# Project Vulnerabilities API

- Tier: Ultimate
- Offering: JihuLab.com, Self-managed

History

1. `last_edited_at` deprecated in JiHu GitLab 16.7.
2. `start_date` deprecated in JiHu GitLab 16.7.
3. `updated_by_id` deprecated in JiHu GitLab 16.7.
4. `last_edited_by_id` deprecated in JiHu GitLab 16.7.
5. `due_date` deprecated in JiHu GitLab 16.7.

This API is being considered for deprecation and may be unstable. The response data format may change, including breaking changes, between JiHu GitLab releases; use the [GraphQL API](graphql/reference/_index.md#queryvulnerabilities) instead.

Every API call to vulnerabilities must be authenticated.

Vulnerability permissions are inherited from the project. If a project is private and the user is not a member of the project the vulnerability belongs to, requests to that project return a `404 Not Found` status code.

## Vulnerabilities pagination

API results are paginated; `GET` requests return 20 results at a time by default.

Read more about pagination.

## List project vulnerabilities

List all of a project's vulnerabilities.

If the authenticated user does not have permission to use the project security dashboard, a `GET` request for that project's vulnerabilities results in a `403` status code.

```plaintext
GET /projects/:id/vulnerabilities
```

| Attribute | Type | Required | Description |
| --- | --- | --- | --- |
| `id` | integer or string | yes | The ID or URL-encoded path of the project |

```shell
curl --header "PRIVATE-TOKEN: <your_access_token>" "https://gitlab.example.com/api/v4/projects/4/vulnerabilities"
```

Example response:

```json
[
  {
    "author_id": 1,
    "confidence": "medium",
    "created_at": "2020-04-07T14:01:04.655Z",
    "description": null,
    "dismissed_at": null,
    "dismissed_by_id": null,
    "finding": {
      "confidence": "medium",
      "created_at": "2020-04-07T14:01:04.630Z",
      "id": 103,
      "location_fingerprint": "228998b5db51d86d3b091939e2f5873ada0a14a1",
      "metadata_version": "2.0",
      "name": "Regular Expression Denial of Service in debug",
      "primary_identifier_id": 135,
      "project_fingerprint": "05e7cc9978ca495cf739a9f707ed34811e41c615",
      "project_id": 24,
      "raw_metadata": "{\"category\":\"dependency_scanning\",\"name\":\"Regular Expression Denial of Service\",\"message\":\"Regular Expression Denial of Service in debug\",\"description\":\"The debug module is vulnerable to regular expression denial of service when untrusted user input is passed into the `o` formatter. It takes around 50k characters to block for 2 seconds making this a low severity issue.\",\"cve\":\"yarn.lock:debug:gemnasium:37283ed4-0380-40d7-ada7-2d994afcc62a\",\"severity\":\"Unknown\",\"solution\":\"Upgrade to latest versions.\",\"scanner\":{\"id\":\"gemnasium\",\"name\":\"Gemnasium\"},\"location\":{\"file\":\"yarn.lock\",\"dependency\":{\"package\":{\"name\":\"debug\"},\"version\":\"1.0.5\"}},\"identifiers\":[{\"type\":\"gemnasium\",\"name\":\"Gemnasium-37283ed4-0380-40d7-ada7-2d994afcc62a\",\"value\":\"37283ed4-0380-40d7-ada7-2d994afcc62a\",\"url\":\"https://deps.sec.gitlab.com/packages/npm/debug/versions/1.0.5/advisories\"}],\"links\":[{\"url\":\"https://nodesecurity.io/advisories/534\"},{\"url\":\"https://github.com/visionmedia/debug/issues/501\"},{\"url\":\"https://github.com/visionmedia/debug/pull/504\"}],\"remediations\":[null]}",
      "report_type": "dependency_scanning",
      "scanner_id": 63,
      "severity": "low",
      "updated_at": "2020-04-07T14:01:04.664Z",
      "uuid": "f1d528ae-d0cc-47f6-a72f-936cec846ae7",
      "vulnerability_id": 103
    },
    "id": 103,
    "project": {
      "created_at": "2020-04-07T13:54:25.634Z",
      "description": "",
      "id": 24,
      "name": "security-reports",
      "name_with_namespace": "gitlab-org / security-reports",
      "path": "security-reports",
      "path_with_namespace": "gitlab-org/security-reports"
    },
    "project_default_branch": "main",
    "report_type": "dependency_scanning",
    "resolved_at": null,
    "resolved_by_id": null,
    "resolved_on_default_branch": false,
    "severity": "low",
    "state": "detected",
    "title": "Regular Expression Denial of Service in debug",
    "updated_at": "2020-04-07T14:01:04.655Z"
  }
]
```

## New vulnerability

Creates a new vulnerability.

If the authenticated user does not have permission to create a new vulnerability, this request results in a `403` status code.

```plaintext
POST /projects/:id/vulnerabilities?finding_id=<your_finding_id>
```

| Attribute | Type | Required | Description |
| --- | --- | --- | --- |
| `id` | integer or string | yes | The ID or URL-encoded path of the project which the authenticated user is a member of |
| `finding_id` | integer or string | yes | The ID of the vulnerability finding from which the new vulnerability is created |

The other attributes of the newly created vulnerability are populated from its source vulnerability finding, or with these default values:

| Attribute | Value |
| --- | --- |
| `author` | The authenticated user |
| `title` | The `name` attribute of the vulnerability finding |
| `state` | `opened` |
| `severity` | The `severity` attribute of the vulnerability finding |
| `confidence` | The `confidence` attribute of the vulnerability finding |

```shell
curl --request POST --header "PRIVATE-TOKEN: <your_access_token>" "https://gitlab.example.com/api/v4/projects/1/vulnerabilities?finding_id=1"
```

Example response:

```json
{
  "author_id": 1,
  "confidence": "medium",
  "created_at": "2020-04-07T14:01:04.655Z",
  "description": null,
  "dismissed_at": null,
  "dismissed_by_id": null,
  "finding": {
    "confidence": "medium",
    "created_at": "2020-04-07T14:01:04.630Z",
    "id": 103,
    "location_fingerprint": "228998b5db51d86d3b091939e2f5873ada0a14a1",
    "metadata_version": "2.0",
    "name": "Regular Expression Denial of Service in debug",
    "primary_identifier_id": 135,
    "project_fingerprint": "05e7cc9978ca495cf739a9f707ed34811e41c615",
    "project_id": 24,
    "raw_metadata": "{\"category\":\"dependency_scanning\",\"name\":\"Regular Expression Denial of Service\",\"message\":\"Regular Expression Denial of Service in debug\",\"description\":\"The debug module is vulnerable to regular expression denial of service when untrusted user input is passed into the `o` formatter. It takes around 50k characters to block for 2 seconds making this a low severity issue.\",\"cve\":\"yarn.lock:debug:gemnasium:37283ed4-0380-40d7-ada7-2d994afcc62a\",\"severity\":\"Unknown\",\"solution\":\"Upgrade to latest versions.\",\"scanner\":{\"id\":\"gemnasium\",\"name\":\"Gemnasium\"},\"location\":{\"file\":\"yarn.lock\",\"dependency\":{\"package\":{\"name\":\"debug\"},\"version\":\"1.0.5\"}},\"identifiers\":[{\"type\":\"gemnasium\",\"name\":\"Gemnasium-37283ed4-0380-40d7-ada7-2d994afcc62a\",\"value\":\"37283ed4-0380-40d7-ada7-2d994afcc62a\",\"url\":\"https://deps.sec.gitlab.com/packages/npm/debug/versions/1.0.5/advisories\"}],\"links\":[{\"url\":\"https://nodesecurity.io/advisories/534\"},{\"url\":\"https://github.com/visionmedia/debug/issues/501\"},{\"url\":\"https://github.com/visionmedia/debug/pull/504\"}],\"remediations\":[null]}",
    "report_type": "dependency_scanning",
    "scanner_id": 63,
    "severity": "low",
    "updated_at": "2020-04-07T14:01:04.664Z",
    "uuid": "f1d528ae-d0cc-47f6-a72f-936cec846ae7",
    "vulnerability_id": 103
  },
  "id": 103,
  "project": {
    "created_at": "2020-04-07T13:54:25.634Z",
    "description": "",
    "id": 24,
    "name": "security-reports",
    "name_with_namespace": "gitlab-org / security-reports",
    "path": "security-reports",
    "path_with_namespace": "gitlab-org/security-reports"
  },
  "project_default_branch": "main",
  "report_type": "dependency_scanning",
  "resolved_at": null,
  "resolved_by_id": null,
  "resolved_on_default_branch": false,
  "severity": "low",
  "state": "detected",
  "title": "Regular Expression Denial of Service in debug",
  "updated_at": "2020-04-07T14:01:04.655Z"
}
```

## Errors

This error occurs when the finding selected for creating the vulnerability is not found, or is already associated with a different vulnerability:

```plaintext
A Vulnerability Finding is not found or already attached to a different Vulnerability
```

Status code: `400`

Example response:

```json
{
  "message": {
    "base": [
      "finding is not found or is already attached to a vulnerability"
    ]
  }
}
```
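The list and create endpoints above, wrapped in a small client that walks every page of results and turns the `403` and `400` responses described on this page into exceptions. This is an added example, not code from the JiHu GitLab docs or any GitLab client library; it assumes GitLab's standard `page`/`per_page` query parameters for pagination, and `urllib_transport`, `VulnerabilityApiError` and `_project_url` are names chosen here.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

# transport(method, url, headers) -> (status, body): injectable so the client can be exercised offline.
def urllib_transport(method, url, headers):
    req = urllib.request.Request(url, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:  # 4xx/5xx responses still carry a JSON body
        return err.code, err.read().decode()

class VulnerabilityApiError(Exception):
    def __init__(self, status, message):
        super().__init__(f"HTTP {status}: {message}")
        self.status = status

def _project_url(base, project):
    # 'group/project' paths must be URL-encoded ("ID or URL-encoded path" in the tables above).
    return f"{base}/api/v4/projects/{urllib.parse.quote(str(project), safe='')}/vulnerabilities"

def list_vulnerabilities(base, token, project, transport=urllib_transport, per_page=20):
    """Walk every page of GET /projects/:id/vulnerabilities (20 results per page by default).
    page/per_page are GitLab's standard pagination parameters (assumed, not stated on this page)."""
    found, page = [], 1
    while True:
        url = f"{_project_url(base, project)}?page={page}&per_page={per_page}"
        status, body = transport("GET", url, {"PRIVATE-TOKEN": token})
        if status == 403:
            raise VulnerabilityApiError(403, "no permission to use the project security dashboard")
        if status != 200:
            raise VulnerabilityApiError(status, body)
        batch = json.loads(body)
        found.extend(batch)
        if len(batch) < per_page:  # a short page means there is nothing more to fetch
            return found
        page += 1

def create_vulnerability(base, token, project, finding_id, transport=urllib_transport):
    """POST /projects/:id/vulnerabilities?finding_id=...; raises on the 400 from the Errors section."""
    url = f"{_project_url(base, project)}?finding_id={int(finding_id)}"
    status, body = transport("POST", url, {"PRIVATE-TOKEN": token})
    if status == 400:  # "finding is not found or is already attached to a vulnerability"
        raise VulnerabilityApiError(400, json.loads(body)["message"]["base"][0])
    if status not in (200, 201):
        raise VulnerabilityApiError(status, body)
    return json.loads(body)
```

Pass a `transport` of your own to test against canned responses; the default sends real requests with the token only in the `PRIVATE-TOKEN` header, never in the URL.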