DescribeImageVulList - Security Center - Alibaba Cloud Documentation Center

Queries the details of vulnerabilities that are detected by using container image scan and the affected images.

Operation description

To query the information about the recently detected image vulnerabilities, call the PublicCreateImageScanTask operation. Wait 1 to 5 minutes until the call is successful and call the DescribeImageVulList operation.

Debugging

OpenAPI Explorer automatically calculates the signature value. For your convenience, we recommend that you call this operation in OpenAPI Explorer.

Debug

Authorization information

The following table shows the authorization information corresponding to the API. The authorization information can be used in the Action policy element to grant a RAM user or RAM role the permissions to call this API operation. Description:

Operation: the value that you can use in the Action element to specify the operation on a resource.
Access level: the access level of each operation. The levels are read, write, and list.
Resource type: the type of the resource on which you can authorize the RAM user or the RAM role to perform the operation. Take note of the following items:
- The required resource types are displayed in bold characters.
- If the permissions cannot be granted at the resource level, All Resources is used in the Resource type column of the operation.
Condition Key: the condition key that is defined by the cloud service.
Associated operation: other operations that the RAM user or the RAM role must have permissions to perform to complete the operation. To complete the operation, the RAM user or the RAM role must have the permissions to perform the associated operations.

Operation	Access level	Resource type	Condition key	Associated operation
yundun-sas:DescribeImageVulList	Read	All Resources *	none	none

Request parameters

Parameter	Type	Required	Description	Example
Lang	string	No	The language of the content within the request and response. Default value: zh. Valid values: zh: Chinese en: English	zh
Type	string	Yes	The type of the vulnerability. Set the value to cve, which indicates image vulnerabilities.	cve
Uuids	string	No	The UUIDs of the assets. Separate multiple UUIDs with commas (,).	0004a32a0305a7f6ab5ff9600d47****
Name	string	No	The name of the vulnerability.	debian:10:CVE-2019-9893
AliasName	string	No	The alias of the vulnerability.	High severity vulnerability that affects org.eclipse.jetty:jetty-server
StatusList	string	No	The status of the vulnerability. Valid values: 1: unfixed 4: being fixed 7: fixed	1
Necessity	string	No	The priority to fix the vulnerability. Valid values: asap: high. You must fix the vulnerability at the earliest opportunity. later: medium. You can fix the vulnerability based on your business requirements. nntf: low. You can ignore the vulnerability.	asap
Dealed	string	No	Specifies whether the vulnerability is handled. Valid values: y: handled n: unhandled	y
CurrentPage	integer	No	The number of the page to return. Default value: 1	1
PageSize	integer	No	The number of entries to return on each page. Default value: 10	10
RepoRegionId	string	No	The region ID of the image repository.	cn-hangzhou
RepoInstanceId	string	No	The instance ID of the image repository.	i-qewqrqcsadf****
RepoId	string	No	The ID of the image repository.	qew****
RepoName	string	No	The name of the image repository.	libssh2
RepoNamespace	string	No	The namespace to which the image repository belongs.	libssh2
RegionId	string	No	The region ID of the instance.	cn-hangzhou
InstanceId	string	No	The instance ID of the asset.	1-qeqewqw****
Tag	string	No	The tag that is added to the image.	oval
Digest	string	No	The digest of the image.	8f0fbdb41d3d1ade4ffdf21558443f4c03342010563bb8c43ccc09594d507012
ClusterId	string	No	The ID of the cluster to which the container belongs.	cc20a1024011c44b6a8710d6f8b****
ScanRange	array	No	The types of the assets that you want to scan.
	string	No	The type of the asset that you want to scan. Valid values: container image	container
ClusterName	string	No	The name of the cluster.	docker-law
ContainerId	string	No	The ID of the container.	c08d5fc1a329a4b88950a253d082f****
Pod	string	No	The pod.	22222-7xsqq
Namespace	string	No	The namespace.	test-002
Image	string	No	The name of the image.	registry.cn-wulanchabu.aliyuncs.com/sas_test/huxin-test-001:nuxeo6-****

Response parameters

Parameter	Type	Description	Example
	object
CurrentPage	integer	The page number of the returned page.	1
RequestId	string	The request ID.	D6B20156-49B0-5CF0-B14D-7ECA4B50DAAB
PageSize	integer	The number of entries returned per page. Default value: 10	10
TotalCount	integer	The total number of entries returned.	1
VulRecords	object []	The vulnerabilities.
CanUpdate	boolean	Indicates whether the packages of the software that has the vulnerability can be upgraded by using Security Center. Valid values: true false	true
Type	string	The type of the vulnerability. The value is fixed as cve, which indicates image vulnerabilities.	cve
Status	integer	The status of the vulnerability. Valid values: 1: unfixed 7: fixed	1
ModifyTs	long	The timestamp when the information about the vulnerability was updated. Unit: milliseconds.	1580808765000
ImageDigest	string	The digest of the image.	8f0fbdb41d3d1ade4ffdf21558443f4c03342010563bb8c43ccc09594d507012
PrimaryId	long	The ID of the vulnerability.	782661
Tag	string	The tag that is added to the vulnerability.	oval
RepoNamespace	string	The namespace to which the image repository belongs.	default
RepoName	string	The name of the image repository.	varnish
Related	string	The Common Vulnerabilities and Exposures (CVE) ID of the associated vulnerability.	CVE-2019-9893
FirstTs	long	The timestamp when the first scan was performed. Unit: milliseconds.	1620752053000
LastTs	long	The timestamp when the last scan was performed. Unit: milliseconds.	1631779996000
Necessity	string	The priority to fix the vulnerability. Valid values: asap: high. You must fix the vulnerability at the earliest opportunity. later: medium. You can fix the vulnerability based on your business requirements. nntf: low. You can ignore the vulnerability.	asap
Uuid	string	The UUID of the server.	0004a32a0305a7f6ab5ff9600d47****
AliasName	string	The alias of the vulnerability.	CVE-2018-25010:libwebp up to 1.0.0 ApplyFilter out-of-bounds read
Name	string	The name of the vulnerability.	debian:10:CVE-2019-9893
Layers	array	The image layers.
	string	The information about the image layer.	["null"]
ExtendContentJson	object	The extended information about the vulnerability.
OsRelease	string	The version of the operating system in the image.	10.9
Os	string	The name of the operating system.	debian
RpmEntityList	object []	The details of the packages of the software that has the vulnerability.
MatchList	array	The details of the rules that are used to detect the vulnerability.
	string	The details of the rules that are used to detect the vulnerability. The details of multiple rules are separated by commas (,).	["libstdc++ version less than 8.5.0-4.el8_5"]
Layer	string	The SHA-256 value of the digest of the image layer.	b1f5b9420803ad0657cf21566e3e20acc08581e7f22991249ef3aa80b8b1c587
FullVersion	string	The complete version number of the package.	2.3.3-4
Version	string	The version number of the package.	2.3.3-4
MatchDetail	string	The reason why the vulnerability is detected.	libseccomp2 version less than equals 2.3.3-4
Path	string	The path to the software that has the vulnerability.	/usr/lib64/libssh2.so.1
Name	string	The name of the software package.	libseccomp2
UpdateCmd	string	The command that is used to fix the vulnerability.	apt-get update && apt-get install libseccomp2 --only-upgrade
CanFix	string	Indicates whether the vulnerability can be fixed in the Security Center console. Valid values: yes no	yes
ClusterId	string	The ID of the cluster.	c08d5fc1a329a4b88950a253d082f1****
ClusterName	string	The name of the cluster.	docker-law
Pod	string	The pod.	22222-7xsqq
Namespace	string	The namespace.	test-002
Image	string	The name of the image.	registry.cn-wulanchabu.aliyuncs.com/sas_test/huxin-test-001:nuxeo6-conta****
ContainerId	string	The ID of the container.	04d20e98c8e2c93b7b864372084320a15a58c8671e53c972ce3a71d9c163****
InternetIp	string	The public IP address of the server.	1.2.XX.XX
IntranetIp	string	The private IP address of the server.	172.19.XX.XX
InstanceName	string	The name of the asset.	testInstance
TargetId	string	The ID of the asset on which the vulnerability is detected.	m-bp17m0pc0xprzbwo****
TargetName	string	The name of the asset on which the vulnerability is detected.	source-test-obj-XM0Ma
MaliciousSource	string	The source of the malicious file. Valid values: agentless: agentless detection image: image container: container	agentless
TargetType	string	The type of the asset on which the vulnerability is detected. Valid values: ECS_IMAGE: image ECS_SNAPSHOT: snapshot	ECS_IMAGE
ScanTime	long	The time at which the scan was performed. This value is a UNIX timestamp representing the number of milliseconds that have elapsed since January 1, 1970, 00:00:00 UTC.	1649814050000

Examples

Sample success responses

JSONformat

{
  "CurrentPage": 1,
  "RequestId": "D6B20156-49B0-5CF0-B14D-7ECA4B50DAAB",
  "PageSize": 10,
  "TotalCount": 1,
  "VulRecords": [
    {
      "CanUpdate": true,
      "Type": "cve",
      "Status": 1,
      "ModifyTs": 1580808765000,
      "ImageDigest": "8f0fbdb41d3d1ade4ffdf21558443f4c03342010563bb8c43ccc09594d507012",
      "PrimaryId": 782661,
      "Tag": "oval",
      "RepoNamespace": "default",
      "RepoName": "varnish",
      "Related": "CVE-2019-9893",
      "FirstTs": 1620752053000,
      "LastTs": 1631779996000,
      "Necessity": "asap",
      "Uuid": "0004a32a0305a7f6ab5ff9600d47****",
      "AliasName": "CVE-2018-25010:libwebp up to 1.0.0 ApplyFilter out-of-bounds read",
      "Name": "debian:10:CVE-2019-9893",
      "Layers": [
        "[\"null\"]"
      ],
      "ExtendContentJson": {
        "OsRelease": "10.9",
        "Os": "debian",
        "RpmEntityList": [
          {
            "MatchList": [
              "[\"libstdc++ version less than 8.5.0-4.el8_5\"]"
            ],
            "Layer": "b1f5b9420803ad0657cf21566e3e20acc08581e7f22991249ef3aa80b8b1c587",
            "FullVersion": "2.3.3-4",
            "Version": "2.3.3-4",
            "MatchDetail": "libseccomp2 version less than equals 2.3.3-4",
            "Path": "/usr/lib64/libssh2.so.1",
            "Name": "libseccomp2",
            "UpdateCmd": "apt-get update && apt-get install libseccomp2  --only-upgrade"
          }
        ]
      },
      "CanFix": "yes",
      "ClusterId": "c08d5fc1a329a4b88950a253d082f1****\n",
      "ClusterName": "docker-law\n",
      "Pod": "22222-7xsqq\n",
      "Namespace": "test-002\n",
      "Image": "registry.cn-wulanchabu.aliyuncs.com/sas_test/huxin-test-001:nuxeo6-conta****\n",
      "ContainerId": "04d20e98c8e2c93b7b864372084320a15a58c8671e53c972ce3a71d9c163****\n",
      "InternetIp": "1.2.XX.XX",
      "IntranetIp": "172.19.XX.XX",
      "InstanceName": "testInstance",
      "TargetId": "m-bp17m0pc0xprzbwo****",
      "TargetName": "source-test-obj-XM0Ma",
      "MaliciousSource": "agentless",
      "TargetType": "ECS_IMAGE",
      "ScanTime": 1649814050000
    }
  ]
}

Error codes

HTTP status code	Error code	Error message	Description
403	NoPermission	caller has no permission	You are not authorized to do this operation.
500	ServerError	ServerError	-

For a list of error codes, visit the Service error codes.

Change history

Change time

Summary of changes

Operation

2022-09-16

The request parameters of the API has changed. The response structure of the API has changed

see changesets

Change item	Change content
Input Parameters	The request parameters of the API has changed.
	Added Input Parameters: ScanRange
	Added Input Parameters: ClusterName
	Added Input Parameters: ContainerId
	Added Input Parameters: Pod
	Added Input Parameters: Namespace
	Added Input Parameters: Image
Output Parameters	The response structure of the API has changed.

2022-09-16

The request parameters of the API has changed. The response structure of the API has changed

see changesets

Change item	Change content
Input Parameters	The request parameters of the API has changed.
	Added Input Parameters: ScanRange
	Added Input Parameters: ClusterName
	Added Input Parameters: ContainerId
	Added Input Parameters: Pod
	Added Input Parameters: Namespace
	Added Input Parameters: Image
Output Parameters	The response structure of the API has changed.

2021-10-14

The internal configuration of the API is changed, but the call is not affected

see changesets

Change item	Change content
	The internal configuration of the API is changed, but the call is not affected.