{{< details >}}
- Tier: 旗舰版
- Offering: JihuLab.com, 私有化部署
{{< /details >}}
每次调用漏洞导出 API 必须进行认证。
创建项目级漏洞导出
创建一个项目的新漏洞导出。
如果经过身份验证的用户没有权限创建新漏洞,则此请求返回 403 Forbidden 状态码。
漏洞导出只能由导出的作者访问。
POST /security/projects/:id/vulnerability_exports
| 属性 | 类型 | 是否必需 | 描述 |
|---|---|---|---|
id |
integer 或 string | 是 | 经过身份验证的用户所属项目的 ID 或 URL 编码路径 |
send_email |
boolean | 否 | 设置为 true 时,在导出完成时向请求导出的用户发送电子邮件通知。 |
curl --request POST --header "PRIVATE-TOKEN: <your_access_token>" "https://gitlab.example.com/api/v4/security/projects/1/vulnerability_exports"
创建的漏洞导出会在 expires_at 字段指定的时间自动删除。
示例响应:
{
"id": 2,
"created_at": "2020-03-30T09:35:38.746Z",
"project_id": 1,
"group_id": null,
"format": "csv",
"status": "created",
"started_at": null,
"finished_at": null,
"send_email": false,
"expires_at": "2020-04-06T09:35:38.746Z",
"_links": {
"self": "https://gitlab.example.com/api/v4/security/vulnerability_exports/2",
"download": "https://gitlab.example.com/api/v4/security/vulnerability_exports/2/download"
}
}
创建群组级漏洞导出
创建一个群组的新漏洞导出。
如果经过身份验证的用户没有权限创建新漏洞,则此请求返回 403 Forbidden 状态码。
漏洞导出只能由导出的作者访问。
POST /security/groups/:id/vulnerability_exports
| 属性 | 类型 | 是否必需 | 描述 |
|---|---|---|---|
id |
integer 或 string | 是 | 经过身份验证的用户所属群组的 ID 或 URL 编码路径 |
curl --request POST --header "PRIVATE-TOKEN: <your_access_token>" "https://gitlab.example.com/api/v4/security/groups/1/vulnerability_exports"
创建的漏洞导出会在 expires_at 字段指定的时间自动删除。
示例响应:
{
"id": 2,
"created_at": "2020-03-30T09:35:38.746Z",
"project_id": null,
"group_id": 1,
"format": "csv",
"status": "created",
"started_at": null,
"finished_at": null,
"expires_at": "2020-04-06T09:35:38.746Z",
"_links": {
"self": "https://gitlab.example.com/api/v4/security/vulnerability_exports/2",
"download": "https://gitlab.example.com/api/v4/security/vulnerability_exports/2/download"
}
}
创建实例级漏洞导出
为安全仪表板中选择的用户项目创建一个新的漏洞导出。
POST /security/vulnerability_exports
curl --request POST --header "PRIVATE-TOKEN: <your_access_token>" "https://gitlab.example.com/api/v4/security/vulnerability_exports"
创建的漏洞导出会在 expires_at 字段指定的时间自动删除。
示例响应:
{
"id": 2,
"created_at": "2020-03-30T09:35:38.746Z",
"project_id": null,
"group_id": null,
"format": "csv",
"status": "created",
"started_at": null,
"finished_at": null,
"expires_at": "2020-04-06T09:35:38.746Z",
"_links": {
"self": "https://gitlab.example.com/api/v4/security/vulnerability_exports/2",
"download": "https://gitlab.example.com/api/v4/security/vulnerability_exports/2/download"
}
}
获取单个漏洞导出
获取单个漏洞导出。
GET /security/vulnerability_exports/:id
| 属性 | 类型 | 是否必需 | 描述 |
|---|---|---|---|
id |
integer 或 string | 是 | 漏洞导出的 ID |
curl --header "PRIVATE-TOKEN: <your_access_token>" "https://gitlab.example.com/api/v4/security/vulnerability_exports/2"
如果漏洞导出尚未完成,响应为 202 Accepted。
示例响应:
{
"id": 2,
"created_at": "2020-03-30T09:35:38.746Z",
"project_id": 1,
"group_id": null,
"format": "csv",
"status": "finished",
"started_at": "2020-03-30T09:36:54.469Z",
"finished_at": "2020-03-30T09:36:55.008Z",
"expires_at": "2020-04-06T09:35:38.746Z",
"_links": {
"self": "https://gitlab.example.com/api/v4/security/vulnerability_exports/2",
"download": "https://gitlab.example.com/api/v4/security/vulnerability_exports/2/download"
}
}
下载漏洞导出
下载单个漏洞导出。
GET /security/vulnerability_exports/:id/download
| 属性 | 类型 | 是否必需 | 描述 |
|---|---|---|---|
id |
integer 或 string | 是 | 漏洞导出的 ID |
curl --header "PRIVATE-TOKEN: <your_access_token>" "https://gitlab.example.com/api/v4/security/vulnerability_exports/2/download"
如果漏洞导出尚未完成或未找到,响应为 404 Not Found。
示例响应:
Group Name,Project Name,Tool,Scanner Name,Status,Vulnerability,Details,Additional Info,Severity,CVE,CWE,Other Identifiers,Detected At,Location,Activity,Comments,Full Path,CVSS Vectors,Dismissal Reason
Gitlab.org,Defend,container_scanning,Trivy,resolved,CVE-2019-14697 in musl-utils-1.1.20-r4,"musl libc through 1.1.23 has an x87 floating-point stack adjustment imbalance, related to the math/i386/ directory. In some cases, use of this library could introduce out-of-bounds writes that are not present in an application's source code.",CVE-2019-14697 in musl-utils-1.1.20-r4,critical,CVE-2019-14697,,"",2022-10-07 13:34:41 UTC,"{""image""=>""python:3.4-alpine"", ""dependency""=>{""package""=>{""name""=>""musl-utils""}, ""version""=>""1.1.20-r4""}, ""operating_system""=>""alpine 3.9.2""}",true,"2022-10-07 13:41:08 UTC|root|resolved|changed vulnerability status to resolved",group/project/1,,,
Gitlab.org,Defend,container_scanning,Trivy,detected,CVE-2019-19242 in sqlite-libs-3.26.0-r3,"SQLite 3.30.1 mishandles pExpr->y.pTab, as demonstrated by the TK_COLUMN case in sqlite3ExprCodeTarget in expr.c.",CVE-2019-19242 in sqlite-libs-3.26.0-r3,medium,CVE-2019-19242,,"",2022-10-07 13:34:41 UTC,"{""image""=>""python:3.4-alpine"", ""dependency""=>{""package""=>{""name""=>""sqlite-libs""}, ""version""=>""3.26.0-r3""}, ""operating_system""=>""alpine 3.9.2""}",true,"",group/project/2,,,
Gitlab.org,Defend,container_scanning,Trivy,detected,CVE-2020-28928 in musl-1.1.20-r4,"In musl libc through 1.2.1, wcsnrtombs mishandles particular combinations of destination buffer size and source character limit, as demonstrated by an invalid write access (buffer overflow).",CVE-2020-28928 in musl-1.1.20-r4,medium,CVE-2020-28928,,"",2022-10-07 13:34:41 UTC,"{""image""=>""python:3.4-alpine"", ""dependency""=>{""package""=>{""name""=>""musl""}, ""version""=>""1.1.20-r4""}, ""operating_system""=>""alpine 3.9.2""}",true,"",group/project/3,,,
Gitlab.org,Defend,dependency_scanning,Gemnasium,detected,Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in rack,Carefully crafted requests can cause shell escape sequences to be written to the terminal via Rack's Lint middleware and CommonLogger middleware. These escape sequences can be leveraged to possibly execute commands in the victim's terminal.,Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in rack,unknown,Gemfile.lock:rack:gemnasium:60b5a27f-4e4d-4ab4-8ae7-74b4b212e177,,Gemnasium-60b5a27f-4e4d-4ab4-8ae7-74b4b212e177; GHSA-wq4h-7r42-5hrr,2022-10-14 13:16:00 UTC,"{""file""=>""Gemfile.lock"", ""dependency""=>{""package""=>{""name""=>""rack""}, ""version""=>""2.2.3""}}",false,group/project/4,,,
Gitlab.org,Defend,dependency_scanning,Gemnasium,detected,Denial of Service Vulnerability in Rack Multipart Parsing in rack,"Carefully crafted multipart POST requests can cause Rack's multipart parser to take much longer than expected, leading to a possible denial of service vulnerability. Impacted code will use Rack's multipart parser to parse multipart posts.",Denial of Service Vulnerability in Rack Multipart Parsing in rack,unknown,Gemfile.lock:rack:gemnasium:20daa17a-47b5-4f79-80c2-cd8f2db9805c,,Gemnasium-20daa17a-47b5-4f79-80c2-cd8f2db9805c; GHSA-hxqx-xwvh-44m2,2022-10-14 13:16:00 UTC,"{""file""=>""Gemfile.lock"", ""dependency""=>{""package""=>{""name""=>""rack""}, ""version""=>""2.2.3""}}",false,group/project/5,,,
Gitlab.org,Defend,sast,Brakeman,detected,Possible SQL injection,,Possible SQL injection,medium,e52f23a259cd489168b4313317ac94a3f13bffde57b9635171c1a44a9f329e9a,,"""Brakeman Warning Code 0""",2022-10-13 15:16:36 UTC,"{""file""=>""main.rb"", ""class""=>""User"", ""method""=>""index"", ""start_line""=>3}",false,"",group/project/6,,,
Gitlab.org,Defend,sast,Semgrep,dismissed,Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'),"SQL Injection is a critical vulnerability that can lead to data or system compromise...",,critical,,CWE-89,SCS0002,2023-12-28 10:48:34 UTC,"{""file""=>""WebGoat/App_Code/DB/SqliteDbProvider.cs"", ""start_line""=>274}",false,"2023-12-28 10:51:32 UTC|root|Dismissed|""changed vulnerability status to Dismissed: Not Applicable and the following comment: ""dismiss 5""",gitlab-org/defend/579,,Not applicable,