- Vulnerability findings pagination
- List project vulnerability findings
- Replace Vulnerability Findings REST API with GraphQL
Vulnerability Findings API
Introduced in GitLab 12.5.
vulnerabilities
URL part to be
vulnerability_findings
.Every API call to vulnerability findings must be authenticated.
If a user does not have permission to
use the Project Security Dashboard,
any request for vulnerability findings of this project returns a 403 Forbidden
status code.
Vulnerability findings pagination
By default, GET
requests return 20 results at a time because the API results
are paginated.
Read more on pagination.
List project vulnerability findings
List all of a project’s vulnerability findings.
GET /projects/:id/vulnerability_findings
GET /projects/:id/vulnerability_findings?report_type=sast
GET /projects/:id/vulnerability_findings?report_type=container_scanning
GET /projects/:id/vulnerability_findings?report_type=sast,dast
GET /projects/:id/vulnerability_findings?scope=all
GET /projects/:id/vulnerability_findings?scope=dismissed
GET /projects/:id/vulnerability_findings?severity=high
GET /projects/:id/vulnerability_findings?confidence=unknown,experimental
GET /projects/:id/vulnerability_findings?pipeline_id=42
undefined
severity and confidence level is no longer reported.Attribute | Type | Required | Description |
---|---|---|---|
id | integer/string | yes | The ID or URL-encoded path of the project which the authenticated user is a member of. |
report_type | string array | no | Returns vulnerability findings belonging to specified report type. Valid values: sast , dast , dependency_scanning , or container_scanning . Defaults to all. |
scope | string | no | Returns vulnerability findings for the given scope: all or dismissed . Defaults to dismissed . |
severity | string array | no | Returns vulnerability findings belonging to specified severity level: info , unknown , low , medium , high , or critical . Defaults to all. |
confidence | string array | no | Returns vulnerability findings belonging to specified confidence level: ignore , unknown , experimental , low , medium , high , or confirmed . Defaults to all. |
pipeline_id | integer/string | no | Returns vulnerability findings belonging to specified pipeline. |
curl --header "PRIVATE-TOKEN: <your_access_token>" "https://gitlab.example.com/api/v4/projects/4/vulnerability_findings"
Example response:
[
{
"id": null,
"report_type": "sast",
"name": "Possible command injection",
"severity": "high",
"confidence": "high",
"scanner": {
"external_id": "brakeman",
"name": "Brakeman",
"vendor": "GitLab"
},
"identifiers": [
{
"external_type": "brakeman_warning_code",
"external_id": "14",
"name": "Brakeman Warning Code 14",
"url": "https://brakemanscanner.org/docs/warning_types/command_injection/"
}
],
"project_fingerprint": "ac218b1770af030cfeef967752ab803c55afb36d",
"uuid": "ad5e3be3-a193-55f5-a200-bc12865fb09c",
"create_jira_issue_url": null,
"false_positive": true,
"create_vulnerability_feedback_issue_path": "/root/test-false-positive/-/vulnerability_feedback",
"create_vulnerability_feedback_merge_request_path": "/root/test-false-positive/-/vulnerability_feedback",
"create_vulnerability_feedback_dismissal_path": "/root/test-false-positive/-/vulnerability_feedback",
"project": {
"id": 2,
"name": "Test False Positive",
"full_path": "/root/test-false-positive",
"full_name": "Administrator / Test False Positive"
},
"dismissal_feedback": null,
"issue_feedback": null,
"merge_request_feedback": null,
"description": null,
"links": [],
"location": {
"file": "app/controllers/users_controller.rb",
"start_line": 42,
"class": "UsersController",
"method": "list_users"
},
"remediations": [
null
],
"solution": null,
"evidence": null,
"request": null,
"response": null,
"evidence_source": null,
"supporting_messages": [],
"assets": [],
"details": {},
"state": "detected",
"scan": {
"type": "sast",
"status": "success",
"start_time": "2021-09-02T20:55:48",
"end_time": "2021-09-02T20:55:48"
},
"blob_path": "/root/test-false-positive/-/blob/dfd75607752a839bbc9c7362d111effaa470fecd/app/controllers/users_controller.rb#L42"
}
]
Replace Vulnerability Findings REST API with GraphQL
To prepare for the upcoming deprecation of the Vulnerability Findings REST API endpoint, use the examples below to perform the equivalent operations with the GraphQL API.
GraphQL - Project vulnerability findings
Use Pipeline.securityReportFindings
.
query VulnerabilityFindings {
project(fullPath: "gitlab-examples/security/security-reports") {
pipelines(first:1) {
nodes {
securityReportFindings(first:1) {
nodes {
title
severity
state
scanner {
externalId
name
vendor
}
identifiers {
externalType
externalId
name
url
}
uuid
falsePositive
description
location {
... on VulnerabilityLocationSast {
file
startLine
endLine
vulnerableClass
vulnerableMethod
blobPath
}
... on VulnerabilityLocationContainerScanning {
dependency {
package {
name
}
version
}
image
operatingSystem
}
... on VulnerabilityLocationDependencyScanning {
file
blobPath
dependency {
version
}
}
}
remediations {
diff
summary
}
solution
evidence {
request {
body
headers {
name
value
}
method
url
}
}
}
}
}
}
}
}
Example response:
{
"data": {
"project": {
"pipelines": {
"nodes": [
{
"securityReportFindings": {
"nodes": [
{
"title": "Deserialization of Untrusted Data",
"severity": "CRITICAL",
"state": "CONFIRMED",
"scanner": {
"externalId": "gemnasium",
"name": "Gemnasium",
"vendor": "GitLab"
},
"identifiers": [
{
"externalType": "gemnasium",
"externalId": "b60c2d6b-9083-4a97-a1b2-f7dc79bff74c",
"name": "Gemnasium-b60c2d6b-9083-4a97-a1b2-f7dc79bff74c",
"url": "https://gitlab.com/gitlab-org/security-products/gemnasium-db/-/blob/master/gem/activerecord/CVE-2022-32224.yml"
},
{
"externalType": "cve",
"externalId": "CVE-2022-32224",
"name": "CVE-2022-32224",
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32224"
},
{
"externalType": "ghsa",
"externalId": "GHSA-3hhc-qp5v-9p2j",
"name": "GHSA-3hhc-qp5v-9p2j",
"url": "https://github.com/advisories/GHSA-3hhc-qp5v-9p2j"
}
],
"uuid": "c9e40395-72cd-54f5-962f-e1d52c0dffab",
"falsePositive": false,
"description": "A possible escalation to RCE vulnerability exists when using YAML serialized columns in Active Record < 7.0.3.1, <6.1.6.1, <6.0.5.1 and <5.2.8.1 which could allow an attacker, that can manipulate data in the database (via means like SQL injection), the ability to escalate to an RCE.",
"location": {
"file": "dependency-scanning-files/Gemfile.lock",
"blobPath": null,
"dependency": {
"version": "5.0.0"
}
},
"remediations": [],
"solution": "Upgrade to versions 5.2.8.1, 6.0.5.1, 6.1.6.1, 7.0.3.1 or above.",
"evidence": null
}
]
}
}
]
}
}
}
}