Data Source: oci_adm_vulnerability_audits

This data source provides the list of Vulnerability Audits in Oracle Cloud Infrastructure ADM service.

Returns a list of Vulnerability Audits based on the specified query parameters. At least one of id, compartmentId query parameter must be provided.

Example Usage

data "oci_adm_vulnerability_audits" "test_vulnerability_audits" {

	#Optional
	compartment_id = var.compartment_id
	display_name = var.vulnerability_audit_display_name
	id = var.vulnerability_audit_id
	is_success = var.vulnerability_audit_is_success
	knowledge_base_id = oci_adm_knowledge_base.test_knowledge_base.id
	max_observed_severity_greater_than_or_equal_to = var.vulnerability_audit_max_observed_severity_greater_than_or_equal_to
	state = var.vulnerability_audit_state
	time_created_greater_than_or_equal_to = var.vulnerability_audit_time_created_greater_than_or_equal_to
	time_created_less_than_or_equal_to = var.vulnerability_audit_time_created_less_than_or_equal_to
}

Argument Reference

The following arguments are supported:

• compartment_id - (Optional) A filter to return only resources that belong to the specified compartment identifier. Required only if the id query param is not specified.
• display_name - (Optional) A filter to return only resources that match the entire display name given.
• id - (Optional) A filter to return only resources that match the specified identifier. Required only if the compartmentId query parameter is not specified.
• is_success - (Optional) A filter to return only successful or failed Vulnerability Audits.
• knowledge_base_id - (Optional) A filter to return only Vulnerability Audits that were created against the specified knowledge base.
• max_observed_severity_greater_than_or_equal_to - (Optional) A filter that returns only Vulnerability Audits that have a maximum observed Severity greater than or equal to the specified value.
• state - (Optional) A filter to return only Vulnerability Audits that match the specified lifecycleState.
• time_created_greater_than_or_equal_to - (Optional) A filter to return only Vulnerability Audits with timeCreated greater or equal to the specified value.
• time_created_less_than_or_equal_to - (Optional) A filter to return only Vulnerability Audits with timeCreated less or equal to the specified value.

Attributes Reference

The following attributes are exported:

• vulnerability_audit_collection - The list of vulnerability_audit_collection.

VulnerabilityAudit Reference

The following attributes are exported:

• build_type - The type of the build tool is restricted to only two values MAVEN or UNSET. Use UNSET when the list of application dependencies is not Maven-related or is a mix of Maven and other ecosystems. This option is soon to be deprecated.
• compartment_id - The compartment Oracle Cloud identifier (OCID) of the vulnerability audit.
• configuration - Configuration for a vulnerability audit. A vulnerable application dependency is ignored if its name does match any of the items in exclusions, or all of the associated Vulnerabilies have a CVSS v2 score below maxPermissibleCvssV2Score and a CVSS v3 score below maxPermissibleCvssV3Score. type: object
  • exclusions - A vulnerable application dependency is ignored if its name matches any of the items in exclusions. An asterisk (*) in the dependency pattern acts as a wildcard and matches zero or more characters.
  • max_permissible_cvss_v2score - A vulnerable application dependency is ignored if the score of its associated Vulnerability is below maxPermissibleCvssV2Score and below maxPermissibleCvssV3Score.
  • max_permissible_cvss_v3score - A vulnerable application dependency is ignored if the score of its associated Vulnerability is below maxPermissibleCvssV2Score and below maxPermissibleCvssV3Score.
  • max_permissible_severity - A vulnerable application dependency is ignored if the score of its associated Vulnerability is below maxPermissibleSeverity.
• defined_tags - Defined tags for this resource. Each key is predefined and scoped to a namespace. Example: {"foo-namespace.bar-key": "value"}
• display_name - The name of the vulnerability audit.
• freeform_tags - Simple key-value pair that is applied without any predefined name, type or scope. Exists for cross-compatibility only. Example: {"bar-key": "value"}
• id - The Oracle Cloud identifier (OCID) of the vulnerability audit.
• is_success - Indicates if an audit succeeded according to the configuration. The value is null if the audit is in the CREATING state.
• knowledge_base_id - The Oracle Cloud identifier (OCID) of the knowledge base.
• lifecycle_details - Details on the lifecycle state.
• max_observed_cvss_v2score - Maximum Common Vulnerability Scoring System Version 2 score observed for non-ignored vulnerable application dependencies.
• max_observed_cvss_v2score_with_ignored - Maximum Common Vulnerability Scoring System Version 2 score observed for vulnerable application dependencies including ignored ones.
• max_observed_cvss_v3score - Maximum Common Vulnerability Scoring System Version 3 score observed for non-ignored vulnerable application dependencies.
• max_observed_cvss_v3score_with_ignored - Maximum Common Vulnerability Scoring System Version 3 score observed for vulnerable application dependencies including ignored ones.
• max_observed_severity - Maximum ADM Severity observed for non-ignored vulnerable application dependencies.
• max_observed_severity_with_ignored - Maximum ADM Severity observed for vulnerable application dependencies including ignored ones.
• source - vulnerability audit source.
  • description - Description of the external resource source.
  • oci_resource_id - The Oracle Cloud identifier (OCID) of the Oracle Cloud Infrastructure resource that triggered the vulnerability audit.
  • type - Source type of the vulnerability audit.
• state - The current lifecycle state of the vulnerability audit.
• system_tags - Usage of system tag keys. These predefined keys are scoped to namespaces. Example: {"orcl-cloud.free-tier-retained": "true"}
• time_created - The creation date and time of the vulnerability audit (formatted according to RFC3339).
• time_updated - The update date and time of the vulnerability audit (formatted according to RFC3339).
• usage_data - The source details of the usage data in object storage. The usage data file uploaded to object storage must be a gzip archive of the JSON usage data returned from the GraalVM native-image-inspect tool after a native-image build. Set sourceType to objectStorageTuple and use UsageDataViaObjectStorageTupleDetails when specifying the namespace, bucket name, and object name.
  • bucket - The Object Storage bucket to read the usage data from.
  • namespace - The Object Storage namespace to read the usage data from.
  • object - The Object Storage object name to read the usage data from.
  • source_type - The destination type. Use objectStorageTuple when specifying the namespace, bucket name, and object name.
• vulnerabilities - List of vulnerabilities found in the vulnerability audit. If a vulnerability affects multiple dependencies, the metadata returned here consists of audit-wide aggregates.
  • cvss_v2score - Common Vulnerability Scoring System (CVSS) Version 2.
  • cvss_v3score - Common Vulnerability Scoring System (CVSS) Version 3.
  • id - Unique vulnerability identifier, e.g. CVE-1999-0067.
  • is_false_positive - Indicates if the vulnerability is a false positive according to the usage data. If no usage data was provided or the service cannot infer usage of the vulnerable code then this property is null.
  • is_ignored - Indicates if the vulnerability was ignored according to the audit configuration.
  • severity - ADM qualitative severity score. Can be either NONE, LOW, MEDIUM, HIGH or CRITICAL.
  • source - Source that published the vulnerability
• vulnerable_artifacts_count - Count of non-ignored vulnerable application dependencies.
• vulnerable_artifacts_count_with_ignored - Count of all vulnerable application dependencies.