gitlab-security_report_schemas 0.1.0.min15.1.0.max15.1.0 → 0.1.1.min15.0.0.max15.1.4

Files changed (89)
  1. checksums.yaml +4 -4
  2. data/Gemfile.lock +6 -9
  3. data/README.md +14 -10
  4. data/RUNBOOK.md +28 -0
  5. data/Rakefile +1 -1
  6. data/gem_version +1 -1
  7. data/gitlab-security_report_schemas.gemspec +1 -1
  8. data/lib/gitlab/security_report_schemas/configuration.rb +2 -2
  9. data/lib/gitlab/security_report_schemas/version.rb +1 -3
  10. data/schemas/15.0.0/cluster-image-scanning-report-format.json +946 -0
  11. data/schemas/15.0.0/container-scanning-report-format.json +880 -0
  12. data/schemas/15.0.0/coverage-fuzzing-report-format.json +836 -0
  13. data/schemas/15.0.0/dast-report-format.json +1241 -0
  14. data/schemas/15.0.0/dependency-scanning-report-format.json +944 -0
  15. data/schemas/15.0.0/sast-report-format.json +831 -0
  16. data/schemas/15.0.0/secret-detection-report-format.json +854 -0
  17. data/schemas/15.0.1/cluster-image-scanning-report-format.json +980 -0
  18. data/schemas/15.0.1/container-scanning-report-format.json +914 -0
  19. data/schemas/15.0.1/coverage-fuzzing-report-format.json +870 -0
  20. data/schemas/15.0.1/dast-report-format.json +1275 -0
  21. data/schemas/15.0.1/dependency-scanning-report-format.json +978 -0
  22. data/schemas/15.0.1/sast-report-format.json +865 -0
  23. data/schemas/15.0.1/secret-detection-report-format.json +888 -0
  24. data/schemas/15.0.2/cluster-image-scanning-report-format.json +980 -0
  25. data/schemas/15.0.2/container-scanning-report-format.json +912 -0
  26. data/schemas/15.0.2/coverage-fuzzing-report-format.json +870 -0
  27. data/schemas/15.0.2/dast-report-format.json +1275 -0
  28. data/schemas/15.0.2/dependency-scanning-report-format.json +978 -0
  29. data/schemas/15.0.2/sast-report-format.json +865 -0
  30. data/schemas/15.0.2/secret-detection-report-format.json +888 -0
  31. data/schemas/15.0.4/cluster-image-scanning-report-format.json +984 -0
  32. data/schemas/15.0.4/container-scanning-report-format.json +916 -0
  33. data/schemas/15.0.4/coverage-fuzzing-report-format.json +874 -0
  34. data/schemas/15.0.4/dast-report-format.json +1279 -0
  35. data/schemas/15.0.4/dependency-scanning-report-format.json +982 -0
  36. data/schemas/15.0.4/sast-report-format.json +869 -0
  37. data/schemas/15.0.4/secret-detection-report-format.json +893 -0
  38. data/schemas/15.0.5/cluster-image-scanning-report-format.json +1035 -0
  39. data/schemas/15.0.5/container-scanning-report-format.json +967 -0
  40. data/schemas/15.0.5/coverage-fuzzing-report-format.json +925 -0
  41. data/schemas/15.0.5/dast-report-format.json +1330 -0
  42. data/schemas/15.0.5/dependency-scanning-report-format.json +1033 -0
  43. data/schemas/15.0.5/sast-report-format.json +920 -0
  44. data/schemas/15.0.5/secret-detection-report-format.json +944 -0
  45. data/schemas/15.0.6/cluster-image-scanning-report-format.json +1035 -0
  46. data/schemas/15.0.6/container-scanning-report-format.json +967 -0
  47. data/schemas/15.0.6/coverage-fuzzing-report-format.json +925 -0
  48. data/schemas/15.0.6/dast-report-format.json +1330 -0
  49. data/schemas/15.0.6/dependency-scanning-report-format.json +1033 -0
  50. data/schemas/15.0.6/sast-report-format.json +920 -0
  51. data/schemas/15.0.6/secret-detection-report-format.json +944 -0
  52. data/schemas/15.0.7/cluster-image-scanning-report-format.json +1085 -0
  53. data/schemas/15.0.7/container-scanning-report-format.json +1017 -0
  54. data/schemas/15.0.7/coverage-fuzzing-report-format.json +975 -0
  55. data/schemas/15.0.7/dast-report-format.json +1380 -0
  56. data/schemas/15.0.7/dependency-scanning-report-format.json +1083 -0
  57. data/schemas/15.0.7/sast-report-format.json +970 -0
  58. data/schemas/15.0.7/secret-detection-report-format.json +994 -0
  59. data/schemas/15.1.1/cluster-image-scanning-report-format.json +1065 -0
  60. data/schemas/15.1.1/container-scanning-for-registry-report-format.json +0 -0
  61. data/schemas/15.1.1/container-scanning-report-format.json +998 -0
  62. data/schemas/15.1.1/coverage-fuzzing-report-format.json +975 -0
  63. data/schemas/15.1.1/dast-report-format.json +1380 -0
  64. data/schemas/15.1.1/dependency-scanning-report-format.json +986 -0
  65. data/schemas/15.1.1/sast-report-format.json +970 -0
  66. data/schemas/15.1.1/secret-detection-report-format.json +994 -0
  67. data/schemas/15.1.2/cluster-image-scanning-report-format.json +1190 -0
  68. data/schemas/15.1.2/container-scanning-report-format.json +1123 -0
  69. data/schemas/15.1.2/coverage-fuzzing-report-format.json +1100 -0
  70. data/schemas/15.1.2/dast-report-format.json +1505 -0
  71. data/schemas/15.1.2/dependency-scanning-report-format.json +1111 -0
  72. data/schemas/15.1.2/sast-report-format.json +1095 -0
  73. data/schemas/15.1.2/secret-detection-report-format.json +1119 -0
  74. data/schemas/15.1.3/cluster-image-scanning-report-format.json +1190 -0
  75. data/schemas/15.1.3/container-scanning-report-format.json +1123 -0
  76. data/schemas/15.1.3/coverage-fuzzing-report-format.json +1100 -0
  77. data/schemas/15.1.3/dast-report-format.json +1505 -0
  78. data/schemas/15.1.3/dependency-scanning-report-format.json +1111 -0
  79. data/schemas/15.1.3/sast-report-format.json +1095 -0
  80. data/schemas/15.1.3/secret-detection-report-format.json +1119 -0
  81. data/schemas/15.1.4/cluster-image-scanning-report-format.json +1190 -0
  82. data/schemas/15.1.4/container-scanning-report-format.json +1123 -0
  83. data/schemas/15.1.4/coverage-fuzzing-report-format.json +1100 -0
  84. data/schemas/15.1.4/dast-report-format.json +1505 -0
  85. data/schemas/15.1.4/dependency-scanning-report-format.json +1111 -0
  86. data/schemas/15.1.4/sast-report-format.json +1095 -0
  87. data/schemas/15.1.4/secret-detection-report-format.json +1119 -0
  88. data/supported_versions +11 -0
  89. metadata +83 -4
@@ -0,0 +1,1330 @@
1
+ {
2
+ "$schema": "http://json-schema.org/draft-07/schema#",
3
+ "$id": "https://gitlab.com/gitlab-org/security-products/security-report-schemas/-/raw/master/dist/dast-report-format.json",
4
+ "title": "Report format for GitLab DAST",
5
+ "description": "This schema provides the the report format for Dynamic Application Security Testing (https://docs.gitlab.com/ee/user/application_security/dast).",
6
+ "definitions": {
7
+ "detail_type": {
8
+ "oneOf": [
9
+ {
10
+ "$ref": "#/definitions/named_list"
11
+ },
12
+ {
13
+ "$ref": "#/definitions/list"
14
+ },
15
+ {
16
+ "$ref": "#/definitions/table"
17
+ },
18
+ {
19
+ "$ref": "#/definitions/text"
20
+ },
21
+ {
22
+ "$ref": "#/definitions/url"
23
+ },
24
+ {
25
+ "$ref": "#/definitions/code"
26
+ },
27
+ {
28
+ "$ref": "#/definitions/value"
29
+ },
30
+ {
31
+ "$ref": "#/definitions/diff"
32
+ },
33
+ {
34
+ "$ref": "#/definitions/markdown"
35
+ },
36
+ {
37
+ "$ref": "#/definitions/commit"
38
+ },
39
+ {
40
+ "$ref": "#/definitions/file_location"
41
+ },
42
+ {
43
+ "$ref": "#/definitions/module_location"
44
+ }
45
+ ]
46
+ },
47
+ "text_value": {
48
+ "type": "string"
49
+ },
50
+ "named_field": {
51
+ "type": "object",
52
+ "required": [
53
+ "name"
54
+ ],
55
+ "properties": {
56
+ "name": {
57
+ "$ref": "#/definitions/text_value",
58
+ "type": "string",
59
+ "minLength": 1
60
+ },
61
+ "description": {
62
+ "$ref": "#/definitions/text_value"
63
+ }
64
+ }
65
+ },
66
+ "named_list": {
67
+ "type": "object",
68
+ "description": "An object with named and typed fields",
69
+ "required": [
70
+ "type",
71
+ "items"
72
+ ],
73
+ "properties": {
74
+ "type": {
75
+ "const": "named-list"
76
+ },
77
+ "items": {
78
+ "type": "object",
79
+ "patternProperties": {
80
+ "^.*$": {
81
+ "allOf": [
82
+ {
83
+ "$ref": "#/definitions/named_field"
84
+ },
85
+ {
86
+ "$ref": "#/definitions/detail_type"
87
+ }
88
+ ]
89
+ }
90
+ }
91
+ }
92
+ }
93
+ },
94
+ "list": {
95
+ "type": "object",
96
+ "description": "A list of typed fields",
97
+ "required": [
98
+ "type",
99
+ "items"
100
+ ],
101
+ "properties": {
102
+ "type": {
103
+ "const": "list"
104
+ },
105
+ "items": {
106
+ "type": "array",
107
+ "items": {
108
+ "$ref": "#/definitions/detail_type"
109
+ }
110
+ }
111
+ }
112
+ },
113
+ "table": {
114
+ "type": "object",
115
+ "description": "A table of typed fields",
116
+ "required": [
117
+ "type",
118
+ "rows"
119
+ ],
120
+ "properties": {
121
+ "type": {
122
+ "const": "table"
123
+ },
124
+ "header": {
125
+ "type": "array",
126
+ "items": {
127
+ "$ref": "#/definitions/detail_type"
128
+ }
129
+ },
130
+ "rows": {
131
+ "type": "array",
132
+ "items": {
133
+ "type": "array",
134
+ "items": {
135
+ "$ref": "#/definitions/detail_type"
136
+ }
137
+ }
138
+ }
139
+ }
140
+ },
141
+ "text": {
142
+ "type": "object",
143
+ "description": "Raw text",
144
+ "required": [
145
+ "type",
146
+ "value"
147
+ ],
148
+ "properties": {
149
+ "type": {
150
+ "const": "text"
151
+ },
152
+ "value": {
153
+ "$ref": "#/definitions/text_value"
154
+ }
155
+ }
156
+ },
157
+ "url": {
158
+ "type": "object",
159
+ "description": "A single URL",
160
+ "required": [
161
+ "type",
162
+ "href"
163
+ ],
164
+ "properties": {
165
+ "type": {
166
+ "const": "url"
167
+ },
168
+ "text": {
169
+ "$ref": "#/definitions/text_value"
170
+ },
171
+ "href": {
172
+ "type": "string",
173
+ "minLength": 1,
174
+ "examples": [
175
+ "http://mysite.com"
176
+ ]
177
+ }
178
+ }
179
+ },
180
+ "code": {
181
+ "type": "object",
182
+ "description": "A codeblock",
183
+ "required": [
184
+ "type",
185
+ "value"
186
+ ],
187
+ "properties": {
188
+ "type": {
189
+ "const": "code"
190
+ },
191
+ "value": {
192
+ "type": "string"
193
+ },
194
+ "lang": {
195
+ "type": "string",
196
+ "description": "A programming language"
197
+ }
198
+ }
199
+ },
200
+ "value": {
201
+ "type": "object",
202
+ "description": "A field that can store a range of types of value",
203
+ "required": [
204
+ "type",
205
+ "value"
206
+ ],
207
+ "properties": {
208
+ "type": {
209
+ "const": "value"
210
+ },
211
+ "value": {
212
+ "type": [
213
+ "number",
214
+ "string",
215
+ "boolean"
216
+ ]
217
+ }
218
+ }
219
+ },
220
+ "diff": {
221
+ "type": "object",
222
+ "description": "A diff",
223
+ "required": [
224
+ "type",
225
+ "before",
226
+ "after"
227
+ ],
228
+ "properties": {
229
+ "type": {
230
+ "const": "diff"
231
+ },
232
+ "before": {
233
+ "type": "string"
234
+ },
235
+ "after": {
236
+ "type": "string"
237
+ }
238
+ }
239
+ },
240
+ "markdown": {
241
+ "type": "object",
242
+ "description": "GitLab flavoured markdown, see https://docs.gitlab.com/ee/user/markdown.html",
243
+ "required": [
244
+ "type",
245
+ "value"
246
+ ],
247
+ "properties": {
248
+ "type": {
249
+ "const": "markdown"
250
+ },
251
+ "value": {
252
+ "$ref": "#/definitions/text_value",
253
+ "examples": [
254
+ "Here is markdown `inline code` #1 [test](gitlab.com)\n\n![GitLab Logo](https://about.gitlab.com/images/press/logo/preview/gitlab-logo-white-preview.png)"
255
+ ]
256
+ }
257
+ }
258
+ },
259
+ "commit": {
260
+ "type": "object",
261
+ "description": "A commit/tag/branch within the GitLab project",
262
+ "required": [
263
+ "type",
264
+ "value"
265
+ ],
266
+ "properties": {
267
+ "type": {
268
+ "const": "commit"
269
+ },
270
+ "value": {
271
+ "type": "string",
272
+ "description": "The commit SHA",
273
+ "minLength": 1
274
+ }
275
+ }
276
+ },
277
+ "file_location": {
278
+ "type": "object",
279
+ "description": "A location within a file in the project",
280
+ "required": [
281
+ "type",
282
+ "file_name",
283
+ "line_start"
284
+ ],
285
+ "properties": {
286
+ "type": {
287
+ "const": "file-location"
288
+ },
289
+ "file_name": {
290
+ "type": "string",
291
+ "minLength": 1
292
+ },
293
+ "line_start": {
294
+ "type": "integer"
295
+ },
296
+ "line_end": {
297
+ "type": "integer"
298
+ }
299
+ }
300
+ },
301
+ "module_location": {
302
+ "type": "object",
303
+ "description": "A location within a binary module of the form module+relative_offset",
304
+ "required": [
305
+ "type",
306
+ "module_name",
307
+ "offset"
308
+ ],
309
+ "properties": {
310
+ "type": {
311
+ "const": "module-location"
312
+ },
313
+ "module_name": {
314
+ "type": "string",
315
+ "minLength": 1,
316
+ "examples": [
317
+ "compiled_binary"
318
+ ]
319
+ },
320
+ "offset": {
321
+ "type": "integer",
322
+ "examples": [
323
+ 100
324
+ ]
325
+ }
326
+ }
327
+ }
328
+ },
329
+ "self": {
330
+ "version": "15.0.5"
331
+ },
332
+ "type": "object",
333
+ "required": [
334
+ "scan",
335
+ "version",
336
+ "vulnerabilities"
337
+ ],
338
+ "additionalProperties": true,
339
+ "properties": {
340
+ "scan": {
341
+ "type": "object",
342
+ "required": [
343
+ "analyzer",
344
+ "end_time",
345
+ "scanned_resources",
346
+ "scanner",
347
+ "start_time",
348
+ "status",
349
+ "type"
350
+ ],
351
+ "properties": {
352
+ "end_time": {
353
+ "type": "string",
354
+ "description": "ISO8601 UTC value with format yyyy-mm-ddThh:mm:ss, representing when the scan finished.",
355
+ "pattern": "^\\d{4}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}$",
356
+ "examples": [
357
+ "2020-01-28T03:26:02"
358
+ ]
359
+ },
360
+ "messages": {
361
+ "type": "array",
362
+ "items": {
363
+ "type": "object",
364
+ "description": "Communication intended for the initiator of a scan.",
365
+ "required": [
366
+ "level",
367
+ "value"
368
+ ],
369
+ "properties": {
370
+ "level": {
371
+ "type": "string",
372
+ "description": "Describes the severity of the communication. Use info to communicate normal scan behaviour; warn to communicate a potentially recoverable problem, or a partial error; fatal to communicate an issue that causes the scan to halt.",
373
+ "enum": [
374
+ "info",
375
+ "warn",
376
+ "fatal"
377
+ ],
378
+ "examples": [
379
+ "info"
380
+ ]
381
+ },
382
+ "value": {
383
+ "type": "string",
384
+ "description": "The message to communicate.",
385
+ "minLength": 1,
386
+ "examples": [
387
+ "Permission denied, scanning aborted"
388
+ ]
389
+ }
390
+ }
391
+ }
392
+ },
393
+ "options": {
394
+ "type": "array",
395
+ "items": {
396
+ "type": "object",
397
+ "description": "A configuration option used for this scan.",
398
+ "required": [
399
+ "name",
400
+ "value"
401
+ ],
402
+ "properties": {
403
+ "name": {
404
+ "type": "string",
405
+ "description": "The configuration option name.",
406
+ "maxLength": 255,
407
+ "minLength": 1,
408
+ "examples": [
409
+ "DAST_FF_ENABLE_BAS",
410
+ "DOCKER_TLS_CERTDIR",
411
+ "DS_MAX_DEPTH",
412
+ "SECURE_LOG_LEVEL"
413
+ ]
414
+ },
415
+ "source": {
416
+ "type": "string",
417
+ "description": "The source of this option.",
418
+ "enum": [
419
+ "argument",
420
+ "file",
421
+ "env_variable",
422
+ "other"
423
+ ]
424
+ },
425
+ "value": {
426
+ "type": [
427
+ "boolean",
428
+ "integer",
429
+ "null",
430
+ "string"
431
+ ],
432
+ "description": "The value used for this scan.",
433
+ "examples": [
434
+ true,
435
+ 2,
436
+ null,
437
+ "fatal",
438
+ ""
439
+ ]
440
+ }
441
+ }
442
+ }
443
+ },
444
+ "analyzer": {
445
+ "type": "object",
446
+ "description": "Object defining the analyzer used to perform the scan. Analyzers typically delegate to an underlying scanner to run the scan.",
447
+ "required": [
448
+ "id",
449
+ "name",
450
+ "version",
451
+ "vendor"
452
+ ],
453
+ "properties": {
454
+ "id": {
455
+ "type": "string",
456
+ "description": "Unique id that identifies the analyzer.",
457
+ "minLength": 1,
458
+ "examples": [
459
+ "gitlab-dast"
460
+ ]
461
+ },
462
+ "name": {
463
+ "type": "string",
464
+ "description": "A human readable value that identifies the analyzer, not required to be unique.",
465
+ "minLength": 1,
466
+ "examples": [
467
+ "GitLab DAST"
468
+ ]
469
+ },
470
+ "url": {
471
+ "type": "string",
472
+ "pattern": "^https?://.+",
473
+ "description": "A link to more information about the analyzer.",
474
+ "examples": [
475
+ "https://docs.gitlab.com/ee/user/application_security/dast"
476
+ ]
477
+ },
478
+ "vendor": {
479
+ "description": "The vendor/maintainer of the analyzer.",
480
+ "type": "object",
481
+ "required": [
482
+ "name"
483
+ ],
484
+ "properties": {
485
+ "name": {
486
+ "type": "string",
487
+ "description": "The name of the vendor.",
488
+ "minLength": 1,
489
+ "examples": [
490
+ "GitLab"
491
+ ]
492
+ }
493
+ }
494
+ },
495
+ "version": {
496
+ "type": "string",
497
+ "description": "The version of the analyzer.",
498
+ "minLength": 1,
499
+ "examples": [
500
+ "1.0.2"
501
+ ]
502
+ }
503
+ }
504
+ },
505
+ "scanner": {
506
+ "type": "object",
507
+ "description": "Object defining the scanner used to perform the scan.",
508
+ "required": [
509
+ "id",
510
+ "name",
511
+ "version",
512
+ "vendor"
513
+ ],
514
+ "properties": {
515
+ "id": {
516
+ "type": "string",
517
+ "description": "Unique id that identifies the scanner.",
518
+ "minLength": 1,
519
+ "examples": [
520
+ "my-sast-scanner"
521
+ ]
522
+ },
523
+ "name": {
524
+ "type": "string",
525
+ "description": "A human readable value that identifies the scanner, not required to be unique.",
526
+ "minLength": 1,
527
+ "examples": [
528
+ "My SAST Scanner"
529
+ ]
530
+ },
531
+ "url": {
532
+ "type": "string",
533
+ "description": "A link to more information about the scanner.",
534
+ "examples": [
535
+ "https://scanner.url"
536
+ ]
537
+ },
538
+ "version": {
539
+ "type": "string",
540
+ "description": "The version of the scanner.",
541
+ "minLength": 1,
542
+ "examples": [
543
+ "1.0.2"
544
+ ]
545
+ },
546
+ "vendor": {
547
+ "description": "The vendor/maintainer of the scanner.",
548
+ "type": "object",
549
+ "required": [
550
+ "name"
551
+ ],
552
+ "properties": {
553
+ "name": {
554
+ "type": "string",
555
+ "description": "The name of the vendor.",
556
+ "minLength": 1,
557
+ "examples": [
558
+ "GitLab"
559
+ ]
560
+ }
561
+ }
562
+ }
563
+ }
564
+ },
565
+ "start_time": {
566
+ "type": "string",
567
+ "description": "ISO8601 UTC value with format yyyy-mm-ddThh:mm:ss, representing when the scan started.",
568
+ "pattern": "^\\d{4}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}$",
569
+ "examples": [
570
+ "2020-02-14T16:01:59"
571
+ ]
572
+ },
573
+ "status": {
574
+ "type": "string",
575
+ "description": "Result of the scan.",
576
+ "enum": [
577
+ "success",
578
+ "failure"
579
+ ]
580
+ },
581
+ "type": {
582
+ "type": "string",
583
+ "description": "Type of the scan.",
584
+ "enum": [
585
+ "dast",
586
+ "api_fuzzing"
587
+ ]
588
+ },
589
+ "primary_identifiers": {
590
+ "type": "array",
591
+ "description": "An unordered array containing an exhaustive list of primary identifiers for which the analyzer may return results",
592
+ "items": {
593
+ "type": "object",
594
+ "required": [
595
+ "type",
596
+ "name",
597
+ "value"
598
+ ],
599
+ "properties": {
600
+ "type": {
601
+ "type": "string",
602
+ "description": "for example, cve, cwe, osvdb, usn, or an analyzer-dependent type such as gemnasium).",
603
+ "minLength": 1
604
+ },
605
+ "name": {
606
+ "type": "string",
607
+ "description": "Human-readable name of the identifier.",
608
+ "minLength": 1
609
+ },
610
+ "url": {
611
+ "type": "string",
612
+ "description": "URL of the identifier's documentation.",
613
+ "pattern": "^https?://.+"
614
+ },
615
+ "value": {
616
+ "type": "string",
617
+ "description": "Value of the identifier, for matching purpose.",
618
+ "minLength": 1
619
+ }
620
+ }
621
+ }
622
+ },
623
+ "scanned_resources": {
624
+ "type": "array",
625
+ "description": "The attack surface scanned by DAST.",
626
+ "items": {
627
+ "type": "object",
628
+ "required": [
629
+ "method",
630
+ "url",
631
+ "type"
632
+ ],
633
+ "properties": {
634
+ "method": {
635
+ "type": "string",
636
+ "minLength": 1,
637
+ "description": "HTTP method of the scanned resource.",
638
+ "examples": [
639
+ "GET",
640
+ "POST",
641
+ "HEAD"
642
+ ]
643
+ },
644
+ "url": {
645
+ "type": "string",
646
+ "minLength": 1,
647
+ "description": "URL of the scanned resource.",
648
+ "examples": [
649
+ "http://my.site.com/a-page"
650
+ ]
651
+ },
652
+ "type": {
653
+ "type": "string",
654
+ "minLength": 1,
655
+ "description": "Type of the scanned resource, for DAST, this must be 'url'.",
656
+ "examples": [
657
+ "url"
658
+ ]
659
+ }
660
+ }
661
+ }
662
+ }
663
+ }
664
+ },
665
+ "schema": {
666
+ "type": "string",
667
+ "description": "URI pointing to the validating security report schema.",
668
+ "pattern": "^https?://.+"
669
+ },
670
+ "version": {
671
+ "type": "string",
672
+ "description": "The version of the schema to which the JSON report conforms.",
673
+ "pattern": "^[0-9]+\\.[0-9]+\\.[0-9]+$"
674
+ },
675
+ "vulnerabilities": {
676
+ "type": "array",
677
+ "description": "Array of vulnerability objects.",
678
+ "items": {
679
+ "type": "object",
680
+ "description": "Describes the vulnerability using GitLab Flavored Markdown",
681
+ "required": [
682
+ "id",
683
+ "identifiers",
684
+ "location"
685
+ ],
686
+ "properties": {
687
+ "id": {
688
+ "type": "string",
689
+ "minLength": 1,
690
+ "description": "Unique identifier of the vulnerability. This is recommended to be a UUID.",
691
+ "examples": [
692
+ "642735a5-1425-428d-8d4e-3c854885a3c9"
693
+ ]
694
+ },
695
+ "name": {
696
+ "type": "string",
697
+ "maxLength": 255,
698
+ "description": "The name of the vulnerability. This must not include the finding's specific information."
699
+ },
700
+ "description": {
701
+ "type": "string",
702
+ "maxLength": 1048576,
703
+ "description": "A long text section describing the vulnerability more fully."
704
+ },
705
+ "severity": {
706
+ "type": "string",
707
+ "description": "How much the vulnerability impacts the software. Possible values are Info, Unknown, Low, Medium, High, or Critical. Note that some analyzers may not report all these possible values.",
708
+ "enum": [
709
+ "Info",
710
+ "Unknown",
711
+ "Low",
712
+ "Medium",
713
+ "High",
714
+ "Critical"
715
+ ]
716
+ },
717
+ "solution": {
718
+ "type": "string",
719
+ "maxLength": 7000,
720
+ "description": "Explanation of how to fix the vulnerability."
721
+ },
722
+ "identifiers": {
723
+ "type": "array",
724
+ "minItems": 1,
725
+ "description": "An ordered array of references that identify a vulnerability on internal or external databases. The first identifier is the Primary Identifier, which has special meaning.",
726
+ "items": {
727
+ "type": "object",
728
+ "required": [
729
+ "type",
730
+ "name",
731
+ "value"
732
+ ],
733
+ "properties": {
734
+ "type": {
735
+ "type": "string",
736
+ "description": "for example, cve, cwe, osvdb, usn, or an analyzer-dependent type such as gemnasium).",
737
+ "minLength": 1
738
+ },
739
+ "name": {
740
+ "type": "string",
741
+ "description": "Human-readable name of the identifier.",
742
+ "minLength": 1
743
+ },
744
+ "url": {
745
+ "type": "string",
746
+ "description": "URL of the identifier's documentation.",
747
+ "pattern": "^https?://.+"
748
+ },
749
+ "value": {
750
+ "type": "string",
751
+ "description": "Value of the identifier, for matching purpose.",
752
+ "minLength": 1
753
+ }
754
+ }
755
+ }
756
+ },
757
+ "links": {
758
+ "type": "array",
759
+ "description": "An array of references to external documentation or articles that describe the vulnerability.",
760
+ "items": {
761
+ "type": "object",
762
+ "required": [
763
+ "url"
764
+ ],
765
+ "properties": {
766
+ "name": {
767
+ "type": "string",
768
+ "description": "Name of the vulnerability details link."
769
+ },
770
+ "url": {
771
+ "type": "string",
772
+ "description": "URL of the vulnerability details document.",
773
+ "pattern": "^https?://.+"
774
+ }
775
+ }
776
+ }
777
+ },
778
+ "details": {
779
+ "$ref": "#/definitions/named_list/properties/items"
780
+ },
781
+ "tracking": {
782
+ "type": "object",
783
+ "description": "Describes how this vulnerability should be tracked as the project changes.",
784
+ "oneOf": [
785
+ {
786
+ "description": "Declares that a series of items should be tracked using source-specific tracking methods.",
787
+ "required": [
788
+ "items"
789
+ ],
790
+ "properties": {
791
+ "type": {
792
+ "const": "source"
793
+ },
794
+ "items": {
795
+ "type": "array",
796
+ "items": {
797
+ "description": "An item that should be tracked using source-specific tracking methods.",
798
+ "type": "object",
799
+ "required": [
800
+ "signatures"
801
+ ],
802
+ "properties": {
803
+ "file": {
804
+ "type": "string",
805
+ "description": "Path to the file where the vulnerability is located."
806
+ },
807
+ "start_line": {
808
+ "type": "number",
809
+ "description": "The first line of the file that includes the vulnerability."
810
+ },
811
+ "end_line": {
812
+ "type": "number",
813
+ "description": "The last line of the file that includes the vulnerability."
814
+ },
815
+ "signatures": {
816
+ "type": "array",
817
+ "description": "An array of calculated tracking signatures for this tracking item.",
818
+ "minItems": 1,
819
+ "items": {
820
+ "description": "A calculated tracking signature value and metadata.",
821
+ "type": "object",
822
+ "required": [
823
+ "algorithm",
824
+ "value"
825
+ ],
826
+ "properties": {
827
+ "algorithm": {
828
+ "type": "string",
829
+ "description": "The algorithm used to generate the signature."
830
+ },
831
+ "value": {
832
+ "type": "string",
833
+ "description": "The result of this signature algorithm."
834
+ }
835
+ }
836
+ }
837
+ }
838
+ }
839
+ }
840
+ }
841
+ }
842
+ }
843
+ ],
844
+ "properties": {
845
+ "type": {
846
+ "type": "string",
847
+ "description": "Each tracking type must declare its own type."
848
+ }
849
+ }
850
+ },
851
+ "flags": {
852
+ "description": "Flags that can be attached to vulnerabilities.",
853
+ "type": "array",
854
+ "items": {
855
+ "type": "object",
856
+ "description": "Informational flags identified and assigned to a vulnerability.",
857
+ "required": [
858
+ "type",
859
+ "origin",
860
+ "description"
861
+ ],
862
+ "properties": {
863
+ "type": {
864
+ "type": "string",
865
+ "minLength": 1,
866
+ "description": "Result of the scan.",
867
+ "enum": [
868
+ "flagged-as-likely-false-positive"
869
+ ]
870
+ },
871
+ "origin": {
872
+ "minLength": 1,
873
+ "description": "Tool that issued the flag.",
874
+ "type": "string"
875
+ },
876
+ "description": {
877
+ "minLength": 1,
878
+ "description": "What the flag is about.",
879
+ "type": "string"
880
+ }
881
+ }
882
+ }
883
+ },
884
+ "evidence": {
885
+ "type": "object",
886
+ "properties": {
887
+ "source": {
888
+ "type": "object",
889
+ "description": "Source of evidence",
890
+ "required": [
891
+ "id",
892
+ "name"
893
+ ],
894
+ "properties": {
895
+ "id": {
896
+ "type": "string",
897
+ "minLength": 1,
898
+ "description": "Unique source identifier",
899
+ "examples": [
900
+ "assert:LogAnalysis",
901
+ "assert:StatusCode"
902
+ ]
903
+ },
904
+ "name": {
905
+ "type": "string",
906
+ "minLength": 1,
907
+ "description": "Source display name",
908
+ "examples": [
909
+ "Log Analysis",
910
+ "Status Code"
911
+ ]
912
+ },
913
+ "url": {
914
+ "type": "string",
915
+ "description": "Link to additional information",
916
+ "examples": [
917
+ "https://docs.gitlab.com/ee/development/integrations/secure.html"
918
+ ]
919
+ }
920
+ }
921
+ },
922
+ "summary": {
923
+ "type": "string",
924
+ "description": "Human readable string containing evidence of the vulnerability.",
925
+ "examples": [
926
+ "Credit card 4111111111111111 found",
927
+ "Server leaked information nginx/1.17.6"
928
+ ]
929
+ },
930
+ "request": {
931
+ "type": "object",
932
+ "description": "An HTTP request.",
933
+ "required": [
934
+ "headers",
935
+ "method",
936
+ "url"
937
+ ],
938
+ "properties": {
939
+ "headers": {
940
+ "type": "array",
941
+ "description": "HTTP headers present on the request.",
942
+ "items": {
943
+ "type": "object",
944
+ "required": [
945
+ "name",
946
+ "value"
947
+ ],
948
+ "properties": {
949
+ "name": {
950
+ "type": "string",
951
+ "minLength": 1,
952
+ "description": "Name of the HTTP header.",
953
+ "examples": [
954
+ "Accept",
955
+ "Content-Length",
956
+ "Content-Type"
957
+ ]
958
+ },
959
+ "value": {
960
+ "type": "string",
961
+ "description": "Value of the HTTP header.",
962
+ "examples": [
963
+ "*/*",
964
+ "560",
965
+ "application/json; charset=utf-8"
966
+ ]
967
+ }
968
+ }
969
+ }
970
+ },
971
+ "method": {
972
+ "type": "string",
973
+ "minLength": 1,
974
+ "description": "HTTP method used in the request.",
975
+ "examples": [
976
+ "GET",
977
+ "POST"
978
+ ]
979
+ },
980
+ "url": {
981
+ "type": "string",
982
+ "minLength": 1,
983
+ "description": "URL of the request.",
984
+ "examples": [
985
+ "http://my.site.com/vulnerable-endpoint?show-credit-card"
986
+ ]
987
+ },
988
+ "body": {
989
+ "type": "string",
990
+ "description": "Body of the request for display purposes. Body must be suitable for display (not binary), and truncated to a reasonable size.",
991
+ "examples": [
992
+ "user=jsmith&first=%27&last=smith"
993
+ ]
994
+ }
995
+ }
996
+ },
997
+ "response": {
998
+ "type": "object",
999
+ "description": "An HTTP response.",
1000
+ "required": [
1001
+ "headers",
1002
+ "reason_phrase",
1003
+ "status_code"
1004
+ ],
1005
+ "properties": {
1006
+ "headers": {
1007
+ "type": "array",
1008
+ "description": "HTTP headers present on the request.",
1009
+ "items": {
1010
+ "type": "object",
1011
+ "required": [
1012
+ "name",
1013
+ "value"
1014
+ ],
1015
+ "properties": {
1016
+ "name": {
1017
+ "type": "string",
1018
+ "minLength": 1,
1019
+ "description": "Name of the HTTP header.",
1020
+ "examples": [
1021
+ "Accept",
1022
+ "Content-Length",
1023
+ "Content-Type"
1024
+ ]
1025
+ },
1026
+ "value": {
1027
+ "type": "string",
1028
+ "description": "Value of the HTTP header.",
1029
+ "examples": [
1030
+ "*/*",
1031
+ "560",
1032
+ "application/json; charset=utf-8"
1033
+ ]
1034
+ }
1035
+ }
1036
+ }
1037
+ },
1038
+ "reason_phrase": {
1039
+ "type": "string",
1040
+ "description": "HTTP reason phrase of the response.",
1041
+ "examples": [
1042
+ "OK",
1043
+ "Internal Server Error"
1044
+ ]
1045
+ },
1046
+ "status_code": {
1047
+ "type": "integer",
1048
+ "description": "HTTP status code of the response.",
1049
+ "examples": [
1050
+ 200,
1051
+ 500
1052
+ ]
1053
+ },
1054
+ "body": {
1055
+ "type": "string",
1056
+ "description": "Body of the response for display purposes. Body must be suitable for display (not binary), and truncated to a reasonable size.",
1057
+ "examples": [
1058
+ "{\"user_id\": 2}"
1059
+ ]
1060
+ }
1061
+ }
1062
+ },
1063
+ "supporting_messages": {
1064
+ "type": "array",
1065
+ "description": "Array of supporting http messages.",
1066
+ "items": {
1067
+ "type": "object",
1068
+ "description": "A supporting http message.",
1069
+ "required": [
1070
+ "name"
1071
+ ],
1072
+ "properties": {
1073
+ "name": {
1074
+ "type": "string",
1075
+ "minLength": 1,
1076
+ "description": "Message display name.",
1077
+ "examples": [
1078
+ "Unmodified",
1079
+ "Recorded"
1080
+ ]
1081
+ },
1082
+ "request": {
1083
+ "type": "object",
1084
+ "description": "An HTTP request.",
1085
+ "required": [
1086
+ "headers",
1087
+ "method",
1088
+ "url"
1089
+ ],
1090
+ "properties": {
1091
+ "headers": {
1092
+ "type": "array",
1093
+ "description": "HTTP headers present on the request.",
1094
+ "items": {
1095
+ "type": "object",
1096
+ "required": [
1097
+ "name",
1098
+ "value"
1099
+ ],
1100
+ "properties": {
1101
+ "name": {
1102
+ "type": "string",
1103
+ "minLength": 1,
1104
+ "description": "Name of the HTTP header.",
1105
+ "examples": [
1106
+ "Accept",
1107
+ "Content-Length",
1108
+ "Content-Type"
1109
+ ]
1110
+ },
1111
+ "value": {
1112
+ "type": "string",
1113
+ "description": "Value of the HTTP header.",
1114
+ "examples": [
1115
+ "*/*",
1116
+ "560",
1117
+ "application/json; charset=utf-8"
1118
+ ]
1119
+ }
1120
+ }
1121
+ }
1122
+ },
1123
+ "method": {
1124
+ "type": "string",
1125
+ "minLength": 1,
1126
+ "description": "HTTP method used in the request.",
1127
+ "examples": [
1128
+ "GET",
1129
+ "POST"
1130
+ ]
1131
+ },
1132
+ "url": {
1133
+ "type": "string",
1134
+ "minLength": 1,
1135
+ "description": "URL of the request.",
1136
+ "examples": [
1137
+ "http://my.site.com/vulnerable-endpoint?show-credit-card"
1138
+ ]
1139
+ },
1140
+ "body": {
1141
+ "type": "string",
1142
+ "description": "Body of the request for display purposes. Body must be suitable for display (not binary), and truncated to a reasonable size.",
1143
+ "examples": [
1144
+ "user=jsmith&first=%27&last=smith"
1145
+ ]
1146
+ }
1147
+ }
1148
+ },
1149
+ "response": {
1150
+ "type": "object",
1151
+ "description": "An HTTP response.",
1152
+ "required": [
1153
+ "headers",
1154
+ "reason_phrase",
1155
+ "status_code"
1156
+ ],
1157
+ "properties": {
1158
+ "headers": {
1159
+ "type": "array",
1160
+ "description": "HTTP headers present on the request.",
1161
+ "items": {
1162
+ "type": "object",
1163
+ "required": [
1164
+ "name",
1165
+ "value"
1166
+ ],
1167
+ "properties": {
1168
+ "name": {
1169
+ "type": "string",
1170
+ "minLength": 1,
1171
+ "description": "Name of the HTTP header.",
1172
+ "examples": [
1173
+ "Accept",
1174
+ "Content-Length",
1175
+ "Content-Type"
1176
+ ]
1177
+ },
1178
+ "value": {
1179
+ "type": "string",
1180
+ "description": "Value of the HTTP header.",
1181
+ "examples": [
1182
+ "*/*",
1183
+ "560",
1184
+ "application/json; charset=utf-8"
1185
+ ]
1186
+ }
1187
+ }
1188
+ }
1189
+ },
1190
+ "reason_phrase": {
1191
+ "type": "string",
1192
+ "description": "HTTP reason phrase of the response.",
1193
+ "examples": [
1194
+ "OK",
1195
+ "Internal Server Error"
1196
+ ]
1197
+ },
1198
+ "status_code": {
1199
+ "type": "integer",
1200
+ "description": "HTTP status code of the response.",
1201
+ "examples": [
1202
+ 200,
1203
+ 500
1204
+ ]
1205
+ },
1206
+ "body": {
1207
+ "type": "string",
1208
+ "description": "Body of the response for display purposes. Body must be suitable for display (not binary), and truncated to a reasonable size.",
1209
+ "examples": [
1210
+ "{\"user_id\": 2}"
1211
+ ]
1212
+ }
1213
+ }
1214
+ }
1215
+ }
1216
+ }
1217
+ }
1218
+ }
1219
+ },
1220
+ "location": {
1221
+ "type": "object",
1222
+ "description": "Identifies the vulnerability's location.",
1223
+ "properties": {
1224
+ "hostname": {
1225
+ "type": "string",
1226
+ "description": "The protocol, domain, and port of the application where the vulnerability was found."
1227
+ },
1228
+ "method": {
1229
+ "type": "string",
1230
+ "description": "The HTTP method that was used to request the URL where the vulnerability was found."
1231
+ },
1232
+ "param": {
1233
+ "type": "string",
1234
+ "description": "A value provided by a vulnerability rule related to the found vulnerability. Examples include a header value, or a parameter used in a HTTP POST."
1235
+ },
1236
+ "path": {
1237
+ "type": "string",
1238
+ "description": "The path of the URL where the vulnerability was found. Typically, this would start with a forward slash."
1239
+ }
1240
+ }
1241
+ },
1242
+ "assets": {
1243
+ "type": "array",
1244
+ "description": "Array of build assets associated with vulnerability.",
1245
+ "items": {
1246
+ "type": "object",
1247
+ "description": "Describes an asset associated with vulnerability.",
1248
+ "required": [
1249
+ "type",
1250
+ "name",
1251
+ "url"
1252
+ ],
1253
+ "properties": {
1254
+ "type": {
1255
+ "type": "string",
1256
+ "description": "The type of asset",
1257
+ "enum": [
1258
+ "http_session",
1259
+ "postman"
1260
+ ]
1261
+ },
1262
+ "name": {
1263
+ "type": "string",
1264
+ "minLength": 1,
1265
+ "description": "Display name for asset",
1266
+ "examples": [
1267
+ "HTTP Messages",
1268
+ "Postman Collection"
1269
+ ]
1270
+ },
1271
+ "url": {
1272
+ "type": "string",
1273
+ "minLength": 1,
1274
+ "description": "Link to asset in build artifacts",
1275
+ "examples": [
1276
+ "https://gitlab.com/gitlab-org/security-products/dast/-/jobs/626397001/artifacts/file//output/zap_session.data"
1277
+ ]
1278
+ }
1279
+ }
1280
+ }
1281
+ }
1282
+ }
1283
+ }
1284
+ },
1285
+ "remediations": {
1286
+ "type": "array",
1287
+ "description": "An array of objects containing information on available remediations, along with patch diffs to apply.",
1288
+ "items": {
1289
+ "type": "object",
1290
+ "required": [
1291
+ "fixes",
1292
+ "summary",
1293
+ "diff"
1294
+ ],
1295
+ "properties": {
1296
+ "fixes": {
1297
+ "type": "array",
1298
+ "description": "An array of strings that represent references to vulnerabilities fixed by this remediation.",
1299
+ "items": {
1300
+ "type": "object",
1301
+ "required": [
1302
+ "id"
1303
+ ],
1304
+ "properties": {
1305
+ "id": {
1306
+ "type": "string",
1307
+ "minLength": 1,
1308
+ "description": "Unique identifier of the vulnerability. This is recommended to be a UUID.",
1309
+ "examples": [
1310
+ "642735a5-1425-428d-8d4e-3c854885a3c9"
1311
+ ]
1312
+ }
1313
+ }
1314
+ }
1315
+ },
1316
+ "summary": {
1317
+ "type": "string",
1318
+ "minLength": 1,
1319
+ "description": "An overview of how the vulnerabilities were fixed."
1320
+ },
1321
+ "diff": {
1322
+ "type": "string",
1323
+ "minLength": 1,
1324
+ "description": "A base64-encoded remediation code diff, compatible with git apply."
1325
+ }
1326
+ }
1327
+ }
1328
+ }
1329
+ }
1330
+ }