summaryrefslogtreecommitdiff
path: root/doc/api/vulnerability_exports.md
blob: e4853920cab242d4c362aeb45ab9be31bcd8b042 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
---
stage: Secure
group: Threat Insights
info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments
---

# Vulnerability export API **(ULTIMATE)**

> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/197494) in [GitLab Ultimate](https://about.gitlab.com/pricing/) 12.10. [Updated](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/30397) in [GitLab Ultimate](https://about.gitlab.com/pricing/) 13.0.

WARNING:
This API is in an alpha stage and considered unstable.
The response payload may be subject to change or breakage
across GitLab releases.

Every API call to vulnerability exports must be [authenticated](README.md#authentication).

## Create a project-level vulnerability export

Creates a new vulnerability export for a project.

Vulnerability export permissions inherit permissions from their project. If a project is
private and a user isn't a member of the project to which the vulnerability
belongs, requests to that project return a `404 Not Found` status code.
Vulnerability exports can be only accessed by the export's author.

If an authenticated user doesn't have permission to
[create a new vulnerability](../user/permissions.md#project-members-permissions),
this request results in a `403` status code.

```plaintext
POST /security/projects/:id/vulnerability_exports
```

| Attribute           | Type              | Required   | Description                                                                                                                  |
| ------------------- | ----------------- | ---------- | -----------------------------------------------------------------------------------------------------------------------------|
| `id`                | integer or string | yes        | The ID or [URL-encoded path](README.md#namespaced-path-encoding) of the project which the authenticated user is a member of |

```shell
curl --header POST "PRIVATE-TOKEN: <your_access_token>" "https://gitlab.example.com/api/v4/projects/1/vulnerability_exports"
```

The created vulnerability export is automatically deleted after 1 hour.

Example response:

```json
{
  "id": 2,
  "created_at": "2020-03-30T09:35:38.746Z",
  "project_id": 1,
  "group_id": null,
  "format": "csv",
  "status": "created",
  "started_at": null,
  "finished_at": null,
  "_links": {
    "self": "https://gitlab.example.com/api/v4/security/vulnerability_exports/2",
    "download": "https://gitlab.example.com/api/v4/security/vulnerability_exports/2/download"
  }
}
```

## Create a group-level vulnerability export

Creates a new vulnerability export for a group.

Vulnerability export permissions inherit permissions from their group. If a group is
private and a user isn't a member of the group to which the vulnerability
belongs, requests to that group return a `404 Not Found` status code.
Vulnerability exports can be only accessed by the export's author.

If an authenticated user doesn't have permission to
[create a new vulnerability](../user/permissions.md#group-members-permissions),
this request results in a `403` status code.

```plaintext
POST /security/groups/:id/vulnerability_exports
```

| Attribute           | Type              | Required   | Description                                                                                                                  |
| ------------------- | ----------------- | ---------- | -----------------------------------------------------------------------------------------------------------------------------|
| `id`                | integer or string | yes        | The ID or [URL-encoded path](README.md#namespaced-path-encoding) of the group which the authenticated user is a member of |

```shell
curl --header POST "PRIVATE-TOKEN: <your_access_token>" "https://gitlab.example.com/api/v4/security/groups/1/vulnerability_exports"
```

The created vulnerability export is automatically deleted after 1 hour.

Example response:

```json
{
  "id": 2,
  "created_at": "2020-03-30T09:35:38.746Z",
  "project_id": null,
  "group_id": 1,
  "format": "csv",
  "status": "created",
  "started_at": null,
  "finished_at": null,
  "_links": {
    "self": "https://gitlab.example.com/api/v4/security/vulnerability_exports/2",
    "download": "https://gitlab.example.com/api/v4/security/vulnerability_exports/2/download"
  }
}
```

## Create an instance-level vulnerability export

Creates a new vulnerability export for the projects of the user selected in the Security Dashboard.

```plaintext
POST /security/vulnerability_exports
```

```shell
curl --header POST "PRIVATE-TOKEN: <your_access_token>" "https://gitlab.example.com/api/v4/security/vulnerability_exports"
```

The created vulnerability export is automatically deleted after one hour.

Example response:

```json
{
  "id": 2,
  "created_at": "2020-03-30T09:35:38.746Z",
  "project_id": null,
  "group_id": null,
  "format": "csv",
  "status": "created",
  "started_at": null,
  "finished_at": null,
  "_links": {
    "self": "https://gitlab.example.com/api/v4/security/vulnerability_exports/2",
    "download": "https://gitlab.example.com/api/v4/security/vulnerability_exports/2/download"
  }
}
```

## Get single vulnerability export

Gets a single vulnerability export.

```plaintext
GET /security/vulnerability_exports/:id
```

| Attribute | Type | Required | Description |
| --------- | ---- | -------- | ----------- |
| `id` | integer or string | yes | The vulnerability export's ID |

```shell
curl --header "PRIVATE-TOKEN: <your_access_token>" "https://gitlab.example.com/api/v4/security/vulnerability_exports/2"
```

If the vulnerability export isn't finished, the response is `202 Accepted`.

Example response:

```json
{
  "id": 2,
  "created_at": "2020-03-30T09:35:38.746Z",
  "project_id": 1,
  "group_id": null,
  "format": "csv",
  "status": "finished",
  "started_at": "2020-03-30T09:36:54.469Z",
  "finished_at": "2020-03-30T09:36:55.008Z",
  "_links": {
    "self": "https://gitlab.example.com/api/v4/security/vulnerability_exports/2",
    "download": "https://gitlab.example.com/api/v4/security/vulnerability_exports/2/download"
  }
}
```

## Download vulnerability export

Downloads a single vulnerability export.

```plaintext
GET /security/vulnerability_exports/:id/download
```

| Attribute | Type | Required | Description |
| --------- | ---- | -------- | ----------- |
| `id` | integer or string | yes | The vulnerability export's ID |

```shell
curl --header "PRIVATE-TOKEN: <your_access_token>" "https://gitlab.example.com/api/v4/security/vulnerability_exports/2/download"
```

The response is `404 Not Found` if the vulnerability export is not finished yet or was not found.

Example response:

```csv
Group Name,Project Name,Scanner Type,Scanner Name,Status,Vulnerability,Details,Additional Info,Severity,CVE,CWE,Other Identifiers
Gitlab.org,Defend,container_scanning,Clair,detected,CVE-2017-16997 in glibc,,CVE-2017-16997 in glibc,critical,CVE-2017-16997
Gitlab.org,Defend,container_scanning,Clair,detected,CVE-2017-18269 in glibc,,CVE-2017-18269 in glibc,critical,CVE-2017-18269
Gitlab.org,Defend,container_scanning,Clair,detected,CVE-2018-1000001 in glibc,,CVE-2018-1000001 in glibc,high,CVE-2018-1000001
Gitlab.org,Defend,container_scanning,Clair,detected,CVE-2016-10228 in glibc,,CVE-2016-10228 in glibc,medium,CVE-2016-10228
Gitlab.org,Defend,container_scanning,Clair,detected,CVE-2010-4052 in glibc,,CVE-2010-4052 in glibc,low,CVE-2010-4052
Gitlab.org,Defend,container_scanning,Clair,detected,CVE-2018-18520 in elfutils,,CVE-2018-18520 in elfutils,low,CVE-2018-18520
Gitlab.org,Defend,container_scanning,Clair,detected,CVE-2018-16869 in nettle,,CVE-2018-16869 in nettle,unknown,CVE-2018-16869,CWE-1
Gitlab.org,Defend,dependency_scanning,Gemnasium,detected,Regular Expression Denial of Service in debug,,Regular Expression Denial of Service in debug,unknown,CVE-2021-1234,CWE-2,"""yarn.lock:debug:gemnasium:37283ed4-0380-40d7-ada7-2d994afcc62a"""
Gitlab.org,Defend,dependency_scanning,Gemnasium,detected,Authentication bypass via incorrect DOM traversal and canonicalization in saml2-js,,Authentication bypass via incorrect DOM traversal and canonicalization in saml2-js,unknown,,,"""yarn.lock:saml2-js:gemnasium:9952e574-7b5b-46fa-a270-aeb694198a98"""
Gitlab.org,Defend,sast,Find Security Bugs,detected,Predictable pseudorandom number generator,,Predictable pseudorandom number generator,medium,,,"""818bf5dacb291e15d9e6dc3c5ac32178:PREDICTABLE_RANDOM:src/main/java/com/gitlab/security_products/tests/App.java:47"""
Gitlab.org,Defend,sast,Find Security Bugs,detected,Cipher with no integrity,,Cipher with no integrity,medium,,,"""e6449b89335daf53c0db4c0219bc1634:CIPHER_INTEGRITY:src/main/java/com/gitlab/security_products/tests/App.java:29"""
Gitlab.org,Defend,sast,Find Security Bugs,detected,Predictable pseudorandom number generator,,Predictable pseudorandom number generator,medium,,,"""e8ff1d01f74cd372f78da8f5247d3e73:PREDICTABLE_RANDOM:src/main/java/com/gitlab/security_products/tests/App.java:41"""
Gitlab.org,Defend,sast,Find Security Bugs,detected,ECB mode is insecure,,ECB mode is insecure,medium,,,"""ea0f905fc76f2739d5f10a1fd1e37a10:ECB_MODE:src/main/java/com/gitlab/security_products/tests/App.java:29"""
```