Help us learn about your current experience with the documentation. Take the survey.

漏洞 API

Tier: Ultimate
Offering: GitLab.com, GitLab Self-Managed, GitLab Dedicated

先前的漏洞 API 已重命名为漏洞发现 API 并且其文档已移至其他位置。本文档现在描述了新的漏洞 API，该 API 提供对漏洞的访问。

此 API 正在被弃用且被认为不稳定。响应负载可能会在 GitLab 版本之间发生变化或损坏。请改用 GraphQL API。有关更多信息，请参阅 GraphQL 示例。

每个漏洞的 API 调用都必须经过身份验证。

如果经过身份验证的用户没有权限查看漏洞报告，此请求将返回 403 Forbidden 状态码。

单个漏洞

获取单个漏洞

GET /vulnerabilities/:id

Attribute	Type	Required	Description
`id`	integer or string	yes	要获取的漏洞 ID

curl --request GET \
  --header "PRIVATE-TOKEN: <your_access_token>" \
  --url "https://gitlab.example.com/api/v4/vulnerabilities/1"

Example response:

{
  "id": 1,
  "title": "Predictable pseudorandom number generator",
  "description": null,
  "state": "opened",
  "severity": "medium",
  "confidence": "medium",
  "report_type": "sast",
  "project": {
    "id": 32,
    "name": "security-reports",
    "full_path": "/gitlab-examples/security/security-reports",
    "full_name": "gitlab-examples / security / security-reports"
  },
  "author_id": 1,
  "closed_by_id": null,
  "created_at": "2019-10-13T15:08:40.219Z",
  "updated_at": "2019-10-13T15:09:40.382Z",
  "closed_at": null
}

确认漏洞

确认给定的漏洞。如果漏洞已确认，则返回状态码 304。

如果经过身份验证的用户没有权限更改漏洞状态，此请求将导致 403 状态码。

POST /vulnerabilities/:id/confirm

Attribute	Type	Required	Description
`id`	integer or string	yes	要确认的漏洞 ID

curl --request POST \
  --header "PRIVATE-TOKEN: <your_access_token>" \
  --url "https://gitlab.example.com/api/v4/vulnerabilities/5/confirm"

Example response:

{
  "id": 2,
  "title": "Predictable pseudorandom number generator",
  "description": null,
  "state": "confirmed",
  "severity": "medium",
  "confidence": "medium",
  "report_type": "sast",
  "project": {
    "id": 32,
    "name": "security-reports",
    "full_path": "/gitlab-examples/security/security-reports",
    "full_name": "gitlab-examples / security / security-reports"
  },
  "author_id": 1,
  "closed_by_id": null,
  "created_at": "2019-10-13T15:08:40.219Z",
  "updated_at": "2019-10-13T15:09:40.382Z",
  "closed_at": null
}

解决漏洞

解决给定的漏洞。如果漏洞已解决，则返回状态码 304。

如果经过身份验证的用户没有权限更改漏洞状态，此请求将导致 403 状态码。

POST /vulnerabilities/:id/resolve

Attribute	Type	Required	Description
`id`	integer or string	yes	要解决的漏洞 ID

curl --request POST \
  --header "PRIVATE-TOKEN: <your_access_token>" \
  --url "https://gitlab.example.com/api/v4/vulnerabilities/5/resolve"

Example response:

{
  "id": 2,
  "title": "Predictable pseudorandom number generator",
  "description": null,
  "state": "resolved",
  "severity": "medium",
  "confidence": "medium",
  "report_type": "sast",
  "project": {
    "id": 32,
    "name": "security-reports",
    "full_path": "/gitlab-examples/security/security-reports",
    "full_name": "gitlab-examples / security / security-reports"
  },
  "author_id": 1,
  "closed_by_id": null,
  "created_at": "2019-10-13T15:08:40.219Z",
  "updated_at": "2019-10-13T15:09:40.382Z",
  "closed_at": null
}

忽略漏洞

忽略给定的漏洞。如果漏洞已被忽略，则返回状态码 304。

如果经过身份验证的用户没有权限更改漏洞状态，此请求将导致 403 状态码。

POST /vulnerabilities/:id/dismiss

Attribute	Type	Required	Description
`id`	integer or string	yes	要忽略的漏洞 ID

curl --request POST \
  --header "PRIVATE-TOKEN: <your_access_token>" \
  --url "https://gitlab.example.com/api/v4/vulnerabilities/5/dismiss"

Example response:

{
  "id": 2,
  "title": "Predictable pseudorandom number generator",
  "description": null,
  "state": "closed",
  "severity": "medium",
  "confidence": "medium",
  "report_type": "sast",
  "project": {
    "id": 32,
    "name": "security-reports",
    "full_path": "/gitlab-examples/security/security-reports",
    "full_name": "gitlab-examples / security / security-reports"
  },
  "author_id": 1,
  "closed_by_id": null,
  "created_at": "2019-10-13T15:08:40.219Z",
  "updated_at": "2019-10-13T15:09:40.382Z",
  "closed_at": null
}

将漏洞恢复到检测状态

将给定的漏洞恢复到检测状态。如果漏洞已处于检测状态，则返回状态码 304。

如果经过身份验证的用户没有权限更改漏洞状态，此请求将导致 403 状态码。

POST /vulnerabilities/:id/revert

Attribute	Type	Required	Description
`id`	integer or string	yes	要恢复到检测状态的漏洞 ID

curl --request POST \
  --header "PRIVATE-TOKEN: <your_access_token>" \
  --url "https://gitlab.example.com/api/v4/vulnerabilities/5/revert"

Example response:

{
  "id": 2,
  "title": "Predictable pseudorandom number generator",
  "description": null,
  "state": "detected",
  "severity": "medium",
  "confidence": "medium",
  "report_type": "sast",
  "project": {
    "id": 32,
    "name": "security-reports",
    "full_path": "/gitlab-examples/security/security-reports",
    "full_name": "gitlab-examples / security / security-reports"
  },
  "author_id": 1,
  "closed_by_id": null,
  "created_at": "2019-10-13T15:08:40.219Z",
  "updated_at": "2019-10-13T15:09:40.382Z",
  "closed_at": null
}

用 GraphQL 替换漏洞 REST API

为准备漏洞 REST API 端点的即将弃用，请使用以下示例通过 GraphQL API 执行等效操作。

GraphQL - 单个漏洞

使用 Query.vulnerability。

{
  vulnerability(id: "gid://gitlab/Vulnerability/20345379") {
    title
    description
    state
    severity
    reportType
    project {
      id
      name
      fullPath
    }
    detectedAt
    confirmedAt
    resolvedAt
    resolvedBy {
      id
      username
    }
  }
}

Example response:

{
  "data": {
    "vulnerability": {
      "title": "Improper Input Validation in railties",
      "description": "A remote code execution vulnerability in development mode Rails beta3 can allow an attacker to guess the automatically generated development mode secret token. This secret token can be used in combination with other Rails internals to escalate to a remote code execution exploit.",
      "state": "RESOLVED",
      "severity": "CRITICAL",
      "reportType": "DEPENDENCY_SCANNING",
      "project": {
        "id": "gid://gitlab/Project/6102100",
        "name": "security-reports",
        "fullPath": "gitlab-examples/security/security-reports"
      },
      "detectedAt": "2021-10-14T03:13:41Z",
      "confirmedAt": "2021-12-14T01:45:56Z",
      "resolvedAt": "2021-12-14T01:45:59Z",
      "resolvedBy": {
        "id": "gid://gitlab/User/480804",
        "username": "thiagocsf"
      }
    }
  }
}

GraphQL - 确认漏洞

使用 Mutation.vulnerabilityConfirm。

mutation {
  vulnerabilityConfirm(input: { id: "gid://gitlab/Vulnerability/23577695"}) {
    vulnerability {
      state
    }
    errors
  }
}

Example response:

{
  "data": {
    "vulnerabilityConfirm": {
      "vulnerability": {
        "state": "CONFIRMED"
      },
      "errors": []
    }
  }
}

GraphQL - 解决漏洞

使用 Mutation.vulnerabilityResolve。

mutation {
  vulnerabilityResolve(input: { id: "gid://gitlab/Vulnerability/23577695"}) {
    vulnerability {
      state
    }
    errors
  }
}

Example response:

{
  "data": {
    "vulnerabilityConfirm": {
      "vulnerability": {
        "state": "RESOLVED"
      },
      "errors": []
    }
  }
}

GraphQL - 忽略漏洞

使用 Mutation.vulnerabilityDismiss。

mutation {
  vulnerabilityDismiss(input: { id: "gid://gitlab/Vulnerability/23577695"}) {
    vulnerability {
      state
    }
    errors
  }
}

Example response:

{
  "data": {
    "vulnerabilityConfirm": {
      "vulnerability": {
        "state": "DISMISSED"
      },
      "errors": []
    }
  }
}

GraphQL - 将漏洞恢复到检测状态

使用 Mutation.vulnerabilityRevertToDetected。

mutation {
  vulnerabilityRevertToDetected(input: { id: "gid://gitlab/Vulnerability/20345379"}) {
    vulnerability {
      state
    }
    errors
  }
}

Example response:

{
  "data": {
    "vulnerabilityConfirm": {
      "vulnerability": {
        "state": "DETECTED"
      },
      "errors": []
    }
  }
}