Data Source: oci_adm_vulnerability_audit_application_dependency_vulnerabilities
This data source provides the list of Vulnerability Audit Application Dependency Vulnerabilities in Oracle Cloud Infrastructure ADM service.
Returns a list of Application Dependencies with their associated vulnerabilities.
Example Usage
data "oci_adm_vulnerability_audit_application_dependency_vulnerabilities" "test_vulnerability_audit_application_dependency_vulnerabilities" {
  #Required
  vulnerability_audit_id = oci_adm_vulnerability_audit.test_vulnerability_audit.id

  #Optional
  #All optional arguments are listed for reference. Per the Argument Reference, depth and root_node_id
  #cannot be combined with the cvss_v2/cvss_v3, gav and vulnerability_id filters.
  cvss_v2greater_than_or_equal   = var.vulnerability_audit_application_dependency_vulnerability_cvss_v2greater_than_or_equal
  cvss_v3greater_than_or_equal   = var.vulnerability_audit_application_dependency_vulnerability_cvss_v3greater_than_or_equal
  depth                          = var.vulnerability_audit_application_dependency_vulnerability_depth
  gav                            = var.vulnerability_audit_application_dependency_vulnerability_gav
  purl                           = var.vulnerability_audit_application_dependency_vulnerability_purl
  root_node_id                   = oci_adm_root_node.test_root_node.id
  severity_greater_than_or_equal = var.vulnerability_audit_application_dependency_vulnerability_severity_greater_than_or_equal
  vulnerability_id               = oci_adm_vulnerability.test_vulnerability.id
}
Argument Reference
The following arguments are supported:
cvss_v2greater_than_or_equal
- (Optional) A filter that returns only Vulnerabilities that have a Common Vulnerability Scoring System Version 2 (CVSS V2) greater than or equal to the specified value.
cvss_v3greater_than_or_equal
- (Optional) A filter that returns only Vulnerabilities that have a Common Vulnerability Scoring System Version 3 (CVSS V3) greater than or equal to the specified value.
depth
- (Optional) A filter to limit depth of the application dependencies tree traversal. Additionally, query parameters such as “cvssV2GreaterThanOrEqual”, “cvssV3GreaterThanOrEqual”, “gav” and “vulnerabilityId” cannot be used in conjunction with this parameter.
gav
- (Optional) A filter to return only resources that match the entire GAV (Group Artifact Version) identifier given.
purl
- (Optional) A filter to return only resources that match the entire purl given.
root_node_id
- (Optional) A filter to override the top level root identifier with the new given value. The application dependency tree will only be traversed from the given node. Query parameters “cvssV2GreaterThanOrEqual”, “cvssV3GreaterThanOrEqual”, “gav” and “vulnerabilityId” cannot be used in conjunction with this parameter.
severity_greater_than_or_equal
- (Optional) A filter that returns only Vulnerabilities that have a severity greater than or equal to the specified value.
vulnerability_audit_id
- (Required) Unique Vulnerability Audit identifier path parameter.
vulnerability_id
- (Optional) A filter to return only Vulnerability Audits that match the specified id.
Attributes Reference
The following attributes are exported:
application_dependency_vulnerability_collection
- The list of VulnerabilityAuditApplicationDependencyVulnerability.
VulnerabilityAuditApplicationDependencyVulnerability Reference
The following attributes are exported:
items
- List of vulnerability audit summaries.
application_dependency_node_ids
- List of application dependencies on which this application dependency depends, each identified by its nodeId.
gav
- Group Artifact Version (GAV) identifier (Group:Artifact:Version). Example: org.graalvm.nativeimage:svm:21.1.0. “N/A” for non-maven artifacts.
is_found_in_knowledge_base
- Indicates if the artifact is found in the knowledge base. This field is deprecated and will be removed in the future.
node_id
- Unique identifier of an application dependency, for example nodeId1.
purl
- Package URL identifier, e.g. pkg:maven/org.graalvm.nativeimage/svm@21.1.0
vulnerabilities
- List of vulnerabilities for the application dependency.
cvss_v2score
- Common Vulnerability Scoring System (CVSS) Version 2, calculated from the metrics provided in the CVSS vector provided from the vulnerability source. This field is deprecated and will be removed in the future. The cvssV2Score can be obtained from the metrics field of the listVulnerabilities endpoint.
cvss_v3score
- Common Vulnerability Scoring System (CVSS) Version 3, calculated from the metrics provided in the CVSS vector provided from the vulnerability source. This field is deprecated and will be removed in the future. The cvssV3Score can be obtained from the metrics field of the listVulnerabilities endpoint.
id
- Unique vulnerability identifier, e.g. CVE-1999-0067.
is_false_positive
- Indicates if the vulnerability is a false positive according to the usage data. If no usage data was provided or the service cannot infer usage of the vulnerable code then this property is null.
is_ignored
- Indicates if the vulnerability was ignored according to the audit configuration.
severity
- ADM qualitative severity score. Can be either NONE, LOW, MEDIUM, HIGH or CRITICAL.
source
- Source that published the vulnerability.
warnings
- Potential issues in the artifact identifiers (purls) provided by the user, that the user is alerted about. ADM supports the following warnings:
- MISSING_VERSION: Missing version
- INCORRECT_FORMAT_VERSION: Version cannot be parsed according to the ecosystem
- UNKNOWN_ECOSYSTEM: The purl’s ecosystem is unknown to ADM
- INCORRECT_FORMAT_EPOCH: Epoch qualifier cannot be parsed according to the ecosystem
- MISSING_DISTRO: The distro qualifier is required for the ecosystem, but was not provided in the purl
- UNKNOWN_DISTRO: ADM does not have data for the provided distro value for the given ecosystem
- MISSING_ARCH: The arch qualifier is required for the ecosystem and distro, but was not provided in the purl
- UNKNOWN_ARCH: ADM does not have data for the provided arch value for the given ecosystem and distro
- EPOCH_VALUE_MISMATCH: Epoch value in qualifier is not the same as the epoch value in version
- INVALID_PURL: The provided PURL could not be parsed
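Added example, not part of the provider documentation: one way to use this data source as a deployment gate, by querying an audit for HIGH and above, dropping findings marked ignored or false positive, and failing the run if any remain. The variable, local and output names are assumptions, as is passing "HIGH" to severity_greater_than_or_equal (a value taken from the list given for the severity attribute); output preconditions need Terraform 1.2 or later.

```hcl
# Assumed input: OCID of an existing ADM vulnerability audit.
variable "vulnerability_audit_id" {
  type = string
}

data "oci_adm_vulnerability_audit_application_dependency_vulnerabilities" "high" {
  vulnerability_audit_id         = var.vulnerability_audit_id
  severity_greater_than_or_equal = "HIGH" # assumed to accept the severity values listed above
  # depth and root_node_id are left unset so the full dependency tree is covered.
}

locals {
  # The collection is a list whose elements each expose "items" (one entry per dependency).
  dependencies = flatten([
    for c in data.oci_adm_vulnerability_audit_application_dependency_vulnerabilities.high.application_dependency_vulnerability_collection : c.items
  ])

  # One record per (dependency, vulnerability) pair that still needs attention.
  # is_false_positive is null when ADM has no usage data; "!= true" keeps those
  # findings instead of silently discarding them.
  actionable = flatten([
    for dep in local.dependencies : [
      for v in dep.vulnerabilities : {
        purl     = dep.purl
        gav      = dep.gav
        id       = v.id
        severity = v.severity
        source   = v.source
      } if v.is_ignored != true && v.is_false_positive != true
    ]
  ])
}

output "actionable_high_or_critical" {
  value = local.actionable

  # Fails plan/apply while unresolved HIGH or CRITICAL findings remain.
  precondition {
    condition     = length(local.actionable) == 0
    error_message = "ADM audit reports ${length(local.actionable)} HIGH or CRITICAL findings that are neither ignored nor false positives."
  }
}
```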