Data Source: oci_adm_vulnerability_audit_application_dependency_vulnerabilities

This data source provides the list of Vulnerability Audit Application Dependency Vulnerabilities in Oracle Cloud Infrastructure ADM service.

Returns a list of Application Dependencies with their associated vulnerabilities.

Example Usage

data "oci_adm_vulnerability_audit_application_dependency_vulnerabilities" "test_vulnerability_audit_application_dependency_vulnerabilities" {
	#Required
	vulnerability_audit_id = oci_adm_vulnerability_audit.test_vulnerability_audit.id

	#Optional
	cvss_v2greater_than_or_equal = var.vulnerability_audit_application_dependency_vulnerability_cvss_v2greater_than_or_equal
	cvss_v3greater_than_or_equal = var.vulnerability_audit_application_dependency_vulnerability_cvss_v3greater_than_or_equal
	depth = var.vulnerability_audit_application_dependency_vulnerability_depth
	gav = var.vulnerability_audit_application_dependency_vulnerability_gav
	purl = var.vulnerability_audit_application_dependency_vulnerability_purl
	root_node_id = oci_adm_root_node.test_root_node.id
	severity_greater_than_or_equal = var.vulnerability_audit_application_dependency_vulnerability_severity_greater_than_or_equal
	vulnerability_id = oci_adm_vulnerability.test_vulnerability.id
}

Argument Reference

The following arguments are supported:

• cvss_v2greater_than_or_equal - (Optional) A filter that returns only Vulnerabilities that have a Common Vulnerability Scoring System Version 2 (CVSS V2) greater than or equal to the specified value.
• cvss_v3greater_than_or_equal - (Optional) A filter that returns only Vulnerabilities that have a Common Vulnerability Scoring System Version 3 (CVSS V3) greater than or equal to the specified value.
• depth - (Optional) A filter to limit depth of the application dependencies tree traversal. Additionally query parameters such as “cvssV2GreaterThanOrEqual”, “cvssV3GreaterThanOrEqual”, “gav” and “vulnerabilityId” can’t be used in conjunction with this latter.
• gav - (Optional) A filter to return only resources that match the entire GAV (Group Artifact Version) identifier given.
• purl - (Optional) A filter to return only resources that match the entire PURL given (https://github.com/package-url/purl-spec/).
• root_node_id - (Optional) A filter to override the top level root identifier with the new given value. The application dependency tree will only be traversed from the given node. Query parameters “cvssV2GreaterThanOrEqual”, “cvssV3GreaterThanOrEqual”, “gav” and “vulnerabilityId” cannot be used in conjunction with this parameter.
• severity_greater_than_or_equal - (Optional) A filter that returns only Vulnerabilities that have a severity greater than or equal to the specified value.
• vulnerability_audit_id - (Required) Unique Vulnerability Audit identifier path parameter.
• vulnerability_id - (Optional) A filter to return only Vulnerability Audits that match the specified id.

Attributes Reference

The following attributes are exported:

• application_dependency_vulnerability_collection - The list of VulnerabilityAuditApplicationDependencyVulnerability.

VulnerabilityAuditApplicationDependencyVulnerability Reference

The following attributes are exported:

• items - List of vulnerability audit summaries.
  • application_dependency_node_ids - List of application dependencies on which this application dependency depends, each identified by its nodeId.
  • gav - Group Artifact Version (GAV) identifier (Group:Artifact:Version). Example: org.graalvm.nativeimage:svm:21.1.0. “N/A” for non-maven artifacts.
  • is_found_in_knowledge_base - Indicates if the artifact is found in the knowledge base.
  • node_id - Unique identifier of an application dependency, for example nodeId1.
  • purl - Package URL defined in https://github.com/package-url/purl-spec, e.g. pkg:maven/org.graalvm.nativeimage/svm@21.1.0
  • vulnerabilities - List of vulnerabilities for the application dependency.
    • cvss_v2score - Common Vulnerability Scoring System (CVSS) Version 2.
    • cvss_v3score - Common Vulnerability Scoring System (CVSS) Version 3.
    • id - Unique vulnerability identifier, e.g. CVE-1999-0067.
    • is_false_positive - Indicates if the vulnerability is a false positive according to the usage data. If no usage data was provided or the service cannot infer usage of the vulnerable code then this property is null.
    • is_ignored - Indicates if the vulnerability was ignored according to the audit configuration.
    • severity - ADM qualitative severity score. Can be either NONE, LOW, MEDIUM, HIGH or CRITICAL.
    • source - Source that published the vulnerability