{
  "description": "VulnerabilityReport summarizes vulnerabilities in application dependencies and operating system packages\nbuilt into container images.",
  "properties": {
    "apiVersion": {
      "description": "APIVersion defines the versioned schema of this representation of an object.\nServers should convert recognized schemas to the latest internal value, and\nmay reject unrecognized values.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
      "type": "string"
    },
    "kind": {
      "description": "Kind is a string value representing the REST resource this object represents.\nServers may infer this from the endpoint the client submits requests to.\nCannot be updated.\nIn CamelCase.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
      "type": "string"
    },
    "metadata": {
      "type": "object"
    },
    "report": {
      "description": "Report is the actual vulnerability report data.",
      "properties": {
        "artifact": {
          "description": "Artifact represents a standalone, executable package of software that includes everything needed to\nrun an application.",
          "properties": {
            "digest": {
              "description": "Digest is a unique and immutable identifier of an Artifact.",
              "type": "string"
            },
            "mimeType": {
              "description": "MimeType represents a type and format of an Artifact.",
              "type": "string"
            },
            "repository": {
              "description": "Repository is the name of the repository in the Artifact registry.",
              "type": "string"
            },
            "tag": {
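              "description": "Tag is a mutable, human-readable string used to identify an Artifact. Because a tag can be re-pointed to different content, use Digest to identify exactly which Artifact was scanned.",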
              "type": "string"
            }
          },
          "type": "object",
          "additionalProperties": false
        },
        "os": {
          "description": "OS information of the artifact",
          "properties": {
            "eosl": {
              "description": "Eosl is true if the OS version has reached end of service life.",
              "type": "boolean"
            },
            "family": {
              "description": "Operating System Family",
              "type": "string"
            },
            "name": {
              "description": "Name or version of the OS",
              "type": "string"
            }
          },
          "type": "object",
          "additionalProperties": false
        },
        "registry": {
          "description": "Registry is the registry the Artifact was pulled from.",
          "properties": {
            "server": {
              "description": "Server is the FQDN of the registry server.",
              "type": "string"
            }
          },
          "type": "object",
          "additionalProperties": false
        },
        "scanner": {
          "description": "Scanner is the scanner that generated this report.",
          "properties": {
            "name": {
              "description": "Name is the name of the scanner.",
              "type": "string"
            },
            "vendor": {
              "description": "Vendor is the name of the vendor providing the scanner.",
              "type": "string"
            },
            "version": {
              "description": "Version is the version of the scanner.",
              "type": "string"
            }
          },
          "required": [
            "name",
            "vendor",
            "version"
          ],
          "type": "object",
          "additionalProperties": false
        },
        "summary": {
          "description": "Summary is a summary of Vulnerability counts grouped by Severity.",
          "properties": {
            "criticalCount": {
              "description": "CriticalCount is the number of vulnerabilities with Critical Severity.",
              "minimum": 0,
              "type": "integer"
            },
            "highCount": {
              "description": "HighCount is the number of vulnerabilities with High Severity.",
              "minimum": 0,
              "type": "integer"
            },
            "lowCount": {
              "description": "LowCount is the number of vulnerabilities with Low Severity.",
              "minimum": 0,
              "type": "integer"
            },
            "mediumCount": {
              "description": "MediumCount is the number of vulnerabilities with Medium Severity.",
              "minimum": 0,
              "type": "integer"
            },
            "noneCount": {
              "description": "NoneCount is the number of packages without any vulnerability.",
              "minimum": 0,
              "type": "integer"
            },
            "unknownCount": {
              "description": "UnknownCount is the number of vulnerabilities with unknown severity.",
              "minimum": 0,
              "type": "integer"
            }
          },
          "required": [
            "criticalCount",
            "highCount",
            "lowCount",
            "mediumCount",
            "unknownCount"
          ],
          "type": "object",
          "additionalProperties": false
        },
        "updateTimestamp": {
          "description": "UpdateTimestamp is a timestamp representing the server time in UTC when this report was updated.",
          "format": "date-time",
          "type": "string"
        },
        "vulnerabilities": {
          "description": "Vulnerabilities is a list of operating system (OS) or application software Vulnerability items found in the Artifact.",
          "items": {
            "description": "Vulnerability is the spec for a vulnerability record.",
            "properties": {
              "class": {
                "type": "string"
              },
              "cvss": {
                "additionalProperties": {
                  "properties": {
                    "V2Score": {
                      "type": "number"
                    },
                    "V2Vector": {
                      "type": "string"
                    },
                    "V3Score": {
                      "type": "number"
                    },
                    "V3Vector": {
                      "type": "string"
                    },
                    "V40Score": {
                      "type": "number"
                    },
                    "V40Vector": {
                      "type": "string"
                    }
                  },
                  "type": "object",
                  "additionalProperties": false
                },
                "type": "object"
              },
              "cvsssource": {
                "type": "string"
              },
              "description": {
                "type": "string"
              },
              "fixedVersion": {
                "description": "FixedVersion indicates the version of the Resource in which this vulnerability has been fixed.",
                "type": "string"
              },
              "installedVersion": {
                "description": "InstalledVersion indicates the installed version of the Resource.",
                "type": "string"
              },
              "lastModifiedDate": {
                "description": "LastModifiedDate indicates the date the CVE was last modified.",
                "type": "string"
              },
              "links": {
                "items": {
                  "type": "string"
                },
                "type": "array"
              },
              "packagePURL": {
                "type": "string"
              },
              "packagePath": {
                "type": "string"
              },
              "packageType": {
                "type": "string"
              },
              "primaryLink": {
                "type": "string"
              },
              "publishedDate": {
                "description": "PublishedDate indicates the date the CVE was published.",
                "type": "string"
              },
              "resource": {
                "description": "Resource is a vulnerable package, application, or library.",
                "type": "string"
              },
              "score": {
                "type": "number"
              },
              "severity": {
                "description": "Severity level of a vulnerability or a configuration audit check.",
                "enum": [
                  "CRITICAL",
                  "HIGH",
                  "MEDIUM",
                  "LOW",
                  "UNKNOWN"
                ],
                "type": "string"
              },
              "target": {
                "type": "string"
              },
              "title": {
                "type": "string"
              },
              "vulnerabilityID": {
                "description": "VulnerabilityID is the vulnerability identifier.",
                "type": "string"
              }
            },
            "required": [
              "fixedVersion",
              "installedVersion",
              "lastModifiedDate",
              "publishedDate",
              "resource",
              "severity",
              "title",
              "vulnerabilityID"
            ],
            "type": "object",
            "additionalProperties": false
          },
          "type": "array"
        }
      },
      "required": [
        "artifact",
        "os",
        "scanner",
        "summary",
        "updateTimestamp",
        "vulnerabilities"
      ],
      "type": "object",
      "additionalProperties": false
    }
  },
  "required": [
    "report"
  ],
  "type": "object",
  "x-kubernetes-preserve-unknown-fields": true
}
