---
stage: Secure
group: Threat Insights
info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments
---
# Vulnerability export API **(ULTIMATE)**
> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/197494) in GitLab 12.10. [Updated](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/30397) in GitLab 13.0.
WARNING:
This API is in an [Alpha](../policy/alpha-beta-support.md#alpha-features) stage and considered unstable.
The response payload may be subject to change or breakage
across GitLab releases.

Every API call to vulnerability exports must be [authenticated](index.md#authentication).
## Create a project-level vulnerability export
Creates a new vulnerability export for a project.
Vulnerability export permissions inherit permissions from their project. If a project is
private and a user isn't a member of the project to which the vulnerability
belongs, requests to that project return a `404 Not Found` status code.
Vulnerability exports can only be accessed by the export's author.
If an authenticated user doesn't have permission to
[create a new vulnerability](../user/permissions.md#project-members-permissions),
this request results in a `403` status code.
```plaintext
POST /security/projects/:id/vulnerability_exports
```
| Attribute | Type | Required | Description |
| ------------------- | ----------------- | ---------- | -----------------------------------------------------------------------------------------------------------------------------|
| `id` | integer or string | yes | The ID or [URL-encoded path](index.md#namespaced-path-encoding) of the project which the authenticated user is a member of |
```shell
curl --request POST --header "PRIVATE-TOKEN: <your_access_token>" "https://gitlab.example.com/api/v4/security/projects/1/vulnerability_exports"
```
The created vulnerability export is automatically deleted after 1 hour.
Example response:
```json
{
"id": 2,
"created_at": "2020-03-30T09:35:38.746Z",
"project_id": 1,
"group_id": null,
"format": "csv",
"status": "created",
"started_at": null,
"finished_at": null,
"_links": {
"self": "https://gitlab.example.com/api/v4/security/vulnerability_exports/2",
"download": "https://gitlab.example.com/api/v4/security/vulnerability_exports/2/download"
}
}
```
## Create a group-level vulnerability export
Creates a new vulnerability export for a group.
Vulnerability export permissions inherit permissions from their group. If a group is
private and a user isn't a member of the group to which the vulnerability
belongs, requests to that group return a `404 Not Found` status code.
Vulnerability exports can only be accessed by the export's author.
If an authenticated user doesn't have permission to
[create a new vulnerability](../user/permissions.md#group-members-permissions),
this request results in a `403` status code.
```plaintext
POST /security/groups/:id/vulnerability_exports
```
| Attribute | Type | Required | Description |
| ------------------- | ----------------- | ---------- | -----------------------------------------------------------------------------------------------------------------------------|
| `id` | integer or string | yes | The ID or [URL-encoded path](index.md#namespaced-path-encoding) of the group which the authenticated user is a member of |
```shell
curl --request POST --header "PRIVATE-TOKEN: <your_access_token>" "https://gitlab.example.com/api/v4/security/groups/1/vulnerability_exports"
```
The created vulnerability export is automatically deleted after 1 hour.
Example response:
```json
{
"id": 2,
"created_at": "2020-03-30T09:35:38.746Z",
"project_id": null,
"group_id": 1,
"format": "csv",
"status": "created",
"started_at": null,
"finished_at": null,
"_links": {
"self": "https://gitlab.example.com/api/v4/security/vulnerability_exports/2",
"download": "https://gitlab.example.com/api/v4/security/vulnerability_exports/2/download"
}
}
```
## Create an instance-level vulnerability export
Creates a new vulnerability export for the projects of the user selected in the Security Dashboard.
```plaintext
POST /security/vulnerability_exports
```
```shell
curl --request POST --header "PRIVATE-TOKEN: <your_access_token>" "https://gitlab.example.com/api/v4/security/vulnerability_exports"
```
The created vulnerability export is automatically deleted after one hour.
Example response:
```json
{
"id": 2,
"created_at": "2020-03-30T09:35:38.746Z",
"project_id": null,
"group_id": null,
"format": "csv",
"status": "created",
"started_at": null,
"finished_at": null,
"_links": {
"self": "https://gitlab.example.com/api/v4/security/vulnerability_exports/2",
"download": "https://gitlab.example.com/api/v4/security/vulnerability_exports/2/download"
}
}
```
## Get single vulnerability export
Gets a single vulnerability export.
```plaintext
GET /security/vulnerability_exports/:id
```
| Attribute | Type | Required | Description |
| --------- | ---- | -------- | ----------- |
| `id` | integer or string | yes | The vulnerability export's ID |
```shell
curl --header "PRIVATE-TOKEN: <your_access_token>" "https://gitlab.example.com/api/v4/security/vulnerability_exports/2"
```
If the vulnerability export isn't finished, the response is `202 Accepted`.
Example response:
```json
{
"id": 2,
"created_at": "2020-03-30T09:35:38.746Z",
"project_id": 1,
"group_id": null,
"format": "csv",
"status": "finished",
"started_at": "2020-03-30T09:36:54.469Z",
"finished_at": "2020-03-30T09:36:55.008Z",
"_links": {
"self": "https://gitlab.example.com/api/v4/security/vulnerability_exports/2",
"download": "https://gitlab.example.com/api/v4/security/vulnerability_exports/2/download"
}
}
```
## Download vulnerability export
Downloads a single vulnerability export.
```plaintext
GET /security/vulnerability_exports/:id/download
```
| Attribute | Type | Required | Description |
| --------- | ---- | -------- | ----------- |
| `id` | integer or string | yes | The vulnerability export's ID |
```shell
curl --header "PRIVATE-TOKEN: <your_access_token>" "https://gitlab.example.com/api/v4/security/vulnerability_exports/2/download"
```
The response is `404 Not Found` if the vulnerability export is not finished yet or was not found.
Example response:
```csv
Group Name,Project Name,Tool,Scanner Name,Status,Vulnerability,Details,Additional Info,Severity,CVE,CWE,Other Identifiers
Gitlab.org,Defend,container_scanning,Trivy,detected,CVE-2017-16997 in glibc,,CVE-2017-16997 in glibc,critical,CVE-2017-16997
Gitlab.org,Defend,container_scanning,Trivy,detected,CVE-2017-18269 in glibc,,CVE-2017-18269 in glibc,critical,CVE-2017-18269
Gitlab.org,Defend,container_scanning,Trivy,detected,CVE-2018-1000001 in glibc,,CVE-2018-1000001 in glibc,high,CVE-2018-1000001
Gitlab.org,Defend,container_scanning,Trivy,detected,CVE-2016-10228 in glibc,,CVE-2016-10228 in glibc,medium,CVE-2016-10228
Gitlab.org,Defend,container_scanning,Trivy,detected,CVE-2010-4052 in glibc,,CVE-2010-4052 in glibc,low,CVE-2010-4052
Gitlab.org,Defend,container_scanning,Trivy,detected,CVE-2018-18520 in elfutils,,CVE-2018-18520 in elfutils,low,CVE-2018-18520
Gitlab.org,Defend,container_scanning,Trivy,detected,CVE-2018-16869 in nettle,,CVE-2018-16869 in nettle,unknown,CVE-2018-16869,CWE-1
Gitlab.org,Defend,dependency_scanning,Gemnasium,detected,Regular Expression Denial of Service in debug,,Regular Expression Denial of Service in debug,unknown,CVE-2021-1234,CWE-2,"""yarn.lock:debug:gemnasium:37283ed4-0380-40d7-ada7-2d994afcc62a"""
Gitlab.org,Defend,dependency_scanning,Gemnasium,detected,Authentication bypass via incorrect DOM traversal and canonicalization in saml2-js,,Authentication bypass via incorrect DOM traversal and canonicalization in saml2-js,unknown,,,"""yarn.lock:saml2-js:gemnasium:9952e574-7b5b-46fa-a270-aeb694198a98"""
Gitlab.org,Defend,sast,Find Security Bugs,detected,Predictable pseudorandom number generator,,Predictable pseudorandom number generator,medium,,,"""818bf5dacb291e15d9e6dc3c5ac32178:PREDICTABLE_RANDOM:src/main/java/com/gitlab/security_products/tests/App.java:47"""
Gitlab.org,Defend,sast,Find Security Bugs,detected,Cipher with no integrity,,Cipher with no integrity,medium,,,"""e6449b89335daf53c0db4c0219bc1634:CIPHER_INTEGRITY:src/main/java/com/gitlab/security_products/tests/App.java:29"""
Gitlab.org,Defend,sast,Find Security Bugs,detected,Predictable pseudorandom number generator,,Predictable pseudorandom number generator,medium,,,"""e8ff1d01f74cd372f78da8f5247d3e73:PREDICTABLE_RANDOM:src/main/java/com/gitlab/security_products/tests/App.java:41"""
Gitlab.org,Defend,sast,Find Security Bugs,detected,ECB mode is insecure,,ECB mode is insecure,medium,,,"""ea0f905fc76f2739d5f10a1fd1e37a10:ECB_MODE:src/main/java/com/gitlab/security_products/tests/App.java:29"""
```
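
The create, status and download endpoints above chained into one client workflow, with each documented status code (`403`, `404`, `202`) handled explicitly. This is an added example, not part of GitLab's documentation; the function names, the injectable `fetch` and `sleep` parameters, the polling limit, and treating any 2xx as a successful create are assumptions.

```python
import json
import time
import urllib.error
import urllib.parse
import urllib.request

API = "https://gitlab.example.com/api/v4"  # placeholder host from this page

def http(method, url, token):
    """Return (status, body); HTTP error statuses are returned, not raised."""
    req = urllib.request.Request(url, method=method, headers={"PRIVATE-TOKEN": token})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def export_project_csv(project, token, fetch=http, sleep=time.sleep, max_polls=60):
    """Create a project-level export, wait until finished, return CSV bytes."""
    # A namespaced path such as "group/project" must be URL-encoded.
    pid = urllib.parse.quote(str(project), safe="")
    status, body = fetch(
        "POST", f"{API}/security/projects/{pid}/vulnerability_exports", token)
    if status == 404:
        raise PermissionError("project is private or not visible to this user")
    if status == 403:
        raise PermissionError("user may not create vulnerability exports")
    if not 200 <= status < 300:  # assumption: any 2xx means created
        raise RuntimeError(f"create failed with HTTP {status}")
    # Build URLs from the numeric id, so the token is only ever sent to API.
    export_url = f"{API}/security/vulnerability_exports/{int(json.loads(body)['id'])}"

    for _ in range(max_polls):
        status, _body = fetch("GET", export_url, token)
        if status == 200:        # export finished
            break
        if status != 202:        # 202 Accepted means not finished yet
            raise RuntimeError(f"status check failed with HTTP {status}")
        sleep(5)
    else:
        raise TimeoutError("export did not finish within the polling budget")

    status, body = fetch("GET", f"{export_url}/download", token)
    if status == 404:            # not finished, not found, or already deleted
        raise LookupError("export not available for download")
    if status != 200:
        raise RuntimeError(f"download failed with HTTP {status}")
    return body
```

Because exports are deleted after one hour and are readable only by their author, download with the same token that created the export and store the CSV with the same access restrictions as the project's vulnerability data.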