gitlab-security_report_schemas 0.1.0.min15.1.0.max15.1.0 → 0.1.1.min15.0.0.max15.1.4

Files changed (89) hide show
  1. checksums.yaml +4 -4
  2. data/Gemfile.lock +6 -9
  3. data/README.md +14 -10
  4. data/RUNBOOK.md +28 -0
  5. data/Rakefile +1 -1
  6. data/gem_version +1 -1
  7. data/gitlab-security_report_schemas.gemspec +1 -1
  8. data/lib/gitlab/security_report_schemas/configuration.rb +2 -2
  9. data/lib/gitlab/security_report_schemas/version.rb +1 -3
  10. data/schemas/15.0.0/cluster-image-scanning-report-format.json +946 -0
  11. data/schemas/15.0.0/container-scanning-report-format.json +880 -0
  12. data/schemas/15.0.0/coverage-fuzzing-report-format.json +836 -0
  13. data/schemas/15.0.0/dast-report-format.json +1241 -0
  14. data/schemas/15.0.0/dependency-scanning-report-format.json +944 -0
  15. data/schemas/15.0.0/sast-report-format.json +831 -0
  16. data/schemas/15.0.0/secret-detection-report-format.json +854 -0
  17. data/schemas/15.0.1/cluster-image-scanning-report-format.json +980 -0
  18. data/schemas/15.0.1/container-scanning-report-format.json +914 -0
  19. data/schemas/15.0.1/coverage-fuzzing-report-format.json +870 -0
  20. data/schemas/15.0.1/dast-report-format.json +1275 -0
  21. data/schemas/15.0.1/dependency-scanning-report-format.json +978 -0
  22. data/schemas/15.0.1/sast-report-format.json +865 -0
  23. data/schemas/15.0.1/secret-detection-report-format.json +888 -0
  24. data/schemas/15.0.2/cluster-image-scanning-report-format.json +980 -0
  25. data/schemas/15.0.2/container-scanning-report-format.json +912 -0
  26. data/schemas/15.0.2/coverage-fuzzing-report-format.json +870 -0
  27. data/schemas/15.0.2/dast-report-format.json +1275 -0
  28. data/schemas/15.0.2/dependency-scanning-report-format.json +978 -0
  29. data/schemas/15.0.2/sast-report-format.json +865 -0
  30. data/schemas/15.0.2/secret-detection-report-format.json +888 -0
  31. data/schemas/15.0.4/cluster-image-scanning-report-format.json +984 -0
  32. data/schemas/15.0.4/container-scanning-report-format.json +916 -0
  33. data/schemas/15.0.4/coverage-fuzzing-report-format.json +874 -0
  34. data/schemas/15.0.4/dast-report-format.json +1279 -0
  35. data/schemas/15.0.4/dependency-scanning-report-format.json +982 -0
  36. data/schemas/15.0.4/sast-report-format.json +869 -0
  37. data/schemas/15.0.4/secret-detection-report-format.json +893 -0
  38. data/schemas/15.0.5/cluster-image-scanning-report-format.json +1035 -0
  39. data/schemas/15.0.5/container-scanning-report-format.json +967 -0
  40. data/schemas/15.0.5/coverage-fuzzing-report-format.json +925 -0
  41. data/schemas/15.0.5/dast-report-format.json +1330 -0
  42. data/schemas/15.0.5/dependency-scanning-report-format.json +1033 -0
  43. data/schemas/15.0.5/sast-report-format.json +920 -0
  44. data/schemas/15.0.5/secret-detection-report-format.json +944 -0
  45. data/schemas/15.0.6/cluster-image-scanning-report-format.json +1035 -0
  46. data/schemas/15.0.6/container-scanning-report-format.json +967 -0
  47. data/schemas/15.0.6/coverage-fuzzing-report-format.json +925 -0
  48. data/schemas/15.0.6/dast-report-format.json +1330 -0
  49. data/schemas/15.0.6/dependency-scanning-report-format.json +1033 -0
  50. data/schemas/15.0.6/sast-report-format.json +920 -0
  51. data/schemas/15.0.6/secret-detection-report-format.json +944 -0
  52. data/schemas/15.0.7/cluster-image-scanning-report-format.json +1085 -0
  53. data/schemas/15.0.7/container-scanning-report-format.json +1017 -0
  54. data/schemas/15.0.7/coverage-fuzzing-report-format.json +975 -0
  55. data/schemas/15.0.7/dast-report-format.json +1380 -0
  56. data/schemas/15.0.7/dependency-scanning-report-format.json +1083 -0
  57. data/schemas/15.0.7/sast-report-format.json +970 -0
  58. data/schemas/15.0.7/secret-detection-report-format.json +994 -0
  59. data/schemas/15.1.1/cluster-image-scanning-report-format.json +1065 -0
  60. data/schemas/15.1.1/container-scanning-for-registry-report-format.json +0 -0
  61. data/schemas/15.1.1/container-scanning-report-format.json +998 -0
  62. data/schemas/15.1.1/coverage-fuzzing-report-format.json +975 -0
  63. data/schemas/15.1.1/dast-report-format.json +1380 -0
  64. data/schemas/15.1.1/dependency-scanning-report-format.json +986 -0
  65. data/schemas/15.1.1/sast-report-format.json +970 -0
  66. data/schemas/15.1.1/secret-detection-report-format.json +994 -0
  67. data/schemas/15.1.2/cluster-image-scanning-report-format.json +1190 -0
  68. data/schemas/15.1.2/container-scanning-report-format.json +1123 -0
  69. data/schemas/15.1.2/coverage-fuzzing-report-format.json +1100 -0
  70. data/schemas/15.1.2/dast-report-format.json +1505 -0
  71. data/schemas/15.1.2/dependency-scanning-report-format.json +1111 -0
  72. data/schemas/15.1.2/sast-report-format.json +1095 -0
  73. data/schemas/15.1.2/secret-detection-report-format.json +1119 -0
  74. data/schemas/15.1.3/cluster-image-scanning-report-format.json +1190 -0
  75. data/schemas/15.1.3/container-scanning-report-format.json +1123 -0
  76. data/schemas/15.1.3/coverage-fuzzing-report-format.json +1100 -0
  77. data/schemas/15.1.3/dast-report-format.json +1505 -0
  78. data/schemas/15.1.3/dependency-scanning-report-format.json +1111 -0
  79. data/schemas/15.1.3/sast-report-format.json +1095 -0
  80. data/schemas/15.1.3/secret-detection-report-format.json +1119 -0
  81. data/schemas/15.1.4/cluster-image-scanning-report-format.json +1190 -0
  82. data/schemas/15.1.4/container-scanning-report-format.json +1123 -0
  83. data/schemas/15.1.4/coverage-fuzzing-report-format.json +1100 -0
  84. data/schemas/15.1.4/dast-report-format.json +1505 -0
  85. data/schemas/15.1.4/dependency-scanning-report-format.json +1111 -0
  86. data/schemas/15.1.4/sast-report-format.json +1095 -0
  87. data/schemas/15.1.4/secret-detection-report-format.json +1119 -0
  88. data/supported_versions +11 -0
  89. metadata +83 -4
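--- a/data/schemas/15.1.1/container-scanning-report-format.json
+++ b/data/schemas/15.1.1/container-scanning-report-format.json
@@ -0,0 +1,998 @@
+ {
+ "$schema": "http://json-schema.org/draft-07/schema#",
+ "$id": "https://gitlab.com/gitlab-org/security-products/security-report-schemas/-/raw/master/dist/container-scanning-report-format.json",
+ "title": "Report format for GitLab Container Scanning",
+ "description": "This schema provides the the report format for Container Scanning (https://docs.gitlab.com/ee/user/application_security/container_scanning).",
+ "definitions": {
+ "detail_type": {
+ "oneOf": [
+ {
+ "$ref": "#/definitions/named_list"
+ },
+ {
+ "$ref": "#/definitions/list"
+ },
+ {
+ "$ref": "#/definitions/table"
+ },
+ {
+ "$ref": "#/definitions/text"
+ },
+ {
+ "$ref": "#/definitions/url"
+ },
+ {
+ "$ref": "#/definitions/code"
+ },
+ {
+ "$ref": "#/definitions/value"
+ },
+ {
+ "$ref": "#/definitions/diff"
+ },
+ {
+ "$ref": "#/definitions/markdown"
+ },
+ {
+ "$ref": "#/definitions/commit"
+ },
+ {
+ "$ref": "#/definitions/file_location"
+ },
+ {
+ "$ref": "#/definitions/module_location"
+ }
+ ]
+ },
+ "text_value": {
+ "type": "string"
+ },
+ "named_field": {
+ "type": "object",
+ "required": [
+ "name"
+ ],
+ "properties": {
+ "name": {
+ "$ref": "#/definitions/text_value",
+ "type": "string",
+ "minLength": 1
+ },
+ "description": {
+ "$ref": "#/definitions/text_value"
+ }
+ }
+ },
+ "named_list": {
+ "type": "object",
+ "description": "An object with named and typed fields",
+ "required": [
+ "type",
+ "items"
+ ],
+ "properties": {
+ "type": {
+ "const": "named-list"
+ },
+ "items": {
+ "type": "object",
+ "patternProperties": {
+ "^.*$": {
+ "allOf": [
+ {
+ "$ref": "#/definitions/named_field"
+ },
+ {
+ "$ref": "#/definitions/detail_type"
+ }
+ ]
+ }
+ }
+ }
+ }
+ },
+ "list": {
+ "type": "object",
+ "description": "A list of typed fields",
+ "required": [
+ "type",
+ "items"
+ ],
+ "properties": {
+ "type": {
+ "const": "list"
+ },
+ "items": {
+ "type": "array",
+ "items": {
+ "$ref": "#/definitions/detail_type"
+ }
+ }
+ }
+ },
+ "table": {
+ "type": "object",
+ "description": "A table of typed fields",
+ "required": [
+ "type",
+ "rows"
+ ],
+ "properties": {
+ "type": {
+ "const": "table"
+ },
+ "header": {
+ "type": "array",
+ "items": {
+ "$ref": "#/definitions/detail_type"
+ }
+ },
+ "rows": {
+ "type": "array",
+ "items": {
+ "type": "array",
+ "items": {
+ "$ref": "#/definitions/detail_type"
+ }
+ }
+ }
+ }
+ },
+ "text": {
+ "type": "object",
+ "description": "Raw text",
+ "required": [
+ "type",
+ "value"
+ ],
+ "properties": {
+ "type": {
+ "const": "text"
+ },
+ "value": {
+ "$ref": "#/definitions/text_value"
+ }
+ }
+ },
+ "url": {
+ "type": "object",
+ "description": "A single URL",
+ "required": [
+ "type",
+ "href"
+ ],
+ "properties": {
+ "type": {
+ "const": "url"
+ },
+ "text": {
+ "$ref": "#/definitions/text_value"
+ },
+ "href": {
+ "type": "string",
+ "minLength": 1,
+ "examples": [
+ "http://mysite.com"
+ ]
+ }
+ }
+ },
+ "code": {
+ "type": "object",
+ "description": "A codeblock",
+ "required": [
+ "type",
+ "value"
+ ],
+ "properties": {
+ "type": {
+ "const": "code"
+ },
+ "value": {
+ "type": "string"
+ },
+ "lang": {
+ "type": "string",
+ "description": "A programming language"
+ }
+ }
+ },
+ "value": {
+ "type": "object",
+ "description": "A field that can store a range of types of value",
+ "required": [
+ "type",
+ "value"
+ ],
+ "properties": {
+ "type": {
+ "const": "value"
+ },
+ "value": {
+ "type": [
+ "number",
+ "string",
+ "boolean"
+ ]
+ }
+ }
+ },
+ "diff": {
+ "type": "object",
+ "description": "A diff",
+ "required": [
+ "type",
+ "before",
+ "after"
+ ],
+ "properties": {
+ "type": {
+ "const": "diff"
+ },
+ "before": {
+ "type": "string"
+ },
+ "after": {
+ "type": "string"
+ }
+ }
+ },
+ "markdown": {
+ "type": "object",
+ "description": "GitLab flavoured markdown, see https://docs.gitlab.com/ee/user/markdown.html",
+ "required": [
+ "type",
+ "value"
+ ],
+ "properties": {
+ "type": {
+ "const": "markdown"
+ },
+ "value": {
+ "$ref": "#/definitions/text_value",
+ "examples": [
+ "Here is markdown `inline code` #1 [test](gitlab.com)\n\n![GitLab Logo](https://about.gitlab.com/images/press/logo/preview/gitlab-logo-white-preview.png)"
+ ]
+ }
+ }
+ },
+ "commit": {
+ "type": "object",
+ "description": "A commit/tag/branch within the GitLab project",
+ "required": [
+ "type",
+ "value"
+ ],
+ "properties": {
+ "type": {
+ "const": "commit"
+ },
+ "value": {
+ "type": "string",
+ "description": "The commit SHA",
+ "minLength": 1
+ }
+ }
+ },
+ "file_location": {
+ "type": "object",
+ "description": "A location within a file in the project",
+ "required": [
+ "type",
+ "file_name",
+ "line_start"
+ ],
+ "properties": {
+ "type": {
+ "const": "file-location"
+ },
+ "file_name": {
+ "type": "string",
+ "minLength": 1
+ },
+ "line_start": {
+ "type": "integer"
+ },
+ "line_end": {
+ "type": "integer"
+ }
+ }
+ },
+ "module_location": {
+ "type": "object",
+ "description": "A location within a binary module of the form module+relative_offset",
+ "required": [
+ "type",
+ "module_name",
+ "offset"
+ ],
+ "properties": {
+ "type": {
+ "const": "module-location"
+ },
+ "module_name": {
+ "type": "string",
+ "minLength": 1,
+ "examples": [
+ "compiled_binary"
+ ]
+ },
+ "offset": {
+ "type": "integer",
+ "examples": [
+ 100
+ ]
+ }
+ }
+ }
+ },
+ "self": {
+ "version": "15.1.1"
+ },
+ "type": "object",
+ "required": [
+ "scan",
+ "version",
+ "vulnerabilities"
+ ],
+ "additionalProperties": true,
+ "properties": {
+ "scan": {
+ "type": "object",
+ "required": [
+ "analyzer",
+ "end_time",
+ "scanner",
+ "start_time",
+ "status",
+ "type"
+ ],
+ "properties": {
+ "end_time": {
+ "type": "string",
+ "description": "ISO8601 UTC value with format yyyy-mm-ddThh:mm:ss, representing when the scan finished.",
+ "pattern": "^\\d{4}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}$",
+ "examples": [
+ "2020-01-28T03:26:02"
+ ]
+ },
+ "messages": {
+ "type": "array",
+ "items": {
+ "type": "object",
+ "description": "Communication intended for the initiator of a scan.",
+ "required": [
+ "level",
+ "value"
+ ],
+ "properties": {
+ "level": {
+ "type": "string",
+ "description": "Describes the severity of the communication. Use info to communicate normal scan behaviour; warn to communicate a potentially recoverable problem, or a partial error; fatal to communicate an issue that causes the scan to halt.",
+ "enum": [
+ "info",
+ "warn",
+ "fatal"
+ ],
+ "examples": [
+ "info"
+ ]
+ },
+ "value": {
+ "type": "string",
+ "description": "The message to communicate.",
+ "minLength": 1,
+ "examples": [
+ "Permission denied, scanning aborted"
+ ]
+ }
+ }
+ }
+ },
+ "options": {
+ "type": "array",
+ "items": {
+ "type": "object",
+ "description": "A configuration option used for this scan.",
+ "required": [
+ "name",
+ "value"
+ ],
+ "properties": {
+ "name": {
+ "type": "string",
+ "description": "The configuration option name.",
+ "maxLength": 255,
+ "minLength": 1,
+ "examples": [
+ "DAST_FF_ENABLE_BAS",
+ "DOCKER_TLS_CERTDIR",
+ "DS_MAX_DEPTH",
+ "SECURE_LOG_LEVEL"
+ ]
+ },
+ "source": {
+ "type": "string",
+ "description": "The source of this option.",
+ "enum": [
+ "argument",
+ "file",
+ "env_variable",
+ "other"
+ ]
+ },
+ "value": {
+ "type": [
+ "boolean",
+ "integer",
+ "null",
+ "string"
+ ],
+ "description": "The value used for this scan.",
+ "examples": [
+ true,
+ 2,
+ null,
+ "fatal",
+ ""
+ ]
+ }
+ }
+ }
+ },
+ "analyzer": {
+ "type": "object",
+ "description": "Object defining the analyzer used to perform the scan. Analyzers typically delegate to an underlying scanner to run the scan.",
+ "required": [
+ "id",
+ "name",
+ "version",
+ "vendor"
+ ],
+ "properties": {
+ "id": {
+ "type": "string",
+ "description": "Unique id that identifies the analyzer.",
+ "minLength": 1,
+ "examples": [
+ "gitlab-dast"
+ ]
+ },
+ "name": {
+ "type": "string",
+ "description": "A human readable value that identifies the analyzer, not required to be unique.",
+ "minLength": 1,
+ "examples": [
+ "GitLab DAST"
+ ]
+ },
+ "url": {
+ "type": "string",
+ "pattern": "^https?://.+",
+ "description": "A link to more information about the analyzer.",
+ "examples": [
+ "https://docs.gitlab.com/ee/user/application_security/dast"
+ ]
+ },
+ "vendor": {
+ "description": "The vendor/maintainer of the analyzer.",
+ "type": "object",
+ "required": [
+ "name"
+ ],
+ "properties": {
+ "name": {
+ "type": "string",
+ "description": "The name of the vendor.",
+ "minLength": 1,
+ "examples": [
+ "GitLab"
+ ]
+ }
+ }
+ },
+ "version": {
+ "type": "string",
+ "description": "The version of the analyzer.",
+ "minLength": 1,
+ "examples": [
+ "1.0.2"
+ ]
+ }
+ }
+ },
+ "scanner": {
+ "type": "object",
+ "description": "Object defining the scanner used to perform the scan.",
+ "required": [
+ "id",
+ "name",
+ "version",
+ "vendor"
+ ],
+ "properties": {
+ "id": {
+ "type": "string",
+ "description": "Unique id that identifies the scanner.",
+ "minLength": 1,
+ "examples": [
+ "my-sast-scanner"
+ ]
+ },
+ "name": {
+ "type": "string",
+ "description": "A human readable value that identifies the scanner, not required to be unique.",
+ "minLength": 1,
+ "examples": [
+ "My SAST Scanner"
+ ]
+ },
+ "url": {
+ "type": "string",
+ "description": "A link to more information about the scanner.",
+ "examples": [
+ "https://scanner.url"
+ ]
+ },
+ "version": {
+ "type": "string",
+ "description": "The version of the scanner.",
+ "minLength": 1,
+ "examples": [
+ "1.0.2"
+ ]
+ },
+ "vendor": {
+ "description": "The vendor/maintainer of the scanner.",
+ "type": "object",
+ "required": [
+ "name"
+ ],
+ "properties": {
+ "name": {
+ "type": "string",
+ "description": "The name of the vendor.",
+ "minLength": 1,
+ "examples": [
+ "GitLab"
+ ]
+ }
+ }
+ }
+ }
+ },
+ "start_time": {
+ "type": "string",
+ "description": "ISO8601 UTC value with format yyyy-mm-ddThh:mm:ss, representing when the scan started.",
+ "pattern": "^\\d{4}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}$",
+ "examples": [
+ "2020-02-14T16:01:59"
+ ]
+ },
+ "status": {
+ "type": "string",
+ "description": "Result of the scan.",
+ "enum": [
+ "success",
+ "failure"
+ ]
+ },
+ "type": {
+ "type": "string",
+ "description": "Type of the scan.",
+ "enum": [
+ "container_scanning",
+ "container_scanning_for_registry"
+ ]
+ },
+ "primary_identifiers": {
+ "type": "array",
+ "description": "An unordered array containing an exhaustive list of primary identifiers for which the analyzer may return results",
+ "items": {
+ "type": "object",
+ "required": [
+ "type",
+ "name",
+ "value"
+ ],
+ "properties": {
+ "type": {
+ "type": "string",
+ "description": "for example, cve, cwe, osvdb, usn, or an analyzer-dependent type such as gemnasium).",
+ "minLength": 1
+ },
+ "name": {
+ "type": "string",
+ "description": "Human-readable name of the identifier.",
+ "minLength": 1
+ },
+ "url": {
+ "type": "string",
+ "description": "URL of the identifier's documentation.",
+ "pattern": "^(https?|ftp)://.+"
+ },
+ "value": {
+ "type": "string",
+ "description": "Value of the identifier, for matching purpose.",
+ "minLength": 1
+ }
+ }
+ }
+ }
+ }
+ },
+ "schema": {
+ "type": "string",
+ "description": "URI pointing to the validating security report schema.",
+ "pattern": "^https?://.+"
+ },
+ "version": {
+ "type": "string",
+ "description": "The version of the schema to which the JSON report conforms.",
+ "pattern": "^[0-9]+\\.[0-9]+\\.[0-9]+$"
+ },
+ "vulnerabilities": {
+ "type": "array",
+ "description": "Array of vulnerability objects.",
+ "items": {
+ "type": "object",
+ "description": "Describes the vulnerability using GitLab Flavored Markdown",
+ "required": [
+ "id",
+ "identifiers",
+ "location"
+ ],
+ "properties": {
+ "id": {
+ "type": "string",
+ "minLength": 1,
+ "description": "Unique identifier of the vulnerability. This is recommended to be a UUID.",
+ "examples": [
+ "642735a5-1425-428d-8d4e-3c854885a3c9"
+ ]
+ },
+ "name": {
+ "type": "string",
+ "maxLength": 255,
+ "description": "The name of the vulnerability. This must not include the finding's specific information."
+ },
+ "description": {
+ "type": "string",
+ "maxLength": 1048576,
+ "description": "A long text section describing the vulnerability more fully."
+ },
+ "severity": {
+ "type": "string",
+ "description": "How much the vulnerability impacts the software. Possible values are Info, Unknown, Low, Medium, High, or Critical. Note that some analyzers may not report all these possible values.",
+ "enum": [
+ "Info",
+ "Unknown",
+ "Low",
+ "Medium",
+ "High",
+ "Critical"
+ ]
+ },
+ "solution": {
+ "type": "string",
+ "maxLength": 7000,
+ "description": "Explanation of how to fix the vulnerability."
+ },
+ "identifiers": {
+ "type": "array",
+ "minItems": 1,
+ "description": "An ordered array of references that identify a vulnerability on internal or external databases. The first identifier is the Primary Identifier, which has special meaning.",
+ "items": {
+ "type": "object",
+ "required": [
+ "type",
+ "name",
+ "value"
+ ],
+ "properties": {
+ "type": {
+ "type": "string",
+ "description": "for example, cve, cwe, osvdb, usn, or an analyzer-dependent type such as gemnasium).",
+ "minLength": 1
+ },
+ "name": {
+ "type": "string",
+ "description": "Human-readable name of the identifier.",
+ "minLength": 1
+ },
+ "url": {
+ "type": "string",
+ "description": "URL of the identifier's documentation.",
+ "pattern": "^(https?|ftp)://.+"
+ },
+ "value": {
+ "type": "string",
+ "description": "Value of the identifier, for matching purpose.",
+ "minLength": 1
+ }
+ }
+ }
+ },
+ "cvss_vectors": {
+ "type": "array",
+ "minItems": 1,
+ "maxItems": 10,
+ "description": "An ordered array of CVSS vectors, each issued by a vendor to rate the vulnerability. The first item in the array is used as the primary CVSS vector, and is used to filter and sort the vulnerability.",
+ "items": {
+ "oneOf": [
+ {
+ "type": "object",
+ "properties": {
+ "vendor": {
+ "type": "string",
+ "minLength": 1,
+ "default": "unknown"
+ },
+ "vector": {
+ "type": "string",
+ "minLength": 16,
+ "maxLength": 128,
+ "pattern": "^((AV:[NAL]|AC:[LMH]|Au:[MSN]|[CIA]:[NPC]|E:(U|POC|F|H|ND)|RL:(OF|TF|W|U|ND)|RC:(UC|UR|C|ND)|CDP:(N|L|LM|MH|H|ND)|TD:(N|L|M|H|ND)|[CIA]R:(L|M|H|ND))/)*(AV:[NAL]|AC:[LMH]|Au:[MSN]|[CIA]:[NPC]|E:(U|POC|F|H|ND)|RL:(OF|TF|W|U|ND)|RC:(UC|UR|C|ND)|CDP:(N|L|LM|MH|H|ND)|TD:(N|L|M|H|ND)|[CIA]R:(L|M|H|ND))$"
+ }
+ },
+ "required": [
+ "vendor",
+ "vector"
+ ]
+ },
+ {
+ "type": "object",
+ "properties": {
+ "vendor": {
+ "type": "string",
+ "minLength": 1,
+ "default": "unknown"
+ },
+ "vector": {
+ "type": "string",
+ "minLength": 32,
+ "maxLength": 128,
+ "pattern": "^CVSS:3[.][01]/((AV:[NALP]|AC:[LH]|PR:[NLH]|UI:[NR]|S:[UC]|[CIA]:[NLH]|E:[XUPFH]|RL:[XOTWU]|RC:[XURC]|[CIA]R:[XLMH]|MAV:[XNALP]|MAC:[XLH]|MPR:[XNLH]|MUI:[XNR]|MS:[XUC]|M[CIA]:[XNLH])/)*(AV:[NALP]|AC:[LH]|PR:[NLH]|UI:[NR]|S:[UC]|[CIA]:[NLH]|E:[XUPFH]|RL:[XOTWU]|RC:[XURC]|[CIA]R:[XLMH]|MAV:[XNALP]|MAC:[XLH]|MPR:[XNLH]|MUI:[XNR]|MS:[XUC]|M[CIA]:[XNLH])$"
+ }
+ },
+ "required": [
+ "vendor",
+ "vector"
+ ]
+ }
+ ]
+ }
+ },
+ "links": {
+ "type": "array",
+ "description": "An array of references to external documentation or articles that describe the vulnerability.",
+ "items": {
+ "type": "object",
+ "required": [
+ "url"
+ ],
+ "properties": {
+ "name": {
+ "type": "string",
+ "description": "Name of the vulnerability details link."
+ },
+ "url": {
+ "type": "string",
+ "description": "URL of the vulnerability details document.",
+ "pattern": "^(https?|ftp)://.+"
+ }
+ }
+ }
+ },
+ "details": {
+ "$ref": "#/definitions/named_list/properties/items"
+ },
+ "tracking": {
+ "type": "object",
+ "description": "Describes how this vulnerability should be tracked as the project changes.",
+ "oneOf": [
+ {
+ "description": "Declares that a series of items should be tracked using source-specific tracking methods.",
+ "required": [
+ "items"
+ ],
+ "properties": {
+ "type": {
+ "const": "source"
+ },
+ "items": {
+ "type": "array",
+ "items": {
+ "description": "An item that should be tracked using source-specific tracking methods.",
+ "type": "object",
+ "required": [
+ "signatures"
+ ],
+ "properties": {
+ "file": {
+ "type": "string",
+ "description": "Path to the file where the vulnerability is located."
+ },
+ "start_line": {
+ "type": "number",
+ "description": "The first line of the file that includes the vulnerability."
+ },
+ "end_line": {
+ "type": "number",
+ "description": "The last line of the file that includes the vulnerability."
+ },
+ "signatures": {
+ "type": "array",
+ "description": "An array of calculated tracking signatures for this tracking item.",
+ "minItems": 1,
+ "items": {
+ "description": "A calculated tracking signature value and metadata.",
+ "type": "object",
+ "required": [
+ "algorithm",
+ "value"
+ ],
+ "properties": {
+ "algorithm": {
+ "type": "string",
+ "description": "The algorithm used to generate the signature."
+ },
+ "value": {
+ "type": "string",
+ "description": "The result of this signature algorithm."
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ ],
+ "properties": {
+ "type": {
+ "type": "string",
+ "description": "Each tracking type must declare its own type."
+ }
+ }
+ },
+ "flags": {
+ "description": "Flags that can be attached to vulnerabilities.",
+ "type": "array",
+ "items": {
+ "type": "object",
+ "description": "Informational flags identified and assigned to a vulnerability.",
+ "required": [
+ "type",
+ "origin",
+ "description"
+ ],
+ "properties": {
+ "type": {
+ "type": "string",
+ "minLength": 1,
+ "description": "Result of the scan.",
+ "enum": [
+ "flagged-as-likely-false-positive"
+ ]
+ },
+ "origin": {
+ "minLength": 1,
+ "description": "Tool that issued the flag.",
+ "type": "string"
+ },
+ "description": {
+ "minLength": 1,
+ "description": "What the flag is about.",
+ "type": "string"
+ }
+ }
+ }
+ },
+ "location": {
+ "type": "object",
+ "description": "Identifies the vulnerability's location.",
+ "required": [
+ "dependency",
+ "operating_system",
+ "image"
+ ],
+ "properties": {
+ "dependency": {
+ "type": "object",
+ "description": "Describes the dependency of a project where the vulnerability is located.",
+ "required": [
+ "package",
+ "version"
+ ],
+ "properties": {
+ "package": {
+ "type": "object",
+ "description": "Provides information on the package where the vulnerability is located.",
+ "required": [
+ "name"
+ ],
+ "properties": {
+ "name": {
+ "type": "string",
+ "description": "Name of the package where the vulnerability is located."
+ }
+ }
+ },
+ "version": {
+ "type": "string",
+ "description": "Version of the vulnerable package."
+ },
+ "direct": {
+ "type": "boolean",
+ "description": "Tells whether this is a direct, top-level dependency of the scanned project."
+ }
+ }
+ },
+ "operating_system": {
+ "type": "string",
+ "minLength": 1,
+ "description": "The operating system that contains the vulnerable package."
+ },
+ "image": {
+ "type": "string",
+ "minLength": 1,
+ "description": "The analyzed Docker image."
+ },
+ "default_branch_image": {
+ "type": "string",
+ "maxLength": 255,
+ "description": "The name of the image on the default branch."
+ }
+ }
+ }
+ }
+ }
+ },
+ "remediations": {
+ "type": "array",
+ "description": "An array of objects containing information on available remediations, along with patch diffs to apply.",
+ "items": {
+ "type": "object",
+ "required": [
+ "fixes",
+ "summary",
+ "diff"
+ ],
+ "properties": {
+ "fixes": {
+ "type": "array",
+ "description": "An array of strings that represent references to vulnerabilities fixed by this remediation.",
+ "items": {
+ "type": "object",
+ "required": [
+ "id"
+ ],
+ "properties": {
+ "id": {
+ "type": "string",
+ "minLength": 1,
+ "description": "Unique identifier of the vulnerability. This is recommended to be a UUID.",
+ "examples": [
+ "642735a5-1425-428d-8d4e-3c854885a3c9"
+ ]
+ }
+ }
+ }
+ },
+ "summary": {
+ "type": "string",
+ "minLength": 1,
+ "description": "An overview of how the vulnerabilities were fixed."
+ },
+ "diff": {
+ "type": "string",
+ "minLength": 1,
+ "description": "A base64-encoded remediation code diff, compatible with git apply."
+ }
+ }
+ }
+ }
+ }
+ }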
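Review bot: In `definitions.named_field.properties.name` the `"type": "string"` and `"minLength": 1` sit beside a `"$ref"`, and under the draft-07 dialect this file declares a `$ref` replaces its sibling keywords, so the non-empty check on detail field names is never enforced; wrapping it as `"allOf": [{"$ref": "#/definitions/text_value"}, {"type": "string", "minLength": 1}]` makes it effective (the `examples` beside the `$ref` in `definitions.markdown.properties.value` is dropped the same way, though that is annotation only). Separately, `scan.scanner.url` is the only URL property in the file without a scheme pattern, while `scan.analyzer.url`, `primary_identifiers[].url`, `identifiers[].url` and `links[].url` all carry one, so a non-http scheme validates here and would reach any consumer that renders the field as a link; adding `"pattern": "^https?://.+"` as in `scan.analyzer.url` closes that gap. Also, `flags.items.properties.type` reuses the description `Result of the scan.` from `scan.status`; `The type of flag.` would describe the enum correctly. The same three points presumably apply to the other 15.1.x schema files in this release, which are not shown here.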