
GET /v1/export/vuln-mgmt/workloads

Streams vulnerability data upon request. Each entry consists of a deployment and the associated container images.

Description

The response is structured as: {"result": {"deployment": {…}, "images": […]}} … {"result": {"deployment": {…}, "images": […]}}

Parameters

Query Parameters

Name Description Required Default Pattern

timeout

Request timeout in seconds.

-

null

query

Query to constrain the deployments for which vulnerability data is returned. The queries contain pairs of `Search Option:Value` separated by `+` signs. For HTTP requests the query should be quoted. For example,

curl "$ROX_ENDPOINT/v1/export/vuln-mgmt/workloads?query=Deployment%3Ascanner%2BNamespace%3Astackrox"

queries vulnerability data for all scanner deployments in the stackrox namespace. See https://docs.openshift.com/acs/operating/search-filter.html for more information.

-

null
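Consuming the export end to end, as an added example that is not part of this reference: the Python below builds the request URL exactly as the parameter description requires (`Search Option:Value` pairs joined with `+`, then percent-encoded), parses the streaming body as the sequence of `{"result": …}` / `{"error": …}` objects described above (it is not a JSON array, so a single `json.loads` would stop after the first object), and lists OBSERVED, fixable vulnerabilities of IMPORTANT or CRITICAL severity per deployment. The endpoint name, the sample body, the placeholder CVE IDs and the severity/state filter are constructed assumptions; field names follow the StorageDeployment, StorageImage, StorageImageScan and StorageEmbeddedVulnerability tables below.

```python
import json
from urllib.parse import quote

# StorageVulnerabilitySeverity values this example treats as actionable
# (a choice of this example, not a rule of the API).
ACTIONABLE_SEVERITIES = {"CRITICAL_VULNERABILITY_SEVERITY",
                         "IMPORTANT_VULNERABILITY_SEVERITY"}


def build_export_url(endpoint, filters, timeout=None):
    """Join `Search Option:Value` pairs with '+' and percent-encode the whole
    query, so ':' becomes %3A and '+' becomes %2B as in the documented curl call."""
    query = "+".join(f"{option}:{value}" for option, value in filters.items())
    url = f"{endpoint}/v1/export/vuln-mgmt/workloads?query={quote(query, safe='')}"
    if timeout is not None:
        url += f"&timeout={int(timeout)}"  # request timeout in seconds
    return url


def iter_stream(body):
    """Yield each top-level object of the streaming body: whitespace-separated
    JSON objects, decoded one at a time with raw_decode."""
    decoder = json.JSONDecoder()
    pos = 0
    while True:
        while pos < len(body) and body[pos].isspace():
            pos += 1  # skip the separator between objects
        if pos >= len(body):
            return
        obj, pos = decoder.raw_decode(body, pos)
        yield obj


def fixable_findings(response):
    """Rows (deployment, namespace, image, component, cve, fixedBy) for
    OBSERVED vulnerabilities that have a fixing version and an actionable severity."""
    rows = []
    dep = response["deployment"]
    for image in response.get("images", []):
        image_ref = image.get("name", {}).get("fullName") or image.get("id", "?")
        for comp in image.get("scan", {}).get("components", []):
            for vuln in comp.get("vulns", []):
                if vuln.get("state", "OBSERVED") != "OBSERVED":
                    continue  # DEFERRED and FALSE_POSITIVE are not reported
                if not vuln.get("fixedBy"):
                    continue  # no fixed version known yet
                if vuln.get("severity") not in ACTIONABLE_SEVERITIES:
                    continue
                rows.append((dep["name"], dep["namespace"], image_ref,
                             f"{comp['name']}@{comp['version']}",
                             vuln["cve"], vuln["fixedBy"]))
    return rows


def process_stream(body):
    """Split the stream into findings and GooglerpcStatus errors as (code, message)."""
    findings, errors = [], []
    for obj in iter_stream(body):
        if "error" in obj:
            errors.append((obj["error"].get("code"), obj["error"].get("message")))
        elif "result" in obj:
            findings.extend(fixable_findings(obj["result"]))
    return findings, errors


# Constructed sample body (not captured from a real cluster); the CVE IDs are
# placeholders, not real vulnerabilities.
SAMPLE_BODY = """
{"result": {"deployment": {"id": "d1", "name": "scanner", "namespace": "stackrox"},
  "images": [{"id": "sha256:aaaa",
    "name": {"registry": "quay.io", "remote": "example/scanner", "tag": "1.0",
             "fullName": "quay.io/example/scanner:1.0"},
    "scan": {"components": [
      {"name": "openssl", "version": "1.1.1k", "vulns": [
        {"cve": "CVE-0000-0001", "cvss": 9.8, "fixedBy": "1.1.1l",
         "severity": "CRITICAL_VULNERABILITY_SEVERITY", "state": "OBSERVED"},
        {"cve": "CVE-0000-0002", "cvss": 7.5, "fixedBy": "1.1.1m",
         "severity": "IMPORTANT_VULNERABILITY_SEVERITY", "state": "DEFERRED"}]},
      {"name": "zlib", "version": "1.2.11", "vulns": [
        {"cve": "CVE-0000-0003", "cvss": 5.0, "fixedBy": "",
         "severity": "MODERATE_VULNERABILITY_SEVERITY", "state": "OBSERVED"}]}]}}]}}
{"result": {"deployment": {"id": "d2", "name": "sensor", "namespace": "stackrox"}, "images": []}}
{"error": {"code": 4, "message": "context deadline exceeded"}}
"""

if __name__ == "__main__":
    print(build_export_url("https://central.example",
                           {"Deployment": "scanner", "Namespace": "stackrox"}))
    findings, errors = process_stream(SAMPLE_BODY)
    for row in findings:
        print("fixable:", *row)
    for code, message in errors:
        print(f"stream error {code}: {message}")
```

Only the first CVE in the sample survives the filter: the second is DEFERRED, the third has no `fixedBy`, and the trailing `{"error": …}` object is reported separately rather than aborting the parse.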

Content Type

  • application/json

Responses

Table 1. HTTP Response Codes
Code Message Datatype

200

A successful response (streaming responses).

Stream_result_of_v1VulnMgmtExportWorkloadsResponse

0

An unexpected error response.

GooglerpcStatus

Samples

Common object reference

CVSSV2AccessComplexity

Enum Values

ACCESS_HIGH

ACCESS_MEDIUM

ACCESS_LOW

CVSSV2Authentication

Enum Values

AUTH_MULTIPLE

AUTH_SINGLE

AUTH_NONE

CVSSV3Complexity

Enum Values

COMPLEXITY_LOW

COMPLEXITY_HIGH

CVSSV3Privileges

Enum Values

PRIVILEGE_NONE

PRIVILEGE_LOW

PRIVILEGE_HIGH

CVSSV3UserInteraction

Enum Values

UI_NONE

UI_REQUIRED

ContainerConfigEnvironmentConfig

Field Name Required Nullable Type Description Format

key

String

value

String

envVarSource

EnvironmentConfigEnvVarSource

UNSET, RAW, SECRET_KEY, CONFIG_MAP_KEY, FIELD, RESOURCE_FIELD, UNKNOWN,

EmbeddedVulnerabilityVulnerabilityType

Enum Values

UNKNOWN_VULNERABILITY

IMAGE_VULNERABILITY

K8S_VULNERABILITY

ISTIO_VULNERABILITY

NODE_VULNERABILITY

OPENSHIFT_VULNERABILITY

EnvironmentConfigEnvVarSource

For any update to EnvVarSource, please also update 'ui/src/messages/common.js'

Enum Values

UNSET

RAW

SECRET_KEY

CONFIG_MAP_KEY

FIELD

RESOURCE_FIELD

UNKNOWN

GooglerpcStatus

Field Name Required Nullable Type Description Format

code

Integer

int32

message

String

details

List of ProtobufAny

PortConfigExposureInfo

Field Name Required Nullable Type Description Format

level

PortConfigExposureLevel

UNSET, EXTERNAL, NODE, INTERNAL, HOST, ROUTE,

serviceName

String

serviceId

String

serviceClusterIp

String

servicePort

Integer

int32

nodePort

Integer

int32

externalIps

List of string

externalHostnames

List of string

PortConfigExposureLevel

Enum Values

UNSET

EXTERNAL

NODE

INTERNAL

HOST

ROUTE

ProtobufAny

Any contains an arbitrary serialized protocol buffer message along with a URL that describes the type of the serialized message.

Protobuf library provides support to pack/unpack Any values in the form of utility functions or additional generated methods of the Any type.

Example 1: Pack and unpack a message in C++.

Foo foo = ...;
Any any;
any.PackFrom(foo);
...
if (any.UnpackTo(&foo)) {
  ...
}

Example 2: Pack and unpack a message in Java.

Foo foo = ...;
Any any = Any.pack(foo);
...
if (any.is(Foo.class)) {
  foo = any.unpack(Foo.class);
}
// or ...
if (any.isSameTypeAs(Foo.getDefaultInstance())) {
  foo = any.unpack(Foo.getDefaultInstance());
}
Example 3: Pack and unpack a message in Python.

foo = Foo(...)
any = Any()
any.Pack(foo)
...
if any.Is(Foo.DESCRIPTOR):
  any.Unpack(foo)
  ...

Example 4: Pack and unpack a message in Go.

foo := &pb.Foo{...}
any, err := anypb.New(foo)
if err != nil {
  ...
}
...
foo := &pb.Foo{}
if err := any.UnmarshalTo(foo); err != nil {
  ...
}

The pack methods provided by protobuf library will by default use 'type.googleapis.com/full.type.name' as the type URL and the unpack methods only use the fully qualified type name after the last '/' in the type URL, for example "foo.bar.com/x/y.z" will yield type name "y.z".

JSON representation

The JSON representation of an Any value uses the regular representation of the deserialized, embedded message, with an additional field @type which contains the type URL. Example:

package google.profile;
message Person {
  string first_name = 1;
  string last_name = 2;
}

{
  "@type": "type.googleapis.com/google.profile.Person",
  "firstName": <string>,
  "lastName": <string>
}

If the embedded message type is well-known and has a custom JSON representation, that representation will be embedded adding a field value which holds the custom JSON in addition to the @type field. Example (for message google.protobuf.Duration):

{
  "@type": "type.googleapis.com/google.protobuf.Duration",
  "value": "1.212s"
}

Field Name Required Nullable Type Description Format

@type

String

A URL/resource name that uniquely identifies the type of the serialized protocol buffer message. This string must contain at least one "/" character. The last segment of the URL's path must represent the fully qualified name of the type (as in path/google.protobuf.Duration). The name should be in a canonical form (e.g., a leading "." is not accepted).

In practice, teams usually precompile into the binary all types that they expect it to use in the context of Any. However, for URLs which use the scheme http, https, or no scheme, one can optionally set up a type server that maps type URLs to message definitions as follows:

  • If no scheme is provided, https is assumed.

  • An HTTP GET on the URL must yield a google.protobuf.Type value in binary format, or produce an error.

  • Applications are allowed to cache lookup results based on the URL, or have them precompiled into a binary to avoid any lookup. Therefore, binary compatibility needs to be preserved on changes to types. (Use versioned type names to manage breaking changes.)

Note: this functionality is not currently available in the official protobuf release, and it is not used for type URLs beginning with type.googleapis.com. As of May 2023, there are no widely used type server implementations and no plans to implement one. Schemes other than http, https (or the empty scheme) might be used with implementation specific semantics.

SeccompProfileProfileType

Enum Values

UNCONFINED

RUNTIME_DEFAULT

LOCALHOST

SecurityContextSELinux

Field Name Required Nullable Type Description Format

user

String

role

String

type

String

level

String

SecurityContextSeccompProfile

Field Name Required Nullable Type Description Format

type

SeccompProfileProfileType

UNCONFINED, RUNTIME_DEFAULT, LOCALHOST,

localhostProfile

String

StorageCVSSScore

Field Name Required Nullable Type Description Format

source

StorageSource

SOURCE_UNKNOWN, SOURCE_RED_HAT, SOURCE_OSV, SOURCE_NVD,

url

String

cvssv2

StorageCVSSV2

cvssv3

StorageCVSSV3

StorageCVSSV2

Field Name Required Nullable Type Description Format

vector

String

attackVector

StorageCVSSV2AttackVector

ATTACK_LOCAL, ATTACK_ADJACENT, ATTACK_NETWORK,

accessComplexity

CVSSV2AccessComplexity

ACCESS_HIGH, ACCESS_MEDIUM, ACCESS_LOW,

authentication

CVSSV2Authentication

AUTH_MULTIPLE, AUTH_SINGLE, AUTH_NONE,

confidentiality

StorageCVSSV2Impact

IMPACT_NONE, IMPACT_PARTIAL, IMPACT_COMPLETE,

integrity

StorageCVSSV2Impact

IMPACT_NONE, IMPACT_PARTIAL, IMPACT_COMPLETE,

availability

StorageCVSSV2Impact

IMPACT_NONE, IMPACT_PARTIAL, IMPACT_COMPLETE,

exploitabilityScore

Float

float

impactScore

Float

float

score

Float

float

severity

StorageCVSSV2Severity

UNKNOWN, LOW, MEDIUM, HIGH,

StorageCVSSV2AttackVector

Enum Values

ATTACK_LOCAL

ATTACK_ADJACENT

ATTACK_NETWORK

StorageCVSSV2Impact

Enum Values

IMPACT_NONE

IMPACT_PARTIAL

IMPACT_COMPLETE

StorageCVSSV2Severity

Enum Values

UNKNOWN

LOW

MEDIUM

HIGH

StorageCVSSV3

Field Name Required Nullable Type Description Format

vector

String

exploitabilityScore

Float

float

impactScore

Float

float

attackVector

StorageCVSSV3AttackVector

ATTACK_LOCAL, ATTACK_ADJACENT, ATTACK_NETWORK, ATTACK_PHYSICAL,

attackComplexity

CVSSV3Complexity

COMPLEXITY_LOW, COMPLEXITY_HIGH,

privilegesRequired

CVSSV3Privileges

PRIVILEGE_NONE, PRIVILEGE_LOW, PRIVILEGE_HIGH,

userInteraction

CVSSV3UserInteraction

UI_NONE, UI_REQUIRED,

scope

StorageCVSSV3Scope

UNCHANGED, CHANGED,

confidentiality

StorageCVSSV3Impact

IMPACT_NONE, IMPACT_LOW, IMPACT_HIGH,

integrity

StorageCVSSV3Impact

IMPACT_NONE, IMPACT_LOW, IMPACT_HIGH,

availability

StorageCVSSV3Impact

IMPACT_NONE, IMPACT_LOW, IMPACT_HIGH,

score

Float

float

severity

StorageCVSSV3Severity

UNKNOWN, NONE, LOW, MEDIUM, HIGH, CRITICAL,

StorageCVSSV3AttackVector

Enum Values

ATTACK_LOCAL

ATTACK_ADJACENT

ATTACK_NETWORK

ATTACK_PHYSICAL

StorageCVSSV3Impact

Enum Values

IMPACT_NONE

IMPACT_LOW

IMPACT_HIGH

StorageCVSSV3Scope

Enum Values

UNCHANGED

CHANGED

StorageCVSSV3Severity

Enum Values

UNKNOWN

NONE

LOW

MEDIUM

HIGH

CRITICAL

StorageContainer

Field Name Required Nullable Type Description Format

id

String

config

StorageContainerConfig

image

StorageContainerImage

securityContext

StorageSecurityContext

volumes

List of StorageVolume

ports

List of StoragePortConfig

secrets

List of StorageEmbeddedSecret

resources

StorageResources

name

String

livenessProbe

StorageLivenessProbe

readinessProbe

StorageReadinessProbe

StorageContainerConfig

Field Name Required Nullable Type Description Format

env

List of ContainerConfigEnvironmentConfig

command

List of string

args

List of string

directory

String

user

String

uid

String

int64

appArmorProfile

String

StorageContainerImage

Next tag: 12

Field Name Required Nullable Type Description Format

id

String

name

StorageImageName

notPullable

Boolean

isClusterLocal

Boolean

StorageCosignSignature

Field Name Required Nullable Type Description Format

rawSignature

byte[]

byte

signaturePayload

byte[]

byte

certPem

byte[]

byte

certChainPem

byte[]

byte

StorageDataSource

Field Name Required Nullable Type Description Format

id

String

name

String

mirror

String

StorageDeployment

Next available tag: 36

Field Name Required Nullable Type Description Format

id

String

name

String

hash

String

uint64

type

String

namespace

String

namespaceId

String

orchestratorComponent

Boolean

replicas

String

int64

labels

Map of string

podLabels

Map of string

labelSelector

StorageLabelSelector

created

Date

date-time

clusterId

String

clusterName

String

containers

List of StorageContainer

annotations

Map of string

priority

String

int64

inactive

Boolean

imagePullSecrets

List of string

serviceAccount

String

serviceAccountPermissionLevel

StoragePermissionLevel

UNSET, NONE, DEFAULT, ELEVATED_IN_NAMESPACE, ELEVATED_CLUSTER_WIDE, CLUSTER_ADMIN,

automountServiceAccountToken

Boolean

hostNetwork

Boolean

hostPid

Boolean

hostIpc

Boolean

runtimeClass

String

tolerations

List of StorageToleration

ports

List of StoragePortConfig

stateTimestamp

String

int64

riskScore

Float

float

platformComponent

Boolean

StorageEmbeddedImageScanComponent

Next Tag: 13

Field Name Required Nullable Type Description Format

name

String

version

String

license

StorageLicense

vulns

List of StorageEmbeddedVulnerability

layerIndex

Integer

int32

priority

String

int64

source

StorageSourceType

OS, PYTHON, JAVA, RUBY, NODEJS, GO, DOTNETCORERUNTIME, INFRASTRUCTURE,

location

String

topCvss

Float

float

riskScore

Float

float

fixedBy

String

Component version that fixes all the fixable vulnerabilities in this component.

executables

List of StorageEmbeddedImageScanComponentExecutable

StorageEmbeddedImageScanComponentExecutable

Field Name Required Nullable Type Description Format

path

String

dependencies

List of string

StorageEmbeddedSecret

Field Name Required Nullable Type Description Format

name

String

path

String

StorageEmbeddedVulnerability

Next Tag: 22

Field Name Required Nullable Type Description Format

cve

String

cvss

Float

float

summary

String

link

String

fixedBy

String

scoreVersion

StorageEmbeddedVulnerabilityScoreVersion

V2, V3,

cvssV2

StorageCVSSV2

cvssV3

StorageCVSSV3

publishedOn

Date

date-time

lastModified

Date

date-time

vulnerabilityType

EmbeddedVulnerabilityVulnerabilityType

UNKNOWN_VULNERABILITY, IMAGE_VULNERABILITY, K8S_VULNERABILITY, ISTIO_VULNERABILITY, NODE_VULNERABILITY, OPENSHIFT_VULNERABILITY,

vulnerabilityTypes

List of EmbeddedVulnerabilityVulnerabilityType

suppressed

Boolean

suppressActivation

Date

date-time

suppressExpiry

Date

date-time

firstSystemOccurrence

Date

Time when the CVE was first seen, for this specific distro, in the system.

date-time

firstImageOccurrence

Date

Time when the CVE was first seen in this image.

date-time

severity

StorageVulnerabilitySeverity

UNKNOWN_VULNERABILITY_SEVERITY, LOW_VULNERABILITY_SEVERITY, MODERATE_VULNERABILITY_SEVERITY, IMPORTANT_VULNERABILITY_SEVERITY, CRITICAL_VULNERABILITY_SEVERITY,

state

StorageVulnerabilityState

OBSERVED, DEFERRED, FALSE_POSITIVE,

cvssMetrics

List of StorageCVSSScore

nvdCvss

Float

float

StorageEmbeddedVulnerabilityScoreVersion

ScoreVersion can be deprecated ROX-26066

  • V2: No unset for automatic backwards compatibility

Enum Values

V2

V3

StorageImage

Next Tag: 19

Field Name Required Nullable Type Description Format

id

String

name

StorageImageName

names

List of StorageImageName

This should deprecate the ImageName field long-term, allowing images with the same digest to be associated with different locations. TODO(dhaus): For now, this message will be without search tags due to duplicated search tags otherwise.

metadata

StorageImageMetadata

scan

StorageImageScan

signatureVerificationData

StorageImageSignatureVerificationData

signature

StorageImageSignature

components

Integer

int32

cves

Integer

int32

fixableCves

Integer

int32

lastUpdated

Date

date-time

notPullable

Boolean

isClusterLocal

Boolean

priority

String

int64

riskScore

Float

float

topCvss

Float

float

notes

List of StorageImageNote

StorageImageLayer

Field Name Required Nullable Type Description Format

instruction

String

value

String

created

Date

date-time

author

String

empty

Boolean

StorageImageMetadata

If any fields of ImageMetadata are modified including subfields, please check pkg/images/enricher/metadata.go to ensure that those changes will be automatically picked up.

Next Tag: 6

StorageImageName

Field Name Required Nullable Type Description Format

registry

String

remote

String

tag

String

fullName

String

StorageImageNote

Enum Values

MISSING_METADATA

MISSING_SCAN_DATA

MISSING_SIGNATURE

MISSING_SIGNATURE_VERIFICATION_DATA

StorageImageScan

Next tag: 8

Field Name Required Nullable Type Description Format

scannerVersion

String

scanTime

Date

date-time

components

List of StorageEmbeddedImageScanComponent

operatingSystem

String

dataSource

StorageDataSource

notes

List of StorageImageScanNote

hash

String

uint64

StorageImageScanNote

Enum Values

UNSET

OS_UNAVAILABLE

PARTIAL_SCAN_DATA

OS_CVES_UNAVAILABLE

OS_CVES_STALE

LANGUAGE_CVES_UNAVAILABLE

CERTIFIED_RHEL_SCAN_UNAVAILABLE

StorageImageSignature

Field Name Required Nullable Type Description Format

signatures

List of StorageSignature

fetched

Date

date-time

StorageImageSignatureVerificationData

Field Name Required Nullable Type Description Format

results

List of StorageImageSignatureVerificationResult

StorageImageSignatureVerificationResult

Next Tag: 6

Field Name Required Nullable Type Description Format

verificationTime

Date

date-time

verifierId

String

verifier_id correlates to the ID of the signature integration used to verify the signature.

status

StorageImageSignatureVerificationResultStatus

UNSET, VERIFIED, FAILED_VERIFICATION, INVALID_SIGNATURE_ALGO, CORRUPTED_SIGNATURE, GENERIC_ERROR,

description

String

description is set in the case of an error with the specific error’s message. Otherwise, this will not be set.

verifiedImageReferences

List of string

The full image names that are verified by this specific signature integration ID.

StorageImageSignatureVerificationResultStatus

Status represents the status of the result.

  • VERIFIED: VERIFIED is set when the signature’s verification was successful.

  • FAILED_VERIFICATION: FAILED_VERIFICATION is set when the signature’s verification failed.

  • INVALID_SIGNATURE_ALGO: INVALID_SIGNATURE_ALGO is set when the signature’s algorithm is invalid and unsupported.

  • CORRUPTED_SIGNATURE: CORRUPTED_SIGNATURE is set when the raw signature is corrupted, i.e. wrong base64 encoding.

  • GENERIC_ERROR: GENERIC_ERROR is set when an error occurred during verification that cannot be associated with a specific status.

Enum Values

UNSET

VERIFIED

FAILED_VERIFICATION

INVALID_SIGNATURE_ALGO

CORRUPTED_SIGNATURE

GENERIC_ERROR
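A consumer-side check built on the fields above, as an added example that is not code from the API reference: it accepts an exported StorageImage only when a result from a trusted signature integration ID has status VERIFIED and its verifiedImageReferences cover every full name the image is exported under (the `names` list plus the legacy `name`), and it reports MISSING_SIGNATURE / MISSING_SIGNATURE_VERIFICATION_DATA notes, results from other integrations and non-VERIFIED statuses with their `description` as reasons. The trusted integration ID and the sample images are constructed.

```python
# Decide whether an exported StorageImage is signature-verified by an integration
# we trust. Field names follow StorageImage, StorageImageSignatureVerificationData
# and StorageImageSignatureVerificationResult; the sample data is constructed.

TRUSTED_INTEGRATIONS = {"sig-int-prod"}  # hypothetical signature integration ID


def image_names(image):
    """Every full name the image is known under: 'names' plus the legacy 'name'."""
    names = {n.get("fullName") for n in image.get("names", [])}
    names.add(image.get("name", {}).get("fullName"))
    return {n for n in names if n}


def verification_status(image, trusted_ids):
    """Return (verified, reasons).

    verified is True only if a trusted integration reports VERIFIED and its
    verifiedImageReferences cover all names of the image. A VERIFIED result that
    covers only some names is recorded as a reason, not accepted."""
    reasons = []
    notes = set(image.get("notes", []))
    if "MISSING_SIGNATURE" in notes:
        reasons.append("no signature fetched for image")
    if "MISSING_SIGNATURE_VERIFICATION_DATA" in notes:
        reasons.append("no verification performed")

    names = image_names(image)
    results = image.get("signatureVerificationData", {}).get("results", [])
    for result in results:
        verifier = result.get("verifierId")
        if verifier not in trusted_ids:
            reasons.append(f"result from untrusted integration {verifier!r} ignored")
            continue
        status = result.get("status", "UNSET")
        if status != "VERIFIED":
            msg = f"{verifier}: {status}"
            if result.get("description"):  # set only in the error case
                msg += f": {result['description']}"
            reasons.append(msg)
            continue
        missing = names - set(result.get("verifiedImageReferences", []))
        if not missing:
            return True, reasons
        reasons.append(f"{verifier}: VERIFIED but not for {sorted(missing)}")
    if not results:
        reasons.append("no verification results")
    return False, reasons


# Constructed sample images (not exported from a real cluster).
GOOD_IMAGE = {
    "id": "sha256:bbbb",
    "name": {"fullName": "quay.io/example/app:1.0"},
    "names": [{"fullName": "quay.io/example/app:1.0"},
              {"fullName": "mirror.internal/example/app:1.0"}],
    "signatureVerificationData": {"results": [
        {"verifierId": "sig-int-prod", "status": "VERIFIED",
         "verifiedImageReferences": ["quay.io/example/app:1.0",
                                     "mirror.internal/example/app:1.0"]}]},
}
# Same digest under two names, but only one name verified.
PARTIAL_IMAGE = {
    "id": "sha256:bbbb",
    "name": {"fullName": "quay.io/example/app:1.0"},
    "names": [{"fullName": "quay.io/example/app:1.0"},
              {"fullName": "mirror.internal/example/app:1.0"}],
    "signatureVerificationData": {"results": [
        {"verifierId": "sig-int-prod", "status": "VERIFIED",
         "verifiedImageReferences": ["quay.io/example/app:1.0"]}]},
}
# VERIFIED only by an integration we do not trust; the trusted one failed.
FAILED_IMAGE = {
    "id": "sha256:cccc",
    "name": {"fullName": "quay.io/example/app:1.1"},
    "signatureVerificationData": {"results": [
        {"verifierId": "sig-int-dev", "status": "VERIFIED",
         "verifiedImageReferences": ["quay.io/example/app:1.1"]},
        {"verifierId": "sig-int-prod", "status": "FAILED_VERIFICATION",
         "description": "signature did not match"}]},
}

if __name__ == "__main__":
    for label, img in [("good", GOOD_IMAGE), ("partial", PARTIAL_IMAGE),
                       ("failed", FAILED_IMAGE)]:
        ok, reasons = verification_status(img, TRUSTED_INTEGRATIONS)
        print(label, "verified" if ok else "NOT verified", reasons)
```

The partial case is the one worth noticing: a single StorageImage can carry several names (`names`), and a result's `verifiedImageReferences` may list only some of them, so checking `status == VERIFIED` alone would accept a name the integration never verified.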

StorageLabelSelector

Label selector components are joined with logical AND, see https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/

Next available tag: 3

Field Name Required Nullable Type Description Format

matchLabels

Map of string

This is actually a oneof, but we can’t make it one due to backwards compatibility constraints.

requirements

List of StorageLabelSelectorRequirement

StorageLabelSelectorOperator

Enum Values

UNKNOWN

IN

NOT_IN

EXISTS

NOT_EXISTS

StorageLabelSelectorRequirement

Next available tag: 4

Field Name Required Nullable Type Description Format

key

String

op

StorageLabelSelectorOperator

UNKNOWN, IN, NOT_IN, EXISTS, NOT_EXISTS,

values

List of string

StorageLicense

Field Name Required Nullable Type Description Format

name

String

type

String

url

String

StorageLivenessProbe

Field Name Required Nullable Type Description Format

defined

Boolean

StoragePermissionLevel

For any update to PermissionLevel, also update:

  • pkg/searchbasedpolicies/builders/k8s_rbac.go

  • ui/src/messages/common.js

Enum Values

UNSET

NONE

DEFAULT

ELEVATED_IN_NAMESPACE

ELEVATED_CLUSTER_WIDE

CLUSTER_ADMIN

StoragePortConfig

Next Available Tag: 6

Field Name Required Nullable Type Description Format

name

String

containerPort

Integer

int32

protocol

String

exposure

PortConfigExposureLevel

UNSET, EXTERNAL, NODE, INTERNAL, HOST, ROUTE,

exposedPort

Integer

int32

exposureInfos

List of PortConfigExposureInfo

StorageReadinessProbe

Field Name Required Nullable Type Description Format

defined

Boolean

StorageResources

Field Name Required Nullable Type Description Format

cpuCoresRequest

Float

float

cpuCoresLimit

Float

float

memoryMbRequest

Float

float

memoryMbLimit

Float

float

StorageSecurityContext

Field Name Required Nullable Type Description Format

privileged

Boolean

selinux

SecurityContextSELinux

dropCapabilities

List of string

addCapabilities

List of string

readOnlyRootFilesystem

Boolean

seccompProfile

SecurityContextSeccompProfile

allowPrivilegeEscalation

Boolean

StorageSignature

Field Name Required Nullable Type Description Format

cosign

StorageCosignSignature

StorageSource

Enum Values

SOURCE_UNKNOWN

SOURCE_RED_HAT

SOURCE_OSV

SOURCE_NVD

StorageSourceType

Enum Values

OS

PYTHON

JAVA

RUBY

NODEJS

GO

DOTNETCORERUNTIME

INFRASTRUCTURE

StorageTaintEffect

Enum Values

UNKNOWN_TAINT_EFFECT

NO_SCHEDULE_TAINT_EFFECT

PREFER_NO_SCHEDULE_TAINT_EFFECT

NO_EXECUTE_TAINT_EFFECT

StorageToleration

Field Name Required Nullable Type Description Format

key

String

operator

StorageTolerationOperator

TOLERATION_OPERATION_UNKNOWN, TOLERATION_OPERATOR_EXISTS, TOLERATION_OPERATOR_EQUAL,

value

String

taintEffect

StorageTaintEffect

UNKNOWN_TAINT_EFFECT, NO_SCHEDULE_TAINT_EFFECT, PREFER_NO_SCHEDULE_TAINT_EFFECT, NO_EXECUTE_TAINT_EFFECT,

StorageTolerationOperator

Enum Values

TOLERATION_OPERATION_UNKNOWN

TOLERATION_OPERATOR_EXISTS

TOLERATION_OPERATOR_EQUAL

StorageV1Metadata

StorageV2Metadata

StorageVolume

Field Name Required Nullable Type Description Format

name

String

source

String

destination

String

readOnly

Boolean

type

String

mountPropagation

VolumeMountPropagation

NONE, HOST_TO_CONTAINER, BIDIRECTIONAL,

StorageVulnerabilitySeverity

Enum Values

UNKNOWN_VULNERABILITY_SEVERITY

LOW_VULNERABILITY_SEVERITY

MODERATE_VULNERABILITY_SEVERITY

IMPORTANT_VULNERABILITY_SEVERITY

CRITICAL_VULNERABILITY_SEVERITY

StorageVulnerabilityState

VulnerabilityState indicates whether a vulnerability is being observed or deferred (suppressed). By default, vulnerabilities are observed.

  • OBSERVED: [Default state]

Enum Values

OBSERVED

DEFERRED

FALSE_POSITIVE

StreamResultOfV1VulnMgmtExportWorkloadsResponse

Stream result of v1VulnMgmtExportWorkloadsResponse

Field Name Required Nullable Type Description Format

result

V1VulnMgmtExportWorkloadsResponse

error

GooglerpcStatus

V1VulnMgmtExportWorkloadsResponse

The workloads response contains the full image details including the vulnerability data.

Field Name Required Nullable Type Description Format

deployment

StorageDeployment

images

List of StorageImage

VolumeMountPropagation

Enum Values

NONE

HOST_TO_CONTAINER

BIDIRECTIONAL