summaryrefslogtreecommitdiff
path: root/doc/api/project_vulnerabilities.md
diff options
context:
space:
mode:
Diffstat (limited to 'doc/api/project_vulnerabilities.md')
-rw-r--r--doc/api/project_vulnerabilities.md215
1 files changed, 215 insertions, 0 deletions
diff --git a/doc/api/project_vulnerabilities.md b/doc/api/project_vulnerabilities.md
new file mode 100644
index 00000000000..84bbc789b0c
--- /dev/null
+++ b/doc/api/project_vulnerabilities.md
@@ -0,0 +1,215 @@
+# Project Vulnerabilities API **(ULTIMATE)**
+
+> [Introduced](https://gitlab.com/gitlab-org/gitlab/issues/10242) in [GitLab Ultimate](https://about.gitlab.com/pricing/) 12.6.
+
+CAUTION: **Caution:**
+This API is currently in development and is protected by a **disabled**
+[feature flag](../development/feature_flags/index.md).
+On a self-managed GitLab instance, an administrator can enable it by starting the Rails console
+(`sudo gitlab-rails console`) and then running the following command: `Feature.enable(:first_class_vulnerabilities)`.
+To test if the Vulnerabilities API was successfully enabled, run the following command:
+`Feature.enabled?(:first_class_vulnerabilities)`.
+
+CAUTION: **Caution:**
+This API is in an alpha stage and considered unstable.
+The response payload may be subject to change or breakage
+across GitLab releases.
+
+Every API call to vulnerabilities must be [authenticated](README.md#authentication).
+
+Vulnerability permissions inherit permissions from their project. If a project is
+private, and a user isn't a member of the project to which the vulnerability
+belongs, requests to that project will return a `404 Not Found` status code.
+
+## Vulnerabilities pagination
+
+API results are paginated, and `GET` requests return 20 results at a time by default.
+
+Read more on [pagination](README.md#pagination).
+
+## List project vulnerabilities
+
+List all of a project's vulnerabilities.
+
+If an authenticated user does not have permission to
+[use the Project Security Dashboard](../user/permissions.md#project-members-permissions),
+`GET` requests for vulnerabilities of this project will result in a `403` status code.
+
+```plaintext
+GET /projects/:id/vulnerabilities
+```
+
+| Attribute | Type | Required | Description |
+| ------------- | -------------- | -------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| `id` | integer or string | yes | The ID or [URL-encoded path of the project](README.md#namespaced-path-encoding) owned by the authenticated user. |
+
+```bash
+curl --header "PRIVATE-TOKEN: <your_access_token>" https://gitlab.example.com/api/v4/projects/4/vulnerabilities
+```
+
+Example response:
+
+```json
+[
+ {
+ "author_id": 1,
+ "confidence": "medium",
+ "created_at": "2020-04-07T14:01:04.655Z",
+ "description": null,
+ "dismissed_at": null,
+ "dismissed_by_id": null,
+ "due_date": null,
+ "finding": {
+ "confidence": "medium",
+ "created_at": "2020-04-07T14:01:04.630Z",
+ "id": 103,
+ "location_fingerprint": "228998b5db51d86d3b091939e2f5873ada0a14a1",
+ "metadata_version": "2.0",
+ "name": "Regular Expression Denial of Service in debug",
+ "primary_identifier_id": 135,
+ "project_fingerprint": "05e7cc9978ca495cf739a9f707ed34811e41c615",
+ "project_id": 24,
+ "raw_metadata": "{\"category\":\"dependency_scanning\",\"name\":\"Regular Expression Denial of Service\",\"message\":\"Regular Expression Denial of Service in debug\",\"description\":\"The debug module is vulnerable to regular expression denial of service when untrusted user input is passed into the `o` formatter. It takes around 50k characters to block for 2 seconds making this a low severity issue.\",\"cve\":\"yarn.lock:debug:gemnasium:37283ed4-0380-40d7-ada7-2d994afcc62a\",\"severity\":\"Unknown\",\"solution\":\"Upgrade to latest versions.\",\"scanner\":{\"id\":\"gemnasium\",\"name\":\"Gemnasium\"},\"location\":{\"file\":\"yarn.lock\",\"dependency\":{\"package\":{\"name\":\"debug\"},\"version\":\"1.0.5\"}},\"identifiers\":[{\"type\":\"gemnasium\",\"name\":\"Gemnasium-37283ed4-0380-40d7-ada7-2d994afcc62a\",\"value\":\"37283ed4-0380-40d7-ada7-2d994afcc62a\",\"url\":\"https://deps.sec.gitlab.com/packages/npm/debug/versions/1.0.5/advisories\"}],\"links\":[{\"url\":\"https://nodesecurity.io/advisories/534\"},{\"url\":\"https://github.com/visionmedia/debug/issues/501\"},{\"url\":\"https://github.com/visionmedia/debug/pull/504\"}],\"remediations\":[null]}",
+ "report_type": "dependency_scanning",
+ "scanner_id": 63,
+ "severity": "low",
+ "updated_at": "2020-04-07T14:01:04.664Z",
+ "uuid": "f1d528ae-d0cc-47f6-a72f-936cec846ae7",
+ "vulnerability_id": 103
+ },
+ "id": 103,
+ "last_edited_at": null,
+ "last_edited_by_id": null,
+ "project": {
+ "created_at": "2020-04-07T13:54:25.634Z",
+ "description": "",
+ "id": 24,
+ "name": "security-reports",
+ "name_with_namespace": "gitlab-org / security-reports",
+ "path": "security-reports",
+ "path_with_namespace": "gitlab-org/security-reports"
+ },
+ "project_default_branch": "master",
+ "report_type": "dependency_scanning",
+ "resolved_at": null,
+ "resolved_by_id": null,
+ "resolved_on_default_branch": false,
+ "severity": "low",
+ "start_date": null,
+ "state": "detected",
+ "title": "Regular Expression Denial of Service in debug",
+ "updated_at": "2020-04-07T14:01:04.655Z",
+ "updated_by_id": null
+ }
+]
+```
+
+## New vulnerability
+
+Creates a new vulnerability.
+
+If an authenticated user does not have a permission to
+[create a new vulnerability](../user/permissions.md#project-members-permissions),
+this request will result in a `403` status code.
+
+```plaintext
+POST /projects/:id/vulnerabilities?finding_id=<your_finding_id>
+```
+
+| Attribute | Type | Required | Description |
+| ------------------- | ----------------- | ---------- | -----------------------------------------------------------------------------------------------------------------------------|
+| `id` | integer or string | yes | The ID or [URL-encoded path of the project](README.md#namespaced-path-encoding) which the authenticated user is a member of |
+| `finding_id` | integer or string | yes | The ID of a Vulnerability Finding from which the new Vulnerability will be created |
+
+The other attributes of a newly created Vulnerability are populated from
+its source Vulnerability Finding, or with these default values:
+
+| Attribute | Value |
+|--------------|-------------------------------------------------------|
+| `author` | The authenticated user |
+| `title` | The `name` attribute of a Vulnerability Finding |
+| `state` | `opened` |
+| `severity` | The `severity` attribute of a Vulnerability Finding |
+| `confidence` | The `confidence` attribute of a Vulnerability Finding |
+
+```shell
+curl --header POST "PRIVATE-TOKEN: <your_access_token>" https://gitlab.example.com/api/v4/projects/1/vulnerabilities?finding_id=1
+```
+
+Example response:
+
+```json
+{
+ "author_id": 1,
+ "confidence": "medium",
+ "created_at": "2020-04-07T14:01:04.655Z",
+ "description": null,
+ "dismissed_at": null,
+ "dismissed_by_id": null,
+ "due_date": null,
+ "finding": {
+ "confidence": "medium",
+ "created_at": "2020-04-07T14:01:04.630Z",
+ "id": 103,
+ "location_fingerprint": "228998b5db51d86d3b091939e2f5873ada0a14a1",
+ "metadata_version": "2.0",
+ "name": "Regular Expression Denial of Service in debug",
+ "primary_identifier_id": 135,
+ "project_fingerprint": "05e7cc9978ca495cf739a9f707ed34811e41c615",
+ "project_id": 24,
+ "raw_metadata": "{\"category\":\"dependency_scanning\",\"name\":\"Regular Expression Denial of Service\",\"message\":\"Regular Expression Denial of Service in debug\",\"description\":\"The debug module is vulnerable to regular expression denial of service when untrusted user input is passed into the `o` formatter. It takes around 50k characters to block for 2 seconds making this a low severity issue.\",\"cve\":\"yarn.lock:debug:gemnasium:37283ed4-0380-40d7-ada7-2d994afcc62a\",\"severity\":\"Unknown\",\"solution\":\"Upgrade to latest versions.\",\"scanner\":{\"id\":\"gemnasium\",\"name\":\"Gemnasium\"},\"location\":{\"file\":\"yarn.lock\",\"dependency\":{\"package\":{\"name\":\"debug\"},\"version\":\"1.0.5\"}},\"identifiers\":[{\"type\":\"gemnasium\",\"name\":\"Gemnasium-37283ed4-0380-40d7-ada7-2d994afcc62a\",\"value\":\"37283ed4-0380-40d7-ada7-2d994afcc62a\",\"url\":\"https://deps.sec.gitlab.com/packages/npm/debug/versions/1.0.5/advisories\"}],\"links\":[{\"url\":\"https://nodesecurity.io/advisories/534\"},{\"url\":\"https://github.com/visionmedia/debug/issues/501\"},{\"url\":\"https://github.com/visionmedia/debug/pull/504\"}],\"remediations\":[null]}",
+ "report_type": "dependency_scanning",
+ "scanner_id": 63,
+ "severity": "low",
+ "updated_at": "2020-04-07T14:01:04.664Z",
+ "uuid": "f1d528ae-d0cc-47f6-a72f-936cec846ae7",
+ "vulnerability_id": 103
+ },
+ "id": 103,
+ "last_edited_at": null,
+ "last_edited_by_id": null,
+ "project": {
+ "created_at": "2020-04-07T13:54:25.634Z",
+ "description": "",
+ "id": 24,
+ "name": "security-reports",
+ "name_with_namespace": "gitlab-org / security-reports",
+ "path": "security-reports",
+ "path_with_namespace": "gitlab-org/security-reports"
+ },
+ "project_default_branch": "master",
+ "report_type": "dependency_scanning",
+ "resolved_at": null,
+ "resolved_by_id": null,
+ "resolved_on_default_branch": false,
+ "severity": "low",
+ "start_date": null,
+ "state": "detected",
+ "title": "Regular Expression Denial of Service in debug",
+ "updated_at": "2020-04-07T14:01:04.655Z",
+ "updated_by_id": null
+}
+```
+
+### Errors
+
+This error occurs when a Finding chosen to create a Vulnerability from is not found, or
+is already associated with a different Vulnerability:
+
+```plaintext
+A Vulnerability Finding is not found or already attached to a different Vulnerability
+```
+
+Status code: `400`
+
+Example response:
+
+```json
+{
+ "message": {
+ "base": [
+ "finding is not found or is already attached to a vulnerability"
+ ]
+ }
+}
+```
View Lorry Controller Status