gitlab-security_report_schemas 0.1.0.min15.1.0.max15.1.0 → 0.1.1.min15.0.0.max15.1.4

Files changed (89)
  1. checksums.yaml +4 -4
  2. data/Gemfile.lock +6 -9
  3. data/README.md +14 -10
  4. data/RUNBOOK.md +28 -0
  5. data/Rakefile +1 -1
  6. data/gem_version +1 -1
  7. data/gitlab-security_report_schemas.gemspec +1 -1
  8. data/lib/gitlab/security_report_schemas/configuration.rb +2 -2
  9. data/lib/gitlab/security_report_schemas/version.rb +1 -3
  10. data/schemas/15.0.0/cluster-image-scanning-report-format.json +946 -0
  11. data/schemas/15.0.0/container-scanning-report-format.json +880 -0
  12. data/schemas/15.0.0/coverage-fuzzing-report-format.json +836 -0
  13. data/schemas/15.0.0/dast-report-format.json +1241 -0
  14. data/schemas/15.0.0/dependency-scanning-report-format.json +944 -0
  15. data/schemas/15.0.0/sast-report-format.json +831 -0
  16. data/schemas/15.0.0/secret-detection-report-format.json +854 -0
  17. data/schemas/15.0.1/cluster-image-scanning-report-format.json +980 -0
  18. data/schemas/15.0.1/container-scanning-report-format.json +914 -0
  19. data/schemas/15.0.1/coverage-fuzzing-report-format.json +870 -0
  20. data/schemas/15.0.1/dast-report-format.json +1275 -0
  21. data/schemas/15.0.1/dependency-scanning-report-format.json +978 -0
  22. data/schemas/15.0.1/sast-report-format.json +865 -0
  23. data/schemas/15.0.1/secret-detection-report-format.json +888 -0
  24. data/schemas/15.0.2/cluster-image-scanning-report-format.json +980 -0
  25. data/schemas/15.0.2/container-scanning-report-format.json +912 -0
  26. data/schemas/15.0.2/coverage-fuzzing-report-format.json +870 -0
  27. data/schemas/15.0.2/dast-report-format.json +1275 -0
  28. data/schemas/15.0.2/dependency-scanning-report-format.json +978 -0
  29. data/schemas/15.0.2/sast-report-format.json +865 -0
  30. data/schemas/15.0.2/secret-detection-report-format.json +888 -0
  31. data/schemas/15.0.4/cluster-image-scanning-report-format.json +984 -0
  32. data/schemas/15.0.4/container-scanning-report-format.json +916 -0
  33. data/schemas/15.0.4/coverage-fuzzing-report-format.json +874 -0
  34. data/schemas/15.0.4/dast-report-format.json +1279 -0
  35. data/schemas/15.0.4/dependency-scanning-report-format.json +982 -0
  36. data/schemas/15.0.4/sast-report-format.json +869 -0
  37. data/schemas/15.0.4/secret-detection-report-format.json +893 -0
  38. data/schemas/15.0.5/cluster-image-scanning-report-format.json +1035 -0
  39. data/schemas/15.0.5/container-scanning-report-format.json +967 -0
  40. data/schemas/15.0.5/coverage-fuzzing-report-format.json +925 -0
  41. data/schemas/15.0.5/dast-report-format.json +1330 -0
  42. data/schemas/15.0.5/dependency-scanning-report-format.json +1033 -0
  43. data/schemas/15.0.5/sast-report-format.json +920 -0
  44. data/schemas/15.0.5/secret-detection-report-format.json +944 -0
  45. data/schemas/15.0.6/cluster-image-scanning-report-format.json +1035 -0
  46. data/schemas/15.0.6/container-scanning-report-format.json +967 -0
  47. data/schemas/15.0.6/coverage-fuzzing-report-format.json +925 -0
  48. data/schemas/15.0.6/dast-report-format.json +1330 -0
  49. data/schemas/15.0.6/dependency-scanning-report-format.json +1033 -0
  50. data/schemas/15.0.6/sast-report-format.json +920 -0
  51. data/schemas/15.0.6/secret-detection-report-format.json +944 -0
  52. data/schemas/15.0.7/cluster-image-scanning-report-format.json +1085 -0
  53. data/schemas/15.0.7/container-scanning-report-format.json +1017 -0
  54. data/schemas/15.0.7/coverage-fuzzing-report-format.json +975 -0
  55. data/schemas/15.0.7/dast-report-format.json +1380 -0
  56. data/schemas/15.0.7/dependency-scanning-report-format.json +1083 -0
  57. data/schemas/15.0.7/sast-report-format.json +970 -0
  58. data/schemas/15.0.7/secret-detection-report-format.json +994 -0
  59. data/schemas/15.1.1/cluster-image-scanning-report-format.json +1065 -0
  60. data/schemas/15.1.1/container-scanning-for-registry-report-format.json +0 -0
  61. data/schemas/15.1.1/container-scanning-report-format.json +998 -0
  62. data/schemas/15.1.1/coverage-fuzzing-report-format.json +975 -0
  63. data/schemas/15.1.1/dast-report-format.json +1380 -0
  64. data/schemas/15.1.1/dependency-scanning-report-format.json +986 -0
  65. data/schemas/15.1.1/sast-report-format.json +970 -0
  66. data/schemas/15.1.1/secret-detection-report-format.json +994 -0
  67. data/schemas/15.1.2/cluster-image-scanning-report-format.json +1190 -0
  68. data/schemas/15.1.2/container-scanning-report-format.json +1123 -0
  69. data/schemas/15.1.2/coverage-fuzzing-report-format.json +1100 -0
  70. data/schemas/15.1.2/dast-report-format.json +1505 -0
  71. data/schemas/15.1.2/dependency-scanning-report-format.json +1111 -0
  72. data/schemas/15.1.2/sast-report-format.json +1095 -0
  73. data/schemas/15.1.2/secret-detection-report-format.json +1119 -0
  74. data/schemas/15.1.3/cluster-image-scanning-report-format.json +1190 -0
  75. data/schemas/15.1.3/container-scanning-report-format.json +1123 -0
  76. data/schemas/15.1.3/coverage-fuzzing-report-format.json +1100 -0
  77. data/schemas/15.1.3/dast-report-format.json +1505 -0
  78. data/schemas/15.1.3/dependency-scanning-report-format.json +1111 -0
  79. data/schemas/15.1.3/sast-report-format.json +1095 -0
  80. data/schemas/15.1.3/secret-detection-report-format.json +1119 -0
  81. data/schemas/15.1.4/cluster-image-scanning-report-format.json +1190 -0
  82. data/schemas/15.1.4/container-scanning-report-format.json +1123 -0
  83. data/schemas/15.1.4/coverage-fuzzing-report-format.json +1100 -0
  84. data/schemas/15.1.4/dast-report-format.json +1505 -0
  85. data/schemas/15.1.4/dependency-scanning-report-format.json +1111 -0
  86. data/schemas/15.1.4/sast-report-format.json +1095 -0
  87. data/schemas/15.1.4/secret-detection-report-format.json +1119 -0
  88. data/supported_versions +11 -0
  89. metadata +83 -4
@@ -0,0 +1,1275 @@
1
+ {
2
+ "$schema": "http://json-schema.org/draft-07/schema#",
3
+ "$id": "https://gitlab.com/gitlab-org/security-products/security-report-schemas/-/raw/master/dist/dast-report-format.json",
4
+ "title": "Report format for GitLab DAST",
5
+ "description": "This schema provides the the report format for Dynamic Application Security Testing (https://docs.gitlab.com/ee/user/application_security/dast).",
6
+ "definitions": {
7
+ "detail_type": {
8
+ "oneOf": [
9
+ {
10
+ "$ref": "#/definitions/named_list"
11
+ },
12
+ {
13
+ "$ref": "#/definitions/list"
14
+ },
15
+ {
16
+ "$ref": "#/definitions/table"
17
+ },
18
+ {
19
+ "$ref": "#/definitions/text"
20
+ },
21
+ {
22
+ "$ref": "#/definitions/url"
23
+ },
24
+ {
25
+ "$ref": "#/definitions/code"
26
+ },
27
+ {
28
+ "$ref": "#/definitions/value"
29
+ },
30
+ {
31
+ "$ref": "#/definitions/diff"
32
+ },
33
+ {
34
+ "$ref": "#/definitions/markdown"
35
+ },
36
+ {
37
+ "$ref": "#/definitions/commit"
38
+ },
39
+ {
40
+ "$ref": "#/definitions/file_location"
41
+ },
42
+ {
43
+ "$ref": "#/definitions/module_location"
44
+ }
45
+ ]
46
+ },
47
+ "text_value": {
48
+ "type": "string"
49
+ },
50
+ "named_field": {
51
+ "type": "object",
52
+ "required": [
53
+ "name"
54
+ ],
55
+ "properties": {
56
+ "name": {
57
+ "$ref": "#/definitions/text_value",
58
+ "minLength": 1
59
+ },
60
+ "description": {
61
+ "$ref": "#/definitions/text_value"
62
+ }
63
+ }
64
+ },
65
+ "named_list": {
66
+ "type": "object",
67
+ "description": "An object with named and typed fields",
68
+ "required": [
69
+ "type",
70
+ "items"
71
+ ],
72
+ "properties": {
73
+ "type": {
74
+ "const": "named-list"
75
+ },
76
+ "items": {
77
+ "type": "object",
78
+ "patternProperties": {
79
+ "^.*$": {
80
+ "allOf": [
81
+ {
82
+ "$ref": "#/definitions/named_field"
83
+ },
84
+ {
85
+ "$ref": "#/definitions/detail_type"
86
+ }
87
+ ]
88
+ }
89
+ }
90
+ }
91
+ }
92
+ },
93
+ "list": {
94
+ "type": "object",
95
+ "description": "A list of typed fields",
96
+ "required": [
97
+ "type",
98
+ "items"
99
+ ],
100
+ "properties": {
101
+ "type": {
102
+ "const": "list"
103
+ },
104
+ "items": {
105
+ "type": "array",
106
+ "items": {
107
+ "$ref": "#/definitions/detail_type"
108
+ }
109
+ }
110
+ }
111
+ },
112
+ "table": {
113
+ "type": "object",
114
+ "description": "A table of typed fields",
115
+ "required": [
116
+ "type",
117
+ "rows"
118
+ ],
119
+ "properties": {
120
+ "type": {
121
+ "const": "table"
122
+ },
123
+ "header": {
124
+ "type": "array",
125
+ "items": {
126
+ "$ref": "#/definitions/detail_type"
127
+ }
128
+ },
129
+ "rows": {
130
+ "type": "array",
131
+ "items": {
132
+ "type": "array",
133
+ "items": {
134
+ "$ref": "#/definitions/detail_type"
135
+ }
136
+ }
137
+ }
138
+ }
139
+ },
140
+ "text": {
141
+ "type": "object",
142
+ "description": "Raw text",
143
+ "required": [
144
+ "type",
145
+ "value"
146
+ ],
147
+ "properties": {
148
+ "type": {
149
+ "const": "text"
150
+ },
151
+ "value": {
152
+ "$ref": "#/definitions/text_value"
153
+ }
154
+ }
155
+ },
156
+ "url": {
157
+ "type": "object",
158
+ "description": "A single URL",
159
+ "required": [
160
+ "type",
161
+ "href"
162
+ ],
163
+ "properties": {
164
+ "type": {
165
+ "const": "url"
166
+ },
167
+ "text": {
168
+ "$ref": "#/definitions/text_value"
169
+ },
170
+ "href": {
171
+ "type": "string",
172
+ "minLength": 1,
173
+ "examples": [
174
+ "http://mysite.com"
175
+ ]
176
+ }
177
+ }
178
+ },
179
+ "code": {
180
+ "type": "object",
181
+ "description": "A codeblock",
182
+ "required": [
183
+ "type",
184
+ "value"
185
+ ],
186
+ "properties": {
187
+ "type": {
188
+ "const": "code"
189
+ },
190
+ "value": {
191
+ "type": "string"
192
+ },
193
+ "lang": {
194
+ "type": "string",
195
+ "description": "A programming language"
196
+ }
197
+ }
198
+ },
199
+ "value": {
200
+ "type": "object",
201
+ "description": "A field that can store a range of types of value",
202
+ "required": [
203
+ "type",
204
+ "value"
205
+ ],
206
+ "properties": {
207
+ "type": {
208
+ "const": "value"
209
+ },
210
+ "value": {
211
+ "type": [
212
+ "number",
213
+ "string",
214
+ "boolean"
215
+ ]
216
+ }
217
+ }
218
+ },
219
+ "diff": {
220
+ "type": "object",
221
+ "description": "A diff",
222
+ "required": [
223
+ "type",
224
+ "before",
225
+ "after"
226
+ ],
227
+ "properties": {
228
+ "type": {
229
+ "const": "diff"
230
+ },
231
+ "before": {
232
+ "type": "string"
233
+ },
234
+ "after": {
235
+ "type": "string"
236
+ }
237
+ }
238
+ },
239
+ "markdown": {
240
+ "type": "object",
241
+ "description": "GitLab flavoured markdown, see https://docs.gitlab.com/ee/user/markdown.html",
242
+ "required": [
243
+ "type",
244
+ "value"
245
+ ],
246
+ "properties": {
247
+ "type": {
248
+ "const": "markdown"
249
+ },
250
+ "value": {
251
+ "$ref": "#/definitions/text_value",
252
+ "examples": [
253
+ "Here is markdown `inline code` #1 [test](gitlab.com)\n\n![GitLab Logo](https://about.gitlab.com/images/press/logo/preview/gitlab-logo-white-preview.png)"
254
+ ]
255
+ }
256
+ }
257
+ },
258
+ "commit": {
259
+ "type": "object",
260
+ "description": "A commit/tag/branch within the GitLab project",
261
+ "required": [
262
+ "type",
263
+ "value"
264
+ ],
265
+ "properties": {
266
+ "type": {
267
+ "const": "commit"
268
+ },
269
+ "value": {
270
+ "type": "string",
271
+ "description": "The commit SHA",
272
+ "minLength": 1
273
+ }
274
+ }
275
+ },
276
+ "file_location": {
277
+ "type": "object",
278
+ "description": "A location within a file in the project",
279
+ "required": [
280
+ "type",
281
+ "file_name",
282
+ "line_start"
283
+ ],
284
+ "properties": {
285
+ "type": {
286
+ "const": "file-location"
287
+ },
288
+ "file_name": {
289
+ "type": "string",
290
+ "minLength": 1
291
+ },
292
+ "line_start": {
293
+ "type": "integer"
294
+ },
295
+ "line_end": {
296
+ "type": "integer"
297
+ }
298
+ }
299
+ },
300
+ "module_location": {
301
+ "type": "object",
302
+ "description": "A location within a binary module of the form module+relative_offset",
303
+ "required": [
304
+ "type",
305
+ "module_name",
306
+ "offset"
307
+ ],
308
+ "properties": {
309
+ "type": {
310
+ "const": "module-location"
311
+ },
312
+ "module_name": {
313
+ "type": "string",
314
+ "minLength": 1,
315
+ "examples": [
316
+ "compiled_binary"
317
+ ]
318
+ },
319
+ "offset": {
320
+ "type": "integer",
321
+ "examples": [
322
+ 100
323
+ ]
324
+ }
325
+ }
326
+ }
327
+ },
328
+ "self": {
329
+ "version": "15.0.1"
330
+ },
331
+ "required": [
332
+ "scan",
333
+ "version",
334
+ "vulnerabilities"
335
+ ],
336
+ "additionalProperties": true,
337
+ "properties": {
338
+ "scan": {
339
+ "type": "object",
340
+ "required": [
341
+ "analyzer",
342
+ "end_time",
343
+ "scanned_resources",
344
+ "scanner",
345
+ "start_time",
346
+ "status",
347
+ "type"
348
+ ],
349
+ "properties": {
350
+ "end_time": {
351
+ "type": "string",
352
+ "description": "ISO8601 UTC value with format yyyy-mm-ddThh:mm:ss, representing when the scan finished.",
353
+ "pattern": "^\\d{4}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}$",
354
+ "examples": [
355
+ "2020-01-28T03:26:02"
356
+ ]
357
+ },
358
+ "messages": {
359
+ "type": "array",
360
+ "items": {
361
+ "type": "object",
362
+ "description": "Communication intended for the initiator of a scan.",
363
+ "required": [
364
+ "level",
365
+ "value"
366
+ ],
367
+ "properties": {
368
+ "level": {
369
+ "type": "string",
370
+ "description": "Describes the severity of the communication. Use info to communicate normal scan behaviour; warn to communicate a potentially recoverable problem, or a partial error; fatal to communicate an issue that causes the scan to halt.",
371
+ "enum": [
372
+ "info",
373
+ "warn",
374
+ "fatal"
375
+ ],
376
+ "examples": [
377
+ "info"
378
+ ]
379
+ },
380
+ "value": {
381
+ "type": "string",
382
+ "description": "The message to communicate.",
383
+ "minLength": 1,
384
+ "examples": [
385
+ "Permission denied, scanning aborted"
386
+ ]
387
+ }
388
+ }
389
+ }
390
+ },
391
+ "analyzer": {
392
+ "type": "object",
393
+ "description": "Object defining the analyzer used to perform the scan. Analyzers typically delegate to an underlying scanner to run the scan.",
394
+ "required": [
395
+ "id",
396
+ "name",
397
+ "version",
398
+ "vendor"
399
+ ],
400
+ "properties": {
401
+ "id": {
402
+ "type": "string",
403
+ "description": "Unique id that identifies the analyzer.",
404
+ "minLength": 1,
405
+ "examples": [
406
+ "gitlab-dast"
407
+ ]
408
+ },
409
+ "name": {
410
+ "type": "string",
411
+ "description": "A human readable value that identifies the analyzer, not required to be unique.",
412
+ "minLength": 1,
413
+ "examples": [
414
+ "GitLab DAST"
415
+ ]
416
+ },
417
+ "url": {
418
+ "type": "string",
419
+ "pattern": "^https?://.+",
420
+ "description": "A link to more information about the analyzer.",
421
+ "examples": [
422
+ "https://docs.gitlab.com/ee/user/application_security/dast"
423
+ ]
424
+ },
425
+ "vendor": {
426
+ "description": "The vendor/maintainer of the analyzer.",
427
+ "type": "object",
428
+ "required": [
429
+ "name"
430
+ ],
431
+ "properties": {
432
+ "name": {
433
+ "type": "string",
434
+ "description": "The name of the vendor.",
435
+ "minLength": 1,
436
+ "examples": [
437
+ "GitLab"
438
+ ]
439
+ }
440
+ }
441
+ },
442
+ "version": {
443
+ "type": "string",
444
+ "description": "The version of the analyzer.",
445
+ "minLength": 1,
446
+ "examples": [
447
+ "1.0.2"
448
+ ]
449
+ }
450
+ }
451
+ },
452
+ "scanner": {
453
+ "type": "object",
454
+ "description": "Object defining the scanner used to perform the scan.",
455
+ "required": [
456
+ "id",
457
+ "name",
458
+ "version",
459
+ "vendor"
460
+ ],
461
+ "properties": {
462
+ "id": {
463
+ "type": "string",
464
+ "description": "Unique id that identifies the scanner.",
465
+ "minLength": 1,
466
+ "examples": [
467
+ "my-sast-scanner"
468
+ ]
469
+ },
470
+ "name": {
471
+ "type": "string",
472
+ "description": "A human readable value that identifies the scanner, not required to be unique.",
473
+ "minLength": 1,
474
+ "examples": [
475
+ "My SAST Scanner"
476
+ ]
477
+ },
478
+ "url": {
479
+ "type": "string",
480
+ "description": "A link to more information about the scanner.",
481
+ "examples": [
482
+ "https://scanner.url"
483
+ ]
484
+ },
485
+ "version": {
486
+ "type": "string",
487
+ "description": "The version of the scanner.",
488
+ "minLength": 1,
489
+ "examples": [
490
+ "1.0.2"
491
+ ]
492
+ },
493
+ "vendor": {
494
+ "description": "The vendor/maintainer of the scanner.",
495
+ "type": "object",
496
+ "required": [
497
+ "name"
498
+ ],
499
+ "properties": {
500
+ "name": {
501
+ "type": "string",
502
+ "description": "The name of the vendor.",
503
+ "minLength": 1,
504
+ "examples": [
505
+ "GitLab"
506
+ ]
507
+ }
508
+ }
509
+ }
510
+ }
511
+ },
512
+ "start_time": {
513
+ "type": "string",
514
+ "description": "ISO8601 UTC value with format yyyy-mm-ddThh:mm:ss, representing when the scan started.",
515
+ "pattern": "^\\d{4}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}$",
516
+ "examples": [
517
+ "2020-02-14T16:01:59"
518
+ ]
519
+ },
520
+ "status": {
521
+ "type": "string",
522
+ "description": "Result of the scan.",
523
+ "enum": [
524
+ "success",
525
+ "failure"
526
+ ]
527
+ },
528
+ "type": {
529
+ "type": "string",
530
+ "description": "Type of the scan.",
531
+ "enum": [
532
+ "dast",
533
+ "api_fuzzing"
534
+ ]
535
+ },
536
+ "primary_identifiers": {
537
+ "type": "array",
538
+ "description": "An array containing an exhaustive list of primary identifiers for which the analyzer may return results",
539
+ "items": {
540
+ "type": "object",
541
+ "required": [
542
+ "type",
543
+ "name",
544
+ "value"
545
+ ],
546
+ "properties": {
547
+ "type": {
548
+ "type": "string",
549
+ "description": "for example, cve, cwe, osvdb, usn, or an analyzer-dependent type such as gemnasium).",
550
+ "minLength": 1
551
+ },
552
+ "name": {
553
+ "type": "string",
554
+ "description": "Human-readable name of the identifier.",
555
+ "minLength": 1
556
+ },
557
+ "url": {
558
+ "type": "string",
559
+ "description": "URL of the identifier's documentation.",
560
+ "pattern": "^https?://.+"
561
+ },
562
+ "value": {
563
+ "type": "string",
564
+ "description": "Value of the identifier, for matching purpose.",
565
+ "minLength": 1
566
+ }
567
+ }
568
+ }
569
+ },
570
+ "scanned_resources": {
571
+ "type": "array",
572
+ "description": "The attack surface scanned by DAST.",
573
+ "items": {
574
+ "type": "object",
575
+ "required": [
576
+ "method",
577
+ "url",
578
+ "type"
579
+ ],
580
+ "properties": {
581
+ "method": {
582
+ "type": "string",
583
+ "minLength": 1,
584
+ "description": "HTTP method of the scanned resource.",
585
+ "examples": [
586
+ "GET",
587
+ "POST",
588
+ "HEAD"
589
+ ]
590
+ },
591
+ "url": {
592
+ "type": "string",
593
+ "minLength": 1,
594
+ "description": "URL of the scanned resource.",
595
+ "examples": [
596
+ "http://my.site.com/a-page"
597
+ ]
598
+ },
599
+ "type": {
600
+ "type": "string",
601
+ "minLength": 1,
602
+ "description": "Type of the scanned resource, for DAST, this must be 'url'.",
603
+ "examples": [
604
+ "url"
605
+ ]
606
+ }
607
+ }
608
+ }
609
+ }
610
+ }
611
+ },
612
+ "schema": {
613
+ "type": "string",
614
+ "description": "URI pointing to the validating security report schema.",
615
+ "pattern": "^https?://.+"
616
+ },
617
+ "version": {
618
+ "type": "string",
619
+ "description": "The version of the schema to which the JSON report conforms.",
620
+ "pattern": "^[0-9]+\\.[0-9]+\\.[0-9]+$"
621
+ },
622
+ "vulnerabilities": {
623
+ "type": "array",
624
+ "description": "Array of vulnerability objects.",
625
+ "items": {
626
+ "type": "object",
627
+ "description": "Describes the vulnerability using GitLab Flavored Markdown",
628
+ "required": [
629
+ "id",
630
+ "identifiers",
631
+ "location"
632
+ ],
633
+ "properties": {
634
+ "id": {
635
+ "type": "string",
636
+ "minLength": 1,
637
+ "description": "Unique identifier of the vulnerability. This is recommended to be a UUID.",
638
+ "examples": [
639
+ "642735a5-1425-428d-8d4e-3c854885a3c9"
640
+ ]
641
+ },
642
+ "name": {
643
+ "type": "string",
644
+ "maxLength": 255,
645
+ "description": "The name of the vulnerability. This must not include the finding's specific information."
646
+ },
647
+ "description": {
648
+ "type": "string",
649
+ "maxLength": 1048576,
650
+ "description": "A long text section describing the vulnerability more fully."
651
+ },
652
+ "severity": {
653
+ "type": "string",
654
+ "description": "How much the vulnerability impacts the software. Possible values are Info, Unknown, Low, Medium, High, or Critical. Note that some analyzers may not report all these possible values.",
655
+ "enum": [
656
+ "Info",
657
+ "Unknown",
658
+ "Low",
659
+ "Medium",
660
+ "High",
661
+ "Critical"
662
+ ]
663
+ },
664
+ "solution": {
665
+ "type": "string",
666
+ "maxLength": 7000,
667
+ "description": "Explanation of how to fix the vulnerability."
668
+ },
669
+ "identifiers": {
670
+ "type": "array",
671
+ "minItems": 1,
672
+ "description": "An ordered array of references that identify a vulnerability on internal or external databases. The first identifier is the Primary Identifier, which has special meaning.",
673
+ "items": {
674
+ "type": "object",
675
+ "required": [
676
+ "type",
677
+ "name",
678
+ "value"
679
+ ],
680
+ "properties": {
681
+ "type": {
682
+ "type": "string",
683
+ "description": "for example, cve, cwe, osvdb, usn, or an analyzer-dependent type such as gemnasium).",
684
+ "minLength": 1
685
+ },
686
+ "name": {
687
+ "type": "string",
688
+ "description": "Human-readable name of the identifier.",
689
+ "minLength": 1
690
+ },
691
+ "url": {
692
+ "type": "string",
693
+ "description": "URL of the identifier's documentation.",
694
+ "pattern": "^https?://.+"
695
+ },
696
+ "value": {
697
+ "type": "string",
698
+ "description": "Value of the identifier, for matching purpose.",
699
+ "minLength": 1
700
+ }
701
+ }
702
+ }
703
+ },
704
+ "links": {
705
+ "type": "array",
706
+ "description": "An array of references to external documentation or articles that describe the vulnerability.",
707
+ "items": {
708
+ "type": "object",
709
+ "required": [
710
+ "url"
711
+ ],
712
+ "properties": {
713
+ "name": {
714
+ "type": "string",
715
+ "description": "Name of the vulnerability details link."
716
+ },
717
+ "url": {
718
+ "type": "string",
719
+ "description": "URL of the vulnerability details document.",
720
+ "pattern": "^https?://.+"
721
+ }
722
+ }
723
+ }
724
+ },
725
+ "details": {
726
+ "$ref": "#/definitions/named_list/properties/items"
727
+ },
728
+ "tracking": {
729
+ "description": "Describes how this vulnerability should be tracked as the project changes.",
730
+ "oneOf": [
731
+ {
732
+ "description": "Declares that a series of items should be tracked using source-specific tracking methods.",
733
+ "required": [
734
+ "items"
735
+ ],
736
+ "properties": {
737
+ "type": {
738
+ "const": "source"
739
+ },
740
+ "items": {
741
+ "type": "array",
742
+ "items": {
743
+ "description": "An item that should be tracked using source-specific tracking methods.",
744
+ "type": "object",
745
+ "required": [
746
+ "signatures"
747
+ ],
748
+ "properties": {
749
+ "file": {
750
+ "type": "string",
751
+ "description": "Path to the file where the vulnerability is located."
752
+ },
753
+ "start_line": {
754
+ "type": "number",
755
+ "description": "The first line of the file that includes the vulnerability."
756
+ },
757
+ "end_line": {
758
+ "type": "number",
759
+ "description": "The last line of the file that includes the vulnerability."
760
+ },
761
+ "signatures": {
762
+ "type": "array",
763
+ "description": "An array of calculated tracking signatures for this tracking item.",
764
+ "minItems": 1,
765
+ "items": {
766
+ "description": "A calculated tracking signature value and metadata.",
767
+ "required": [
768
+ "algorithm",
769
+ "value"
770
+ ],
771
+ "properties": {
772
+ "algorithm": {
773
+ "type": "string",
774
+ "description": "The algorithm used to generate the signature."
775
+ },
776
+ "value": {
777
+ "type": "string",
778
+ "description": "The result of this signature algorithm."
779
+ }
780
+ }
781
+ }
782
+ }
783
+ }
784
+ }
785
+ }
786
+ }
787
+ }
788
+ ],
789
+ "properties": {
790
+ "type": {
791
+ "type": "string",
792
+ "description": "Each tracking type must declare its own type."
793
+ }
794
+ }
795
+ },
796
+ "flags": {
797
+ "description": "Flags that can be attached to vulnerabilities.",
798
+ "type": "array",
799
+ "items": {
800
+ "type": "object",
801
+ "description": "Informational flags identified and assigned to a vulnerability.",
802
+ "required": [
803
+ "type",
804
+ "origin",
805
+ "description"
806
+ ],
807
+ "properties": {
808
+ "type": {
809
+ "type": "string",
810
+ "minLength": 1,
811
+ "description": "Result of the scan.",
812
+ "enum": [
813
+ "flagged-as-likely-false-positive"
814
+ ]
815
+ },
816
+ "origin": {
817
+ "minLength": 1,
818
+ "description": "Tool that issued the flag.",
819
+ "type": "string"
820
+ },
821
+ "description": {
822
+ "minLength": 1,
823
+ "description": "What the flag is about.",
824
+ "type": "string"
825
+ }
826
+ }
827
+ }
828
+ },
829
+ "evidence": {
830
+ "type": "object",
831
+ "properties": {
832
+ "source": {
833
+ "type": "object",
834
+ "description": "Source of evidence",
835
+ "required": [
836
+ "id",
837
+ "name"
838
+ ],
839
+ "properties": {
840
+ "id": {
841
+ "type": "string",
842
+ "minLength": 1,
843
+ "description": "Unique source identifier",
844
+ "examples": [
845
+ "assert:LogAnalysis",
846
+ "assert:StatusCode"
847
+ ]
848
+ },
849
+ "name": {
850
+ "type": "string",
851
+ "minLength": 1,
852
+ "description": "Source display name",
853
+ "examples": [
854
+ "Log Analysis",
855
+ "Status Code"
856
+ ]
857
+ },
858
+ "url": {
859
+ "type": "string",
860
+ "description": "Link to additional information",
861
+ "examples": [
862
+ "https://docs.gitlab.com/ee/development/integrations/secure.html"
863
+ ]
864
+ }
865
+ }
866
+ },
867
+ "summary": {
868
+ "type": "string",
869
+ "description": "Human readable string containing evidence of the vulnerability.",
870
+ "examples": [
871
+ "Credit card 4111111111111111 found",
872
+ "Server leaked information nginx/1.17.6"
873
+ ]
874
+ },
875
+ "request": {
876
+ "type": "object",
877
+ "description": "An HTTP request.",
878
+ "required": [
879
+ "headers",
880
+ "method",
881
+ "url"
882
+ ],
883
+ "properties": {
884
+ "headers": {
885
+ "type": "array",
886
+ "description": "HTTP headers present on the request.",
887
+ "items": {
888
+ "type": "object",
889
+ "required": [
890
+ "name",
891
+ "value"
892
+ ],
893
+ "properties": {
894
+ "name": {
895
+ "type": "string",
896
+ "minLength": 1,
897
+ "description": "Name of the HTTP header.",
898
+ "examples": [
899
+ "Accept",
900
+ "Content-Length",
901
+ "Content-Type"
902
+ ]
903
+ },
904
+ "value": {
905
+ "type": "string",
906
+ "description": "Value of the HTTP header.",
907
+ "examples": [
908
+ "*/*",
909
+ "560",
910
+ "application/json; charset=utf-8"
911
+ ]
912
+ }
913
+ }
914
+ }
915
+ },
916
+ "method": {
917
+ "type": "string",
918
+ "minLength": 1,
919
+ "description": "HTTP method used in the request.",
920
+ "examples": [
921
+ "GET",
922
+ "POST"
923
+ ]
924
+ },
925
+ "url": {
926
+ "type": "string",
927
+ "minLength": 1,
928
+ "description": "URL of the request.",
929
+ "examples": [
930
+ "http://my.site.com/vulnerable-endpoint?show-credit-card"
931
+ ]
932
+ },
933
+ "body": {
934
+ "type": "string",
935
+ "description": "Body of the request for display purposes. Body must be suitable for display (not binary), and truncated to a reasonable size.",
936
+ "examples": [
937
+ "user=jsmith&first=%27&last=smith"
938
+ ]
939
+ }
940
+ }
941
+ },
942
+ "response": {
943
+ "type": "object",
944
+ "description": "An HTTP response.",
945
+ "required": [
946
+ "headers",
947
+ "reason_phrase",
948
+ "status_code"
949
+ ],
950
+ "properties": {
951
+ "headers": {
952
+ "type": "array",
953
+ "description": "HTTP headers present on the request.",
954
+ "items": {
955
+ "type": "object",
956
+ "required": [
957
+ "name",
958
+ "value"
959
+ ],
960
+ "properties": {
961
+ "name": {
962
+ "type": "string",
963
+ "minLength": 1,
964
+ "description": "Name of the HTTP header.",
965
+ "examples": [
966
+ "Accept",
967
+ "Content-Length",
968
+ "Content-Type"
969
+ ]
970
+ },
971
+ "value": {
972
+ "type": "string",
973
+ "description": "Value of the HTTP header.",
974
+ "examples": [
975
+ "*/*",
976
+ "560",
977
+ "application/json; charset=utf-8"
978
+ ]
979
+ }
980
+ }
981
+ }
982
+ },
983
+ "reason_phrase": {
984
+ "type": "string",
985
+ "description": "HTTP reason phrase of the response.",
986
+ "examples": [
987
+ "OK",
988
+ "Internal Server Error"
989
+ ]
990
+ },
991
+ "status_code": {
992
+ "type": "integer",
993
+ "description": "HTTP status code of the response.",
994
+ "examples": [
995
+ 200,
996
+ 500
997
+ ]
998
+ },
999
+ "body": {
1000
+ "type": "string",
1001
+ "description": "Body of the response for display purposes. Body must be suitable for display (not binary), and truncated to a reasonable size.",
1002
+ "examples": [
1003
+ "{\"user_id\": 2}"
1004
+ ]
1005
+ }
1006
+ }
1007
+ },
1008
+ "supporting_messages": {
1009
+ "type": "array",
1010
+ "description": "Array of supporting http messages.",
1011
+ "items": {
1012
+ "type": "object",
1013
+ "description": "A supporting http message.",
1014
+ "required": [
1015
+ "name"
1016
+ ],
1017
+ "properties": {
1018
+ "name": {
1019
+ "type": "string",
1020
+ "minLength": 1,
1021
+ "description": "Message display name.",
1022
+ "examples": [
1023
+ "Unmodified",
1024
+ "Recorded"
1025
+ ]
1026
+ },
1027
+ "request": {
1028
+ "type": "object",
1029
+ "description": "An HTTP request.",
1030
+ "required": [
1031
+ "headers",
1032
+ "method",
1033
+ "url"
1034
+ ],
1035
+ "properties": {
1036
+ "headers": {
1037
+ "type": "array",
1038
+ "description": "HTTP headers present on the request.",
1039
+ "items": {
1040
+ "type": "object",
1041
+ "required": [
1042
+ "name",
1043
+ "value"
1044
+ ],
1045
+ "properties": {
1046
+ "name": {
1047
+ "type": "string",
1048
+ "minLength": 1,
1049
+ "description": "Name of the HTTP header.",
1050
+ "examples": [
1051
+ "Accept",
1052
+ "Content-Length",
1053
+ "Content-Type"
1054
+ ]
1055
+ },
1056
+ "value": {
1057
+ "type": "string",
1058
+ "description": "Value of the HTTP header.",
1059
+ "examples": [
1060
+ "*/*",
1061
+ "560",
1062
+ "application/json; charset=utf-8"
1063
+ ]
1064
+ }
1065
+ }
1066
+ }
1067
+ },
1068
+ "method": {
1069
+ "type": "string",
1070
+ "minLength": 1,
1071
+ "description": "HTTP method used in the request.",
1072
+ "examples": [
1073
+ "GET",
1074
+ "POST"
1075
+ ]
1076
+ },
1077
+ "url": {
1078
+ "type": "string",
1079
+ "minLength": 1,
1080
+ "description": "URL of the request.",
1081
+ "examples": [
1082
+ "http://my.site.com/vulnerable-endpoint?show-credit-card"
1083
+ ]
1084
+ },
1085
+ "body": {
1086
+ "type": "string",
1087
+ "description": "Body of the request for display purposes. Body must be suitable for display (not binary), and truncated to a reasonable size.",
1088
+ "examples": [
1089
+ "user=jsmith&first=%27&last=smith"
1090
+ ]
1091
+ }
1092
+ }
1093
+ },
1094
+ "response": {
1095
+ "type": "object",
1096
+ "description": "An HTTP response.",
1097
+ "required": [
1098
+ "headers",
1099
+ "reason_phrase",
1100
+ "status_code"
1101
+ ],
1102
+ "properties": {
1103
+ "headers": {
1104
+ "type": "array",
1105
+ "description": "HTTP headers present on the request.",
1106
+ "items": {
1107
+ "type": "object",
1108
+ "required": [
1109
+ "name",
1110
+ "value"
1111
+ ],
1112
+ "properties": {
1113
+ "name": {
1114
+ "type": "string",
1115
+ "minLength": 1,
1116
+ "description": "Name of the HTTP header.",
1117
+ "examples": [
1118
+ "Accept",
1119
+ "Content-Length",
1120
+ "Content-Type"
1121
+ ]
1122
+ },
1123
+ "value": {
1124
+ "type": "string",
1125
+ "description": "Value of the HTTP header.",
1126
+ "examples": [
1127
+ "*/*",
1128
+ "560",
1129
+ "application/json; charset=utf-8"
1130
+ ]
1131
+ }
1132
+ }
1133
+ }
1134
+ },
1135
+ "reason_phrase": {
1136
+ "type": "string",
1137
+ "description": "HTTP reason phrase of the response.",
1138
+ "examples": [
1139
+ "OK",
1140
+ "Internal Server Error"
1141
+ ]
1142
+ },
1143
+ "status_code": {
1144
+ "type": "integer",
1145
+ "description": "HTTP status code of the response.",
1146
+ "examples": [
1147
+ 200,
1148
+ 500
1149
+ ]
1150
+ },
1151
+ "body": {
1152
+ "type": "string",
1153
+ "description": "Body of the response for display purposes. Body must be suitable for display (not binary), and truncated to a reasonable size.",
1154
+ "examples": [
1155
+ "{\"user_id\": 2}"
1156
+ ]
1157
+ }
1158
+ }
1159
+ }
1160
+ }
1161
+ }
1162
+ }
1163
+ }
1164
+ },
1165
+ "location": {
1166
+ "type": "object",
1167
+ "description": "Identifies the vulnerability's location.",
1168
+ "properties": {
1169
+ "hostname": {
1170
+ "type": "string",
1171
+ "description": "The protocol, domain, and port of the application where the vulnerability was found."
1172
+ },
1173
+ "method": {
1174
+ "type": "string",
1175
+ "description": "The HTTP method that was used to request the URL where the vulnerability was found."
1176
+ },
1177
+ "param": {
1178
+ "type": "string",
1179
+ "description": "A value provided by a vulnerability rule related to the found vulnerability. Examples include a header value, or a parameter used in a HTTP POST."
1180
+ },
1181
+ "path": {
1182
+ "type": "string",
1183
+ "description": "The path of the URL where the vulnerability was found. Typically, this would start with a forward slash."
1184
+ }
1185
+ }
1186
+ },
1187
+ "assets": {
1188
+ "type": "array",
1189
+ "description": "Array of build assets associated with vulnerability.",
1190
+ "items": {
1191
+ "type": "object",
1192
+ "description": "Describes an asset associated with vulnerability.",
1193
+ "required": [
1194
+ "type",
1195
+ "name",
1196
+ "url"
1197
+ ],
1198
+ "properties": {
1199
+ "type": {
1200
+ "type": "string",
1201
+ "description": "The type of asset",
1202
+ "enum": [
1203
+ "http_session",
1204
+ "postman"
1205
+ ]
1206
+ },
1207
+ "name": {
1208
+ "type": "string",
1209
+ "minLength": 1,
1210
+ "description": "Display name for asset",
1211
+ "examples": [
1212
+ "HTTP Messages",
1213
+ "Postman Collection"
1214
+ ]
1215
+ },
1216
+ "url": {
1217
+ "type": "string",
1218
+ "minLength": 1,
1219
+ "description": "Link to asset in build artifacts",
1220
+ "examples": [
1221
+ "https://gitlab.com/gitlab-org/security-products/dast/-/jobs/626397001/artifacts/file//output/zap_session.data"
1222
+ ]
1223
+ }
1224
+ }
1225
+ }
1226
+ }
1227
+ }
1228
+ }
1229
+ },
1230
+ "remediations": {
1231
+ "type": "array",
1232
+ "description": "An array of objects containing information on available remediations, along with patch diffs to apply.",
1233
+ "items": {
1234
+ "type": "object",
1235
+ "required": [
1236
+ "fixes",
1237
+ "summary",
1238
+ "diff"
1239
+ ],
1240
+ "properties": {
1241
+ "fixes": {
1242
+ "type": "array",
1243
+ "description": "An array of strings that represent references to vulnerabilities fixed by this remediation.",
1244
+ "items": {
1245
+ "type": "object",
1246
+ "required": [
1247
+ "id"
1248
+ ],
1249
+ "properties": {
1250
+ "id": {
1251
+ "type": "string",
1252
+ "minLength": 1,
1253
+ "description": "Unique identifier of the vulnerability. This is recommended to be a UUID.",
1254
+ "examples": [
1255
+ "642735a5-1425-428d-8d4e-3c854885a3c9"
1256
+ ]
1257
+ }
1258
+ }
1259
+ }
1260
+ },
1261
+ "summary": {
1262
+ "type": "string",
1263
+ "minLength": 1,
1264
+ "description": "An overview of how the vulnerabilities were fixed."
1265
+ },
1266
+ "diff": {
1267
+ "type": "string",
1268
+ "minLength": 1,
1269
+ "description": "A base64-encoded remediation code diff, compatible with git apply."
1270
+ }
1271
+ }
1272
+ }
1273
+ }
1274
+ }
1275
+ }