Diffstat (limited to 'doc/api/vulnerability_findings.md')
-rw-r--r--doc/api/vulnerability_findings.md210
1 files changed, 117 insertions, 93 deletions
diff --git a/doc/api/vulnerability_findings.md b/doc/api/vulnerability_findings.md
index a031e07fddf..05ae42d9100 100644
--- a/doc/api/vulnerability_findings.md
+++ b/doc/api/vulnerability_findings.md
@@ -142,63 +142,81 @@ To prepare for the [upcoming deprecation](https://gitlab.com/groups/gitlab-org/-
the Vulnerability Findings REST API endpoint, use the examples below to perform the equivalent operations
with the GraphQL API.
-### GraphQL - Project vulnerabilities
+### GraphQL - Project vulnerability findings
-Use [`Project.vulnerabilities`](graphql/reference/index.md#projectvulnerabilities).
+Use [`Pipeline.securityReportFindings`](graphql/reference/index.md#pipelinesecurityreportfindings).
```graphql
-{
- project(fullPath: "root/security-reports") {
- vulnerabilities {
- nodes{
- id
- reportType
- title
- severity
- scanner {
- externalId
- name
- vendor
- }
- identifiers {
- externalType
- externalId
- name
- url
- }
- falsePositive
- project {
- id
- name
- fullPath
- }
- description
- links {
- name
- url
- }
- location {
- ... on
- VulnerabilityLocationSast {
- file
- startLine
- endLine
- vulnerableClass
- vulnerableMethod
- blobPath
- }
- }
- details {
- ... on
- VulnerabilityDetailCode {
+query VulnerabilityFindings {
+ project(fullPath: "gitlab-examples/security/security-reports") {
+ pipelines(first:1) {
+ nodes {
+ securityReportFindings(first:1) {
+ nodes {
+ title
+ severity
+ state
+ scanner {
+ externalId
+ name
+ vendor
+ }
+ identifiers {
+ externalType
+ externalId
+ name
+ url
+ }
+ uuid
+ falsePositive
description
- fieldName
- lang
- name
- value
+ location {
+ ... on VulnerabilityLocationSast {
+ file
+ startLine
+ endLine
+ vulnerableClass
+ vulnerableMethod
+ blobPath
+ }
+
+ ... on VulnerabilityLocationContainerScanning {
+ dependency {
+ package {
+ name
+ }
+ version
+ }
+ image
+ operatingSystem
+ }
+
+ ... on VulnerabilityLocationDependencyScanning {
+ file
+ blobPath
+ dependency {
+ version
+ }
+ }
+ }
+ remediations {
+ diff
+ summary
+ }
+ solution
+ evidence {
+ request {
+ body
+ headers {
+ name
+ value
+ }
+ method
+ url
+ }
+ }
}
}
- state
}
}
}
@@ -211,50 +229,56 @@ Example response:
{
"data": {
"project": {
- "vulnerabilities": {
+ "pipelines": {
"nodes": [
{
- "id": "gid://gitlab/Vulnerability/236",
- "reportType": "SAST",
- "title": "Generic Object Injection Sink",
- "severity": "CRITICAL",
- "scanner": {
- "externalId": "eslint",
- "name": "ESLint",
- "vendor": "GitLab"
- },
- "identifiers": [
- {
- "externalType": "eslint_rule_id",
- "externalId": "security/detect-object-injection",
- "name": "ESLint rule ID security/detect-object-injection",
- "url": "https://github.com/nodesecurity/eslint-plugin-security#detect-object-injection"
- },
- {
- "externalType": "cwe",
- "externalId": "94",
- "name": "CWE-94",
- "url": "https://cwe.mitre.org/data/definitions/94.html"
- }
- ],
- "falsePositive": false,
- "project": {
- "id": "gid://gitlab/Project/20",
- "name": "Security Reports",
- "fullPath": "root/security-reports"
- },
- "description": "Bracket object notation with user input is present, this might allow an attacker to access all properties of the object and even it's prototype, leading to possible code execution.",
- "links": [],
- "location": {
- "file": "src/js/main.js",
- "startLine": "28",
- "endLine": "28",
- "vulnerableClass": null,
- "vulnerableMethod": null,
- "blobPath": "/root/security-reports/-/blob/91031428a5b5dbb81e8d889738b1875c1bfea787/src/js/main.js"
- },
- "details": [],
- "state": "DETECTED"
+ "securityReportFindings": {
+ "nodes": [
+ {
+ "title": "Deserialization of Untrusted Data",
+ "severity": "CRITICAL",
+ "state": "CONFIRMED",
+ "scanner": {
+ "externalId": "gemnasium",
+ "name": "Gemnasium",
+ "vendor": "GitLab"
+ },
+ "identifiers": [
+ {
+ "externalType": "gemnasium",
+ "externalId": "b60c2d6b-9083-4a97-a1b2-f7dc79bff74c",
+ "name": "Gemnasium-b60c2d6b-9083-4a97-a1b2-f7dc79bff74c",
+ "url": "https://gitlab.com/gitlab-org/security-products/gemnasium-db/-/blob/master/gem/activerecord/CVE-2022-32224.yml"
+ },
+ {
+ "externalType": "cve",
+ "externalId": "CVE-2022-32224",
+ "name": "CVE-2022-32224",
+ "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32224"
+ },
+ {
+ "externalType": "ghsa",
+ "externalId": "GHSA-3hhc-qp5v-9p2j",
+ "name": "GHSA-3hhc-qp5v-9p2j",
+ "url": "https://github.com/advisories/GHSA-3hhc-qp5v-9p2j"
+ }
+ ],
+ "uuid": "c9e40395-72cd-54f5-962f-e1d52c0dffab",
+ "falsePositive": false,
+ "description": "A possible escalation to RCE vulnerability exists when using YAML serialized columns in Active Record < 7.0.3.1, <6.1.6.1, <6.0.5.1 and <5.2.8.1 which could allow an attacker, that can manipulate data in the database (via means like SQL injection), the ability to escalate to an RCE.",
+ "location": {
+ "file": "dependency-scanning-files/Gemfile.lock",
+ "blobPath": null,
+ "dependency": {
+ "version": "5.0.0"
+ }
+ },
+ "remediations": [],
+ "solution": "Upgrade to versions 5.2.8.1, 6.0.5.1, 6.1.6.1, 7.0.3.1 or above.",
+ "evidence": null
+ }
+ ]
+ }
}
]
}