382.md 6.2 KB
Newer Older
Lab机器人's avatar
readme  
Lab机器人 已提交
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65
# Vulnerability Findings API

> 原文:[https://docs.gitlab.com/ee/api/vulnerability_findings.html](https://docs.gitlab.com/ee/api/vulnerability_findings.html)

*   [Vulnerability findings pagination](#vulnerability-findings-pagination)
*   [List project vulnerability findings](#list-project-vulnerability-findings)

# Vulnerability Findings API[](#vulnerability-findings-api-ultimate "Permalink")

在 GitLab Ultimate 12.5 中[引入](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/19029) .

**注意:**此 API 资源已从"漏洞"重命名为"漏洞发现",因为这些漏洞是为服务即将到来的[独立漏洞对象](https://gitlab.com/gitlab-org/gitlab/-/issues/13561)而保留的. 要修复与以前的 Vulnerabilities API 的任何损坏的集成,请将`vulnerabilities` URL 部分更改为`vulnerabilities` _ `vulnerability_findings` .

每个对漏洞发现的 API 调用都必须经过[身份验证](README.html#authentication) .

漏洞发现是项目约束的实体. 如果用户不是项目成员,并且该项目是私有项目,则对该项目的请求将产生`404`状态代码.

如果用户能够访问该项目但无权[使用 Project Security 仪表板](../user/permissions.html#project-members-permissions) ,则任何对此项目的漏洞发现的请求都将生成`403`状态代码.

**警告:**此 API 处于 alpha 阶段,被认为是不稳定的. 响应有效载荷可能会在 GitLab 版本之间发生更改或损坏.

## Vulnerability findings pagination[](#vulnerability-findings-pagination "Permalink")

默认情况下,因为 API 结果是分页的,所以`GET`请求一次返回 20 个结果.

阅读有关[分页的](README.html#pagination)更多信息.

## List project vulnerability findings[](#list-project-vulnerability-findings "Permalink")

列出项目的所有漏洞发现.

```
GET /projects/:id/vulnerability_findings
GET /projects/:id/vulnerability_findings?report_type=sast
GET /projects/:id/vulnerability_findings?report_type=container_scanning
GET /projects/:id/vulnerability_findings?report_type=sast,dast
GET /projects/:id/vulnerability_findings?scope=all
GET /projects/:id/vulnerability_findings?scope=dismissed
GET /projects/:id/vulnerability_findings?severity=high
GET /projects/:id/vulnerability_findings?confidence=unknown,experimental
GET /projects/:id/vulnerability_findings?scanner=bandit,find_sec_bugs
GET /projects/:id/vulnerability_findings?pipeline_id=42 
```

**弃用:**从 GitLab 12.9 开始,不再报告`undefined`严重性和可信度级别.

| Attribute | Type | Required | Description |
| --- | --- | --- | --- |
| `id` | integer/string | yes | 经过身份验证的用户[所属的项目](README.html#namespaced-path-encoding)的 ID 或[URL 编码路径](README.html#namespaced-path-encoding) . |
| `report_type` | 字符串数组 | no | 返回属于指定报告类型的漏洞发现. 有效值: `sast``dast``dependency_scanning``container_scanning` . 默认为全部. |
| `scope` | string | no | 返回给定范围内的漏洞发现结果: `all`或已`dismissed` . 默认为`dismissed` . |
| `severity` | 字符串数组 | no | 返回属于指定严重性级别的漏洞发现: `info``unknown``low``medium``high``critical` . 默认为全部. |
| `confidence` | 字符串数组 | no | 返回属于指定置信度的漏洞发现: `ignore``unknown``experimental``low``medium``high``confirmed` . 默认为全部. |
| `scanner` | 字符串数组 | no | 返回指定扫描程序检测到的漏洞发现. |
| `pipeline_id` | integer/string | no | 返回属于指定管道的漏洞发现. |

```
curl --header "PRIVATE-TOKEN: <your_access_token>" "https://gitlab.example.com/api/v4/projects/4/vulnerability_findings" 
```

Example response:

```
[  {  "id":  null,  "report_type":  "dependency_scanning",  "name":  "Authentication bypass via incorrect DOM traversal and canonicalization in saml2-js",  "severity":  "unknown",  "confidence":  "undefined",  "scanner":  {  "external_id":  "gemnasium",  "name":  "Gemnasium"  },  "identifiers":  [  {  "external_type":  "gemnasium",  "external_id":  "9952e574-7b5b-46fa-a270-aeb694198a98",  "name":  "Gemnasium-9952e574-7b5b-46fa-a270-aeb694198a98",  "url":  "https://deps.sec.gitlab.com/packages/npm/saml2-js/versions/1.5.0/advisories"  },  {  "external_type":  "cve",  "external_id":  "CVE-2017-11429",  "name":  "CVE-2017-11429",  "url":  "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11429"  }  ],  "project_fingerprint":  "fa6f5b6c5d240b834ac5e901dc69f9484cef89ec",  "create_vulnerability_feedback_issue_path":  "/tests/yarn-remediation-test/vulnerability_feedback",  "create_vulnerability_feedback_merge_request_path":  "/tests/yarn-remediation-test/vulnerability_feedback",  "create_vulnerability_feedback_dismissal_path":  "/tests/yarn-remediation-test/vulnerability_feedback",  "project":  {  "id":  31,  "name":  "yarn-remediation-test",  "full_path":  "/tests/yarn-remediation-test",  "full_name":  "tests / yarn-remediation-test"  },  "dismissal_feedback":  null,  "issue_feedback":  null,  "merge_request_feedback":  null,  "description":  "Some XML DOM traversal and canonicalization APIs may be inconsistent in handling of comments within XML nodes. Incorrect use of these APIs by some SAML libraries results in incorrect parsing of the inner text of XML nodes such that any inner text after the comment is lost prior to cryptographically signing the SAML message. Text after the comment therefore has no impact on the signature on the SAML message.\r\n\r\nA remote attacker can modify SAML content for a SAML service provider without invalidating the cryptographic signature, which may allow attackers to bypass primary authentication for the affected SAML service provider.",  "links":  [  {  "url":  "https://github.com/Clever/saml2/commit/3546cb61fd541f219abda364c5b919633609ef3d#diff-af730f9f738de1c9ad87596df3f6de84R279"  },  {  "url":  "https://www.kb.cert.org/vuls/id/475445"  },  {  "url":  "https://github.com/Clever/saml2/issues/127"  }  ],  "location":  {  "file":  "yarn.lock",  "dependency":  {  "package":  {  "name":  "saml2-js"  },  "version":  "1.5.0"  }  },  "solution":  "Upgrade to fixed version.\r\n",  "blob_path":  "/tests/yarn-remediation-test/blob/cc6c4a0778460455ae5d16ca7025ca9ca1ca75ac/yarn.lock"  }  ] 
```