{{< details >}}

- Tier: Ultimate
- Offering: JihuLab.com, Self-managed

{{< /details >}}

{{< history >}}

- `last_edited_at` was deprecated in JiHu GitLab 16.7.
- `start_date` was deprecated in JiHu GitLab 16.7.
- `updated_by_id` was deprecated in JiHu GitLab 16.7.
- `last_edited_by_id` was deprecated in JiHu GitLab 16.7.
- `due_date` was deprecated in JiHu GitLab 16.7.

{{< /history >}}

{{< alert type="note" >}}

The previous Vulnerabilities API was renamed to the Vulnerability Findings API, and its documentation was moved to a different location. This document now describes the new Vulnerabilities API, which provides access to vulnerabilities.

{{< /alert >}}

{{< alert type="warning" >}}

This API is being prepared for deprecation and is considered unstable. The response payload may change or break between JiHu GitLab releases; use the GraphQL API instead. For more information, see the GraphQL examples.

{{< /alert >}}

Every API call to vulnerabilities must be authenticated.

If the authenticated user does not have permission to view the vulnerability report, the request returns a `403 Forbidden` status code.

## Single vulnerability

Gets a single vulnerability.

```plaintext
GET /vulnerabilities/:id
```

| Attribute | Type              | Required | Description                        |
|-----------|-------------------|----------|------------------------------------|
| `id`      | integer or string | yes      | The ID of the vulnerability to get. |

```shell
curl --header "PRIVATE-TOKEN: <your_access_token>" "https://gitlab.example.com/api/v4/vulnerabilities/1"
```

Example response:

```json
{
  "id": 1,
  "title": "Predictable pseudorandom number generator",
  "description": null,
  "state": "opened",
  "severity": "medium",
  "confidence": "medium",
  "report_type": "sast",
  "project": {
    "id": 32,
    "name": "security-reports",
    "full_path": "/gitlab-examples/security/security-reports",
    "full_name": "gitlab-examples / security / security-reports"
  },
  "author_id": 1,
  "closed_by_id": null,
  "created_at": "2019-10-13T15:08:40.219Z",
  "updated_at": "2019-10-13T15:09:40.382Z",
  "closed_at": null
}
```

## Confirm vulnerability

Confirms the given vulnerability. If the vulnerability is already confirmed, status code `304` is returned.

If the authenticated user does not have permission to change the vulnerability's state, the request returns a `403` status code.

```plaintext
POST /vulnerabilities/:id/confirm
```

| Attribute | Type              | Required | Description                            |
|-----------|-------------------|----------|----------------------------------------|
| `id`      | integer or string | yes      | The ID of the vulnerability to confirm. |

```shell
curl --request POST --header "PRIVATE-TOKEN: <your_access_token>" "https://gitlab.example.com/api/v4/vulnerabilities/5/confirm"
```

Example response:

```json
{
  "id": 2,
  "title": "Predictable pseudorandom number generator",
  "description": null,
  "state": "confirmed",
  "severity": "medium",
  "confidence": "medium",
  "report_type": "sast",
  "project": {
    "id": 32,
    "name": "security-reports",
    "full_path": "/gitlab-examples/security/security-reports",
    "full_name": "gitlab-examples / security / security-reports"
  },
  "author_id": 1,
  "closed_by_id": null,
  "created_at": "2019-10-13T15:08:40.219Z",
  "updated_at": "2019-10-13T15:09:40.382Z",
  "closed_at": null
}
```

## Resolve vulnerability

Resolves the given vulnerability. If the vulnerability is already resolved, status code `304` is returned.

If the authenticated user does not have permission to change the vulnerability's state, the request returns a `403` status code.

```plaintext
POST /vulnerabilities/:id/resolve
```

| Attribute | Type              | Required | Description                            |
|-----------|-------------------|----------|----------------------------------------|
| `id`      | integer or string | yes      | The ID of the vulnerability to resolve. |

```shell
curl --request POST --header "PRIVATE-TOKEN: <your_access_token>" "https://gitlab.example.com/api/v4/vulnerabilities/5/resolve"
```

Example response:

```json
{
  "id": 2,
  "title": "Predictable pseudorandom number generator",
  "description": null,
  "state": "resolved",
  "severity": "medium",
  "confidence": "medium",
  "report_type": "sast",
  "project": {
    "id": 32,
    "name": "security-reports",
    "full_path": "/gitlab-examples/security/security-reports",
    "full_name": "gitlab-examples / security / security-reports"
  },
  "author_id": 1,
  "closed_by_id": null,
  "created_at": "2019-10-13T15:08:40.219Z",
  "updated_at": "2019-10-13T15:09:40.382Z",
  "closed_at": null
}
```

## Dismiss vulnerability

Dismisses the given vulnerability. If the vulnerability is already dismissed, status code `304` is returned.

If the authenticated user does not have permission to change the vulnerability's state, the request returns a `403` status code.

```plaintext
POST /vulnerabilities/:id/dismiss
```

| Attribute | Type              | Required | Description                            |
|-----------|-------------------|----------|----------------------------------------|
| `id`      | integer or string | yes      | The ID of the vulnerability to dismiss. |

```shell
curl --request POST --header "PRIVATE-TOKEN: <your_access_token>" "https://gitlab.example.com/api/v4/vulnerabilities/5/dismiss"
```

Example response:

```json
{
  "id": 2,
  "title": "Predictable pseudorandom number generator",
  "description": null,
  "state": "closed",
  "severity": "medium",
  "confidence": "medium",
  "report_type": "sast",
  "project": {
    "id": 32,
    "name": "security-reports",
    "full_path": "/gitlab-examples/security/security-reports",
    "full_name": "gitlab-examples / security / security-reports"
  },
  "author_id": 1,
  "closed_by_id": null,
  "created_at": "2019-10-13T15:08:40.219Z",
  "updated_at": "2019-10-13T15:09:40.382Z",
  "closed_at": null
}
```

## Revert vulnerability to detected state

Reverts the given vulnerability to the detected state. If the vulnerability is already in the detected state, status code `304` is returned.

If the authenticated user does not have permission to change the vulnerability's state, the request returns a `403` status code.

```plaintext
POST /vulnerabilities/:id/revert
```

| Attribute | Type              | Required | Description                                                |
|-----------|-------------------|----------|------------------------------------------------------------|
| `id`      | integer or string | yes      | The ID of the vulnerability to revert to the detected state. |

```shell
curl --request POST --header "PRIVATE-TOKEN: <your_access_token>" "https://gitlab.example.com/api/v4/vulnerabilities/5/revert"
```

Example response:

```json
{
  "id": 2,
  "title": "Predictable pseudorandom number generator",
  "description": null,
  "state": "detected",
  "severity": "medium",
  "confidence": "medium",
  "report_type": "sast",
  "project": {
    "id": 32,
    "name": "security-reports",
    "full_path": "/gitlab-examples/security/security-reports",
    "full_name": "gitlab-examples / security / security-reports"
  },
  "author_id": 1,
  "closed_by_id": null,
  "created_at": "2019-10-13T15:08:40.219Z",
  "updated_at": "2019-10-13T15:09:40.382Z",
  "closed_at": null
}
```

## Replace the Vulnerability REST API with GraphQL

To prepare for the upcoming deprecation of the Vulnerability REST API endpoints, use the following examples to perform the equivalent operations with the GraphQL API.

### GraphQL - Single vulnerability

Use `Query.vulnerability`:

```graphql
{
  vulnerability(id: "gid://gitlab/Vulnerability/20345379") {
    title
    description
    state
    severity
    reportType
    project {
      id
      name
      fullPath
    }
    detectedAt
    confirmedAt
    resolvedAt
    resolvedBy {
      id
      username
    }
  }
}
```

Example response:

```json
{
  "data": {
    "vulnerability": {
      "title": "Improper Input Validation in railties",
      "description": "A remote code execution vulnerability in development mode Rails beta3 can allow an attacker to guess the automatically generated development mode secret token. This secret token can be used in combination with other Rails internals to escalate to a remote code execution exploit.",
      "state": "RESOLVED",
      "severity": "CRITICAL",
      "reportType": "DEPENDENCY_SCANNING",
      "project": {
        "id": "gid://gitlab/Project/6102100",
        "name": "security-reports",
        "fullPath": "gitlab-examples/security/security-reports"
      },
      "detectedAt": "2021-10-14T03:13:41Z",
      "confirmedAt": "2021-12-14T01:45:56Z",
      "resolvedAt": "2021-12-14T01:45:59Z",
      "resolvedBy": {
        "id": "gid://gitlab/User/480804",
        "username": "thiagocsf"
      }
    }
  }
}
```

### GraphQL - Confirm vulnerability

Use `Mutation.vulnerabilityConfirm`:

```graphql
mutation {
  vulnerabilityConfirm(input: { id: "gid://gitlab/Vulnerability/23577695"}) {
    vulnerability {
      state
    }
    errors
  }
}
```

Example response:

```json
{
  "data": {
    "vulnerabilityConfirm": {
      "vulnerability": {
        "state": "CONFIRMED"
      },
      "errors": []
    }
  }
}
```

### GraphQL - Resolve vulnerability

Use `Mutation.vulnerabilityResolve`:

```graphql
mutation {
  vulnerabilityResolve(input: { id: "gid://gitlab/Vulnerability/23577695"}) {
    vulnerability {
      state
    }
    errors
  }
}
```

Example response:

```json
{
  "data": {
    "vulnerabilityResolve": {
      "vulnerability": {
        "state": "RESOLVED"
      },
      "errors": []
    }
  }
}
```

### GraphQL - Dismiss vulnerability

Use `Mutation.vulnerabilityDismiss`:

```graphql
mutation {
  vulnerabilityDismiss(input: { id: "gid://gitlab/Vulnerability/23577695"}) {
    vulnerability {
      state
    }
    errors
  }
}
```

Example response:

```json
{
  "data": {
    "vulnerabilityDismiss": {
      "vulnerability": {
        "state": "DISMISSED"
      },
      "errors": []
    }
  }
}
```

### GraphQL - Revert vulnerability to detected state

Use `Mutation.vulnerabilityRevertToDetected`:

```graphql
mutation {
  vulnerabilityRevertToDetected(input: { id: "gid://gitlab/Vulnerability/20345379"}) {
    vulnerability {
      state
    }
    errors
  }
}
```

Example response:

```json
{
  "data": {
    "vulnerabilityRevertToDetected": {
      "vulnerability": {
        "state": "DETECTED"
      },
      "errors": []
    }
  }
}
```
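The following Python client drives the confirm/resolve/dismiss/revert transitions described in both the REST section and the GraphQL replacement section above, mapping each REST endpoint to its replacement mutation and handling the `403` (no permission) and `304` (already in that state) responses the page documents; it is an added example, not code from the JiHu GitLab documentation or product. `VulnerabilityClient`, the injectable `transport` function, the base URL and the token are assumptions, as is sending the personal access token as `Authorization: Bearer` on `/api/graphql`.

```python
import json
import urllib.error
import urllib.request

# Hypothetical client (not JiHu GitLab code). Tables from the page: REST suffix -> state the REST response shows, and the GraphQL field replacing it.
REST_STATE = {"confirm": "confirmed", "resolve": "resolved",
              "dismiss": "closed", "revert": "detected"}
GRAPHQL_FIELD = {"confirm": "vulnerabilityConfirm", "resolve": "vulnerabilityResolve",
                 "dismiss": "vulnerabilityDismiss", "revert": "vulnerabilityRevertToDetected"}

def urllib_transport(method, url, headers, body):
    """Default transport: returns (status, body_bytes); HTTP error statuses are returned, not raised."""
    req = urllib.request.Request(url, data=body, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()

class VulnerabilityClient:
    def __init__(self, base_url, token, transport=urllib_transport):
        self.base_url, self.token, self.transport = base_url.rstrip("/"), token, transport

    def rest_transition(self, vuln_id, action):
        """POST /vulnerabilities/:id/<action>; returns the resulting state string."""
        url = f"{self.base_url}/api/v4/vulnerabilities/{vuln_id}/{action}"
        status, body = self.transport("POST", url, {"PRIVATE-TOKEN": self.token}, None)
        if status == 403:  # token holder lacks permission to change vulnerability state
            raise PermissionError(f"not allowed to {action} vulnerability {vuln_id}")
        if status == 304:  # already in the target state; body is empty, so map it ourselves
            return REST_STATE[action]
        if status != 200:
            raise RuntimeError(f"unexpected HTTP {status}: {body[:200]!r}")
        return json.loads(body)["state"]

    def graphql_transition(self, vuln_id, action):
        """Same transition through the replacement mutation; returns the enum state."""
        field = GRAPHQL_FIELD[action]
        query = (f'mutation {{ {field}(input: {{ id: "gid://gitlab/Vulnerability/{vuln_id}" }})'
                 " { vulnerability { state } errors } }")
        headers = {"Authorization": f"Bearer {self.token}", "Content-Type": "application/json"}
        status, raw = self.transport("POST", f"{self.base_url}/api/graphql", headers,
                                     json.dumps({"query": query}).encode())
        payload = json.loads(raw or b"{}")
        if status != 200 or payload.get("data") is None:  # auth/schema errors arrive top-level
            raise RuntimeError(f"GraphQL request failed: {payload.get('errors')}")
        result = payload["data"][field]
        if result["errors"]:  # mutation-level errors, e.g. no permission on this record
            raise PermissionError(f"{field}: {result['errors']}")
        return result["vulnerability"]["state"]
```

Because the transport is injectable, the same code can be exercised against canned responses before pointing it at a real instance, which is how the migration from the REST calls to the mutations can be checked without touching production data.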