium",
838
+ "High",
839
+ "Critical"
840
+ ]
841
+ },
842
+ "solution": {
843
+ "type": "string",
844
+ "maxLength": 7000,
845
+ "description": "Explanation of how to fix the vulnerability."
846
+ },
847
+ "identifiers": {
848
+ "type": "array",
849
+ "minItems": 1,
850
+ "description": "An ordered array of references that identify a vulnerability on internal or external databases. The first identifier is the Primary Identifier, which has special meaning.",
851
+ "items": {
852
+ "type": "object",
853
+ "required": [
854
+ "type",
855
+ "name",
856
+ "value"
857
+ ],
858
+ "properties": {
859
+ "type": {
860
+ "type": "string",
861
+ "description": "for example, cve, cwe, osvdb, usn, or an analyzer-dependent type such as gemnasium).",
862
+ "minLength": 1
863
+ },
864
+ "name": {
865
+ "type": "string",
866
+ "description": "Human-readable name of the identifier.",
867
+ "minLength": 1
868
+ },
869
+ "url": {
870
+ "type": "string",
871
+ "description": "URL of the identifier's documentation.",
872
+ "pattern": "^(https?|ftp)://.+"
873
+ },
874
+ "value": {
875
+ "type": "string",
876
+ "description": "Value of the identifier, for matching purpose.",
877
+ "minLength": 1
878
+ }
879
+ }
880
+ }
881
+ },
882
+ "cvss_vectors": {
883
+ "type": "array",
884
+ "minItems": 1,
885
+ "maxItems": 10,
886
+ "description": "An ordered array of CVSS vectors, each issued by a vendor to rate the vulnerability. The first item in the array is used as the primary CVSS vector, and is used to filter and sort the vulnerability.",
887
+ "items": {
888
+ "oneOf": [
889
+ {
890
+ "type": "object",
891
+ "properties": {
892
+ "vendor": {
893
+ "type": "string",
894
+ "minLength": 1,
895
+ "default": "unknown"
896
+ },
897
+ "vector": {
898
+ "type": "string",
899
+ "minLength": 16,
900
+ "maxLength": 128,
901
+ "pattern": "^((AV:[NAL]|AC:[LMH]|Au:[MSN]|[CIA]:[NPC]|E:(U|POC|F|H|ND)|RL:(OF|TF|W|U|ND)|RC:(UC|UR|C|ND)|CDP:(N|L|LM|MH|H|ND)|TD:(N|L|M|H|ND)|[CIA]R:(L|M|H|ND))/)*(AV:[NAL]|AC:[LMH]|Au:[MSN]|[CIA]:[NPC]|E:(U|POC|F|H|ND)|RL:(OF|TF|W|U|ND)|RC:(UC|UR|C|ND)|CDP:(N|L|LM|MH|H|ND)|TD:(N|L|M|H|ND)|[CIA]R:(L|M|H|ND))$"
902
+ }
903
+ },
904
+ "required": [
905
+ "vendor",
906
+ "vector"
907
+ ]
908
+ },
909
+ {
910
+ "type": "object",
911
+ "properties": {
912
+ "vendor": {
913
+ "type": "string",
914
+ "minLength": 1,
915
+ "default": "unknown"
916
+ },
917
+ "vector": {
918
+ "type": "string",
919
+ "minLength": 32,
920
+ "maxLength": 128,
921
+ "pattern": "^CVSS:3[.][01]/((AV:[NALP]|AC:[LH]|PR:[NLH]|UI:[NR]|S:[UC]|[CIA]:[NLH]|E:[XUPFH]|RL:[XOTWU]|RC:[XURC]|[CIA]R:[XLMH]|MAV:[XNALP]|MAC:[XLH]|MPR:[XNLH]|MUI:[XNR]|MS:[XUC]|M[CIA]:[XNLH])/)*(AV:[NALP]|AC:[LH]|PR:[NLH]|UI:[NR]|S:[UC]|[CIA]:[NLH]|E:[XUPFH]|RL:[XOTWU]|RC:[XURC]|[CIA]R:[XLMH]|MAV:[XNALP]|MAC:[XLH]|MPR:[XNLH]|MUI:[XNR]|MS:[XUC]|M[CIA]:[XNLH])$"
922
+ }
923
+ },
924
+ "required": [
925
+ "vendor",
926
+ "vector"
927
+ ]
928
+ }
929
+ ]
930
+ }
931
+ },
932
+ "links": {
933
+ "type": "array",
934
+ "description": "An array of references to external documentation or articles that describe the vulnerability.",
935
+ "items": {
936
+ "type": "object",
937
+ "required": [
938
+ "url"
939
+ ],
940
+ "properties": {
941
+ "name": {
942
+ "type": "string",
943
+ "description": "Name of the vulnerability details link."
944
+ },
945
+ "url": {
946
+ "type": "string",
947
+ "description": "URL of the vulnerability details document.",
948
+ "pattern": "^(https?|ftp)://.+"
949
+ }
950
+ }
951
+ }
952
+ },
953
+ "details": {
954
+ "$ref": "#/definitions/named_list/properties/items"
955
+ },
956
+ "tracking": {
957
+ "type": "object",
958
+ "description": "Describes how this vulnerability should be tracked as the project changes.",
959
+ "oneOf": [
960
+ {
961
+ "description": "Declares that a series of items should be tracked using source-specific tracking methods.",
962
+ "required": [
963
+ "items"
964
+ ],
965
+ "properties": {
966
+ "type": {
967
+ "const": "source"
968
+ },
969
+ "items": {
970
+ "type": "array",
971
+ "items": {
972
+ "description": "An item that should be tracked using source-specific tracking methods.",
973
+ "type": "object",
974
+ "required": [
975
+ "signatures"
976
+ ],
977
+ "properties": {
978
+ "file": {
979
+ "type": "string",
980
+ "description": "Path to the file where the vulnerability is located."
981
+ },
982
+ "start_line": {
983
+ "type": "number",
984
+ "description": "The first line of the file that includes the vulnerability."
985
+ },
986
+ "end_line": {
987
+ "type": "number",
988
+ "description": "The last line of the file that includes the vulnerability."
989
+ },
990
+ "signatures": {
991
+ "type": "array",
992
+ "description": "An array of calculated tracking signatures for this tracking item.",
993
+ "minItems": 1,
994
+ "items": {
995
+ "description": "A calculated tracking signature value and metadata.",
996
+ "type": "object",
997
+ "required": [
998
+ "algorithm",
999
+ "value"
1000
+ ],
1001
+ "properties": {
1002
+ "algorithm": {
1003
+ "type": "string",
1004
+ "description": "The algorithm used to generate the signature."
1005
+ },
1006
+ "value": {
1007
+ "type": "string",
1008
+ "description": "The result of this signature algorithm."
1009
+ }
1010
+ }
1011
+ }
1012
+ }
1013
+ }
1014
+ }
1015
+ }
1016
+ }
1017
+ }
1018
+ ],
1019
+ "properties": {
1020
+ "type": {
1021
+ "type": "string",
1022
+ "description": "Each tracking type must declare its own type."
1023
+ }
1024
+ }
1025
+ },
1026
+ "flags": {
1027
+ "description": "Flags that can be attached to vulnerabilities.",
1028
+ "type": "array",
1029
+ "items": {
1030
+ "type": "object",
1031
+ "description": "Informational flags identified and assigned to a vulnerability.",
1032
+ "required": [
1033
+ "type",
1034
+ "origin",
1035
+ "description"
1036
+ ],
1037
+ "properties": {
1038
+ "type": {
1039
+ "type": "string",
1040
+ "minLength": 1,
1041
+ "description": "Result of the scan.",
1042
+ "enum": [
1043
+ "flagged-as-likely-false-positive"
1044
+ ]
1045
+ },
1046
+ "origin": {
1047
+ "minLength": 1,
1048
+ "description": "Tool that issued the flag.",
1049
+ "type": "string"
1050
+ },
1051
+ "description": {
1052
+ "minLength": 1,
1053
+ "description": "What the flag is about.",
1054
+ "type": "string"
1055
+ }
1056
+ }
1057
+ }
1058
+ },
1059
+ "evidence": {
1060
+ "type": "object",
1061
+ "properties": {
1062
+ "source": {
1063
+ "type": "object",
1064
+ "description": "Source of evidence",
1065
+ "required": [
1066
+ "id",
1067
+ "name"
1068
+ ],
1069
+ "properties": {
1070
+ "id": {
1071
+ "type": "string",
1072
+ "minLength": 1,
1073
+ "description": "Unique source identifier",
1074
+ "examples": [
1075
+ "assert:LogAnalysis",
1076
+ "assert:StatusCode"
1077
+ ]
1078
+ },
1079
+ "name": {
1080
+ "type": "string",
1081
+ "minLength": 1,
1082
+ "description": "Source display name",
1083
+ "examples": [
1084
+ "Log Analysis",
1085
+ "Status Code"
1086
+ ]
1087
+ },
1088
+ "url": {
1089
+ "type": "string",
1090
+ "description": "Link to additional information",
1091
+ "examples": [
1092
+ "https://docs.gitlab.com/ee/development/integrations/secure.html"
1093
+ ]
1094
+ }
1095
+ }
1096
+ },
1097
+ "summary": {
1098
+ "type": "string",
1099
+ "description": "Human readable string containing evidence of the vulnerability.",
1100
+ "examples": [
1101
+ "Credit card 4111111111111111 found",
1102
+ "Server leaked information nginx/1.17.6"
1103
+ ]
1104
+ },
1105
+ "request": {
1106
+ "type": "object",
1107
+ "description": "An HTTP request.",
1108
+ "required": [
1109
+ "headers",
1110
+ "method",
1111
+ "url"
1112
+ ],
1113
+ "properties": {
1114
+ "headers": {
1115
+ "type": "array",
1116
+ "description": "HTTP headers present on the request.",
1117
+ "items": {
1118
+ "type": "object",
1119
+ "required": [
1120
+ "name",
1121
+ "value"
1122
+ ],
1123
+ "properties": {
1124
+ "name": {
1125
+ "type": "string",
1126
+ "minLength": 1,
1127
+ "description": "Name of the HTTP header.",
1128
+ "examples": [
1129
+ "Accept",
1130
+ "Content-Length",
1131
+ "Content-Type"
1132
+ ]
1133
+ },
1134
+ "value": {
1135
+ "type": "string",
1136
+ "description": "Value of the HTTP header.",
1137
+ "examples": [
1138
+ "*/*",
1139
+ "560",
1140
+ "application/json; charset=utf-8"
1141
+ ]
1142
+ }
1143
+ }
1144
+ }
1145
+ },
1146
+ "method": {
1147
+ "type": "string",
1148
+ "minLength": 1,
1149
+ "description": "HTTP method used in the request.",
1150
+ "examples": [
1151
+ "GET",
1152
+ "POST"
1153
+ ]
1154
+ },
1155
+ "url": {
1156
+ "type": "string",
1157
+ "minLength": 1,
1158
+ "description": "URL of the request.",
1159
+ "examples": [
1160
+ "http://my.site.com/vulnerable-endpoint?show-credit-card"
1161
+ ]
1162
+ },
1163
+ "body": {
1164
+ "type": "string",
1165
+ "description": "Body of the request for display purposes. Body must be suitable for display (not binary), and truncated to a reasonable size.",
1166
+ "examples": [
1167
+ "user=jsmith&first=%27&last=smith"
1168
+ ]
1169
+ }
1170
+ }
1171
+ },
1172
+ "response": {
1173
+ "type": "object",
1174
+ "description": "An HTTP response.",
1175
+ "required": [
1176
+ "headers",
1177
+ "reason_phrase",
1178
+ "status_code"
1179
+ ],
1180
+ "properties": {
1181
+ "headers": {
1182
+ "type": "array",
1183
+ "description": "HTTP headers present on the request.",
1184
+ "items": {
1185
+ "type": "object",
1186
+ "required": [
1187
+ "name",
1188
+ "value"
1189
+ ],
1190
+ "properties": {
1191
+ "name": {
1192
+ "type": "string",
1193
+ "minLength": 1,
1194
+ "description": "Name of the HTTP header.",
1195
+ "examples": [
1196
+ "Accept",
1197
+ "Content-Length",
1198
+ "Content-Type"
1199
+ ]
1200
+ },
1201
+ "value": {
1202
+ "type": "string",
1203
+ "description": "Value of the HTTP header.",
1204
+ "examples": [
1205
+ "*/*",
1206
+ "560",
1207
+ "application/json; charset=utf-8"
1208
+ ]
1209
+ }
1210
+ }
1211
+ }
1212
+ },
1213
+ "reason_phrase": {
1214
+ "type": "string",
1215
+ "description": "HTTP reason phrase of the response.",
1216
+ "examples": [
1217
+ "OK",
1218
+ "Internal Server Error"
1219
+ ]
1220
+ },
1221
+ "status_code": {
1222
+ "type": "integer",
1223
+ "description": "HTTP status code of the response.",
1224
+ "examples": [
1225
+ 200,
1226
+ 500
1227
+ ]
1228
+ },
1229
+ "body": {
1230
+ "type": "string",
1231
+ "description": "Body of the response for display purposes. Body must be suitable for display (not binary), and truncated to a reasonable size.",
1232
+ "examples": [
1233
+ "{\"user_id\": 2}"
1234
+ ]
1235
+ }
1236
+ }
1237
+ },
1238
+ "supporting_messages": {
1239
+ "type": "array",
1240
+ "description": "Array of supporting http messages.",
1241
+ "items": {
1242
+ "type": "object",
1243
+ "description": "A supporting http message.",
1244
+ "required": [
1245
+ "name"
1246
+ ],
1247
+ "properties": {
1248
+ "name": {
1249
+ "type": "string",
1250
+ "minLength": 1,
1251
+ "description": "Message display name.",
1252
+ "examples": [
1253
+ "Unmodified",
1254
+ "Recorded"
1255
+ ]
1256
+ },
1257
+ "request": {
1258
+ "type": "object",
1259
+ "description": "An HTTP request.",
1260
+ "required": [
1261
+ "headers",
1262
+ "method",
1263
+ "url"
1264
+ ],
1265
+ "properties": {
1266
+ "headers": {
1267
+ "type": "array",
1268
+ "description": "HTTP headers present on the request.",
1269
+ "items": {
1270
+ "type": "object",
1271
+ "required": [
1272
+ "name",
1273
+ "value"
1274
+ ],
1275
+ "properties": {
1276
+ "name": {
1277
+ "type": "string",
1278
+ "minLength": 1,
1279
+ "description": "Name of the HTTP header.",
1280
+ "examples": [
1281
+ "Accept",
1282
+ "Content-Length",
1283
+ "Content-Type"
1284
+ ]
1285
+ },
1286
+ "value": {
1287
+ "type": "string",
1288
+ "description": "Value of the HTTP header.",
1289
+ "examples": [
1290
+ "*/*",
1291
+ "560",
1292
+ "application/json; charset=utf-8"
1293
+ ]
1294
+ }
1295
+ }
1296
+ }
1297
+ },
1298
+ "method": {
1299
+ "type": "string",
1300
+ "minLength": 1,
1301
+ "description": "HTTP method used in the request.",
1302
+ "examples": [
1303
+ "GET",
1304
+ "POST"
1305
+ ]
1306
+ },
1307
+ "url": {
1308
+ "type": "string",
1309
+ "minLength": 1,
1310
+ "description": "URL of the request.",
1311
+ "examples": [
1312
+ "http://my.site.com/vulnerable-endpoint?show-credit-card"
1313
+ ]
1314
+ },
1315
+ "body": {
1316
+ "type": "string",
1317
+ "description": "Body of the request for display purposes. Body must be suitable for display (not binary), and truncated to a reasonable size.",
1318
+ "examples": [
1319
+ "user=jsmith&first=%27&last=smith"
1320
+ ]
1321
+ }
1322
+ }
1323
+ },
1324
+ "response": {
1325
+ "type": "object",
1326
+ "description": "An HTTP response.",
1327
+ "required": [
1328
+ "headers",
1329
+ "reason_phrase",
1330
+ "status_code"
1331
+ ],
1332
+ "properties": {
1333
+ "headers": {
1334
+ "type": "array",
1335
+ "description": "HTTP headers present on the request.",
1336
+ "items": {
1337
+ "type": "object",
1338
+ "required": [
1339
+ "name",
1340
+ "value"
1341
+ ],
1342
+ "properties": {
1343
+ "name": {
1344
+ "type": "string",
1345
+ "minLength": 1,
1346
+ "description": "Name of the HTTP header.",
1347
+ "examples": [
1348
+ "Accept",
1349
+ "Content-Length",
1350
+ "Content-Type"
1351
+ ]
1352
+ },
1353
+ "value": {
1354
+ "type": "string",
1355
+ "description": "Value of the HTTP header.",
1356
+ "examples": [
1357
+ "*/*",
1358
+ "560",
1359
+ "application/json; charset=utf-8"
1360
+ ]
1361
+ }
1362
+ }
1363
+ }
1364
+ },
1365
+ "reason_phrase": {
1366
+ "type": "string",
1367
+ "description": "HTTP reason phrase of the response.",
1368
+ "examples": [
1369
+ "OK",
1370
+ "Internal Server Error"
1371
+ ]
1372
+ },
1373
+ "status_code": {
1374
+ "type": "integer",
1375
+ "description": "HTTP status code of the response.",
1376
+ "examples": [
1377
+ 200,
1378
+ 500
1379
+ ]
1380
+ },
1381
+ "body": {
1382
+ "type": "string",
1383
+ "description": "Body of the response for display purposes. Body must be suitable for display (not binary), and truncated to a reasonable size.",
1384
+ "examples": [
1385
+ "{\"user_id\": 2}"
1386
+ ]
1387
+ }
1388
+ }
1389
+ }
1390
+ }
1391
+ }
1392
+ }
1393
+ }
1394
+ },
1395
+ "location": {
1396
+ "type": "object",
1397
+ "description": "Identifies the vulnerability's location.",
1398
+ "properties": {
1399
+ "hostname": {
1400
+ "type": "string",
1401
+ "description": "The protocol, domain, and port of the application where the vulnerability was found."
1402
+ },
1403
+ "method": {
1404
+ "type": "string",
1405
+ "description": "The HTTP method that was used to request the URL where the vulnerability was found."
1406
+ },
1407
+ "param": {
1408
+ "type": "string",
1409
+ "description": "A value provided by a vulnerability rule related to the found vulnerability. Examples include a header value, or a parameter used in a HTTP POST."
1410
+ },
1411
+ "path": {
1412
+ "type": "string",
1413
+ "description": "The path of the URL where the vulnerability was found. Typically, this would start with a forward slash."
1414
+ }
1415
+ }
1416
+ },
1417
+ "assets": {
1418
+ "type": "array",
1419
+ "description": "Array of build assets associated with vulnerability.",
1420
+ "items": {
1421
+ "type": "object",
1422
+ "description": "Describes an asset associated with vulnerability.",
1423
+ "required": [
1424
+ "type",
1425
+ "name",
1426
+ "url"
1427
+ ],
1428
+ "properties": {
1429
+ "type": {
1430
+ "type": "string",
1431
+ "description": "The type of asset",
1432
+ "enum": [
1433
+ "http_session",
1434
+ "postman"
1435
+ ]
1436
+ },
1437
+ "name": {
1438
+ "type": "string",
1439
+ "minLength": 1,
1440
+ "description": "Display name for asset",
1441
+ "examples": [
1442
+ "HTTP Messages",
1443
+ "Postman Collection"
1444
+ ]
1445
+ },
1446
+ "url": {
1447
+ "type": "string",
1448
+ "minLength": 1,
1449
+ "description": "Link to asset in build artifacts",
1450
+ "examples": [
1451
+ "https://gitlab.com/gitlab-org/security-products/dast/-/jobs/626397001/artifacts/file//output/zap_session.data"
1452
+ ]
1453
+ }
1454
+ }
1455
+ }
1456
+ }
1457
+ }
1458
+ }
1459
+ },
1460
+ "remediations": {
1461
+ "type": "array",
1462
+ "description": "An array of objects containing information on available remediations, along with patch diffs to apply.",
1463
+ "items": {
1464
+ "type": "object",
1465
+ "required": [
1466
+ "fixes",
1467
+ "summary",
1468
+ "diff"
1469
+ ],
1470
+ "properties": {
1471
+ "fixes": {
1472
+ "type": "array",
1473
+ "description": "An array of strings that represent references to vulnerabilities fixed by this remediation.",
1474
+ "items": {
1475
+ "type": "object",
1476
+ "required": [
1477
+ "id"
1478
+ ],
1479
+ "properties": {
1480
+ "id": {
1481
+ "type": "string",
1482
+ "minLength": 1,
1483
+ "description": "Unique identifier of the vulnerability. This is recommended to be a UUID.",
1484
+ "examples": [
1485
+ "642735a5-1425-428d-8d4e-3c854885a3c9"
1486
+ ]
1487
+ }
1488
+ }
1489
+ }
1490
+ },
1491
+ "summary": {
1492
+ "type": "string",
1493
+ "minLength": 1,
1494
+ "description": "An overview of how the vulnerabilities were fixed."
1495
+ },
1496
+ "diff": {
1497
+ "type": "string",
1498
+ "minLength": 1,
1499
+ "description": "A base64-encoded remediation code diff, compatible with git apply."
1500
+ }
1501
+ }
1502
+ }
1503
+ }
1504
+ }
1505
+ }