gitlab-security_report_schemas 0.1.0.min15.0.0.max15.1.4 → 0.1.0.min15.1.0.max15.1.0

Files changed (88) hide show
  1. checksums.yaml +4 -4
  2. data/Gemfile.lock +5 -3
  3. data/README.md +10 -14
  4. data/Rakefile +1 -1
  5. data/gem_version +1 -1
  6. data/lib/gitlab/security_report_schemas/configuration.rb +2 -2
  7. data/lib/gitlab/security_report_schemas/version.rb +2 -0
  8. data/supported_versions +0 -11
  9. metadata +2 -81
  10. data/RUNBOOK.md +0 -28
  11. data/schemas/15.0.0/cluster-image-scanning-report-format.json +0 -946
  12. data/schemas/15.0.0/container-scanning-report-format.json +0 -880
  13. data/schemas/15.0.0/coverage-fuzzing-report-format.json +0 -836
  14. data/schemas/15.0.0/dast-report-format.json +0 -1241
  15. data/schemas/15.0.0/dependency-scanning-report-format.json +0 -944
  16. data/schemas/15.0.0/sast-report-format.json +0 -831
  17. data/schemas/15.0.0/secret-detection-report-format.json +0 -854
  18. data/schemas/15.0.1/cluster-image-scanning-report-format.json +0 -980
  19. data/schemas/15.0.1/container-scanning-report-format.json +0 -914
  20. data/schemas/15.0.1/coverage-fuzzing-report-format.json +0 -870
  21. data/schemas/15.0.1/dast-report-format.json +0 -1275
  22. data/schemas/15.0.1/dependency-scanning-report-format.json +0 -978
  23. data/schemas/15.0.1/sast-report-format.json +0 -865
  24. data/schemas/15.0.1/secret-detection-report-format.json +0 -888
  25. data/schemas/15.0.2/cluster-image-scanning-report-format.json +0 -980
  26. data/schemas/15.0.2/container-scanning-report-format.json +0 -912
  27. data/schemas/15.0.2/coverage-fuzzing-report-format.json +0 -870
  28. data/schemas/15.0.2/dast-report-format.json +0 -1275
  29. data/schemas/15.0.2/dependency-scanning-report-format.json +0 -978
  30. data/schemas/15.0.2/sast-report-format.json +0 -865
  31. data/schemas/15.0.2/secret-detection-report-format.json +0 -888
  32. data/schemas/15.0.4/cluster-image-scanning-report-format.json +0 -984
  33. data/schemas/15.0.4/container-scanning-report-format.json +0 -916
  34. data/schemas/15.0.4/coverage-fuzzing-report-format.json +0 -874
  35. data/schemas/15.0.4/dast-report-format.json +0 -1279
  36. data/schemas/15.0.4/dependency-scanning-report-format.json +0 -982
  37. data/schemas/15.0.4/sast-report-format.json +0 -869
  38. data/schemas/15.0.4/secret-detection-report-format.json +0 -893
  39. data/schemas/15.0.5/cluster-image-scanning-report-format.json +0 -1035
  40. data/schemas/15.0.5/container-scanning-report-format.json +0 -967
  41. data/schemas/15.0.5/coverage-fuzzing-report-format.json +0 -925
  42. data/schemas/15.0.5/dast-report-format.json +0 -1330
  43. data/schemas/15.0.5/dependency-scanning-report-format.json +0 -1033
  44. data/schemas/15.0.5/sast-report-format.json +0 -920
  45. data/schemas/15.0.5/secret-detection-report-format.json +0 -944
  46. data/schemas/15.0.6/cluster-image-scanning-report-format.json +0 -1035
  47. data/schemas/15.0.6/container-scanning-report-format.json +0 -967
  48. data/schemas/15.0.6/coverage-fuzzing-report-format.json +0 -925
  49. data/schemas/15.0.6/dast-report-format.json +0 -1330
  50. data/schemas/15.0.6/dependency-scanning-report-format.json +0 -1033
  51. data/schemas/15.0.6/sast-report-format.json +0 -920
  52. data/schemas/15.0.6/secret-detection-report-format.json +0 -944
  53. data/schemas/15.0.7/cluster-image-scanning-report-format.json +0 -1085
  54. data/schemas/15.0.7/container-scanning-report-format.json +0 -1017
  55. data/schemas/15.0.7/coverage-fuzzing-report-format.json +0 -975
  56. data/schemas/15.0.7/dast-report-format.json +0 -1380
  57. data/schemas/15.0.7/dependency-scanning-report-format.json +0 -1083
  58. data/schemas/15.0.7/sast-report-format.json +0 -970
  59. data/schemas/15.0.7/secret-detection-report-format.json +0 -994
  60. data/schemas/15.1.1/cluster-image-scanning-report-format.json +0 -1065
  61. data/schemas/15.1.1/container-scanning-for-registry-report-format.json +0 -0
  62. data/schemas/15.1.1/container-scanning-report-format.json +0 -998
  63. data/schemas/15.1.1/coverage-fuzzing-report-format.json +0 -975
  64. data/schemas/15.1.1/dast-report-format.json +0 -1380
  65. data/schemas/15.1.1/dependency-scanning-report-format.json +0 -986
  66. data/schemas/15.1.1/sast-report-format.json +0 -970
  67. data/schemas/15.1.1/secret-detection-report-format.json +0 -994
  68. data/schemas/15.1.2/cluster-image-scanning-report-format.json +0 -1190
  69. data/schemas/15.1.2/container-scanning-report-format.json +0 -1123
  70. data/schemas/15.1.2/coverage-fuzzing-report-format.json +0 -1100
  71. data/schemas/15.1.2/dast-report-format.json +0 -1505
  72. data/schemas/15.1.2/dependency-scanning-report-format.json +0 -1111
  73. data/schemas/15.1.2/sast-report-format.json +0 -1095
  74. data/schemas/15.1.2/secret-detection-report-format.json +0 -1119
  75. data/schemas/15.1.3/cluster-image-scanning-report-format.json +0 -1190
  76. data/schemas/15.1.3/container-scanning-report-format.json +0 -1123
  77. data/schemas/15.1.3/coverage-fuzzing-report-format.json +0 -1100
  78. data/schemas/15.1.3/dast-report-format.json +0 -1505
  79. data/schemas/15.1.3/dependency-scanning-report-format.json +0 -1111
  80. data/schemas/15.1.3/sast-report-format.json +0 -1095
  81. data/schemas/15.1.3/secret-detection-report-format.json +0 -1119
  82. data/schemas/15.1.4/cluster-image-scanning-report-format.json +0 -1190
  83. data/schemas/15.1.4/container-scanning-report-format.json +0 -1123
  84. data/schemas/15.1.4/coverage-fuzzing-report-format.json +0 -1100
  85. data/schemas/15.1.4/dast-report-format.json +0 -1505
  86. data/schemas/15.1.4/dependency-scanning-report-format.json +0 -1111
  87. data/schemas/15.1.4/sast-report-format.json +0 -1095
  88. data/schemas/15.1.4/secret-detection-report-format.json +0 -1119
@@ -1,1275 +0,0 @@
1
- {
2
- "$schema": "http://json-schema.org/draft-07/schema#",
3
- "$id": "https://gitlab.com/gitlab-org/security-products/security-report-schemas/-/raw/master/dist/dast-report-format.json",
4
- "title": "Report format for GitLab DAST",
5
- "description": "This schema provides the the report format for Dynamic Application Security Testing (https://docs.gitlab.com/ee/user/application_security/dast).",
6
- "definitions": {
7
- "detail_type": {
8
- "oneOf": [
9
- {
10
- "$ref": "#/definitions/named_list"
11
- },
12
- {
13
- "$ref": "#/definitions/list"
14
- },
15
- {
16
- "$ref": "#/definitions/table"
17
- },
18
- {
19
- "$ref": "#/definitions/text"
20
- },
21
- {
22
- "$ref": "#/definitions/url"
23
- },
24
- {
25
- "$ref": "#/definitions/code"
26
- },
27
- {
28
- "$ref": "#/definitions/value"
29
- },
30
- {
31
- "$ref": "#/definitions/diff"
32
- },
33
- {
34
- "$ref": "#/definitions/markdown"
35
- },
36
- {
37
- "$ref": "#/definitions/commit"
38
- },
39
- {
40
- "$ref": "#/definitions/file_location"
41
- },
42
- {
43
- "$ref": "#/definitions/module_location"
44
- }
45
- ]
46
- },
47
- "text_value": {
48
- "type": "string"
49
- },
50
- "named_field": {
51
- "type": "object",
52
- "required": [
53
- "name"
54
- ],
55
- "properties": {
56
- "name": {
57
- "$ref": "#/definitions/text_value",
58
- "minLength": 1
59
- },
60
- "description": {
61
- "$ref": "#/definitions/text_value"
62
- }
63
- }
64
- },
65
- "named_list": {
66
- "type": "object",
67
- "description": "An object with named and typed fields",
68
- "required": [
69
- "type",
70
- "items"
71
- ],
72
- "properties": {
73
- "type": {
74
- "const": "named-list"
75
- },
76
- "items": {
77
- "type": "object",
78
- "patternProperties": {
79
- "^.*$": {
80
- "allOf": [
81
- {
82
- "$ref": "#/definitions/named_field"
83
- },
84
- {
85
- "$ref": "#/definitions/detail_type"
86
- }
87
- ]
88
- }
89
- }
90
- }
91
- }
92
- },
93
- "list": {
94
- "type": "object",
95
- "description": "A list of typed fields",
96
- "required": [
97
- "type",
98
- "items"
99
- ],
100
- "properties": {
101
- "type": {
102
- "const": "list"
103
- },
104
- "items": {
105
- "type": "array",
106
- "items": {
107
- "$ref": "#/definitions/detail_type"
108
- }
109
- }
110
- }
111
- },
112
- "table": {
113
- "type": "object",
114
- "description": "A table of typed fields",
115
- "required": [
116
- "type",
117
- "rows"
118
- ],
119
- "properties": {
120
- "type": {
121
- "const": "table"
122
- },
123
- "header": {
124
- "type": "array",
125
- "items": {
126
- "$ref": "#/definitions/detail_type"
127
- }
128
- },
129
- "rows": {
130
- "type": "array",
131
- "items": {
132
- "type": "array",
133
- "items": {
134
- "$ref": "#/definitions/detail_type"
135
- }
136
- }
137
- }
138
- }
139
- },
140
- "text": {
141
- "type": "object",
142
- "description": "Raw text",
143
- "required": [
144
- "type",
145
- "value"
146
- ],
147
- "properties": {
148
- "type": {
149
- "const": "text"
150
- },
151
- "value": {
152
- "$ref": "#/definitions/text_value"
153
- }
154
- }
155
- },
156
- "url": {
157
- "type": "object",
158
- "description": "A single URL",
159
- "required": [
160
- "type",
161
- "href"
162
- ],
163
- "properties": {
164
- "type": {
165
- "const": "url"
166
- },
167
- "text": {
168
- "$ref": "#/definitions/text_value"
169
- },
170
- "href": {
171
- "type": "string",
172
- "minLength": 1,
173
- "examples": [
174
- "http://mysite.com"
175
- ]
176
- }
177
- }
178
- },
179
- "code": {
180
- "type": "object",
181
- "description": "A codeblock",
182
- "required": [
183
- "type",
184
- "value"
185
- ],
186
- "properties": {
187
- "type": {
188
- "const": "code"
189
- },
190
- "value": {
191
- "type": "string"
192
- },
193
- "lang": {
194
- "type": "string",
195
- "description": "A programming language"
196
- }
197
- }
198
- },
199
- "value": {
200
- "type": "object",
201
- "description": "A field that can store a range of types of value",
202
- "required": [
203
- "type",
204
- "value"
205
- ],
206
- "properties": {
207
- "type": {
208
- "const": "value"
209
- },
210
- "value": {
211
- "type": [
212
- "number",
213
- "string",
214
- "boolean"
215
- ]
216
- }
217
- }
218
- },
219
- "diff": {
220
- "type": "object",
221
- "description": "A diff",
222
- "required": [
223
- "type",
224
- "before",
225
- "after"
226
- ],
227
- "properties": {
228
- "type": {
229
- "const": "diff"
230
- },
231
- "before": {
232
- "type": "string"
233
- },
234
- "after": {
235
- "type": "string"
236
- }
237
- }
238
- },
239
- "markdown": {
240
- "type": "object",
241
- "description": "GitLab flavoured markdown, see https://docs.gitlab.com/ee/user/markdown.html",
242
- "required": [
243
- "type",
244
- "value"
245
- ],
246
- "properties": {
247
- "type": {
248
- "const": "markdown"
249
- },
250
- "value": {
251
- "$ref": "#/definitions/text_value",
252
- "examples": [
253
- "Here is markdown `inline code` #1 [test](gitlab.com)\n\n![GitLab Logo](https://about.gitlab.com/images/press/logo/preview/gitlab-logo-white-preview.png)"
254
- ]
255
- }
256
- }
257
- },
258
- "commit": {
259
- "type": "object",
260
- "description": "A commit/tag/branch within the GitLab project",
261
- "required": [
262
- "type",
263
- "value"
264
- ],
265
- "properties": {
266
- "type": {
267
- "const": "commit"
268
- },
269
- "value": {
270
- "type": "string",
271
- "description": "The commit SHA",
272
- "minLength": 1
273
- }
274
- }
275
- },
276
- "file_location": {
277
- "type": "object",
278
- "description": "A location within a file in the project",
279
- "required": [
280
- "type",
281
- "file_name",
282
- "line_start"
283
- ],
284
- "properties": {
285
- "type": {
286
- "const": "file-location"
287
- },
288
- "file_name": {
289
- "type": "string",
290
- "minLength": 1
291
- },
292
- "line_start": {
293
- "type": "integer"
294
- },
295
- "line_end": {
296
- "type": "integer"
297
- }
298
- }
299
- },
300
- "module_location": {
301
- "type": "object",
302
- "description": "A location within a binary module of the form module+relative_offset",
303
- "required": [
304
- "type",
305
- "module_name",
306
- "offset"
307
- ],
308
- "properties": {
309
- "type": {
310
- "const": "module-location"
311
- },
312
- "module_name": {
313
- "type": "string",
314
- "minLength": 1,
315
- "examples": [
316
- "compiled_binary"
317
- ]
318
- },
319
- "offset": {
320
- "type": "integer",
321
- "examples": [
322
- 100
323
- ]
324
- }
325
- }
326
- }
327
- },
328
- "self": {
329
- "version": "15.0.1"
330
- },
331
- "required": [
332
- "scan",
333
- "version",
334
- "vulnerabilities"
335
- ],
336
- "additionalProperties": true,
337
- "properties": {
338
- "scan": {
339
- "type": "object",
340
- "required": [
341
- "analyzer",
342
- "end_time",
343
- "scanned_resources",
344
- "scanner",
345
- "start_time",
346
- "status",
347
- "type"
348
- ],
349
- "properties": {
350
- "end_time": {
351
- "type": "string",
352
- "description": "ISO8601 UTC value with format yyyy-mm-ddThh:mm:ss, representing when the scan finished.",
353
- "pattern": "^\\d{4}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}$",
354
- "examples": [
355
- "2020-01-28T03:26:02"
356
- ]
357
- },
358
- "messages": {
359
- "type": "array",
360
- "items": {
361
- "type": "object",
362
- "description": "Communication intended for the initiator of a scan.",
363
- "required": [
364
- "level",
365
- "value"
366
- ],
367
- "properties": {
368
- "level": {
369
- "type": "string",
370
- "description": "Describes the severity of the communication. Use info to communicate normal scan behaviour; warn to communicate a potentially recoverable problem, or a partial error; fatal to communicate an issue that causes the scan to halt.",
371
- "enum": [
372
- "info",
373
- "warn",
374
- "fatal"
375
- ],
376
- "examples": [
377
- "info"
378
- ]
379
- },
380
- "value": {
381
- "type": "string",
382
- "description": "The message to communicate.",
383
- "minLength": 1,
384
- "examples": [
385
- "Permission denied, scanning aborted"
386
- ]
387
- }
388
- }
389
- }
390
- },
391
- "analyzer": {
392
- "type": "object",
393
- "description": "Object defining the analyzer used to perform the scan. Analyzers typically delegate to an underlying scanner to run the scan.",
394
- "required": [
395
- "id",
396
- "name",
397
- "version",
398
- "vendor"
399
- ],
400
- "properties": {
401
- "id": {
402
- "type": "string",
403
- "description": "Unique id that identifies the analyzer.",
404
- "minLength": 1,
405
- "examples": [
406
- "gitlab-dast"
407
- ]
408
- },
409
- "name": {
410
- "type": "string",
411
- "description": "A human readable value that identifies the analyzer, not required to be unique.",
412
- "minLength": 1,
413
- "examples": [
414
- "GitLab DAST"
415
- ]
416
- },
417
- "url": {
418
- "type": "string",
419
- "pattern": "^https?://.+",
420
- "description": "A link to more information about the analyzer.",
421
- "examples": [
422
- "https://docs.gitlab.com/ee/user/application_security/dast"
423
- ]
424
- },
425
- "vendor": {
426
- "description": "The vendor/maintainer of the analyzer.",
427
- "type": "object",
428
- "required": [
429
- "name"
430
- ],
431
- "properties": {
432
- "name": {
433
- "type": "string",
434
- "description": "The name of the vendor.",
435
- "minLength": 1,
436
- "examples": [
437
- "GitLab"
438
- ]
439
- }
440
- }
441
- },
442
- "version": {
443
- "type": "string",
444
- "description": "The version of the analyzer.",
445
- "minLength": 1,
446
- "examples": [
447
- "1.0.2"
448
- ]
449
- }
450
- }
451
- },
452
- "scanner": {
453
- "type": "object",
454
- "description": "Object defining the scanner used to perform the scan.",
455
- "required": [
456
- "id",
457
- "name",
458
- "version",
459
- "vendor"
460
- ],
461
- "properties": {
462
- "id": {
463
- "type": "string",
464
- "description": "Unique id that identifies the scanner.",
465
- "minLength": 1,
466
- "examples": [
467
- "my-sast-scanner"
468
- ]
469
- },
470
- "name": {
471
- "type": "string",
472
- "description": "A human readable value that identifies the scanner, not required to be unique.",
473
- "minLength": 1,
474
- "examples": [
475
- "My SAST Scanner"
476
- ]
477
- },
478
- "url": {
479
- "type": "string",
480
- "description": "A link to more information about the scanner.",
481
- "examples": [
482
- "https://scanner.url"
483
- ]
484
- },
485
- "version": {
486
- "type": "string",
487
- "description": "The version of the scanner.",
488
- "minLength": 1,
489
- "examples": [
490
- "1.0.2"
491
- ]
492
- },
493
- "vendor": {
494
- "description": "The vendor/maintainer of the scanner.",
495
- "type": "object",
496
- "required": [
497
- "name"
498
- ],
499
- "properties": {
500
- "name": {
501
- "type": "string",
502
- "description": "The name of the vendor.",
503
- "minLength": 1,
504
- "examples": [
505
- "GitLab"
506
- ]
507
- }
508
- }
509
- }
510
- }
511
- },
512
- "start_time": {
513
- "type": "string",
514
- "description": "ISO8601 UTC value with format yyyy-mm-ddThh:mm:ss, representing when the scan started.",
515
- "pattern": "^\\d{4}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}$",
516
- "examples": [
517
- "2020-02-14T16:01:59"
518
- ]
519
- },
520
- "status": {
521
- "type": "string",
522
- "description": "Result of the scan.",
523
- "enum": [
524
- "success",
525
- "failure"
526
- ]
527
- },
528
- "type": {
529
- "type": "string",
530
- "description": "Type of the scan.",
531
- "enum": [
532
- "dast",
533
- "api_fuzzing"
534
- ]
535
- },
536
- "primary_identifiers": {
537
- "type": "array",
538
- "description": "An array containing an exhaustive list of primary identifiers for which the analyzer may return results",
539
- "items": {
540
- "type": "object",
541
- "required": [
542
- "type",
543
- "name",
544
- "value"
545
- ],
546
- "properties": {
547
- "type": {
548
- "type": "string",
549
- "description": "for example, cve, cwe, osvdb, usn, or an analyzer-dependent type such as gemnasium).",
550
- "minLength": 1
551
- },
552
- "name": {
553
- "type": "string",
554
- "description": "Human-readable name of the identifier.",
555
- "minLength": 1
556
- },
557
- "url": {
558
- "type": "string",
559
- "description": "URL of the identifier's documentation.",
560
- "pattern": "^https?://.+"
561
- },
562
- "value": {
563
- "type": "string",
564
- "description": "Value of the identifier, for matching purpose.",
565
- "minLength": 1
566
- }
567
- }
568
- }
569
- },
570
- "scanned_resources": {
571
- "type": "array",
572
- "description": "The attack surface scanned by DAST.",
573
- "items": {
574
- "type": "object",
575
- "required": [
576
- "method",
577
- "url",
578
- "type"
579
- ],
580
- "properties": {
581
- "method": {
582
- "type": "string",
583
- "minLength": 1,
584
- "description": "HTTP method of the scanned resource.",
585
- "examples": [
586
- "GET",
587
- "POST",
588
- "HEAD"
589
- ]
590
- },
591
- "url": {
592
- "type": "string",
593
- "minLength": 1,
594
- "description": "URL of the scanned resource.",
595
- "examples": [
596
- "http://my.site.com/a-page"
597
- ]
598
- },
599
- "type": {
600
- "type": "string",
601
- "minLength": 1,
602
- "description": "Type of the scanned resource, for DAST, this must be 'url'.",
603
- "examples": [
604
- "url"
605
- ]
606
- }
607
- }
608
- }
609
- }
610
- }
611
- },
612
- "schema": {
613
- "type": "string",
614
- "description": "URI pointing to the validating security report schema.",
615
- "pattern": "^https?://.+"
616
- },
617
- "version": {
618
- "type": "string",
619
- "description": "The version of the schema to which the JSON report conforms.",
620
- "pattern": "^[0-9]+\\.[0-9]+\\.[0-9]+$"
621
- },
622
- "vulnerabilities": {
623
- "type": "array",
624
- "description": "Array of vulnerability objects.",
625
- "items": {
626
- "type": "object",
627
- "description": "Describes the vulnerability using GitLab Flavored Markdown",
628
- "required": [
629
- "id",
630
- "identifiers",
631
- "location"
632
- ],
633
- "properties": {
634
- "id": {
635
- "type": "string",
636
- "minLength": 1,
637
- "description": "Unique identifier of the vulnerability. This is recommended to be a UUID.",
638
- "examples": [
639
- "642735a5-1425-428d-8d4e-3c854885a3c9"
640
- ]
641
- },
642
- "name": {
643
- "type": "string",
644
- "maxLength": 255,
645
- "description": "The name of the vulnerability. This must not include the finding's specific information."
646
- },
647
- "description": {
648
- "type": "string",
649
- "maxLength": 1048576,
650
- "description": "A long text section describing the vulnerability more fully."
651
- },
652
- "severity": {
653
- "type": "string",
654
- "description": "How much the vulnerability impacts the software. Possible values are Info, Unknown, Low, Medium, High, or Critical. Note that some analyzers may not report all these possible values.",
655
- "enum": [
656
- "Info",
657
- "Unknown",
658
- "Low",
659
- "Medium",
660
- "High",
661
- "Critical"
662
- ]
663
- },
664
- "solution": {
665
- "type": "string",
666
- "maxLength": 7000,
667
- "description": "Explanation of how to fix the vulnerability."
668
- },
669
- "identifiers": {
670
- "type": "array",
671
- "minItems": 1,
672
- "description": "An ordered array of references that identify a vulnerability on internal or external databases. The first identifier is the Primary Identifier, which has special meaning.",
673
- "items": {
674
- "type": "object",
675
- "required": [
676
- "type",
677
- "name",
678
- "value"
679
- ],
680
- "properties": {
681
- "type": {
682
- "type": "string",
683
- "description": "for example, cve, cwe, osvdb, usn, or an analyzer-dependent type such as gemnasium).",
684
- "minLength": 1
685
- },
686
- "name": {
687
- "type": "string",
688
- "description": "Human-readable name of the identifier.",
689
- "minLength": 1
690
- },
691
- "url": {
692
- "type": "string",
693
- "description": "URL of the identifier's documentation.",
694
- "pattern": "^https?://.+"
695
- },
696
- "value": {
697
- "type": "string",
698
- "description": "Value of the identifier, for matching purpose.",
699
- "minLength": 1
700
- }
701
- }
702
- }
703
- },
704
- "links": {
705
- "type": "array",
706
- "description": "An array of references to external documentation or articles that describe the vulnerability.",
707
- "items": {
708
- "type": "object",
709
- "required": [
710
- "url"
711
- ],
712
- "properties": {
713
- "name": {
714
- "type": "string",
715
- "description": "Name of the vulnerability details link."
716
- },
717
- "url": {
718
- "type": "string",
719
- "description": "URL of the vulnerability details document.",
720
- "pattern": "^https?://.+"
721
- }
722
- }
723
- }
724
- },
725
- "details": {
726
- "$ref": "#/definitions/named_list/properties/items"
727
- },
728
- "tracking": {
729
- "description": "Describes how this vulnerability should be tracked as the project changes.",
730
- "oneOf": [
731
- {
732
- "description": "Declares that a series of items should be tracked using source-specific tracking methods.",
733
- "required": [
734
- "items"
735
- ],
736
- "properties": {
737
- "type": {
738
- "const": "source"
739
- },
740
- "items": {
741
- "type": "array",
742
- "items": {
743
- "description": "An item that should be tracked using source-specific tracking methods.",
744
- "type": "object",
745
- "required": [
746
- "signatures"
747
- ],
748
- "properties": {
749
- "file": {
750
- "type": "string",
751
- "description": "Path to the file where the vulnerability is located."
752
- },
753
- "start_line": {
754
- "type": "number",
755
- "description": "The first line of the file that includes the vulnerability."
756
- },
757
- "end_line": {
758
- "type": "number",
759
- "description": "The last line of the file that includes the vulnerability."
760
- },
761
- "signatures": {
762
- "type": "array",
763
- "description": "An array of calculated tracking signatures for this tracking item.",
764
- "minItems": 1,
765
- "items": {
766
- "description": "A calculated tracking signature value and metadata.",
767
- "required": [
768
- "algorithm",
769
- "value"
770
- ],
771
- "properties": {
772
- "algorithm": {
773
- "type": "string",
774
- "description": "The algorithm used to generate the signature."
775
- },
776
- "value": {
777
- "type": "string",
778
- "description": "The result of this signature algorithm."
779
- }
780
- }
781
- }
782
- }
783
- }
784
- }
785
- }
786
- }
787
- }
788
- ],
789
- "properties": {
790
- "type": {
791
- "type": "string",
792
- "description": "Each tracking type must declare its own type."
793
- }
794
- }
795
- },
796
- "flags": {
797
- "description": "Flags that can be attached to vulnerabilities.",
798
- "type": "array",
799
- "items": {
800
- "type": "object",
801
- "description": "Informational flags identified and assigned to a vulnerability.",
802
- "required": [
803
- "type",
804
- "origin",
805
- "description"
806
- ],
807
- "properties": {
808
- "type": {
809
- "type": "string",
810
- "minLength": 1,
811
- "description": "Result of the scan.",
812
- "enum": [
813
- "flagged-as-likely-false-positive"
814
- ]
815
- },
816
- "origin": {
817
- "minLength": 1,
818
- "description": "Tool that issued the flag.",
819
- "type": "string"
820
- },
821
- "description": {
822
- "minLength": 1,
823
- "description": "What the flag is about.",
824
- "type": "string"
825
- }
826
- }
827
- }
828
- },
829
- "evidence": {
830
- "type": "object",
831
- "properties": {
832
- "source": {
833
- "type": "object",
834
- "description": "Source of evidence",
835
- "required": [
836
- "id",
837
- "name"
838
- ],
839
- "properties": {
840
- "id": {
841
- "type": "string",
842
- "minLength": 1,
843
- "description": "Unique source identifier",
844
- "examples": [
845
- "assert:LogAnalysis",
846
- "assert:StatusCode"
847
- ]
848
- },
849
- "name": {
850
- "type": "string",
851
- "minLength": 1,
852
- "description": "Source display name",
853
- "examples": [
854
- "Log Analysis",
855
- "Status Code"
856
- ]
857
- },
858
- "url": {
859
- "type": "string",
860
- "description": "Link to additional information",
861
- "examples": [
862
- "https://docs.gitlab.com/ee/development/integrations/secure.html"
863
- ]
864
- }
865
- }
866
- },
867
- "summary": {
868
- "type": "string",
869
- "description": "Human readable string containing evidence of the vulnerability.",
870
- "examples": [
871
- "Credit card 4111111111111111 found",
872
- "Server leaked information nginx/1.17.6"
873
- ]
874
- },
875
- "request": {
876
- "type": "object",
877
- "description": "An HTTP request.",
878
- "required": [
879
- "headers",
880
- "method",
881
- "url"
882
- ],
883
- "properties": {
884
- "headers": {
885
- "type": "array",
886
- "description": "HTTP headers present on the request.",
887
- "items": {
888
- "type": "object",
889
- "required": [
890
- "name",
891
- "value"
892
- ],
893
- "properties": {
894
- "name": {
895
- "type": "string",
896
- "minLength": 1,
897
- "description": "Name of the HTTP header.",
898
- "examples": [
899
- "Accept",
900
- "Content-Length",
901
- "Content-Type"
902
- ]
903
- },
904
- "value": {
905
- "type": "string",
906
- "description": "Value of the HTTP header.",
907
- "examples": [
908
- "*/*",
909
- "560",
910
- "application/json; charset=utf-8"
911
- ]
912
- }
913
- }
914
- }
915
- },
916
- "method": {
917
- "type": "string",
918
- "minLength": 1,
919
- "description": "HTTP method used in the request.",
920
- "examples": [
921
- "GET",
922
- "POST"
923
- ]
924
- },
925
- "url": {
926
- "type": "string",
927
- "minLength": 1,
928
- "description": "URL of the request.",
929
- "examples": [
930
- "http://my.site.com/vulnerable-endpoint?show-credit-card"
931
- ]
932
- },
933
- "body": {
934
- "type": "string",
935
- "description": "Body of the request for display purposes. Body must be suitable for display (not binary), and truncated to a reasonable size.",
936
- "examples": [
937
- "user=jsmith&first=%27&last=smith"
938
- ]
939
- }
940
- }
941
- },
942
- "response": {
943
- "type": "object",
944
- "description": "An HTTP response.",
945
- "required": [
946
- "headers",
947
- "reason_phrase",
948
- "status_code"
949
- ],
950
- "properties": {
951
- "headers": {
952
- "type": "array",
953
- "description": "HTTP headers present on the request.",
954
- "items": {
955
- "type": "object",
956
- "required": [
957
- "name",
958
- "value"
959
- ],
960
- "properties": {
961
- "name": {
962
- "type": "string",
963
- "minLength": 1,
964
- "description": "Name of the HTTP header.",
965
- "examples": [
966
- "Accept",
967
- "Content-Length",
968
- "Content-Type"
969
- ]
970
- },
971
- "value": {
972
- "type": "string",
973
- "description": "Value of the HTTP header.",
974
- "examples": [
975
- "*/*",
976
- "560",
977
- "application/json; charset=utf-8"
978
- ]
979
- }
980
- }
981
- }
982
- },
983
- "reason_phrase": {
984
- "type": "string",
985
- "description": "HTTP reason phrase of the response.",
986
- "examples": [
987
- "OK",
988
- "Internal Server Error"
989
- ]
990
- },
991
- "status_code": {
992
- "type": "integer",
993
- "description": "HTTP status code of the response.",
994
- "examples": [
995
- 200,
996
- 500
997
- ]
998
- },
999
- "body": {
1000
- "type": "string",
1001
- "description": "Body of the response for display purposes. Body must be suitable for display (not binary), and truncated to a reasonable size.",
1002
- "examples": [
1003
- "{\"user_id\": 2}"
1004
- ]
1005
- }
1006
- }
1007
- },
1008
- "supporting_messages": {
1009
- "type": "array",
1010
- "description": "Array of supporting http messages.",
1011
- "items": {
1012
- "type": "object",
1013
- "description": "A supporting http message.",
1014
- "required": [
1015
- "name"
1016
- ],
1017
- "properties": {
1018
- "name": {
1019
- "type": "string",
1020
- "minLength": 1,
1021
- "description": "Message display name.",
1022
- "examples": [
1023
- "Unmodified",
1024
- "Recorded"
1025
- ]
1026
- },
1027
- "request": {
1028
- "type": "object",
1029
- "description": "An HTTP request.",
1030
- "required": [
1031
- "headers",
1032
- "method",
1033
- "url"
1034
- ],
1035
- "properties": {
1036
- "headers": {
1037
- "type": "array",
1038
- "description": "HTTP headers present on the request.",
1039
- "items": {
1040
- "type": "object",
1041
- "required": [
1042
- "name",
1043
- "value"
1044
- ],
1045
- "properties": {
1046
- "name": {
1047
- "type": "string",
1048
- "minLength": 1,
1049
- "description": "Name of the HTTP header.",
1050
- "examples": [
1051
- "Accept",
1052
- "Content-Length",
1053
- "Content-Type"
1054
- ]
1055
- },
1056
- "value": {
1057
- "type": "string",
1058
- "description": "Value of the HTTP header.",
1059
- "examples": [
1060
- "*/*",
1061
- "560",
1062
- "application/json; charset=utf-8"
1063
- ]
1064
- }
1065
- }
1066
- }
1067
- },
1068
- "method": {
1069
- "type": "string",
1070
- "minLength": 1,
1071
- "description": "HTTP method used in the request.",
1072
- "examples": [
1073
- "GET",
1074
- "POST"
1075
- ]
1076
- },
1077
- "url": {
1078
- "type": "string",
1079
- "minLength": 1,
1080
- "description": "URL of the request.",
1081
- "examples": [
1082
- "http://my.site.com/vulnerable-endpoint?show-credit-card"
1083
- ]
1084
- },
1085
- "body": {
1086
- "type": "string",
1087
- "description": "Body of the request for display purposes. Body must be suitable for display (not binary), and truncated to a reasonable size.",
1088
- "examples": [
1089
- "user=jsmith&first=%27&last=smith"
1090
- ]
1091
- }
1092
- }
1093
- },
1094
- "response": {
1095
- "type": "object",
1096
- "description": "An HTTP response.",
1097
- "required": [
1098
- "headers",
1099
- "reason_phrase",
1100
- "status_code"
1101
- ],
1102
- "properties": {
1103
- "headers": {
1104
- "type": "array",
1105
- "description": "HTTP headers present on the request.",
1106
- "items": {
1107
- "type": "object",
1108
- "required": [
1109
- "name",
1110
- "value"
1111
- ],
1112
- "properties": {
1113
- "name": {
1114
- "type": "string",
1115
- "minLength": 1,
1116
- "description": "Name of the HTTP header.",
1117
- "examples": [
1118
- "Accept",
1119
- "Content-Length",
1120
- "Content-Type"
1121
- ]
1122
- },
1123
- "value": {
1124
- "type": "string",
1125
- "description": "Value of the HTTP header.",
1126
- "examples": [
1127
- "*/*",
1128
- "560",
1129
- "application/json; charset=utf-8"
1130
- ]
1131
- }
1132
- }
1133
- }
1134
- },
1135
- "reason_phrase": {
1136
- "type": "string",
1137
- "description": "HTTP reason phrase of the response.",
1138
- "examples": [
1139
- "OK",
1140
- "Internal Server Error"
1141
- ]
1142
- },
1143
- "status_code": {
1144
- "type": "integer",
1145
- "description": "HTTP status code of the response.",
1146
- "examples": [
1147
- 200,
1148
- 500
1149
- ]
1150
- },
1151
- "body": {
1152
- "type": "string",
1153
- "description": "Body of the response for display purposes. Body must be suitable for display (not binary), and truncated to a reasonable size.",
1154
- "examples": [
1155
- "{\"user_id\": 2}"
1156
- ]
1157
- }
1158
- }
1159
- }
1160
- }
1161
- }
1162
- }
1163
- }
1164
- },
1165
- "location": {
1166
- "type": "object",
1167
- "description": "Identifies the vulnerability's location.",
1168
- "properties": {
1169
- "hostname": {
1170
- "type": "string",
1171
- "description": "The protocol, domain, and port of the application where the vulnerability was found."
1172
- },
1173
- "method": {
1174
- "type": "string",
1175
- "description": "The HTTP method that was used to request the URL where the vulnerability was found."
1176
- },
1177
- "param": {
1178
- "type": "string",
1179
- "description": "A value provided by a vulnerability rule related to the found vulnerability. Examples include a header value, or a parameter used in a HTTP POST."
1180
- },
1181
- "path": {
1182
- "type": "string",
1183
- "description": "The path of the URL where the vulnerability was found. Typically, this would start with a forward slash."
1184
- }
1185
- }
1186
- },
1187
- "assets": {
1188
- "type": "array",
1189
- "description": "Array of build assets associated with vulnerability.",
1190
- "items": {
1191
- "type": "object",
1192
- "description": "Describes an asset associated with vulnerability.",
1193
- "required": [
1194
- "type",
1195
- "name",
1196
- "url"
1197
- ],
1198
- "properties": {
1199
- "type": {
1200
- "type": "string",
1201
- "description": "The type of asset",
1202
- "enum": [
1203
- "http_session",
1204
- "postman"
1205
- ]
1206
- },
1207
- "name": {
1208
- "type": "string",
1209
- "minLength": 1,
1210
- "description": "Display name for asset",
1211
- "examples": [
1212
- "HTTP Messages",
1213
- "Postman Collection"
1214
- ]
1215
- },
1216
- "url": {
1217
- "type": "string",
1218
- "minLength": 1,
1219
- "description": "Link to asset in build artifacts",
1220
- "examples": [
1221
- "https://gitlab.com/gitlab-org/security-products/dast/-/jobs/626397001/artifacts/file//output/zap_session.data"
1222
- ]
1223
- }
1224
- }
1225
- }
1226
- }
1227
- }
1228
- }
1229
- },
1230
- "remediations": {
1231
- "type": "array",
1232
- "description": "An array of objects containing information on available remediations, along with patch diffs to apply.",
1233
- "items": {
1234
- "type": "object",
1235
- "required": [
1236
- "fixes",
1237
- "summary",
1238
- "diff"
1239
- ],
1240
- "properties": {
1241
- "fixes": {
1242
- "type": "array",
1243
- "description": "An array of strings that represent references to vulnerabilities fixed by this remediation.",
1244
- "items": {
1245
- "type": "object",
1246
- "required": [
1247
- "id"
1248
- ],
1249
- "properties": {
1250
- "id": {
1251
- "type": "string",
1252
- "minLength": 1,
1253
- "description": "Unique identifier of the vulnerability. This is recommended to be a UUID.",
1254
- "examples": [
1255
- "642735a5-1425-428d-8d4e-3c854885a3c9"
1256
- ]
1257
- }
1258
- }
1259
- }
1260
- },
1261
- "summary": {
1262
- "type": "string",
1263
- "minLength": 1,
1264
- "description": "An overview of how the vulnerabilities were fixed."
1265
- },
1266
- "diff": {
1267
- "type": "string",
1268
- "minLength": 1,
1269
- "description": "A base64-encoded remediation code diff, compatible with git apply."
1270
- }
1271
- }
1272
- }
1273
- }
1274
- }
1275
- }