Add latest changes from gitlab-org/gitlab@master
parent 3ef9553486
commit ebc7110bd9
@ -609,7 +609,8 @@ Alternatively, you can use the variable `SECURE_ANALYZERS_PREFIX` to override th
## Reports
The DAST job can emit various reports.
The DAST tool outputs a report file in JSON format by default. However, this tool can also generate reports in
Markdown, HTML, and XML. For more information, see the [schema for DAST reports](https://gitlab.com/gitlab-org/security-products/security-report-schemas/-/blob/master/dist/dast-report-format.json).
### List of URLs scanned
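Review bot: The sentence `The DAST job can emit various reports.` and the paragraph right after it say the same thing twice, and that paragraph's `For more information, see the [schema for DAST reports]` link points at a JSON schema although the sentence before it is about Markdown, HTML, and XML output. Suggest merging the two into one paragraph and scoping the link to the JSON format, for example `The DAST tool outputs a JSON report by default and can also produce Markdown, HTML, and XML reports. The JSON format is described by the [schema for DAST reports](same link).`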
@ -346,11 +346,10 @@ analyzer containers: `DOCKER_`, `CI`, `GITLAB_`, `FF_`, `HOME`, `PWD`, `OLDPWD`,
## Reports JSON format
CAUTION: **Caution:**
The JSON report artifacts are not a public API of SAST and their format may change in the future.
The SAST tool emits a JSON report file. For more information, see the
[schema for this report](https://gitlab.com/gitlab-org/security-products/security-report-schemas/-/blob/master/dist/sast-report-format.json).
The SAST tool emits a JSON report file. Here is an example of the report structure with all important parts of
it highlighted:
Here's an example SAST report:
```json-doc
{
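Review bot: The hunk shows two introductions to the same example, `The SAST tool emits a JSON report file. Here is an example of the report structure with all important parts of it highlighted:` and `Here's an example SAST report:`; if both survive this change, the section repeats `The SAST tool emits a JSON report file.` in consecutive paragraphs (it already opens the paragraph that carries the schema link), so keep only the shorter `Here's an example SAST report:` line. The `all important parts of it highlighted` wording should go in any case, because a plain `json-doc` fence cannot highlight parts of the report. The new `CAUTION: **Caution:**` stating that the JSON artifacts are not a public API belongs next to the schema link as it is here; anyone parsing the report in their own tooling needs to see it before relying on the field layout.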
@ -425,40 +424,6 @@ it highlighted:
}
```
CAUTION: **Deprecation:**
Beginning with GitLab 12.9, SAST no longer reports `undefined` severity and confidence levels.
Here is the description of the report file structure nodes and their meaning. All fields are mandatory in
the report JSON unless stated otherwise. Presence of optional fields depends on the underlying analyzers being used.
| Report JSON node | Function |
|-----------------------------------------|----------|
| `version` | Report syntax version used to generate this JSON. |
| `vulnerabilities` | Array of vulnerability objects. |
| `vulnerabilities[].id` | Unique identifier of the vulnerability. |
| `vulnerabilities[].category` | Where this vulnerability belongs (such as SAST, Dependency Scanning). For SAST, it will always be `sast`. |
| `vulnerabilities[].name` | Name of the vulnerability. Must not include the occurrence's specific information. Optional. |
| `vulnerabilities[].message` | A short text that describes the vulnerability, it may include the occurrence's specific information. Optional. |
| `vulnerabilities[].description` | A long text that describes the vulnerability. Optional. |
| `vulnerabilities[].cve` | (**DEPRECATED - use `vulnerabilities[].id` instead**) A fingerprint string value that represents a concrete occurrence of the vulnerability. It's used to determine whether two vulnerability occurrences are same or different. May not be 100% accurate. **This is NOT a [CVE](https://cve.mitre.org/)**. |
| `vulnerabilities[].severity` | How much the vulnerability impacts the software. Possible values: `Info`, `Unknown`, `Low`, `Medium`, `High`, `Critical`. |
| `vulnerabilities[].confidence` | How reliable the vulnerability's assessment is. Possible values: `Ignore`, `Unknown`, `Experimental`, `Low`, `Medium`, `High`, `Confirmed`. |
| `vulnerabilities[].solution` | Explanation of how to fix the vulnerability. Optional. |
| `vulnerabilities[].scanner` | A node that describes the analyzer used to find this vulnerability. |
| `vulnerabilities[].scanner.id` | ID of the scanner as a snake_case string. |
| `vulnerabilities[].scanner.name` | Name of the scanner, for display purposes. |
| `vulnerabilities[].location` | A node that tells where the vulnerability is located. |
| `vulnerabilities[].location.file` | Path to the file where the vulnerability is located. Optional. |
| `vulnerabilities[].location.start_line` | The first line of the code affected by the vulnerability. Optional. |
| `vulnerabilities[].location.end_line` | The last line of the code affected by the vulnerability. Optional. |
| `vulnerabilities[].location.class` | If specified, provides the name of the class where the vulnerability is located. Optional. |
| `vulnerabilities[].location.method` | If specified, provides the name of the method where the vulnerability is located. Optional. |
| `vulnerabilities[].identifiers` | An ordered array of references that identify a vulnerability on internal or external databases. |
| `vulnerabilities[].identifiers[].type` | Type of the identifier. Possible values: common identifier types (among `cve`, `cwe`, `osvdb`, and `usn`) or analyzer-dependent ones (like `bandit_test_id` for [Bandit analyzer](https://wiki.openstack.org/wiki/Security/Projects/Bandit)). |
| `vulnerabilities[].identifiers[].name` | Name of the identifier for display purposes. |
| `vulnerabilities[].identifiers[].value` | Value of the identifier for matching purposes. |
| `vulnerabilities[].identifiers[].url` | URL to identifier's documentation. Optional. |
## Secret detection
Learn more about [Secret Detection](../secret_detection).
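Review bot: Dropping this table together with the `CAUTION: **Deprecation:**` block removes information that the remaining text covers only by pointing at the schema: the enumerated `severity` values (`Info`, `Unknown`, `Low`, `Medium`, `High`, `Critical`) and `confidence` values (`Ignore` through `Confirmed`), the note that `vulnerabilities[].cve` is deprecated in favour of `vulnerabilities[].id` and is **not** a CVE, and the GitLab 12.9 change that stopped reporting `undefined` severity and confidence. Before merging, confirm that the linked `sast-report-format.json` schema documents those enumerations and the `cve`/`id` relationship; if it does not, keep at least the `cve` deprecation row and the 12.9 caution in prose, because anyone consuming the report to triage or deduplicate findings depends on exactly those fields and values.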