# Vulnerability Findings API
- Tier: Ultimate
- Offering: GitLab.com, GitLab Self-Managed, GitLab Dedicated
This API resource was renamed from Vulnerabilities to Vulnerability Findings, because Vulnerabilities is reserved for serving Vulnerability objects.
To fix any broken integrations with the former Vulnerabilities API, change the `vulnerabilities` URL part to `vulnerability_findings`.
Every API call to vulnerability findings must be authenticated.
If the user does not have permission to use the project Security Dashboard,
any request for that project's vulnerability findings returns a `403 Forbidden` status code.
This API is being deprecated and is considered unstable. The response payload may change or break across GitLab releases. Use the GraphQL API instead. For more information, see the GraphQL examples.
## Vulnerability findings pagination
By default, `GET` requests return 20 results at a time because the API results are paginated.
Read more on pagination.
## List project vulnerability findings
List all of a project's vulnerability findings.
```plaintext
GET /projects/:id/vulnerability_findings
GET /projects/:id/vulnerability_findings?report_type=sast
GET /projects/:id/vulnerability_findings?report_type=container_scanning
GET /projects/:id/vulnerability_findings?report_type=sast,dast
GET /projects/:id/vulnerability_findings?scope=all
GET /projects/:id/vulnerability_findings?scope=dismissed
GET /projects/:id/vulnerability_findings?severity=high
GET /projects/:id/vulnerability_findings?pipeline_id=42
```

| Attribute | Type | Required | Description |
|---|---|---|---|
| `id` | integer/string | Yes | The ID or URL-encoded path of the project owned by the authenticated user. |
| `report_type` | string array | No | Returns vulnerability findings belonging to the specified report types. Valid values: `sast`, `dast`, `dependency_scanning`, or `container_scanning`. Defaults to all. |
| `scope` | string | No | Returns vulnerability findings for the given scope: `all` or `dismissed`. Defaults to `dismissed`. |
| `severity` | string array | No | Returns vulnerability findings belonging to the specified severity levels: `info`, `unknown`, `low`, `medium`, `high`, or `critical`. Defaults to all. |
| `pipeline_id` | integer/string | No | Returns vulnerability findings belonging to the specified pipeline. |
```shell
curl --header "PRIVATE-TOKEN: <your_access_token>" "https://gitlab.example.com/api/v4/projects/4/vulnerability_findings"
```

Example response:

```json
[
  {
    "id": null,
    "report_type": "sast",
    "name": "可能的命令注入",
    "severity": "high",
    "scanner": {
      "external_id": "brakeman",
      "name": "Brakeman",
      "vendor": "GitLab"
    },
    "identifiers": [
      {
        "external_type": "brakeman_warning_code",
        "external_id": "14",
        "name": "Brakeman 警告代码 14",
        "url": "https://brakemanscanner.org/docs/warning_types/command_injection/"
      }
    ],
    "uuid": "ad5e3be3-a193-55f5-a200-bc12865fb09c",
    "create_jira_issue_url": null,
    "false_positive": true,
    "create_vulnerability_feedback_issue_path": "/root/test-false-positive/-/vulnerability_feedback",
    "create_vulnerability_feedback_merge_request_path": "/root/test-false-positive/-/vulnerability_feedback",
    "create_vulnerability_feedback_dismissal_path": "/root/test-false-positive/-/vulnerability_feedback",
    "project": {
      "id": 2,
      "name": "测试误报",
      "full_path": "/root/test-false-positive",
      "full_name": "管理员 / 测试误报"
    },
    "dismissal_feedback": null,
    "issue_feedback": null,
    "merge_request_feedback": null,
    "description": null,
    "links": [],
    "location": {
      "file": "app/controllers/users_controller.rb",
      "start_line": 42,
      "class": "UsersController",
      "method": "list_users"
    },
    "remediations": [
      null
    ],
    "solution": null,
    "evidence": null,
    "request": null,
    "response": null,
    "evidence_source": null,
    "supporting_messages": [],
    "assets": [],
    "details": {},
    "state": "detected",
    "scan": {
      "type": "sast",
      "status": "success",
      "start_time": "2021-09-02T20:55:48",
      "end_time": "2021-09-02T20:55:48"
    },
    "blob_path": "/root/test-false-positive/-/blob/dfd75607752a839bbc9c7362d111effaa470fecd/app/controllers/users_controller.rb#L42"
  }
]
```

## Replace Vulnerability Findings REST API with GraphQL
To prepare for the upcoming deprecation of the Vulnerability Findings REST API endpoints, use the following examples to perform the equivalent operations through the GraphQL API.
### GraphQL - Project vulnerability findings
Use `Pipeline.securityReportFindings`.
```graphql
query VulnerabilityFindings {
  project(fullPath: "gitlab-examples/security/security-reports") {
    pipelines(first: 1) {
      nodes {
        securityReportFindings(first: 1) {
          nodes {
            title
            severity
            state
            scanner {
              externalId
              name
              vendor
            }
            identifiers {
              externalType
              externalId
              name
              url
            }
            uuid
            falsePositive
            description
            location {
              ... on VulnerabilityLocationSast {
                file
                startLine
                endLine
                vulnerableClass
                vulnerableMethod
                blobPath
              }
              ... on VulnerabilityLocationContainerScanning {
                dependency {
                  package {
                    name
                  }
                  version
                }
                image
                operatingSystem
              }
              ... on VulnerabilityLocationDependencyScanning {
                file
                blobPath
                dependency {
                  version
                }
              }
            }
            remediations {
              diff
              summary
            }
            solution
            evidence {
              request {
                body
                headers {
                  name
                  value
                }
                method
                url
              }
            }
          }
        }
      }
    }
  }
}
```

Example response:
```json
{
  "data": {
    "project": {
      "pipelines": {
        "nodes": [
          {
            "securityReportFindings": {
              "nodes": [
                {
                  "title": "不可信数据反序列化",
                  "severity": "CRITICAL",
                  "state": "CONFIRMED",
                  "scanner": {
                    "externalId": "gemnasium",
                    "name": "Gemnasium",
                    "vendor": "GitLab"
                  },
                  "identifiers": [
                    {
                      "externalType": "gemnasium",
                      "externalId": "b60c2d6b-9083-4a97-a1b2-f7dc79bff74c",
                      "name": "Gemnasium-b60c2d6b-9083-4a97-a1b2-f7dc79bff74c",
                      "url": "https://gitlab.com/gitlab-org/security-products/gemnasium-db/-/blob/master/gem/activerecord/CVE-2022-32224.yml"
                    },
                    {
                      "externalType": "cve",
                      "externalId": "CVE-2022-32224",
                      "name": "CVE-2022-32224",
                      "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32224"
                    },
                    {
                      "externalType": "ghsa",
                      "externalId": "GHSA-3hhc-qp5v-9p2j",
                      "name": "GHSA-3hhc-qp5v-9p2j",
                      "url": "https://github.com/advisories/GHSA-3hhc-qp5v-9p2j"
                    }
                  ],
                  "uuid": "c9e40395-72cd-54f5-962f-e1d52c0dffab",
                  "falsePositive": false,
                  "description": "在 Active Record < 7.0.3.1、<6.1.6.1、<6.0.5.1 和 <5.2.8.1 中使用 YAML 序列化列时,可能存在升级为 RCE 的漏洞,这可能允许能够操纵数据库数据(如通过 SQL 注入)的攻击者升级为 RCE。",
                  "location": {
                    "file": "dependency-scanning-files/Gemfile.lock",
                    "blobPath": null,
                    "dependency": {
                      "version": "5.0.0"
                    }
                  },
                  "remediations": [],
                  "solution": "升级到 5.2.8.1、6.0.5.1、6.1.6.1、7.0.3.1 或更高版本。",
                  "evidence": null
                }
              ]
            }
          }
        ]
      }
    }
  }
}
```
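As an added example (not GitLab's own code), one way to move an integration from the REST endpoint above to `Pipeline.securityReportFindings`: build the REST URL with the documented filters validated up front, then map both response shapes (snake_case lowercase REST fields versus camelCase uppercase GraphQL enums) onto one record so results from the two APIs can be compared field by field. The sample findings are constructed from the shapes shown above; the base URL and project ID are placeholders.

```python
"""Added example (not GitLab's own code): map a REST finding and a
Pipeline.securityReportFindings node onto one shape, so a migration from
REST to GraphQL can be checked field by field. Samples are constructed."""
from urllib.parse import urlencode

REPORT_TYPES = {"sast", "dast", "dependency_scanning", "container_scanning"}
SEVERITIES = {"info", "unknown", "low", "medium", "high", "critical"}

def findings_url(base, project_id, report_type=(), severity=(), scope=None):
    """REST URL with the filters from the table above; bad values fail early."""
    bad = (set(report_type) - REPORT_TYPES) | (set(severity) - SEVERITIES)
    if bad or scope not in (None, "all", "dismissed"):
        raise ValueError(f"unsupported filter value: {sorted(bad) or scope}")
    params = {k: ",".join(v) for k, v in [("report_type", report_type), ("severity", severity)] if v}
    if scope:
        params["scope"] = scope
    url = f"{base}/api/v4/projects/{project_id}/vulnerability_findings"
    return url + ("?" + urlencode(params) if params else "")

def from_rest(f):
    """REST finding: snake_case keys, lowercase severity/state, location.start_line."""
    loc = f.get("location") or {}
    return {"title": f["name"], "severity": f["severity"].lower(), "state": f["state"].lower(),
            "uuid": f["uuid"], "scanner": f["scanner"]["external_id"],
            "identifiers": [(i["external_type"], i["external_id"]) for i in f["identifiers"]],
            "file": loc.get("file"), "line": loc.get("start_line")}

def from_graphql(n):
    """GraphQL node: camelCase keys, uppercase enums, startLine only on SAST locations."""
    loc = n.get("location") or {}
    return {"title": n["title"], "severity": n["severity"].lower(), "state": n["state"].lower(),
            "uuid": n["uuid"], "scanner": n["scanner"]["externalId"],
            "identifiers": [(i["externalType"], i["externalId"]) for i in n["identifiers"]],
            "file": loc.get("file"), "line": loc.get("startLine")}

def cve_ids(finding):
    """CVE identifiers on a normalised finding; empty when only scanner ids exist."""
    return sorted(i for t, i in finding["identifiers"] if t == "cve")

# Constructed samples, one per response shape, trimmed to the fields used above.
REST_FINDING = {"name": "Possible command injection", "severity": "high", "state": "detected",
                "uuid": "ad5e3be3-a193-55f5-a200-bc12865fb09c", "scanner": {"external_id": "brakeman"},
                "identifiers": [{"external_type": "brakeman_warning_code", "external_id": "14"}],
                "location": {"file": "app/controllers/users_controller.rb", "start_line": 42}}
GQL_NODE = {"title": "Deserialization of Untrusted Data", "severity": "CRITICAL", "state": "CONFIRMED",
            "uuid": "c9e40395-72cd-54f5-962f-e1d52c0dffab", "scanner": {"externalId": "gemnasium"},
            "identifiers": [{"externalType": "gemnasium", "externalId": "b60c2d6b-9083-4a97-a1b2-f7dc79bff74c"},
                            {"externalType": "cve", "externalId": "CVE-2022-32224"}],
            "location": {"file": "dependency-scanning-files/Gemfile.lock", "blobPath": None}}
```

Note that a dependency-scanning location carries no `startLine`, so `line` is `None` for such findings in both shapes; compare on `uuid` when matching records across the two APIs.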