gitlab-security_report_schemas 0.1.0.min15.0.0.max15.1.4 → 0.1.0.min15.1.0.max15.1.0

Files changed (88) hide show
  1. checksums.yaml +4 -4
  2. data/Gemfile.lock +5 -3
  3. data/README.md +10 -14
  4. data/Rakefile +1 -1
  5. data/gem_version +1 -1
  6. data/lib/gitlab/security_report_schemas/configuration.rb +2 -2
  7. data/lib/gitlab/security_report_schemas/version.rb +2 -0
  8. data/supported_versions +0 -11
  9. metadata +2 -81
  10. data/RUNBOOK.md +0 -28
  11. data/schemas/15.0.0/cluster-image-scanning-report-format.json +0 -946
  12. data/schemas/15.0.0/container-scanning-report-format.json +0 -880
  13. data/schemas/15.0.0/coverage-fuzzing-report-format.json +0 -836
  14. data/schemas/15.0.0/dast-report-format.json +0 -1241
  15. data/schemas/15.0.0/dependency-scanning-report-format.json +0 -944
  16. data/schemas/15.0.0/sast-report-format.json +0 -831
  17. data/schemas/15.0.0/secret-detection-report-format.json +0 -854
  18. data/schemas/15.0.1/cluster-image-scanning-report-format.json +0 -980
  19. data/schemas/15.0.1/container-scanning-report-format.json +0 -914
  20. data/schemas/15.0.1/coverage-fuzzing-report-format.json +0 -870
  21. data/schemas/15.0.1/dast-report-format.json +0 -1275
  22. data/schemas/15.0.1/dependency-scanning-report-format.json +0 -978
  23. data/schemas/15.0.1/sast-report-format.json +0 -865
  24. data/schemas/15.0.1/secret-detection-report-format.json +0 -888
  25. data/schemas/15.0.2/cluster-image-scanning-report-format.json +0 -980
  26. data/schemas/15.0.2/container-scanning-report-format.json +0 -912
  27. data/schemas/15.0.2/coverage-fuzzing-report-format.json +0 -870
  28. data/schemas/15.0.2/dast-report-format.json +0 -1275
  29. data/schemas/15.0.2/dependency-scanning-report-format.json +0 -978
  30. data/schemas/15.0.2/sast-report-format.json +0 -865
  31. data/schemas/15.0.2/secret-detection-report-format.json +0 -888
  32. data/schemas/15.0.4/cluster-image-scanning-report-format.json +0 -984
  33. data/schemas/15.0.4/container-scanning-report-format.json +0 -916
  34. data/schemas/15.0.4/coverage-fuzzing-report-format.json +0 -874
  35. data/schemas/15.0.4/dast-report-format.json +0 -1279
  36. data/schemas/15.0.4/dependency-scanning-report-format.json +0 -982
  37. data/schemas/15.0.4/sast-report-format.json +0 -869
  38. data/schemas/15.0.4/secret-detection-report-format.json +0 -893
  39. data/schemas/15.0.5/cluster-image-scanning-report-format.json +0 -1035
  40. data/schemas/15.0.5/container-scanning-report-format.json +0 -967
  41. data/schemas/15.0.5/coverage-fuzzing-report-format.json +0 -925
  42. data/schemas/15.0.5/dast-report-format.json +0 -1330
  43. data/schemas/15.0.5/dependency-scanning-report-format.json +0 -1033
  44. data/schemas/15.0.5/sast-report-format.json +0 -920
  45. data/schemas/15.0.5/secret-detection-report-format.json +0 -944
  46. data/schemas/15.0.6/cluster-image-scanning-report-format.json +0 -1035
  47. data/schemas/15.0.6/container-scanning-report-format.json +0 -967
  48. data/schemas/15.0.6/coverage-fuzzing-report-format.json +0 -925
  49. data/schemas/15.0.6/dast-report-format.json +0 -1330
  50. data/schemas/15.0.6/dependency-scanning-report-format.json +0 -1033
  51. data/schemas/15.0.6/sast-report-format.json +0 -920
  52. data/schemas/15.0.6/secret-detection-report-format.json +0 -944
  53. data/schemas/15.0.7/cluster-image-scanning-report-format.json +0 -1085
  54. data/schemas/15.0.7/container-scanning-report-format.json +0 -1017
  55. data/schemas/15.0.7/coverage-fuzzing-report-format.json +0 -975
  56. data/schemas/15.0.7/dast-report-format.json +0 -1380
  57. data/schemas/15.0.7/dependency-scanning-report-format.json +0 -1083
  58. data/schemas/15.0.7/sast-report-format.json +0 -970
  59. data/schemas/15.0.7/secret-detection-report-format.json +0 -994
  60. data/schemas/15.1.1/cluster-image-scanning-report-format.json +0 -1065
  61. data/schemas/15.1.1/container-scanning-for-registry-report-format.json +0 -0
  62. data/schemas/15.1.1/container-scanning-report-format.json +0 -998
  63. data/schemas/15.1.1/coverage-fuzzing-report-format.json +0 -975
  64. data/schemas/15.1.1/dast-report-format.json +0 -1380
  65. data/schemas/15.1.1/dependency-scanning-report-format.json +0 -986
  66. data/schemas/15.1.1/sast-report-format.json +0 -970
  67. data/schemas/15.1.1/secret-detection-report-format.json +0 -994
  68. data/schemas/15.1.2/cluster-image-scanning-report-format.json +0 -1190
  69. data/schemas/15.1.2/container-scanning-report-format.json +0 -1123
  70. data/schemas/15.1.2/coverage-fuzzing-report-format.json +0 -1100
  71. data/schemas/15.1.2/dast-report-format.json +0 -1505
  72. data/schemas/15.1.2/dependency-scanning-report-format.json +0 -1111
  73. data/schemas/15.1.2/sast-report-format.json +0 -1095
  74. data/schemas/15.1.2/secret-detection-report-format.json +0 -1119
  75. data/schemas/15.1.3/cluster-image-scanning-report-format.json +0 -1190
  76. data/schemas/15.1.3/container-scanning-report-format.json +0 -1123
  77. data/schemas/15.1.3/coverage-fuzzing-report-format.json +0 -1100
  78. data/schemas/15.1.3/dast-report-format.json +0 -1505
  79. data/schemas/15.1.3/dependency-scanning-report-format.json +0 -1111
  80. data/schemas/15.1.3/sast-report-format.json +0 -1095
  81. data/schemas/15.1.3/secret-detection-report-format.json +0 -1119
  82. data/schemas/15.1.4/cluster-image-scanning-report-format.json +0 -1190
  83. data/schemas/15.1.4/container-scanning-report-format.json +0 -1123
  84. data/schemas/15.1.4/coverage-fuzzing-report-format.json +0 -1100
  85. data/schemas/15.1.4/dast-report-format.json +0 -1505
  86. data/schemas/15.1.4/dependency-scanning-report-format.json +0 -1111
  87. data/schemas/15.1.4/sast-report-format.json +0 -1095
  88. data/schemas/15.1.4/secret-detection-report-format.json +0 -1119
@@ -1,1505 +0,0 @@
1
- {
2
- "$schema": "http://json-schema.org/draft-07/schema#",
3
- "$id": "https://gitlab.com/gitlab-org/security-products/security-report-schemas/-/raw/master/dist/dast-report-format.json",
4
- "title": "Report format for GitLab DAST",
5
- "description": "This schema provides the the report format for Dynamic Application Security Testing (https://docs.gitlab.com/ee/user/application_security/dast).",
6
- "definitions": {
7
- "detail_type": {
8
- "oneOf": [
9
- {
10
- "$ref": "#/definitions/named_list"
11
- },
12
- {
13
- "$ref": "#/definitions/list"
14
- },
15
- {
16
- "$ref": "#/definitions/table"
17
- },
18
- {
19
- "$ref": "#/definitions/text"
20
- },
21
- {
22
- "$ref": "#/definitions/url"
23
- },
24
- {
25
- "$ref": "#/definitions/code"
26
- },
27
- {
28
- "$ref": "#/definitions/value"
29
- },
30
- {
31
- "$ref": "#/definitions/diff"
32
- },
33
- {
34
- "$ref": "#/definitions/markdown"
35
- },
36
- {
37
- "$ref": "#/definitions/commit"
38
- },
39
- {
40
- "$ref": "#/definitions/file_location"
41
- },
42
- {
43
- "$ref": "#/definitions/module_location"
44
- },
45
- {
46
- "$ref": "#/definitions/code_flows"
47
- }
48
- ]
49
- },
50
- "text_value": {
51
- "type": "string"
52
- },
53
- "named_field": {
54
- "type": "object",
55
- "required": [
56
- "name"
57
- ],
58
- "properties": {
59
- "name": {
60
- "$ref": "#/definitions/text_value",
61
- "type": "string",
62
- "minLength": 1
63
- },
64
- "description": {
65
- "$ref": "#/definitions/text_value"
66
- }
67
- }
68
- },
69
- "named_list": {
70
- "type": "object",
71
- "description": "An object with named and typed fields",
72
- "required": [
73
- "type",
74
- "items"
75
- ],
76
- "properties": {
77
- "type": {
78
- "const": "named-list"
79
- },
80
- "items": {
81
- "type": "object",
82
- "patternProperties": {
83
- "^.*$": {
84
- "allOf": [
85
- {
86
- "$ref": "#/definitions/named_field"
87
- },
88
- {
89
- "$ref": "#/definitions/detail_type"
90
- }
91
- ]
92
- }
93
- }
94
- }
95
- }
96
- },
97
- "list": {
98
- "type": "object",
99
- "description": "A list of typed fields",
100
- "required": [
101
- "type",
102
- "items"
103
- ],
104
- "properties": {
105
- "type": {
106
- "const": "list"
107
- },
108
- "items": {
109
- "type": "array",
110
- "items": {
111
- "$ref": "#/definitions/detail_type"
112
- }
113
- }
114
- }
115
- },
116
- "table": {
117
- "type": "object",
118
- "description": "A table of typed fields",
119
- "required": [
120
- "type",
121
- "rows"
122
- ],
123
- "properties": {
124
- "type": {
125
- "const": "table"
126
- },
127
- "header": {
128
- "type": "array",
129
- "items": {
130
- "$ref": "#/definitions/detail_type"
131
- }
132
- },
133
- "rows": {
134
- "type": "array",
135
- "items": {
136
- "type": "array",
137
- "items": {
138
- "$ref": "#/definitions/detail_type"
139
- }
140
- }
141
- }
142
- }
143
- },
144
- "text": {
145
- "type": "object",
146
- "description": "Raw text",
147
- "required": [
148
- "type",
149
- "value"
150
- ],
151
- "properties": {
152
- "type": {
153
- "const": "text"
154
- },
155
- "value": {
156
- "$ref": "#/definitions/text_value"
157
- }
158
- }
159
- },
160
- "url": {
161
- "type": "object",
162
- "description": "A single URL",
163
- "required": [
164
- "type",
165
- "href"
166
- ],
167
- "properties": {
168
- "type": {
169
- "const": "url"
170
- },
171
- "text": {
172
- "$ref": "#/definitions/text_value"
173
- },
174
- "href": {
175
- "type": "string",
176
- "minLength": 1,
177
- "examples": [
178
- "http://mysite.com"
179
- ]
180
- }
181
- }
182
- },
183
- "code": {
184
- "type": "object",
185
- "description": "A codeblock",
186
- "required": [
187
- "type",
188
- "value"
189
- ],
190
- "properties": {
191
- "type": {
192
- "const": "code"
193
- },
194
- "value": {
195
- "type": "string"
196
- },
197
- "lang": {
198
- "type": "string",
199
- "description": "A programming language"
200
- }
201
- }
202
- },
203
- "value": {
204
- "type": "object",
205
- "description": "A field that can store a range of types of value",
206
- "required": [
207
- "type",
208
- "value"
209
- ],
210
- "properties": {
211
- "type": {
212
- "const": "value"
213
- },
214
- "value": {
215
- "type": [
216
- "number",
217
- "string",
218
- "boolean"
219
- ]
220
- }
221
- }
222
- },
223
- "diff": {
224
- "type": "object",
225
- "description": "A diff",
226
- "required": [
227
- "type",
228
- "before",
229
- "after"
230
- ],
231
- "properties": {
232
- "type": {
233
- "const": "diff"
234
- },
235
- "before": {
236
- "type": "string"
237
- },
238
- "after": {
239
- "type": "string"
240
- }
241
- }
242
- },
243
- "markdown": {
244
- "type": "object",
245
- "description": "GitLab flavoured markdown, see https://docs.gitlab.com/ee/user/markdown.html",
246
- "required": [
247
- "type",
248
- "value"
249
- ],
250
- "properties": {
251
- "type": {
252
- "const": "markdown"
253
- },
254
- "value": {
255
- "$ref": "#/definitions/text_value",
256
- "examples": [
257
- "Here is markdown `inline code` #1 [test](gitlab.com)\n\n![GitLab Logo](https://about.gitlab.com/images/press/logo/preview/gitlab-logo-white-preview.png)"
258
- ]
259
- }
260
- }
261
- },
262
- "commit": {
263
- "type": "object",
264
- "description": "A commit/tag/branch within the GitLab project",
265
- "required": [
266
- "type",
267
- "value"
268
- ],
269
- "properties": {
270
- "type": {
271
- "const": "commit"
272
- },
273
- "value": {
274
- "type": "string",
275
- "description": "The commit SHA",
276
- "minLength": 1
277
- }
278
- }
279
- },
280
- "file_location": {
281
- "type": "object",
282
- "description": "A location within a file in the project",
283
- "required": [
284
- "type",
285
- "file_name",
286
- "line_start"
287
- ],
288
- "properties": {
289
- "type": {
290
- "const": "file-location"
291
- },
292
- "file_name": {
293
- "type": "string",
294
- "minLength": 1
295
- },
296
- "line_start": {
297
- "type": "integer"
298
- },
299
- "line_end": {
300
- "type": "integer"
301
- }
302
- }
303
- },
304
- "module_location": {
305
- "type": "object",
306
- "description": "A location within a binary module of the form module+relative_offset",
307
- "required": [
308
- "type",
309
- "module_name",
310
- "offset"
311
- ],
312
- "properties": {
313
- "type": {
314
- "const": "module-location"
315
- },
316
- "module_name": {
317
- "type": "string",
318
- "minLength": 1,
319
- "examples": [
320
- "compiled_binary"
321
- ]
322
- },
323
- "offset": {
324
- "type": "integer",
325
- "examples": [
326
- 100
327
- ]
328
- }
329
- }
330
- },
331
- "code_flow_node": {
332
- "type": "object",
333
- "description": "A code flow node representing a part of a vulnerability flow from source to sink",
334
- "required": [
335
- "file_location",
336
- "node_type"
337
- ],
338
- "properties": {
339
- "type": {
340
- "const": "code_flow_node"
341
- },
342
- "file_location": {
343
- "$ref": "#/definitions/file_location"
344
- },
345
- "node_type": {
346
- "type": "string",
347
- "description": "Describes a code flow node type",
348
- "enum": [
349
- "source",
350
- "sink",
351
- "propagation"
352
- ]
353
- }
354
- },
355
- "examples": [
356
- {
357
- "type": "code_flow_node",
358
- "node_type": "propagation",
359
- "file_location": {
360
- "type": "file-location",
361
- "file_name": "file_name.py",
362
- "line_start": 4,
363
- "line_end": 6
364
- }
365
- }
366
- ]
367
- },
368
- "code_flows": {
369
- "type": "object",
370
- "description": "A code flow representing a vulnerability flow from source to sink",
371
- "required": [
372
- "items",
373
- "type"
374
- ],
375
- "properties": {
376
- "type": {
377
- "const": "code_flows"
378
- },
379
- "items": {
380
- "type": "array",
381
- "minItems": 1,
382
- "maxItems": 10,
383
- "items": {
384
- "type": "array",
385
- "minItems": 1,
386
- "items": {
387
- "$ref": "#/definitions/code_flow_node"
388
- }
389
- }
390
- }
391
- },
392
- "examples": [
393
- {
394
- "type": "code_flows",
395
- "items": [
396
- [
397
- {
398
- "type": "code_flow_node",
399
- "node_type": "source",
400
- "file_location": {
401
- "type": "file-location",
402
- "file_name": "file_name.py",
403
- "line_start": 1,
404
- "line_end": 2
405
- }
406
- },
407
- {
408
- "type": "code_flow_node",
409
- "node_type": "propagation",
410
- "file_location": {
411
- "type": "file-location",
412
- "file_name": "file_name.py",
413
- "line_start": 3
414
- }
415
- },
416
- {
417
- "type": "code_flow_node",
418
- "node_type": "sink",
419
- "file_location": {
420
- "type": "file-location",
421
- "file_name": "file_name.py",
422
- "line_start": 4,
423
- "line_end": 6
424
- }
425
- }
426
- ],
427
- [
428
- {
429
- "type": "code_flow_node",
430
- "node_type": "source",
431
- "file_location": {
432
- "type": "file-location",
433
- "file_name": "different_flow.py",
434
- "line_start": 100,
435
- "line_end": 102
436
- }
437
- },
438
- {
439
- "type": "code_flow_node",
440
- "node_type": "sink",
441
- "file_location": {
442
- "type": "file-location",
443
- "file_name": "file_name.py",
444
- "line_start": 4,
445
- "line_end": 6
446
- }
447
- }
448
- ]
449
- ]
450
- }
451
- ]
452
- }
453
- },
454
- "self": {
455
- "version": "15.1.2"
456
- },
457
- "type": "object",
458
- "required": [
459
- "scan",
460
- "version",
461
- "vulnerabilities"
462
- ],
463
- "additionalProperties": true,
464
- "properties": {
465
- "scan": {
466
- "type": "object",
467
- "required": [
468
- "analyzer",
469
- "end_time",
470
- "scanned_resources",
471
- "scanner",
472
- "start_time",
473
- "status",
474
- "type"
475
- ],
476
- "properties": {
477
- "end_time": {
478
- "type": "string",
479
- "description": "ISO8601 UTC value with format yyyy-mm-ddThh:mm:ss, representing when the scan finished.",
480
- "pattern": "^\\d{4}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}$",
481
- "examples": [
482
- "2020-01-28T03:26:02"
483
- ]
484
- },
485
- "messages": {
486
- "type": "array",
487
- "items": {
488
- "type": "object",
489
- "description": "Communication intended for the initiator of a scan.",
490
- "required": [
491
- "level",
492
- "value"
493
- ],
494
- "properties": {
495
- "level": {
496
- "type": "string",
497
- "description": "Describes the severity of the communication. Use info to communicate normal scan behaviour; warn to communicate a potentially recoverable problem, or a partial error; fatal to communicate an issue that causes the scan to halt.",
498
- "enum": [
499
- "info",
500
- "warn",
501
- "fatal"
502
- ],
503
- "examples": [
504
- "info"
505
- ]
506
- },
507
- "value": {
508
- "type": "string",
509
- "description": "The message to communicate.",
510
- "minLength": 1,
511
- "examples": [
512
- "Permission denied, scanning aborted"
513
- ]
514
- }
515
- }
516
- }
517
- },
518
- "options": {
519
- "type": "array",
520
- "items": {
521
- "type": "object",
522
- "description": "A configuration option used for this scan.",
523
- "required": [
524
- "name",
525
- "value"
526
- ],
527
- "properties": {
528
- "name": {
529
- "type": "string",
530
- "description": "The configuration option name.",
531
- "maxLength": 255,
532
- "minLength": 1,
533
- "examples": [
534
- "DAST_FF_ENABLE_BAS",
535
- "DOCKER_TLS_CERTDIR",
536
- "DS_MAX_DEPTH",
537
- "SECURE_LOG_LEVEL"
538
- ]
539
- },
540
- "source": {
541
- "type": "string",
542
- "description": "The source of this option.",
543
- "enum": [
544
- "argument",
545
- "file",
546
- "env_variable",
547
- "other"
548
- ]
549
- },
550
- "value": {
551
- "type": [
552
- "boolean",
553
- "integer",
554
- "null",
555
- "string"
556
- ],
557
- "description": "The value used for this scan.",
558
- "examples": [
559
- true,
560
- 2,
561
- null,
562
- "fatal",
563
- ""
564
- ]
565
- }
566
- }
567
- }
568
- },
569
- "analyzer": {
570
- "type": "object",
571
- "description": "Object defining the analyzer used to perform the scan. Analyzers typically delegate to an underlying scanner to run the scan.",
572
- "required": [
573
- "id",
574
- "name",
575
- "version",
576
- "vendor"
577
- ],
578
- "properties": {
579
- "id": {
580
- "type": "string",
581
- "description": "Unique id that identifies the analyzer.",
582
- "minLength": 1,
583
- "examples": [
584
- "gitlab-dast"
585
- ]
586
- },
587
- "name": {
588
- "type": "string",
589
- "description": "A human readable value that identifies the analyzer, not required to be unique.",
590
- "minLength": 1,
591
- "examples": [
592
- "GitLab DAST"
593
- ]
594
- },
595
- "url": {
596
- "type": "string",
597
- "pattern": "^https?://.+",
598
- "description": "A link to more information about the analyzer.",
599
- "examples": [
600
- "https://docs.gitlab.com/ee/user/application_security/dast"
601
- ]
602
- },
603
- "vendor": {
604
- "description": "The vendor/maintainer of the analyzer.",
605
- "type": "object",
606
- "required": [
607
- "name"
608
- ],
609
- "properties": {
610
- "name": {
611
- "type": "string",
612
- "description": "The name of the vendor.",
613
- "minLength": 1,
614
- "examples": [
615
- "GitLab"
616
- ]
617
- }
618
- }
619
- },
620
- "version": {
621
- "type": "string",
622
- "description": "The version of the analyzer.",
623
- "minLength": 1,
624
- "examples": [
625
- "1.0.2"
626
- ]
627
- }
628
- }
629
- },
630
- "scanner": {
631
- "type": "object",
632
- "description": "Object defining the scanner used to perform the scan.",
633
- "required": [
634
- "id",
635
- "name",
636
- "version",
637
- "vendor"
638
- ],
639
- "properties": {
640
- "id": {
641
- "type": "string",
642
- "description": "Unique id that identifies the scanner.",
643
- "minLength": 1,
644
- "examples": [
645
- "my-sast-scanner"
646
- ]
647
- },
648
- "name": {
649
- "type": "string",
650
- "description": "A human readable value that identifies the scanner, not required to be unique.",
651
- "minLength": 1,
652
- "examples": [
653
- "My SAST Scanner"
654
- ]
655
- },
656
- "url": {
657
- "type": "string",
658
- "description": "A link to more information about the scanner.",
659
- "examples": [
660
- "https://scanner.url"
661
- ]
662
- },
663
- "version": {
664
- "type": "string",
665
- "description": "The version of the scanner.",
666
- "minLength": 1,
667
- "examples": [
668
- "1.0.2"
669
- ]
670
- },
671
- "vendor": {
672
- "description": "The vendor/maintainer of the scanner.",
673
- "type": "object",
674
- "required": [
675
- "name"
676
- ],
677
- "properties": {
678
- "name": {
679
- "type": "string",
680
- "description": "The name of the vendor.",
681
- "minLength": 1,
682
- "examples": [
683
- "GitLab"
684
- ]
685
- }
686
- }
687
- }
688
- }
689
- },
690
- "start_time": {
691
- "type": "string",
692
- "description": "ISO8601 UTC value with format yyyy-mm-ddThh:mm:ss, representing when the scan started.",
693
- "pattern": "^\\d{4}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}$",
694
- "examples": [
695
- "2020-02-14T16:01:59"
696
- ]
697
- },
698
- "status": {
699
- "type": "string",
700
- "description": "Result of the scan.",
701
- "enum": [
702
- "success",
703
- "failure"
704
- ]
705
- },
706
- "type": {
707
- "type": "string",
708
- "description": "Type of the scan.",
709
- "enum": [
710
- "dast",
711
- "api_fuzzing"
712
- ]
713
- },
714
- "primary_identifiers": {
715
- "type": "array",
716
- "description": "An unordered array containing an exhaustive list of primary identifiers for which the analyzer may return results",
717
- "items": {
718
- "type": "object",
719
- "required": [
720
- "type",
721
- "name",
722
- "value"
723
- ],
724
- "properties": {
725
- "type": {
726
- "type": "string",
727
- "description": "for example, cve, cwe, osvdb, usn, or an analyzer-dependent type such as gemnasium).",
728
- "minLength": 1
729
- },
730
- "name": {
731
- "type": "string",
732
- "description": "Human-readable name of the identifier.",
733
- "minLength": 1
734
- },
735
- "url": {
736
- "type": "string",
737
- "description": "URL of the identifier's documentation.",
738
- "pattern": "^(https?|ftp)://.+"
739
- },
740
- "value": {
741
- "type": "string",
742
- "description": "Value of the identifier, for matching purpose.",
743
- "minLength": 1
744
- }
745
- }
746
- }
747
- },
748
- "scanned_resources": {
749
- "type": "array",
750
- "description": "The attack surface scanned by DAST.",
751
- "items": {
752
- "type": "object",
753
- "required": [
754
- "method",
755
- "url",
756
- "type"
757
- ],
758
- "properties": {
759
- "method": {
760
- "type": "string",
761
- "minLength": 1,
762
- "description": "HTTP method of the scanned resource.",
763
- "examples": [
764
- "GET",
765
- "POST",
766
- "HEAD"
767
- ]
768
- },
769
- "url": {
770
- "type": "string",
771
- "minLength": 1,
772
- "description": "URL of the scanned resource.",
773
- "examples": [
774
- "http://my.site.com/a-page"
775
- ]
776
- },
777
- "type": {
778
- "type": "string",
779
- "minLength": 1,
780
- "description": "Type of the scanned resource, for DAST, this must be 'url'.",
781
- "examples": [
782
- "url"
783
- ]
784
- }
785
- }
786
- }
787
- }
788
- }
789
- },
790
- "schema": {
791
- "type": "string",
792
- "description": "URI pointing to the validating security report schema.",
793
- "pattern": "^https?://.+"
794
- },
795
- "version": {
796
- "type": "string",
797
- "description": "The version of the schema to which the JSON report conforms.",
798
- "pattern": "^[0-9]+\\.[0-9]+\\.[0-9]+$"
799
- },
800
- "vulnerabilities": {
801
- "type": "array",
802
- "description": "Array of vulnerability objects.",
803
- "items": {
804
- "type": "object",
805
- "description": "Describes the vulnerability using GitLab Flavored Markdown",
806
- "required": [
807
- "id",
808
- "identifiers",
809
- "location"
810
- ],
811
- "properties": {
812
- "id": {
813
- "type": "string",
814
- "minLength": 1,
815
- "description": "Unique identifier of the vulnerability. This is recommended to be a UUID.",
816
- "examples": [
817
- "642735a5-1425-428d-8d4e-3c854885a3c9"
818
- ]
819
- },
820
- "name": {
821
- "type": "string",
822
- "maxLength": 255,
823
- "description": "The name of the vulnerability. This must not include the finding's specific information."
824
- },
825
- "description": {
826
- "type": "string",
827
- "maxLength": 1048576,
828
- "description": "A long text section describing the vulnerability more fully."
829
- },
830
- "severity": {
831
- "type": "string",
832
- "description": "How much the vulnerability impacts the software. Possible values are Info, Unknown, Low, Medium, High, or Critical. Note that some analyzers may not report all these possible values.",
833
- "enum": [
834
- "Info",
835
- "Unknown",
836
- "Low",
837
- "Medium",
838
- "High",
839
- "Critical"
840
- ]
841
- },
842
- "solution": {
843
- "type": "string",
844
- "maxLength": 7000,
845
- "description": "Explanation of how to fix the vulnerability."
846
- },
847
- "identifiers": {
848
- "type": "array",
849
- "minItems": 1,
850
- "description": "An ordered array of references that identify a vulnerability on internal or external databases. The first identifier is the Primary Identifier, which has special meaning.",
851
- "items": {
852
- "type": "object",
853
- "required": [
854
- "type",
855
- "name",
856
- "value"
857
- ],
858
- "properties": {
859
- "type": {
860
- "type": "string",
861
- "description": "for example, cve, cwe, osvdb, usn, or an analyzer-dependent type such as gemnasium).",
862
- "minLength": 1
863
- },
864
- "name": {
865
- "type": "string",
866
- "description": "Human-readable name of the identifier.",
867
- "minLength": 1
868
- },
869
- "url": {
870
- "type": "string",
871
- "description": "URL of the identifier's documentation.",
872
- "pattern": "^(https?|ftp)://.+"
873
- },
874
- "value": {
875
- "type": "string",
876
- "description": "Value of the identifier, for matching purpose.",
877
- "minLength": 1
878
- }
879
- }
880
- }
881
- },
882
- "cvss_vectors": {
883
- "type": "array",
884
- "minItems": 1,
885
- "maxItems": 10,
886
- "description": "An ordered array of CVSS vectors, each issued by a vendor to rate the vulnerability. The first item in the array is used as the primary CVSS vector, and is used to filter and sort the vulnerability.",
887
- "items": {
888
- "oneOf": [
889
- {
890
- "type": "object",
891
- "properties": {
892
- "vendor": {
893
- "type": "string",
894
- "minLength": 1,
895
- "default": "unknown"
896
- },
897
- "vector": {
898
- "type": "string",
899
- "minLength": 16,
900
- "maxLength": 128,
901
- "pattern": "^((AV:[NAL]|AC:[LMH]|Au:[MSN]|[CIA]:[NPC]|E:(U|POC|F|H|ND)|RL:(OF|TF|W|U|ND)|RC:(UC|UR|C|ND)|CDP:(N|L|LM|MH|H|ND)|TD:(N|L|M|H|ND)|[CIA]R:(L|M|H|ND))/)*(AV:[NAL]|AC:[LMH]|Au:[MSN]|[CIA]:[NPC]|E:(U|POC|F|H|ND)|RL:(OF|TF|W|U|ND)|RC:(UC|UR|C|ND)|CDP:(N|L|LM|MH|H|ND)|TD:(N|L|M|H|ND)|[CIA]R:(L|M|H|ND))$"
902
- }
903
- },
904
- "required": [
905
- "vendor",
906
- "vector"
907
- ]
908
- },
909
- {
910
- "type": "object",
911
- "properties": {
912
- "vendor": {
913
- "type": "string",
914
- "minLength": 1,
915
- "default": "unknown"
916
- },
917
- "vector": {
918
- "type": "string",
919
- "minLength": 32,
920
- "maxLength": 128,
921
- "pattern": "^CVSS:3[.][01]/((AV:[NALP]|AC:[LH]|PR:[NLH]|UI:[NR]|S:[UC]|[CIA]:[NLH]|E:[XUPFH]|RL:[XOTWU]|RC:[XURC]|[CIA]R:[XLMH]|MAV:[XNALP]|MAC:[XLH]|MPR:[XNLH]|MUI:[XNR]|MS:[XUC]|M[CIA]:[XNLH])/)*(AV:[NALP]|AC:[LH]|PR:[NLH]|UI:[NR]|S:[UC]|[CIA]:[NLH]|E:[XUPFH]|RL:[XOTWU]|RC:[XURC]|[CIA]R:[XLMH]|MAV:[XNALP]|MAC:[XLH]|MPR:[XNLH]|MUI:[XNR]|MS:[XUC]|M[CIA]:[XNLH])$"
922
- }
923
- },
924
- "required": [
925
- "vendor",
926
- "vector"
927
- ]
928
- }
929
- ]
930
- }
931
- },
932
- "links": {
933
- "type": "array",
934
- "description": "An array of references to external documentation or articles that describe the vulnerability.",
935
- "items": {
936
- "type": "object",
937
- "required": [
938
- "url"
939
- ],
940
- "properties": {
941
- "name": {
942
- "type": "string",
943
- "description": "Name of the vulnerability details link."
944
- },
945
- "url": {
946
- "type": "string",
947
- "description": "URL of the vulnerability details document.",
948
- "pattern": "^(https?|ftp)://.+"
949
- }
950
- }
951
- }
952
- },
953
- "details": {
954
- "$ref": "#/definitions/named_list/properties/items"
955
- },
956
- "tracking": {
957
- "type": "object",
958
- "description": "Describes how this vulnerability should be tracked as the project changes.",
959
- "oneOf": [
960
- {
961
- "description": "Declares that a series of items should be tracked using source-specific tracking methods.",
962
- "required": [
963
- "items"
964
- ],
965
- "properties": {
966
- "type": {
967
- "const": "source"
968
- },
969
- "items": {
970
- "type": "array",
971
- "items": {
972
- "description": "An item that should be tracked using source-specific tracking methods.",
973
- "type": "object",
974
- "required": [
975
- "signatures"
976
- ],
977
- "properties": {
978
- "file": {
979
- "type": "string",
980
- "description": "Path to the file where the vulnerability is located."
981
- },
982
- "start_line": {
983
- "type": "number",
984
- "description": "The first line of the file that includes the vulnerability."
985
- },
986
- "end_line": {
987
- "type": "number",
988
- "description": "The last line of the file that includes the vulnerability."
989
- },
990
- "signatures": {
991
- "type": "array",
992
- "description": "An array of calculated tracking signatures for this tracking item.",
993
- "minItems": 1,
994
- "items": {
995
- "description": "A calculated tracking signature value and metadata.",
996
- "type": "object",
997
- "required": [
998
- "algorithm",
999
- "value"
1000
- ],
1001
- "properties": {
1002
- "algorithm": {
1003
- "type": "string",
1004
- "description": "The algorithm used to generate the signature."
1005
- },
1006
- "value": {
1007
- "type": "string",
1008
- "description": "The result of this signature algorithm."
1009
- }
1010
- }
1011
- }
1012
- }
1013
- }
1014
- }
1015
- }
1016
- }
1017
- }
1018
- ],
1019
- "properties": {
1020
- "type": {
1021
- "type": "string",
1022
- "description": "Each tracking type must declare its own type."
1023
- }
1024
- }
1025
- },
1026
- "flags": {
1027
- "description": "Flags that can be attached to vulnerabilities.",
1028
- "type": "array",
1029
- "items": {
1030
- "type": "object",
1031
- "description": "Informational flags identified and assigned to a vulnerability.",
1032
- "required": [
1033
- "type",
1034
- "origin",
1035
- "description"
1036
- ],
1037
- "properties": {
1038
- "type": {
1039
- "type": "string",
1040
- "minLength": 1,
1041
- "description": "Result of the scan.",
1042
- "enum": [
1043
- "flagged-as-likely-false-positive"
1044
- ]
1045
- },
1046
- "origin": {
1047
- "minLength": 1,
1048
- "description": "Tool that issued the flag.",
1049
- "type": "string"
1050
- },
1051
- "description": {
1052
- "minLength": 1,
1053
- "description": "What the flag is about.",
1054
- "type": "string"
1055
- }
1056
- }
1057
- }
1058
- },
1059
- "evidence": {
1060
- "type": "object",
1061
- "properties": {
1062
- "source": {
1063
- "type": "object",
1064
- "description": "Source of evidence",
1065
- "required": [
1066
- "id",
1067
- "name"
1068
- ],
1069
- "properties": {
1070
- "id": {
1071
- "type": "string",
1072
- "minLength": 1,
1073
- "description": "Unique source identifier",
1074
- "examples": [
1075
- "assert:LogAnalysis",
1076
- "assert:StatusCode"
1077
- ]
1078
- },
1079
- "name": {
1080
- "type": "string",
1081
- "minLength": 1,
1082
- "description": "Source display name",
1083
- "examples": [
1084
- "Log Analysis",
1085
- "Status Code"
1086
- ]
1087
- },
1088
- "url": {
1089
- "type": "string",
1090
- "description": "Link to additional information",
1091
- "examples": [
1092
- "https://docs.gitlab.com/ee/development/integrations/secure.html"
1093
- ]
1094
- }
1095
- }
1096
- },
1097
- "summary": {
1098
- "type": "string",
1099
- "description": "Human readable string containing evidence of the vulnerability.",
1100
- "examples": [
1101
- "Credit card 4111111111111111 found",
1102
- "Server leaked information nginx/1.17.6"
1103
- ]
1104
- },
1105
- "request": {
1106
- "type": "object",
1107
- "description": "An HTTP request.",
1108
- "required": [
1109
- "headers",
1110
- "method",
1111
- "url"
1112
- ],
1113
- "properties": {
1114
- "headers": {
1115
- "type": "array",
1116
- "description": "HTTP headers present on the request.",
1117
- "items": {
1118
- "type": "object",
1119
- "required": [
1120
- "name",
1121
- "value"
1122
- ],
1123
- "properties": {
1124
- "name": {
1125
- "type": "string",
1126
- "minLength": 1,
1127
- "description": "Name of the HTTP header.",
1128
- "examples": [
1129
- "Accept",
1130
- "Content-Length",
1131
- "Content-Type"
1132
- ]
1133
- },
1134
- "value": {
1135
- "type": "string",
1136
- "description": "Value of the HTTP header.",
1137
- "examples": [
1138
- "*/*",
1139
- "560",
1140
- "application/json; charset=utf-8"
1141
- ]
1142
- }
1143
- }
1144
- }
1145
- },
1146
- "method": {
1147
- "type": "string",
1148
- "minLength": 1,
1149
- "description": "HTTP method used in the request.",
1150
- "examples": [
1151
- "GET",
1152
- "POST"
1153
- ]
1154
- },
1155
- "url": {
1156
- "type": "string",
1157
- "minLength": 1,
1158
- "description": "URL of the request.",
1159
- "examples": [
1160
- "http://my.site.com/vulnerable-endpoint?show-credit-card"
1161
- ]
1162
- },
1163
- "body": {
1164
- "type": "string",
1165
- "description": "Body of the request for display purposes. Body must be suitable for display (not binary), and truncated to a reasonable size.",
1166
- "examples": [
1167
- "user=jsmith&first=%27&last=smith"
1168
- ]
1169
- }
1170
- }
1171
- },
1172
- "response": {
1173
- "type": "object",
1174
- "description": "An HTTP response.",
1175
- "required": [
1176
- "headers",
1177
- "reason_phrase",
1178
- "status_code"
1179
- ],
1180
- "properties": {
1181
- "headers": {
1182
- "type": "array",
1183
- "description": "HTTP headers present on the request.",
1184
- "items": {
1185
- "type": "object",
1186
- "required": [
1187
- "name",
1188
- "value"
1189
- ],
1190
- "properties": {
1191
- "name": {
1192
- "type": "string",
1193
- "minLength": 1,
1194
- "description": "Name of the HTTP header.",
1195
- "examples": [
1196
- "Accept",
1197
- "Content-Length",
1198
- "Content-Type"
1199
- ]
1200
- },
1201
- "value": {
1202
- "type": "string",
1203
- "description": "Value of the HTTP header.",
1204
- "examples": [
1205
- "*/*",
1206
- "560",
1207
- "application/json; charset=utf-8"
1208
- ]
1209
- }
1210
- }
1211
- }
1212
- },
1213
- "reason_phrase": {
1214
- "type": "string",
1215
- "description": "HTTP reason phrase of the response.",
1216
- "examples": [
1217
- "OK",
1218
- "Internal Server Error"
1219
- ]
1220
- },
1221
- "status_code": {
1222
- "type": "integer",
1223
- "description": "HTTP status code of the response.",
1224
- "examples": [
1225
- 200,
1226
- 500
1227
- ]
1228
- },
1229
- "body": {
1230
- "type": "string",
1231
- "description": "Body of the response for display purposes. Body must be suitable for display (not binary), and truncated to a reasonable size.",
1232
- "examples": [
1233
- "{\"user_id\": 2}"
1234
- ]
1235
- }
1236
- }
1237
- },
1238
- "supporting_messages": {
1239
- "type": "array",
1240
- "description": "Array of supporting http messages.",
1241
- "items": {
1242
- "type": "object",
1243
- "description": "A supporting http message.",
1244
- "required": [
1245
- "name"
1246
- ],
1247
- "properties": {
1248
- "name": {
1249
- "type": "string",
1250
- "minLength": 1,
1251
- "description": "Message display name.",
1252
- "examples": [
1253
- "Unmodified",
1254
- "Recorded"
1255
- ]
1256
- },
1257
- "request": {
1258
- "type": "object",
1259
- "description": "An HTTP request.",
1260
- "required": [
1261
- "headers",
1262
- "method",
1263
- "url"
1264
- ],
1265
- "properties": {
1266
- "headers": {
1267
- "type": "array",
1268
- "description": "HTTP headers present on the request.",
1269
- "items": {
1270
- "type": "object",
1271
- "required": [
1272
- "name",
1273
- "value"
1274
- ],
1275
- "properties": {
1276
- "name": {
1277
- "type": "string",
1278
- "minLength": 1,
1279
- "description": "Name of the HTTP header.",
1280
- "examples": [
1281
- "Accept",
1282
- "Content-Length",
1283
- "Content-Type"
1284
- ]
1285
- },
1286
- "value": {
1287
- "type": "string",
1288
- "description": "Value of the HTTP header.",
1289
- "examples": [
1290
- "*/*",
1291
- "560",
1292
- "application/json; charset=utf-8"
1293
- ]
1294
- }
1295
- }
1296
- }
1297
- },
1298
- "method": {
1299
- "type": "string",
1300
- "minLength": 1,
1301
- "description": "HTTP method used in the request.",
1302
- "examples": [
1303
- "GET",
1304
- "POST"
1305
- ]
1306
- },
1307
- "url": {
1308
- "type": "string",
1309
- "minLength": 1,
1310
- "description": "URL of the request.",
1311
- "examples": [
1312
- "http://my.site.com/vulnerable-endpoint?show-credit-card"
1313
- ]
1314
- },
1315
- "body": {
1316
- "type": "string",
1317
- "description": "Body of the request for display purposes. Body must be suitable for display (not binary), and truncated to a reasonable size.",
1318
- "examples": [
1319
- "user=jsmith&first=%27&last=smith"
1320
- ]
1321
- }
1322
- }
1323
- },
1324
- "response": {
1325
- "type": "object",
1326
- "description": "An HTTP response.",
1327
- "required": [
1328
- "headers",
1329
- "reason_phrase",
1330
- "status_code"
1331
- ],
1332
- "properties": {
1333
- "headers": {
1334
- "type": "array",
1335
- "description": "HTTP headers present on the request.",
1336
- "items": {
1337
- "type": "object",
1338
- "required": [
1339
- "name",
1340
- "value"
1341
- ],
1342
- "properties": {
1343
- "name": {
1344
- "type": "string",
1345
- "minLength": 1,
1346
- "description": "Name of the HTTP header.",
1347
- "examples": [
1348
- "Accept",
1349
- "Content-Length",
1350
- "Content-Type"
1351
- ]
1352
- },
1353
- "value": {
1354
- "type": "string",
1355
- "description": "Value of the HTTP header.",
1356
- "examples": [
1357
- "*/*",
1358
- "560",
1359
- "application/json; charset=utf-8"
1360
- ]
1361
- }
1362
- }
1363
- }
1364
- },
1365
- "reason_phrase": {
1366
- "type": "string",
1367
- "description": "HTTP reason phrase of the response.",
1368
- "examples": [
1369
- "OK",
1370
- "Internal Server Error"
1371
- ]
1372
- },
1373
- "status_code": {
1374
- "type": "integer",
1375
- "description": "HTTP status code of the response.",
1376
- "examples": [
1377
- 200,
1378
- 500
1379
- ]
1380
- },
1381
- "body": {
1382
- "type": "string",
1383
- "description": "Body of the response for display purposes. Body must be suitable for display (not binary), and truncated to a reasonable size.",
1384
- "examples": [
1385
- "{\"user_id\": 2}"
1386
- ]
1387
- }
1388
- }
1389
- }
1390
- }
1391
- }
1392
- }
1393
- }
1394
- },
1395
- "location": {
1396
- "type": "object",
1397
- "description": "Identifies the vulnerability's location.",
1398
- "properties": {
1399
- "hostname": {
1400
- "type": "string",
1401
- "description": "The protocol, domain, and port of the application where the vulnerability was found."
1402
- },
1403
- "method": {
1404
- "type": "string",
1405
- "description": "The HTTP method that was used to request the URL where the vulnerability was found."
1406
- },
1407
- "param": {
1408
- "type": "string",
1409
- "description": "A value provided by a vulnerability rule related to the found vulnerability. Examples include a header value, or a parameter used in a HTTP POST."
1410
- },
1411
- "path": {
1412
- "type": "string",
1413
- "description": "The path of the URL where the vulnerability was found. Typically, this would start with a forward slash."
1414
- }
1415
- }
1416
- },
1417
- "assets": {
1418
- "type": "array",
1419
- "description": "Array of build assets associated with vulnerability.",
1420
- "items": {
1421
- "type": "object",
1422
- "description": "Describes an asset associated with vulnerability.",
1423
- "required": [
1424
- "type",
1425
- "name",
1426
- "url"
1427
- ],
1428
- "properties": {
1429
- "type": {
1430
- "type": "string",
1431
- "description": "The type of asset",
1432
- "enum": [
1433
- "http_session",
1434
- "postman"
1435
- ]
1436
- },
1437
- "name": {
1438
- "type": "string",
1439
- "minLength": 1,
1440
- "description": "Display name for asset",
1441
- "examples": [
1442
- "HTTP Messages",
1443
- "Postman Collection"
1444
- ]
1445
- },
1446
- "url": {
1447
- "type": "string",
1448
- "minLength": 1,
1449
- "description": "Link to asset in build artifacts",
1450
- "examples": [
1451
- "https://gitlab.com/gitlab-org/security-products/dast/-/jobs/626397001/artifacts/file//output/zap_session.data"
1452
- ]
1453
- }
1454
- }
1455
- }
1456
- }
1457
- }
1458
- }
1459
- },
1460
- "remediations": {
1461
- "type": "array",
1462
- "description": "An array of objects containing information on available remediations, along with patch diffs to apply.",
1463
- "items": {
1464
- "type": "object",
1465
- "required": [
1466
- "fixes",
1467
- "summary",
1468
- "diff"
1469
- ],
1470
- "properties": {
1471
- "fixes": {
1472
- "type": "array",
1473
- "description": "An array of strings that represent references to vulnerabilities fixed by this remediation.",
1474
- "items": {
1475
- "type": "object",
1476
- "required": [
1477
- "id"
1478
- ],
1479
- "properties": {
1480
- "id": {
1481
- "type": "string",
1482
- "minLength": 1,
1483
- "description": "Unique identifier of the vulnerability. This is recommended to be a UUID.",
1484
- "examples": [
1485
- "642735a5-1425-428d-8d4e-3c854885a3c9"
1486
- ]
1487
- }
1488
- }
1489
- }
1490
- },
1491
- "summary": {
1492
- "type": "string",
1493
- "minLength": 1,
1494
- "description": "An overview of how the vulnerabilities were fixed."
1495
- },
1496
- "diff": {
1497
- "type": "string",
1498
- "minLength": 1,
1499
- "description": "A base64-encoded remediation code diff, compatible with git apply."
1500
- }
1501
- }
1502
- }
1503
- }
1504
- }
1505
- }