For any update to EnvVarSource, please also update 'ui/src/messages/common.js'
GET /v1/export/vuln-mgmt/workloads
Streams vulnerability data upon request. Each entry consists of a deployment and the associated container images.
The response is structured as: {\"result\": {\"deployment\": {…}, \"images\": […]}} … {\"result\": {\"deployment\": {…}, \"images\": […]}}
Name | Description | Required | Default | Pattern |
---|---|---|---|---|
timeout |
Request timeout in seconds. |
- |
null |
|
query |
Query to constrain the deployments for which vulnerability data is returned. The queries contain pairs of `Search Option:Value` separated by `+` signs. For HTTP requests the query should be quoted. For example > curl "$ROX_ENDPOINT/v1/export/vuln-mgmt/workloads?query=Deployment%3Ascanner%2BNamespace%3Astackrox" queries vulnerability data for all scanner deployments in the stackrox namespace. See https://docs.openshift.com/acs/operating/search-filter.html for more information. |
- |
null |
Code | Message | Datatype |
---|---|---|
200 |
A successful response.(streaming responses) |
|
0 |
An unexpected error response. |
Field Name | Required | Nullable | Type | Description | Format |
---|---|---|---|---|---|
key |
String |
||||
value |
String |
||||
envVarSource |
UNSET, RAW, SECRET_KEY, CONFIG_MAP_KEY, FIELD, RESOURCE_FIELD, UNKNOWN, |
Enum Values |
---|
UNKNOWN_VULNERABILITY |
IMAGE_VULNERABILITY |
K8S_VULNERABILITY |
ISTIO_VULNERABILITY |
NODE_VULNERABILITY |
OPENSHIFT_VULNERABILITY |
For any update to EnvVarSource, please also update 'ui/src/messages/common.js'
Enum Values |
---|
UNSET |
RAW |
SECRET_KEY |
CONFIG_MAP_KEY |
FIELD |
RESOURCE_FIELD |
UNKNOWN |
Field Name | Required | Nullable | Type | Description | Format |
---|---|---|---|---|---|
code |
Integer |
int32 |
|||
message |
String |
||||
details |
List of ProtobufAny |
Field Name | Required | Nullable | Type | Description | Format |
---|---|---|---|---|---|
level |
UNSET, EXTERNAL, NODE, INTERNAL, HOST, ROUTE, |
||||
serviceName |
String |
||||
serviceId |
String |
||||
serviceClusterIp |
String |
||||
servicePort |
Integer |
int32 |
|||
nodePort |
Integer |
int32 |
|||
externalIps |
List of |
||||
externalHostnames |
List of |
Any
contains an arbitrary serialized protocol buffer message along with a
URL that describes the type of the serialized message.
Protobuf library provides support to pack/unpack Any values in the form of utility functions or additional generated methods of the Any type.
Example 1: Pack and unpack a message in C++.
Foo foo = ...; Any any; any.PackFrom(foo); ... if (any.UnpackTo(&foo)) { ... }
Example 2: Pack and unpack a message in Java.
Foo foo = ...; Any any = Any.pack(foo); ... if (any.is(Foo.class)) { foo = any.unpack(Foo.class); } // or ... if (any.isSameTypeAs(Foo.getDefaultInstance())) { foo = any.unpack(Foo.getDefaultInstance()); }
Example 3: Pack and unpack a message in Python.
foo = Foo(...) any = Any() any.Pack(foo) ... if any.Is(Foo.DESCRIPTOR): any.Unpack(foo) ...
Example 4: Pack and unpack a message in Go
foo := &pb.Foo{...} any, err := anypb.New(foo) if err != nil { ... } ... foo := &pb.Foo{} if err := any.UnmarshalTo(foo); err != nil { ... }
The pack methods provided by protobuf library will by default use 'type.googleapis.com/full.type.name' as the type URL and the unpack methods only use the fully qualified type name after the last '/' in the type URL, for example "foo.bar.com/x/y.z" will yield type name "y.z".
The JSON representation of an Any
value uses the regular
representation of the deserialized, embedded message, with an
additional field @type
which contains the type URL. Example:
package google.profile; message Person { string first_name = 1; string last_name = 2; }
{ "@type": "type.googleapis.com/google.profile.Person", "firstName": <string>, "lastName": <string> }
If the embedded message type is well-known and has a custom JSON
representation, that representation will be embedded adding a field
value
which holds the custom JSON in addition to the @type
field. Example (for message [google.protobuf.Duration][]):
{ "@type": "type.googleapis.com/google.protobuf.Duration", "value": "1.212s" }
Field Name | Required | Nullable | Type | Description | Format |
---|---|---|---|---|---|
@type |
String |
A URL/resource name that uniquely identifies the type of the serialized protocol buffer message. This string must contain at least one \"/\" character. The last segment of the URL’s path must represent the fully qualified name of the type (as in |
Field Name | Required | Nullable | Type | Description | Format |
---|---|---|---|---|---|
user |
String |
||||
role |
String |
||||
type |
String |
||||
level |
String |
Field Name | Required | Nullable | Type | Description | Format |
---|---|---|---|---|---|
type |
UNCONFINED, RUNTIME_DEFAULT, LOCALHOST, |
||||
localhostProfile |
String |
Field Name | Required | Nullable | Type | Description | Format |
---|---|---|---|---|---|
source |
SOURCE_UNKNOWN, SOURCE_RED_HAT, SOURCE_OSV, SOURCE_NVD, |
||||
url |
String |
||||
cvssv2 |
|||||
cvssv3 |
Field Name | Required | Nullable | Type | Description | Format |
---|---|---|---|---|---|
vector |
String |
||||
attackVector |
ATTACK_LOCAL, ATTACK_ADJACENT, ATTACK_NETWORK, |
||||
accessComplexity |
ACCESS_HIGH, ACCESS_MEDIUM, ACCESS_LOW, |
||||
authentication |
AUTH_MULTIPLE, AUTH_SINGLE, AUTH_NONE, |
||||
confidentiality |
IMPACT_NONE, IMPACT_PARTIAL, IMPACT_COMPLETE, |
||||
integrity |
IMPACT_NONE, IMPACT_PARTIAL, IMPACT_COMPLETE, |
||||
availability |
IMPACT_NONE, IMPACT_PARTIAL, IMPACT_COMPLETE, |
||||
exploitabilityScore |
Float |
float |
|||
impactScore |
Float |
float |
|||
score |
Float |
float |
|||
severity |
UNKNOWN, LOW, MEDIUM, HIGH, |
Field Name | Required | Nullable | Type | Description | Format |
---|---|---|---|---|---|
vector |
String |
||||
exploitabilityScore |
Float |
float |
|||
impactScore |
Float |
float |
|||
attackVector |
ATTACK_LOCAL, ATTACK_ADJACENT, ATTACK_NETWORK, ATTACK_PHYSICAL, |
||||
attackComplexity |
COMPLEXITY_LOW, COMPLEXITY_HIGH, |
||||
privilegesRequired |
PRIVILEGE_NONE, PRIVILEGE_LOW, PRIVILEGE_HIGH, |
||||
userInteraction |
UI_NONE, UI_REQUIRED, |
||||
scope |
UNCHANGED, CHANGED, |
||||
confidentiality |
IMPACT_NONE, IMPACT_LOW, IMPACT_HIGH, |
||||
integrity |
IMPACT_NONE, IMPACT_LOW, IMPACT_HIGH, |
||||
availability |
IMPACT_NONE, IMPACT_LOW, IMPACT_HIGH, |
||||
score |
Float |
float |
|||
severity |
UNKNOWN, NONE, LOW, MEDIUM, HIGH, CRITICAL, |
Field Name | Required | Nullable | Type | Description | Format |
---|---|---|---|---|---|
id |
String |
||||
config |
|||||
image |
|||||
securityContext |
|||||
volumes |
List of StorageVolume |
||||
ports |
List of StoragePortConfig |
||||
secrets |
List of StorageEmbeddedSecret |
||||
resources |
|||||
name |
String |
||||
livenessProbe |
|||||
readinessProbe |
Field Name | Required | Nullable | Type | Description | Format |
---|---|---|---|---|---|
env |
List of ContainerConfigEnvironmentConfig |
||||
command |
List of |
||||
args |
List of |
||||
directory |
String |
||||
user |
String |
||||
uid |
String |
int64 |
|||
appArmorProfile |
String |
Next tag: 12
Field Name | Required | Nullable | Type | Description | Format |
---|---|---|---|---|---|
id |
String |
||||
name |
|||||
notPullable |
Boolean |
||||
isClusterLocal |
Boolean |
Field Name | Required | Nullable | Type | Description | Format |
---|---|---|---|---|---|
rawSignature |
byte[] |
byte |
|||
signaturePayload |
byte[] |
byte |
|||
certPem |
byte[] |
byte |
|||
certChainPem |
byte[] |
byte |
Field Name | Required | Nullable | Type | Description | Format |
---|---|---|---|---|---|
id |
String |
||||
name |
String |
||||
mirror |
String |
Next available tag: 36
Field Name | Required | Nullable | Type | Description | Format |
---|---|---|---|---|---|
id |
String |
||||
name |
String |
||||
hash |
String |
uint64 |
|||
type |
String |
||||
namespace |
String |
||||
namespaceId |
String |
||||
orchestratorComponent |
Boolean |
||||
replicas |
String |
int64 |
|||
labels |
Map of |
||||
podLabels |
Map of |
||||
labelSelector |
|||||
created |
Date |
date-time |
|||
clusterId |
String |
||||
clusterName |
String |
||||
containers |
List of StorageContainer |
||||
annotations |
Map of |
||||
priority |
String |
int64 |
|||
inactive |
Boolean |
||||
imagePullSecrets |
List of |
||||
serviceAccount |
String |
||||
serviceAccountPermissionLevel |
UNSET, NONE, DEFAULT, ELEVATED_IN_NAMESPACE, ELEVATED_CLUSTER_WIDE, CLUSTER_ADMIN, |
||||
automountServiceAccountToken |
Boolean |
||||
hostNetwork |
Boolean |
||||
hostPid |
Boolean |
||||
hostIpc |
Boolean |
||||
runtimeClass |
String |
||||
tolerations |
List of StorageToleration |
||||
ports |
List of StoragePortConfig |
||||
stateTimestamp |
String |
int64 |
|||
riskScore |
Float |
float |
|||
platformComponent |
Boolean |
Next Tag: 13
Field Name | Required | Nullable | Type | Description | Format |
---|---|---|---|---|---|
name |
String |
||||
version |
String |
||||
license |
|||||
vulns |
List of StorageEmbeddedVulnerability |
||||
layerIndex |
Integer |
int32 |
|||
priority |
String |
int64 |
|||
source |
OS, PYTHON, JAVA, RUBY, NODEJS, GO, DOTNETCORERUNTIME, INFRASTRUCTURE, |
||||
location |
String |
||||
topCvss |
Float |
float |
|||
riskScore |
Float |
float |
|||
fixedBy |
String |
Component version that fixes all the fixable vulnerabilities in this component. |
|||
executables |
Field Name | Required | Nullable | Type | Description | Format |
---|---|---|---|---|---|
path |
String |
||||
dependencies |
List of |
Next Tag: 22
Field Name | Required | Nullable | Type | Description | Format |
---|---|---|---|---|---|
cve |
String |
||||
cvss |
Float |
float |
|||
summary |
String |
||||
link |
String |
||||
fixedBy |
String |
||||
scoreVersion |
V2, V3, |
||||
cvssV2 |
|||||
cvssV3 |
|||||
publishedOn |
Date |
date-time |
|||
lastModified |
Date |
date-time |
|||
vulnerabilityType |
UNKNOWN_VULNERABILITY, IMAGE_VULNERABILITY, K8S_VULNERABILITY, ISTIO_VULNERABILITY, NODE_VULNERABILITY, OPENSHIFT_VULNERABILITY, |
||||
vulnerabilityTypes |
|||||
suppressed |
Boolean |
||||
suppressActivation |
Date |
date-time |
|||
suppressExpiry |
Date |
date-time |
|||
firstSystemOccurrence |
Date |
Time when the CVE was first seen, for this specific distro, in the system. |
date-time |
||
firstImageOccurrence |
Date |
Time when the CVE was first seen in this image. |
date-time |
||
severity |
UNKNOWN_VULNERABILITY_SEVERITY, LOW_VULNERABILITY_SEVERITY, MODERATE_VULNERABILITY_SEVERITY, IMPORTANT_VULNERABILITY_SEVERITY, CRITICAL_VULNERABILITY_SEVERITY, |
||||
state |
OBSERVED, DEFERRED, FALSE_POSITIVE, |
||||
cvssMetrics |
List of StorageCVSSScore |
||||
nvdCvss |
Float |
float |
ScoreVersion can be deprecated ROX-26066
V2: No unset for automatic backwards compatibility
Enum Values |
---|
V2 |
V3 |
Next Tag: 19
Field Name | Required | Nullable | Type | Description | Format |
---|---|---|---|---|---|
id |
String |
||||
name |
|||||
names |
List of StorageImageName |
This should deprecate the ImageName field long-term, allowing images with the same digest to be associated with different locations. TODO(dhaus): For now, this message will be without search tags due to duplicated search tags otherwise. |
|||
metadata |
|||||
scan |
|||||
signatureVerificationData |
|||||
signature |
|||||
components |
Integer |
int32 |
|||
cves |
Integer |
int32 |
|||
fixableCves |
Integer |
int32 |
|||
lastUpdated |
Date |
date-time |
|||
notPullable |
Boolean |
||||
isClusterLocal |
Boolean |
||||
priority |
String |
int64 |
|||
riskScore |
Float |
float |
|||
topCvss |
Float |
float |
|||
notes |
List of StorageImageNote |
Field Name | Required | Nullable | Type | Description | Format |
---|---|---|---|---|---|
instruction |
String |
||||
value |
String |
||||
created |
Date |
date-time |
|||
author |
String |
||||
empty |
Boolean |
If any fields of ImageMetadata are modified including subfields, please check pkg/images/enricher/metadata.go to ensure that those changes will be automatically picked up Next Tag: 6
Field Name | Required | Nullable | Type | Description | Format |
---|---|---|---|---|---|
v1 |
|||||
v2 |
|||||
layerShas |
List of |
||||
dataSource |
|||||
version |
String |
uint64 |
Field Name | Required | Nullable | Type | Description | Format |
---|---|---|---|---|---|
registry |
String |
||||
remote |
String |
||||
tag |
String |
||||
fullName |
String |
Enum Values |
---|
MISSING_METADATA |
MISSING_SCAN_DATA |
MISSING_SIGNATURE |
MISSING_SIGNATURE_VERIFICATION_DATA |
Next tag: 8
Field Name | Required | Nullable | Type | Description | Format |
---|---|---|---|---|---|
scannerVersion |
String |
||||
scanTime |
Date |
date-time |
|||
components |
|||||
operatingSystem |
String |
||||
dataSource |
|||||
notes |
List of StorageImageScanNote |
||||
hash |
String |
uint64 |
Enum Values |
---|
UNSET |
OS_UNAVAILABLE |
PARTIAL_SCAN_DATA |
OS_CVES_UNAVAILABLE |
OS_CVES_STALE |
LANGUAGE_CVES_UNAVAILABLE |
CERTIFIED_RHEL_SCAN_UNAVAILABLE |
Field Name | Required | Nullable | Type | Description | Format |
---|---|---|---|---|---|
signatures |
List of StorageSignature |
||||
fetched |
Date |
date-time |
Next Tag: 6
Field Name | Required | Nullable | Type | Description | Format |
---|---|---|---|---|---|
verificationTime |
Date |
date-time |
|||
verifierId |
String |
verifier_id correlates to the ID of the signature integration used to verify the signature. |
|||
status |
UNSET, VERIFIED, FAILED_VERIFICATION, INVALID_SIGNATURE_ALGO, CORRUPTED_SIGNATURE, GENERIC_ERROR, |
||||
description |
String |
description is set in the case of an error with the specific error’s message. Otherwise, this will not be set. |
|||
verifiedImageReferences |
List of |
The full image names that are verified by this specific signature integration ID. |
Status represents the status of the result.
VERIFIED: VERIFIED is set when the signature’s verification was successful.
FAILED_VERIFICATION: FAILED_VERIFICATION is set when the signature’s verification failed.
INVALID_SIGNATURE_ALGO: INVALID_SIGNATURE_ALGO is set when the signature’s algorithm is invalid and unsupported.
CORRUPTED_SIGNATURE: CORRUPTED_SIGNATURE is set when the raw signature is corrupted, i.e. wrong base64 encoding.
GENERIC_ERROR: GENERIC_ERROR is set when an error occurred during verification that cannot be associated with a specific status.
Enum Values |
---|
UNSET |
VERIFIED |
FAILED_VERIFICATION |
INVALID_SIGNATURE_ALGO |
CORRUPTED_SIGNATURE |
GENERIC_ERROR |
Label selector components are joined with logical AND, see https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
Next available tag: 3
Field Name | Required | Nullable | Type | Description | Format |
---|---|---|---|---|---|
matchLabels |
Map of |
This is actually a oneof, but we can’t make it one due to backwards compatibility constraints. |
|||
requirements |
List of StorageLabelSelectorRequirement |
Next available tag: 4
Field Name | Required | Nullable | Type | Description | Format |
---|---|---|---|---|---|
key |
String |
||||
op |
UNKNOWN, IN, NOT_IN, EXISTS, NOT_EXISTS, |
||||
values |
List of |
Field Name | Required | Nullable | Type | Description | Format |
---|---|---|---|---|---|
name |
String |
||||
type |
String |
||||
url |
String |
For any update to PermissionLevel, also update: - pkg/searchbasedpolicies/builders/k8s_rbac.go - ui/src/messages/common.js
Enum Values |
---|
UNSET |
NONE |
DEFAULT |
ELEVATED_IN_NAMESPACE |
ELEVATED_CLUSTER_WIDE |
CLUSTER_ADMIN |
Next Available Tag: 6
Field Name | Required | Nullable | Type | Description | Format |
---|---|---|---|---|---|
name |
String |
||||
containerPort |
Integer |
int32 |
|||
protocol |
String |
||||
exposure |
UNSET, EXTERNAL, NODE, INTERNAL, HOST, ROUTE, |
||||
exposedPort |
Integer |
int32 |
|||
exposureInfos |
List of PortConfigExposureInfo |
Field Name | Required | Nullable | Type | Description | Format |
---|---|---|---|---|---|
cpuCoresRequest |
Float |
float |
|||
cpuCoresLimit |
Float |
float |
|||
memoryMbRequest |
Float |
float |
|||
memoryMbLimit |
Float |
float |
Field Name | Required | Nullable | Type | Description | Format |
---|---|---|---|---|---|
privileged |
Boolean |
||||
selinux |
|||||
dropCapabilities |
List of |
||||
addCapabilities |
List of |
||||
readOnlyRootFilesystem |
Boolean |
||||
seccompProfile |
|||||
allowPrivilegeEscalation |
Boolean |
Enum Values |
---|
UNKNOWN_TAINT_EFFECT |
NO_SCHEDULE_TAINT_EFFECT |
PREFER_NO_SCHEDULE_TAINT_EFFECT |
NO_EXECUTE_TAINT_EFFECT |
Field Name | Required | Nullable | Type | Description | Format |
---|---|---|---|---|---|
key |
String |
||||
operator |
TOLERATION_OPERATION_UNKNOWN, TOLERATION_OPERATOR_EXISTS, TOLERATION_OPERATOR_EQUAL, |
||||
value |
String |
||||
taintEffect |
UNKNOWN_TAINT_EFFECT, NO_SCHEDULE_TAINT_EFFECT, PREFER_NO_SCHEDULE_TAINT_EFFECT, NO_EXECUTE_TAINT_EFFECT, |
Enum Values |
---|
TOLERATION_OPERATION_UNKNOWN |
TOLERATION_OPERATOR_EXISTS |
TOLERATION_OPERATOR_EQUAL |
Field Name | Required | Nullable | Type | Description | Format |
---|---|---|---|---|---|
digest |
String |
||||
created |
Date |
date-time |
|||
author |
String |
||||
layers |
List of StorageImageLayer |
||||
user |
String |
||||
command |
List of |
||||
entrypoint |
List of |
||||
volumes |
List of |
||||
labels |
Map of |
Field Name | Required | Nullable | Type | Description | Format |
---|---|---|---|---|---|
name |
String |
||||
source |
String |
||||
destination |
String |
||||
readOnly |
Boolean |
||||
type |
String |
||||
mountPropagation |
NONE, HOST_TO_CONTAINER, BIDIRECTIONAL, |
Enum Values |
---|
UNKNOWN_VULNERABILITY_SEVERITY |
LOW_VULNERABILITY_SEVERITY |
MODERATE_VULNERABILITY_SEVERITY |
IMPORTANT_VULNERABILITY_SEVERITY |
CRITICAL_VULNERABILITY_SEVERITY |
VulnerabilityState indicates if vulnerability is being observed or deferred(/suppressed). By default, it vulnerabilities are observed.
OBSERVED: [Default state]
Enum Values |
---|
OBSERVED |
DEFERRED |
FALSE_POSITIVE |
Stream result of v1VulnMgmtExportWorkloadsResponse
Field Name | Required | Nullable | Type | Description | Format |
---|---|---|---|---|---|
result |
|||||
error |
The workloads response contains the full image details including the vulnerability data.
Field Name | Required | Nullable | Type | Description | Format |
---|---|---|---|---|---|
deployment |
|||||
images |
List of StorageImage |