
Security

Description of the content structure of the scan result json file

After your application finishes its scan, upload the result file to the platform through the OpenAPI endpoint (Save security scan results). Once uploaded, the results are shown on the corresponding repository's Security -> Code Scan page. Note that the example at the end of this page wraps the result object in a top-level `runs` array, which the Scan Result table below does not list, and it spells the `repository` key as `respository`; confirm the exact top-level layout the endpoint accepts before relying on the example verbatim.

Scan Result property description

property name | type | description | required
scanInfo | Object | Object containing information about the scan | yes
repository | Object | Information object about the code repository | yes
app | Object | Application information object | yes
leakResults | Array | Array of vulnerability detection results | no
permitResults | Array | Array of license detection results | no
maintenanceResults | Array | Array of detection results about maintenance (upstream supply) risks | no
codeResults | Array | Array of static code analysis results | no
comprehensiveReport | String | Link (URL) to the consolidated report document | yes

scanInfo property description

property name | type | description | required
type | String | Trigger type (the example uses "Webhook") | yes
id | String | ID of the event that triggered the scan task | yes
sender | Object | Information about who triggered the scan | yes

scanInfo.sender property description

property name | type | description | required
id | String | User or organization ID | yes
type | String | Sender type: user or org (the example uses "User") | yes
login | String | Username | yes

repository property description

property name | type | description | required
id | String | Repository ID | yes
name | String | Repository name | yes
branch | String | Repository branch | yes
commitId | String | Commit ID (the example uses a full 40-character hash) | no
permit | String | License information (e.g. "GPL-3.0" in the example) | no

app property description

property name | type | description | required
id | String | App ID | yes
name | String | App name | yes
version | String | App version | no

leakResults property description

child property | type | description | required
name | String | Vulnerability name | yes
number | String | Vulnerability identifier (a CVE ID such as "cve-2020-1000" in the example) | yes
precision | String | Risk level, 0: Unclassified, 1: Urgent, 2: High risk, 3: Moderate risk, 4: Low risk (note: permitResults.precision uses a different 1-3 scale) | yes
properties | Object | Object containing additional properties of the vulnerability | no
NVDCVSS3Properties | Object | Object containing the CVSS v3 metrics of the vulnerability | yes
locations | Array | Array of objects describing where the vulnerable component is located | yes

leakResults.properties property description

child property | type | description | required
description | String | Vulnerability description | no
releaseTime | String | Publication time | no
PoC | Array | Proof-of-concept (PoC) examples, array of strings | no
officialPatchesLink | Array | Official patch links, array of strings | no
mitigates | String | Mitigation measures, free-text description | no
referLinks | Array | Reference links, array of strings | no
suggestions | Array | Remediation suggestions (see the table below) | no

leakResults.properties.suggestions property description

child property | type | description | required
title | String | Suggestion title | yes
description | String | Suggestion description | yes

leakResults.NVDCVSS3Properties property description

child property | type | description | required
score | Number | CVSS v3 base score. CVSS v3 scores range from 0.0 to 10.0; the value 75 in the example below is outside that range | yes
AV | String | Attack Vector (the page does not state whether the metric fields hold CVSS abbreviations such as "N"/"L" or descriptive labels; the example uses descriptive text) | yes
AC | String | Attack Complexity | yes
PR | String | Privileges Required | yes
UI | String | User Interaction | yes
S | String | Scope | yes
C | String | Confidentiality impact | yes
I | String | Integrity impact | yes
A | String | Availability impact | yes

leakResults.locations property description

child property | type | description
physicalLocation | Object | Object describing the physical location

leakResults.locations.physicalLocation property description

child property | type | description
artifactLocation | Object | Object describing the component's location

leakResults.locations.physicalLocation.artifactLocation property description

child property | type | description | required
name | String | Component name | yes
version | String | Component version | yes
fixVersion | String | Version of the component in which the vulnerability is fixed | no
uri | String | URI of the file that declares the component (e.g. "src/pom.xml" in the example) | yes

permitResults property description

child property | type | description | required
name | String | License name / information | yes
componentName | String | Component name | yes
componentVersion | String | Component version | yes
conflictComponentName | String | Conflicting component name | no
conflictComponentVersion | String | Conflicting component version | no
conflictDescription | Array | Conflict descriptions, array of strings | no
precision | String | Risk level, 1: High risk, 2: Medium risk, 3: Low risk (note: this 1-3 scale differs from the 0-4 scale used by leakResults and codeResults) | yes
properties | Object | Object containing properties of the license | yes
locations | Array | Array of objects describing where the license file is located | yes

permitResults.properties property description

child property | type | description | required
description | String | License description | yes
referLinks | Array | Reference links, array of strings | no

permitResults.locations property description

child property | type | description
physicalLocation | Object | Object describing the physical location

permitResults.locations.physicalLocation property description

child property | type | description
artifactLocation | Object | Object describing the license file's location

permitResults.locations.physicalLocation.artifactLocation property description

child property | type | description | required
uri | String | Location of the LICENCE file | yes
conflictUri | String | Location of the conflicting LICENCE file | no

maintenanceResults property description

child property | type | description | required
name | String | Component name | yes
version | String | Component version | yes
address | String | Upstream project address (URL) | yes
type | String | Risk type: supply-interruption risk or service-suspension risk (the example uses the Chinese label "断供风险"; confirm the exact accepted string values with the platform) | yes
properties | Object | Object containing properties of the risk | yes

maintenanceResults.properties property description

child property | type | description | required
description | String | Risk description | yes
referLinks | Array | Reference links, array of strings | no

codeResults property description

child property | type | description | required
name | String | Risk name | yes
precision | String | Risk level, 0: Unclassified, 1: Urgent, 2: High risk, 3: Moderate risk, 4: Low risk (same scale as leakResults.precision) | yes
properties | Object | Object containing properties of the risk | yes
locations | Array | Array of objects describing where the risk is located in the code | yes

codeResults.properties property description

child property | type | description | required
description | String | Risk description | yes
referLinks | Array | Reference links, array of strings | no

codeResults.locations property description

child property | type | description
physicalLocation | Object | Object describing the physical location

codeResults.locations.physicalLocation property description

child property | type | description
artifactLocation | Object | Object containing information about the location of the code

codeResults.locations.physicalLocation.artifactLocation property description

child property | type | description | required
uri | String | URI of the source file containing the flagged code | yes

codeResults.locations.physicalLocation.region property description (note: in the example below, region is a sibling of artifactLocation inside physicalLocation, not nested under artifactLocation as this heading's path suggests; follow the example's placement until the spec is confirmed)

child property | type | description | required
startLine | Number | Start line of the flagged code | yes
startColumn | Number | Start column of the flagged code | yes
endColumn | Number | End column of the flagged code (no endLine field is listed) | yes

Example

{
"runs":[
{
"scanInfo":{
"type":"Webhook",
"id":"123",
"sender":{
"id":"321",
"type":"User",
"login":"username"
}
},
"respository":{
"id": "35170",
"name":"respositoryName",
"branch":"master",
"commitId":"1234567890123456789012345678901234567890",
"permit":"GPL-3.0"
},
"app":{
"id": "324",
"name": "毒霸爸爸",
"version": "1.0.0"
},
"leakResults":[
{
"name":"远程脚本执行漏洞",
"number":"cve-2020-1000",
"precision": "1",
"properties":{
"description":"漏洞描述",
"releaseTime": "2019-08-14",
"PoC": ["POC"],
"officialPatchesLink":[
"官方补丁链接1",
"官方补丁链接2"
],
"mitigates":"缓解措施文本描述",
"referLinks":[
"参考链接1",
"参考链接2"
],
"suggestions":[{
"title":"标题",
"description":"描述"
}]
},
"NVDCVSS3Properties":{
"score":75,
"AV":"攻击向量",
"AC":"攻击复杂度",
"PR":"权限要求",
"UI":"用户交互",
"S":"影响范围",
"C":"机密性",
"I":"完整性 ",
"A":"可用性"
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"name":"组件名称",
"version":"组件版本",
"fixVersion":"对应组件的修复版本",
"uri": "src/pom.xml"
}
}
}
]
}
],
"permitResults":[
{
"name":"GPL",
"componentName":"组件名称",
"componentVersion":"组件版本",
"conflictComponentName":"冲突组件名称",
"conflictComponentVersion":"冲突组件版本",
"conflictDescription":["冲突描述1","冲突描述2"],
"precision":"1",
"properties":{
"description":"许可证描述",
"referLinks":[
"参考链接1",
"参考链接2"
]
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "src/package/xxxxx/LICENCE",
"conflictUri": "src/package/yyyy/LICENCE"
}
}
}
]
}
],
"maintenanceResults":[
{
"name":"组件名称",
"version":"组件版本",
"address": "https://atomgit.com/xxx/yyy",
"type":"断供风险",
"properties":{
"description":"risk description",
"referLinks":[
"参考链接1",
"参考链接2"
]
}
}
],
"codeResults":[
{
"name":"未使用到的变量",
"precision":"1",
"properties":{
"description":"risk description",
"referLinks":[
"参考链接1",
"参考链接2"
]
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "src/main.js"
},
"region": {
"startLine": 2,
"startColumn": 7,
"endColumn": 10
}
}
}
]
}
],
"comprehensiveReport":"https://atomgit.oss-cn-beijing.aliyuncs.com/security/result/代码风险报告.doc"
}
]
}