oci_adm_vulnerability_audit
This resource provides the Vulnerability Audit resource in the Oracle Cloud Infrastructure Application Dependency Management (ADM) service.
Creates a new Vulnerability Audit from a tree of Application Dependencies, evaluated against the vulnerabilities recorded in a Knowledge Base.
Example Usage
resource "oci_adm_vulnerability_audit" "test_vulnerability_audit" {
  #Required
  knowledge_base_id = oci_adm_knowledge_base.test_knowledge_base.id

  #Optional
  application_dependencies {
    #Required
    node_id = oci_adm_node.test_node.id

    #Optional
    application_dependency_node_ids = var.vulnerability_audit_application_dependencies_application_dependency_node_ids
    gav                             = var.vulnerability_audit_application_dependencies_gav
    purl                            = var.vulnerability_audit_application_dependencies_purl
  }
  build_type     = var.vulnerability_audit_build_type
  compartment_id = var.compartment_id
  configuration {
    #Optional
    exclusions                   = var.vulnerability_audit_configuration_exclusions
    max_permissible_cvss_v2score = var.vulnerability_audit_configuration_max_permissible_cvss_v2score
    max_permissible_cvss_v3score = var.vulnerability_audit_configuration_max_permissible_cvss_v3score
    max_permissible_severity     = var.vulnerability_audit_configuration_max_permissible_severity
  }
  defined_tags  = { "foo-namespace.bar-key" = "value" }
  display_name  = var.vulnerability_audit_display_name
  freeform_tags = { "bar-key" = "value" }
  source {
    #Required
    type = var.vulnerability_audit_source_type

    #Optional
    description     = var.vulnerability_audit_source_description
    oci_resource_id = oci_adm_oci_resource.test_oci_resource.id
  }
  usage_data {
    #Required
    bucket      = var.vulnerability_audit_usage_data_bucket
    namespace   = var.vulnerability_audit_usage_data_namespace
    object      = var.vulnerability_audit_usage_data_object
    source_type = var.vulnerability_audit_usage_data_source_type
  }
}
Argument Reference
The following arguments are supported:
* application_dependencies - (Optional) List of application dependencies (without vulnerabilities).
  * application_dependency_node_ids - (Optional) List of application dependencies on which this application dependency depends, each identified by its nodeId.
  * gav - (Optional) Group Artifact Version (GAV) identifier (Group:Artifact:Version). Example: org.graalvm.nativeimage:svm:21.1.0. Use "N/A" for non-Maven artifacts.
  * node_id - (Required) Unique identifier of an application dependency, for example nodeId1. Generate nodeIds by assigning a unique id to each application dependency in the tree; every node, even nodes that share the same GAV, must have a different nodeId. The preferred way to construct nodeIds is to assign incremental integers during a breadth-first or depth-first traversal. A nodeId may be reused only when it refers to the same subtree of application dependencies. (This is not the same as referring to the same GAV: one GAV can appear with different sets of transitive dependencies.)
  * purl - (Optional) Package URL identifier, e.g. pkg:maven/org.graalvm.nativeimage/svm@21.1.0
* build_type - (Optional) The type of build tool, restricted to the two values MAVEN or UNSET. Use UNSET when the list of application dependencies is not Maven-related or mixes Maven with other ecosystems. This option is soon to be deprecated.
* compartment_id - (Optional) (Updatable) The compartment Oracle Cloud identifier (OCID) of the vulnerability audit. If no compartment identifier is provided, the compartment of the associated knowledge base is used instead.
* configuration - (Optional) Configuration for a vulnerability audit. A vulnerable application dependency is ignored if its name matches any of the items in exclusions, or if all of its associated vulnerabilities have a CVSS v2 score below max_permissible_cvss_v2score and a CVSS v3 score below max_permissible_cvss_v3score ("below" meaning strictly less than the threshold).
  * exclusions - (Optional) A vulnerable application dependency is ignored if its name matches any of the items in exclusions. An asterisk (*) in the dependency pattern acts as a wildcard and matches zero or more characters.
  * max_permissible_cvss_v2score - (Optional) A vulnerable application dependency is ignored if the CVSS v2 score of each of its associated vulnerabilities is below max_permissible_cvss_v2score and the CVSS v3 score is below max_permissible_cvss_v3score.
  * max_permissible_cvss_v3score - (Optional) Same rule as for max_permissible_cvss_v2score: both the CVSS v2 and the CVSS v3 score of each associated vulnerability must be below their thresholds for the dependency to be ignored.
  * max_permissible_severity - (Optional) A vulnerable application dependency is ignored if the ADM severity of its associated vulnerabilities is below max_permissible_severity.
* defined_tags - (Optional) (Updatable) Defined tags for this resource. Each key is predefined and scoped to a namespace. Example: {"foo-namespace.bar-key": "value"}
* display_name - (Optional) (Updatable) The name of the vulnerability audit.
* freeform_tags - (Optional) (Updatable) Simple key-value pair that is applied without any predefined name, type or scope. Exists for cross-compatibility only. Example: {"bar-key": "value"}
* knowledge_base_id - (Required) The Oracle Cloud identifier (OCID) of the knowledge base.
* source - (Optional) Vulnerability audit source.
  * description - (Applicable when type=EXTERNAL_RESOURCE) Description of the external resource source.
  * oci_resource_id - (Required when type=OCI_RESOURCE) The Oracle Cloud identifier (OCID) of the Oracle Cloud Infrastructure resource that triggered the vulnerability audit.
  * type - (Required) Source type of the vulnerability audit (for example OCI_RESOURCE or EXTERNAL_RESOURCE, as referenced above).
* usage_data - (Optional) The source details of the usage data in Object Storage. The usage data file uploaded to Object Storage must be a gzip archive of the JSON usage data returned by the GraalVM native-image-inspect tool after a native-image build. Set source_type to objectStorageTuple (the API's UsageDataViaObjectStorageTupleDetails) when specifying the namespace, bucket name, and object name.
  * bucket - (Required) The Object Storage bucket to read the usage data from.
  * namespace - (Required) The Object Storage namespace to read the usage data from.
  * object - (Required) The Object Storage object name to read the usage data from.
  * source_type - (Required) The source type of the usage data. Use objectStorageTuple when specifying the namespace, bucket name, and object name.
** IMPORTANT ** Any change to a property that does not support update will force the destruction and recreation of the resource with the new property values. Only compartment_id, defined_tags, display_name and freeform_tags are marked (Updatable) above; changing application_dependencies, configuration, source or usage_data therefore replaces the audit.
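The nodeId construction rules and the configuration ignore rules described above, worked through as an added example (Python, not code from the OCI Terraform provider or the ADM service). It assigns breadth-first nodeIds to a constructed dependency tree in which one subtree is reached twice, emits the application_dependencies entries as JSON, and applies exclusions and CVSS thresholds to constructed findings to derive the is_success, vulnerable_artifacts_count and max_observed_* values the resource exports. The tree, the SAMPLE-* vulnerability ids and their scores, the thresholds, matching exclusions against the GAV (the page only says "name"), reading is_success as "no non-ignored vulnerable dependency remains", and treating an unset threshold or missing score as never "below" are all assumptions; max_permissible_severity is left out because the page does not say how it combines with the CVSS thresholds.

```python
"""Encode a dependency tree for oci_adm_vulnerability_audit and apply its
configuration ignore rules. Added example; the tree, findings, thresholds and
SAMPLE-* vulnerability ids are constructed data, not real advisories."""
from collections import deque
import json
import re


def dep(group, artifact, version, children=()):
    """Constructed Maven dependency node carrying both gav and purl."""
    return {"gav": f"{group}:{artifact}:{version}",
            "purl": f"pkg:maven/{group}/{artifact}@{version}",
            "children": list(children)}


# Constructed sample tree; logging-api is one shared subtree reached twice.
LOGGING = dep("org.example", "logging-api", "1.7.0")
SAMPLE_TREE = dep("com.example", "app", "1.0.0", [
    dep("org.example", "native-runtime", "21.1.0", [LOGGING]),
    dep("org.example", "json-parser", "2.9.0", [LOGGING]),
    dep("org.example", "io-utils", "2.6.0"),
])
SAMPLE_CONFIG = {"exclusions": ["org.example:native-*"],
                 "max_permissible_cvss_v2score": 4.0,
                 "max_permissible_cvss_v3score": 4.0}
# Constructed findings keyed by GAV; only vulnerable dependencies appear.
SAMPLE_FINDINGS = {
    "org.example:native-runtime:21.1.0": [{"id": "SAMPLE-0001", "cvss_v2": 5.0, "cvss_v3": 6.5}],
    "org.example:json-parser:2.9.0": [{"id": "SAMPLE-0002", "cvss_v2": 7.5, "cvss_v3": 9.8}],
    "org.example:io-utils:2.6.0": [{"id": "SAMPLE-0003", "cvss_v2": 2.6, "cvss_v3": 3.7}],
}


def assign_node_ids(root):
    """application_dependencies entries with nodeIds assigned in BFS order.
    A subtree object reached twice keeps its nodeId (reuse for the same
    subtree is allowed); two distinct subtrees with the same GAV would not."""
    node_ids, ordered, queue = {}, [], deque([root])
    while queue:
        node = queue.popleft()
        if id(node) in node_ids:
            continue  # same subtree as before: reuse its nodeId
        node_ids[id(node)] = f"nodeId{len(node_ids) + 1}"
        ordered.append(node)
        queue.extend(node["children"])
    return [{"node_id": node_ids[id(n)], "gav": n["gav"], "purl": n["purl"],
             "application_dependency_node_ids": [node_ids[id(c)] for c in n["children"]]}
            for n in ordered]


def matches_exclusion(pattern, name):
    """Exclusion match in which '*' is the only wildcard (zero or more chars)."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, name) is not None


def is_ignored(gav, vulns, config):
    """Ignore rule: GAV matches an exclusion, or every vulnerability scores
    strictly below both CVSS thresholds. Assumption: an unset threshold or a
    missing score never counts as 'below', so it cannot cause an ignore."""
    if any(matches_exclusion(p, gav) for p in config.get("exclusions", [])):
        return True
    max_v2 = config.get("max_permissible_cvss_v2score")
    max_v3 = config.get("max_permissible_cvss_v3score")
    if max_v2 is None or max_v3 is None:
        return False
    return all(v["cvss_v2"] is not None and v["cvss_v2"] < max_v2
               and v["cvss_v3"] is not None and v["cvss_v3"] < max_v3
               for v in vulns)


def summarize(findings, config):
    """Audit-level attributes derived from findings. Assumption: is_success
    means that no non-ignored vulnerable dependency remains."""
    s = {"is_success": True, "vulnerable_artifacts_count": 0,
         "vulnerable_artifacts_count_with_ignored": 0}
    for key in ("max_observed_cvss_v2score", "max_observed_cvss_v3score"):
        s[key] = s[key + "_with_ignored"] = 0.0
    for gav, vulns in findings.items():
        ignored = is_ignored(gav, vulns, config)
        s["vulnerable_artifacts_count_with_ignored"] += 1
        if not ignored:
            s["vulnerable_artifacts_count"] += 1
            s["is_success"] = False
        for v in vulns:
            for ver in ("v2", "v3"):
                key, score = f"max_observed_cvss_{ver}score", v[f"cvss_{ver}"] or 0.0
                s[key + "_with_ignored"] = max(s[key + "_with_ignored"], score)
                if not ignored:
                    s[key] = max(s[key], score)
    return s


def run_sample():
    return assign_node_ids(SAMPLE_TREE), summarize(SAMPLE_FINDINGS, SAMPLE_CONFIG)


if __name__ == "__main__":
    entries, summary = run_sample()
    # Consume the entries in Terraform via jsondecode(file(...)) and a dynamic block.
    print(json.dumps({"application_dependencies": entries}, indent=2))
    print(json.dumps(summary, indent=2))
```

With the sample data, native-runtime is ignored by the exclusion pattern, io-utils is ignored because both of its scores are below 4.0, and json-parser is not ignored, so is_success is false with one non-ignored vulnerable artifact out of three. A score exactly equal to a threshold is not below it, so it keeps the dependency from being ignored; lower the threshold rather than relying on equality if that is the intent. The emitted JSON can be fed to the resource with a dynamic "application_dependencies" block over jsondecode(file("deps.json")).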
Attributes Reference
The following attributes are exported:
* build_type - The type of build tool, restricted to the two values MAVEN or UNSET. Use UNSET when the list of application dependencies is not Maven-related or mixes Maven with other ecosystems. This option is soon to be deprecated.
* compartment_id - The compartment Oracle Cloud identifier (OCID) of the vulnerability audit.
* configuration - Configuration for a vulnerability audit. A vulnerable application dependency is ignored if its name matches any of the items in exclusions, or if all of its associated vulnerabilities have a CVSS v2 score below max_permissible_cvss_v2score and a CVSS v3 score below max_permissible_cvss_v3score.
  * exclusions - A vulnerable application dependency is ignored if its name matches any of the items in exclusions. An asterisk (*) in the dependency pattern acts as a wildcard and matches zero or more characters.
  * max_permissible_cvss_v2score - A vulnerable application dependency is ignored if the CVSS v2 score of each of its associated vulnerabilities is below max_permissible_cvss_v2score and the CVSS v3 score is below max_permissible_cvss_v3score.
  * max_permissible_cvss_v3score - Same rule as for max_permissible_cvss_v2score: both the CVSS v2 and the CVSS v3 score must be below their thresholds for the dependency to be ignored.
  * max_permissible_severity - A vulnerable application dependency is ignored if the ADM severity of its associated vulnerabilities is below max_permissible_severity.
* defined_tags - Defined tags for this resource. Each key is predefined and scoped to a namespace. Example: {"foo-namespace.bar-key": "value"}
* display_name - The name of the vulnerability audit.
* freeform_tags - Simple key-value pair that is applied without any predefined name, type or scope. Exists for cross-compatibility only. Example: {"bar-key": "value"}
* id - The Oracle Cloud identifier (OCID) of the vulnerability audit.
* is_success - Indicates whether the audit succeeded according to the configuration. The value is null while the audit is in the CREATING state.
* knowledge_base_id - The Oracle Cloud identifier (OCID) of the knowledge base.
* lifecycle_details - Details on the lifecycle state.
* max_observed_cvss_v2score - Maximum Common Vulnerability Scoring System Version 2 score observed for non-ignored vulnerable application dependencies.
* max_observed_cvss_v2score_with_ignored - Maximum Common Vulnerability Scoring System Version 2 score observed for vulnerable application dependencies, including ignored ones.
* max_observed_cvss_v3score - Maximum Common Vulnerability Scoring System Version 3 score observed for non-ignored vulnerable application dependencies.
* max_observed_cvss_v3score_with_ignored - Maximum Common Vulnerability Scoring System Version 3 score observed for vulnerable application dependencies, including ignored ones.
* max_observed_severity - Maximum ADM severity observed for non-ignored vulnerable application dependencies.
* max_observed_severity_with_ignored - Maximum ADM severity observed for vulnerable application dependencies, including ignored ones.
* source - Vulnerability audit source.
  * description - Description of the external resource source.
  * oci_resource_id - The Oracle Cloud identifier (OCID) of the Oracle Cloud Infrastructure resource that triggered the vulnerability audit.
  * type - Source type of the vulnerability audit.
* state - The current lifecycle state of the vulnerability audit.
* system_tags - Usage of system tag keys. These predefined keys are scoped to namespaces. Example: {"orcl-cloud.free-tier-retained": "true"}
* time_created - The creation date and time of the vulnerability audit (formatted according to RFC3339).
* time_updated - The update date and time of the vulnerability audit (formatted according to RFC3339).
* usage_data - The source details of the usage data in Object Storage. The usage data file uploaded to Object Storage must be a gzip archive of the JSON usage data returned by the GraalVM native-image-inspect tool after a native-image build. source_type is objectStorageTuple (the API's UsageDataViaObjectStorageTupleDetails) when the namespace, bucket name, and object name are specified.
  * bucket - The Object Storage bucket to read the usage data from.
  * namespace - The Object Storage namespace to read the usage data from.
  * object - The Object Storage object name to read the usage data from.
  * source_type - The source type of the usage data; objectStorageTuple when the namespace, bucket name, and object name are specified.
* vulnerabilities - List of vulnerabilities found in the vulnerability audit. If a vulnerability affects multiple dependencies, the metadata returned here consists of audit-wide aggregates.
  * cvss_v2score - Common Vulnerability Scoring System (CVSS) Version 2 score, calculated from the metrics in the CVSS vector provided by the vulnerability source. This field is deprecated and will be removed in the future. The cvssV2Score can be obtained from the metrics field of the listVulnerabilities endpoint.
  * cvss_v3score - Common Vulnerability Scoring System (CVSS) Version 3 score, calculated from the metrics in the CVSS vector provided by the vulnerability source. This field is deprecated and will be removed in the future. The cvssV3Score can be obtained from the metrics field of the listVulnerabilities endpoint.
  * id - Unique vulnerability identifier, e.g. CVE-1999-0067.
  * is_false_positive - Indicates whether the vulnerability is a false positive according to the usage data. If no usage data was provided, or the service cannot infer whether the vulnerable code is used, this property is null.
  * is_ignored - Indicates whether the vulnerability was ignored according to the audit configuration.
  * severity - ADM qualitative severity score. One of NONE, LOW, MEDIUM, HIGH or CRITICAL.
  * source - Source that published the vulnerability.
* vulnerable_artifacts_count - Count of non-ignored vulnerable application dependencies.
* vulnerable_artifacts_count_with_ignored - Count of all vulnerable application dependencies, including ignored ones.
Timeouts
The timeouts block allows you to specify timeouts for certain operations:
* create - (Defaults to 20 minutes), when creating the Vulnerability Audit
* update - (Defaults to 20 minutes), when updating the Vulnerability Audit
* delete - (Defaults to 20 minutes), when destroying the Vulnerability Audit
Import
VulnerabilityAudits can be imported using the id, e.g.

$ terraform import oci_adm_vulnerability_audit.test_vulnerability_audit "id"