"title":"Report format for GitLab Cluster Image Scanning",
"description":"This schema provides the report format for Cluster Image Scanning (https://docs.gitlab.com/ee/user/application_security/cluster_image_scanning/).",
"definitions":{
"detail_type":{
"oneOf":[
{
"$ref":"#/definitions/named_list"
},
{
"$ref":"#/definitions/list"
},
{
"$ref":"#/definitions/table"
},
{
"$ref":"#/definitions/text"
},
{
"$ref":"#/definitions/url"
},
{
"$ref":"#/definitions/code"
},
{
"$ref":"#/definitions/value"
},
{
"$ref":"#/definitions/diff"
},
{
"$ref":"#/definitions/markdown"
},
{
"$ref":"#/definitions/commit"
},
{
"$ref":"#/definitions/file_location"
},
{
"$ref":"#/definitions/module_location"
}
]
},
"text_value":{
"type":"string"
},
"named_field":{
"type":"object",
"required":[
"name"
],
"properties":{
"name":{
"$ref":"#/definitions/text_value",
"minLength":1
},
"description":{
"$ref":"#/definitions/text_value"
}
}
},
"named_list":{
"type":"object",
"description":"An object with named and typed fields",
"required":[
"type",
"items"
],
"properties":{
"type":{
"const":"named-list"
},
"items":{
"type":"object",
"patternProperties":{
"^.*$":{
"allOf":[
{
"$ref":"#/definitions/named_field"
},
{
"$ref":"#/definitions/detail_type"
}
]
}
}
}
}
},
"list":{
"type":"object",
"description":"A list of typed fields",
"required":[
"type",
"items"
],
"properties":{
"type":{
"const":"list"
},
"items":{
"type":"array",
"items":{
"$ref":"#/definitions/detail_type"
}
}
}
},
"table":{
"type":"object",
"description":"A table of typed fields",
"required":[
"type",
"rows"
],
"properties":{
"type":{
"const":"table"
},
"header":{
"type":"array",
"items":{
"$ref":"#/definitions/detail_type"
}
},
"rows":{
"type":"array",
"items":{
"type":"array",
"items":{
"$ref":"#/definitions/detail_type"
}
}
}
}
},
"text":{
"type":"object",
"description":"Raw text",
"required":[
"type",
"value"
],
"properties":{
"type":{
"const":"text"
},
"value":{
"$ref":"#/definitions/text_value"
}
}
},
"url":{
"type":"object",
"description":"A single URL",
"required":[
"type",
"href"
],
"properties":{
"type":{
"const":"url"
},
"text":{
"$ref":"#/definitions/text_value"
},
"href":{
"type":"string",
"minLength":1,
"examples":[
"http://mysite.com"
]
}
}
},
"code":{
"type":"object",
"description":"A codeblock",
"required":[
"type",
"value"
],
"properties":{
"type":{
"const":"code"
},
"value":{
"type":"string"
},
"lang":{
"type":"string",
"description":"A programming language"
}
}
},
"value":{
"type":"object",
"description":"A field that can store a range of types of value",
"required":[
"type",
"value"
],
"properties":{
"type":{
"const":"value"
},
"value":{
"type":[
"number",
"string",
"boolean"
]
}
}
},
"diff":{
"type":"object",
"description":"A diff",
"required":[
"type",
"before",
"after"
],
"properties":{
"type":{
"const":"diff"
},
"before":{
"type":"string"
},
"after":{
"type":"string"
}
}
},
"markdown":{
"type":"object",
"description":"GitLab flavoured markdown, see https://docs.gitlab.com/ee/user/markdown.html",
"required":[
"type",
"value"
],
"properties":{
"type":{
"const":"markdown"
},
"value":{
"$ref":"#/definitions/text_value",
"examples":[
"Here is markdown `inline code` #1 [test](gitlab.com)\n\n![GitLab Logo](https://about.gitlab.com/images/press/logo/preview/gitlab-logo-white-preview.png)"
]
}
}
},
"commit":{
"type":"object",
"description":"A commit/tag/branch within the GitLab project",
"required":[
"type",
"value"
],
"properties":{
"type":{
"const":"commit"
},
"value":{
"type":"string",
"description":"The commit SHA",
"minLength":1
}
}
},
"file_location":{
"type":"object",
"description":"A location within a file in the project",
"required":[
"type",
"file_name",
"line_start"
],
"properties":{
"type":{
"const":"file-location"
},
"file_name":{
"type":"string",
"minLength":1
},
"line_start":{
"type":"integer"
},
"line_end":{
"type":"integer"
}
}
},
"module_location":{
"type":"object",
"description":"A location within a binary module of the form module+relative_offset",
"required":[
"type",
"module_name",
"offset"
],
"properties":{
"type":{
"const":"module-location"
},
"module_name":{
"type":"string",
"minLength":1,
"examples":[
"compiled_binary"
]
},
"offset":{
"type":"integer",
"examples":[
100
]
}
}
}
},
"self":{
"version":"14.0.4"
},
"required":[
"version",
"vulnerabilities"
],
"additionalProperties":true,
"properties":{
"scan":{
"type":"object",
"required":[
"end_time",
"scanner",
"start_time",
"status",
"type"
],
"properties":{
"end_time":{
"type":"string",
"description":"ISO8601 UTC value with format yyyy-mm-ddThh:mm:ss, representing when the scan finished.",
"description":"Communication intended for the initiator of a scan.",
"required":[
"level",
"value"
],
"properties":{
"level":{
"type":"string",
"description":"Describes the severity of the communication. Use info to communicate normal scan behaviour; warn to communicate a potentially recoverable problem, or a partial error; fatal to communicate an issue that causes the scan to halt.",
"enum":[
"info",
"warn",
"fatal"
],
"examples":[
"info"
]
},
"value":{
"type":"string",
"description":"The message to communicate.",
"minLength":1,
"examples":[
"Permission denied, scanning aborted"
]
}
}
}
},
"analyzer":{
"type":"object",
"description":"Object defining the analyzer used to perform the scan. Analyzers typically delegate to an underlying scanner to run the scan.",
"required":[
"id",
"name",
"version",
"vendor"
],
"properties":{
"id":{
"type":"string",
"description":"Unique id that identifies the analyzer.",
"minLength":1,
"examples":[
"gitlab-dast"
]
},
"name":{
"type":"string",
"description":"A human-readable value that identifies the analyzer, not required to be unique.",
"minLength":1,
"examples":[
"GitLab DAST"
]
},
"url":{
"type":"string",
"format":"uri",
"pattern":"^https?://.+",
"description":"A link to more information about the analyzer.",
"description":"URI pointing to the validating security report schema.",
"format":"uri"
},
"version":{
"type":"string",
"description":"The version of the schema to which the JSON report conforms.",
"pattern":"^[0-9]+\\.[0-9]+\\.[0-9]+$"
},
"vulnerabilities":{
"type":"array",
"description":"Array of vulnerability objects.",
"items":{
"type":"object",
"description":"Describes the vulnerability.",
"required":[
"category",
"cve",
"identifiers",
"location",
"scanner"
],
"properties":{
"id":{
"type":"string",
"description":"Unique identifier of the vulnerability. This is recommended to be a UUID.",
"examples":[
"642735a5-1425-428d-8d4e-3c854885a3c9"
]
},
"category":{
"type":"string",
"minLength":1,
"description":"Describes where this vulnerability belongs (for example, SAST, Dependency Scanning, and so on)."
},
"name":{
"type":"string",
"description":"The name of the vulnerability. This must not include the finding's specific information."
},
"message":{
"type":"string",
"description":"A short text section that describes the vulnerability. This may include the finding's specific information."
},
"description":{
"type":"string",
"description":"A long text section describing the vulnerability more fully."
},
"cve":{
"type":"string",
"description":"(Deprecated - use vulnerabilities[].id instead) A fingerprint string value that represents a concrete finding. This is used to determine whether two findings are the same, which may not be 100% accurate. Note that this is NOT a CVE as described by https://cve.mitre.org/."
},
"severity":{
"type":"string",
"description":"How much the vulnerability impacts the software. Possible values are Info, Unknown, Low, Medium, High, or Critical. Note that some analyzers may not report all these possible values.",
"enum":[
"Info",
"Unknown",
"Low",
"Medium",
"High",
"Critical"
]
},
"confidence":{
"type":"string",
"description":"How reliable the vulnerability's assessment is. Possible values are Ignore, Unknown, Experimental, Low, Medium, High, and Confirmed. Note that some analyzers may not report all these possible values.",
"enum":[
"Ignore",
"Unknown",
"Experimental",
"Low",
"Medium",
"High",
"Confirmed"
]
},
"solution":{
"type":"string",
"description":"Explanation of how to fix the vulnerability."
},
"scanner":{
"description":"Describes the scanner used to find this vulnerability.",
"type":"object",
"required":[
"id",
"name"
],
"properties":{
"id":{
"type":"string",
"minLength":1,
"description":"The scanner's ID, as a snake_case string."
},
"name":{
"type":"string",
"minLength":1,
"description":"Human-readable name of the scanner."
}
}
},
"identifiers":{
"type":"array",
"minItems":1,
"description":"An ordered array of references that identify a vulnerability on internal or external databases. The first identifier is the Primary Identifier, which has special meaning.",
"items":{
"type":"object",
"required":[
"type",
"name",
"value"
],
"properties":{
"type":{
"type":"string",
"description":"For example, cve, cwe, osvdb, usn, or an analyzer-dependent type such as gemnasium.",
"minLength":1
},
"name":{
"type":"string",
"description":"Human-readable name of the identifier.",
"minLength":1
},
"url":{
"type":"string",
"description":"URL of the identifier's documentation.",
"format":"uri"
},
"value":{
"type":"string",
"description":"Value of the identifier, for matching purposes.",
"minLength":1
}
}
}
},
"links":{
"type":"array",
"description":"An array of references to external documentation or articles that describe the vulnerability.",
"items":{
"type":"object",
"required":[
"url"
],
"properties":{
"name":{
"type":"string",
"description":"Name of the vulnerability details link."
},
"url":{
"type":"string",
"description":"URL of the vulnerability details document.",
"description":"Describes how this vulnerability should be tracked as the project changes.",
"oneOf":[
{
"description":"Declares that a series of items should be tracked using source-specific tracking methods.",
"required":[
"items"
],
"properties":{
"type":{
"const":"source"
},
"items":{
"type":"array",
"items":{
"description":"An item that should be tracked using source-specific tracking methods.",
"type":"object",
"required":[
"signatures"
],
"properties":{
"file":{
"type":"string",
"description":"Path to the file where the vulnerability is located."
},
"start_line":{
"type":"number",
"description":"The first line of the file that includes the vulnerability."
},
"end_line":{
"type":"number",
"description":"The last line of the file that includes the vulnerability."
},
"signatures":{
"type":"array",
"description":"An array of calculated tracking signatures for this tracking item.",
"minItems":1,
"items":{
"description":"A calculated tracking signature value and metadata.",
"required":[
"algorithm",
"value"
],
"properties":{
"algorithm":{
"type":"string",
"description":"The algorithm used to generate the signature."
},
"value":{
"type":"string",
"description":"The result of this signature algorithm."
}
}
}
}
}
}
}
}
}
],
"properties":{
"type":{
"type":"string",
"description":"Each tracking type must declare its own type."
}
}
},
"flags":{
"description":"Flags that can be attached to vulnerabilities.",
"type":"array",
"items":{
"type":"object",
"description":"Informational flags identified and assigned to a vulnerability.",
"required":[
"type",
"origin",
"description"
],
"properties":{
"type":{
"type":"string",
"minLength":1,
"description":"Result of the scan.",
"enum":[
"flagged-as-likely-false-positive"
]
},
"origin":{
"minLength":1,
"description":"Tool that issued the flag.",
"type":"string"
},
"description":{
"minLength":1,
"description":"What the flag is about.",
"type":"string"
}
}
}
},
"location":{
"type":"object",
"description":"Identifies the vulnerability's location.",
"required":[
"dependency",
"image",
"kubernetes_resource"
],
"properties":{
"dependency":{
"type":"object",
"description":"Describes the dependency of a project where the vulnerability is located.",
"properties":{
"package":{
"type":"object",
"description":"Provides information on the package where the vulnerability is located.",
"properties":{
"name":{
"type":"string",
"description":"Name of the package where the vulnerability is located."
}
}
},
"version":{
"type":"string",
"description":"Version of the vulnerable package."
},
"iid":{
"description":"ID that identifies the dependency in the scope of a dependency file.",
"type":"number"
},
"direct":{
"type":"boolean",
"description":"Tells whether this is a direct, top-level dependency of the scanned project."
},
"dependency_path":{
"type":"array",
"description":"Ancestors of the dependency, starting from a direct project dependency, and ending with an immediate parent of the dependency. The dependency itself is excluded from the path. Direct dependencies have no path.",
"items":{
"type":"object",
"required":[
"iid"
],
"properties":{
"iid":{
"type":"number",
"description":"ID that is unique in the scope of a parent object, and specific to the resource type."
}
}
}
}
}
},
"operating_system":{
"type":"string",
"minLength":1,
"maxLength":255,
"description":"The operating system that contains the vulnerable package."
},
"image":{
"type":"string",
"minLength":1,
"description":"The analyzed Docker image.",
"examples":[
"index.docker.io/library/nginx:1.21"
]
},
"kubernetes_resource":{
"type":"object",
"description":"The specific Kubernetes resource that was scanned.",
"required":[
"namespace",
"kind",
"name",
"container_name"
],
"properties":{
"namespace":{
"type":"string",
"minLength":1,
"maxLength":255,
"description":"The Kubernetes namespace of the resource that had its image scanned.",
"examples":[
"default",
"staging",
"production"
]
},
"kind":{
"type":"string",
"minLength":1,
"maxLength":255,
"description":"The Kubernetes kind of the resource that had its image scanned.",
"examples":[
"Deployment",
"DaemonSet"
]
},
"name":{
"type":"string",
"minLength":1,
"maxLength":255,
"description":"The name of the resource that had its image scanned.",
"examples":[
"nginx-ingress"
]
},
"container_name":{
"type":"string",
"minLength":1,
"maxLength":255,
"description":"The name of the container that had its image scanned.",
"examples":[
"nginx"
]
},
"agent_id":{
"type":"string",
"minLength":1,
"maxLength":255,
"description":"The GitLab ID of the Kubernetes Agent which performed the scan.",
"examples":[
"1234"
]
},
"cluster_id":{
"type":"string",
"minLength":1,
"maxLength":255,
"description":"The GitLab ID of the Kubernetes cluster when using cluster integration.",
"examples":[
"1234"
]
}
}
}
}
}
}
}
},
"remediations":{
"type":"array",
"description":"An array of objects containing information on available remediations, along with patch diffs to apply.",
"items":{
"type":"object",
"required":[
"fixes",
"summary",
"diff"
],
"properties":{
"fixes":{
"type":"array",
"description":"An array of strings that represent references to vulnerabilities fixed by this remediation.",
"items":{
"type":"object",
"required":[
"cve"
],
"properties":{
"cve":{
"type":"string",
"description":"(Deprecated - use vulnerabilities[].id instead) A fingerprint string value that represents a concrete finding. This is used to determine whether two findings are the same, which may not be 100% accurate. Note that this is NOT a CVE as described by https://cve.mitre.org/."
}
}
}
},
"summary":{
"type":"string",
"minLength":1,
"description":"An overview of how the vulnerabilities were fixed."
},
"diff":{
"type":"string",
"minLength":1,
"description":"A base64-encoded remediation code diff, compatible with git apply."
"title":"Report format for GitLab Container Scanning",
"description":"This schema provides the report format for Container Scanning (https://docs.gitlab.com/ee/user/application_security/container_scanning).",
"definitions":{
"detail_type":{
"oneOf":[
{
"$ref":"#/definitions/named_list"
},
{
"$ref":"#/definitions/list"
},
{
"$ref":"#/definitions/table"
},
{
"$ref":"#/definitions/text"
},
{
"$ref":"#/definitions/url"
},
{
"$ref":"#/definitions/code"
},
{
"$ref":"#/definitions/value"
},
{
"$ref":"#/definitions/diff"
},
{
"$ref":"#/definitions/markdown"
},
{
"$ref":"#/definitions/commit"
},
{
"$ref":"#/definitions/file_location"
},
{
"$ref":"#/definitions/module_location"
}
]
},
"text_value":{
"type":"string"
},
"named_field":{
"type":"object",
"required":[
"name"
],
"properties":{
"name":{
"$ref":"#/definitions/text_value",
"minLength":1
},
"description":{
"$ref":"#/definitions/text_value"
}
}
},
"named_list":{
"type":"object",
"description":"An object with named and typed fields",
"required":[
"type",
"items"
],
"properties":{
"type":{
"const":"named-list"
},
"items":{
"type":"object",
"patternProperties":{
"^.*$":{
"allOf":[
{
"$ref":"#/definitions/named_field"
},
{
"$ref":"#/definitions/detail_type"
}
]
}
}
}
}
},
"list":{
"type":"object",
"description":"A list of typed fields",
"required":[
"type",
"items"
],
"properties":{
"type":{
"const":"list"
},
"items":{
"type":"array",
"items":{
"$ref":"#/definitions/detail_type"
}
}
}
},
"table":{
"type":"object",
"description":"A table of typed fields",
"required":[
"type",
"rows"
],
"properties":{
"type":{
"const":"table"
},
"header":{
"type":"array",
"items":{
"$ref":"#/definitions/detail_type"
}
},
"rows":{
"type":"array",
"items":{
"type":"array",
"items":{
"$ref":"#/definitions/detail_type"
}
}
}
}
},
"text":{
"type":"object",
"description":"Raw text",
"required":[
"type",
"value"
],
"properties":{
"type":{
"const":"text"
},
"value":{
"$ref":"#/definitions/text_value"
}
}
},
"url":{
"type":"object",
"description":"A single URL",
"required":[
"type",
"href"
],
"properties":{
"type":{
"const":"url"
},
"text":{
"$ref":"#/definitions/text_value"
},
"href":{
"type":"string",
"minLength":1,
"examples":[
"http://mysite.com"
]
}
}
},
"code":{
"type":"object",
"description":"A codeblock",
"required":[
"type",
"value"
],
"properties":{
"type":{
"const":"code"
},
"value":{
"type":"string"
},
"lang":{
"type":"string",
"description":"A programming language"
}
}
},
"value":{
"type":"object",
"description":"A field that can store a range of types of value",
"required":[
"type",
"value"
],
"properties":{
"type":{
"const":"value"
},
"value":{
"type":[
"number",
"string",
"boolean"
]
}
}
},
"diff":{
"type":"object",
"description":"A diff",
"required":[
"type",
"before",
"after"
],
"properties":{
"type":{
"const":"diff"
},
"before":{
"type":"string"
},
"after":{
"type":"string"
}
}
},
"markdown":{
"type":"object",
"description":"GitLab flavoured markdown, see https://docs.gitlab.com/ee/user/markdown.html",
"required":[
"type",
"value"
],
"properties":{
"type":{
"const":"markdown"
},
"value":{
"$ref":"#/definitions/text_value",
"examples":[
"Here is markdown `inline code` #1 [test](gitlab.com)\n\n![GitLab Logo](https://about.gitlab.com/images/press/logo/preview/gitlab-logo-white-preview.png)"
]
}
}
},
"commit":{
"type":"object",
"description":"A commit/tag/branch within the GitLab project",
"required":[
"type",
"value"
],
"properties":{
"type":{
"const":"commit"
},
"value":{
"type":"string",
"description":"The commit SHA",
"minLength":1
}
}
},
"file_location":{
"type":"object",
"description":"A location within a file in the project",
"required":[
"type",
"file_name",
"line_start"
],
"properties":{
"type":{
"const":"file-location"
},
"file_name":{
"type":"string",
"minLength":1
},
"line_start":{
"type":"integer"
},
"line_end":{
"type":"integer"
}
}
},
"module_location":{
"type":"object",
"description":"A location within a binary module of the form module+relative_offset",
"required":[
"type",
"module_name",
"offset"
],
"properties":{
"type":{
"const":"module-location"
},
"module_name":{
"type":"string",
"minLength":1,
"examples":[
"compiled_binary"
]
},
"offset":{
"type":"integer",
"examples":[
100
]
}
}
}
},
"self":{
"version":"14.0.4"
},
"required":[
"version",
"vulnerabilities"
],
"additionalProperties":true,
"properties":{
"scan":{
"type":"object",
"required":[
"end_time",
"scanner",
"start_time",
"status",
"type"
],
"properties":{
"end_time":{
"type":"string",
"description":"ISO8601 UTC value with format yyyy-mm-ddThh:mm:ss, representing when the scan finished.",
"description":"Communication intended for the initiator of a scan.",
"required":[
"level",
"value"
],
"properties":{
"level":{
"type":"string",
"description":"Describes the severity of the communication. Use info to communicate normal scan behaviour; warn to communicate a potentially recoverable problem, or a partial error; fatal to communicate an issue that causes the scan to halt.",
"enum":[
"info",
"warn",
"fatal"
],
"examples":[
"info"
]
},
"value":{
"type":"string",
"description":"The message to communicate.",
"minLength":1,
"examples":[
"Permission denied, scanning aborted"
]
}
}
}
},
"analyzer":{
"type":"object",
"description":"Object defining the analyzer used to perform the scan. Analyzers typically delegate to an underlying scanner to run the scan.",
"required":[
"id",
"name",
"version",
"vendor"
],
"properties":{
"id":{
"type":"string",
"description":"Unique id that identifies the analyzer.",
"minLength":1,
"examples":[
"gitlab-dast"
]
},
"name":{
"type":"string",
"description":"A human-readable value that identifies the analyzer, not required to be unique.",
"minLength":1,
"examples":[
"GitLab DAST"
]
},
"url":{
"type":"string",
"format":"uri",
"pattern":"^https?://.+",
"description":"A link to more information about the analyzer.",
"description":"URI pointing to the validating security report schema.",
"format":"uri"
},
"version":{
"type":"string",
"description":"The version of the schema to which the JSON report conforms.",
"pattern":"^[0-9]+\\.[0-9]+\\.[0-9]+$"
},
"vulnerabilities":{
"type":"array",
"description":"Array of vulnerability objects.",
"items":{
"type":"object",
"description":"Describes the vulnerability.",
"required":[
"category",
"cve",
"identifiers",
"location",
"scanner"
],
"properties":{
"id":{
"type":"string",
"description":"Unique identifier of the vulnerability. This is recommended to be a UUID.",
"examples":[
"642735a5-1425-428d-8d4e-3c854885a3c9"
]
},
"category":{
"type":"string",
"minLength":1,
"description":"Describes where this vulnerability belongs (for example, SAST, Dependency Scanning, and so on)."
},
"name":{
"type":"string",
"description":"The name of the vulnerability. This must not include the finding's specific information."
},
"message":{
"type":"string",
"description":"A short text section that describes the vulnerability. This may include the finding's specific information."
},
"description":{
"type":"string",
"description":"A long text section describing the vulnerability more fully."
},
"cve":{
"type":"string",
"description":"(Deprecated - use vulnerabilities[].id instead) A fingerprint string value that represents a concrete finding. This is used to determine whether two findings are the same, which may not be 100% accurate. Note that this is NOT a CVE as described by https://cve.mitre.org/."
},
"severity":{
"type":"string",
"description":"How much the vulnerability impacts the software. Possible values are Info, Unknown, Low, Medium, High, or Critical. Note that some analyzers may not report all these possible values.",
"enum":[
"Info",
"Unknown",
"Low",
"Medium",
"High",
"Critical"
]
},
"confidence":{
"type":"string",
"description":"How reliable the vulnerability's assessment is. Possible values are Ignore, Unknown, Experimental, Low, Medium, High, and Confirmed. Note that some analyzers may not report all these possible values.",
"enum":[
"Ignore",
"Unknown",
"Experimental",
"Low",
"Medium",
"High",
"Confirmed"
]
},
"solution":{
"type":"string",
"description":"Explanation of how to fix the vulnerability."
},
"scanner":{
"description":"Describes the scanner used to find this vulnerability.",
"type":"object",
"required":[
"id",
"name"
],
"properties":{
"id":{
"type":"string",
"minLength":1,
"description":"The scanner's ID, as a snake_case string."
},
"name":{
"type":"string",
"minLength":1,
"description":"Human-readable name of the scanner."
}
}
},
"identifiers":{
"type":"array",
"minItems":1,
"description":"An ordered array of references that identify a vulnerability on internal or external databases. The first identifier is the Primary Identifier, which has special meaning.",
"items":{
"type":"object",
"required":[
"type",
"name",
"value"
],
"properties":{
"type":{
"type":"string",
"description":"For example, cve, cwe, osvdb, usn, or an analyzer-dependent type such as gemnasium.",
"minLength":1
},
"name":{
"type":"string",
"description":"Human-readable name of the identifier.",
"minLength":1
},
"url":{
"type":"string",
"description":"URL of the identifier's documentation.",
"format":"uri"
},
"value":{
"type":"string",
"description":"Value of the identifier, for matching purposes.",
"minLength":1
}
}
}
},
"links":{
"type":"array",
"description":"An array of references to external documentation or articles that describe the vulnerability.",
"items":{
"type":"object",
"required":[
"url"
],
"properties":{
"name":{
"type":"string",
"description":"Name of the vulnerability details link."
},
"url":{
"type":"string",
"description":"URL of the vulnerability details document.",
"description":"Describes how this vulnerability should be tracked as the project changes.",
"oneOf":[
{
"description":"Declares that a series of items should be tracked using source-specific tracking methods.",
"required":[
"items"
],
"properties":{
"type":{
"const":"source"
},
"items":{
"type":"array",
"items":{
"description":"An item that should be tracked using source-specific tracking methods.",
"type":"object",
"required":[
"signatures"
],
"properties":{
"file":{
"type":"string",
"description":"Path to the file where the vulnerability is located."
},
"start_line":{
"type":"number",
"description":"The first line of the file that includes the vulnerability."
},
"end_line":{
"type":"number",
"description":"The last line of the file that includes the vulnerability."
},
"signatures":{
"type":"array",
"description":"An array of calculated tracking signatures for this tracking item.",
"minItems":1,
"items":{
"description":"A calculated tracking signature value and metadata.",
"required":[
"algorithm",
"value"
],
"properties":{
"algorithm":{
"type":"string",
"description":"The algorithm used to generate the signature."
},
"value":{
"type":"string",
"description":"The result of this signature algorithm."
}
}
}
}
}
}
}
}
}
],
"properties":{
"type":{
"type":"string",
"description":"Each tracking type must declare its own type."
}
}
},
"flags":{
"description":"Flags that can be attached to vulnerabilities.",
"type":"array",
"items":{
"type":"object",
"description":"Informational flags identified and assigned to a vulnerability.",
"required":[
"type",
"origin",
"description"
],
"properties":{
"type":{
"type":"string",
"minLength":1,
"description":"Result of the scan.",
"enum":[
"flagged-as-likely-false-positive"
]
},
"origin":{
"minLength":1,
"description":"Tool that issued the flag.",
"type":"string"
},
"description":{
"minLength":1,
"description":"What the flag is about.",
"type":"string"
}
}
}
},
"location":{
"type":"object",
"description":"Identifies the vulnerability's location.",
"required":[
"dependency",
"operating_system",
"image"
],
"properties":{
"dependency":{
"type":"object",
"description":"Describes the dependency of a project where the vulnerability is located.",
"properties":{
"package":{
"type":"object",
"description":"Provides information on the package where the vulnerability is located.",
"properties":{
"name":{
"type":"string",
"description":"Name of the package where the vulnerability is located."
}
}
},
"version":{
"type":"string",
"description":"Version of the vulnerable package."
},
"iid":{
"description":"ID that identifies the dependency in the scope of a dependency file.",
"type":"number"
},
"direct":{
"type":"boolean",
"description":"Tells whether this is a direct, top-level dependency of the scanned project."
},
"dependency_path":{
"type":"array",
"description":"Ancestors of the dependency, starting from a direct project dependency, and ending with an immediate parent of the dependency. The dependency itself is excluded from the path. Direct dependencies have no path.",
"items":{
"type":"object",
"required":[
"iid"
],
"properties":{
"iid":{
"type":"number",
"description":"ID that is unique in the scope of a parent object, and specific to the resource type."
}
}
}
}
}
},
"operating_system":{
"type":"string",
"minLength":1,
"description":"The operating system that contains the vulnerable package."
},
"image":{
"type":"string",
"minLength":1,
"description":"The analyzed Docker image."
}
}
}
}
}
},
"remediations":{
"type":"array",
"description":"An array of objects containing information on available remediations, along with patch diffs to apply.",
"items":{
"type":"object",
"required":[
"fixes",
"summary",
"diff"
],
"properties":{
"fixes":{
"type":"array",
"description":"An array of strings that represent references to vulnerabilities fixed by this remediation.",
"items":{
"type":"object",
"required":[
"cve"
],
"properties":{
"cve":{
"type":"string",
"description":"(Deprecated - use vulnerabilities[].id instead) A fingerprint string value that represents a concrete finding. This is used to determine whether two findings are the same, which may not be 100% accurate. Note that this is NOT a CVE as described by https://cve.mitre.org/."
}
}
}
},
"summary":{
"type":"string",
"minLength":1,
"description":"An overview of how the vulnerabilities were fixed."
},
"diff":{
"type":"string",
"minLength":1,
"description":"A base64-encoded remediation code diff, compatible with git apply."
"description":"This schema provides the report format for Coverage Guided Fuzz Testing (https://docs.gitlab.com/ee/user/application_security/coverage_fuzzing).",
"definitions":{
"detail_type":{
"oneOf":[
{
"$ref":"#/definitions/named_list"
},
{
"$ref":"#/definitions/list"
},
{
"$ref":"#/definitions/table"
},
{
"$ref":"#/definitions/text"
},
{
"$ref":"#/definitions/url"
},
{
"$ref":"#/definitions/code"
},
{
"$ref":"#/definitions/value"
},
{
"$ref":"#/definitions/diff"
},
{
"$ref":"#/definitions/markdown"
},
{
"$ref":"#/definitions/commit"
},
{
"$ref":"#/definitions/file_location"
},
{
"$ref":"#/definitions/module_location"
}
]
},
"text_value":{
"type":"string"
},
"named_field":{
"type":"object",
"required":[
"name"
],
"properties":{
"name":{
"$ref":"#/definitions/text_value",
"minLength":1
},
"description":{
"$ref":"#/definitions/text_value"
}
}
},
"named_list":{
"type":"object",
"description":"An object with named and typed fields",
"required":[
"type",
"items"
],
"properties":{
"type":{
"const":"named-list"
},
"items":{
"type":"object",
"patternProperties":{
"^.*$":{
"allOf":[
{
"$ref":"#/definitions/named_field"
},
{
"$ref":"#/definitions/detail_type"
}
]
}
}
}
}
},
"list":{
"type":"object",
"description":"A list of typed fields",
"required":[
"type",
"items"
],
"properties":{
"type":{
"const":"list"
},
"items":{
"type":"array",
"items":{
"$ref":"#/definitions/detail_type"
}
}
}
},
"table":{
"type":"object",
"description":"A table of typed fields",
"required":[
"type",
"rows"
],
"properties":{
"type":{
"const":"table"
},
"header":{
"type":"array",
"items":{
"$ref":"#/definitions/detail_type"
}
},
"rows":{
"type":"array",
"items":{
"type":"array",
"items":{
"$ref":"#/definitions/detail_type"
}
}
}
}
},
"text":{
"type":"object",
"description":"Raw text",
"required":[
"type",
"value"
],
"properties":{
"type":{
"const":"text"
},
"value":{
"$ref":"#/definitions/text_value"
}
}
},
"url":{
"type":"object",
"description":"A single URL",
"required":[
"type",
"href"
],
"properties":{
"type":{
"const":"url"
},
"text":{
"$ref":"#/definitions/text_value"
},
"href":{
"type":"string",
"minLength":1,
"examples":[
"http://mysite.com"
]
}
}
},
"code":{
"type":"object",
"description":"A codeblock",
"required":[
"type",
"value"
],
"properties":{
"type":{
"const":"code"
},
"value":{
"type":"string"
},
"lang":{
"type":"string",
"description":"A programming language"
}
}
},
"value":{
"type":"object",
"description":"A field that can store a range of types of value",
"required":[
"type",
"value"
],
"properties":{
"type":{
"const":"value"
},
"value":{
"type":[
"number",
"string",
"boolean"
]
}
}
},
"diff":{
"type":"object",
"description":"A diff",
"required":[
"type",
"before",
"after"
],
"properties":{
"type":{
"const":"diff"
},
"before":{
"type":"string"
},
"after":{
"type":"string"
}
}
},
"markdown":{
"type":"object",
"description":"GitLab flavoured markdown, see https://docs.gitlab.com/ee/user/markdown.html",
"required":[
"type",
"value"
],
"properties":{
"type":{
"const":"markdown"
},
"value":{
"$ref":"#/definitions/text_value",
"examples":[
"Here is markdown `inline code` #1 [test](gitlab.com)\n\n![GitLab Logo](https://about.gitlab.com/images/press/logo/preview/gitlab-logo-white-preview.png)"
]
}
}
},
"commit":{
"type":"object",
"description":"A commit/tag/branch within the GitLab project",
"required":[
"type",
"value"
],
"properties":{
"type":{
"const":"commit"
},
"value":{
"type":"string",
"description":"The commit SHA",
"minLength":1
}
}
},
"file_location":{
"type":"object",
"description":"A location within a file in the project",
"required":[
"type",
"file_name",
"line_start"
],
"properties":{
"type":{
"const":"file-location"
},
"file_name":{
"type":"string",
"minLength":1
},
"line_start":{
"type":"integer"
},
"line_end":{
"type":"integer"
}
}
},
"module_location":{
"type":"object",
"description":"A location within a binary module of the form module+relative_offset",
"required":[
"type",
"module_name",
"offset"
],
"properties":{
"type":{
"const":"module-location"
},
"module_name":{
"type":"string",
"minLength":1,
"examples":[
"compiled_binary"
]
},
"offset":{
"type":"integer",
"examples":[
100
]
}
}
}
},
"self":{
"version":"14.0.4"
},
"required":[
"version",
"vulnerabilities"
],
"additionalProperties":true,
"properties":{
"scan":{
"type":"object",
"required":[
"end_time",
"scanner",
"start_time",
"status",
"type"
],
"properties":{
"end_time":{
"type":"string",
"description":"ISO8601 UTC value with format yyyy-mm-ddThh:mm:ss, representing when the scan finished.",
"description":"Communication intended for the initiator of a scan.",
"required":[
"level",
"value"
],
"properties":{
"level":{
"type":"string",
"description":"Describes the severity of the communication. Use info to communicate normal scan behaviour; warn to communicate a potentially recoverable problem, or a partial error; fatal to communicate an issue that causes the scan to halt.",
"enum":[
"info",
"warn",
"fatal"
],
"examples":[
"info"
]
},
"value":{
"type":"string",
"description":"The message to communicate.",
"minLength":1,
"examples":[
"Permission denied, scanning aborted"
]
}
}
}
},
"analyzer":{
"type":"object",
"description":"Object defining the analyzer used to perform the scan. Analyzers typically delegate to an underlying scanner to run the scan.",
"required":[
"id",
"name",
"version",
"vendor"
],
"properties":{
"id":{
"type":"string",
"description":"Unique id that identifies the analyzer.",
"minLength":1,
"examples":[
"gitlab-dast"
]
},
"name":{
"type":"string",
"description":"A human readable value that identifies the analyzer, not required to be unique.",
"minLength":1,
"examples":[
"GitLab DAST"
]
},
"url":{
"type":"string",
"format":"uri",
"pattern":"^https?://.+",
"description":"A link to more information about the analyzer.",
"description":"URI pointing to the validating security report schema.",
"format":"uri"
},
"version":{
"type":"string",
"description":"The version of the schema to which the JSON report conforms.",
"pattern":"^[0-9]+\\.[0-9]+\\.[0-9]+$"
},
"vulnerabilities":{
"type":"array",
"description":"Array of vulnerability objects.",
"items":{
"type":"object",
"description":"Describes the vulnerability.",
"required":[
"category",
"cve",
"identifiers",
"location",
"scanner"
],
"properties":{
"id":{
"type":"string",
"description":"Unique identifier of the vulnerability. This is recommended to be a UUID.",
"examples":[
"642735a5-1425-428d-8d4e-3c854885a3c9"
]
},
"category":{
"type":"string",
"minLength":1,
"description":"Describes where this vulnerability belongs (for example, SAST, Dependency Scanning, and so on)."
},
"name":{
"type":"string",
"description":"The name of the vulnerability. This must not include the finding's specific information."
},
"message":{
"type":"string",
"description":"A short text section that describes the vulnerability. This may include the finding's specific information."
},
"description":{
"type":"string",
"description":"A long text section describing the vulnerability more fully."
},
"cve":{
"type":"string",
"description":"(Deprecated - use vulnerabilities[].id instead; note that this field is nevertheless still listed as required by this schema version) A fingerprint string value that represents a concrete finding. This is used to determine whether two findings are the same, which may not be 100% accurate. Note that this is NOT a CVE as described by https://cve.mitre.org/."
},
"severity":{
"type":"string",
"description":"How much the vulnerability impacts the software. Possible values are Info, Unknown, Low, Medium, High, or Critical. Note that some analyzers may not report all these possible values.",
"enum":[
"Info",
"Unknown",
"Low",
"Medium",
"High",
"Critical"
]
},
"confidence":{
"type":"string",
"description":"How reliable the vulnerability's assessment is. Possible values are Ignore, Unknown, Experimental, Low, Medium, High, and Confirmed. Note that some analyzers may not report all these possible values.",
"enum":[
"Ignore",
"Unknown",
"Experimental",
"Low",
"Medium",
"High",
"Confirmed"
]
},
"solution":{
"type":"string",
"description":"Explanation of how to fix the vulnerability."
},
"scanner":{
"description":"Describes the scanner used to find this vulnerability.",
"type":"object",
"required":[
"id",
"name"
],
"properties":{
"id":{
"type":"string",
"minLength":1,
"description":"The scanner's ID, as a snake_case string."
},
"name":{
"type":"string",
"minLength":1,
"description":"Human-readable name of the scanner."
}
}
},
"identifiers":{
"type":"array",
"minItems":1,
"description":"An ordered array of references that identify a vulnerability on internal or external databases. The first identifier is the Primary Identifier, which has special meaning.",
"items":{
"type":"object",
"required":[
"type",
"name",
"value"
],
"properties":{
"type":{
"type":"string",
"description":"Type of the identifier (for example, cve, cwe, osvdb, usn, or an analyzer-dependent type such as gemnasium).",
"minLength":1
},
"name":{
"type":"string",
"description":"Human-readable name of the identifier.",
"minLength":1
},
"url":{
"type":"string",
"description":"URL of the identifier's documentation.",
"format":"uri"
},
"value":{
"type":"string",
"description":"Value of the identifier, used for matching purposes.",
"minLength":1
}
}
}
},
"links":{
"type":"array",
"description":"An array of references to external documentation or articles that describe the vulnerability.",
"items":{
"type":"object",
"required":[
"url"
],
"properties":{
"name":{
"type":"string",
"description":"Name of the vulnerability details link."
},
"url":{
"type":"string",
"description":"URL of the vulnerability details document.",
"description":"Describes how this vulnerability should be tracked as the project changes.",
"oneOf":[
{
"description":"Declares that a series of items should be tracked using source-specific tracking methods.",
"required":[
"items"
],
"properties":{
"type":{
"const":"source"
},
"items":{
"type":"array",
"items":{
"description":"An item that should be tracked using source-specific tracking methods.",
"type":"object",
"required":[
"signatures"
],
"properties":{
"file":{
"type":"string",
"description":"Path to the file where the vulnerability is located."
},
"start_line":{
"type":"number",
"description":"The first line of the file that includes the vulnerability."
},
"end_line":{
"type":"number",
"description":"The last line of the file that includes the vulnerability."
},
"signatures":{
"type":"array",
"description":"An array of calculated tracking signatures for this tracking item.",
"minItems":1,
"items":{
"description":"A calculated tracking signature value and metadata.",
"required":[
"algorithm",
"value"
],
"properties":{
"algorithm":{
"type":"string",
"description":"The algorithm used to generate the signature."
},
"value":{
"type":"string",
"description":"The result of this signature algorithm."
}
}
}
}
}
}
}
}
}
],
"properties":{
"type":{
"type":"string",
"description":"Each tracking type must declare its own type."
}
}
},
"flags":{
"description":"Flags that can be attached to vulnerabilities.",
"type":"array",
"items":{
"type":"object",
"description":"Informational flags identified and assigned to a vulnerability.",
"required":[
"type",
"origin",
"description"
],
"properties":{
"type":{
"type":"string",
"minLength":1,
"description":"Type of the flag (currently only flagged-as-likely-false-positive is defined).",
"enum":[
"flagged-as-likely-false-positive"
]
},
"origin":{
"minLength":1,
"description":"Tool that issued the flag.",
"type":"string"
},
"description":{
"minLength":1,
"description":"What the flag is about.",
"type":"string"
}
}
}
},
"location":{
"description":"The location of the crash reported by the fuzzer.",
"type":"object",
"properties":{
"crash_address":{
"type":"string",
"description":"The relative address in memory where the crash occurred.",
"examples":[
"0xabababab"
]
},
"stacktrace_snippet":{
"type":"string",
"description":"The stack trace recorded during fuzzing that resulted in the crash.",
"examples":[
"func_a+0xabcd\nfunc_b+0xabcc"
]
},
"crash_state":{
"type":"string",
"description":"Minimised and normalized crash stack-trace (called crash_state).",
"examples":[
"func_a+0xa\nfunc_b+0xb\nfunc_c+0xc"
]
},
"crash_type":{
"type":"string",
"description":"Type of the crash.",
"examples":[
"Heap-Buffer-overflow",
"Division-by-zero"
]
}
}
}
}
}
},
"remediations":{
"type":"array",
"description":"An array of objects containing information on available remediations, along with patch diffs to apply.",
"items":{
"type":"object",
"required":[
"fixes",
"summary",
"diff"
],
"properties":{
"fixes":{
"type":"array",
"description":"An array of objects, each referencing (by its cve fingerprint) a vulnerability fixed by this remediation.",
"items":{
"type":"object",
"required":[
"cve"
],
"properties":{
"cve":{
"type":"string",
"description":"(Deprecated - use vulnerabilities[].id instead; note that this field is nevertheless still listed as required by this schema version) A fingerprint string value that represents a concrete finding. This is used to determine whether two findings are the same, which may not be 100% accurate. Note that this is NOT a CVE as described by https://cve.mitre.org/."
}
}
}
},
"summary":{
"type":"string",
"minLength":1,
"description":"An overview of how the vulnerabilities were fixed."
},
"diff":{
"type":"string",
"minLength":1,
"description":"A base64-encoded remediation code diff, compatible with git apply. The decoded patch is scanner-supplied content that modifies the project; consumers should decode and review it before applying it rather than applying it unreviewed."
"description":"This schema provides the report format for Dynamic Application Security Testing (https://docs.gitlab.com/ee/user/application_security/dast).",
"definitions":{
"detail_type":{
"oneOf":[
{
"$ref":"#/definitions/named_list"
},
{
"$ref":"#/definitions/list"
},
{
"$ref":"#/definitions/table"
},
{
"$ref":"#/definitions/text"
},
{
"$ref":"#/definitions/url"
},
{
"$ref":"#/definitions/code"
},
{
"$ref":"#/definitions/value"
},
{
"$ref":"#/definitions/diff"
},
{
"$ref":"#/definitions/markdown"
},
{
"$ref":"#/definitions/commit"
},
{
"$ref":"#/definitions/file_location"
},
{
"$ref":"#/definitions/module_location"
}
]
},
"text_value":{
"type":"string"
},
"named_field":{
"type":"object",
"required":[
"name"
],
"properties":{
"name":{
"$ref":"#/definitions/text_value",
"minLength":1
},
"description":{
"$ref":"#/definitions/text_value"
}
}
},
"named_list":{
"type":"object",
"description":"An object with named and typed fields",
"required":[
"type",
"items"
],
"properties":{
"type":{
"const":"named-list"
},
"items":{
"type":"object",
"patternProperties":{
"^.*$":{
"allOf":[
{
"$ref":"#/definitions/named_field"
},
{
"$ref":"#/definitions/detail_type"
}
]
}
}
}
}
},
"list":{
"type":"object",
"description":"A list of typed fields",
"required":[
"type",
"items"
],
"properties":{
"type":{
"const":"list"
},
"items":{
"type":"array",
"items":{
"$ref":"#/definitions/detail_type"
}
}
}
},
"table":{
"type":"object",
"description":"A table of typed fields",
"required":[
"type",
"rows"
],
"properties":{
"type":{
"const":"table"
},
"header":{
"type":"array",
"items":{
"$ref":"#/definitions/detail_type"
}
},
"rows":{
"type":"array",
"items":{
"type":"array",
"items":{
"$ref":"#/definitions/detail_type"
}
}
}
}
},
"text":{
"type":"object",
"description":"Raw text",
"required":[
"type",
"value"
],
"properties":{
"type":{
"const":"text"
},
"value":{
"$ref":"#/definitions/text_value"
}
}
},
"url":{
"type":"object",
"description":"A single URL",
"required":[
"type",
"href"
],
"properties":{
"type":{
"const":"url"
},
"text":{
"$ref":"#/definitions/text_value"
},
"href":{
"type":"string",
"minLength":1,
"examples":[
"http://mysite.com"
]
}
}
},
"code":{
"type":"object",
"description":"A codeblock",
"required":[
"type",
"value"
],
"properties":{
"type":{
"const":"code"
},
"value":{
"type":"string"
},
"lang":{
"type":"string",
"description":"A programming language"
}
}
},
"value":{
"type":"object",
"description":"A field that can store a range of types of value",
"required":[
"type",
"value"
],
"properties":{
"type":{
"const":"value"
},
"value":{
"type":[
"number",
"string",
"boolean"
]
}
}
},
"diff":{
"type":"object",
"description":"A diff",
"required":[
"type",
"before",
"after"
],
"properties":{
"type":{
"const":"diff"
},
"before":{
"type":"string"
},
"after":{
"type":"string"
}
}
},
"markdown":{
"type":"object",
"description":"GitLab flavoured markdown, see https://docs.gitlab.com/ee/user/markdown.html",
"required":[
"type",
"value"
],
"properties":{
"type":{
"const":"markdown"
},
"value":{
"$ref":"#/definitions/text_value",
"examples":[
"Here is markdown `inline code` #1 [test](gitlab.com)\n\n![GitLab Logo](https://about.gitlab.com/images/press/logo/preview/gitlab-logo-white-preview.png)"
]
}
}
},
"commit":{
"type":"object",
"description":"A commit/tag/branch within the GitLab project",
"required":[
"type",
"value"
],
"properties":{
"type":{
"const":"commit"
},
"value":{
"type":"string",
"description":"The commit SHA",
"minLength":1
}
}
},
"file_location":{
"type":"object",
"description":"A location within a file in the project",
"required":[
"type",
"file_name",
"line_start"
],
"properties":{
"type":{
"const":"file-location"
},
"file_name":{
"type":"string",
"minLength":1
},
"line_start":{
"type":"integer"
},
"line_end":{
"type":"integer"
}
}
},
"module_location":{
"type":"object",
"description":"A location within a binary module of the form module+relative_offset",
"required":[
"type",
"module_name",
"offset"
],
"properties":{
"type":{
"const":"module-location"
},
"module_name":{
"type":"string",
"minLength":1,
"examples":[
"compiled_binary"
]
},
"offset":{
"type":"integer",
"examples":[
100
]
}
}
}
},
"self":{
"version":"14.0.4"
},
"required":[
"version",
"vulnerabilities"
],
"additionalProperties":true,
"properties":{
"scan":{
"type":"object",
"required":[
"end_time",
"scanned_resources",
"scanner",
"start_time",
"status",
"type"
],
"properties":{
"end_time":{
"type":"string",
"description":"ISO8601 UTC value with format yyyy-mm-ddThh:mm:ss, representing when the scan finished.",
"description":"Communication intended for the initiator of a scan.",
"required":[
"level",
"value"
],
"properties":{
"level":{
"type":"string",
"description":"Describes the severity of the communication. Use info to communicate normal scan behaviour; warn to communicate a potentially recoverable problem, or a partial error; fatal to communicate an issue that causes the scan to halt.",
"enum":[
"info",
"warn",
"fatal"
],
"examples":[
"info"
]
},
"value":{
"type":"string",
"description":"The message to communicate.",
"minLength":1,
"examples":[
"Permission denied, scanning aborted"
]
}
}
}
},
"analyzer":{
"type":"object",
"description":"Object defining the analyzer used to perform the scan. Analyzers typically delegate to an underlying scanner to run the scan.",
"required":[
"id",
"name",
"version",
"vendor"
],
"properties":{
"id":{
"type":"string",
"description":"Unique id that identifies the analyzer.",
"minLength":1,
"examples":[
"gitlab-dast"
]
},
"name":{
"type":"string",
"description":"A human readable value that identifies the analyzer, not required to be unique.",
"minLength":1,
"examples":[
"GitLab DAST"
]
},
"url":{
"type":"string",
"format":"uri",
"pattern":"^https?://.+",
"description":"A link to more information about the analyzer.",
"description":"The attack surface scanned by DAST.",
"items":{
"type":"object",
"required":[
"method",
"url",
"type"
],
"properties":{
"method":{
"type":"string",
"minLength":1,
"description":"HTTP method of the scanned resource.",
"examples":[
"GET",
"POST",
"HEAD"
]
},
"url":{
"type":"string",
"minLength":1,
"description":"URL of the scanned resource.",
"examples":[
"http://my.site.com/a-page"
]
},
"type":{
"type":"string",
"minLength":1,
"description":"Type of the scanned resource; for DAST, this must be 'url'.",
"examples":[
"url"
]
}
}
}
}
}
},
"schema":{
"type":"string",
"description":"URI pointing to the validating security report schema.",
"format":"uri"
},
"version":{
"type":"string",
"description":"The version of the schema to which the JSON report conforms.",
"pattern":"^[0-9]+\\.[0-9]+\\.[0-9]+$"
},
"vulnerabilities":{
"type":"array",
"description":"Array of vulnerability objects.",
"items":{
"type":"object",
"description":"Describes the vulnerability.",
"required":[
"category",
"cve",
"identifiers",
"location",
"scanner"
],
"properties":{
"id":{
"type":"string",
"description":"Unique identifier of the vulnerability. This is recommended to be a UUID.",
"examples":[
"642735a5-1425-428d-8d4e-3c854885a3c9"
]
},
"category":{
"type":"string",
"minLength":1,
"description":"Describes where this vulnerability belongs (for example, SAST, Dependency Scanning, and so on)."
},
"name":{
"type":"string",
"description":"The name of the vulnerability. This must not include the finding's specific information."
},
"message":{
"type":"string",
"description":"A short text section that describes the vulnerability. This may include the finding's specific information."
},
"description":{
"type":"string",
"description":"A long text section describing the vulnerability more fully."
},
"cve":{
"type":"string",
"description":"(Deprecated - use vulnerabilities[].id instead; note that this field is nevertheless still listed as required by this schema version) A fingerprint string value that represents a concrete finding. This is used to determine whether two findings are the same, which may not be 100% accurate. Note that this is NOT a CVE as described by https://cve.mitre.org/."
},
"severity":{
"type":"string",
"description":"How much the vulnerability impacts the software. Possible values are Info, Unknown, Low, Medium, High, or Critical. Note that some analyzers may not report all these possible values.",
"enum":[
"Info",
"Unknown",
"Low",
"Medium",
"High",
"Critical"
]
},
"confidence":{
"type":"string",
"description":"How reliable the vulnerability's assessment is. Possible values are Ignore, Unknown, Experimental, Low, Medium, High, and Confirmed. Note that some analyzers may not report all these possible values.",
"enum":[
"Ignore",
"Unknown",
"Experimental",
"Low",
"Medium",
"High",
"Confirmed"
]
},
"solution":{
"type":"string",
"description":"Explanation of how to fix the vulnerability."
},
"scanner":{
"description":"Describes the scanner used to find this vulnerability.",
"type":"object",
"required":[
"id",
"name"
],
"properties":{
"id":{
"type":"string",
"minLength":1,
"description":"The scanner's ID, as a snake_case string."
},
"name":{
"type":"string",
"minLength":1,
"description":"Human-readable name of the scanner."
}
}
},
"identifiers":{
"type":"array",
"minItems":1,
"description":"An ordered array of references that identify a vulnerability on internal or external databases. The first identifier is the Primary Identifier, which has special meaning.",
"items":{
"type":"object",
"required":[
"type",
"name",
"value"
],
"properties":{
"type":{
"type":"string",
"description":"Type of the identifier (for example, cve, cwe, osvdb, usn, or an analyzer-dependent type such as gemnasium).",
"minLength":1
},
"name":{
"type":"string",
"description":"Human-readable name of the identifier.",
"minLength":1
},
"url":{
"type":"string",
"description":"URL of the identifier's documentation.",
"format":"uri"
},
"value":{
"type":"string",
"description":"Value of the identifier, used for matching purposes.",
"minLength":1
}
}
}
},
"links":{
"type":"array",
"description":"An array of references to external documentation or articles that describe the vulnerability.",
"items":{
"type":"object",
"required":[
"url"
],
"properties":{
"name":{
"type":"string",
"description":"Name of the vulnerability details link."
},
"url":{
"type":"string",
"description":"URL of the vulnerability details document.",
"description":"Body of the request for display purposes. Body must be suitable for display (not binary), and truncated to a reasonable size. Credentials, session tokens and other sensitive values should be redacted before the body is included in the report.",
"examples":[
"user=jsmith&first=%27&last=smith"
]
}
}
},
"response":{
"type":"object",
"description":"An HTTP response.",
"required":[
"headers",
"reason_phrase",
"status_code"
],
"properties":{
"headers":{
"type":"array",
"description":"HTTP headers present on the response. Sensitive header values (for example Set-Cookie or Authorization) should be redacted before they are included in the report.",
"items":{
"type":"object",
"required":[
"name",
"value"
],
"properties":{
"name":{
"type":"string",
"minLength":1,
"description":"Name of the HTTP header.",
"examples":[
"Accept",
"Content-Length",
"Content-Type"
]
},
"value":{
"type":"string",
"minLength":1,
"description":"Value of the HTTP header.",
"examples":[
"*/*",
"560",
"application/json; charset=utf-8"
]
}
}
}
},
"reason_phrase":{
"type":"string",
"description":"HTTP reason phrase of the response.",
"examples":[
"OK",
"Internal Server Error"
]
},
"status_code":{
"type":"integer",
"description":"HTTP status code of the response.",
"examples":[
200,
500
]
},
"body":{
"type":"string",
"description":"Body of the response for display purposes. Body must be suitable for display (not binary), and truncated to a reasonable size. Session tokens and other sensitive values should be redacted before the body is included in the report.",
"examples":[
"{\"user_id\": 2}"
]
}
}
}
}
}
}
}
},
"location":{
"type":"object",
"description":"Identifies the vulnerability's location.",
"properties":{
"hostname":{
"type":"string",
"description":"The protocol, domain, and port of the application where the vulnerability was found."
},
"method":{
"type":"string",
"description":"The HTTP method that was used to request the URL where the vulnerability was found."
},
"param":{
"type":"string",
"description":"A value provided by a vulnerability rule related to the found vulnerability. Examples include a header value, or a parameter used in a HTTP POST."
},
"path":{
"type":"string",
"description":"The path of the URL where the vulnerability was found. Typically, this would start with a forward slash."
}
}
},
"assets":{
"type":"array",
"description":"Array of build assets associated with the vulnerability.",
"items":{
"type":"object",
"description":"Describes an asset associated with the vulnerability.",
"description":"An array of objects containing information on available remediations, along with patch diffs to apply.",
"items":{
"type":"object",
"required":[
"fixes",
"summary",
"diff"
],
"properties":{
"fixes":{
"type":"array",
"description":"An array of objects, each referencing (by its cve fingerprint) a vulnerability fixed by this remediation.",
"items":{
"type":"object",
"required":[
"cve"
],
"properties":{
"cve":{
"type":"string",
"description":"(Deprecated - use vulnerabilities[].id instead; note that this field is nevertheless still listed as required by this schema version) A fingerprint string value that represents a concrete finding. This is used to determine whether two findings are the same, which may not be 100% accurate. Note that this is NOT a CVE as described by https://cve.mitre.org/."
}
}
}
},
"summary":{
"type":"string",
"minLength":1,
"description":"An overview of how the vulnerabilities were fixed."
},
"diff":{
"type":"string",
"minLength":1,
"description":"A base64-encoded remediation code diff, compatible with git apply. The decoded patch is scanner-supplied content that modifies the project; consumers should decode and review it before applying it rather than applying it unreviewed."
"title":"Report format for GitLab Dependency Scanning",
"description":"This schema provides the report format for Dependency Scanning analyzers (https://docs.gitlab.com/ee/user/application_security/dependency_scanning).",
"definitions":{
"detail_type":{
"oneOf":[
{
"$ref":"#/definitions/named_list"
},
{
"$ref":"#/definitions/list"
},
{
"$ref":"#/definitions/table"
},
{
"$ref":"#/definitions/text"
},
{
"$ref":"#/definitions/url"
},
{
"$ref":"#/definitions/code"
},
{
"$ref":"#/definitions/value"
},
{
"$ref":"#/definitions/diff"
},
{
"$ref":"#/definitions/markdown"
},
{
"$ref":"#/definitions/commit"
},
{
"$ref":"#/definitions/file_location"
},
{
"$ref":"#/definitions/module_location"
}
]
},
"text_value":{
"type":"string"
},
"named_field":{
"type":"object",
"required":[
"name"
],
"properties":{
"name":{
"$ref":"#/definitions/text_value",
"minLength":1
},
"description":{
"$ref":"#/definitions/text_value"
}
}
},
"named_list":{
"type":"object",
"description":"An object with named and typed fields",
"required":[
"type",
"items"
],
"properties":{
"type":{
"const":"named-list"
},
"items":{
"type":"object",
"patternProperties":{
"^.*$":{
"allOf":[
{
"$ref":"#/definitions/named_field"
},
{
"$ref":"#/definitions/detail_type"
}
]
}
}
}
}
},
"list":{
"type":"object",
"description":"A list of typed fields",
"required":[
"type",
"items"
],
"properties":{
"type":{
"const":"list"
},
"items":{
"type":"array",
"items":{
"$ref":"#/definitions/detail_type"
}
}
}
},
"table":{
"type":"object",
"description":"A table of typed fields",
"required":[
"type",
"rows"
],
"properties":{
"type":{
"const":"table"
},
"header":{
"type":"array",
"items":{
"$ref":"#/definitions/detail_type"
}
},
"rows":{
"type":"array",
"items":{
"type":"array",
"items":{
"$ref":"#/definitions/detail_type"
}
}
}
}
},
"text":{
"type":"object",
"description":"Raw text",
"required":[
"type",
"value"
],
"properties":{
"type":{
"const":"text"
},
"value":{
"$ref":"#/definitions/text_value"
}
}
},
"url":{
"type":"object",
"description":"A single URL",
"required":[
"type",
"href"
],
"properties":{
"type":{
"const":"url"
},
"text":{
"$ref":"#/definitions/text_value"
},
"href":{
"type":"string",
"minLength":1,
"examples":[
"http://mysite.com"
]
}
}
},
"code":{
"type":"object",
"description":"A codeblock",
"required":[
"type",
"value"
],
"properties":{
"type":{
"const":"code"
},
"value":{
"type":"string"
},
"lang":{
"type":"string",
"description":"A programming language"
}
}
},
"value":{
"type":"object",
"description":"A field that can store a range of types of value",
"required":[
"type",
"value"
],
"properties":{
"type":{
"const":"value"
},
"value":{
"type":[
"number",
"string",
"boolean"
]
}
}
},
"diff":{
"type":"object",
"description":"A diff",
"required":[
"type",
"before",
"after"
],
"properties":{
"type":{
"const":"diff"
},
"before":{
"type":"string"
},
"after":{
"type":"string"
}
}
},
"markdown":{
"type":"object",
"description":"GitLab flavoured markdown, see https://docs.gitlab.com/ee/user/markdown.html",
"required":[
"type",
"value"
],
"properties":{
"type":{
"const":"markdown"
},
"value":{
"$ref":"#/definitions/text_value",
"examples":[
"Here is markdown `inline code` #1 [test](gitlab.com)\n\n![GitLab Logo](https://about.gitlab.com/images/press/logo/preview/gitlab-logo-white-preview.png)"
]
}
}
},
"commit":{
"type":"object",
"description":"A commit/tag/branch within the GitLab project",
"required":[
"type",
"value"
],
"properties":{
"type":{
"const":"commit"
},
"value":{
"type":"string",
"description":"The commit SHA",
"minLength":1
}
}
},
"file_location":{
"type":"object",
"description":"A location within a file in the project",
"required":[
"type",
"file_name",
"line_start"
],
"properties":{
"type":{
"const":"file-location"
},
"file_name":{
"type":"string",
"minLength":1
},
"line_start":{
"type":"integer"
},
"line_end":{
"type":"integer"
}
}
},
"module_location":{
"type":"object",
"description":"A location within a binary module of the form module+relative_offset",
"required":[
"type",
"module_name",
"offset"
],
"properties":{
"type":{
"const":"module-location"
},
"module_name":{
"type":"string",
"minLength":1,
"examples":[
"compiled_binary"
]
},
"offset":{
"type":"integer",
"examples":[
100
]
}
}
}
},
"self":{
"version":"14.0.4"
},
"required":[
"dependency_files",
"version",
"vulnerabilities"
],
"additionalProperties":true,
"properties":{
"scan":{
"type":"object",
"required":[
"end_time",
"scanner",
"start_time",
"status",
"type"
],
"properties":{
"end_time":{
"type":"string",
"description":"ISO8601 UTC value with format yyyy-mm-ddThh:mm:ss, representing when the scan finished.",
"description":"Communication intended for the initiator of a scan.",
"required":[
"level",
"value"
],
"properties":{
"level":{
"type":"string",
"description":"Describes the severity of the communication. Use info to communicate normal scan behaviour; warn to communicate a potentially recoverable problem, or a partial error; fatal to communicate an issue that causes the scan to halt.",
"enum":[
"info",
"warn",
"fatal"
],
"examples":[
"info"
]
},
"value":{
"type":"string",
"description":"The message to communicate.",
"minLength":1,
"examples":[
"Permission denied, scanning aborted"
]
}
}
}
},
"analyzer":{
"type":"object",
"description":"Object defining the analyzer used to perform the scan. Analyzers typically delegate to an underlying scanner to run the scan.",
"required":[
"id",
"name",
"version",
"vendor"
],
"properties":{
"id":{
"type":"string",
"description":"Unique id that identifies the analyzer.",
"minLength":1,
"examples":[
"gitlab-dast"
]
},
"name":{
"type":"string",
"description":"A human readable value that identifies the analyzer, not required to be unique.",
"minLength":1,
"examples":[
"GitLab DAST"
]
},
"url":{
"type":"string",
"format":"uri",
"pattern":"^https?://.+",
"description":"A link to more information about the analyzer.",
"description":"URI pointing to the validating security report schema.",
"format":"uri"
},
"version":{
"type":"string",
"description":"The version of the schema to which the JSON report conforms.",
"pattern":"^[0-9]+\\.[0-9]+\\.[0-9]+$"
},
"vulnerabilities":{
"type":"array",
"description":"Array of vulnerability objects.",
"items":{
"type":"object",
"description":"Describes the vulnerability.",
"required":[
"category",
"cve",
"identifiers",
"location",
"scanner"
],
"properties":{
"id":{
"type":"string",
"description":"Unique identifier of the vulnerability. This is recommended to be a UUID.",
"examples":[
"642735a5-1425-428d-8d4e-3c854885a3c9"
]
},
"category":{
"type":"string",
"minLength":1,
"description":"Describes where this vulnerability belongs (for example, SAST, Dependency Scanning, and so on)."
},
"name":{
"type":"string",
"description":"The name of the vulnerability. This must not include the finding's specific information."
},
"message":{
"type":"string",
"description":"A short text section that describes the vulnerability. This may include the finding's specific information."
},
"description":{
"type":"string",
"description":"A long text section describing the vulnerability more fully."
},
"cve":{
"type":"string",
"description":"(Deprecated - use vulnerabilities[].id instead; note that this field is nevertheless still listed as required by this schema version) A fingerprint string value that represents a concrete finding. This is used to determine whether two findings are the same, which may not be 100% accurate. Note that this is NOT a CVE as described by https://cve.mitre.org/."
},
"severity":{
"type":"string",
"description":"How much the vulnerability impacts the software. Possible values are Info, Unknown, Low, Medium, High, or Critical. Note that some analyzers may not report all these possible values.",
"enum":[
"Info",
"Unknown",
"Low",
"Medium",
"High",
"Critical"
]
},
"confidence":{
"type":"string",
"description":"How reliable the vulnerability's assessment is. Possible values are Ignore, Unknown, Experimental, Low, Medium, High, and Confirmed. Note that some analyzers may not report all these possible values.",
"enum":[
"Ignore",
"Unknown",
"Experimental",
"Low",
"Medium",
"High",
"Confirmed"
]
},
"solution":{
"type":"string",
"description":"Explanation of how to fix the vulnerability."
},
"scanner":{
"description":"Describes the scanner used to find this vulnerability.",
"type":"object",
"required":[
"id",
"name"
],
"properties":{
"id":{
"type":"string",
"minLength":1,
"description":"The scanner's ID, as a snake_case string."
},
"name":{
"type":"string",
"minLength":1,
"description":"Human-readable name of the scanner."
}
}
},
"identifiers":{
"type":"array",
"minItems":1,
"description":"An ordered array of references that identify a vulnerability on internal or external databases. The first identifier is the Primary Identifier, which has special meaning.",
"items":{
"type":"object",
"required":[
"type",
"name",
"value"
],
"properties":{
"type":{
"type":"string",
"description":"Type of the identifier (for example, cve, cwe, osvdb, usn, or an analyzer-dependent type such as gemnasium).",
"minLength":1
},
"name":{
"type":"string",
"description":"Human-readable name of the identifier.",
"minLength":1
},
"url":{
"type":"string",
"description":"URL of the identifier's documentation.",
"format":"uri"
},
"value":{
"type":"string",
"description":"Value of the identifier, used for matching purposes.",
"minLength":1
}
}
}
},
"links":{
"type":"array",
"description":"An array of references to external documentation or articles that describe the vulnerability.",
"items":{
"type":"object",
"required":[
"url"
],
"properties":{
"name":{
"type":"string",
"description":"Name of the vulnerability details link."
},
"url":{
"type":"string",
"description":"URL of the vulnerability details document.",
"description":"Describes how this vulnerability should be tracked as the project changes.",
"oneOf":[
{
"description":"Declares that a series of items should be tracked using source-specific tracking methods.",
"required":[
"items"
],
"properties":{
"type":{
"const":"source"
},
"items":{
"type":"array",
"items":{
"description":"An item that should be tracked using source-specific tracking methods.",
"type":"object",
"required":[
"signatures"
],
"properties":{
"file":{
"type":"string",
"description":"Path to the file where the vulnerability is located."
},
"start_line":{
"type":"number",
"description":"The first line of the file that includes the vulnerability."
},
"end_line":{
"type":"number",
"description":"The last line of the file that includes the vulnerability."
},
"signatures":{
"type":"array",
"description":"An array of calculated tracking signatures for this tracking item.",
"minItems":1,
"items":{
"description":"A calculated tracking signature value and metadata.",
"required":[
"algorithm",
"value"
],
"properties":{
"algorithm":{
"type":"string",
"description":"The algorithm used to generate the signature."
},
"value":{
"type":"string",
"description":"The result of this signature algorithm."
}
}
}
}
}
}
}
}
}
],
"properties":{
"type":{
"type":"string",
"description":"Each tracking type must declare its own type."
}
}
},
"flags":{
"description":"Flags that can be attached to vulnerabilities.",
"type":"array",
"items":{
"type":"object",
"description":"Informational flags identified and assigned to a vulnerability.",
"required":[
"type",
"origin",
"description"
],
"properties":{
"type":{
"type":"string",
"minLength":1,
"description":"Type of the flag. Currently the only supported value is flagged-as-likely-false-positive.",
"enum":[
"flagged-as-likely-false-positive"
]
},
"origin":{
"minLength":1,
"description":"Tool that issued the flag.",
"type":"string"
},
"description":{
"minLength":1,
"description":"What the flag is about.",
"type":"string"
}
}
}
},
"location":{
"type":"object",
"description":"Identifies the vulnerability's location.",
"required":[
"file",
"dependency"
],
"properties":{
"file":{
"type":"string",
"minLength":1,
"description":"Path to the manifest or lock file where the dependency is declared (such as yarn.lock)."
},
"dependency":{
"type":"object",
"description":"Describes the dependency of a project where the vulnerability is located.",
"properties":{
"package":{
"type":"object",
"description":"Provides information on the package where the vulnerability is located.",
"properties":{
"name":{
"type":"string",
"description":"Name of the package where the vulnerability is located."
}
}
},
"version":{
"type":"string",
"description":"Version of the vulnerable package."
},
"iid":{
"description":"ID that identifies the dependency in the scope of a dependency file.",
"type":"number"
},
"direct":{
"type":"boolean",
"description":"Tells whether this is a direct, top-level dependency of the scanned project."
},
"dependency_path":{
"type":"array",
"description":"Ancestors of the dependency, starting from a direct project dependency, and ending with an immediate parent of the dependency. The dependency itself is excluded from the path. Direct dependencies have no path.",
"items":{
"type":"object",
"required":[
"iid"
],
"properties":{
"iid":{
"type":"number",
"description":"ID that is unique in the scope of a parent object, and specific to the resource type."
}
}
}
}
}
}
}
}
}
}
},
"remediations":{
"type":"array",
"description":"An array of objects containing information on available remediations, along with patch diffs to apply.",
"items":{
"type":"object",
"required":[
"fixes",
"summary",
"diff"
],
"properties":{
"fixes":{
"type":"array",
"description":"An array of objects, each referencing (by its cve fingerprint) a vulnerability fixed by this remediation.",
"items":{
"type":"object",
"required":[
"cve"
],
"properties":{
"cve":{
"type":"string",
"description":"(Deprecated - use vulnerabilities[].id instead) A fingerprint string value that represents a concrete finding. This is used to determine whether two findings are the same, which may not be 100% accurate. Note that this is NOT a CVE as described by https://cve.mitre.org/."
}
}
}
},
"summary":{
"type":"string",
"minLength":1,
"description":"An overview of how the vulnerabilities were fixed."
},
"diff":{
"type":"string",
"minLength":1,
"description":"A base64-encoded remediation code diff, compatible with git apply. Because the diff is applied to the project's source tree, consumers should review it before applying it."
}
}
}
},
"dependency_files":{
"type":"array",
"description":"List of dependency files identified in the project.",
"items":{
"type":"object",
"required":[
"path",
"package_manager",
"dependencies"
],
"properties":{
"path":{
"type":"string",
"minLength":1
},
"package_manager":{
"type":"string",
"minLength":1
},
"dependencies":{
"type":"array",
"items":{
"type":"object",
"description":"Describes the dependency of a project where the vulnerability is located.",
"properties":{
"package":{
"type":"object",
"description":"Provides information on the package where the vulnerability is located.",
"properties":{
"name":{
"type":"string",
"description":"Name of the package where the vulnerability is located."
}
}
},
"version":{
"type":"string",
"description":"Version of the vulnerable package."
},
"iid":{
"description":"ID that identifies the dependency in the scope of a dependency file.",
"type":"number"
},
"direct":{
"type":"boolean",
"description":"Tells whether this is a direct, top-level dependency of the scanned project."
},
"dependency_path":{
"type":"array",
"description":"Ancestors of the dependency, starting from a direct project dependency, and ending with an immediate parent of the dependency. The dependency itself is excluded from the path. Direct dependencies have no path.",
"items":{
"type":"object",
"required":[
"iid"
],
"properties":{
"iid":{
"type":"number",
"description":"ID that is unique in the scope of a parent object, and specific to the resource type."
"description":"This schema provides the report format for Static Application Security Testing analyzers (https://docs.gitlab.com/ee/user/application_security/sast).",
"definitions":{
"detail_type":{
"oneOf":[
{
"$ref":"#/definitions/named_list"
},
{
"$ref":"#/definitions/list"
},
{
"$ref":"#/definitions/table"
},
{
"$ref":"#/definitions/text"
},
{
"$ref":"#/definitions/url"
},
{
"$ref":"#/definitions/code"
},
{
"$ref":"#/definitions/value"
},
{
"$ref":"#/definitions/diff"
},
{
"$ref":"#/definitions/markdown"
},
{
"$ref":"#/definitions/commit"
},
{
"$ref":"#/definitions/file_location"
},
{
"$ref":"#/definitions/module_location"
}
]
},
"text_value":{
"type":"string"
},
"named_field":{
"type":"object",
"required":[
"name"
],
"properties":{
"name":{
"$ref":"#/definitions/text_value",
"minLength":1
},
"description":{
"$ref":"#/definitions/text_value"
}
}
},
"named_list":{
"type":"object",
"description":"An object with named and typed fields",
"required":[
"type",
"items"
],
"properties":{
"type":{
"const":"named-list"
},
"items":{
"type":"object",
"patternProperties":{
"^.*$":{
"allOf":[
{
"$ref":"#/definitions/named_field"
},
{
"$ref":"#/definitions/detail_type"
}
]
}
}
}
}
},
"list":{
"type":"object",
"description":"A list of typed fields",
"required":[
"type",
"items"
],
"properties":{
"type":{
"const":"list"
},
"items":{
"type":"array",
"items":{
"$ref":"#/definitions/detail_type"
}
}
}
},
"table":{
"type":"object",
"description":"A table of typed fields",
"required":[
"type",
"rows"
],
"properties":{
"type":{
"const":"table"
},
"header":{
"type":"array",
"items":{
"$ref":"#/definitions/detail_type"
}
},
"rows":{
"type":"array",
"items":{
"type":"array",
"items":{
"$ref":"#/definitions/detail_type"
}
}
}
}
},
"text":{
"type":"object",
"description":"Raw text",
"required":[
"type",
"value"
],
"properties":{
"type":{
"const":"text"
},
"value":{
"$ref":"#/definitions/text_value"
}
}
},
"url":{
"type":"object",
"description":"A single URL",
"required":[
"type",
"href"
],
"properties":{
"type":{
"const":"url"
},
"text":{
"$ref":"#/definitions/text_value"
},
"href":{
"type":"string",
"minLength":1,
"examples":[
"http://mysite.com"
]
}
}
},
"code":{
"type":"object",
"description":"A codeblock",
"required":[
"type",
"value"
],
"properties":{
"type":{
"const":"code"
},
"value":{
"type":"string"
},
"lang":{
"type":"string",
"description":"A programming language"
}
}
},
"value":{
"type":"object",
"description":"A field that can store a range of types of value",
"required":[
"type",
"value"
],
"properties":{
"type":{
"const":"value"
},
"value":{
"type":[
"number",
"string",
"boolean"
]
}
}
},
"diff":{
"type":"object",
"description":"A diff",
"required":[
"type",
"before",
"after"
],
"properties":{
"type":{
"const":"diff"
},
"before":{
"type":"string"
},
"after":{
"type":"string"
}
}
},
"markdown":{
"type":"object",
"description":"GitLab flavoured markdown, see https://docs.gitlab.com/ee/user/markdown.html",
"required":[
"type",
"value"
],
"properties":{
"type":{
"const":"markdown"
},
"value":{
"$ref":"#/definitions/text_value",
"examples":[
"Here is markdown `inline code` #1 [test](gitlab.com)\n\n![GitLab Logo](https://about.gitlab.com/images/press/logo/preview/gitlab-logo-white-preview.png)"
]
}
}
},
"commit":{
"type":"object",
"description":"A commit/tag/branch within the GitLab project",
"required":[
"type",
"value"
],
"properties":{
"type":{
"const":"commit"
},
"value":{
"type":"string",
"description":"The commit SHA",
"minLength":1
}
}
},
"file_location":{
"type":"object",
"description":"A location within a file in the project",
"required":[
"type",
"file_name",
"line_start"
],
"properties":{
"type":{
"const":"file-location"
},
"file_name":{
"type":"string",
"minLength":1
},
"line_start":{
"type":"integer"
},
"line_end":{
"type":"integer"
}
}
},
"module_location":{
"type":"object",
"description":"A location within a binary module of the form module+relative_offset",
"required":[
"type",
"module_name",
"offset"
],
"properties":{
"type":{
"const":"module-location"
},
"module_name":{
"type":"string",
"minLength":1,
"examples":[
"compiled_binary"
]
},
"offset":{
"type":"integer",
"examples":[
100
]
}
}
}
},
"self":{
"version":"14.0.4"
},
"required":[
"version",
"vulnerabilities"
],
"additionalProperties":true,
"properties":{
"scan":{
"type":"object",
"required":[
"end_time",
"scanner",
"start_time",
"status",
"type"
],
"properties":{
"end_time":{
"type":"string",
"description":"ISO8601 UTC value with format yyyy-mm-ddThh:mm:ss, representing when the scan finished.",
"description":"Communication intended for the initiator of a scan.",
"required":[
"level",
"value"
],
"properties":{
"level":{
"type":"string",
"description":"Describes the severity of the communication. Use info to communicate normal scan behaviour; warn to communicate a potentially recoverable problem, or a partial error; fatal to communicate an issue that causes the scan to halt.",
"enum":[
"info",
"warn",
"fatal"
],
"examples":[
"info"
]
},
"value":{
"type":"string",
"description":"The message to communicate.",
"minLength":1,
"examples":[
"Permission denied, scanning aborted"
]
}
}
}
},
"analyzer":{
"type":"object",
"description":"Object defining the analyzer used to perform the scan. Analyzers typically delegate to an underlying scanner to run the scan.",
"required":[
"id",
"name",
"version",
"vendor"
],
"properties":{
"id":{
"type":"string",
"description":"Unique id that identifies the analyzer.",
"minLength":1,
"examples":[
"gitlab-dast"
]
},
"name":{
"type":"string",
"description":"A human-readable value that identifies the analyzer, not required to be unique.",
"minLength":1,
"examples":[
"GitLab DAST"
]
},
"url":{
"type":"string",
"format":"uri",
"pattern":"^https?://.+",
"description":"A link to more information about the analyzer.",
"description":"URI pointing to the validating security report schema.",
"format":"uri"
},
"version":{
"type":"string",
"description":"The version of the schema to which the JSON report conforms.",
"pattern":"^[0-9]+\\.[0-9]+\\.[0-9]+$"
},
"vulnerabilities":{
"type":"array",
"description":"Array of vulnerability objects.",
"items":{
"type":"object",
"description":"Describes the vulnerability.",
"required":[
"category",
"cve",
"identifiers",
"location",
"scanner"
],
"properties":{
"id":{
"type":"string",
"description":"Unique identifier of the vulnerability. This is recommended to be a UUID.",
"examples":[
"642735a5-1425-428d-8d4e-3c854885a3c9"
]
},
"category":{
"type":"string",
"minLength":1,
"description":"Describes where this vulnerability belongs (for example, SAST, Dependency Scanning, and so on)."
},
"name":{
"type":"string",
"description":"The name of the vulnerability. This must not include the finding's specific information."
},
"message":{
"type":"string",
"description":"A short text section that describes the vulnerability. This may include the finding's specific information."
},
"description":{
"type":"string",
"description":"A long text section describing the vulnerability more fully."
},
"cve":{
"type":"string",
"description":"(Deprecated - use vulnerabilities[].id instead) A fingerprint string value that represents a concrete finding. This is used to determine whether two findings are the same, which may not be 100% accurate. Note that this is NOT a CVE as described by https://cve.mitre.org/."
},
"severity":{
"type":"string",
"description":"How much the vulnerability impacts the software. Possible values are Info, Unknown, Low, Medium, High, or Critical. Note that some analyzers may not report all these possible values.",
"enum":[
"Info",
"Unknown",
"Low",
"Medium",
"High",
"Critical"
]
},
"confidence":{
"type":"string",
"description":"How reliable the vulnerability's assessment is. Possible values are Ignore, Unknown, Experimental, Low, Medium, High, and Confirmed. Note that some analyzers may not report all these possible values.",
"enum":[
"Ignore",
"Unknown",
"Experimental",
"Low",
"Medium",
"High",
"Confirmed"
]
},
"solution":{
"type":"string",
"description":"Explanation of how to fix the vulnerability."
},
"scanner":{
"description":"Describes the scanner used to find this vulnerability.",
"type":"object",
"required":[
"id",
"name"
],
"properties":{
"id":{
"type":"string",
"minLength":1,
"description":"The scanner's ID, as a snake_case string."
},
"name":{
"type":"string",
"minLength":1,
"description":"Human-readable name of the scanner."
}
}
},
"identifiers":{
"type":"array",
"minItems":1,
"description":"An ordered array of references that identify a vulnerability on internal or external databases. The first identifier is the Primary Identifier, which has special meaning.",
"items":{
"type":"object",
"required":[
"type",
"name",
"value"
],
"properties":{
"type":{
"type":"string",
"description":"Type of the identifier (for example, cve, cwe, osvdb, usn, or an analyzer-dependent type such as gemnasium).",
"minLength":1
},
"name":{
"type":"string",
"description":"Human-readable name of the identifier.",
"minLength":1
},
"url":{
"type":"string",
"description":"URL of the identifier's documentation.",
"format":"uri"
},
"value":{
"type":"string",
"description":"Value of the identifier, used for matching purposes.",
"minLength":1
}
}
}
},
"links":{
"type":"array",
"description":"An array of references to external documentation or articles that describe the vulnerability.",
"items":{
"type":"object",
"required":[
"url"
],
"properties":{
"name":{
"type":"string",
"description":"Name of the vulnerability details link."
},
"url":{
"type":"string",
"description":"URL of the vulnerability details document.",
"description":"Describes how this vulnerability should be tracked as the project changes.",
"oneOf":[
{
"description":"Declares that a series of items should be tracked using source-specific tracking methods.",
"required":[
"items"
],
"properties":{
"type":{
"const":"source"
},
"items":{
"type":"array",
"items":{
"description":"An item that should be tracked using source-specific tracking methods.",
"type":"object",
"required":[
"signatures"
],
"properties":{
"file":{
"type":"string",
"description":"Path to the file where the vulnerability is located."
},
"start_line":{
"type":"number",
"description":"The first line of the file that includes the vulnerability."
},
"end_line":{
"type":"number",
"description":"The last line of the file that includes the vulnerability."
},
"signatures":{
"type":"array",
"description":"An array of calculated tracking signatures for this tracking item.",
"minItems":1,
"items":{
"description":"A calculated tracking signature value and metadata.",
"required":[
"algorithm",
"value"
],
"properties":{
"algorithm":{
"type":"string",
"description":"The algorithm used to generate the signature."
},
"value":{
"type":"string",
"description":"The result of this signature algorithm."
}
}
}
}
}
}
}
}
}
],
"properties":{
"type":{
"type":"string",
"description":"Each tracking type must declare its own type."
}
}
},
"flags":{
"description":"Flags that can be attached to vulnerabilities.",
"type":"array",
"items":{
"type":"object",
"description":"Informational flags identified and assigned to a vulnerability.",
"required":[
"type",
"origin",
"description"
],
"properties":{
"type":{
"type":"string",
"minLength":1,
"description":"Type of the flag. Currently the only supported value is flagged-as-likely-false-positive.",
"enum":[
"flagged-as-likely-false-positive"
]
},
"origin":{
"minLength":1,
"description":"Tool that issued the flag.",
"type":"string"
},
"description":{
"minLength":1,
"description":"What the flag is about.",
"type":"string"
}
}
}
},
"location":{
"type":"object",
"description":"Identifies the vulnerability's location.",
"properties":{
"file":{
"type":"string",
"description":"Path to the file where the vulnerability is located."
},
"start_line":{
"type":"number",
"description":"The first line of the code affected by the vulnerability."
},
"end_line":{
"type":"number",
"description":"The last line of the code affected by the vulnerability."
},
"class":{
"type":"string",
"description":"Provides the name of the class where the vulnerability is located."
},
"method":{
"type":"string",
"description":"Provides the name of the method where the vulnerability is located."
}
}
},
"raw_source_code_extract":{
"type":"string",
"description":"Provides an unsanitized (raw, not escaped) excerpt of the affected source code. Consumers must escape this value before rendering it in HTML or other interpreted contexts."
}
}
}
},
"remediations":{
"type":"array",
"description":"An array of objects containing information on available remediations, along with patch diffs to apply.",
"items":{
"type":"object",
"required":[
"fixes",
"summary",
"diff"
],
"properties":{
"fixes":{
"type":"array",
"description":"An array of objects, each referencing (by its cve fingerprint) a vulnerability fixed by this remediation.",
"items":{
"type":"object",
"required":[
"cve"
],
"properties":{
"cve":{
"type":"string",
"description":"(Deprecated - use vulnerabilities[].id instead) A fingerprint string value that represents a concrete finding. This is used to determine whether two findings are the same, which may not be 100% accurate. Note that this is NOT a CVE as described by https://cve.mitre.org/."
}
}
}
},
"summary":{
"type":"string",
"minLength":1,
"description":"An overview of how the vulnerabilities were fixed."
},
"diff":{
"type":"string",
"minLength":1,
"description":"A base64-encoded remediation code diff, compatible with git apply. Because the diff is applied to the project's source tree, consumers should review it before applying it."
"title":"Report format for GitLab Secret Detection",
"description":"This schema provides the report format for the Secret Detection analyzer (https://docs.gitlab.com/ee/user/application_security/secret_detection).",
"definitions":{
"detail_type":{
"oneOf":[
{
"$ref":"#/definitions/named_list"
},
{
"$ref":"#/definitions/list"
},
{
"$ref":"#/definitions/table"
},
{
"$ref":"#/definitions/text"
},
{
"$ref":"#/definitions/url"
},
{
"$ref":"#/definitions/code"
},
{
"$ref":"#/definitions/value"
},
{
"$ref":"#/definitions/diff"
},
{
"$ref":"#/definitions/markdown"
},
{
"$ref":"#/definitions/commit"
},
{
"$ref":"#/definitions/file_location"
},
{
"$ref":"#/definitions/module_location"
}
]
},
"text_value":{
"type":"string"
},
"named_field":{
"type":"object",
"required":[
"name"
],
"properties":{
"name":{
"$ref":"#/definitions/text_value",
"minLength":1
},
"description":{
"$ref":"#/definitions/text_value"
}
}
},
"named_list":{
"type":"object",
"description":"An object with named and typed fields",
"required":[
"type",
"items"
],
"properties":{
"type":{
"const":"named-list"
},
"items":{
"type":"object",
"patternProperties":{
"^.*$":{
"allOf":[
{
"$ref":"#/definitions/named_field"
},
{
"$ref":"#/definitions/detail_type"
}
]
}
}
}
}
},
"list":{
"type":"object",
"description":"A list of typed fields",
"required":[
"type",
"items"
],
"properties":{
"type":{
"const":"list"
},
"items":{
"type":"array",
"items":{
"$ref":"#/definitions/detail_type"
}
}
}
},
"table":{
"type":"object",
"description":"A table of typed fields",
"required":[
"type",
"rows"
],
"properties":{
"type":{
"const":"table"
},
"header":{
"type":"array",
"items":{
"$ref":"#/definitions/detail_type"
}
},
"rows":{
"type":"array",
"items":{
"type":"array",
"items":{
"$ref":"#/definitions/detail_type"
}
}
}
}
},
"text":{
"type":"object",
"description":"Raw text",
"required":[
"type",
"value"
],
"properties":{
"type":{
"const":"text"
},
"value":{
"$ref":"#/definitions/text_value"
}
}
},
"url":{
"type":"object",
"description":"A single URL",
"required":[
"type",
"href"
],
"properties":{
"type":{
"const":"url"
},
"text":{
"$ref":"#/definitions/text_value"
},
"href":{
"type":"string",
"minLength":1,
"examples":[
"http://mysite.com"
]
}
}
},
"code":{
"type":"object",
"description":"A codeblock",
"required":[
"type",
"value"
],
"properties":{
"type":{
"const":"code"
},
"value":{
"type":"string"
},
"lang":{
"type":"string",
"description":"A programming language"
}
}
},
"value":{
"type":"object",
"description":"A field that can store a range of types of value",
"required":[
"type",
"value"
],
"properties":{
"type":{
"const":"value"
},
"value":{
"type":[
"number",
"string",
"boolean"
]
}
}
},
"diff":{
"type":"object",
"description":"A diff",
"required":[
"type",
"before",
"after"
],
"properties":{
"type":{
"const":"diff"
},
"before":{
"type":"string"
},
"after":{
"type":"string"
}
}
},
"markdown":{
"type":"object",
"description":"GitLab flavoured markdown, see https://docs.gitlab.com/ee/user/markdown.html",
"required":[
"type",
"value"
],
"properties":{
"type":{
"const":"markdown"
},
"value":{
"$ref":"#/definitions/text_value",
"examples":[
"Here is markdown `inline code` #1 [test](gitlab.com)\n\n![GitLab Logo](https://about.gitlab.com/images/press/logo/preview/gitlab-logo-white-preview.png)"
]
}
}
},
"commit":{
"type":"object",
"description":"A commit/tag/branch within the GitLab project",
"required":[
"type",
"value"
],
"properties":{
"type":{
"const":"commit"
},
"value":{
"type":"string",
"description":"The commit SHA",
"minLength":1
}
}
},
"file_location":{
"type":"object",
"description":"A location within a file in the project",
"required":[
"type",
"file_name",
"line_start"
],
"properties":{
"type":{
"const":"file-location"
},
"file_name":{
"type":"string",
"minLength":1
},
"line_start":{
"type":"integer"
},
"line_end":{
"type":"integer"
}
}
},
"module_location":{
"type":"object",
"description":"A location within a binary module of the form module+relative_offset",
"required":[
"type",
"module_name",
"offset"
],
"properties":{
"type":{
"const":"module-location"
},
"module_name":{
"type":"string",
"minLength":1,
"examples":[
"compiled_binary"
]
},
"offset":{
"type":"integer",
"examples":[
100
]
}
}
}
},
"self":{
"version":"14.0.4"
},
"required":[
"version",
"vulnerabilities"
],
"additionalProperties":true,
"properties":{
"scan":{
"type":"object",
"required":[
"end_time",
"scanner",
"start_time",
"status",
"type"
],
"properties":{
"end_time":{
"type":"string",
"description":"ISO8601 UTC value with format yyyy-mm-ddThh:mm:ss, representing when the scan finished.",
"description":"Communication intended for the initiator of a scan.",
"required":[
"level",
"value"
],
"properties":{
"level":{
"type":"string",
"description":"Describes the severity of the communication. Use info to communicate normal scan behaviour; warn to communicate a potentially recoverable problem, or a partial error; fatal to communicate an issue that causes the scan to halt.",
"enum":[
"info",
"warn",
"fatal"
],
"examples":[
"info"
]
},
"value":{
"type":"string",
"description":"The message to communicate.",
"minLength":1,
"examples":[
"Permission denied, scanning aborted"
]
}
}
}
},
"analyzer":{
"type":"object",
"description":"Object defining the analyzer used to perform the scan. Analyzers typically delegate to an underlying scanner to run the scan.",
"required":[
"id",
"name",
"version",
"vendor"
],
"properties":{
"id":{
"type":"string",
"description":"Unique id that identifies the analyzer.",
"minLength":1,
"examples":[
"gitlab-dast"
]
},
"name":{
"type":"string",
"description":"A human-readable value that identifies the analyzer, not required to be unique.",
"minLength":1,
"examples":[
"GitLab DAST"
]
},
"url":{
"type":"string",
"format":"uri",
"pattern":"^https?://.+",
"description":"A link to more information about the analyzer.",
"description":"URI pointing to the validating security report schema.",
"format":"uri"
},
"version":{
"type":"string",
"description":"The version of the schema to which the JSON report conforms.",
"pattern":"^[0-9]+\\.[0-9]+\\.[0-9]+$"
},
"vulnerabilities":{
"type":"array",
"description":"Array of vulnerability objects.",
"items":{
"type":"object",
"description":"Describes the vulnerability.",
"required":[
"category",
"cve",
"identifiers",
"location",
"scanner"
],
"properties":{
"id":{
"type":"string",
"description":"Unique identifier of the vulnerability. This is recommended to be a UUID.",
"examples":[
"642735a5-1425-428d-8d4e-3c854885a3c9"
]
},
"category":{
"type":"string",
"minLength":1,
"description":"Describes where this vulnerability belongs (for example, SAST, Dependency Scanning, and so on)."
},
"name":{
"type":"string",
"description":"The name of the vulnerability. This must not include the finding's specific information."
},
"message":{
"type":"string",
"description":"A short text section that describes the vulnerability. This may include the finding's specific information."
},
"description":{
"type":"string",
"description":"A long text section describing the vulnerability more fully."
},
"cve":{
"type":"string",
"description":"(Deprecated - use vulnerabilities[].id instead) A fingerprint string value that represents a concrete finding. This is used to determine whether two findings are the same, which may not be 100% accurate. Note that this is NOT a CVE as described by https://cve.mitre.org/."
},
"severity":{
"type":"string",
"description":"How much the vulnerability impacts the software. Possible values are Info, Unknown, Low, Medium, High, or Critical. Note that some analyzers may not report all these possible values.",
"enum":[
"Info",
"Unknown",
"Low",
"Medium",
"High",
"Critical"
]
},
"confidence":{
"type":"string",
"description":"How reliable the vulnerability's assessment is. Possible values are Ignore, Unknown, Experimental, Low, Medium, High, and Confirmed. Note that some analyzers may not report all these possible values.",
"enum":[
"Ignore",
"Unknown",
"Experimental",
"Low",
"Medium",
"High",
"Confirmed"
]
},
"solution":{
"type":"string",
"description":"Explanation of how to fix the vulnerability."
},
"scanner":{
"description":"Describes the scanner used to find this vulnerability.",
"type":"object",
"required":[
"id",
"name"
],
"properties":{
"id":{
"type":"string",
"minLength":1,
"description":"The scanner's ID, as a snake_case string."
},
"name":{
"type":"string",
"minLength":1,
"description":"Human-readable name of the scanner."
}
}
},
"identifiers":{
"type":"array",
"minItems":1,
"description":"An ordered array of references that identify a vulnerability on internal or external databases. The first identifier is the Primary Identifier, which has special meaning.",
"items":{
"type":"object",
"required":[
"type",
"name",
"value"
],
"properties":{
"type":{
"type":"string",
"description":"Type of the identifier (for example, cve, cwe, osvdb, usn, or an analyzer-dependent type such as gemnasium).",
"minLength":1
},
"name":{
"type":"string",
"description":"Human-readable name of the identifier.",
"minLength":1
},
"url":{
"type":"string",
"description":"URL of the identifier's documentation.",
"format":"uri"
},
"value":{
"type":"string",
"description":"Value of the identifier, used for matching purposes.",
"minLength":1
}
}
}
},
"links":{
"type":"array",
"description":"An array of references to external documentation or articles that describe the vulnerability.",
"items":{
"type":"object",
"required":[
"url"
],
"properties":{
"name":{
"type":"string",
"description":"Name of the vulnerability details link."
},
"url":{
"type":"string",
"description":"URL of the vulnerability details document.",
"description":"Describes how this vulnerability should be tracked as the project changes.",
"oneOf":[
{
"description":"Declares that a series of items should be tracked using source-specific tracking methods.",
"required":[
"items"
],
"properties":{
"type":{
"const":"source"
},
"items":{
"type":"array",
"items":{
"description":"An item that should be tracked using source-specific tracking methods.",
"type":"object",
"required":[
"signatures"
],
"properties":{
"file":{
"type":"string",
"description":"Path to the file where the vulnerability is located."
},
"start_line":{
"type":"number",
"description":"The first line of the file that includes the vulnerability."
},
"end_line":{
"type":"number",
"description":"The last line of the file that includes the vulnerability."
},
"signatures":{
"type":"array",
"description":"An array of calculated tracking signatures for this tracking item.",
"minItems":1,
"items":{
"description":"A calculated tracking signature value and metadata.",
"required":[
"algorithm",
"value"
],
"properties":{
"algorithm":{
"type":"string",
"description":"The algorithm used to generate the signature."
},
"value":{
"type":"string",
"description":"The result of this signature algorithm."
}
}
}
}
}
}
}
}
}
],
"properties":{
"type":{
"type":"string",
"description":"Each tracking type must declare its own type."
}
}
},
"flags":{
"description":"Flags that can be attached to vulnerabilities.",
"type":"array",
"items":{
"type":"object",
"description":"Informational flags identified and assigned to a vulnerability.",
"required":[
"type",
"origin",
"description"
],
"properties":{
"type":{
"type":"string",
"minLength":1,
"description":"Type of the flag. Currently the only supported value is flagged-as-likely-false-positive.",
"enum":[
"flagged-as-likely-false-positive"
]
},
"origin":{
"minLength":1,
"description":"Tool that issued the flag.",
"type":"string"
},
"description":{
"minLength":1,
"description":"What the flag is about.",
"type":"string"
}
}
}
},
"location":{
"required":[
"commit"
],
"properties":{
"file":{
"type":"string",
"description":"Path to the file where the vulnerability is located."
},
"commit":{
"type":"object",
"description":"Represents the commit in which the vulnerability was detected.",
"required":[
"sha"
],
"properties":{
"author":{
"type":"string"
},
"date":{
"type":"string"
},
"message":{
"type":"string"
},
"sha":{
"type":"string",
"minLength":1
}
}
},
"start_line":{
"type":"number",
"description":"The first line of the code affected by the vulnerability."
},
"end_line":{
"type":"number",
"description":"The last line of the code affected by the vulnerability."
},
"class":{
"type":"string",
"description":"Provides the name of the class where the vulnerability is located."
},
"method":{
"type":"string",
"description":"Provides the name of the method where the vulnerability is located."
}
}
},
"raw_source_code_extract":{
"type":"string",
"description":"Provides an unsanitized excerpt of the affected source code. The text is reproduced verbatim from the scanned source, so consumers that render or embed it must escape it themselves."
}
}
}
},
"remediations":{
"type":"array",
"description":"An array of objects containing information on available remediations, along with patch diffs to apply.",
"items":{
"type":"object",
"required":[
"fixes",
"summary",
"diff"
],
"properties":{
"fixes":{
"type":"array",
"description":"An array of objects, each of which references a vulnerability fixed by this remediation.",
"items":{
"type":"object",
"required":[
"cve"
],
"properties":{
"cve":{
"type":"string",
"description":"(Deprecated - use vulnerabilities[].id instead) A fingerprint string value that represents a concrete finding. This is used to determine whether two findings are the same, which may not be 100% accurate. Note that this is NOT a CVE as described by https://cve.mitre.org/."
}
}
}
},
"summary":{
"type":"string",
"minLength":1,
"description":"An overview of how the vulnerabilities were fixed."
},
"diff":{
"type":"string",
"minLength":1,
"description":"A base64-encoded remediation code diff, compatible with git apply."