# Security scanner integration
> Source: [https://docs.gitlab.com/ee/development/integrations/secure.html](https://docs.gitlab.com/ee/development/integrations/secure.html)
* [Job definition](#job-definition)
* [Name](#name)
* [Image](#image)
* [Script](#script)
* [Stage](#stage)
* [Fail-safe](#fail-safe)
* [Artifacts](#artifacts)
* [Policies](#policies)
* [Policy checking example](#policy-checking-example)
* [Docker image](#docker-image)
* [Image size](#image-size)
* [Image tag](#image-tag)
* [Command line](#command-line)
* [Variables](#variables)
* [SAST and Dependency Scanning](#sast-and-dependency-scanning)
* [Container Scanning](#container-scanning)
* [Configuration files](#configuration-files)
* [Output file](#output-file)
* [Exit code](#exit-code)
* [Logging](#logging)
* [Logging level](#logging-level)
* [common logutil package](#common-logutil-package)
* [Report](#report)
* [Version](#version)
* [Vulnerabilities](#vulnerabilities)
* [ID](#id)
* [Category](#category)
* [Scanner](#scanner)
* [Name, message, and description](#name-message-and-description)
* [Solution](#solution)
* [Identifiers](#identifiers)
* [Location](#location)
* [Dependency Scanning](#dependency-scanning)
* [Container Scanning](#container-scanning-1)
* [SAST](#sast)
* [Tracking and merging vulnerabilities](#tracking-and-merging-vulnerabilities)
* [Severity and confidence](#severity-and-confidence)
* [Remediations](#remediations)
* [Summary](#summary)
* [Fixed vulnerabilities](#fixed-vulnerabilities)
* [Diff](#diff)
* [Limitations](#limitations)
* [Container Scanning](#container-scanning-2)
Integrating a security scanner into GitLab consists of providing end users with a [CI job definition](../../ci/yaml/README.html#introduction) they can add to their CI configuration files to scan their GitLab projects. This CI job should then output its results in a GitLab-specified format. These results are then automatically presented in various places in GitLab, such as the pipeline view, merge request widget, and Security Dashboard.
The scanning job is usually based on a [Docker image](https://s0docs0docker0com.icopy.site/) that contains the scanner and all its dependencies in a self-contained environment.
This page documents requirements and guidelines for writing CI jobs that implement a security scanner, as well as requirements and guidelines for the Docker image.
## Job definition
This section describes several important fields to add to the security scanner's job definition file. Full documentation on these and other available fields can be found in the [CI documentation](../../ci/yaml/README.html#image).
### Name
For consistency, scanning jobs should be named after the scanner, in lower case. The job name is suffixed with the type of scanning: `_dependency_scanning`, `_container_scanning`, `_dast`, and `_sast`. For instance, the Dependency Scanning job based on the "MySec" scanner would be named `mysec_dependency_scanning`.
### Image
The [`image`](../../ci/yaml/README.html#image) keyword is used to specify the [Docker image](../../ci/docker/using_docker_images.html#what-is-an-image) containing the security scanner.
### Script
The [`script`](../../ci/yaml/README.html#script) keyword is used to specify the command that runs the scanner. Because the `script` entry can't be left empty, it must be set to the command that performs the scan. It is not possible to rely on the predefined `ENTRYPOINT` and `CMD` of the Docker image to perform the scan automatically, without passing any command.
[`before_script`](../../ci/yaml/README.html#before_script-and-after_script) should not be used in the job definition, because users may rely on it to prepare their projects before performing the scan. For instance, it is common practice to use `before_script` to install the system libraries a particular project needs before performing SAST or Dependency Scanning.
Similarly, [`after_script`](../../ci/yaml/README.html#before_script-and-after_script) should not be used in the job definition, because it may be overridden by users.
### Stage
For consistency, scanning jobs should belong to the `test` stage when possible. The [`stage`](../../ci/yaml/README.html#stage) keyword can be omitted because `test` is the default value.
### Fail-safe
To be aligned with the [GitLab Security paradigm](https://about.gitlab.com/direction/secure/#security-paradigm), scanning jobs should not block the pipeline when they fail, so the [`allow_failure`](../../ci/yaml/README.html#allow_failure) parameter should be set to `true`.
### Artifacts
Scanning jobs must declare a report that corresponds to the type of scanning they perform, using the [`artifacts:reports`](../../ci/pipelines/job_artifacts.html#artifactsreports) keyword. Valid reports are: `dependency_scanning`, `container_scanning`, `dast`, and `sast`.
For example, here is the definition of a SAST job that generates a file named `gl-sast-report.json` and uploads it as a SAST report:
```yaml
mysec_sast:
  image: registry.gitlab.com/secure/mysec
  artifacts:
    reports:
      sast: gl-sast-report.json
```
Note that `gl-sast-report.json` is an example file path; any other file name can be used. See the [Output file](#output-file) section for more details. The file is processed as a SAST report because it is declared under the `reports:sast` key in the job definition, not because of its file name.
### Policies
Certain GitLab workflows, such as [AutoDevOps](../../topics/autodevops/customize.html#disable-jobs), define variables to indicate that a given scan should be disabled. You can check for this by looking for variables such as `DEPENDENCY_SCANNING_DISABLED`, `CONTAINER_SCANNING_DISABLED`, `SAST_DISABLED`, and `DAST_DISABLED`. If appropriate for the scanner type, you should then skip running the custom scanner.
GitLab also defines a `CI_PROJECT_REPOSITORY_LANGUAGES` variable, which provides the list of languages in the repository. Depending on this value, your scanner may or may not do something different. Language detection currently relies on the [`linguist`](https://github.com/github/linguist) Ruby gem. See the [GitLab CI/CD predefined variables](../../ci/variables/predefined_variables.html).
#### Policy checking example
This example shows how to skip a custom Dependency Scanning job, `mysec_dependency_scanning`, unless the project repository contains Java source code and the `dependency_scanning` feature is enabled:
```yaml
mysec_dependency_scanning:
  rules:
    - if: $DEPENDENCY_SCANNING_DISABLED
      when: never
    - if: $GITLAB_FEATURES =~ /\bdependency_scanning\b/
      exists:
        - '**/*.java'
```
Any additional job policy should only be configured by users based on their needs. For instance, predefined policies should not trigger the scanning job for a particular branch or when a particular set of files changes.
## Docker image
The Docker image is a self-contained environment that combines the scanner with all the libraries and tools it depends on. Packaging your scanner into a Docker image makes its dependencies and configuration always present, regardless of the machine the scanner runs on.
### Image size
Depending on the CI infrastructure, the CI may have to fetch the Docker image every time the job runs. For the scanning job to run fast and to avoid wasting bandwidth, Docker images should be as small as possible. You should aim for 50MB or smaller. If that's not possible, try to keep it below 1.46 GB, which is the size of a CD-ROM.
If the scanner requires a fully functional Linux environment, it is recommended to use a [Debian](https://www.debian.org/intro/about) “slim” distribution or [Alpine Linux](https://www.alpinelinux.org/). If possible, it is recommended to build the image from scratch, using the `FROM scratch` instruction, and to compile the scanner with all the libraries it needs. [Multi-stage builds](https://s0docs0docker0com.icopy.site/develop/develop-images/multistage-build/) might also help with keeping the image small.
To keep the image size small, consider using [Dive](https://github.com/wagoodman/dive#dive) to analyze the layers in a Docker image and identify where additional bloat might be originating.
In some cases, it might be difficult to remove files from an image. When this occurs, consider using [Zstandard](https://github.com/facebook/zstd) to compress files or large directories. Zstandard offers many different compression levels that can decrease the size of your image with very little impact on decompression speed. It may be helpful to automatically decompress any compressed directories as soon as an image launches. You can accomplish this by adding a step to the Docker image's `/etc/bashrc` or to a specific user's `$HOME/.bashrc`. Remember to change the entry point to launch a bash login shell if you choose the latter option.
Here are some examples to get you started:
* [https://gitlab.com/gitlab-org/security-products/license-management/-/blob/0b976fcffe0a9b8e80587adb076bcdf279c9331c/config/install.sh#L168-170](https://gitlab.com/gitlab-org/security-products/license-management/-/blob/0b976fcffe0a9b8e80587adb076bcdf279c9331c/config/install.sh#L168-170)
* [https://gitlab.com/gitlab-org/security-products/license-management/-/blob/0b976fcffe0a9b8e80587adb076bcdf279c9331c/config/.bashrc#L49](https://gitlab.com/gitlab-org/security-products/license-management/-/blob/0b976fcffe0a9b8e80587adb076bcdf279c9331c/config/.bashrc#L49)
### Image tag
As documented in the [Docker Official Images](https://github.com/docker-library/official-images#tags-and-aliases) project, it is strongly encouraged that version number tags be given aliases, which allows users to easily refer to the "most recent" release of a particular series. See also [Docker Tagging: Best practices for tagging and versioning Docker images](https://docs.microsoft.com/en-us/archive/blogs/stevelasker/docker-tagging-best-practices-for-tagging-and-versioning-docker-images).
## Command line
A scanner is a command line tool that takes environment variables as inputs and generates a file that is uploaded as a report (based on the job definition). It also generates text output on the standard output and standard error streams, and exits with a status code.
### Variables
All CI variables are passed to the scanner as environment variables. The scanned project is described by the [predefined CI variables](../../ci/variables/README.html).
#### SAST and Dependency Scanning
SAST and Dependency Scanning scanners must scan the files in the project directory, given by the `CI_PROJECT_DIR` variable.
#### Container Scanning
In order to be consistent with the official Container Scanning for GitLab, scanners must scan the Docker image whose name and tag are given by `CI_APPLICATION_REPOSITORY` and `CI_APPLICATION_TAG`, respectively.
If not provided, `CI_APPLICATION_REPOSITORY` should default to `$CI_REGISTRY_IMAGE/$CI_COMMIT_REF_SLUG`, which is a combination of predefined CI variables. `CI_APPLICATION_TAG` should default to `CI_COMMIT_SHA`.
The scanner should sign in to the Docker registry using the variables `DOCKER_USER` and `DOCKER_PASSWORD`. If these are not defined, then the scanner should use `CI_REGISTRY_USER` and `CI_REGISTRY_PASSWORD` as default values.
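The fallback order above, as an added Go example (not code from GitLab's analyzers): lookups go through a `getenv` function so the defaults can be exercised against a constructed environment, and the scanner fails early when neither an explicit nor a derivable image reference exists. The `ScanTarget` type and `firstSet` helper are this example's own names.

```go
package main

import (
	"errors"
	"fmt"
	"os"
)

// ScanTarget is what a Container Scanning job needs before it can pull the
// image: the full image reference and the registry credentials to use.
type ScanTarget struct {
	Image    string
	User     string
	Password string
}

// firstSet returns the value of the first variable in names that is set and
// non-empty. Lookups go through getenv so a test can supply a fake environment.
func firstSet(getenv func(string) string, names ...string) string {
	for _, n := range names {
		if v := getenv(n); v != "" {
			return v
		}
	}
	return ""
}

// ResolveScanTarget applies the defaults described above:
//   - CI_APPLICATION_REPOSITORY falls back to $CI_REGISTRY_IMAGE/$CI_COMMIT_REF_SLUG
//   - CI_APPLICATION_TAG falls back to CI_COMMIT_SHA
//   - DOCKER_USER and DOCKER_PASSWORD fall back to CI_REGISTRY_USER and CI_REGISTRY_PASSWORD
// It returns an error rather than guessing when no image reference can be built.
func ResolveScanTarget(getenv func(string) string) (ScanTarget, error) {
	repo := getenv("CI_APPLICATION_REPOSITORY")
	if repo == "" {
		base, slug := getenv("CI_REGISTRY_IMAGE"), getenv("CI_COMMIT_REF_SLUG")
		if base == "" || slug == "" {
			return ScanTarget{}, errors.New("CI_APPLICATION_REPOSITORY is unset and CI_REGISTRY_IMAGE/CI_COMMIT_REF_SLUG cannot supply a default")
		}
		repo = base + "/" + slug
	}
	tag := firstSet(getenv, "CI_APPLICATION_TAG", "CI_COMMIT_SHA")
	if tag == "" {
		return ScanTarget{}, errors.New("CI_APPLICATION_TAG is unset and CI_COMMIT_SHA cannot supply a default")
	}
	return ScanTarget{
		Image:    repo + ":" + tag,
		User:     firstSet(getenv, "DOCKER_USER", "CI_REGISTRY_USER"),
		Password: firstSet(getenv, "DOCKER_PASSWORD", "CI_REGISTRY_PASSWORD"),
	}, nil
}

func main() {
	target, err := ResolveScanTarget(os.Getenv)
	if err != nil {
		fmt.Fprintln(os.Stderr, "[ERRO]", err)
		os.Exit(1)
	}
	// The job log is visible to project members: print the image and the
	// user name, never the password.
	fmt.Printf("[INFO] scanning %s as %q\n", target.Image, target.User)
}
```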
#### Configuration files
While scanners may use `CI_PROJECT_DIR` to load specific configuration files, it is recommended to expose configuration as environment variables, not files.
### Output file
Like any artifact uploaded to GitLab CI/CD, the Secure report generated by the scanner must be written in the project directory, given by the `CI_PROJECT_DIR` environment variable.
It is recommended to name the output file after the type of scanning, and to use `gl-` as a prefix. Since all Secure reports are JSON files, it is recommended to use `.json` as the file extension. For instance, the suggested file name for a Dependency Scanning report is `gl-dependency-scanning.json`.
The [`artifacts:reports`](../../ci/pipelines/job_artifacts.html#artifactsreports) keyword of the job definition must be consistent with the file path where the Security report is written. For instance, if a Dependency Scanning analyzer writes its report to the CI project directory, and this report file is named `depscan.json`, then `artifacts:reports:dependency_scanning` must be set to `depscan.json`.
### Exit code
Following the POSIX exit code standard, the scanner exits with 0 for success and any number from 1 to 255 for anything else. Success also includes the case where vulnerabilities are found.
When executing a scanning job using the [Docker-in-Docker privileged mode](../../user/application_security/sast/index.html#requirements), we reserve the following standard exit codes.
| Orchestrator exit code | Description |
| --- | --- |
| 3 | No match, no compatible analyzers |
| 4 | Project directory empty |
| 5 | No compatible Docker image |
### Logging
Scanners should log error messages and warnings so that users can easily investigate misconfiguration and integration issues by looking at the log of the CI scanning job.
Scanners may use [ANSI escape codes](https://en.wikipedia.org/wiki/ANSI_escape_code#Colors) to color the messages they write to the Unix standard output and standard error streams. We recommend using red to report errors, yellow for warnings, and green for notices. Also, we recommend prefixing error messages with `[ERRO]`, warnings with `[WARN]`, and notices with `[INFO]`.
#### Logging level
The scanner should filter out a log message if its log level is lower than the one set in the `SECURE_LOG_LEVEL` variable. For instance, `info` and `warn` messages should be skipped when `SECURE_LOG_LEVEL` is set to `error`. Accepted values are as follows, listed from highest to lowest:
* `fatal`
* `error`
* `warn`
* `info`
* `debug`
It is recommended to use the `debug` level for verbose logging that could be useful when debugging. The default value for `SECURE_LOG_LEVEL` should be set to `info`.
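An added example of this filtering in plain Go (not the common logutil package or logrus), applying the prefixes and colours recommended above. Two details are this example's own choices rather than page rules: `fatal` reuses the `[ERRO]` prefix and `debug` gets `[DEBU]`, and warnings and errors go to stderr while notices go to stdout.

```go
package main

import (
	"fmt"
	"io"
	"os"
	"strings"
)

// Level orders the accepted SECURE_LOG_LEVEL values from lowest to highest,
// so "below the configured level" is a plain integer comparison.
type Level int

const (
	Debug Level = iota
	Info
	Warn
	Error
	Fatal
)

var levelNames = map[string]Level{
	"debug": Debug, "info": Info, "warn": Warn, "error": Error, "fatal": Fatal,
}

// ParseLevel maps a SECURE_LOG_LEVEL value to a Level. An empty value gives the
// recommended default, info. An unrecognised value also falls back to info but
// is reported through the second result so the scanner can warn about it.
func ParseLevel(s string) (Level, bool) {
	if s == "" {
		return Info, true
	}
	l, ok := levelNames[strings.ToLower(strings.TrimSpace(s))]
	if !ok {
		return Info, false
	}
	return l, true
}

// tag returns the prefix and ANSI colour recommended above. fatal reuses
// [ERRO] and debug gets [DEBU]; the page names prefixes only for the other three.
func tag(l Level) (prefix, colour string) {
	switch l {
	case Fatal, Error:
		return "[ERRO]", "\x1b[31m" // red
	case Warn:
		return "[WARN]", "\x1b[33m" // yellow
	case Info:
		return "[INFO]", "\x1b[32m" // green
	default:
		return "[DEBU]", ""
	}
}

// Line renders one log line. Colour wraps only the prefix, so the message text
// stays greppable in a saved job log.
func Line(l Level, msg string, colour bool) string {
	p, c := tag(l)
	if colour && c != "" {
		p = c + p + "\x1b[0m"
	}
	return p + " " + msg
}

// Logger drops messages below Threshold. Warnings and errors go to Stderr,
// notices and debug output to Stdout (this example's split, not a page rule).
type Logger struct {
	Threshold      Level
	Stdout, Stderr io.Writer
	Colour         bool
}

// NewLoggerFromEnv builds a Logger from SECURE_LOG_LEVEL, warning once when the
// variable holds a value outside the accepted list.
func NewLoggerFromEnv(getenv func(string) string) Logger {
	raw := getenv("SECURE_LOG_LEVEL")
	lvl, ok := ParseLevel(raw)
	lg := Logger{Threshold: lvl, Stdout: os.Stdout, Stderr: os.Stderr, Colour: true}
	if !ok {
		lg.Log(Warn, fmt.Sprintf("unknown SECURE_LOG_LEVEL %q, using info", raw))
	}
	return lg
}

// Log writes msg if l is at or above the threshold and reports whether it did.
func (lg Logger) Log(l Level, msg string) bool {
	if l < lg.Threshold {
		return false
	}
	w := lg.Stdout
	if l >= Warn {
		w = lg.Stderr
	}
	fmt.Fprintln(w, Line(l, msg, lg.Colour))
	return true
}
```

In a scanner, `NewLoggerFromEnv(os.Getenv)` is created once at start-up and `Log(Debug, ...)` calls are then suppressed at the default `info` level.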
#### common logutil package
If you are using [go](https://s0golang0org.icopy.site/) and [common](https://gitlab.com/gitlab-org/security-products/analyzers/common), then it is suggested to use [logrus](https://github.com/Sirupsen/logrus) and [common's logutil package](https://gitlab.com/gitlab-org/security-products/analyzers/common/-/tree/master/logutil) to configure the formatter for logrus. See the [logutil README.md](https://gitlab.com/gitlab-org/security-products/analyzers/common/-/tree/master/logutil/README.md).
## Report
The report is a JSON document that combines vulnerabilities with possible remediations.
This documentation gives an overview of the report JSON format, as well as recommendations and examples to help integrators set its fields. The format is extensively described in the documentation of [SAST](../../user/application_security/sast/index.html#reports-json-format), [Dependency Scanning](../../user/application_security/dependency_scanning/index.html#reports-json-format), and [Container Scanning](../../user/application_security/container_scanning/index.html#reports-json-format).
The DAST variant of the report JSON format is not documented at the moment.
### Version
This field specifies the version of the report schema you are using. Please reference individual scanner pages for the specific versions to use.
### Vulnerabilities
The `vulnerabilities` field of the report is an array of vulnerability objects.
#### ID
The `id` field is the unique identifier of the vulnerability. It is used to reference a fixed vulnerability from a [remediation object](#remediations). We recommend that you generate a UUID and use it as the value of the `id` field.
#### Category
The value of the `category` field matches the report type: `dependency_scanning`, `container_scanning`, `sast`, and `dast`.
#### Scanner
The `scanner` field is an object that embeds a human-readable `name` and a technical `id`. The `id` should not collide with any other scanner another integrator would provide.
#### Name, message, and description
The `name` and `message` fields contain a short description of the vulnerability. The `description` field provides more details.
The `name` field is context-free and contains no information on where the vulnerability has been found, whereas the `message` may repeat the location.
As a visual example, this screenshot highlights where these fields are used when viewing a vulnerability as part of a pipeline view.
![Vulnerability fields as shown in the pipeline view](example_vuln.png)
For instance, a `message` for a vulnerability reported by Dependency Scanning gives information on the vulnerable dependency, which is redundant with the `location` field of the vulnerability. The `name` field is preferred but the `message` field is used when the context/location cannot be removed from the title of the vulnerability.
To illustrate, here is an example vulnerability object reported by a Dependency Scanning scanner, where the `message` repeats the `location` field:
```json
{
  "location": {
    "dependency": {
      "package": {
        "name": "debug"
      }
    }
  },
  "name": "Regular Expression Denial of Service",
  "message": "Regular Expression Denial of Service in debug",
  "description": "The debug module is vulnerable to regular expression denial of service when untrusted user input is passed into the `o` formatter. It takes around 50k characters to block for 2 seconds making this a low severity issue."
}
```
The `description` might explain how the vulnerability works or give context about the exploit. It should not repeat the other fields of the vulnerability object. In particular, the `description` should not repeat the `location` (what is affected) or the `solution` (how to mitigate the risk).
#### Solution
You can use the `solution` field to instruct users how to fix the identified vulnerability or how to mitigate the risk. End users interact with this field, whereas GitLab automatically processes the `remediations` objects.
#### Identifiers
The `identifiers` array describes the detected vulnerability. An identifier object's `type` and `value` fields are used to tell whether two identifiers are the same. The user interface uses the object's `name` and `url` fields to display the identifier.
It is recommended to reuse the identifiers the GitLab scanners already define:
| Identifier | Type | Example value |
| --- | --- | --- |
| [CVE](https://cve.mitre.org/cve/) | `cve` | CVE-2019-10086 |
| [CWE](https://cwe.mitre.org/data/index.html) | `cwe` | CWE-1026 |
| [OSVD](https://cve.mitre.org/data/refs/refmap/source-OSVDB.html) | `osvdb` | OSVDB-113928 |
| [USN](https://usn.ubuntu.com/) | `usn` | USN-4234-1 |
| [WASC](http://projects.webappsec.org/Threat-Classification-Reference-Grid) | `wasc` | WASC-19 |
| [RHSA](https://access.redhat.com/errata/#/) | `rhsa` | RHSA-2020:0111 |
| [ELSA](https://linux.oracle.com/security/) | `elsa` | ELSA-2020-0085 |
The generic identifiers listed above are defined in the [common library](https://gitlab.com/gitlab-org/security-products/analyzers/common), which is shared by the analyzers that GitLab maintains. You can [contribute](https://gitlab.com/gitlab-org/security-products/analyzers/common/blob/master/issue/identifier.go) new generic identifiers if needed. Analyzers may also produce vendor-specific or product-specific identifiers, which don't belong in the [common library](https://gitlab.com/gitlab-org/security-products/analyzers/common).
The first item of the `identifiers` array is called the primary identifier. The primary identifier is particularly important, because it is used to [track vulnerabilities](#tracking-and-merging-vulnerabilities) as new commits are pushed to the repository. Identifiers are also used to [merge duplicate vulnerabilities](#tracking-and-merging-vulnerabilities) reported for the same commit, except for `CWE` and `WASC`.
### Location
The `location` indicates where the vulnerability has been detected. The format of the location depends on the type of scanning.
Internally, GitLab extracts some attributes of the `location` to generate the **location fingerprint**, which is used to track vulnerabilities as new commits are pushed to the repository. The attributes used to generate the location fingerprint also depend on the type of scanning.
#### Dependency Scanning
The `location` of a Dependency Scanning vulnerability is made of a `dependency` and a `file`. The `dependency` object describes the affected `package` and the dependency `version`. `package` embeds the `name` of the affected library/module. `file` is the path of the dependency file that declares the affected dependency.
For instance, here is the `location` object for a vulnerability affecting version `4.0.11` of the npm package [`handlebars`](https://s0www0npmjs0com.icopy.site/package/handlebars):
```json
{
  "file": "client/package.json",
  "dependency": {
    "package": {
      "name": "handlebars"
    },
    "version": "4.0.11"
  }
}
```
The affected dependency is listed in `client/package.json`, a file that is processed by npm or yarn.
#### Container Scanning
Similar to Dependency Scanning, the `location` of a Container Scanning vulnerability has a `dependency` and a `file`. It also has an `operating_system` field.
For instance, here is the `location` object for a vulnerability affecting version `2.50.3-2+deb9u1` of the Debian package `glib2.0`:
```json
{
  "dependency": {
    "package": {
      "name": "glib2.0"
    },
    "version": "2.50.3-2+deb9u1"
  },
  "operating_system": "debian:9",
  "image": "registry.gitlab.com/example/app:latest"
}
```
The affected package is found when scanning the Docker image `registry.gitlab.com/example/app:latest`. The Docker image is based on `debian:9` (Debian Stretch).
The location fingerprint of a Container Scanning vulnerability combines the `operating_system` and the package `name`, so these attributes are mandatory. The `image` is also mandatory. All other attributes are optional.
#### SAST
The `location` of a SAST vulnerability must have a `file` and a `start_line` field, giving the path of the affected file and the affected line number, respectively. It may also have an `end_line`, a `class`, and a `method`.
For instance, here is the `location` object for a security flaw found at line `41` of `src/main/java/com/gitlab/example/App.java`, in the `generateSecretToken` method of the `com.gitlab.security_products.tests.App` Java class:
```json
{
  "file": "src/main/java/com/gitlab/example/App.java",
  "start_line": 41,
  "end_line": 41,
  "class": "com.gitlab.security_products.tests.App",
  "method": "generateSecretToken1"
}
```
The location fingerprint of a SAST vulnerability combines `file`, `start_line`, and `end_line`, so these attributes are mandatory. All other attributes are optional.
### Tracking and merging vulnerabilities
Users may give feedback on a vulnerability:
* They may dismiss a vulnerability if it doesn't apply to their projects
* They may create an issue for a vulnerability if there's a possible threat
GitLab tracks vulnerabilities so that user feedback is not lost when new Git commits are pushed to the repository. Vulnerabilities are tracked using a combination of three attributes:
* [Report type](#category)
* [Location fingerprint](#location)
* [Primary identifier](#identifiers)
Right now, GitLab cannot track a vulnerability if its location changes as new Git commits are pushed, and this results in user feedback being lost. For instance, user feedback on a SAST vulnerability is lost if the affected file is renamed or the affected line moves down. This is addressed in [issue #7586](https://gitlab.com/gitlab-org/gitlab/-/issues/7586).
In some cases, the multiple scans executed in the same CI pipeline result in duplicates that are automatically merged using the vulnerability location and identifiers. Two vulnerabilities are considered the same if they share the same [location fingerprint](#location) and at least one [identifier](#identifiers). Two identifiers are the same if they share the same `type` and `id`. CWE and WASC identifiers are not considered when evaluating duplicates because they describe a category of vulnerability flaws, not a specific security flaw.
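The fingerprint and merge rules above, as an added Go example that is not GitLab's implementation: it combines the attributes the Location section lists as mandatory for each scan type (hashing them with SHA-256 is this example's choice; the page does not say how GitLab derives the fingerprint) and drops a later vulnerability when it shares a fingerprint and at least one non-CWE, non-WASC identifier with one already kept. Type and function names are this example's own.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strconv"
	"strings"
)

type Identifier struct{ Type, Value string }

// Location is the union of the location attributes the three scan types use;
// PackageName stands for the nested dependency.package.name of the report.
type Location struct {
	File, PackageName, OperatingSystem, Image string
	StartLine, EndLine                        int
}

// Vulnerability carries the three tracking attributes: Category (report type),
// Location (fingerprint source) and Identifiers (the first one is primary).
type Vulnerability struct {
	ID, Category string
	Location     Location
	Identifiers  []Identifier
}

// LocationFingerprint joins the attributes that are mandatory for each scan type
// and hashes them; SHA-256 over NUL-joined fields is this example's choice.
func LocationFingerprint(v Vulnerability) (string, error) {
	loc := v.Location
	var parts []string
	switch v.Category {
	case "dependency_scanning": // file + dependency.package.name
		parts = []string{loc.File, loc.PackageName}
	case "container_scanning": // operating_system + package name + image
		parts = []string{loc.OperatingSystem, loc.PackageName, loc.Image}
	case "sast": // file + start_line + end_line (0 when end_line is absent)
		if loc.StartLine == 0 {
			return "", fmt.Errorf("%s: start_line is mandatory for sast", v.ID)
		}
		parts = []string{loc.File, strconv.Itoa(loc.StartLine), strconv.Itoa(loc.EndLine)}
	default:
		return "", fmt.Errorf("%s: unsupported category %q", v.ID, v.Category)
	}
	for _, p := range parts {
		if p == "" {
			return "", fmt.Errorf("%s: a mandatory %s location attribute is missing", v.ID, v.Category)
		}
	}
	sum := sha256.Sum256([]byte(v.Category + "\x00" + strings.Join(parts, "\x00")))
	return hex.EncodeToString(sum[:]), nil
}

// identifierKey normalises type and value for comparison. cwe and wasc name a
// weakness class rather than a specific flaw, so they never take part in merging.
func identifierKey(id Identifier) (string, bool) {
	t := strings.ToLower(strings.TrimSpace(id.Type))
	if t == "cwe" || t == "wasc" {
		return "", false
	}
	return t + "\x00" + id.Value, true
}

func sharesIdentifier(a, b []Identifier) bool {
	seen := map[string]bool{}
	for _, id := range a {
		if k, ok := identifierKey(id); ok {
			seen[k] = true
		}
	}
	for _, id := range b {
		if k, ok := identifierKey(id); ok && seen[k] {
			return true
		}
	}
	return false
}

// MergeDuplicates keeps the first of any group of vulnerabilities that share a
// fingerprint and at least one mergeable identifier; dropped lists the discarded ids.
func MergeDuplicates(vs []Vulnerability) (kept []Vulnerability, dropped []string, err error) {
	byFP := map[string][]int{} // fingerprint -> indexes into kept
next:
	for _, v := range vs {
		fp, ferr := LocationFingerprint(v)
		if ferr != nil {
			return nil, nil, ferr
		}
		for _, i := range byFP[fp] {
			if sharesIdentifier(kept[i].Identifiers, v.Identifiers) {
				dropped = append(dropped, v.ID)
				continue next
			}
		}
		byFP[fp] = append(byFP[fp], len(kept))
		kept = append(kept, v)
	}
	return kept, dropped, nil
}
```

Note that a vulnerability whose only shared identifier is a CWE is kept as a separate finding, which is the behaviour the paragraph above describes.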
#### Severity and confidence
The `severity` field describes how much the vulnerability impacts the software, whereas the `confidence` field describes how reliable the assessment of the vulnerability is. The severity is used to sort the vulnerabilities in the Security Dashboard.
The severity ranges from `Info` to `Critical`, but it can also be `Unknown`. Valid values are: `Unknown`, `Info`, `Low`, `Medium`, `High`, or `Critical`.
The confidence ranges from `Low` to `Confirmed`, but it can also be `Unknown`, `Experimental`, or even `Ignore` if the vulnerability is to be ignored. Valid values are: `Ignore`, `Unknown`, `Experimental`, `Low`, `Medium`, `High`, or `Confirmed`.
An `Unknown` value means that data is unavailable to determine the actual value. Therefore, it may be `high`, `medium`, or `low`, and needs to be investigated. We have [provided a chart](../../user/application_security/sast/analyzers.html#analyzers-data) of the available SAST analyzers and what data is currently available.
### Remediations
The `remediations` field of the report is an array of remediation objects. Each remediation describes a patch that can be applied to [automatically fix](../../user/application_security/#solutions-for-vulnerabilities-auto-remediation) a set of vulnerabilities.
Here is an example of a report that contains remediations.
```json
{
  "vulnerabilities": [
    {
      "category": "dependency_scanning",
      "name": "Regular Expression Denial of Service",
      "id": "123e4567-e89b-12d3-a456-426655440000",
      "solution": "Upgrade to new versions.",
      "scanner": {
        "id": "gemnasium",
        "name": "Gemnasium"
      },
      "identifiers": [
        {
          "type": "gemnasium",
          "name": "Gemnasium-642735a5-1425-428d-8d4e-3c854885a3c9",
          "value": "642735a5-1425-428d-8d4e-3c854885a3c9"
        }
      ]
    }
  ],
  "remediations": [
    {
      "fixes": [
        {
          "id": "123e4567-e89b-12d3-a456-426655440000"
        }
      ],
      "summary": "Upgrade to new version",
      "diff": "ZGlmZiAtLWdpdCBhL3lhcm4ubG9jayBiL3lhcm4ubG9jawppbmRleCAwZWNjOTJmLi43ZmE0NTU0IDEwMDY0NAotLS0gYS95Y=="
    }
  ]
}
```
#### Summary
The `summary` field is an overview of how the vulnerabilities have been fixed. This field is required.
#### Fixed vulnerabilities
The `fixes` field is an array of objects that reference the vulnerabilities fixed by the remediation. `fixes[].id` contains the [unique identifier](#id) of a fixed vulnerability. This field is required.
#### Diff
The `diff` field is a base64-encoded remediation code diff, compatible with [`git apply`](https://git-scm.com/docs/git-format-patch#_discussion). This field is required.
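An added Go example (not GitLab's own code) that builds a remediation object from a unified diff and checks the cross-references in a finished report: every `fixes[].id` must name a vulnerability in the same report, the three required fields must be present, and `diff` must decode to a patch. The prefix test in `looksLikePatch` is a cheap sanity check of this example's own, and the sample patch and version numbers in `main` are constructed.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Fix references a vulnerability by the id it carries in the report's vulnerabilities array.
type Fix struct {
	ID string `json:"id"`
}

// Remediation mirrors the report's remediation object; all three fields are required.
type Remediation struct {
	Fixes   []Fix  `json:"fixes"`
	Summary string `json:"summary"`
	Diff    string `json:"diff"`
}

// looksLikePatch is a cheap check that the text is a unified diff of the kind
// git apply accepts; it does not replace running `git apply --check` on it.
func looksLikePatch(p string) bool {
	return strings.HasPrefix(p, "diff --git ") || strings.HasPrefix(p, "--- ")
}

// NewRemediation builds a remediation from a unified diff and the ids of the
// vulnerabilities it fixes, base64-encoding the diff as the format requires.
func NewRemediation(summary, patch string, fixedIDs ...string) (Remediation, error) {
	if summary == "" || len(fixedIDs) == 0 || !looksLikePatch(patch) {
		return Remediation{}, errors.New("summary, at least one fixed id and a unified diff are required")
	}
	r := Remediation{Summary: summary, Diff: base64.StdEncoding.EncodeToString([]byte(patch))}
	for _, id := range fixedIDs {
		r.Fixes = append(r.Fixes, Fix{ID: id})
	}
	return r, nil
}

// DecodeDiff returns the patch text a remediation carries.
func DecodeDiff(r Remediation) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(r.Diff)
	if err != nil {
		return "", fmt.Errorf("diff is not valid base64: %w", err)
	}
	if !looksLikePatch(string(raw)) {
		return "", errors.New("decoded diff is not a unified diff")
	}
	return string(raw), nil
}

// ValidateRemediations parses a whole report and checks the cross-references
// GitLab relies on: every fixes[].id must name a vulnerability in the same
// report, the required fields must be present, and the diff must decode.
func ValidateRemediations(report []byte) error {
	var r struct {
		Vulnerabilities []struct {
			ID string `json:"id"`
		} `json:"vulnerabilities"`
		Remediations []Remediation `json:"remediations"`
	}
	if err := json.Unmarshal(report, &r); err != nil {
		return err
	}
	known := map[string]bool{}
	for _, v := range r.Vulnerabilities {
		known[v.ID] = true
	}
	for i, rem := range r.Remediations {
		if rem.Summary == "" || len(rem.Fixes) == 0 {
			return fmt.Errorf("remediations[%d]: summary and fixes are required", i)
		}
		for _, f := range rem.Fixes {
			if !known[f.ID] {
				return fmt.Errorf("remediations[%d]: fixes id %q matches no vulnerability", i, f.ID)
			}
		}
		if _, err := DecodeDiff(rem); err != nil {
			return fmt.Errorf("remediations[%d]: %w", i, err)
		}
	}
	return nil
}

func main() {
	// Constructed sample patch: bumps a dependency version in package.json.
	patch := "diff --git a/package.json b/package.json\n" +
		"--- a/package.json\n+++ b/package.json\n" +
		"@@ -1,3 +1,3 @@\n {\n-  \"debug\": \"2.6.8\"\n+  \"debug\": \"2.6.9\"\n }\n"
	rem, err := NewRemediation("Upgrade debug to 2.6.9", patch, "123e4567-e89b-12d3-a456-426655440000")
	if err != nil {
		panic(err)
	}
	out, _ := json.MarshalIndent(rem, "", "  ")
	fmt.Println(string(out))
}
```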
## Limitations
### Container Scanning
Container Scanning currently has the following limitations:
* Although the Security Dashboard can display scan results from multiple images, if multiple vulnerabilities have the same fingerprint, only the first instance of that vulnerability is displayed. We're working on removing this limitation. You can follow our progress on the issue [Change location fingerprint for Container Scanning](https://gitlab.com/gitlab-org/gitlab/-/issues/215466).
* Different scanners might each report the same vulnerability, resulting in duplicate findings.