gitlab-security_report_schemas 0.1.0.min15.0.0.max15.1.4 → 0.1.0.min15.1.0.max15.1.0

Files changed (88) hide show
  1. checksums.yaml +4 -4
  2. data/Gemfile.lock +5 -3
  3. data/README.md +10 -14
  4. data/Rakefile +1 -1
  5. data/gem_version +1 -1
  6. data/lib/gitlab/security_report_schemas/configuration.rb +2 -2
  7. data/lib/gitlab/security_report_schemas/version.rb +2 -0
  8. data/supported_versions +0 -11
  9. metadata +2 -81
  10. data/RUNBOOK.md +0 -28
  11. data/schemas/15.0.0/cluster-image-scanning-report-format.json +0 -946
  12. data/schemas/15.0.0/container-scanning-report-format.json +0 -880
  13. data/schemas/15.0.0/coverage-fuzzing-report-format.json +0 -836
  14. data/schemas/15.0.0/dast-report-format.json +0 -1241
  15. data/schemas/15.0.0/dependency-scanning-report-format.json +0 -944
  16. data/schemas/15.0.0/sast-report-format.json +0 -831
  17. data/schemas/15.0.0/secret-detection-report-format.json +0 -854
  18. data/schemas/15.0.1/cluster-image-scanning-report-format.json +0 -980
  19. data/schemas/15.0.1/container-scanning-report-format.json +0 -914
  20. data/schemas/15.0.1/coverage-fuzzing-report-format.json +0 -870
  21. data/schemas/15.0.1/dast-report-format.json +0 -1275
  22. data/schemas/15.0.1/dependency-scanning-report-format.json +0 -978
  23. data/schemas/15.0.1/sast-report-format.json +0 -865
  24. data/schemas/15.0.1/secret-detection-report-format.json +0 -888
  25. data/schemas/15.0.2/cluster-image-scanning-report-format.json +0 -980
  26. data/schemas/15.0.2/container-scanning-report-format.json +0 -912
  27. data/schemas/15.0.2/coverage-fuzzing-report-format.json +0 -870
  28. data/schemas/15.0.2/dast-report-format.json +0 -1275
  29. data/schemas/15.0.2/dependency-scanning-report-format.json +0 -978
  30. data/schemas/15.0.2/sast-report-format.json +0 -865
  31. data/schemas/15.0.2/secret-detection-report-format.json +0 -888
  32. data/schemas/15.0.4/cluster-image-scanning-report-format.json +0 -984
  33. data/schemas/15.0.4/container-scanning-report-format.json +0 -916
  34. data/schemas/15.0.4/coverage-fuzzing-report-format.json +0 -874
  35. data/schemas/15.0.4/dast-report-format.json +0 -1279
  36. data/schemas/15.0.4/dependency-scanning-report-format.json +0 -982
  37. data/schemas/15.0.4/sast-report-format.json +0 -869
  38. data/schemas/15.0.4/secret-detection-report-format.json +0 -893
  39. data/schemas/15.0.5/cluster-image-scanning-report-format.json +0 -1035
  40. data/schemas/15.0.5/container-scanning-report-format.json +0 -967
  41. data/schemas/15.0.5/coverage-fuzzing-report-format.json +0 -925
  42. data/schemas/15.0.5/dast-report-format.json +0 -1330
  43. data/schemas/15.0.5/dependency-scanning-report-format.json +0 -1033
  44. data/schemas/15.0.5/sast-report-format.json +0 -920
  45. data/schemas/15.0.5/secret-detection-report-format.json +0 -944
  46. data/schemas/15.0.6/cluster-image-scanning-report-format.json +0 -1035
  47. data/schemas/15.0.6/container-scanning-report-format.json +0 -967
  48. data/schemas/15.0.6/coverage-fuzzing-report-format.json +0 -925
  49. data/schemas/15.0.6/dast-report-format.json +0 -1330
  50. data/schemas/15.0.6/dependency-scanning-report-format.json +0 -1033
  51. data/schemas/15.0.6/sast-report-format.json +0 -920
  52. data/schemas/15.0.6/secret-detection-report-format.json +0 -944
  53. data/schemas/15.0.7/cluster-image-scanning-report-format.json +0 -1085
  54. data/schemas/15.0.7/container-scanning-report-format.json +0 -1017
  55. data/schemas/15.0.7/coverage-fuzzing-report-format.json +0 -975
  56. data/schemas/15.0.7/dast-report-format.json +0 -1380
  57. data/schemas/15.0.7/dependency-scanning-report-format.json +0 -1083
  58. data/schemas/15.0.7/sast-report-format.json +0 -970
  59. data/schemas/15.0.7/secret-detection-report-format.json +0 -994
  60. data/schemas/15.1.1/cluster-image-scanning-report-format.json +0 -1065
  61. data/schemas/15.1.1/container-scanning-for-registry-report-format.json +0 -0
  62. data/schemas/15.1.1/container-scanning-report-format.json +0 -998
  63. data/schemas/15.1.1/coverage-fuzzing-report-format.json +0 -975
  64. data/schemas/15.1.1/dast-report-format.json +0 -1380
  65. data/schemas/15.1.1/dependency-scanning-report-format.json +0 -986
  66. data/schemas/15.1.1/sast-report-format.json +0 -970
  67. data/schemas/15.1.1/secret-detection-report-format.json +0 -994
  68. data/schemas/15.1.2/cluster-image-scanning-report-format.json +0 -1190
  69. data/schemas/15.1.2/container-scanning-report-format.json +0 -1123
  70. data/schemas/15.1.2/coverage-fuzzing-report-format.json +0 -1100
  71. data/schemas/15.1.2/dast-report-format.json +0 -1505
  72. data/schemas/15.1.2/dependency-scanning-report-format.json +0 -1111
  73. data/schemas/15.1.2/sast-report-format.json +0 -1095
  74. data/schemas/15.1.2/secret-detection-report-format.json +0 -1119
  75. data/schemas/15.1.3/cluster-image-scanning-report-format.json +0 -1190
  76. data/schemas/15.1.3/container-scanning-report-format.json +0 -1123
  77. data/schemas/15.1.3/coverage-fuzzing-report-format.json +0 -1100
  78. data/schemas/15.1.3/dast-report-format.json +0 -1505
  79. data/schemas/15.1.3/dependency-scanning-report-format.json +0 -1111
  80. data/schemas/15.1.3/sast-report-format.json +0 -1095
  81. data/schemas/15.1.3/secret-detection-report-format.json +0 -1119
  82. data/schemas/15.1.4/cluster-image-scanning-report-format.json +0 -1190
  83. data/schemas/15.1.4/container-scanning-report-format.json +0 -1123
  84. data/schemas/15.1.4/coverage-fuzzing-report-format.json +0 -1100
  85. data/schemas/15.1.4/dast-report-format.json +0 -1505
  86. data/schemas/15.1.4/dependency-scanning-report-format.json +0 -1111
  87. data/schemas/15.1.4/sast-report-format.json +0 -1095
  88. data/schemas/15.1.4/secret-detection-report-format.json +0 -1119
@@ -1,1380 +0,0 @@
1
- {
2
- "$schema": "http://json-schema.org/draft-07/schema#",
3
- "$id": "https://gitlab.com/gitlab-org/security-products/security-report-schemas/-/raw/master/dist/dast-report-format.json",
4
- "title": "Report format for GitLab DAST",
5
- "description": "This schema provides the the report format for Dynamic Application Security Testing (https://docs.gitlab.com/ee/user/application_security/dast).",
6
- "definitions": {
7
- "detail_type": {
8
- "oneOf": [
9
- {
10
- "$ref": "#/definitions/named_list"
11
- },
12
- {
13
- "$ref": "#/definitions/list"
14
- },
15
- {
16
- "$ref": "#/definitions/table"
17
- },
18
- {
19
- "$ref": "#/definitions/text"
20
- },
21
- {
22
- "$ref": "#/definitions/url"
23
- },
24
- {
25
- "$ref": "#/definitions/code"
26
- },
27
- {
28
- "$ref": "#/definitions/value"
29
- },
30
- {
31
- "$ref": "#/definitions/diff"
32
- },
33
- {
34
- "$ref": "#/definitions/markdown"
35
- },
36
- {
37
- "$ref": "#/definitions/commit"
38
- },
39
- {
40
- "$ref": "#/definitions/file_location"
41
- },
42
- {
43
- "$ref": "#/definitions/module_location"
44
- }
45
- ]
46
- },
47
- "text_value": {
48
- "type": "string"
49
- },
50
- "named_field": {
51
- "type": "object",
52
- "required": [
53
- "name"
54
- ],
55
- "properties": {
56
- "name": {
57
- "$ref": "#/definitions/text_value",
58
- "type": "string",
59
- "minLength": 1
60
- },
61
- "description": {
62
- "$ref": "#/definitions/text_value"
63
- }
64
- }
65
- },
66
- "named_list": {
67
- "type": "object",
68
- "description": "An object with named and typed fields",
69
- "required": [
70
- "type",
71
- "items"
72
- ],
73
- "properties": {
74
- "type": {
75
- "const": "named-list"
76
- },
77
- "items": {
78
- "type": "object",
79
- "patternProperties": {
80
- "^.*$": {
81
- "allOf": [
82
- {
83
- "$ref": "#/definitions/named_field"
84
- },
85
- {
86
- "$ref": "#/definitions/detail_type"
87
- }
88
- ]
89
- }
90
- }
91
- }
92
- }
93
- },
94
- "list": {
95
- "type": "object",
96
- "description": "A list of typed fields",
97
- "required": [
98
- "type",
99
- "items"
100
- ],
101
- "properties": {
102
- "type": {
103
- "const": "list"
104
- },
105
- "items": {
106
- "type": "array",
107
- "items": {
108
- "$ref": "#/definitions/detail_type"
109
- }
110
- }
111
- }
112
- },
113
- "table": {
114
- "type": "object",
115
- "description": "A table of typed fields",
116
- "required": [
117
- "type",
118
- "rows"
119
- ],
120
- "properties": {
121
- "type": {
122
- "const": "table"
123
- },
124
- "header": {
125
- "type": "array",
126
- "items": {
127
- "$ref": "#/definitions/detail_type"
128
- }
129
- },
130
- "rows": {
131
- "type": "array",
132
- "items": {
133
- "type": "array",
134
- "items": {
135
- "$ref": "#/definitions/detail_type"
136
- }
137
- }
138
- }
139
- }
140
- },
141
- "text": {
142
- "type": "object",
143
- "description": "Raw text",
144
- "required": [
145
- "type",
146
- "value"
147
- ],
148
- "properties": {
149
- "type": {
150
- "const": "text"
151
- },
152
- "value": {
153
- "$ref": "#/definitions/text_value"
154
- }
155
- }
156
- },
157
- "url": {
158
- "type": "object",
159
- "description": "A single URL",
160
- "required": [
161
- "type",
162
- "href"
163
- ],
164
- "properties": {
165
- "type": {
166
- "const": "url"
167
- },
168
- "text": {
169
- "$ref": "#/definitions/text_value"
170
- },
171
- "href": {
172
- "type": "string",
173
- "minLength": 1,
174
- "examples": [
175
- "http://mysite.com"
176
- ]
177
- }
178
- }
179
- },
180
- "code": {
181
- "type": "object",
182
- "description": "A codeblock",
183
- "required": [
184
- "type",
185
- "value"
186
- ],
187
- "properties": {
188
- "type": {
189
- "const": "code"
190
- },
191
- "value": {
192
- "type": "string"
193
- },
194
- "lang": {
195
- "type": "string",
196
- "description": "A programming language"
197
- }
198
- }
199
- },
200
- "value": {
201
- "type": "object",
202
- "description": "A field that can store a range of types of value",
203
- "required": [
204
- "type",
205
- "value"
206
- ],
207
- "properties": {
208
- "type": {
209
- "const": "value"
210
- },
211
- "value": {
212
- "type": [
213
- "number",
214
- "string",
215
- "boolean"
216
- ]
217
- }
218
- }
219
- },
220
- "diff": {
221
- "type": "object",
222
- "description": "A diff",
223
- "required": [
224
- "type",
225
- "before",
226
- "after"
227
- ],
228
- "properties": {
229
- "type": {
230
- "const": "diff"
231
- },
232
- "before": {
233
- "type": "string"
234
- },
235
- "after": {
236
- "type": "string"
237
- }
238
- }
239
- },
240
- "markdown": {
241
- "type": "object",
242
- "description": "GitLab flavoured markdown, see https://docs.gitlab.com/ee/user/markdown.html",
243
- "required": [
244
- "type",
245
- "value"
246
- ],
247
- "properties": {
248
- "type": {
249
- "const": "markdown"
250
- },
251
- "value": {
252
- "$ref": "#/definitions/text_value",
253
- "examples": [
254
- "Here is markdown `inline code` #1 [test](gitlab.com)\n\n![GitLab Logo](https://about.gitlab.com/images/press/logo/preview/gitlab-logo-white-preview.png)"
255
- ]
256
- }
257
- }
258
- },
259
- "commit": {
260
- "type": "object",
261
- "description": "A commit/tag/branch within the GitLab project",
262
- "required": [
263
- "type",
264
- "value"
265
- ],
266
- "properties": {
267
- "type": {
268
- "const": "commit"
269
- },
270
- "value": {
271
- "type": "string",
272
- "description": "The commit SHA",
273
- "minLength": 1
274
- }
275
- }
276
- },
277
- "file_location": {
278
- "type": "object",
279
- "description": "A location within a file in the project",
280
- "required": [
281
- "type",
282
- "file_name",
283
- "line_start"
284
- ],
285
- "properties": {
286
- "type": {
287
- "const": "file-location"
288
- },
289
- "file_name": {
290
- "type": "string",
291
- "minLength": 1
292
- },
293
- "line_start": {
294
- "type": "integer"
295
- },
296
- "line_end": {
297
- "type": "integer"
298
- }
299
- }
300
- },
301
- "module_location": {
302
- "type": "object",
303
- "description": "A location within a binary module of the form module+relative_offset",
304
- "required": [
305
- "type",
306
- "module_name",
307
- "offset"
308
- ],
309
- "properties": {
310
- "type": {
311
- "const": "module-location"
312
- },
313
- "module_name": {
314
- "type": "string",
315
- "minLength": 1,
316
- "examples": [
317
- "compiled_binary"
318
- ]
319
- },
320
- "offset": {
321
- "type": "integer",
322
- "examples": [
323
- 100
324
- ]
325
- }
326
- }
327
- }
328
- },
329
- "self": {
330
- "version": "15.0.7"
331
- },
332
- "type": "object",
333
- "required": [
334
- "scan",
335
- "version",
336
- "vulnerabilities"
337
- ],
338
- "additionalProperties": true,
339
- "properties": {
340
- "scan": {
341
- "type": "object",
342
- "required": [
343
- "analyzer",
344
- "end_time",
345
- "scanned_resources",
346
- "scanner",
347
- "start_time",
348
- "status",
349
- "type"
350
- ],
351
- "properties": {
352
- "end_time": {
353
- "type": "string",
354
- "description": "ISO8601 UTC value with format yyyy-mm-ddThh:mm:ss, representing when the scan finished.",
355
- "pattern": "^\\d{4}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}$",
356
- "examples": [
357
- "2020-01-28T03:26:02"
358
- ]
359
- },
360
- "messages": {
361
- "type": "array",
362
- "items": {
363
- "type": "object",
364
- "description": "Communication intended for the initiator of a scan.",
365
- "required": [
366
- "level",
367
- "value"
368
- ],
369
- "properties": {
370
- "level": {
371
- "type": "string",
372
- "description": "Describes the severity of the communication. Use info to communicate normal scan behaviour; warn to communicate a potentially recoverable problem, or a partial error; fatal to communicate an issue that causes the scan to halt.",
373
- "enum": [
374
- "info",
375
- "warn",
376
- "fatal"
377
- ],
378
- "examples": [
379
- "info"
380
- ]
381
- },
382
- "value": {
383
- "type": "string",
384
- "description": "The message to communicate.",
385
- "minLength": 1,
386
- "examples": [
387
- "Permission denied, scanning aborted"
388
- ]
389
- }
390
- }
391
- }
392
- },
393
- "options": {
394
- "type": "array",
395
- "items": {
396
- "type": "object",
397
- "description": "A configuration option used for this scan.",
398
- "required": [
399
- "name",
400
- "value"
401
- ],
402
- "properties": {
403
- "name": {
404
- "type": "string",
405
- "description": "The configuration option name.",
406
- "maxLength": 255,
407
- "minLength": 1,
408
- "examples": [
409
- "DAST_FF_ENABLE_BAS",
410
- "DOCKER_TLS_CERTDIR",
411
- "DS_MAX_DEPTH",
412
- "SECURE_LOG_LEVEL"
413
- ]
414
- },
415
- "source": {
416
- "type": "string",
417
- "description": "The source of this option.",
418
- "enum": [
419
- "argument",
420
- "file",
421
- "env_variable",
422
- "other"
423
- ]
424
- },
425
- "value": {
426
- "type": [
427
- "boolean",
428
- "integer",
429
- "null",
430
- "string"
431
- ],
432
- "description": "The value used for this scan.",
433
- "examples": [
434
- true,
435
- 2,
436
- null,
437
- "fatal",
438
- ""
439
- ]
440
- }
441
- }
442
- }
443
- },
444
- "analyzer": {
445
- "type": "object",
446
- "description": "Object defining the analyzer used to perform the scan. Analyzers typically delegate to an underlying scanner to run the scan.",
447
- "required": [
448
- "id",
449
- "name",
450
- "version",
451
- "vendor"
452
- ],
453
- "properties": {
454
- "id": {
455
- "type": "string",
456
- "description": "Unique id that identifies the analyzer.",
457
- "minLength": 1,
458
- "examples": [
459
- "gitlab-dast"
460
- ]
461
- },
462
- "name": {
463
- "type": "string",
464
- "description": "A human readable value that identifies the analyzer, not required to be unique.",
465
- "minLength": 1,
466
- "examples": [
467
- "GitLab DAST"
468
- ]
469
- },
470
- "url": {
471
- "type": "string",
472
- "pattern": "^https?://.+",
473
- "description": "A link to more information about the analyzer.",
474
- "examples": [
475
- "https://docs.gitlab.com/ee/user/application_security/dast"
476
- ]
477
- },
478
- "vendor": {
479
- "description": "The vendor/maintainer of the analyzer.",
480
- "type": "object",
481
- "required": [
482
- "name"
483
- ],
484
- "properties": {
485
- "name": {
486
- "type": "string",
487
- "description": "The name of the vendor.",
488
- "minLength": 1,
489
- "examples": [
490
- "GitLab"
491
- ]
492
- }
493
- }
494
- },
495
- "version": {
496
- "type": "string",
497
- "description": "The version of the analyzer.",
498
- "minLength": 1,
499
- "examples": [
500
- "1.0.2"
501
- ]
502
- }
503
- }
504
- },
505
- "scanner": {
506
- "type": "object",
507
- "description": "Object defining the scanner used to perform the scan.",
508
- "required": [
509
- "id",
510
- "name",
511
- "version",
512
- "vendor"
513
- ],
514
- "properties": {
515
- "id": {
516
- "type": "string",
517
- "description": "Unique id that identifies the scanner.",
518
- "minLength": 1,
519
- "examples": [
520
- "my-sast-scanner"
521
- ]
522
- },
523
- "name": {
524
- "type": "string",
525
- "description": "A human readable value that identifies the scanner, not required to be unique.",
526
- "minLength": 1,
527
- "examples": [
528
- "My SAST Scanner"
529
- ]
530
- },
531
- "url": {
532
- "type": "string",
533
- "description": "A link to more information about the scanner.",
534
- "examples": [
535
- "https://scanner.url"
536
- ]
537
- },
538
- "version": {
539
- "type": "string",
540
- "description": "The version of the scanner.",
541
- "minLength": 1,
542
- "examples": [
543
- "1.0.2"
544
- ]
545
- },
546
- "vendor": {
547
- "description": "The vendor/maintainer of the scanner.",
548
- "type": "object",
549
- "required": [
550
- "name"
551
- ],
552
- "properties": {
553
- "name": {
554
- "type": "string",
555
- "description": "The name of the vendor.",
556
- "minLength": 1,
557
- "examples": [
558
- "GitLab"
559
- ]
560
- }
561
- }
562
- }
563
- }
564
- },
565
- "start_time": {
566
- "type": "string",
567
- "description": "ISO8601 UTC value with format yyyy-mm-ddThh:mm:ss, representing when the scan started.",
568
- "pattern": "^\\d{4}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}$",
569
- "examples": [
570
- "2020-02-14T16:01:59"
571
- ]
572
- },
573
- "status": {
574
- "type": "string",
575
- "description": "Result of the scan.",
576
- "enum": [
577
- "success",
578
- "failure"
579
- ]
580
- },
581
- "type": {
582
- "type": "string",
583
- "description": "Type of the scan.",
584
- "enum": [
585
- "dast",
586
- "api_fuzzing"
587
- ]
588
- },
589
- "primary_identifiers": {
590
- "type": "array",
591
- "description": "An unordered array containing an exhaustive list of primary identifiers for which the analyzer may return results",
592
- "items": {
593
- "type": "object",
594
- "required": [
595
- "type",
596
- "name",
597
- "value"
598
- ],
599
- "properties": {
600
- "type": {
601
- "type": "string",
602
- "description": "for example, cve, cwe, osvdb, usn, or an analyzer-dependent type such as gemnasium).",
603
- "minLength": 1
604
- },
605
- "name": {
606
- "type": "string",
607
- "description": "Human-readable name of the identifier.",
608
- "minLength": 1
609
- },
610
- "url": {
611
- "type": "string",
612
- "description": "URL of the identifier's documentation.",
613
- "pattern": "^(https?|ftp)://.+"
614
- },
615
- "value": {
616
- "type": "string",
617
- "description": "Value of the identifier, for matching purpose.",
618
- "minLength": 1
619
- }
620
- }
621
- }
622
- },
623
- "scanned_resources": {
624
- "type": "array",
625
- "description": "The attack surface scanned by DAST.",
626
- "items": {
627
- "type": "object",
628
- "required": [
629
- "method",
630
- "url",
631
- "type"
632
- ],
633
- "properties": {
634
- "method": {
635
- "type": "string",
636
- "minLength": 1,
637
- "description": "HTTP method of the scanned resource.",
638
- "examples": [
639
- "GET",
640
- "POST",
641
- "HEAD"
642
- ]
643
- },
644
- "url": {
645
- "type": "string",
646
- "minLength": 1,
647
- "description": "URL of the scanned resource.",
648
- "examples": [
649
- "http://my.site.com/a-page"
650
- ]
651
- },
652
- "type": {
653
- "type": "string",
654
- "minLength": 1,
655
- "description": "Type of the scanned resource, for DAST, this must be 'url'.",
656
- "examples": [
657
- "url"
658
- ]
659
- }
660
- }
661
- }
662
- }
663
- }
664
- },
665
- "schema": {
666
- "type": "string",
667
- "description": "URI pointing to the validating security report schema.",
668
- "pattern": "^https?://.+"
669
- },
670
- "version": {
671
- "type": "string",
672
- "description": "The version of the schema to which the JSON report conforms.",
673
- "pattern": "^[0-9]+\\.[0-9]+\\.[0-9]+$"
674
- },
675
- "vulnerabilities": {
676
- "type": "array",
677
- "description": "Array of vulnerability objects.",
678
- "items": {
679
- "type": "object",
680
- "description": "Describes the vulnerability using GitLab Flavored Markdown",
681
- "required": [
682
- "id",
683
- "identifiers",
684
- "location"
685
- ],
686
- "properties": {
687
- "id": {
688
- "type": "string",
689
- "minLength": 1,
690
- "description": "Unique identifier of the vulnerability. This is recommended to be a UUID.",
691
- "examples": [
692
- "642735a5-1425-428d-8d4e-3c854885a3c9"
693
- ]
694
- },
695
- "name": {
696
- "type": "string",
697
- "maxLength": 255,
698
- "description": "The name of the vulnerability. This must not include the finding's specific information."
699
- },
700
- "description": {
701
- "type": "string",
702
- "maxLength": 1048576,
703
- "description": "A long text section describing the vulnerability more fully."
704
- },
705
- "severity": {
706
- "type": "string",
707
- "description": "How much the vulnerability impacts the software. Possible values are Info, Unknown, Low, Medium, High, or Critical. Note that some analyzers may not report all these possible values.",
708
- "enum": [
709
- "Info",
710
- "Unknown",
711
- "Low",
712
- "Medium",
713
- "High",
714
- "Critical"
715
- ]
716
- },
717
- "solution": {
718
- "type": "string",
719
- "maxLength": 7000,
720
- "description": "Explanation of how to fix the vulnerability."
721
- },
722
- "identifiers": {
723
- "type": "array",
724
- "minItems": 1,
725
- "description": "An ordered array of references that identify a vulnerability on internal or external databases. The first identifier is the Primary Identifier, which has special meaning.",
726
- "items": {
727
- "type": "object",
728
- "required": [
729
- "type",
730
- "name",
731
- "value"
732
- ],
733
- "properties": {
734
- "type": {
735
- "type": "string",
736
- "description": "for example, cve, cwe, osvdb, usn, or an analyzer-dependent type such as gemnasium).",
737
- "minLength": 1
738
- },
739
- "name": {
740
- "type": "string",
741
- "description": "Human-readable name of the identifier.",
742
- "minLength": 1
743
- },
744
- "url": {
745
- "type": "string",
746
- "description": "URL of the identifier's documentation.",
747
- "pattern": "^(https?|ftp)://.+"
748
- },
749
- "value": {
750
- "type": "string",
751
- "description": "Value of the identifier, for matching purpose.",
752
- "minLength": 1
753
- }
754
- }
755
- }
756
- },
757
- "cvss_vectors": {
758
- "type": "array",
759
- "minItems": 1,
760
- "maxItems": 10,
761
- "description": "An ordered array of CVSS vectors, each issued by a vendor to rate the vulnerability. The first item in the array is used as the primary CVSS vector, and is used to filter and sort the vulnerability.",
762
- "items": {
763
- "oneOf": [
764
- {
765
- "type": "object",
766
- "properties": {
767
- "vendor": {
768
- "type": "string",
769
- "minLength": 1,
770
- "default": "unknown"
771
- },
772
- "vector": {
773
- "type": "string",
774
- "minLength": 16,
775
- "maxLength": 128,
776
- "pattern": "^((AV:[NAL]|AC:[LMH]|Au:[MSN]|[CIA]:[NPC]|E:(U|POC|F|H|ND)|RL:(OF|TF|W|U|ND)|RC:(UC|UR|C|ND)|CDP:(N|L|LM|MH|H|ND)|TD:(N|L|M|H|ND)|[CIA]R:(L|M|H|ND))/)*(AV:[NAL]|AC:[LMH]|Au:[MSN]|[CIA]:[NPC]|E:(U|POC|F|H|ND)|RL:(OF|TF|W|U|ND)|RC:(UC|UR|C|ND)|CDP:(N|L|LM|MH|H|ND)|TD:(N|L|M|H|ND)|[CIA]R:(L|M|H|ND))$"
777
- }
778
- },
779
- "required": [
780
- "vendor",
781
- "vector"
782
- ]
783
- },
784
- {
785
- "type": "object",
786
- "properties": {
787
- "vendor": {
788
- "type": "string",
789
- "minLength": 1,
790
- "default": "unknown"
791
- },
792
- "vector": {
793
- "type": "string",
794
- "minLength": 32,
795
- "maxLength": 128,
796
- "pattern": "^CVSS:3[.][01]/((AV:[NALP]|AC:[LH]|PR:[NLH]|UI:[NR]|S:[UC]|[CIA]:[NLH]|E:[XUPFH]|RL:[XOTWU]|RC:[XURC]|[CIA]R:[XLMH]|MAV:[XNALP]|MAC:[XLH]|MPR:[XNLH]|MUI:[XNR]|MS:[XUC]|M[CIA]:[XNLH])/)*(AV:[NALP]|AC:[LH]|PR:[NLH]|UI:[NR]|S:[UC]|[CIA]:[NLH]|E:[XUPFH]|RL:[XOTWU]|RC:[XURC]|[CIA]R:[XLMH]|MAV:[XNALP]|MAC:[XLH]|MPR:[XNLH]|MUI:[XNR]|MS:[XUC]|M[CIA]:[XNLH])$"
797
- }
798
- },
799
- "required": [
800
- "vendor",
801
- "vector"
802
- ]
803
- }
804
- ]
805
- }
806
- },
807
- "links": {
808
- "type": "array",
809
- "description": "An array of references to external documentation or articles that describe the vulnerability.",
810
- "items": {
811
- "type": "object",
812
- "required": [
813
- "url"
814
- ],
815
- "properties": {
816
- "name": {
817
- "type": "string",
818
- "description": "Name of the vulnerability details link."
819
- },
820
- "url": {
821
- "type": "string",
822
- "description": "URL of the vulnerability details document.",
823
- "pattern": "^(https?|ftp)://.+"
824
- }
825
- }
826
- }
827
- },
828
- "details": {
829
- "$ref": "#/definitions/named_list/properties/items"
830
- },
831
- "tracking": {
832
- "type": "object",
833
- "description": "Describes how this vulnerability should be tracked as the project changes.",
834
- "oneOf": [
835
- {
836
- "description": "Declares that a series of items should be tracked using source-specific tracking methods.",
837
- "required": [
838
- "items"
839
- ],
840
- "properties": {
841
- "type": {
842
- "const": "source"
843
- },
844
- "items": {
845
- "type": "array",
846
- "items": {
847
- "description": "An item that should be tracked using source-specific tracking methods.",
848
- "type": "object",
849
- "required": [
850
- "signatures"
851
- ],
852
- "properties": {
853
- "file": {
854
- "type": "string",
855
- "description": "Path to the file where the vulnerability is located."
856
- },
857
- "start_line": {
858
- "type": "number",
859
- "description": "The first line of the file that includes the vulnerability."
860
- },
861
- "end_line": {
862
- "type": "number",
863
- "description": "The last line of the file that includes the vulnerability."
864
- },
865
- "signatures": {
866
- "type": "array",
867
- "description": "An array of calculated tracking signatures for this tracking item.",
868
- "minItems": 1,
869
- "items": {
870
- "description": "A calculated tracking signature value and metadata.",
871
- "type": "object",
872
- "required": [
873
- "algorithm",
874
- "value"
875
- ],
876
- "properties": {
877
- "algorithm": {
878
- "type": "string",
879
- "description": "The algorithm used to generate the signature."
880
- },
881
- "value": {
882
- "type": "string",
883
- "description": "The result of this signature algorithm."
884
- }
885
- }
886
- }
887
- }
888
- }
889
- }
890
- }
891
- }
892
- }
893
- ],
894
- "properties": {
895
- "type": {
896
- "type": "string",
897
- "description": "Each tracking type must declare its own type."
898
- }
899
- }
900
- },
901
- "flags": {
902
- "description": "Flags that can be attached to vulnerabilities.",
903
- "type": "array",
904
- "items": {
905
- "type": "object",
906
- "description": "Informational flags identified and assigned to a vulnerability.",
907
- "required": [
908
- "type",
909
- "origin",
910
- "description"
911
- ],
912
- "properties": {
913
- "type": {
914
- "type": "string",
915
- "minLength": 1,
916
- "description": "Result of the scan.",
917
- "enum": [
918
- "flagged-as-likely-false-positive"
919
- ]
920
- },
921
- "origin": {
922
- "minLength": 1,
923
- "description": "Tool that issued the flag.",
924
- "type": "string"
925
- },
926
- "description": {
927
- "minLength": 1,
928
- "description": "What the flag is about.",
929
- "type": "string"
930
- }
931
- }
932
- }
933
- },
934
- "evidence": {
935
- "type": "object",
936
- "properties": {
937
- "source": {
938
- "type": "object",
939
- "description": "Source of evidence",
940
- "required": [
941
- "id",
942
- "name"
943
- ],
944
- "properties": {
945
- "id": {
946
- "type": "string",
947
- "minLength": 1,
948
- "description": "Unique source identifier",
949
- "examples": [
950
- "assert:LogAnalysis",
951
- "assert:StatusCode"
952
- ]
953
- },
954
- "name": {
955
- "type": "string",
956
- "minLength": 1,
957
- "description": "Source display name",
958
- "examples": [
959
- "Log Analysis",
960
- "Status Code"
961
- ]
962
- },
963
- "url": {
964
- "type": "string",
965
- "description": "Link to additional information",
966
- "examples": [
967
- "https://docs.gitlab.com/ee/development/integrations/secure.html"
968
- ]
969
- }
970
- }
971
- },
972
- "summary": {
973
- "type": "string",
974
- "description": "Human readable string containing evidence of the vulnerability.",
975
- "examples": [
976
- "Credit card 4111111111111111 found",
977
- "Server leaked information nginx/1.17.6"
978
- ]
979
- },
980
- "request": {
981
- "type": "object",
982
- "description": "An HTTP request.",
983
- "required": [
984
- "headers",
985
- "method",
986
- "url"
987
- ],
988
- "properties": {
989
- "headers": {
990
- "type": "array",
991
- "description": "HTTP headers present on the request.",
992
- "items": {
993
- "type": "object",
994
- "required": [
995
- "name",
996
- "value"
997
- ],
998
- "properties": {
999
- "name": {
1000
- "type": "string",
1001
- "minLength": 1,
1002
- "description": "Name of the HTTP header.",
1003
- "examples": [
1004
- "Accept",
1005
- "Content-Length",
1006
- "Content-Type"
1007
- ]
1008
- },
1009
- "value": {
1010
- "type": "string",
1011
- "description": "Value of the HTTP header.",
1012
- "examples": [
1013
- "*/*",
1014
- "560",
1015
- "application/json; charset=utf-8"
1016
- ]
1017
- }
1018
- }
1019
- }
1020
- },
1021
- "method": {
1022
- "type": "string",
1023
- "minLength": 1,
1024
- "description": "HTTP method used in the request.",
1025
- "examples": [
1026
- "GET",
1027
- "POST"
1028
- ]
1029
- },
1030
- "url": {
1031
- "type": "string",
1032
- "minLength": 1,
1033
- "description": "URL of the request.",
1034
- "examples": [
1035
- "http://my.site.com/vulnerable-endpoint?show-credit-card"
1036
- ]
1037
- },
1038
- "body": {
1039
- "type": "string",
1040
- "description": "Body of the request for display purposes. Body must be suitable for display (not binary), and truncated to a reasonable size.",
1041
- "examples": [
1042
- "user=jsmith&first=%27&last=smith"
1043
- ]
1044
- }
1045
- }
1046
- },
1047
- "response": {
1048
- "type": "object",
1049
- "description": "An HTTP response.",
1050
- "required": [
1051
- "headers",
1052
- "reason_phrase",
1053
- "status_code"
1054
- ],
1055
- "properties": {
1056
- "headers": {
1057
- "type": "array",
1058
- "description": "HTTP headers present on the request.",
1059
- "items": {
1060
- "type": "object",
1061
- "required": [
1062
- "name",
1063
- "value"
1064
- ],
1065
- "properties": {
1066
- "name": {
1067
- "type": "string",
1068
- "minLength": 1,
1069
- "description": "Name of the HTTP header.",
1070
- "examples": [
1071
- "Accept",
1072
- "Content-Length",
1073
- "Content-Type"
1074
- ]
1075
- },
1076
- "value": {
1077
- "type": "string",
1078
- "description": "Value of the HTTP header.",
1079
- "examples": [
1080
- "*/*",
1081
- "560",
1082
- "application/json; charset=utf-8"
1083
- ]
1084
- }
1085
- }
1086
- }
1087
- },
1088
- "reason_phrase": {
1089
- "type": "string",
1090
- "description": "HTTP reason phrase of the response.",
1091
- "examples": [
1092
- "OK",
1093
- "Internal Server Error"
1094
- ]
1095
- },
1096
- "status_code": {
1097
- "type": "integer",
1098
- "description": "HTTP status code of the response.",
1099
- "examples": [
1100
- 200,
1101
- 500
1102
- ]
1103
- },
1104
- "body": {
1105
- "type": "string",
1106
- "description": "Body of the response for display purposes. Body must be suitable for display (not binary), and truncated to a reasonable size.",
1107
- "examples": [
1108
- "{\"user_id\": 2}"
1109
- ]
1110
- }
1111
- }
1112
- },
1113
- "supporting_messages": {
1114
- "type": "array",
1115
- "description": "Array of supporting http messages.",
1116
- "items": {
1117
- "type": "object",
1118
- "description": "A supporting http message.",
1119
- "required": [
1120
- "name"
1121
- ],
1122
- "properties": {
1123
- "name": {
1124
- "type": "string",
1125
- "minLength": 1,
1126
- "description": "Message display name.",
1127
- "examples": [
1128
- "Unmodified",
1129
- "Recorded"
1130
- ]
1131
- },
1132
- "request": {
1133
- "type": "object",
1134
- "description": "An HTTP request.",
1135
- "required": [
1136
- "headers",
1137
- "method",
1138
- "url"
1139
- ],
1140
- "properties": {
1141
- "headers": {
1142
- "type": "array",
1143
- "description": "HTTP headers present on the request.",
1144
- "items": {
1145
- "type": "object",
1146
- "required": [
1147
- "name",
1148
- "value"
1149
- ],
1150
- "properties": {
1151
- "name": {
1152
- "type": "string",
1153
- "minLength": 1,
1154
- "description": "Name of the HTTP header.",
1155
- "examples": [
1156
- "Accept",
1157
- "Content-Length",
1158
- "Content-Type"
1159
- ]
1160
- },
1161
- "value": {
1162
- "type": "string",
1163
- "description": "Value of the HTTP header.",
1164
- "examples": [
1165
- "*/*",
1166
- "560",
1167
- "application/json; charset=utf-8"
1168
- ]
1169
- }
1170
- }
1171
- }
1172
- },
1173
- "method": {
1174
- "type": "string",
1175
- "minLength": 1,
1176
- "description": "HTTP method used in the request.",
1177
- "examples": [
1178
- "GET",
1179
- "POST"
1180
- ]
1181
- },
1182
- "url": {
1183
- "type": "string",
1184
- "minLength": 1,
1185
- "description": "URL of the request.",
1186
- "examples": [
1187
- "http://my.site.com/vulnerable-endpoint?show-credit-card"
1188
- ]
1189
- },
1190
- "body": {
1191
- "type": "string",
1192
- "description": "Body of the request for display purposes. Body must be suitable for display (not binary), and truncated to a reasonable size.",
1193
- "examples": [
1194
- "user=jsmith&first=%27&last=smith"
1195
- ]
1196
- }
1197
- }
1198
- },
1199
- "response": {
1200
- "type": "object",
1201
- "description": "An HTTP response.",
1202
- "required": [
1203
- "headers",
1204
- "reason_phrase",
1205
- "status_code"
1206
- ],
1207
- "properties": {
1208
- "headers": {
1209
- "type": "array",
1210
- "description": "HTTP headers present on the request.",
1211
- "items": {
1212
- "type": "object",
1213
- "required": [
1214
- "name",
1215
- "value"
1216
- ],
1217
- "properties": {
1218
- "name": {
1219
- "type": "string",
1220
- "minLength": 1,
1221
- "description": "Name of the HTTP header.",
1222
- "examples": [
1223
- "Accept",
1224
- "Content-Length",
1225
- "Content-Type"
1226
- ]
1227
- },
1228
- "value": {
1229
- "type": "string",
1230
- "description": "Value of the HTTP header.",
1231
- "examples": [
1232
- "*/*",
1233
- "560",
1234
- "application/json; charset=utf-8"
1235
- ]
1236
- }
1237
- }
1238
- }
1239
- },
1240
- "reason_phrase": {
1241
- "type": "string",
1242
- "description": "HTTP reason phrase of the response.",
1243
- "examples": [
1244
- "OK",
1245
- "Internal Server Error"
1246
- ]
1247
- },
1248
- "status_code": {
1249
- "type": "integer",
1250
- "description": "HTTP status code of the response.",
1251
- "examples": [
1252
- 200,
1253
- 500
1254
- ]
1255
- },
1256
- "body": {
1257
- "type": "string",
1258
- "description": "Body of the response for display purposes. Body must be suitable for display (not binary), and truncated to a reasonable size.",
1259
- "examples": [
1260
- "{\"user_id\": 2}"
1261
- ]
1262
- }
1263
- }
1264
- }
1265
- }
1266
- }
1267
- }
1268
- }
1269
- },
1270
- "location": {
1271
- "type": "object",
1272
- "description": "Identifies the vulnerability's location.",
1273
- "properties": {
1274
- "hostname": {
1275
- "type": "string",
1276
- "description": "The protocol, domain, and port of the application where the vulnerability was found."
1277
- },
1278
- "method": {
1279
- "type": "string",
1280
- "description": "The HTTP method that was used to request the URL where the vulnerability was found."
1281
- },
1282
- "param": {
1283
- "type": "string",
1284
- "description": "A value provided by a vulnerability rule related to the found vulnerability. Examples include a header value, or a parameter used in a HTTP POST."
1285
- },
1286
- "path": {
1287
- "type": "string",
1288
- "description": "The path of the URL where the vulnerability was found. Typically, this would start with a forward slash."
1289
- }
1290
- }
1291
- },
1292
- "assets": {
1293
- "type": "array",
1294
- "description": "Array of build assets associated with vulnerability.",
1295
- "items": {
1296
- "type": "object",
1297
- "description": "Describes an asset associated with vulnerability.",
1298
- "required": [
1299
- "type",
1300
- "name",
1301
- "url"
1302
- ],
1303
- "properties": {
1304
- "type": {
1305
- "type": "string",
1306
- "description": "The type of asset",
1307
- "enum": [
1308
- "http_session",
1309
- "postman"
1310
- ]
1311
- },
1312
- "name": {
1313
- "type": "string",
1314
- "minLength": 1,
1315
- "description": "Display name for asset",
1316
- "examples": [
1317
- "HTTP Messages",
1318
- "Postman Collection"
1319
- ]
1320
- },
1321
- "url": {
1322
- "type": "string",
1323
- "minLength": 1,
1324
- "description": "Link to asset in build artifacts",
1325
- "examples": [
1326
- "https://gitlab.com/gitlab-org/security-products/dast/-/jobs/626397001/artifacts/file//output/zap_session.data"
1327
- ]
1328
- }
1329
- }
1330
- }
1331
- }
1332
- }
1333
- }
1334
- },
1335
- "remediations": {
1336
- "type": "array",
1337
- "description": "An array of objects containing information on available remediations, along with patch diffs to apply.",
1338
- "items": {
1339
- "type": "object",
1340
- "required": [
1341
- "fixes",
1342
- "summary",
1343
- "diff"
1344
- ],
1345
- "properties": {
1346
- "fixes": {
1347
- "type": "array",
1348
- "description": "An array of strings that represent references to vulnerabilities fixed by this remediation.",
1349
- "items": {
1350
- "type": "object",
1351
- "required": [
1352
- "id"
1353
- ],
1354
- "properties": {
1355
- "id": {
1356
- "type": "string",
1357
- "minLength": 1,
1358
- "description": "Unique identifier of the vulnerability. This is recommended to be a UUID.",
1359
- "examples": [
1360
- "642735a5-1425-428d-8d4e-3c854885a3c9"
1361
- ]
1362
- }
1363
- }
1364
- }
1365
- },
1366
- "summary": {
1367
- "type": "string",
1368
- "minLength": 1,
1369
- "description": "An overview of how the vulnerabilities were fixed."
1370
- },
1371
- "diff": {
1372
- "type": "string",
1373
- "minLength": 1,
1374
- "description": "A base64-encoded remediation code diff, compatible with git apply."
1375
- }
1376
- }
1377
- }
1378
- }
1379
- }
1380
- }