2019-09-30 21:07:59 +05:30
|
|
|
# Vulnerabilities API **(ULTIMATE)**
|
2019-09-04 21:01:54 +05:30
|
|
|
|
2020-06-23 00:09:42 +05:30
|
|
|
> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/10242) in [GitLab Ultimate](https://about.gitlab.com/pricing/) 12.6.
|
2020-04-22 19:07:51 +05:30
|
|
|
|
|
|
|
NOTE: **Note:**
|
|
|
|
The former Vulnerabilities API was renamed to Vulnerability Findings API
|
|
|
|
and its documentation was moved to [a different location](vulnerability_findings.md).
|
|
|
|
This document now describes the new Vulnerabilities API that provides access to
|
2020-10-24 23:57:45 +05:30
|
|
|
[Vulnerabilities](https://gitlab.com/groups/gitlab-org/-/epics/634).
|
2020-04-22 19:07:51 +05:30
|
|
|
|
|
|
|
CAUTION: **Caution:**
|
|
|
|
This API is in an alpha stage and considered unstable.
|
|
|
|
The response payload may be subject to change or breakage
|
|
|
|
across GitLab releases.
|
|
|
|
|
|
|
|
Every API call to vulnerabilities must be [authenticated](README.md#authentication).
|
|
|
|
|
|
|
|
Vulnerability permissions inherit permissions from their project. If a project is
|
|
|
|
private, and a user isn't a member of the project to which the vulnerability
|
|
|
|
belongs, requests to that project will return a `404 Not Found` status code.
|
|
|
|
|
|
|
|
## Single vulnerability
|
|
|
|
|
|
|
|
Gets a single vulnerability
|
|
|
|
|
|
|
|
```plaintext
|
|
|
|
GET /vulnerabilities/:id
|
|
|
|
```
|
|
|
|
|
|
|
|
| Attribute | Type | Required | Description |
|
|
|
|
| --------- | ---- | -------- | ----------- |
|
|
|
|
| `id` | integer or string | yes | The ID of a Vulnerability to get |
|
|
|
|
|
|
|
|
```shell
|
2020-06-23 00:09:42 +05:30
|
|
|
curl --header "PRIVATE-TOKEN: <your_access_token>" "https://gitlab.example.com/api/v4/vulnerabilities/1"
|
2020-04-22 19:07:51 +05:30
|
|
|
```
|
|
|
|
|
|
|
|
Example response:
|
|
|
|
|
|
|
|
```json
|
|
|
|
{
|
|
|
|
"id": 1,
|
|
|
|
"title": "Predictable pseudorandom number generator",
|
|
|
|
"description": null,
|
|
|
|
"state": "opened",
|
|
|
|
"severity": "medium",
|
|
|
|
"confidence": "medium",
|
|
|
|
"report_type": "sast",
|
|
|
|
"project": {
|
|
|
|
"id": 32,
|
|
|
|
"name": "security-reports",
|
|
|
|
"full_path": "/gitlab-examples/security/security-reports",
|
|
|
|
"full_name": "gitlab-examples / security / security-reports"
|
|
|
|
},
|
|
|
|
"author_id": 1,
|
|
|
|
"updated_by_id": null,
|
|
|
|
"last_edited_by_id": null,
|
|
|
|
"closed_by_id": null,
|
|
|
|
"start_date": null,
|
|
|
|
"due_date": null,
|
|
|
|
"created_at": "2019-10-13T15:08:40.219Z",
|
|
|
|
"updated_at": "2019-10-13T15:09:40.382Z",
|
|
|
|
"last_edited_at": null,
|
|
|
|
"closed_at": null
|
|
|
|
}
|
|
|
|
```
|
|
|
|
|
|
|
|
## Confirm vulnerability
|
|
|
|
|
|
|
|
Confirms a given vulnerability. Returns status code `304` if the vulnerability is already confirmed.
|
|
|
|
|
|
|
|
If an authenticated user does not have permission to
|
|
|
|
[confirm vulnerabilities](../user/permissions.md#project-members-permissions),
|
|
|
|
this request will result in a `403` status code.
|
|
|
|
|
|
|
|
```plaintext
|
|
|
|
POST /vulnerabilities/:id/confirm
|
|
|
|
```
|
|
|
|
|
|
|
|
| Attribute | Type | Required | Description |
|
|
|
|
| --------- | ---- | -------- | ----------- |
|
|
|
|
| `id` | integer or string | yes | The ID of a vulnerability to confirm |
|
|
|
|
|
|
|
|
```shell
|
|
|
|
curl --request POST --header "PRIVATE-TOKEN: <your_access_token>" "https://gitlab.example.com/api/v4/vulnerabilities/5/confirm"
|
|
|
|
```
|
|
|
|
|
|
|
|
Example response:
|
|
|
|
|
|
|
|
```json
|
|
|
|
{
|
|
|
|
"id": 2,
|
|
|
|
"title": "Predictable pseudorandom number generator",
|
|
|
|
"description": null,
|
|
|
|
"state": "confirmed",
|
|
|
|
"severity": "medium",
|
|
|
|
"confidence": "medium",
|
|
|
|
"report_type": "sast",
|
|
|
|
"project": {
|
|
|
|
"id": 32,
|
|
|
|
"name": "security-reports",
|
|
|
|
"full_path": "/gitlab-examples/security/security-reports",
|
|
|
|
"full_name": "gitlab-examples / security / security-reports"
|
|
|
|
},
|
|
|
|
"author_id": 1,
|
|
|
|
"updated_by_id": null,
|
|
|
|
"last_edited_by_id": null,
|
|
|
|
"closed_by_id": null,
|
|
|
|
"start_date": null,
|
|
|
|
"due_date": null,
|
|
|
|
"created_at": "2019-10-13T15:08:40.219Z",
|
|
|
|
"updated_at": "2019-10-13T15:09:40.382Z",
|
|
|
|
"last_edited_at": null,
|
|
|
|
"closed_at": null
|
|
|
|
}
|
|
|
|
```
|
|
|
|
|
|
|
|
## Resolve vulnerability
|
|
|
|
|
|
|
|
Resolves a given vulnerability. Returns status code `304` if the vulnerability is already resolved.
|
|
|
|
|
|
|
|
If an authenticated user does not have permission to
|
|
|
|
[resolve vulnerabilities](../user/permissions.md#project-members-permissions),
|
|
|
|
this request will result in a `403` status code.
|
|
|
|
|
|
|
|
```plaintext
|
|
|
|
POST /vulnerabilities/:id/resolve
|
|
|
|
```
|
|
|
|
|
|
|
|
| Attribute | Type | Required | Description |
|
|
|
|
| --------- | ---- | -------- | ----------- |
|
|
|
|
| `id` | integer or string | yes | The ID of a Vulnerability to resolve |
|
|
|
|
|
|
|
|
```shell
|
|
|
|
curl --request POST --header "PRIVATE-TOKEN: <your_access_token>" "https://gitlab.example.com/api/v4/vulnerabilities/5/resolve"
|
|
|
|
```
|
|
|
|
|
|
|
|
Example response:
|
|
|
|
|
|
|
|
```json
|
|
|
|
{
|
|
|
|
"id": 2,
|
|
|
|
"title": "Predictable pseudorandom number generator",
|
|
|
|
"description": null,
|
|
|
|
"state": "resolved",
|
|
|
|
"severity": "medium",
|
|
|
|
"confidence": "medium",
|
|
|
|
"report_type": "sast",
|
|
|
|
"project": {
|
|
|
|
"id": 32,
|
|
|
|
"name": "security-reports",
|
|
|
|
"full_path": "/gitlab-examples/security/security-reports",
|
|
|
|
"full_name": "gitlab-examples / security / security-reports"
|
|
|
|
},
|
|
|
|
"author_id": 1,
|
|
|
|
"updated_by_id": null,
|
|
|
|
"last_edited_by_id": null,
|
|
|
|
"closed_by_id": null,
|
|
|
|
"start_date": null,
|
|
|
|
"due_date": null,
|
|
|
|
"created_at": "2019-10-13T15:08:40.219Z",
|
|
|
|
"updated_at": "2019-10-13T15:09:40.382Z",
|
|
|
|
"last_edited_at": null,
|
|
|
|
"closed_at": null
|
|
|
|
}
|
|
|
|
```
|
|
|
|
|
|
|
|
## Dismiss vulnerability
|
|
|
|
|
|
|
|
Dismisses a given vulnerability. Returns status code `304` if the vulnerability is already dismissed.
|
|
|
|
|
|
|
|
If an authenticated user does not have permission to
|
|
|
|
[dismiss vulnerabilities](../user/permissions.md#project-members-permissions),
|
|
|
|
this request will result in a `403` status code.
|
|
|
|
|
|
|
|
```plaintext
|
|
|
|
POST /vulnerabilities/:id/dismiss
|
|
|
|
```
|
|
|
|
|
|
|
|
| Attribute | Type | Required | Description |
|
|
|
|
| --------- | ---- | -------- | ----------- |
|
|
|
|
| `id` | integer or string | yes | The ID of a vulnerability to dismiss |
|
|
|
|
|
|
|
|
```shell
|
|
|
|
curl --request POST --header "PRIVATE-TOKEN: <your_access_token>" "https://gitlab.example.com/api/v4/vulnerabilities/5/dismiss"
|
|
|
|
```
|
|
|
|
|
|
|
|
Example response:
|
|
|
|
|
|
|
|
```json
|
|
|
|
{
|
|
|
|
"id": 2,
|
|
|
|
"title": "Predictable pseudorandom number generator",
|
|
|
|
"description": null,
|
|
|
|
"state": "closed",
|
|
|
|
"severity": "medium",
|
|
|
|
"confidence": "medium",
|
|
|
|
"report_type": "sast",
|
|
|
|
"project": {
|
|
|
|
"id": 32,
|
|
|
|
"name": "security-reports",
|
|
|
|
"full_path": "/gitlab-examples/security/security-reports",
|
|
|
|
"full_name": "gitlab-examples / security / security-reports"
|
|
|
|
},
|
|
|
|
"author_id": 1,
|
|
|
|
"updated_by_id": null,
|
|
|
|
"last_edited_by_id": null,
|
|
|
|
"closed_by_id": null,
|
|
|
|
"start_date": null,
|
|
|
|
"due_date": null,
|
|
|
|
"created_at": "2019-10-13T15:08:40.219Z",
|
|
|
|
"updated_at": "2019-10-13T15:09:40.382Z",
|
|
|
|
"last_edited_at": null,
|
|
|
|
"closed_at": null
|
|
|
|
}
|
|
|
|
```
|