Update report schema documentation for SAST

c6fb90de · Igor Frenkel · Russell Dickenson · 13ee246a · c6fb90de
Commit c6fb90de authored Jun 14, 2020 by Igor Frenkel Committed by Russell Dickenson Jun 14, 2020
Hide whitespace changes
Inline Side-by-side

Showing with 3 additions and 38 deletions

doc/user/application_security/sast/index.md doc/user/application_security/sast/index.md +3 -38

No files found.
--- a/doc/user/application_security/sast/index.md
+++ b/doc/user/application_security/sast/index.md
@@ -364,11 +364,10 @@ analyzer containers: `DOCKER_`, `CI`, `GITLAB_`, `FF_`, `HOME`, `PWD`, `OLDPWD`,

 ## Reports JSON format

-CAUTION: **Caution:**
-The JSON report artifacts are not a public API of SAST and their format may change in the future.
+The SAST tool emits a JSON report file. For more information, see the
+[schema for this report](https://gitlab.com/gitlab-org/security-products/security-report-schemas/-/blob/master/dist/sast-report-format.json).

-The SAST tool emits a JSON report file. Here is an example of the report structure with all important parts of
-it highlighted:
+Here's an example SAST report:

 ```json-doc
 {
@@ -443,40 +442,6 @@ it highlighted:
 }
 ```

-CAUTION: **Deprecation:**
-Beginning with GitLab 12.9, SAST no longer reports `undefined` severity and confidence levels.
-
-Here is the description of the report file structure nodes and their meaning. All fields are mandatory in
-the report JSON unless stated otherwise. Presence of optional fields depends on the underlying analyzers being used.
-
-| Report JSON node                        | Function |
-|-----------------------------------------|----------|
-| `version`                               | Report syntax version used to generate this JSON. |
-| `vulnerabilities`                       | Array of vulnerability objects. |
-| `vulnerabilities[].id`                  | Unique identifier of the vulnerability. |
-| `vulnerabilities[].category`            | Where this vulnerability belongs (such as SAST, Dependency Scanning). For SAST, it will always be `sast`. |
-| `vulnerabilities[].name`                | Name of the vulnerability. Must not include the occurrence's specific information. Optional. |
-| `vulnerabilities[].message`             | A short text that describes the vulnerability, it may include the occurrence's specific information. Optional. |
-| `vulnerabilities[].description`         | A long text that describes the vulnerability. Optional. |
-| `vulnerabilities[].cve`                 | (**DEPRECATED - use `vulnerabilities[].id` instead**) A fingerprint string value that represents a concrete occurrence of the vulnerability. It's used to determine whether two vulnerability occurrences are same or different. May not be 100% accurate. **This is NOT a [CVE](https://cve.mitre.org/)**.                                                                                                                                      |
-| `vulnerabilities[].severity`            | How much the vulnerability impacts the software. Possible values: `Info`, `Unknown`, `Low`, `Medium`, `High`, `Critical`. |
-| `vulnerabilities[].confidence`          | How reliable the vulnerability's assessment is. Possible values: `Ignore`, `Unknown`, `Experimental`, `Low`, `Medium`, `High`, `Confirmed`. |
-| `vulnerabilities[].solution`            | Explanation of how to fix the vulnerability. Optional. |
-| `vulnerabilities[].scanner`             | A node that describes the analyzer used to find this vulnerability. |
-| `vulnerabilities[].scanner.id`          | ID of the scanner as a snake_case string. |
-| `vulnerabilities[].scanner.name`        | Name of the scanner, for display purposes. |
-| `vulnerabilities[].location`            | A node that tells where the vulnerability is located. |
-| `vulnerabilities[].location.file`       | Path to the file where the vulnerability is located. Optional. |
-| `vulnerabilities[].location.start_line` | The first line of the code affected by the vulnerability. Optional. |
-| `vulnerabilities[].location.end_line`   | The last line of the code affected by the vulnerability. Optional. |
-| `vulnerabilities[].location.class`      | If specified, provides the name of the class where the vulnerability is located. Optional. |
-| `vulnerabilities[].location.method`     | If specified, provides the name of the method where the vulnerability is located. Optional. |
-| `vulnerabilities[].identifiers`         | An ordered array of references that identify a vulnerability on internal or external databases. |
-| `vulnerabilities[].identifiers[].type`  | Type of the identifier. Possible values: common identifier types (among `cve`, `cwe`, `osvdb`, and `usn`) or analyzer-dependent ones (like `bandit_test_id` for [Bandit analyzer](https://wiki.openstack.org/wiki/Security/Projects/Bandit)). |
-| `vulnerabilities[].identifiers[].name`  | Name of the identifier for display purposes. |
-| `vulnerabilities[].identifiers[].value` | Value of the identifier for matching purposes. |
-| `vulnerabilities[].identifiers[].url`   | URL to identifier's documentation. Optional. |
-
 ## Secret detection

 GitLab is also able to detect secrets and credentials that have been unintentionally pushed to the