oci_adm_vulnerability_audit
This resource provides the Vulnerability Audit resource in the Oracle Cloud Infrastructure Adm service.
Creates a new Vulnerability Audit by providing a tree of Application Dependencies.
Example Usage
resource "oci_adm_vulnerability_audit" "test_vulnerability_audit" {
  #Required
  knowledge_base_id = oci_adm_knowledge_base.test_knowledge_base.id

  #Optional
  application_dependencies {
    #Required
    node_id = oci_adm_node.test_node.id

    #Optional
    application_dependency_node_ids = var.vulnerability_audit_application_dependencies_application_dependency_node_ids
    gav                             = var.vulnerability_audit_application_dependencies_gav
    purl                            = var.vulnerability_audit_application_dependencies_purl
  }
  build_type     = var.vulnerability_audit_build_type
  compartment_id = var.compartment_id
  configuration {
    #Optional
    exclusions                   = var.vulnerability_audit_configuration_exclusions
    max_permissible_cvss_v2score = var.vulnerability_audit_configuration_max_permissible_cvss_v2score
    max_permissible_cvss_v3score = var.vulnerability_audit_configuration_max_permissible_cvss_v3score
    max_permissible_severity     = var.vulnerability_audit_configuration_max_permissible_severity
  }
  defined_tags  = { "foo-namespace.bar-key" = "value" }
  display_name  = var.vulnerability_audit_display_name
  freeform_tags = { "bar-key" = "value" }
  source {
    #Required
    type = var.vulnerability_audit_source_type

    #Optional
    description     = var.vulnerability_audit_source_description
    oci_resource_id = oci_adm_oci_resource.test_oci_resource.id
  }
  usage_data {
    #Required
    bucket      = var.vulnerability_audit_usage_data_bucket
    namespace   = var.vulnerability_audit_usage_data_namespace
    object      = var.vulnerability_audit_usage_data_object
    source_type = var.vulnerability_audit_usage_data_source_type
  }
}
Argument Reference
The following arguments are supported:
- application_dependencies - (Optional) List of application dependencies (without vulnerabilities).
  - application_dependency_node_ids - (Optional) List of application dependencies on which this application dependency depends, each identified by its nodeId.
  - gav - (Optional) Group Artifact Version (GAV) identifier (Group:Artifact:Version). Example: org.graalvm.nativeimage:svm:21.1.0. "N/A" for non-maven artifacts.
  - node_id - (Required) Unique identifier of an application dependency, for example nodeId1. The nodeId can be generated by assigning a unique id to each application dependency in the tree of application dependencies. Every node, even those that share the same GAV, should have a different nodeId. The preferred way of constructing a nodeId is to assign incremental integers during a breadth-first or depth-first search. A nodeId can be reused only if it refers to the same subtree of application dependencies. (This is not equivalent to referring to the same GAV, that is, a GAV can have multiple transitive dependencies.)
  - purl - (Optional) Package URL defined in https://github.com/package-url/purl-spec, e.g. pkg:maven/org.graalvm.nativeimage/svm@21.1.0
- build_type - (Optional) The type of the build tool is restricted to only two values: MAVEN or UNSET. Use UNSET when the list of application dependencies is not Maven-related or is a mix of Maven and other ecosystems. This option is soon to be deprecated.
- compartment_id - (Optional) (Updatable) The compartment Oracle Cloud identifier (OCID) of the vulnerability audit. If the compartment identifier is not provided, the compartment of the associated knowledge base will be used instead.
- configuration - (Optional) Configuration for a vulnerability audit. A vulnerable application dependency is ignored if its name matches any of the items in exclusions, or all of the associated Vulnerabilities have a CVSS v2 score below maxPermissibleCvssV2Score and a CVSS v3 score below maxPermissibleCvssV3Score. type: object
  - exclusions - (Optional) A vulnerable application dependency is ignored if its name matches any of the items in exclusions. An asterisk (*) in the dependency pattern acts as a wildcard and matches zero or more characters.
  - max_permissible_cvss_v2score - (Optional) A vulnerable application dependency is ignored if the score of its associated Vulnerability is below maxPermissibleCvssV2Score and below maxPermissibleCvssV3Score.
  - max_permissible_cvss_v3score - (Optional) A vulnerable application dependency is ignored if the score of its associated Vulnerability is below maxPermissibleCvssV2Score and below maxPermissibleCvssV3Score.
  - max_permissible_severity - (Optional) A vulnerable application dependency is ignored if the score of its associated Vulnerability is below maxPermissibleSeverity.
- defined_tags - (Optional) (Updatable) Defined tags for this resource. Each key is predefined and scoped to a namespace. Example: {"foo-namespace.bar-key": "value"}
- display_name - (Optional) (Updatable) The name of the vulnerability audit.
- freeform_tags - (Optional) (Updatable) Simple key-value pair that is applied without any predefined name, type or scope. Exists for cross-compatibility only. Example: {"bar-key": "value"}
- knowledge_base_id - (Required) The Oracle Cloud identifier (OCID) of the knowledge base.
- source - (Optional) Vulnerability audit source.
  - description - (Applicable when type=EXTERNAL_RESOURCE) Description of the external resource source.
  - oci_resource_id - (Required when type=OCI_RESOURCE) The Oracle Cloud identifier (OCID) of the Oracle Cloud Infrastructure resource that triggered the vulnerability audit.
  - type - (Required) Source type of the vulnerability audit.
- usage_data - (Optional) The source details of the usage data in object storage. The usage data file uploaded to object storage must be a gzip archive of the JSON usage data returned from the GraalVM native-image-inspect tool after a native-image build. Set sourceType to objectStorageTuple and use UsageDataViaObjectStorageTupleDetails when specifying the namespace, bucket name, and object name.
  - bucket - (Required) The Object Storage bucket to read the usage data from.
  - namespace - (Required) The Object Storage namespace to read the usage data from.
  - object - (Required) The Object Storage object name to read the usage data from.
  - source_type - (Required) The destination type. Use objectStorageTuple when specifying the namespace, bucket name, and object name.
** IMPORTANT ** Any change to a property that does not support update will force the destruction and recreation of the resource with the new property values.
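The node_id rules above (incremental integers assigned in a breadth-first search, a nodeId reused only for an identical subtree, distinct nodeIds for the same GAV with different subtrees) are easy to get wrong by hand. The following is an added example, not code from the OCI provider or the ADM service: it numbers a constructed Maven-style dependency tree the way the page recommends and emits one application_dependencies entry per distinct subtree, deriving the purl from the GAV in the pkg:maven form shown above. The tree layout, the `deps` key and the `leaf` helper are assumptions of this example.

```python
# Added example (not provider or ADM service code): number a dependency tree as the page
# recommends (breadth-first, incremental integers, nodeId reused only for an identical subtree).
from collections import deque

def purl_from_gav(gav: str) -> str:
    """Group:Artifact:Version -> pkg:maven/Group/Artifact@Version (format shown on the page)."""
    group, artifact, version = gav.split(":")
    return f"pkg:maven/{group}/{artifact}@{version}"

def subtree_key(tree: dict) -> tuple:
    # Structural identity of a subtree: its GAV plus the keys of its children.
    return (tree["gav"], tuple(subtree_key(c) for c in tree["deps"]))

def build_application_dependencies(root: dict) -> list:
    ids, entries, emitted = {}, [], set()

    def node_id(tree: dict) -> str:
        key = subtree_key(tree)
        if key not in ids:
            ids[key] = f"nodeId{len(ids) + 1}"  # next incremental integer
        return ids[key]

    queue = deque([root])
    while queue:
        tree = queue.popleft()
        nid = node_id(tree)
        if nid in emitted:  # identical subtree already described; its nodeId is reused
            continue
        emitted.add(nid)
        entries.append({
            "node_id": nid,
            "gav": tree["gav"],
            "purl": purl_from_gav(tree["gav"]),
            # children are numbered here, so siblings get ids before grandchildren
            "application_dependency_node_ids": [node_id(c) for c in tree["deps"]],
        })
        queue.extend(tree["deps"])
    return entries

def leaf(gav: str) -> dict:
    return {"gav": gav, "deps": []}

# Constructed sample: org.example:common:1.0 appears twice with different subtrees
# (distinct nodeIds); graal-sdk appears twice as the same leaf (nodeId reused).
SAMPLE_TREE = {"gav": "com.example:app:1.0", "deps": [
    {"gav": "org.graalvm.nativeimage:svm:21.1.0", "deps": [leaf("org.graalvm.sdk:graal-sdk:21.1.0")]},
    {"gav": "org.example:lib-b:2.0", "deps": [
        leaf("org.graalvm.sdk:graal-sdk:21.1.0"),
        {"gav": "org.example:common:1.0", "deps": [leaf("org.example:util:1.0")]}]},
    leaf("org.example:common:1.0")]}
```

The returned list can be serialized with json.dumps into a variable and consumed by a dynamic application_dependencies block.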
Attributes Reference
The following attributes are exported:
- build_type - The type of the build tool is restricted to only two values: MAVEN or UNSET. Use UNSET when the list of application dependencies is not Maven-related or is a mix of Maven and other ecosystems. This option is soon to be deprecated.
- compartment_id - The compartment Oracle Cloud identifier (OCID) of the vulnerability audit.
- configuration - Configuration for a vulnerability audit. A vulnerable application dependency is ignored if its name matches any of the items in exclusions, or all of the associated Vulnerabilities have a CVSS v2 score below maxPermissibleCvssV2Score and a CVSS v3 score below maxPermissibleCvssV3Score. type: object
  - exclusions - A vulnerable application dependency is ignored if its name matches any of the items in exclusions. An asterisk (*) in the dependency pattern acts as a wildcard and matches zero or more characters.
  - max_permissible_cvss_v2score - A vulnerable application dependency is ignored if the score of its associated Vulnerability is below maxPermissibleCvssV2Score and below maxPermissibleCvssV3Score.
  - max_permissible_cvss_v3score - A vulnerable application dependency is ignored if the score of its associated Vulnerability is below maxPermissibleCvssV2Score and below maxPermissibleCvssV3Score.
  - max_permissible_severity - A vulnerable application dependency is ignored if the score of its associated Vulnerability is below maxPermissibleSeverity.
- defined_tags - Defined tags for this resource. Each key is predefined and scoped to a namespace. Example: {"foo-namespace.bar-key": "value"}
- display_name - The name of the vulnerability audit.
- freeform_tags - Simple key-value pair that is applied without any predefined name, type or scope. Exists for cross-compatibility only. Example: {"bar-key": "value"}
- id - The Oracle Cloud identifier (OCID) of the vulnerability audit.
- is_success - Indicates if an audit succeeded according to the configuration. The value is null if the audit is in the CREATING state.
- knowledge_base_id - The Oracle Cloud identifier (OCID) of the knowledge base.
- lifecycle_details - Details on the lifecycle state.
- max_observed_cvss_v2score - Maximum Common Vulnerability Scoring System Version 2 score observed for non-ignored vulnerable application dependencies.
- max_observed_cvss_v2score_with_ignored - Maximum Common Vulnerability Scoring System Version 2 score observed for vulnerable application dependencies including ignored ones.
- max_observed_cvss_v3score - Maximum Common Vulnerability Scoring System Version 3 score observed for non-ignored vulnerable application dependencies.
- max_observed_cvss_v3score_with_ignored - Maximum Common Vulnerability Scoring System Version 3 score observed for vulnerable application dependencies including ignored ones.
- max_observed_severity - Maximum ADM Severity observed for non-ignored vulnerable application dependencies.
- max_observed_severity_with_ignored - Maximum ADM Severity observed for vulnerable application dependencies including ignored ones.
- source - Vulnerability audit source.
  - description - Description of the external resource source.
  - oci_resource_id - The Oracle Cloud identifier (OCID) of the Oracle Cloud Infrastructure resource that triggered the vulnerability audit.
  - type - Source type of the vulnerability audit.
- state - The current lifecycle state of the vulnerability audit.
- system_tags - Usage of system tag keys. These predefined keys are scoped to namespaces. Example: {"orcl-cloud.free-tier-retained": "true"}
- time_created - The creation date and time of the vulnerability audit (formatted according to RFC3339).
- time_updated - The update date and time of the vulnerability audit (formatted according to RFC3339).
- usage_data - The source details of the usage data in object storage. The usage data file uploaded to object storage must be a gzip archive of the JSON usage data returned from the GraalVM native-image-inspect tool after a native-image build. Set sourceType to objectStorageTuple and use UsageDataViaObjectStorageTupleDetails when specifying the namespace, bucket name, and object name.
  - bucket - The Object Storage bucket to read the usage data from.
  - namespace - The Object Storage namespace to read the usage data from.
  - object - The Object Storage object name to read the usage data from.
  - source_type - The destination type. Use objectStorageTuple when specifying the namespace, bucket name, and object name.
- vulnerabilities - List of vulnerabilities found in the vulnerability audit. If a vulnerability affects multiple dependencies, the metadata returned here consists of audit-wide aggregates.
  - cvss_v2score - Common Vulnerability Scoring System (CVSS) Version 2.
  - cvss_v3score - Common Vulnerability Scoring System (CVSS) Version 3.
  - id - Unique vulnerability identifier, e.g. CVE-1999-0067.
  - is_false_positive - Indicates if the vulnerability is a false positive according to the usage data. If no usage data was provided or the service cannot infer usage of the vulnerable code, then this property is null.
  - is_ignored - Indicates if the vulnerability was ignored according to the audit configuration.
  - severity - ADM qualitative severity score. Can be either NONE, LOW, MEDIUM, HIGH or CRITICAL.
  - source - Source that published the vulnerability.
- vulnerable_artifacts_count - Count of non-ignored vulnerable application dependencies.
- vulnerable_artifacts_count_with_ignored - Count of all vulnerable application dependencies.
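To see how the configuration arguments shape the exported attributes, the following added example (not code from the OCI provider or the ADM service) applies an exclusions list with the asterisk wildcard and the three max_permissible thresholds to a constructed set of vulnerable dependencies, then derives is_ignored, the max_observed_* pairs and the vulnerable_artifacts_count* values. Assumptions of this example: the dependency "name" matched against exclusions is its GAV, an unset threshold does not constrain, the score rule never ignores anything when no threshold is set, and is_success means no non-ignored vulnerable dependency remains; the vulnerability ids are placeholders.

```python
# Added example (not provider or ADM service code): apply a configuration block as the page
# describes and derive the exported is_ignored, max_observed_* and vulnerable_artifacts_count* values.
import re

SEVERITY_ORDER = ["NONE", "LOW", "MEDIUM", "HIGH", "CRITICAL"]  # ADM scale listed on the page
THRESHOLD_KEYS = ("max_permissible_cvss_v2score", "max_permissible_cvss_v3score", "max_permissible_severity")

def exclusion_matches(pattern: str, name: str) -> bool:
    """'*' matches zero or more characters; every other character is literal."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, name) is not None

def below_thresholds(vuln: dict, config: dict) -> bool:
    """Below every threshold that is set (assumption: an unset threshold does not constrain)."""
    v2, v3, sev = (config.get(k) for k in THRESHOLD_KEYS)
    return ((v2 is None or vuln["cvss_v2score"] < v2)
            and (v3 is None or vuln["cvss_v3score"] < v3)
            and (sev is None or SEVERITY_ORDER.index(vuln["severity"]) < SEVERITY_ORDER.index(sev)))

def is_ignored(dep: dict, config: dict) -> bool:
    """Page rule: the GAV matches an exclusion, or all of its vulnerabilities are below the thresholds."""
    if any(exclusion_matches(p, dep["gav"]) for p in config.get("exclusions", [])):
        return True
    if all(config.get(k) is None for k in THRESHOLD_KEYS):
        return False  # assumption: with no threshold set, scores never cause ignoring
    return all(below_thresholds(v, config) for v in dep["vulnerabilities"])

def summarize(deps: list, config: dict) -> dict:
    vulnerable = [d for d in deps if d["vulnerabilities"]]
    kept = [d for d in vulnerable if not is_ignored(d, config)]
    def vulns(group): return [v for d in group for v in d["vulnerabilities"]]
    def max_sev(group): return max((v["severity"] for v in vulns(group)), key=SEVERITY_ORDER.index, default="NONE")
    return {
        "vulnerable_artifacts_count": len(kept),
        "vulnerable_artifacts_count_with_ignored": len(vulnerable),
        "max_observed_cvss_v3score": max((v["cvss_v3score"] for v in vulns(kept)), default=0.0),
        "max_observed_cvss_v3score_with_ignored": max((v["cvss_v3score"] for v in vulns(vulnerable)), default=0.0),
        "max_observed_severity": max_sev(kept),
        "max_observed_severity_with_ignored": max_sev(vulnerable),
        "is_success": not kept,  # assumption: success means no non-ignored vulnerable dependency
    }

# Constructed sample; vulnerability ids are placeholders, not real CVE numbers.
CONFIG = {"exclusions": ["org.example:test-*"], "max_permissible_cvss_v2score": 4.0,
          "max_permissible_cvss_v3score": 4.0, "max_permissible_severity": "MEDIUM"}
def vuln(vid, v2, v3, sev): return {"id": vid, "cvss_v2score": v2, "cvss_v3score": v3, "severity": sev}
SAMPLE_DEPS = [
    {"gav": "org.example:test-util:2.1", "vulnerabilities": [vuln("VULN-SAMPLE-1", 7.5, 9.8, "CRITICAL")]},
    {"gav": "org.example:lib-a:1.0", "vulnerabilities": [vuln("VULN-SAMPLE-2", 3.5, 3.7, "LOW")]},
    {"gav": "org.example:lib-b:2.0", "vulnerabilities": [vuln("VULN-SAMPLE-3", 5.0, 7.5, "HIGH")]},
    {"gav": "org.example:lib-c:1.2", "vulnerabilities": []},
]
```

With this input the first dependency is ignored by the exclusion pattern, the second by the thresholds, and only the third is counted, so the *_with_ignored attributes still surface the 9.8 CRITICAL finding that the configuration suppressed.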
Timeouts
The timeouts block allows you to specify timeouts for certain operations:
* create - (Defaults to 20 minutes), when creating the Vulnerability Audit
* update - (Defaults to 20 minutes), when updating the Vulnerability Audit
* delete - (Defaults to 20 minutes), when destroying the Vulnerability Audit
Import
VulnerabilityAudits can be imported using the id, e.g.
$ terraform import oci_adm_vulnerability_audit.test_vulnerability_audit "id"