Vulnerability Findings API

  • Tier: Ultimate
  • Offering: JihuLab.com, Self-managed
This API resource was renamed from Vulnerabilities to Vulnerability Findings, because Vulnerabilities is now used for vulnerability objects. To fix problems caused by earlier integrations with the Vulnerabilities API, change `vulnerabilities` to `vulnerability_findings`.

Every API call to vulnerability findings must be authenticated.

If a user does not have permission to use the project Security Dashboard, any request for that project's vulnerability findings returns a `403 Forbidden` status code.

This API is deprecated and considered unstable. The response payload may change or break across JihuLab GitLab releases. Use the [GraphQL API](graphql/reference/_index.md#queryvulnerabilities) instead. For more information, see the [GraphQL examples](vulnerabilities.md#replace-vulnerability-rest-api-with-graphql).

Vulnerability findings pagination

By default, GET requests return 20 results at a time, because the API results are paginated.

Read more about pagination.

List project vulnerability findings

List all vulnerability findings of a project.

```plaintext
GET /projects/:id/vulnerability_findings
GET /projects/:id/vulnerability_findings?report_type=sast
GET /projects/:id/vulnerability_findings?report_type=container_scanning
GET /projects/:id/vulnerability_findings?report_type=sast,dast
GET /projects/:id/vulnerability_findings?scope=all
GET /projects/:id/vulnerability_findings?scope=dismissed
GET /projects/:id/vulnerability_findings?severity=high
GET /projects/:id/vulnerability_findings?pipeline_id=42
```
| Attribute | Type | Required | Description |
|---|---|---|---|
| `id` | integer/string | Yes | The ID or URL-encoded path of the project owned by the authenticated user. |
| `report_type` | string array | No | Returns vulnerability findings belonging to the specified report types. Valid values: `sast`, `dast`, `dependency_scanning`, `container_scanning`. Defaults to all. |
| `scope` | string | No | Returns vulnerability findings for the given scope: `all` or `dismissed`. Defaults to `dismissed`. |
| `severity` | string array | No | Returns vulnerability findings belonging to the specified severity levels: `info`, `unknown`, `low`, `medium`, `high`, `critical`. Defaults to all. |
| `pipeline_id` | integer/string | No | Returns vulnerability findings belonging to the specified pipeline. |
```shell
curl --header "PRIVATE-TOKEN: <your_access_token>" "https://gitlab.example.com/api/v4/projects/4/vulnerability_findings"
```

Example response:

```json
[
  {
    "id": null,
    "report_type": "sast",
    "name": "Possible command injection",
    "severity": "high",
    "scanner": {
      "external_id": "brakeman",
      "name": "Brakeman",
      "vendor": "GitLab"
    },
    "identifiers": [
      {
        "external_type": "brakeman_warning_code",
        "external_id": "14",
        "name": "Brakeman Warning Code 14",
        "url": "https://brakemanscanner.org/docs/warning_types/command_injection/"
      }
    ],
    "project_fingerprint": "ac218b1770af030cfeef967752ab803c55afb36d",
    "uuid": "ad5e3be3-a193-55f5-a200-bc12865fb09c",
    "create_jira_issue_url": null,
    "false_positive": true,
    "create_vulnerability_feedback_issue_path": "/root/test-false-positive/-/vulnerability_feedback",
    "create_vulnerability_feedback_merge_request_path": "/root/test-false-positive/-/vulnerability_feedback",
    "create_vulnerability_feedback_dismissal_path": "/root/test-false-positive/-/vulnerability_feedback",
    "project": {
      "id": 2,
      "name": "Test False Positive",
      "full_path": "/root/test-false-positive",
      "full_name": "Administrator / Test False Positive"
    },
    "dismissal_feedback": null,
    "issue_feedback": null,
    "merge_request_feedback": null,
    "description": null,
    "links": [],
    "location": {
      "file": "app/controllers/users_controller.rb",
      "start_line": 42,
      "class": "UsersController",
      "method": "list_users"
    },
    "remediations": [
      null
    ],
    "solution": null,
    "evidence": null,
    "request": null,
    "response": null,
    "evidence_source": null,
    "supporting_messages": [],
    "assets": [],
    "details": {},
    "state": "detected",
    "scan": {
      "type": "sast",
      "status": "success",
      "start_time": "2021-09-02T20:55:48",
      "end_time": "2021-09-02T20:55:48"
    },
    "blob_path": "/root/test-false-positive/-/blob/dfd75607752a839bbc9c7362d111effaa470fecd/app/controllers/users_controller.rb#L42"
  }
]
```
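As an added example (not part of the original page or of GitLab's own client code), the Python helper below builds filtered request URLs for this endpoint, reads GitLab's `X-Next-Page` pagination header, and triages a page of findings in the response shape shown above, dropping false positives and dismissed entries so that only actionable findings are counted. The host name and the sample findings are constructed.

```python
import json
from urllib.parse import urlencode

API_BASE = "https://gitlab.example.com/api/v4"  # assumed host, as in the page's curl example


def findings_url(project_id, report_type=(), scope=None, severity=(),
                 pipeline_id=None, page=1, per_page=20):
    """Build a vulnerability_findings URL; array filters are sent comma-separated."""
    params = {"page": page, "per_page": per_page}
    if report_type:
        params["report_type"] = ",".join(report_type)
    if scope:
        params["scope"] = scope
    if severity:
        params["severity"] = ",".join(severity)
    if pipeline_id is not None:
        params["pipeline_id"] = pipeline_id
    return f"{API_BASE}/projects/{project_id}/vulnerability_findings?{urlencode(params)}"


def next_page(headers):
    """GitLab paginates with an X-Next-Page response header; empty means this was the last page."""
    value = headers.get("X-Next-Page", "")
    return int(value) if value else None


def summarize(findings):
    """Count findings per severity, skipping false positives and dismissed ones,
    and collect (name, file, line) for the findings that remain."""
    counts, hotspots = {}, []
    for f in findings:
        if f.get("false_positive") or f.get("state") == "dismissed":
            continue
        counts[f["severity"]] = counts.get(f["severity"], 0) + 1
        loc = f.get("location") or {}  # location may be null for some report types
        hotspots.append((f["name"], loc.get("file"), loc.get("start_line")))
    return counts, hotspots


# Constructed sample page in the shape of the REST example response (not real scan data)
SAMPLE_PAGE = json.loads("""[
  {"report_type": "sast", "name": "Possible command injection", "severity": "high",
   "false_positive": true, "state": "detected",
   "location": {"file": "app/controllers/users_controller.rb", "start_line": 42}},
  {"report_type": "sast", "name": "Possible SQL injection", "severity": "critical",
   "false_positive": false, "state": "detected",
   "location": {"file": "app/models/user.rb", "start_line": 17}},
  {"report_type": "dast", "name": "Missing X-Frame-Options header", "severity": "low",
   "false_positive": false, "state": "dismissed", "location": null}
]""")
```

To walk a whole project, loop on `findings_url(..., page=n)` until `next_page` returns `None`, feeding each page's JSON to `summarize`.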

Replace the vulnerability findings REST API with GraphQL

To prepare for the upcoming deprecation of the vulnerability findings REST API endpoint, use the following examples to perform the equivalent operations with the GraphQL API.

GraphQL - Project vulnerability findings

Use `Pipeline.securityReportFindings`.

```graphql
query VulnerabilityFindings {
  project(fullPath: "gitlab-examples/security/security-reports") {
    pipelines(first:1) {
      nodes {
        securityReportFindings(first:1) {
          nodes {
            title
            severity
            state
            scanner {
              externalId
              name
              vendor
            }
            identifiers {
              externalType
              externalId
              name
              url
            }
            uuid
            falsePositive
            description
            location {
              ... on VulnerabilityLocationSast {
                file
                startLine
                endLine
                vulnerableClass
                vulnerableMethod
                blobPath
              }

              ... on VulnerabilityLocationContainerScanning {
                dependency {
                  package {
                    name
                  }
                  version
                }
                image
                operatingSystem
              }

              ... on VulnerabilityLocationDependencyScanning {
                file
                blobPath
                dependency {
                  version
                }
              }
            }
            remediations {
              diff
              summary
            }
            solution
            evidence {
              request {
                body
                headers {
                  name
                  value
                }
                method
                url
              }
            }
          }
        }
      }
    }
  }
}
```

Example response:

```json
{
  "data": {
    "project": {
      "pipelines": {
        "nodes": [
          {
            "securityReportFindings": {
              "nodes": [
                {
                  "title": "Deserialization of Untrusted Data",
                  "severity": "CRITICAL",
                  "state": "CONFIRMED",
                  "scanner": {
                    "externalId": "gemnasium",
                    "name": "Gemnasium",
                    "vendor": "GitLab"
                  },
                  "identifiers": [
                    {
                      "externalType": "gemnasium",
                      "externalId": "b60c2d6b-9083-4a97-a1b2-f7dc79bff74c",
                      "name": "Gemnasium-b60c2d6b-9083-4a97-a1b2-f7dc79bff74c",
                      "url": "https://jihulab.com/gitlab-cn/security-products/gemnasium-db/-/blob/master/gem/activerecord/CVE-2022-32224.yml"
                    },
                    {
                      "externalType": "cve",
                      "externalId": "CVE-2022-32224",
                      "name": "CVE-2022-32224",
                      "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32224"
                    },
                    {
                      "externalType": "ghsa",
                      "externalId": "GHSA-3hhc-qp5v-9p2j",
                      "name": "GHSA-3hhc-qp5v-9p2j",
                      "url": "https://github.com/advisories/GHSA-3hhc-qp5v-9p2j"
                    }
                  ],
                  "uuid": "c9e40395-72cd-54f5-962f-e1d52c0dffab",
                  "falsePositive": false,
                  "description": "A possible escalation to RCE vulnerability exists when using YAML serialized columns in Active Record < 7.0.3.1, <6.1.6.1, <6.0.5.1 and <5.2.8.1 which could allow an attacker, that can manipulate data in the database (via means like SQL injection), the ability to escalate to an RCE.",
                  "location": {
                    "file": "dependency-scanning-files/Gemfile.lock",
                    "blobPath": null,
                    "dependency": {
                      "version": "5.0.0"
                    }
                  },
                  "remediations": [],
                  "solution": "Upgrade to versions 5.2.8.1, 6.0.5.1, 6.1.6.1, 7.0.3.1 or above.",
                  "evidence": null
                }
              ]
            }
          }
        ]
      }
    }
  }
}
```