Data Source: oci_adm_vulnerability_audit

This data source provides details about a specific Vulnerability Audit resource in Oracle Cloud Infrastructure ADM service.

Returns the details of the specified Vulnerability Audit.

Example Usage

data "oci_adm_vulnerability_audit" "test_vulnerability_audit" {
	#Required
	vulnerability_audit_id = oci_adm_vulnerability_audit.test_vulnerability_audit.id
}

Argument Reference

The following arguments are supported:

• vulnerability_audit_id - (Required) Unique Vulnerability Audit identifier path parameter.

Attributes Reference

The following attributes are exported:

• build_type - The type of the build tool is restricted to only two values MAVEN or UNSET. Use UNSET when the list of application dependencies is not Maven-related or is a mix of Maven and other ecosystems. This option is soon to be deprecated.
• compartment_id - The compartment Oracle Cloud identifier (OCID) of the vulnerability audit.
• configuration - Configuration for a vulnerability audit. A vulnerable application dependency is ignored if its name does match any of the items in exclusions, or all of the associated Vulnerabilies have a CVSS v2 score below maxPermissibleCvssV2Score and a CVSS v3 score below maxPermissibleCvssV3Score. type: object
  • exclusions - A vulnerable application dependency is ignored if its name matches any of the items in exclusions. An asterisk (*) in the dependency pattern acts as a wildcard and matches zero or more characters.
  • max_permissible_cvss_v2score - A vulnerable application dependency is ignored if the score of its associated Vulnerability is below maxPermissibleCvssV2Score and below maxPermissibleCvssV3Score.
  • max_permissible_cvss_v3score - A vulnerable application dependency is ignored if the score of its associated Vulnerability is below maxPermissibleCvssV2Score and below maxPermissibleCvssV3Score.
  • max_permissible_severity - A vulnerable application dependency is ignored if the score of its associated Vulnerability is below maxPermissibleSeverity.
• defined_tags - Defined tags for this resource. Each key is predefined and scoped to a namespace. Example: {"foo-namespace.bar-key": "value"}
• display_name - The name of the vulnerability audit.
• freeform_tags - Simple key-value pair that is applied without any predefined name, type or scope. Exists for cross-compatibility only. Example: {"bar-key": "value"}
• id - The Oracle Cloud identifier (OCID) of the vulnerability audit.
• is_success - Indicates if an audit succeeded according to the configuration. The value is null if the audit is in the CREATING state.
• knowledge_base_id - The Oracle Cloud identifier (OCID) of the knowledge base.
• lifecycle_details - Details on the lifecycle state.
• max_observed_cvss_v2score - Maximum Common Vulnerability Scoring System Version 2 score observed for non-ignored vulnerable application dependencies.
• max_observed_cvss_v2score_with_ignored - Maximum Common Vulnerability Scoring System Version 2 score observed for vulnerable application dependencies including ignored ones.
• max_observed_cvss_v3score - Maximum Common Vulnerability Scoring System Version 3 score observed for non-ignored vulnerable application dependencies.
• max_observed_cvss_v3score_with_ignored - Maximum Common Vulnerability Scoring System Version 3 score observed for vulnerable application dependencies including ignored ones.
• max_observed_severity - Maximum ADM Severity observed for non-ignored vulnerable application dependencies.
• max_observed_severity_with_ignored - Maximum ADM Severity observed for vulnerable application dependencies including ignored ones.
• source - vulnerability audit source.
  • description - Description of the external resource source.
  • oci_resource_id - The Oracle Cloud identifier (OCID) of the Oracle Cloud Infrastructure resource that triggered the vulnerability audit.
  • type - Source type of the vulnerability audit.
• state - The current lifecycle state of the vulnerability audit.
• system_tags - Usage of system tag keys. These predefined keys are scoped to namespaces. Example: {"orcl-cloud.free-tier-retained": "true"}
• time_created - The creation date and time of the vulnerability audit (formatted according to RFC3339).
• time_updated - The update date and time of the vulnerability audit (formatted according to RFC3339).
• usage_data - The source details of the usage data in object storage. The usage data file uploaded to object storage must be a gzip archive of the JSON usage data returned from the GraalVM native-image-inspect tool after a native-image build. Set sourceType to objectStorageTuple and use UsageDataViaObjectStorageTupleDetails when specifying the namespace, bucket name, and object name.
  • bucket - The Object Storage bucket to read the usage data from.
  • namespace - The Object Storage namespace to read the usage data from.
  • object - The Object Storage object name to read the usage data from.
  • source_type - The destination type. Use objectStorageTuple when specifying the namespace, bucket name, and object name.
• vulnerabilities - List of vulnerabilities found in the vulnerability audit. If a vulnerability affects multiple dependencies, the metadata returned here consists of audit-wide aggregates.
  • cvss_v2score - Common Vulnerability Scoring System (CVSS) Version 2, calculated from the metrics provided in the CVSS vector provided from the vulnerability source. This field is deprecated and will be removed in the future. The cvssV2Score can be obtained from the metrics field of the listVulnerabilities endpoint.
  • cvss_v3score - Common Vulnerability Scoring System (CVSS) Version 3, calculated from the metrics provided in the CVSS vector provided from the vulnerability source. This field is deprecated and will be removed in the future. The cvssV3Score can be obtained from the metrics field of the listVulnerabilities endpoint.
  • id - Unique vulnerability identifier, e.g. CVE-1999-0067.
  • is_false_positive - Indicates if the vulnerability is a false positive according to the usage data. If no usage data was provided or the service cannot infer usage of the vulnerable code then this property is null.
  • is_ignored - Indicates if the vulnerability was ignored according to the audit configuration.
  • severity - ADM qualitative severity score. Can be either NONE, LOW, MEDIUM, HIGH or CRITICAL.
  • source - Source that published the vulnerability
• vulnerable_artifacts_count - Count of non-ignored vulnerable application dependencies.
• vulnerable_artifacts_count_with_ignored - Count of all vulnerable application dependencies.