gitlab-security_report_schemas 0.1.0.min15.1.0.max15.1.0 → 0.1.1.min15.0.0.max15.1.4

Files changed (89) hide show
  1. checksums.yaml +4 -4
  2. data/Gemfile.lock +6 -9
  3. data/README.md +14 -10
  4. data/RUNBOOK.md +28 -0
  5. data/Rakefile +1 -1
  6. data/gem_version +1 -1
  7. data/gitlab-security_report_schemas.gemspec +1 -1
  8. data/lib/gitlab/security_report_schemas/configuration.rb +2 -2
  9. data/lib/gitlab/security_report_schemas/version.rb +1 -3
  10. data/schemas/15.0.0/cluster-image-scanning-report-format.json +946 -0
  11. data/schemas/15.0.0/container-scanning-report-format.json +880 -0
  12. data/schemas/15.0.0/coverage-fuzzing-report-format.json +836 -0
  13. data/schemas/15.0.0/dast-report-format.json +1241 -0
  14. data/schemas/15.0.0/dependency-scanning-report-format.json +944 -0
  15. data/schemas/15.0.0/sast-report-format.json +831 -0
  16. data/schemas/15.0.0/secret-detection-report-format.json +854 -0
  17. data/schemas/15.0.1/cluster-image-scanning-report-format.json +980 -0
  18. data/schemas/15.0.1/container-scanning-report-format.json +914 -0
  19. data/schemas/15.0.1/coverage-fuzzing-report-format.json +870 -0
  20. data/schemas/15.0.1/dast-report-format.json +1275 -0
  21. data/schemas/15.0.1/dependency-scanning-report-format.json +978 -0
  22. data/schemas/15.0.1/sast-report-format.json +865 -0
  23. data/schemas/15.0.1/secret-detection-report-format.json +888 -0
  24. data/schemas/15.0.2/cluster-image-scanning-report-format.json +980 -0
  25. data/schemas/15.0.2/container-scanning-report-format.json +912 -0
  26. data/schemas/15.0.2/coverage-fuzzing-report-format.json +870 -0
  27. data/schemas/15.0.2/dast-report-format.json +1275 -0
  28. data/schemas/15.0.2/dependency-scanning-report-format.json +978 -0
  29. data/schemas/15.0.2/sast-report-format.json +865 -0
  30. data/schemas/15.0.2/secret-detection-report-format.json +888 -0
  31. data/schemas/15.0.4/cluster-image-scanning-report-format.json +984 -0
  32. data/schemas/15.0.4/container-scanning-report-format.json +916 -0
  33. data/schemas/15.0.4/coverage-fuzzing-report-format.json +874 -0
  34. data/schemas/15.0.4/dast-report-format.json +1279 -0
  35. data/schemas/15.0.4/dependency-scanning-report-format.json +982 -0
  36. data/schemas/15.0.4/sast-report-format.json +869 -0
  37. data/schemas/15.0.4/secret-detection-report-format.json +893 -0
  38. data/schemas/15.0.5/cluster-image-scanning-report-format.json +1035 -0
  39. data/schemas/15.0.5/container-scanning-report-format.json +967 -0
  40. data/schemas/15.0.5/coverage-fuzzing-report-format.json +925 -0
  41. data/schemas/15.0.5/dast-report-format.json +1330 -0
  42. data/schemas/15.0.5/dependency-scanning-report-format.json +1033 -0
  43. data/schemas/15.0.5/sast-report-format.json +920 -0
  44. data/schemas/15.0.5/secret-detection-report-format.json +944 -0
  45. data/schemas/15.0.6/cluster-image-scanning-report-format.json +1035 -0
  46. data/schemas/15.0.6/container-scanning-report-format.json +967 -0
  47. data/schemas/15.0.6/coverage-fuzzing-report-format.json +925 -0
  48. data/schemas/15.0.6/dast-report-format.json +1330 -0
  49. data/schemas/15.0.6/dependency-scanning-report-format.json +1033 -0
  50. data/schemas/15.0.6/sast-report-format.json +920 -0
  51. data/schemas/15.0.6/secret-detection-report-format.json +944 -0
  52. data/schemas/15.0.7/cluster-image-scanning-report-format.json +1085 -0
  53. data/schemas/15.0.7/container-scanning-report-format.json +1017 -0
  54. data/schemas/15.0.7/coverage-fuzzing-report-format.json +975 -0
  55. data/schemas/15.0.7/dast-report-format.json +1380 -0
  56. data/schemas/15.0.7/dependency-scanning-report-format.json +1083 -0
  57. data/schemas/15.0.7/sast-report-format.json +970 -0
  58. data/schemas/15.0.7/secret-detection-report-format.json +994 -0
  59. data/schemas/15.1.1/cluster-image-scanning-report-format.json +1065 -0
  60. data/schemas/15.1.1/container-scanning-for-registry-report-format.json +0 -0
  61. data/schemas/15.1.1/container-scanning-report-format.json +998 -0
  62. data/schemas/15.1.1/coverage-fuzzing-report-format.json +975 -0
  63. data/schemas/15.1.1/dast-report-format.json +1380 -0
  64. data/schemas/15.1.1/dependency-scanning-report-format.json +986 -0
  65. data/schemas/15.1.1/sast-report-format.json +970 -0
  66. data/schemas/15.1.1/secret-detection-report-format.json +994 -0
  67. data/schemas/15.1.2/cluster-image-scanning-report-format.json +1190 -0
  68. data/schemas/15.1.2/container-scanning-report-format.json +1123 -0
  69. data/schemas/15.1.2/coverage-fuzzing-report-format.json +1100 -0
  70. data/schemas/15.1.2/dast-report-format.json +1505 -0
  71. data/schemas/15.1.2/dependency-scanning-report-format.json +1111 -0
  72. data/schemas/15.1.2/sast-report-format.json +1095 -0
  73. data/schemas/15.1.2/secret-detection-report-format.json +1119 -0
  74. data/schemas/15.1.3/cluster-image-scanning-report-format.json +1190 -0
  75. data/schemas/15.1.3/container-scanning-report-format.json +1123 -0
  76. data/schemas/15.1.3/coverage-fuzzing-report-format.json +1100 -0
  77. data/schemas/15.1.3/dast-report-format.json +1505 -0
  78. data/schemas/15.1.3/dependency-scanning-report-format.json +1111 -0
  79. data/schemas/15.1.3/sast-report-format.json +1095 -0
  80. data/schemas/15.1.3/secret-detection-report-format.json +1119 -0
  81. data/schemas/15.1.4/cluster-image-scanning-report-format.json +1190 -0
  82. data/schemas/15.1.4/container-scanning-report-format.json +1123 -0
  83. data/schemas/15.1.4/coverage-fuzzing-report-format.json +1100 -0
  84. data/schemas/15.1.4/dast-report-format.json +1505 -0
  85. data/schemas/15.1.4/dependency-scanning-report-format.json +1111 -0
  86. data/schemas/15.1.4/sast-report-format.json +1095 -0
  87. data/schemas/15.1.4/secret-detection-report-format.json +1119 -0
  88. data/supported_versions +11 -0
  89. metadata +83 -4
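--- /dev/null
+++ b/data/schemas/15.0.2/container-scanning-report-format.json
@@ -0,0 +1,912 @@
+ {
+ "$schema": "http://json-schema.org/draft-07/schema#",
+ "$id": "https://gitlab.com/gitlab-org/security-products/security-report-schemas/-/raw/master/dist/container-scanning-report-format.json",
+ "title": "Report format for GitLab Container Scanning",
+ "description": "This schema provides the the report format for Container Scanning (https://docs.gitlab.com/ee/user/application_security/container_scanning).",
+ "definitions": {
+ "detail_type": {
+ "oneOf": [
+ {
+ "$ref": "#/definitions/named_list"
+ },
+ {
+ "$ref": "#/definitions/list"
+ },
+ {
+ "$ref": "#/definitions/table"
+ },
+ {
+ "$ref": "#/definitions/text"
+ },
+ {
+ "$ref": "#/definitions/url"
+ },
+ {
+ "$ref": "#/definitions/code"
+ },
+ {
+ "$ref": "#/definitions/value"
+ },
+ {
+ "$ref": "#/definitions/diff"
+ },
+ {
+ "$ref": "#/definitions/markdown"
+ },
+ {
+ "$ref": "#/definitions/commit"
+ },
+ {
+ "$ref": "#/definitions/file_location"
+ },
+ {
+ "$ref": "#/definitions/module_location"
+ }
+ ]
+ },
+ "text_value": {
+ "type": "string"
+ },
+ "named_field": {
+ "type": "object",
+ "required": [
+ "name"
+ ],
+ "properties": {
+ "name": {
+ "$ref": "#/definitions/text_value",
+ "minLength": 1
+ },
+ "description": {
+ "$ref": "#/definitions/text_value"
+ }
+ }
+ },
+ "named_list": {
+ "type": "object",
+ "description": "An object with named and typed fields",
+ "required": [
+ "type",
+ "items"
+ ],
+ "properties": {
+ "type": {
+ "const": "named-list"
+ },
+ "items": {
+ "type": "object",
+ "patternProperties": {
+ "^.*$": {
+ "allOf": [
+ {
+ "$ref": "#/definitions/named_field"
+ },
+ {
+ "$ref": "#/definitions/detail_type"
+ }
+ ]
+ }
+ }
+ }
+ }
+ },
+ "list": {
+ "type": "object",
+ "description": "A list of typed fields",
+ "required": [
+ "type",
+ "items"
+ ],
+ "properties": {
+ "type": {
+ "const": "list"
+ },
+ "items": {
+ "type": "array",
+ "items": {
+ "$ref": "#/definitions/detail_type"
+ }
+ }
+ }
+ },
+ "table": {
+ "type": "object",
+ "description": "A table of typed fields",
+ "required": [
+ "type",
+ "rows"
+ ],
+ "properties": {
+ "type": {
+ "const": "table"
+ },
+ "header": {
+ "type": "array",
+ "items": {
+ "$ref": "#/definitions/detail_type"
+ }
+ },
+ "rows": {
+ "type": "array",
+ "items": {
+ "type": "array",
+ "items": {
+ "$ref": "#/definitions/detail_type"
+ }
+ }
+ }
+ }
+ },
+ "text": {
+ "type": "object",
+ "description": "Raw text",
+ "required": [
+ "type",
+ "value"
+ ],
+ "properties": {
+ "type": {
+ "const": "text"
+ },
+ "value": {
+ "$ref": "#/definitions/text_value"
+ }
+ }
+ },
+ "url": {
+ "type": "object",
+ "description": "A single URL",
+ "required": [
+ "type",
+ "href"
+ ],
+ "properties": {
+ "type": {
+ "const": "url"
+ },
+ "text": {
+ "$ref": "#/definitions/text_value"
+ },
+ "href": {
+ "type": "string",
+ "minLength": 1,
+ "examples": [
+ "http://mysite.com"
+ ]
+ }
+ }
+ },
+ "code": {
+ "type": "object",
+ "description": "A codeblock",
+ "required": [
+ "type",
+ "value"
+ ],
+ "properties": {
+ "type": {
+ "const": "code"
+ },
+ "value": {
+ "type": "string"
+ },
+ "lang": {
+ "type": "string",
+ "description": "A programming language"
+ }
+ }
+ },
+ "value": {
+ "type": "object",
+ "description": "A field that can store a range of types of value",
+ "required": [
+ "type",
+ "value"
+ ],
+ "properties": {
+ "type": {
+ "const": "value"
+ },
+ "value": {
+ "type": [
+ "number",
+ "string",
+ "boolean"
+ ]
+ }
+ }
+ },
+ "diff": {
+ "type": "object",
+ "description": "A diff",
+ "required": [
+ "type",
+ "before",
+ "after"
+ ],
+ "properties": {
+ "type": {
+ "const": "diff"
+ },
+ "before": {
+ "type": "string"
+ },
+ "after": {
+ "type": "string"
+ }
+ }
+ },
+ "markdown": {
+ "type": "object",
+ "description": "GitLab flavoured markdown, see https://docs.gitlab.com/ee/user/markdown.html",
+ "required": [
+ "type",
+ "value"
+ ],
+ "properties": {
+ "type": {
+ "const": "markdown"
+ },
+ "value": {
+ "$ref": "#/definitions/text_value",
+ "examples": [
+ "Here is markdown `inline code` #1 [test](gitlab.com)\n\n![GitLab Logo](https://about.gitlab.com/images/press/logo/preview/gitlab-logo-white-preview.png)"
+ ]
+ }
+ }
+ },
+ "commit": {
+ "type": "object",
+ "description": "A commit/tag/branch within the GitLab project",
+ "required": [
+ "type",
+ "value"
+ ],
+ "properties": {
+ "type": {
+ "const": "commit"
+ },
+ "value": {
+ "type": "string",
+ "description": "The commit SHA",
+ "minLength": 1
+ }
+ }
+ },
+ "file_location": {
+ "type": "object",
+ "description": "A location within a file in the project",
+ "required": [
+ "type",
+ "file_name",
+ "line_start"
+ ],
+ "properties": {
+ "type": {
+ "const": "file-location"
+ },
+ "file_name": {
+ "type": "string",
+ "minLength": 1
+ },
+ "line_start": {
+ "type": "integer"
+ },
+ "line_end": {
+ "type": "integer"
+ }
+ }
+ },
+ "module_location": {
+ "type": "object",
+ "description": "A location within a binary module of the form module+relative_offset",
+ "required": [
+ "type",
+ "module_name",
+ "offset"
+ ],
+ "properties": {
+ "type": {
+ "const": "module-location"
+ },
+ "module_name": {
+ "type": "string",
+ "minLength": 1,
+ "examples": [
+ "compiled_binary"
+ ]
+ },
+ "offset": {
+ "type": "integer",
+ "examples": [
+ 100
+ ]
+ }
+ }
+ }
+ },
+ "self": {
+ "version": "15.0.2"
+ },
+ "required": [
+ "scan",
+ "version",
+ "vulnerabilities"
+ ],
+ "additionalProperties": true,
+ "properties": {
+ "scan": {
+ "type": "object",
+ "required": [
+ "analyzer",
+ "end_time",
+ "scanner",
+ "start_time",
+ "status",
+ "type"
+ ],
+ "properties": {
+ "end_time": {
+ "type": "string",
+ "description": "ISO8601 UTC value with format yyyy-mm-ddThh:mm:ss, representing when the scan finished.",
+ "pattern": "^\\d{4}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}$",
+ "examples": [
+ "2020-01-28T03:26:02"
+ ]
+ },
+ "messages": {
+ "type": "array",
+ "items": {
+ "type": "object",
+ "description": "Communication intended for the initiator of a scan.",
+ "required": [
+ "level",
+ "value"
+ ],
+ "properties": {
+ "level": {
+ "type": "string",
+ "description": "Describes the severity of the communication. Use info to communicate normal scan behaviour; warn to communicate a potentially recoverable problem, or a partial error; fatal to communicate an issue that causes the scan to halt.",
+ "enum": [
+ "info",
+ "warn",
+ "fatal"
+ ],
+ "examples": [
+ "info"
+ ]
+ },
+ "value": {
+ "type": "string",
+ "description": "The message to communicate.",
+ "minLength": 1,
+ "examples": [
+ "Permission denied, scanning aborted"
+ ]
+ }
+ }
+ }
+ },
+ "analyzer": {
+ "type": "object",
+ "description": "Object defining the analyzer used to perform the scan. Analyzers typically delegate to an underlying scanner to run the scan.",
+ "required": [
+ "id",
+ "name",
+ "version",
+ "vendor"
+ ],
+ "properties": {
+ "id": {
+ "type": "string",
+ "description": "Unique id that identifies the analyzer.",
+ "minLength": 1,
+ "examples": [
+ "gitlab-dast"
+ ]
+ },
+ "name": {
+ "type": "string",
+ "description": "A human readable value that identifies the analyzer, not required to be unique.",
+ "minLength": 1,
+ "examples": [
+ "GitLab DAST"
+ ]
+ },
+ "url": {
+ "type": "string",
+ "pattern": "^https?://.+",
+ "description": "A link to more information about the analyzer.",
+ "examples": [
+ "https://docs.gitlab.com/ee/user/application_security/dast"
+ ]
+ },
+ "vendor": {
+ "description": "The vendor/maintainer of the analyzer.",
+ "type": "object",
+ "required": [
+ "name"
+ ],
+ "properties": {
+ "name": {
+ "type": "string",
+ "description": "The name of the vendor.",
+ "minLength": 1,
+ "examples": [
+ "GitLab"
+ ]
+ }
+ }
+ },
+ "version": {
+ "type": "string",
+ "description": "The version of the analyzer.",
+ "minLength": 1,
+ "examples": [
+ "1.0.2"
+ ]
+ }
+ }
+ },
+ "scanner": {
+ "type": "object",
+ "description": "Object defining the scanner used to perform the scan.",
+ "required": [
+ "id",
+ "name",
+ "version",
+ "vendor"
+ ],
+ "properties": {
+ "id": {
+ "type": "string",
+ "description": "Unique id that identifies the scanner.",
+ "minLength": 1,
+ "examples": [
+ "my-sast-scanner"
+ ]
+ },
+ "name": {
+ "type": "string",
+ "description": "A human readable value that identifies the scanner, not required to be unique.",
+ "minLength": 1,
+ "examples": [
+ "My SAST Scanner"
+ ]
+ },
+ "url": {
+ "type": "string",
+ "description": "A link to more information about the scanner.",
+ "examples": [
+ "https://scanner.url"
+ ]
+ },
+ "version": {
+ "type": "string",
+ "description": "The version of the scanner.",
+ "minLength": 1,
+ "examples": [
+ "1.0.2"
+ ]
+ },
+ "vendor": {
+ "description": "The vendor/maintainer of the scanner.",
+ "type": "object",
+ "required": [
+ "name"
+ ],
+ "properties": {
+ "name": {
+ "type": "string",
+ "description": "The name of the vendor.",
+ "minLength": 1,
+ "examples": [
+ "GitLab"
+ ]
+ }
+ }
+ }
+ }
+ },
+ "start_time": {
+ "type": "string",
+ "description": "ISO8601 UTC value with format yyyy-mm-ddThh:mm:ss, representing when the scan started.",
+ "pattern": "^\\d{4}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}$",
+ "examples": [
+ "2020-02-14T16:01:59"
+ ]
+ },
+ "status": {
+ "type": "string",
+ "description": "Result of the scan.",
+ "enum": [
+ "success",
+ "failure"
+ ]
+ },
+ "type": {
+ "type": "string",
+ "description": "Type of the scan.",
+ "enum": [
+ "container_scanning"
+ ]
+ },
+ "primary_identifiers": {
+ "type": "array",
+ "description": "An array containing an exhaustive list of primary identifiers for which the analyzer may return results",
+ "items": {
+ "type": "object",
+ "required": [
+ "type",
+ "name",
+ "value"
+ ],
+ "properties": {
+ "type": {
+ "type": "string",
+ "description": "for example, cve, cwe, osvdb, usn, or an analyzer-dependent type such as gemnasium).",
+ "minLength": 1
+ },
+ "name": {
+ "type": "string",
+ "description": "Human-readable name of the identifier.",
+ "minLength": 1
+ },
+ "url": {
+ "type": "string",
+ "description": "URL of the identifier's documentation.",
+ "pattern": "^https?://.+"
+ },
+ "value": {
+ "type": "string",
+ "description": "Value of the identifier, for matching purpose.",
+ "minLength": 1
+ }
+ }
+ }
+ }
+ }
+ },
+ "schema": {
+ "type": "string",
+ "description": "URI pointing to the validating security report schema.",
+ "pattern": "^https?://.+"
+ },
+ "version": {
+ "type": "string",
+ "description": "The version of the schema to which the JSON report conforms.",
+ "pattern": "^[0-9]+\\.[0-9]+\\.[0-9]+$"
+ },
+ "vulnerabilities": {
+ "type": "array",
+ "description": "Array of vulnerability objects.",
+ "items": {
+ "type": "object",
+ "description": "Describes the vulnerability using GitLab Flavored Markdown",
+ "required": [
+ "id",
+ "identifiers",
+ "location"
+ ],
+ "properties": {
+ "id": {
+ "type": "string",
+ "minLength": 1,
+ "description": "Unique identifier of the vulnerability. This is recommended to be a UUID.",
+ "examples": [
+ "642735a5-1425-428d-8d4e-3c854885a3c9"
+ ]
+ },
+ "name": {
+ "type": "string",
+ "maxLength": 255,
+ "description": "The name of the vulnerability. This must not include the finding's specific information."
+ },
+ "description": {
+ "type": "string",
+ "maxLength": 1048576,
+ "description": "A long text section describing the vulnerability more fully."
+ },
+ "severity": {
+ "type": "string",
+ "description": "How much the vulnerability impacts the software. Possible values are Info, Unknown, Low, Medium, High, or Critical. Note that some analyzers may not report all these possible values.",
+ "enum": [
+ "Info",
+ "Unknown",
+ "Low",
+ "Medium",
+ "High",
+ "Critical"
+ ]
+ },
+ "solution": {
+ "type": "string",
+ "maxLength": 7000,
+ "description": "Explanation of how to fix the vulnerability."
+ },
+ "identifiers": {
+ "type": "array",
+ "minItems": 1,
+ "description": "An ordered array of references that identify a vulnerability on internal or external databases. The first identifier is the Primary Identifier, which has special meaning.",
+ "items": {
+ "type": "object",
+ "required": [
+ "type",
+ "name",
+ "value"
+ ],
+ "properties": {
+ "type": {
+ "type": "string",
+ "description": "for example, cve, cwe, osvdb, usn, or an analyzer-dependent type such as gemnasium).",
+ "minLength": 1
+ },
+ "name": {
+ "type": "string",
+ "description": "Human-readable name of the identifier.",
+ "minLength": 1
+ },
+ "url": {
+ "type": "string",
+ "description": "URL of the identifier's documentation.",
+ "pattern": "^https?://.+"
+ },
+ "value": {
+ "type": "string",
+ "description": "Value of the identifier, for matching purpose.",
+ "minLength": 1
+ }
+ }
+ }
+ },
+ "links": {
+ "type": "array",
+ "description": "An array of references to external documentation or articles that describe the vulnerability.",
+ "items": {
+ "type": "object",
+ "required": [
+ "url"
+ ],
+ "properties": {
+ "name": {
+ "type": "string",
+ "description": "Name of the vulnerability details link."
+ },
+ "url": {
+ "type": "string",
+ "description": "URL of the vulnerability details document.",
+ "pattern": "^https?://.+"
+ }
+ }
+ }
+ },
+ "details": {
+ "$ref": "#/definitions/named_list/properties/items"
+ },
+ "tracking": {
+ "description": "Describes how this vulnerability should be tracked as the project changes.",
+ "oneOf": [
+ {
+ "description": "Declares that a series of items should be tracked using source-specific tracking methods.",
+ "required": [
+ "items"
+ ],
+ "properties": {
+ "type": {
+ "const": "source"
+ },
+ "items": {
+ "type": "array",
+ "items": {
+ "description": "An item that should be tracked using source-specific tracking methods.",
+ "type": "object",
+ "required": [
+ "signatures"
+ ],
+ "properties": {
+ "file": {
+ "type": "string",
+ "description": "Path to the file where the vulnerability is located."
+ },
+ "start_line": {
+ "type": "number",
+ "description": "The first line of the file that includes the vulnerability."
+ },
+ "end_line": {
+ "type": "number",
+ "description": "The last line of the file that includes the vulnerability."
+ },
+ "signatures": {
+ "type": "array",
+ "description": "An array of calculated tracking signatures for this tracking item.",
+ "minItems": 1,
+ "items": {
+ "description": "A calculated tracking signature value and metadata.",
+ "required": [
+ "algorithm",
+ "value"
+ ],
+ "properties": {
+ "algorithm": {
+ "type": "string",
+ "description": "The algorithm used to generate the signature."
+ },
+ "value": {
+ "type": "string",
+ "description": "The result of this signature algorithm."
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ ],
+ "properties": {
+ "type": {
+ "type": "string",
+ "description": "Each tracking type must declare its own type."
+ }
+ }
+ },
+ "flags": {
+ "description": "Flags that can be attached to vulnerabilities.",
+ "type": "array",
+ "items": {
+ "type": "object",
+ "description": "Informational flags identified and assigned to a vulnerability.",
+ "required": [
+ "type",
+ "origin",
+ "description"
+ ],
+ "properties": {
+ "type": {
+ "type": "string",
+ "minLength": 1,
+ "description": "Result of the scan.",
+ "enum": [
+ "flagged-as-likely-false-positive"
+ ]
+ },
+ "origin": {
+ "minLength": 1,
+ "description": "Tool that issued the flag.",
+ "type": "string"
+ },
+ "description": {
+ "minLength": 1,
+ "description": "What the flag is about.",
+ "type": "string"
+ }
+ }
+ }
+ },
+ "location": {
+ "type": "object",
+ "description": "Identifies the vulnerability's location.",
+ "required": [
+ "dependency",
+ "operating_system",
+ "image"
+ ],
+ "properties": {
+ "dependency": {
+ "type": "object",
+ "description": "Describes the dependency of a project where the vulnerability is located.",
+ "required": [
+ "package",
+ "version"
+ ],
+ "properties": {
+ "package": {
+ "type": "object",
+ "description": "Provides information on the package where the vulnerability is located.",
+ "required": [
+ "name"
+ ],
+ "properties": {
+ "name": {
+ "type": "string",
+ "description": "Name of the package where the vulnerability is located."
+ }
+ }
+ },
+ "version": {
+ "type": "string",
+ "description": "Version of the vulnerable package."
+ },
+ "iid": {
+ "description": "ID that identifies the dependency in the scope of a dependency file.",
+ "type": "number"
+ },
+ "direct": {
+ "type": "boolean",
+ "description": "Tells whether this is a direct, top-level dependency of the scanned project."
+ },
+ "dependency_path": {
+ "type": "array",
+ "description": "Ancestors of the dependency, starting from a direct project dependency, and ending with an immediate parent of the dependency. The dependency itself is excluded from the path. Direct dependencies have no path.",
+ "items": {
+ "type": "object",
+ "required": [
+ "iid"
+ ],
+ "properties": {
+ "iid": {
+ "type": "number",
+ "description": "ID that is unique in the scope of a parent object, and specific to the resource type."
+ }
+ }
+ }
+ }
+ }
+ },
+ "operating_system": {
+ "type": "string",
+ "minLength": 1,
+ "description": "The operating system that contains the vulnerable package."
+ },
+ "image": {
+ "type": "string",
+ "minLength": 1,
+ "description": "The analyzed Docker image."
+ },
+ "default_branch_image": {
+ "type": "string",
+ "maxLength": 255,
+ "description": "The name of the image on the default branch."
+ }
+ }
+ }
+ }
+ }
+ },
+ "remediations": {
+ "type": "array",
+ "description": "An array of objects containing information on available remediations, along with patch diffs to apply.",
+ "items": {
+ "type": "object",
+ "required": [
+ "fixes",
+ "summary",
+ "diff"
+ ],
+ "properties": {
+ "fixes": {
+ "type": "array",
+ "description": "An array of strings that represent references to vulnerabilities fixed by this remediation.",
+ "items": {
+ "type": "object",
+ "required": [
+ "id"
+ ],
+ "properties": {
+ "id": {
+ "type": "string",
+ "minLength": 1,
+ "description": "Unique identifier of the vulnerability. This is recommended to be a UUID.",
+ "examples": [
+ "642735a5-1425-428d-8d4e-3c854885a3c9"
+ ]
+ }
+ }
+ }
+ },
+ "summary": {
+ "type": "string",
+ "minLength": 1,
+ "description": "An overview of how the vulnerabilities were fixed."
+ },
+ "diff": {
+ "type": "string",
+ "minLength": 1,
+ "description": "A base64-encoded remediation code diff, compatible with git apply."
+ }
+ }
+ }
+ }
+ }
+ }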
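Review bot: `scan.scanner.url` is the only URL-valued field in this schema without a `pattern` (it has just `"type": "string"` and an example), whereas `scan.analyzer.url`, `scan.primary_identifiers[].url`, `vulnerabilities[].identifiers[].url`, `vulnerabilities[].links[].url` and the top-level `schema` all enforce `^https?://.+`; a report carrying a `javascript:` or `data:` scanner link therefore validates cleanly, and the `href` of the `url` detail type has the same gap (only `"minLength": 1`). Adding `"pattern": "^https?://.+"` to both closes it. This file looks like a verbatim copy of the upstream GitLab schema (its `$id` points at the upstream dist URL and `self.version` is `15.0.2`), so the change belongs upstream rather than in this gem's vendored copy; until it lands, consumers of validated reports should not treat those two fields as safe to render as links. Note also that the root object sets `"additionalProperties": true`, so schema validation says nothing about unknown top-level keys.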