Vulnerability Findings API

原文：https://docs.gitlab.com/ee/api/vulnerability_findings.html

• Vulnerability findings pagination
• List project vulnerability findings

Vulnerability Findings API

在 GitLab Ultimate 12.5 中引入 .

注意：此 API 资源已从”漏洞”重命名为”漏洞发现”，因为这些漏洞是为服务即将到来的独立漏洞对象而保留的. 要修复与以前的 Vulnerabilities API 的任何损坏的集成，请将vulnerabilities URL 部分更改为vulnerabilities _ vulnerability_findings .

每个对漏洞发现的 API 调用都必须经过身份验证 .

漏洞发现是项目约束的实体. 如果用户不是项目成员，并且该项目是私有项目，则对该项目的请求将产生404状态代码.

如果用户能够访问该项目但无权使用 Project Security 仪表板 ，则任何对此项目的漏洞发现的请求都将生成403状态代码.

警告：此 API 处于 alpha 阶段，被认为是不稳定的. 响应有效载荷可能会在 GitLab 版本之间发生更改或损坏.

Vulnerability findings pagination

默认情况下，因为 API 结果是分页的，所以GET请求一次返回 20 个结果.

阅读有关分页的更多信息.

List project vulnerability findings

列出项目的所有漏洞发现.

GET /projects/:id/vulnerability_findings
GET /projects/:id/vulnerability_findings?report_type=sast
GET /projects/:id/vulnerability_findings?report_type=container_scanning
GET /projects/:id/vulnerability_findings?report_type=sast,dast
GET /projects/:id/vulnerability_findings?scope=all
GET /projects/:id/vulnerability_findings?scope=dismissed
GET /projects/:id/vulnerability_findings?severity=high
GET /projects/:id/vulnerability_findings?confidence=unknown,experimental
GET /projects/:id/vulnerability_findings?scanner=bandit,find_sec_bugs
GET /projects/:id/vulnerability_findings?pipeline_id=42

弃用：从 GitLab 12.9 开始，不再报告undefined严重性和可信度级别.

curl --header "PRIVATE-TOKEN: <your_access_token>" "https://gitlab.example.com/api/v4/projects/4/vulnerability_findings"

Example response:

[  {  "id":  null,  "report_type":  "dependency_scanning",  "name":  "Authentication bypass via incorrect DOM traversal and canonicalization in saml2-js",  "severity":  "unknown",  "confidence":  "undefined",  "scanner":  {  "external_id":  "gemnasium",  "name":  "Gemnasium"  },  "identifiers":  [  {  "external_type":  "gemnasium",  "external_id":  "9952e574-7b5b-46fa-a270-aeb694198a98",  "name":  "Gemnasium-9952e574-7b5b-46fa-a270-aeb694198a98",  "url":  "https://deps.sec.gitlab.com/packages/npm/saml2-js/versions/1.5.0/advisories"  },  {  "external_type":  "cve",  "external_id":  "CVE-2017-11429",  "name":  "CVE-2017-11429",  "url":  "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11429"  }  ],  "project_fingerprint":  "fa6f5b6c5d240b834ac5e901dc69f9484cef89ec",  "create_vulnerability_feedback_issue_path":  "/tests/yarn-remediation-test/vulnerability_feedback",  "create_vulnerability_feedback_merge_request_path":  "/tests/yarn-remediation-test/vulnerability_feedback",  "create_vulnerability_feedback_dismissal_path":  "/tests/yarn-remediation-test/vulnerability_feedback",  "project":  {  "id":  31,  "name":  "yarn-remediation-test",  "full_path":  "/tests/yarn-remediation-test",  "full_name":  "tests / yarn-remediation-test"  },  "dismissal_feedback":  null,  "issue_feedback":  null,  "merge_request_feedback":  null,  "description":  "Some XML DOM traversal and canonicalization APIs may be inconsistent in handling of comments within XML nodes. Incorrect use of these APIs by some SAML libraries results in incorrect parsing of the inner text of XML nodes such that any inner text after the comment is lost prior to cryptographically signing the SAML message. Text after the comment therefore has no impact on the signature on the SAML message.\r\n\r\nA remote attacker can modify SAML content for a SAML service provider without invalidating the cryptographic signature, which may allow attackers to bypass primary authentication for the affected SAML service provider.",  "links":  [  {  "url":  "https://github.com/Clever/saml2/commit/3546cb61fd541f219abda364c5b919633609ef3d#diff-af730f9f738de1c9ad87596df3f6de84R279"  },  {  "url":  "https://www.kb.cert.org/vuls/id/475445"  },  {  "url":  "https://github.com/Clever/saml2/issues/127"  }  ],  "location":  {  "file":  "yarn.lock",  "dependency":  {  "package":  {  "name":  "saml2-js"  },  "version":  "1.5.0"  }  },  "solution":  "Upgrade to fixed version.\r\n",  "blob_path":  "/tests/yarn-remediation-test/blob/cc6c4a0778460455ae5d16ca7025ca9ca1ca75ac/yarn.lock"  }  ]