Перейти к содержанию

Приложение 17. Отчеты для импорта информации о проблемах безопасности

JSON-схема отчета

Примечание

Для обозначения обязательных полей используется ключ required. Их отсутствие приводит к ошибкам импорта.

{
  "$schema": "https://json-schema.org/draft/2020-12/schema",
  "$id": "https://docs.appsec-hub.ru/",
  "title": "Hub.Report Results Format Version 1.0.0 JSON Schema",
  "description": "This schema provides the AppSec.Hub report format for Application Security Testing analyzers",
  "type": "object",
  "properties": {
    "$schema": {
      "description": "The URI of the JSON schema corresponding to the version",
      "type": "string",
      "format": "uri"
    },
    "version": {
      "description": "The Hub.Report format version of this log file",
      "enum": [ "1.0.1" ],
      "type": "string"
    },
    "scans": {
      "description": "The set of scans contained in this log file",
      "type": "array",
      "items": {
        "$ref": "#/definitions/scan"
      }
    }
  },
  "required": [
    "version", "scans"
  ],


  "definitions": {
    "scan": {
      "description": "Describes a single run of an analysis tool, and contains the reported output of that run",
      "type": "object",
      "required": [
        "source", "tool", "results"
      ],
      "properties": {
        "scanDetails": {
          "description": "Information that describes a scan's identity",
          "$ref": "#/definitions/scanDetails"
        },
        "source": {
          "description": "List of scan sources - codebase, artifact or instance details that was analyzed",
          "type": "array",
          "items": {
            "oneOf": [
              {
                "$ref": "#/definitions/codebase"
              },
              {
                "$ref": "#/definitions/artifact"
              },
              {
                "$ref": "#/definitions/instance"
              }
            ]
          }
        },
        "tool": {
          "description": "Information about The analysis tool that was run",
          "$ref": "#/definitions/tool"
        },
        "results": {
          "description": "The set of results contained in an log. The results array can be omitted when a run is solely exporting rules metadata. It must be present (but may be empty) if a log file represents an actual scan",
          "type": "array",
          "items": {
            "$ref": "#/definitions/result"
          }
        }
      }
    },

    "scanDetails": {         
      "type": "object",
      "properties": {
        "description": {
          "description": "A description of the identity and role played within the engineering system by this object's containing scan object",
          "type": "string"
        },
        "id": {
          "description": "A hierarchical string that uniquely identifies this object's containing scan object",
          "type": "string"
        },
        "guid": {
          "description": "A stable, unique identifier for this object's containing scan object in the form of a GUID",
          "type": "string"
        },
        "baselineGuid": {
          "description": "The 'guid' property of a previous 'scan'",
          "type": "string"
            },
        "scanDate": {
          "description": "The Coordinated Universal Time (UTC) date and time at which the analysis tool generated the notification",
          "type": "string",
          "format": "date-time"
        },
        "reportLink": {
          "description": "Report link",
          "type": "string"
        },
        "properties": {
          "description": "Key/value pairs that provide additional information about the scan automation details",
          "$ref": "#/definitions/propertyBag"
        }
      }
    },

    "codebase": {
      "description": "Codebase information that was analyzed",
      "type": "object",
      "required": [
        "type", "id", "url", "checkoutPath", "vcsType"
      ],
      "properties": {
        "type": {
          "type": "string",
          "description": "Source type",
          "enum": [ "codebase" ]
        },
        "id": {
          "type": "string",
          "description": "Unique source ID"
        },
        "name": {
          "type": "string",
          "description": "Codebase display name"
        },
        "url": {
          "maxLength": 256,
          "minLength": 0,
          "type": "string",
          "description": "Repository URL"
        },
        "checkoutPath": {
          "type": "string",
          "description": "Codebase checkout path"
        },
        "branch": {
          "maxLength": 128,
          "minLength": 0,
          "pattern": "^(?!.*\\/\\.)(?!.*\\.\\.)(?!\\/)(?!.*\\/\\/)(?!.*@\\{)(?!.*\\\\)(?!^@$)[^\u0000-\u001f ~^:?*\\[]*\\/?[^\u0000-\u001f ~^:?*\\[]+(?<!\\.lock)(?<!\\/)(?<!\\.)$",
          "type": "string",
          "description": "Branch name",
          "default": "master"
        },
        "commit": {
          "maxLength": 128,
          "minLength": 0,
          "type": "string",
          "description": "Commit hash",
          "default": "master"
        },
        "vcsType": {
          "pattern": "git",
          "type": "string",
          "description": "Type of VCS repository - \"git\"",
          "enum": [ "git" ]
        },
        "buildTool": {
          "pattern": "maven|gradle|nuget|npm|pip",
          "type": "string",
          "description": "Build tool used to compile this source code. Default: maven",
          "example": "maven",
          "enum": [ "maven" ]
        },
        "branchFilter": {
          "maxLength": 128,
          "minLength": 0,
          "pattern": "^(?!.*\\/\\.)(?!.*\\.\\.)(?!\\/)(?!.*\\/\\/)(?!.*@\\{)(?!.*\\\\)(?!^@$)[^\u0000-\u001f ~^:?\\[]*\\/?[^\u0000-\u001f ~^:?\\[]+(?<!\\.lock)(?<!\\/)(?<!\\.)$",
          "type": "string",
          "description": "Filter pattern for branches to scanned. Default: * (all branches)"
        }
      }
    },

    "artifact": {
      "description": "Artifact information that was analyzed",
      "type": "object",

      "required": [
        "type", "id", "name", "url"
      ],
      "properties": {
        "type": {
          "type": "string",
          "description": "Source type",
          "enum": [ "artifact" ]
        },
        "id": {
          "type": "string",
          "description": "Unique source ID"
        },
        "name": {
          "type": "string",
          "description": "Artifact name"
        },
        "url": {
          "maxLength": 256,
          "minLength": 0,
          "type": "string",
          "description": "Artifact URL"
        }
      }
    },

    "instance": {
      "description": "Instance information that was analyzed",
      "type": "object",
      "required": [
        "type", "id", "url"
      ],
      "properties": {
        "type": {
          "type": "string",
          "description": "Source type",
          "enum": [ "instance" ]
        },
        "id": {
          "type": "string",
          "description": "Unique source ID"
        },
        "name": {
          "type": "string",
          "description": "Application instance name"
        },
        "url": {
          "maxLength": 256,
          "minLength": 0,
          "type": "string",
          "description": "Instance URL"
        },
        "stage": {
          "type": "string",
          "description": "Stage (system test, integration acceptance test, user acceptance test, stage, production)",
          "enum": ["ST", "IAT", "UAT", "STG", "PROD"]
        }
      }
    },

    "tool": {
      "type": "object",
      "required": [ "product" ],
      "properties": {

        "product": {
          "description": "The code of the product",
          "type": "string"
        },
        "guid": {
          "description": "A unique identifier for the tool component in the form of a GUID",
          "type": "string"
        },
        "version": {
          "description": "The tool component version",
          "type": "string"
        },
        "informationUri": {
          "description": "The absolute URI at which information about this version of the tool component can be found",
          "type": "string",
          "format": "uri"
        }
      }
    },

    "result": {         
      "type": "object",
      "description": "A result produced by an analysis tool",
      "properties": {

        "rules": {
          "description": "rules",
          "$ref": "#/definitions/rules"
        },
        "locations": {
          "description": "locations",
          "$ref": "#/definitions/locations"
        },
        "findings": {
          "description": "findings",
          "$ref": "#/definitions/findings"
        }
      }
    },

    "rules": {
      "description": "Tool rules",
      "type": "array",
      "items": {
       "oneOf": [
         {
           "$ref": "#/definitions/sastRule"
           },
          {
           "$ref": "#/definitions/sca_cRule"
          },
          {
           "$ref": "#/definitions/sca_sRule"
          },
          {
            "$ref": "#/definitions/dastRule"
          }
        ]
       }
     },

    "sastRule": {
      "description": "SAST vulnerability rule details",
      "type": "object",

      "required": [
        "type", "id", "name", "severity"
      ],
      "properties": {
        "type": {
          "type": "string",
          "description": "Rule type",
          "enum": [ "sast" ]
        },
        "id": {
          "type": "string",
          "description": "The stable, unique identifier of the rule"
        },
        "name": {
          "type": "string",
          "description": "The name of the rule"
        },
        "severity": {
          "description": "A value specifying the severity level of the result",
          "$ref": "#/definitions/severity"
        },
        "description": {
          "type": "string",
          "description": "Rule description"
        },
        "cwe": {
          "type": "array",
          "description": "Vulnerability CWE",
          "items": {
            "$ref": "#/definitions/cwe"
          }
        },
        "recommendation": {
          "type": "string",
          "description": "Vulnerability recommendation"
        },
        "cause": {
          "type": "string",
          "description": "Vulnerability cause"
        },
        "risk": {
          "type": "string",
          "description": "Vulnerability risk"
        },
        "example": {
          "type": "string",
          "description": "Vulnerability source code example"
        },
        "extraInformation": {
          "description": "Additional Information about Rule",
          "$ref": "#/definitions/propertyBag"
        }
      }
    },

    "sca_sRule": {
      "description": "SCA Security vulnerability rule details",
      "type": "object",
      "required": [
        "type", "id", "severity", "cveId"
      ],
      "properties": {
        "type": {
          "type": "string",
          "description": "Rule type",
          "enum": [ "sca_s" ]
        },
        "id": {
          "type": "string",
          "description": "The stable, unique identifier of the rule"
        },
        "name": {
          "type": "string",
          "description": "The name of the rule"
        },
        "severity": {
          "description": "Vulnerability severity",
          "$ref": "#/definitions/severity"
        },
        "description": {
          "type": "string",
          "description": "Rule description"
        },
        "cveId": {
          "type": "string",
          "description": "CVE Id"
        },
        "cveLink": {
          "type": "string",
          "description": "CVE Link"
        },
        "cwe": {
          "type": "array",
          "description": "Vulnerability CWE",
          "items": {
            "$ref": "#/definitions/cwe"
          }
        },
        "cvss2Score": {
          "type": "string",
          "description": "Vulnerability score"
        },
        "cvss2Vector": {
          "type": "string",
          "description": "cvss2 vector"
        },
        "cvss3Score": {
          "type": "string",
          "description": "Vulnerability score"
        },
        "cvss3Vector": {
          "type": "string",
          "description": "cvss3 vector"
        },
        "recommendation": {
          "type": "string",
          "description": "Rule recommendation"
        },
        "details": {
          "type": "string",
          "description": "Rule details"
        },
        "fixVersions": {
          "type": "array",
          "description": "List of fix versions ",
          "items": {
            "type": "string"
          }
        },
        "publishedDate": {
          "type": "string",
          "description": "Vulnerability publication date"
        },
        "lastModified": {
          "type": "string",
          "description": "Vulnerability last modified date date"
        },
        "references": 
        {
          "type": "array",
          "description": "Rule references",
          "items": {
            "type": "string",
            "format": "uri"
          }
        },
        "extraInformation": {
          "description": "Additional Information about Rule",
          "$ref": "#/definitions/propertyBag"
        }
      }
    },

    "sca_cRule": {
      "description": "SCA Compliance rule details",
      "type": "object",

      "required": [
        "type", "id", "name", "severity"
      ],
      "properties": {
        "type": {
          "type": "string",
          "description": "Rule type",
          "enum": [ "sca_c" ]
        },
        "id": {
          "type": "string",
          "description": "The stable, unique identifier of the rule"
        },
        "name": {
          "type": "string",
          "description": "The name of the policy"
        },
        "severity": {
          "description": "Rule severity",
          "$ref": "#/definitions/severity"
        },
        "description": {
          "type": "string",
          "description": "Rule description"
        },
        "policyConditions": {
          "type": "array",
          "description": "Policy condition",
          "items": {
            "$ref": "#/definitions/policyCondition"
          }
        },
        "extraInformation": {
          "description": "Additional Information about Rule",
          "$ref": "#/definitions/propertyBag"
        }
      }
    },

    "dastRule": {
      "description": "DAST vulnerability Rule details",
      "type": "object",
      "required": [
        "type", "id", "name", "severity"
      ],
      "properties": {
        "type": {
          "type": "string",
          "description": "Rule type",
          "enum": [ "dast" ]
        },
        "id": {
          "type": "string",
          "description": "The stable, unique identifier of the rule"
        },
        "name": {
          "type": "string",
          "description": "The name of the rule"
        },
        "severity": {
          "description": "Vulnerability severity",
          "$ref": "#/definitions/severity"
        },
        "description": {
          "type": "string",
          "description": "Rule description"
        },
        "recommendation": {
          "type": "string",
          "description": "Rule recommendation"
        },
        "cwe": {
          "type": "array",
          "description": "Vulnerability CWE",
          "items": {
            "$ref": "#/definitions/cwe"
          }
        },
        "cvss2Score": {
          "type": "string",
          "description": "Vulnerability score"
        },
        "cvss2Vector": {
          "type": "string",
          "description": "cvss2 vector"
        },
        "cvss3Score": {
          "type": "string",
          "description": "Vulnerability score"
        },
        "cvss3Vector": {
          "type": "string",
          "description": "cvss3 vector"
        },
        "extraInformation": {
          "description": "Additional Information about Rule",
          "$ref": "#/definitions/propertyBag"
        }
      }
    },

    "locations": {
      "description": "Locations",
      "type": "array",
      "items": {
       "oneOf": [
         {
           "$ref": "#/definitions/codebaseLocation"
           },
          {
           "$ref": "#/definitions/componentLocation"
          },
          {
            "$ref": "#/definitions/instanceLocation"
          }
        ]
       }
     },

    "codebaseLocation": {
      "description": "The location of the codebase",
      "type": "object",
      "required": [
        "type", "id", "sourceId", "fileName", "language"
      ],
      "properties": {
        "type": {
          "type": "string",
          "description": "Location type",
          "enum": [ "codebase" ]
        },
        "id": {
          "type": "string",
          "description": "Codebase location id"
        },
        "sourceId": {
          "type": "string",
          "description": "Source ID"
        },
        "fileName": {
          "type": "string",
          "description": "File name"
        },
        "language": {
          "type": "string",
          "description": "Language"
        }
      }
    },

    "componentLocation": {
      "description": "The location of the component",
      "type": "object",
      "required": [
        "type", "id", "sourceId", "componentName", "componentVersion"
      ],
      "properties": {
        "type": {
          "type": "string",
          "description": "Location type",
          "enum": [ "component" ]
        },
        "id": {
          "type": "string",
          "description": "Component location id"
        },
        "sourceId": {
          "type": "string",
          "description": "Source ID"
        },
        "componentName": {
          "type": "string",
          "description": "The name of the component"
        },
        "componentVersion": {
          "type": "string",
          "description": "The version of the component"
        },
        "vendor": {
          "type": "string",
          "description": "vendor"
        },
        "group": {
          "type": "string",
          "description": "The group of the component"
        },
        "packageUrl": {
          "type": "string",
          "description": "The purl of the component"
        },
        "cpe": {
          "type": "string",
          "description": "The cpe of the component"
        },
        "filePath": {
          "type": "string",
          "description": "filePath"
        },
        "licenses": {
          "type": "array",
          "description": "List of library licenses",
          "items": {
            "$ref": "#/definitions/license"
          }
        },
        "published": {
          "type": "string",
          "description": "Library publication date"
        },
        "lastModified": {
          "type": "string",
          "description": "Date of last library update"
        },
        "description": {
          "type": "string",
          "description": "description"
        }
      }
    },

    "instanceLocation": {
      "description": "The location of the instance",
      "type": "object",
      "required": [
        "type", "id", "sourceId", "url"
      ],
      "properties": {
        "type": {
          "type": "string",
          "description": "Location type",
          "enum": [ "instance" ]
        },
        "id": {
          "type": "string",
          "description": "Instance location id"
        },
        "sourceId": {
          "type": "string",
          "description": "Source ID"
        },
        "url": {
          "type": "string",
          "description": "url"
        },
        "description": {
          "type": "string",
          "description": "description"
        }
      }
    },

    "findings": {
      "description": "Findings",
      "type": "array",
      "items": {
       "oneOf": [
         {
           "$ref": "#/definitions/sastFinding"
           },
          {
           "$ref": "#/definitions/sca_cFinding"
          },
          {
           "$ref": "#/definitions/sca_sFinding"
          },
          {
            "$ref": "#/definitions/dastFinding"
          }
        ]
       }
     },

    "sastFinding": {
      "description": "SAST finding",
      "type": "object",

      "required": [
        "type", "id", "ruleId", "locationId"
      ],
      "properties": {
        "type": {
          "type": "string",
          "description": "Finding type",
          "enum": [ "sast" ]
        },
        "id": {
          "type": "string",
          "description": "Issue External ID"
        },
        "ruleId": {
          "type": "string",
          "description": "Rule Id"
        },
         "locationId": {
          "type": "string",
          "description": "Codebase location Id"
        },
        "line": {
          "type": "string",
          "description": "Line number"
        },
         "code": {
          "type": "string",
          "description": "Source code"
        },
        "status": {
          "type": "string",
          "description": "Finding status",
          "$ref": "#/definitions/status"
        },
        "description": {
          "type": "string",
          "description": "description"
        },
        "stacks": {
          "type": "array",
          "description": "The sequence of function calls leading to the finding",
          "items": {
            "$ref": "#/definitions/stack"
          }
        },
        "toolFindingLink": {
          "type": "string",
          "description": "Tool finding link"
        }
      }
    },

    "sca_sFinding": {
      "description": "SCA Security finding",
      "type": "object",
      "required": [
        "type", "id", "locationId", "ruleId"
      ],
      "properties": {
        "type": {
          "type": "string",
          "description": "Finding type",
          "enum": [ "sca_s" ]
        },
        "id": {
          "type": "string",
          "description": "Issue External ID"
        },
        "ruleId": {
          "type": "string",
          "description": "Rule Id"
        },
        "locationId": {
          "type": "string",
          "description": "Component location Id"
        },
         "path": {
         "type": "array",
         "description": "Path",
         "items": {
            "type": "string"
             }
          },
        "status": {
          "type": "string",
          "description": "Finding status",
          "$ref": "#/definitions/status"
        },
        "description": {
          "type": "string",
          "description": "description"
        },
        "toolFindingLink": {
          "type": "string",
          "description": "Tool finding link"
        }
      }
    },

    "sca_cFinding": {
      "description": "SCA Compliance finding",
      "type": "object",
      "required": [
        "type", "id", "locationId", "ruleId"
      ],
      "properties": {
        "type": {
          "type": "string",
          "description": "Finding type",
          "enum": [ "sca_c" ]
        },
        "id": {
          "type": "string",
          "description": "Issue External ID"
        },
        "ruleId": {
          "type": "string",
          "description": "Rule Id"
        },
        "locationId": {
          "type": "string",
          "description": "Component location Id"
        },
        "path": {
          "type": "array",
          "description": "Path",
          "items": {
            "type": "string"
             }
         },
        "status": {
          "type": "string",
          "description": "Finding status",
          "$ref": "#/definitions/status"
        },
        "description": {
          "type": "string",
          "description": "description"
        },
         "group": {
          "type": "string",
          "description": "License group"
        },
        "reason": {
          "type": "array",
          "description": "description",
          "items": {
            "type": "object",
            "properties": {
              "policyConditionId": {
                "type": "string"
              },
              "effectiveLicenses": {
                "type": "array",
                "description": "List of effective licenses",
                "items": {
                  "$ref": "#/definitions/license"
                }
              }
            }
          }
        },
        "toolFindingLink": {
          "type": "string",
          "description": "Tool finding link"
        }
      }
    },

    "dastFinding": {
      "description": "DAST finding",
      "type": "object",
      "required": [
        "type", "id", "locationId", "ruleId", "url"
      ],
      "properties": {
        "type": {
          "type": "string",
          "description": "Finding type",
          "enum": [ "dast" ]
        },
        "id": {
          "type": "string",
          "description": "Issue External ID"
        },
        "ruleId": {
          "type": "string",
          "description": "Rule Id"
        },
        "locationId": {
          "type": "string",
          "description": "Instance location Id"
        },
        "url": {
          "type": "string",
          "description": "url"
        },
        "status": {
          "type": "string",
          "description": "Finding status",
          "$ref": "#/definitions/status"
        },
        "description": {
          "type": "string",
          "description": "description"
        },
        "httpRequest": {
          "type": "string",
          "description": "Http request"
        },
        "httpResponce": {
          "type": "string",
          "description": "Http responce"
        },
        "toolFindingLink": {
          "type": "string",
          "description": "Tool finding link"
        }
      }
    },

    "policyCondition": {
      "description": "Policy condition",
      "type": "object",
      "required": [ "id" ],
      "properties": {
        "id": {
          "type": "string",
          "description": "Condition id"
        },
        "subject": {
          "type": "string",
          "description": "Condition subject"
        },
        "operator": {
          "type": "string",
          "description": "Condition operator"
        },
        "value": {
          "type": "string",
          "description": "Condition value"
        }
      }
    },

    "license": {
      "type": "object",
      "properties": {
        "id": {
          "type": "string",
          "description": "The License id"
        },
        "name": {
          "type": "string",
          "description": "The License name"
        }

      }
    },

    "stack": {
      "description": "Condition",
      "type": "object",

      "required": [
        "locationId", "line", "code"
      ],
      "properties": {
        "locationId": {
          "type": "string",
          "description": "Location Id"
        },
        "line": {
          "type": "integer",
          "minimum": 1,         
          "description": "Line number"
        },
        "sequence": {
          "type": "integer",
          "minimum": 1,
          "description": "Sequence"
        },
        "column": {
          "type": "integer",
          "minimum": 1,         
          "description": "Column number"
        },
        "code": {
          "type": "string",
          "description": "Source code"
        }
      }
    },

    "severity": {         
      "type": "string",
      "enum": [
        "Low", "Medium", "High", "Critical"
      ]
    },

    "status": {         
      "type": "string",
      "enum": [
        "To Verify", "Confirmed", "Open", "Fixed", "False Positive", "Accepted risk"
      ]
    },

    "cwe": {
      "type": "object",
      "required": [ "id" ],
      "properties": {
        "id": {
          "type": "integer",
          "description": "The CWE id"
        },
        "name": {
          "type": "string",
          "description": "The CWE name"
        },       
        "link": {
          "type": "string",
          "description": "The CWE link"
        }
      }
    },

    "propertyBag": {
      "description": "Key/value pairs that provide additional information about the object",
      "type": "object",
      "properties": {
        "tags": {
          "description": "A set of distinct strings that provide additional information",
          "type": "array",
          "uniqueItems": false,
          "default": [],
          "items": {
            "type": "string"
          }
        }
      }
    }
  }
}

Пример отчета

{
  "$schema": "https://docs.appsec-hub.ru/",
  "version": "1.0.1",
  "scans": [
    {
      "scanDetails": {
        "description": "description",
        "id": "Nightly code scan/2023-12-08",
        "guid": "BC650830-A9FE-44CB-8818-AD6C387279A0",
        "baselineGuid": "0A106451-C9B1-4309-A7EE-06988B95F723",
        "scanDate": "2023-09-01T12:12:12",
        "reportLink": "https://tool.com/dashboard?id=21112023_dvjamaster_1"
      },

      "source": [
        {
          "type": "codebase",
          "id": "F7",       
          "name": "maven-repository-master",
          "url": "https://gitlab.service.swordfishsecurity.com/open/maven-repository.git",
          "checkoutPath": "/",
          "branch": "master",
          "commit": "master",
          "vcsType": "git",
          "buildTool": "maven",
          "branchFilter": "master"
        },

        {
          "type": "artifact",
          "id": "S2",
          "name": "core-docker",
          "url": "https://nexus.test.com/java-web-project:9.17"
        },

        {
          "type": "instance",
          "id": "S3",       
          "name": "app1_inst2",
          "url": "https://your.company.com",
          "stage": "PROD"
        }
      ],

      "tool": {
        "product": "Your product",
        "guid": "BC650830-A9FE-44CB-8818-AD6C387279A0",
        "version": "1",
        "informationUri": "https://tool.com/"
      },

      "results": [
        {
          "rules": [
            {
              "type": "sast",
              "id": "R01",
              "name": "ORM Injection in Django",
              "severity": "Critical",
              "description": "description",
              "cwe": [
                {
                  "id": 89,
                  "name": "Improper Neutralization of Special Elements used in an SQL Command",
                  "link": "https://cwe.mitre.org/data/definitions/89.html"
                },
                {
                  "id": 67
                }
              ],
              "recommendation": "recommendation",
              "cause": "cause",
              "risk": "risk",
              "example": "example",
              "extraInformation": {
                "owasp": {
                  "Owasp": "A6",
                  "Owasp2017": "A3"
                }
              }
            },
            {
              "type": "sca_s",
              "id": "CVE-2023-6378",
              "name": "name",
              "severity": "Critical",
              "description": "description",
              "cveId": "CVE-2023-6378",
              "cveLink": "https://nvd.nist.gov/vuln/detail/CVE-2023-6378",            
              "cwe": [
                {
                  "id": 540
                },
                {
                  "id": 67
                }
              ],
              "cvss3Score": "7.1",
              "cvss3Vector": "AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H",
              "recommendation": "recommendation",
              "details": "details",
              "fixVersions": [
                "2.9.10.4"
                ],
              "publishedDate": "2023-29-11",
              "lastModified": "2023-29-11",

              "references": [ "https://nvd.nist.gov/vuln/detail/CVE-2023-6378"
              ]

            },
            {
              "type": "sca_c",
              "id": "Policy1",
              "name": "Policy name",
              "severity": "Critical",
              "description": "description",
              "policyConditions": [
                {
                  "id": "condition ID1",
                  "subject": "age",
                  "operator": "NUMERIC GREATER THAN",
                  "value": "5"
                },
                 {
                  "id": "condition ID2",
                  "subject": "License group",
                  "operator": "IS",
                  "value": "Copyleft"
                }

              ]
            },
            {
              "type": "dast",
              "id": "dastrule1",
              "name": "dastrule1",
              "severity": "Critical",
              "description": "description",
              "recommendation": "recommendation",
              "cwe": [
                {
                  "id": 540
                }
              ],
              "cvss3Score": "7.1",
              "cvss3Vector": "AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H"
            }
          ],

          "locations": [
            {
              "type": "codebase",
              "id": "L1",
              "sourceId": "S1",
              "fileName": "src/main/java/UserController.java",
              "language": "Java"
            },

            {
              "type": "component",
              "id": "L2",
              "sourceId": "S2",
              "componentName": "f",
              "componentVersion": "45",
              "vendor": "",
              "group": "",
              "packageUrl": "",
              "cpe": "",
              "filePath": "",
              "licenses": [
                {
                  "id": "",
                  "name": ""
                }
              ],
              "published": "",
              "lastModified": "",
              "description": ""

            },

            {
              "type": "instance",
              "id": "L3",
              "sourceId": "S3",
              "url": "345",
              "description": ""
            }

          ],

          "findings": [
            {
              "type": "sast",
              "id": "F1",
              "ruleId": "R01",
              "locationId": "L1",
              "line": "15",
              "code": "code",
              "status": "False Positive",
              "description": "description",
              "stacks": [
                {
                  "locationId": "L1",
                  "line": 15,
                  "sequence": 1,
                  "column": 20,
                  "code": "code"
                },
                {
                  "locationId": "L1",
                  "line": 16,
                  "sequence": 2,
                  "column": 20,
                  "code": "code"
                }
              ],
              "toolFindingLink": "http://toolFindingLink.com/finding/F1.html"
            },

            {
              "type": "sca_s",
              "id": "F2",
              "ruleId": "CVE-2023-6378",
              "locationId": "L2",
              "path": [
 ""
              ],
              "status": "False Positive",
              "description": "description",
              "toolFindingLink": "http://toolFindingLink.com/finding/F2.html"
            },

                        {
              "type": "sca_c",
              "id": "F3",
              "ruleId": "Policy1",
              "locationId": "L2",
              "path": [
               ""
              ],
              "status": "False Positive",
              "description": "description",
              "group": "Copyleft",
              "reason": [
                {
                  "policyConditionId": "condition ID2"
                },
                {
                  "effectiveLicenses": [
                    {
                   "id": "id",
                    "name": "Affero General Public License v1.0"
                    }

                  ]

                }

              ],

              "toolFindingLink": "http://toolFindingLink.com/finding/F3.html"
            },

            {
              "type": "dast",
              "id": "F4",
              "ruleId": "dastrule1",
              "locationId": "L3",
              "url": "url",
              "status": "False Positive",
              "description": "description",
              "httpRequest": "httpRequest",
              "httpResponse": "httpRequest",
              "toolFindingLink": "http://toolFindingLink.com/finding/F2.html"
            }
          ]
        }
      ]
    }
  ]
}
К началу