gitlab-security_report_schemas 0.1.2.min15.0.0.max15.1.4 → 0.1.2.min15.0.0.max15.2.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/Gemfile.lock +1 -1
- data/gem_version +1 -1
- data/schemas/15.2.0/cluster-image-scanning-report-format.json +1227 -0
- data/schemas/15.2.0/container-scanning-report-format.json +1160 -0
- data/schemas/15.2.0/coverage-fuzzing-report-format.json +1137 -0
- data/schemas/15.2.0/dast-report-format.json +1542 -0
- data/schemas/15.2.0/dependency-scanning-report-format.json +1148 -0
- data/schemas/15.2.0/sast-report-format.json +1132 -0
- data/schemas/15.2.0/secret-detection-report-format.json +1156 -0
- data/supported_versions +1 -0
- metadata +9 -2
@@ -0,0 +1,1148 @@
|
|
1
|
+
{
|
2
|
+
"$schema": "http://json-schema.org/draft-07/schema#",
|
3
|
+
"$id": "https://gitlab.com/gitlab-org/security-products/security-report-schemas/-/raw/master/dist/dependency-scanning-report-format.json",
|
4
|
+
"title": "Report format for GitLab Dependency Scanning",
|
5
|
+
"description": "This schema provides the the report format for Dependency Scanning analyzers (https://docs.gitlab.com/ee/user/application_security/dependency_scanning).",
|
6
|
+
"definitions": {
|
7
|
+
"detail_type": {
|
8
|
+
"oneOf": [
|
9
|
+
{
|
10
|
+
"$ref": "#/definitions/named_list"
|
11
|
+
},
|
12
|
+
{
|
13
|
+
"$ref": "#/definitions/list"
|
14
|
+
},
|
15
|
+
{
|
16
|
+
"$ref": "#/definitions/table"
|
17
|
+
},
|
18
|
+
{
|
19
|
+
"$ref": "#/definitions/text"
|
20
|
+
},
|
21
|
+
{
|
22
|
+
"$ref": "#/definitions/url"
|
23
|
+
},
|
24
|
+
{
|
25
|
+
"$ref": "#/definitions/code"
|
26
|
+
},
|
27
|
+
{
|
28
|
+
"$ref": "#/definitions/value"
|
29
|
+
},
|
30
|
+
{
|
31
|
+
"$ref": "#/definitions/diff"
|
32
|
+
},
|
33
|
+
{
|
34
|
+
"$ref": "#/definitions/markdown"
|
35
|
+
},
|
36
|
+
{
|
37
|
+
"$ref": "#/definitions/commit"
|
38
|
+
},
|
39
|
+
{
|
40
|
+
"$ref": "#/definitions/file_location"
|
41
|
+
},
|
42
|
+
{
|
43
|
+
"$ref": "#/definitions/module_location"
|
44
|
+
},
|
45
|
+
{
|
46
|
+
"$ref": "#/definitions/code_flows"
|
47
|
+
}
|
48
|
+
]
|
49
|
+
},
|
50
|
+
"text_value": {
|
51
|
+
"type": "string"
|
52
|
+
},
|
53
|
+
"named_field": {
|
54
|
+
"type": "object",
|
55
|
+
"required": [
|
56
|
+
"name"
|
57
|
+
],
|
58
|
+
"properties": {
|
59
|
+
"name": {
|
60
|
+
"$ref": "#/definitions/text_value",
|
61
|
+
"type": "string",
|
62
|
+
"minLength": 1
|
63
|
+
},
|
64
|
+
"description": {
|
65
|
+
"$ref": "#/definitions/text_value"
|
66
|
+
}
|
67
|
+
}
|
68
|
+
},
|
69
|
+
"named_list": {
|
70
|
+
"type": "object",
|
71
|
+
"description": "An object with named and typed fields",
|
72
|
+
"required": [
|
73
|
+
"type",
|
74
|
+
"items"
|
75
|
+
],
|
76
|
+
"properties": {
|
77
|
+
"type": {
|
78
|
+
"const": "named-list"
|
79
|
+
},
|
80
|
+
"items": {
|
81
|
+
"type": "object",
|
82
|
+
"patternProperties": {
|
83
|
+
"^.*$": {
|
84
|
+
"allOf": [
|
85
|
+
{
|
86
|
+
"$ref": "#/definitions/named_field"
|
87
|
+
},
|
88
|
+
{
|
89
|
+
"$ref": "#/definitions/detail_type"
|
90
|
+
}
|
91
|
+
]
|
92
|
+
}
|
93
|
+
}
|
94
|
+
}
|
95
|
+
}
|
96
|
+
},
|
97
|
+
"list": {
|
98
|
+
"type": "object",
|
99
|
+
"description": "A list of typed fields",
|
100
|
+
"required": [
|
101
|
+
"type",
|
102
|
+
"items"
|
103
|
+
],
|
104
|
+
"properties": {
|
105
|
+
"type": {
|
106
|
+
"const": "list"
|
107
|
+
},
|
108
|
+
"items": {
|
109
|
+
"type": "array",
|
110
|
+
"items": {
|
111
|
+
"$ref": "#/definitions/detail_type"
|
112
|
+
}
|
113
|
+
}
|
114
|
+
}
|
115
|
+
},
|
116
|
+
"table": {
|
117
|
+
"type": "object",
|
118
|
+
"description": "A table of typed fields",
|
119
|
+
"required": [
|
120
|
+
"type",
|
121
|
+
"rows"
|
122
|
+
],
|
123
|
+
"properties": {
|
124
|
+
"type": {
|
125
|
+
"const": "table"
|
126
|
+
},
|
127
|
+
"header": {
|
128
|
+
"type": "array",
|
129
|
+
"items": {
|
130
|
+
"$ref": "#/definitions/detail_type"
|
131
|
+
}
|
132
|
+
},
|
133
|
+
"rows": {
|
134
|
+
"type": "array",
|
135
|
+
"items": {
|
136
|
+
"type": "array",
|
137
|
+
"items": {
|
138
|
+
"$ref": "#/definitions/detail_type"
|
139
|
+
}
|
140
|
+
}
|
141
|
+
}
|
142
|
+
}
|
143
|
+
},
|
144
|
+
"text": {
|
145
|
+
"type": "object",
|
146
|
+
"description": "Raw text",
|
147
|
+
"required": [
|
148
|
+
"type",
|
149
|
+
"value"
|
150
|
+
],
|
151
|
+
"properties": {
|
152
|
+
"type": {
|
153
|
+
"const": "text"
|
154
|
+
},
|
155
|
+
"value": {
|
156
|
+
"$ref": "#/definitions/text_value"
|
157
|
+
}
|
158
|
+
}
|
159
|
+
},
|
160
|
+
"url": {
|
161
|
+
"type": "object",
|
162
|
+
"description": "A single URL",
|
163
|
+
"required": [
|
164
|
+
"type",
|
165
|
+
"href"
|
166
|
+
],
|
167
|
+
"properties": {
|
168
|
+
"type": {
|
169
|
+
"const": "url"
|
170
|
+
},
|
171
|
+
"text": {
|
172
|
+
"$ref": "#/definitions/text_value"
|
173
|
+
},
|
174
|
+
"href": {
|
175
|
+
"type": "string",
|
176
|
+
"minLength": 1,
|
177
|
+
"examples": [
|
178
|
+
"http://mysite.com"
|
179
|
+
]
|
180
|
+
}
|
181
|
+
}
|
182
|
+
},
|
183
|
+
"code": {
|
184
|
+
"type": "object",
|
185
|
+
"description": "A codeblock",
|
186
|
+
"required": [
|
187
|
+
"type",
|
188
|
+
"value"
|
189
|
+
],
|
190
|
+
"properties": {
|
191
|
+
"type": {
|
192
|
+
"const": "code"
|
193
|
+
},
|
194
|
+
"value": {
|
195
|
+
"type": "string"
|
196
|
+
},
|
197
|
+
"lang": {
|
198
|
+
"type": "string",
|
199
|
+
"description": "A programming language"
|
200
|
+
}
|
201
|
+
}
|
202
|
+
},
|
203
|
+
"value": {
|
204
|
+
"type": "object",
|
205
|
+
"description": "A field that can store a range of types of value",
|
206
|
+
"required": [
|
207
|
+
"type",
|
208
|
+
"value"
|
209
|
+
],
|
210
|
+
"properties": {
|
211
|
+
"type": {
|
212
|
+
"const": "value"
|
213
|
+
},
|
214
|
+
"value": {
|
215
|
+
"type": [
|
216
|
+
"number",
|
217
|
+
"string",
|
218
|
+
"boolean"
|
219
|
+
]
|
220
|
+
}
|
221
|
+
}
|
222
|
+
},
|
223
|
+
"diff": {
|
224
|
+
"type": "object",
|
225
|
+
"description": "A diff",
|
226
|
+
"required": [
|
227
|
+
"type",
|
228
|
+
"before",
|
229
|
+
"after"
|
230
|
+
],
|
231
|
+
"properties": {
|
232
|
+
"type": {
|
233
|
+
"const": "diff"
|
234
|
+
},
|
235
|
+
"before": {
|
236
|
+
"type": "string"
|
237
|
+
},
|
238
|
+
"after": {
|
239
|
+
"type": "string"
|
240
|
+
}
|
241
|
+
}
|
242
|
+
},
|
243
|
+
"markdown": {
|
244
|
+
"type": "object",
|
245
|
+
"description": "GitLab flavoured markdown, see https://docs.gitlab.com/ee/user/markdown.html",
|
246
|
+
"required": [
|
247
|
+
"type",
|
248
|
+
"value"
|
249
|
+
],
|
250
|
+
"properties": {
|
251
|
+
"type": {
|
252
|
+
"const": "markdown"
|
253
|
+
},
|
254
|
+
"value": {
|
255
|
+
"$ref": "#/definitions/text_value",
|
256
|
+
"examples": [
|
257
|
+
"Here is markdown `inline code` #1 [test](gitlab.com)\n\n![GitLab Logo](https://about.gitlab.com/images/press/logo/preview/gitlab-logo-white-preview.png)"
|
258
|
+
]
|
259
|
+
}
|
260
|
+
}
|
261
|
+
},
|
262
|
+
"commit": {
|
263
|
+
"type": "object",
|
264
|
+
"description": "A commit/tag/branch within the GitLab project",
|
265
|
+
"required": [
|
266
|
+
"type",
|
267
|
+
"value"
|
268
|
+
],
|
269
|
+
"properties": {
|
270
|
+
"type": {
|
271
|
+
"const": "commit"
|
272
|
+
},
|
273
|
+
"value": {
|
274
|
+
"type": "string",
|
275
|
+
"description": "The commit SHA",
|
276
|
+
"minLength": 1
|
277
|
+
}
|
278
|
+
}
|
279
|
+
},
|
280
|
+
"file_location": {
|
281
|
+
"type": "object",
|
282
|
+
"description": "A location within a file in the project",
|
283
|
+
"required": [
|
284
|
+
"type",
|
285
|
+
"file_name",
|
286
|
+
"line_start"
|
287
|
+
],
|
288
|
+
"properties": {
|
289
|
+
"type": {
|
290
|
+
"const": "file-location"
|
291
|
+
},
|
292
|
+
"file_name": {
|
293
|
+
"type": "string",
|
294
|
+
"minLength": 1
|
295
|
+
},
|
296
|
+
"line_start": {
|
297
|
+
"type": "integer",
|
298
|
+
"minimum": 1
|
299
|
+
},
|
300
|
+
"line_end": {
|
301
|
+
"type": "integer",
|
302
|
+
"minimum": 1
|
303
|
+
}
|
304
|
+
}
|
305
|
+
},
|
306
|
+
"module_location": {
|
307
|
+
"type": "object",
|
308
|
+
"description": "A location within a binary module of the form module+relative_offset",
|
309
|
+
"required": [
|
310
|
+
"type",
|
311
|
+
"module_name",
|
312
|
+
"offset"
|
313
|
+
],
|
314
|
+
"properties": {
|
315
|
+
"type": {
|
316
|
+
"const": "module-location"
|
317
|
+
},
|
318
|
+
"module_name": {
|
319
|
+
"type": "string",
|
320
|
+
"minLength": 1,
|
321
|
+
"examples": [
|
322
|
+
"compiled_binary"
|
323
|
+
]
|
324
|
+
},
|
325
|
+
"offset": {
|
326
|
+
"type": "integer",
|
327
|
+
"examples": [
|
328
|
+
100
|
329
|
+
]
|
330
|
+
}
|
331
|
+
}
|
332
|
+
},
|
333
|
+
"code_flow_node": {
|
334
|
+
"type": "object",
|
335
|
+
"description": "A code flow node representing a part of a vulnerability flow from source to sink",
|
336
|
+
"required": [
|
337
|
+
"file_location",
|
338
|
+
"node_type"
|
339
|
+
],
|
340
|
+
"properties": {
|
341
|
+
"type": {
|
342
|
+
"const": "code-flow-node"
|
343
|
+
},
|
344
|
+
"file_location": {
|
345
|
+
"$ref": "#/definitions/file_location"
|
346
|
+
},
|
347
|
+
"node_type": {
|
348
|
+
"type": "string",
|
349
|
+
"description": "Describes a code flow node type",
|
350
|
+
"enum": [
|
351
|
+
"source",
|
352
|
+
"sink",
|
353
|
+
"propagation"
|
354
|
+
]
|
355
|
+
}
|
356
|
+
},
|
357
|
+
"examples": [
|
358
|
+
{
|
359
|
+
"type": "code-flow-node",
|
360
|
+
"node_type": "propagation",
|
361
|
+
"file_location": {
|
362
|
+
"type": "file-location",
|
363
|
+
"file_name": "file_name.py",
|
364
|
+
"line_start": 4,
|
365
|
+
"line_end": 6
|
366
|
+
}
|
367
|
+
}
|
368
|
+
]
|
369
|
+
},
|
370
|
+
"code_flows": {
|
371
|
+
"type": "object",
|
372
|
+
"description": "A code flow representing a vulnerability flow from source to sink",
|
373
|
+
"required": [
|
374
|
+
"items",
|
375
|
+
"type"
|
376
|
+
],
|
377
|
+
"properties": {
|
378
|
+
"type": {
|
379
|
+
"const": "code-flows"
|
380
|
+
},
|
381
|
+
"items": {
|
382
|
+
"type": "array",
|
383
|
+
"minItems": 1,
|
384
|
+
"maxItems": 10,
|
385
|
+
"items": {
|
386
|
+
"type": "array",
|
387
|
+
"minItems": 1,
|
388
|
+
"items": {
|
389
|
+
"$ref": "#/definitions/code_flow_node"
|
390
|
+
}
|
391
|
+
}
|
392
|
+
}
|
393
|
+
},
|
394
|
+
"examples": [
|
395
|
+
{
|
396
|
+
"type": "code-flows",
|
397
|
+
"items": [
|
398
|
+
[
|
399
|
+
{
|
400
|
+
"type": "code-flow-node",
|
401
|
+
"node_type": "source",
|
402
|
+
"file_location": {
|
403
|
+
"type": "file-location",
|
404
|
+
"file_name": "file_name.py",
|
405
|
+
"line_start": 1,
|
406
|
+
"line_end": 2
|
407
|
+
}
|
408
|
+
},
|
409
|
+
{
|
410
|
+
"type": "code-flow-node",
|
411
|
+
"node_type": "propagation",
|
412
|
+
"file_location": {
|
413
|
+
"type": "file-location",
|
414
|
+
"file_name": "file_name.py",
|
415
|
+
"line_start": 3
|
416
|
+
}
|
417
|
+
},
|
418
|
+
{
|
419
|
+
"type": "code-flow-node",
|
420
|
+
"node_type": "sink",
|
421
|
+
"file_location": {
|
422
|
+
"type": "file-location",
|
423
|
+
"file_name": "file_name.py",
|
424
|
+
"line_start": 4,
|
425
|
+
"line_end": 6
|
426
|
+
}
|
427
|
+
}
|
428
|
+
],
|
429
|
+
[
|
430
|
+
{
|
431
|
+
"type": "code-flow-node",
|
432
|
+
"node_type": "source",
|
433
|
+
"file_location": {
|
434
|
+
"type": "file-location",
|
435
|
+
"file_name": "different_flow.py",
|
436
|
+
"line_start": 100,
|
437
|
+
"line_end": 102
|
438
|
+
}
|
439
|
+
},
|
440
|
+
{
|
441
|
+
"type": "code-flow-node",
|
442
|
+
"node_type": "sink",
|
443
|
+
"file_location": {
|
444
|
+
"type": "file-location",
|
445
|
+
"file_name": "file_name.py",
|
446
|
+
"line_start": 4,
|
447
|
+
"line_end": 6
|
448
|
+
}
|
449
|
+
}
|
450
|
+
]
|
451
|
+
]
|
452
|
+
}
|
453
|
+
]
|
454
|
+
}
|
455
|
+
},
|
456
|
+
"self": {
|
457
|
+
"version": "15.2.0"
|
458
|
+
},
|
459
|
+
"type": "object",
|
460
|
+
"required": [
|
461
|
+
"scan",
|
462
|
+
"version",
|
463
|
+
"vulnerabilities"
|
464
|
+
],
|
465
|
+
"additionalProperties": true,
|
466
|
+
"properties": {
|
467
|
+
"scan": {
|
468
|
+
"type": "object",
|
469
|
+
"required": [
|
470
|
+
"analyzer",
|
471
|
+
"end_time",
|
472
|
+
"scanner",
|
473
|
+
"start_time",
|
474
|
+
"status",
|
475
|
+
"type"
|
476
|
+
],
|
477
|
+
"properties": {
|
478
|
+
"end_time": {
|
479
|
+
"type": "string",
|
480
|
+
"description": "ISO8601 UTC value with format yyyy-mm-ddThh:mm:ss, representing when the scan finished.",
|
481
|
+
"pattern": "^\\d{4}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}$",
|
482
|
+
"examples": [
|
483
|
+
"2020-01-28T03:26:02"
|
484
|
+
]
|
485
|
+
},
|
486
|
+
"messages": {
|
487
|
+
"type": "array",
|
488
|
+
"items": {
|
489
|
+
"type": "object",
|
490
|
+
"description": "Communication intended for the initiator of a scan.",
|
491
|
+
"required": [
|
492
|
+
"level",
|
493
|
+
"value"
|
494
|
+
],
|
495
|
+
"properties": {
|
496
|
+
"level": {
|
497
|
+
"type": "string",
|
498
|
+
"description": "Describes the severity of the communication. Use info to communicate normal scan behaviour; warn to communicate a potentially recoverable problem, or a partial error; fatal to communicate an issue that causes the scan to halt.",
|
499
|
+
"enum": [
|
500
|
+
"info",
|
501
|
+
"warn",
|
502
|
+
"fatal"
|
503
|
+
],
|
504
|
+
"examples": [
|
505
|
+
"info"
|
506
|
+
]
|
507
|
+
},
|
508
|
+
"value": {
|
509
|
+
"type": "string",
|
510
|
+
"description": "The message to communicate.",
|
511
|
+
"minLength": 1,
|
512
|
+
"examples": [
|
513
|
+
"Permission denied, scanning aborted"
|
514
|
+
]
|
515
|
+
}
|
516
|
+
}
|
517
|
+
}
|
518
|
+
},
|
519
|
+
"options": {
|
520
|
+
"type": "array",
|
521
|
+
"items": {
|
522
|
+
"type": "object",
|
523
|
+
"description": "A configuration option used for this scan.",
|
524
|
+
"required": [
|
525
|
+
"name",
|
526
|
+
"value"
|
527
|
+
],
|
528
|
+
"properties": {
|
529
|
+
"name": {
|
530
|
+
"type": "string",
|
531
|
+
"description": "The configuration option name.",
|
532
|
+
"maxLength": 255,
|
533
|
+
"minLength": 1,
|
534
|
+
"examples": [
|
535
|
+
"DAST_FF_ENABLE_BAS",
|
536
|
+
"DOCKER_TLS_CERTDIR",
|
537
|
+
"DS_MAX_DEPTH",
|
538
|
+
"SECURE_LOG_LEVEL"
|
539
|
+
]
|
540
|
+
},
|
541
|
+
"source": {
|
542
|
+
"type": "string",
|
543
|
+
"description": "The source of this option.",
|
544
|
+
"enum": [
|
545
|
+
"argument",
|
546
|
+
"file",
|
547
|
+
"env_variable",
|
548
|
+
"other"
|
549
|
+
]
|
550
|
+
},
|
551
|
+
"value": {
|
552
|
+
"type": [
|
553
|
+
"boolean",
|
554
|
+
"integer",
|
555
|
+
"null",
|
556
|
+
"string"
|
557
|
+
],
|
558
|
+
"description": "The value used for this scan.",
|
559
|
+
"examples": [
|
560
|
+
true,
|
561
|
+
2,
|
562
|
+
null,
|
563
|
+
"fatal",
|
564
|
+
""
|
565
|
+
]
|
566
|
+
}
|
567
|
+
}
|
568
|
+
}
|
569
|
+
},
|
570
|
+
"analyzer": {
|
571
|
+
"type": "object",
|
572
|
+
"description": "Object defining the analyzer used to perform the scan. Analyzers typically delegate to an underlying scanner to run the scan.",
|
573
|
+
"required": [
|
574
|
+
"id",
|
575
|
+
"name",
|
576
|
+
"version",
|
577
|
+
"vendor"
|
578
|
+
],
|
579
|
+
"properties": {
|
580
|
+
"id": {
|
581
|
+
"type": "string",
|
582
|
+
"description": "Unique id that identifies the analyzer.",
|
583
|
+
"minLength": 1,
|
584
|
+
"examples": [
|
585
|
+
"gitlab-dast"
|
586
|
+
]
|
587
|
+
},
|
588
|
+
"name": {
|
589
|
+
"type": "string",
|
590
|
+
"description": "A human readable value that identifies the analyzer, not required to be unique.",
|
591
|
+
"minLength": 1,
|
592
|
+
"examples": [
|
593
|
+
"GitLab DAST"
|
594
|
+
]
|
595
|
+
},
|
596
|
+
"url": {
|
597
|
+
"type": "string",
|
598
|
+
"pattern": "^https?://.+",
|
599
|
+
"description": "A link to more information about the analyzer.",
|
600
|
+
"examples": [
|
601
|
+
"https://docs.gitlab.com/ee/user/application_security/dast"
|
602
|
+
]
|
603
|
+
},
|
604
|
+
"vendor": {
|
605
|
+
"description": "The vendor/maintainer of the analyzer.",
|
606
|
+
"type": "object",
|
607
|
+
"required": [
|
608
|
+
"name"
|
609
|
+
],
|
610
|
+
"properties": {
|
611
|
+
"name": {
|
612
|
+
"type": "string",
|
613
|
+
"description": "The name of the vendor.",
|
614
|
+
"minLength": 1,
|
615
|
+
"examples": [
|
616
|
+
"GitLab"
|
617
|
+
]
|
618
|
+
}
|
619
|
+
}
|
620
|
+
},
|
621
|
+
"version": {
|
622
|
+
"type": "string",
|
623
|
+
"description": "The version of the analyzer.",
|
624
|
+
"minLength": 1,
|
625
|
+
"examples": [
|
626
|
+
"1.0.2"
|
627
|
+
]
|
628
|
+
}
|
629
|
+
}
|
630
|
+
},
|
631
|
+
"scanner": {
|
632
|
+
"type": "object",
|
633
|
+
"description": "Object defining the scanner used to perform the scan.",
|
634
|
+
"required": [
|
635
|
+
"id",
|
636
|
+
"name",
|
637
|
+
"version",
|
638
|
+
"vendor"
|
639
|
+
],
|
640
|
+
"properties": {
|
641
|
+
"id": {
|
642
|
+
"type": "string",
|
643
|
+
"description": "Unique id that identifies the scanner.",
|
644
|
+
"minLength": 1,
|
645
|
+
"examples": [
|
646
|
+
"my-sast-scanner"
|
647
|
+
]
|
648
|
+
},
|
649
|
+
"name": {
|
650
|
+
"type": "string",
|
651
|
+
"description": "A human readable value that identifies the scanner, not required to be unique.",
|
652
|
+
"minLength": 1,
|
653
|
+
"examples": [
|
654
|
+
"My SAST Scanner"
|
655
|
+
]
|
656
|
+
},
|
657
|
+
"url": {
|
658
|
+
"type": "string",
|
659
|
+
"description": "A link to more information about the scanner.",
|
660
|
+
"examples": [
|
661
|
+
"https://scanner.url"
|
662
|
+
]
|
663
|
+
},
|
664
|
+
"version": {
|
665
|
+
"type": "string",
|
666
|
+
"description": "The version of the scanner.",
|
667
|
+
"minLength": 1,
|
668
|
+
"examples": [
|
669
|
+
"1.0.2"
|
670
|
+
]
|
671
|
+
},
|
672
|
+
"vendor": {
|
673
|
+
"description": "The vendor/maintainer of the scanner.",
|
674
|
+
"type": "object",
|
675
|
+
"required": [
|
676
|
+
"name"
|
677
|
+
],
|
678
|
+
"properties": {
|
679
|
+
"name": {
|
680
|
+
"type": "string",
|
681
|
+
"description": "The name of the vendor.",
|
682
|
+
"minLength": 1,
|
683
|
+
"examples": [
|
684
|
+
"GitLab"
|
685
|
+
]
|
686
|
+
}
|
687
|
+
}
|
688
|
+
}
|
689
|
+
}
|
690
|
+
},
|
691
|
+
"start_time": {
|
692
|
+
"type": "string",
|
693
|
+
"description": "ISO8601 UTC value with format yyyy-mm-ddThh:mm:ss, representing when the scan started.",
|
694
|
+
"pattern": "^\\d{4}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}$",
|
695
|
+
"examples": [
|
696
|
+
"2020-02-14T16:01:59"
|
697
|
+
]
|
698
|
+
},
|
699
|
+
"status": {
|
700
|
+
"type": "string",
|
701
|
+
"description": "Result of the scan.",
|
702
|
+
"enum": [
|
703
|
+
"success",
|
704
|
+
"failure"
|
705
|
+
]
|
706
|
+
},
|
707
|
+
"type": {
|
708
|
+
"type": "string",
|
709
|
+
"description": "Type of the scan.",
|
710
|
+
"enum": [
|
711
|
+
"dependency_scanning"
|
712
|
+
]
|
713
|
+
},
|
714
|
+
"primary_identifiers": {
|
715
|
+
"type": "array",
|
716
|
+
"description": "An unordered array containing an exhaustive list of primary identifiers for which the analyzer may return results",
|
717
|
+
"items": {
|
718
|
+
"type": "object",
|
719
|
+
"required": [
|
720
|
+
"type",
|
721
|
+
"name",
|
722
|
+
"value"
|
723
|
+
],
|
724
|
+
"properties": {
|
725
|
+
"type": {
|
726
|
+
"type": "string",
|
727
|
+
"description": "for example, cve, cwe, osvdb, usn, or an analyzer-dependent type such as gemnasium).",
|
728
|
+
"minLength": 1
|
729
|
+
},
|
730
|
+
"name": {
|
731
|
+
"type": "string",
|
732
|
+
"description": "Human-readable name of the identifier.",
|
733
|
+
"minLength": 1
|
734
|
+
},
|
735
|
+
"url": {
|
736
|
+
"type": "string",
|
737
|
+
"description": "URL of the identifier's documentation.",
|
738
|
+
"pattern": "^(https?|ftp)://.+"
|
739
|
+
},
|
740
|
+
"value": {
|
741
|
+
"type": "string",
|
742
|
+
"description": "Value of the identifier, for matching purpose.",
|
743
|
+
"minLength": 1
|
744
|
+
}
|
745
|
+
}
|
746
|
+
}
|
747
|
+
},
|
748
|
+
"observability": {
|
749
|
+
"type": "object",
|
750
|
+
"description": "Internal GitLab use only. Observability data such as metrics collected by the analyzers.",
|
751
|
+
"properties": {
|
752
|
+
"events": {
|
753
|
+
"type": "array",
|
754
|
+
"description": "Internal GitLab use only. Array of events containing metrics logged via the GitLab internal event tracking system. Recommend working with the analytics instrumentation team to define events.",
|
755
|
+
"items": {
|
756
|
+
"type": "object",
|
757
|
+
"description": "Internal GitLab use only. An event with zero or more values. Additional properties can be used to collect various metrics associated with event. Recommend working with the analytics instrumentation team to define events.",
|
758
|
+
"required": [
|
759
|
+
"event"
|
760
|
+
],
|
761
|
+
"properties": {
|
762
|
+
"event": {
|
763
|
+
"type": "string",
|
764
|
+
"description": "Name of the event. Events must be defined and added to the security reports observability events allow list."
|
765
|
+
},
|
766
|
+
"property": {
|
767
|
+
"type": "string",
|
768
|
+
"description": "Data related to given event. Column in the data warehouse, fast to filter on in queries."
|
769
|
+
},
|
770
|
+
"label": {
|
771
|
+
"type": "string",
|
772
|
+
"description": "Data related to given event. Column in the data warehouse, fast to filter on in queries."
|
773
|
+
},
|
774
|
+
"value": {
|
775
|
+
"type": "number",
|
776
|
+
"description": "Data related to given event. Column in the data warehouse, fast to filter on in queries."
|
777
|
+
}
|
778
|
+
}
|
779
|
+
}
|
780
|
+
}
|
781
|
+
}
|
782
|
+
}
|
783
|
+
}
|
784
|
+
},
|
785
|
+
"schema": {
|
786
|
+
"type": "string",
|
787
|
+
"description": "URI pointing to the validating security report schema.",
|
788
|
+
"pattern": "^https?://.+"
|
789
|
+
},
|
790
|
+
"version": {
|
791
|
+
"type": "string",
|
792
|
+
"description": "The version of the schema to which the JSON report conforms.",
|
793
|
+
"pattern": "^[0-9]+\\.[0-9]+\\.[0-9]+$"
|
794
|
+
},
|
795
|
+
"vulnerabilities": {
|
796
|
+
"type": "array",
|
797
|
+
"description": "Array of vulnerability objects.",
|
798
|
+
"items": {
|
799
|
+
"type": "object",
|
800
|
+
"description": "Describes the vulnerability using GitLab Flavored Markdown",
|
801
|
+
"required": [
|
802
|
+
"id",
|
803
|
+
"identifiers",
|
804
|
+
"location"
|
805
|
+
],
|
806
|
+
"properties": {
|
807
|
+
"id": {
|
808
|
+
"type": "string",
|
809
|
+
"minLength": 1,
|
810
|
+
"description": "Unique identifier of the vulnerability. This is recommended to be a UUID.",
|
811
|
+
"examples": [
|
812
|
+
"642735a5-1425-428d-8d4e-3c854885a3c9"
|
813
|
+
]
|
814
|
+
},
|
815
|
+
"name": {
|
816
|
+
"type": "string",
|
817
|
+
"maxLength": 255,
|
818
|
+
"description": "The name of the vulnerability. This must not include the finding's specific information."
|
819
|
+
},
|
820
|
+
"description": {
|
821
|
+
"type": "string",
|
822
|
+
"maxLength": 1048576,
|
823
|
+
"description": "A long text section describing the vulnerability more fully."
|
824
|
+
},
|
825
|
+
"severity": {
|
826
|
+
"type": "string",
|
827
|
+
"description": "How much the vulnerability impacts the software. Possible values are Info, Unknown, Low, Medium, High, or Critical. Note that some analyzers may not report all these possible values.",
|
828
|
+
"enum": [
|
829
|
+
"Info",
|
830
|
+
"Unknown",
|
831
|
+
"Low",
|
832
|
+
"Medium",
|
833
|
+
"High",
|
834
|
+
"Critical"
|
835
|
+
]
|
836
|
+
},
|
837
|
+
"solution": {
|
838
|
+
"type": "string",
|
839
|
+
"maxLength": 7000,
|
840
|
+
"description": "Explanation of how to fix the vulnerability."
|
841
|
+
},
|
842
|
+
"identifiers": {
|
843
|
+
"type": "array",
|
844
|
+
"minItems": 1,
|
845
|
+
"description": "An ordered array of references that identify a vulnerability on internal or external databases. The first identifier is the Primary Identifier, which has special meaning.",
|
846
|
+
"items": {
|
847
|
+
"type": "object",
|
848
|
+
"required": [
|
849
|
+
"type",
|
850
|
+
"name",
|
851
|
+
"value"
|
852
|
+
],
|
853
|
+
"properties": {
|
854
|
+
"type": {
|
855
|
+
"type": "string",
|
856
|
+
"description": "for example, cve, cwe, osvdb, usn, or an analyzer-dependent type such as gemnasium).",
|
857
|
+
"minLength": 1
|
858
|
+
},
|
859
|
+
"name": {
|
860
|
+
"type": "string",
|
861
|
+
"description": "Human-readable name of the identifier.",
|
862
|
+
"minLength": 1
|
863
|
+
},
|
864
|
+
"url": {
|
865
|
+
"type": "string",
|
866
|
+
"description": "URL of the identifier's documentation.",
|
867
|
+
"pattern": "^(https?|ftp)://.+"
|
868
|
+
},
|
869
|
+
"value": {
|
870
|
+
"type": "string",
|
871
|
+
"description": "Value of the identifier, for matching purpose.",
|
872
|
+
"minLength": 1
|
873
|
+
}
|
874
|
+
}
|
875
|
+
}
|
876
|
+
},
|
877
|
+
"cvss_vectors": {
|
878
|
+
"type": "array",
|
879
|
+
"minItems": 1,
|
880
|
+
"maxItems": 10,
|
881
|
+
"description": "An ordered array of CVSS vectors, each issued by a vendor to rate the vulnerability. The first item in the array is used as the primary CVSS vector, and is used to filter and sort the vulnerability.",
|
882
|
+
"items": {
|
883
|
+
"oneOf": [
|
884
|
+
{
|
885
|
+
"type": "object",
|
886
|
+
"properties": {
|
887
|
+
"vendor": {
|
888
|
+
"type": "string",
|
889
|
+
"minLength": 1,
|
890
|
+
"default": "unknown"
|
891
|
+
},
|
892
|
+
"vector": {
|
893
|
+
"type": "string",
|
894
|
+
"minLength": 16,
|
895
|
+
"maxLength": 128,
|
896
|
+
"pattern": "^((AV:[NAL]|AC:[LMH]|Au:[MSN]|[CIA]:[NPC]|E:(U|POC|F|H|ND)|RL:(OF|TF|W|U|ND)|RC:(UC|UR|C|ND)|CDP:(N|L|LM|MH|H|ND)|TD:(N|L|M|H|ND)|[CIA]R:(L|M|H|ND))/)*(AV:[NAL]|AC:[LMH]|Au:[MSN]|[CIA]:[NPC]|E:(U|POC|F|H|ND)|RL:(OF|TF|W|U|ND)|RC:(UC|UR|C|ND)|CDP:(N|L|LM|MH|H|ND)|TD:(N|L|M|H|ND)|[CIA]R:(L|M|H|ND))$"
|
897
|
+
}
|
898
|
+
},
|
899
|
+
"required": [
|
900
|
+
"vendor",
|
901
|
+
"vector"
|
902
|
+
]
|
903
|
+
},
|
904
|
+
{
|
905
|
+
"type": "object",
|
906
|
+
"properties": {
|
907
|
+
"vendor": {
|
908
|
+
"type": "string",
|
909
|
+
"minLength": 1,
|
910
|
+
"default": "unknown"
|
911
|
+
},
|
912
|
+
"vector": {
|
913
|
+
"type": "string",
|
914
|
+
"minLength": 32,
|
915
|
+
"maxLength": 128,
|
916
|
+
"pattern": "^CVSS:3[.][01]/((AV:[NALP]|AC:[LH]|PR:[NLH]|UI:[NR]|S:[UC]|[CIA]:[NLH]|E:[XUPFH]|RL:[XOTWU]|RC:[XURC]|[CIA]R:[XLMH]|MAV:[XNALP]|MAC:[XLH]|MPR:[XNLH]|MUI:[XNR]|MS:[XUC]|M[CIA]:[XNLH])/)*(AV:[NALP]|AC:[LH]|PR:[NLH]|UI:[NR]|S:[UC]|[CIA]:[NLH]|E:[XUPFH]|RL:[XOTWU]|RC:[XURC]|[CIA]R:[XLMH]|MAV:[XNALP]|MAC:[XLH]|MPR:[XNLH]|MUI:[XNR]|MS:[XUC]|M[CIA]:[XNLH])$"
|
917
|
+
}
|
918
|
+
},
|
919
|
+
"required": [
|
920
|
+
"vendor",
|
921
|
+
"vector"
|
922
|
+
]
|
923
|
+
}
|
924
|
+
]
|
925
|
+
}
|
926
|
+
},
|
927
|
+
"links": {
|
928
|
+
"type": "array",
|
929
|
+
"description": "An array of references to external documentation or articles that describe the vulnerability.",
|
930
|
+
"items": {
|
931
|
+
"type": "object",
|
932
|
+
"required": [
|
933
|
+
"url"
|
934
|
+
],
|
935
|
+
"properties": {
|
936
|
+
"name": {
|
937
|
+
"type": "string",
|
938
|
+
"description": "Name of the vulnerability details link."
|
939
|
+
},
|
940
|
+
"url": {
|
941
|
+
"type": "string",
|
942
|
+
"description": "URL of the vulnerability details document.",
|
943
|
+
"pattern": "^(https?|ftp)://.+"
|
944
|
+
}
|
945
|
+
}
|
946
|
+
}
|
947
|
+
},
|
948
|
+
"details": {
|
949
|
+
"$ref": "#/definitions/named_list/properties/items"
|
950
|
+
},
|
951
|
+
"tracking": {
|
952
|
+
"type": "object",
|
953
|
+
"description": "Describes how this vulnerability should be tracked as the project changes.",
|
954
|
+
"oneOf": [
|
955
|
+
{
|
956
|
+
"description": "Declares that a series of items should be tracked using source-specific tracking methods.",
|
957
|
+
"required": [
|
958
|
+
"items"
|
959
|
+
],
|
960
|
+
"properties": {
|
961
|
+
"type": {
|
962
|
+
"const": "source"
|
963
|
+
},
|
964
|
+
"items": {
|
965
|
+
"type": "array",
|
966
|
+
"items": {
|
967
|
+
"description": "An item that should be tracked using source-specific tracking methods.",
|
968
|
+
"type": "object",
|
969
|
+
"required": [
|
970
|
+
"signatures"
|
971
|
+
],
|
972
|
+
"properties": {
|
973
|
+
"file": {
|
974
|
+
"type": "string",
|
975
|
+
"description": "Path to the file where the vulnerability is located."
|
976
|
+
},
|
977
|
+
"start_line": {
|
978
|
+
"type": "number",
|
979
|
+
"description": "The first line of the file that includes the vulnerability."
|
980
|
+
},
|
981
|
+
"end_line": {
|
982
|
+
"type": "number",
|
983
|
+
"description": "The last line of the file that includes the vulnerability."
|
984
|
+
},
|
985
|
+
"signatures": {
|
986
|
+
"type": "array",
|
987
|
+
"description": "An array of calculated tracking signatures for this tracking item.",
|
988
|
+
"minItems": 1,
|
989
|
+
"items": {
|
990
|
+
"description": "A calculated tracking signature value and metadata.",
|
991
|
+
"type": "object",
|
992
|
+
"required": [
|
993
|
+
"algorithm",
|
994
|
+
"value"
|
995
|
+
],
|
996
|
+
"properties": {
|
997
|
+
"algorithm": {
|
998
|
+
"type": "string",
|
999
|
+
"description": "The algorithm used to generate the signature."
|
1000
|
+
},
|
1001
|
+
"value": {
|
1002
|
+
"type": "string",
|
1003
|
+
"description": "The result of this signature algorithm."
|
1004
|
+
}
|
1005
|
+
}
|
1006
|
+
}
|
1007
|
+
}
|
1008
|
+
}
|
1009
|
+
}
|
1010
|
+
}
|
1011
|
+
}
|
1012
|
+
}
|
1013
|
+
],
|
1014
|
+
"properties": {
|
1015
|
+
"type": {
|
1016
|
+
"type": "string",
|
1017
|
+
"description": "Each tracking type must declare its own type."
|
1018
|
+
}
|
1019
|
+
}
|
1020
|
+
},
|
1021
|
+
"flags": {
|
1022
|
+
"description": "Flags that can be attached to vulnerabilities.",
|
1023
|
+
"type": "array",
|
1024
|
+
"items": {
|
1025
|
+
"type": "object",
|
1026
|
+
"description": "Informational flags identified and assigned to a vulnerability.",
|
1027
|
+
"required": [
|
1028
|
+
"type",
|
1029
|
+
"origin",
|
1030
|
+
"description"
|
1031
|
+
],
|
1032
|
+
"properties": {
|
1033
|
+
"type": {
|
1034
|
+
"type": "string",
|
1035
|
+
"minLength": 1,
|
1036
|
+
"description": "Result of the scan.",
|
1037
|
+
"enum": [
|
1038
|
+
"flagged-as-likely-false-positive"
|
1039
|
+
]
|
1040
|
+
},
|
1041
|
+
"origin": {
|
1042
|
+
"minLength": 1,
|
1043
|
+
"description": "Tool that issued the flag.",
|
1044
|
+
"type": "string"
|
1045
|
+
},
|
1046
|
+
"description": {
|
1047
|
+
"minLength": 1,
|
1048
|
+
"description": "What the flag is about.",
|
1049
|
+
"type": "string"
|
1050
|
+
}
|
1051
|
+
}
|
1052
|
+
}
|
1053
|
+
},
|
1054
|
+
"location": {
|
1055
|
+
"type": "object",
|
1056
|
+
"description": "Identifies the vulnerability's location.",
|
1057
|
+
"required": [
|
1058
|
+
"file",
|
1059
|
+
"dependency"
|
1060
|
+
],
|
1061
|
+
"properties": {
|
1062
|
+
"file": {
|
1063
|
+
"type": "string",
|
1064
|
+
"minLength": 1,
|
1065
|
+
"description": "Path to the manifest or lock file where the dependency is declared (such as yarn.lock)."
|
1066
|
+
},
|
1067
|
+
"dependency": {
|
1068
|
+
"type": "object",
|
1069
|
+
"description": "Describes the dependency of a project where the vulnerability is located.",
|
1070
|
+
"required": [
|
1071
|
+
"package",
|
1072
|
+
"version"
|
1073
|
+
],
|
1074
|
+
"properties": {
|
1075
|
+
"package": {
|
1076
|
+
"type": "object",
|
1077
|
+
"description": "Provides information on the package where the vulnerability is located.",
|
1078
|
+
"required": [
|
1079
|
+
"name"
|
1080
|
+
],
|
1081
|
+
"properties": {
|
1082
|
+
"name": {
|
1083
|
+
"type": "string",
|
1084
|
+
"description": "Name of the package where the vulnerability is located."
|
1085
|
+
}
|
1086
|
+
}
|
1087
|
+
},
|
1088
|
+
"version": {
|
1089
|
+
"type": "string",
|
1090
|
+
"description": "Version of the vulnerable package."
|
1091
|
+
},
|
1092
|
+
"direct": {
|
1093
|
+
"type": "boolean",
|
1094
|
+
"description": "Tells whether this is a direct, top-level dependency of the scanned project."
|
1095
|
+
}
|
1096
|
+
}
|
1097
|
+
}
|
1098
|
+
}
|
1099
|
+
}
|
1100
|
+
}
|
1101
|
+
}
|
1102
|
+
},
|
1103
|
+
"remediations": {
|
1104
|
+
"type": "array",
|
1105
|
+
"description": "An array of objects containing information on available remediations, along with patch diffs to apply.",
|
1106
|
+
"items": {
|
1107
|
+
"type": "object",
|
1108
|
+
"required": [
|
1109
|
+
"fixes",
|
1110
|
+
"summary",
|
1111
|
+
"diff"
|
1112
|
+
],
|
1113
|
+
"properties": {
|
1114
|
+
"fixes": {
|
1115
|
+
"type": "array",
|
1116
|
+
"description": "An array of strings that represent references to vulnerabilities fixed by this remediation.",
|
1117
|
+
"items": {
|
1118
|
+
"type": "object",
|
1119
|
+
"required": [
|
1120
|
+
"id"
|
1121
|
+
],
|
1122
|
+
"properties": {
|
1123
|
+
"id": {
|
1124
|
+
"type": "string",
|
1125
|
+
"minLength": 1,
|
1126
|
+
"description": "Unique identifier of the vulnerability. This is recommended to be a UUID.",
|
1127
|
+
"examples": [
|
1128
|
+
"642735a5-1425-428d-8d4e-3c854885a3c9"
|
1129
|
+
]
|
1130
|
+
}
|
1131
|
+
}
|
1132
|
+
}
|
1133
|
+
},
|
1134
|
+
"summary": {
|
1135
|
+
"type": "string",
|
1136
|
+
"minLength": 1,
|
1137
|
+
"description": "An overview of how the vulnerabilities were fixed."
|
1138
|
+
},
|
1139
|
+
"diff": {
|
1140
|
+
"type": "string",
|
1141
|
+
"minLength": 1,
|
1142
|
+
"description": "A base64-encoded remediation code diff, compatible with git apply."
|
1143
|
+
}
|
1144
|
+
}
|
1145
|
+
}
|
1146
|
+
}
|
1147
|
+
}
|
1148
|
+
}
|