Security Center:DescribeImageVulList

Last Updated:Mar 24, 2026

Retrieves the details of vulnerabilities that are detected by using container image scan and the affected images.

Operation description

To query recently detected image vulnerabilities, first call the PublicCreateImageScanTask operation. Wait 1 to 5 minutes until the call is successful, and then call the DescribeImageVulList operation.

RAM authorization

The table below describes the authorization required to call this API. You can define it in a Resource Access Management (RAM) policy. The table's columns are detailed below:

  • Action: The actions can be used in the Action element of RAM permission policy statements to grant permissions to perform the operation.

  • API: The API that you can call to perform the action.

  • Access level: The predefined level of access granted for each API. Valid values: create, list, get, update, and delete.

  • Resource type: The type of the resource that supports authorization to perform the action. It indicates if the action supports resource-level permission. The specified resource must be compatible with the action. Otherwise, the policy will be ineffective.

    • For APIs with resource-level permissions, required resource types are marked with an asterisk (*). Specify the corresponding Alibaba Cloud Resource Name (ARN) in the Resource element of the policy.

    • For APIs without resource-level permissions, it is shown as All Resources. Use an asterisk (*) in the Resource element of the policy.

  • Condition key: The condition keys defined by the service. The key allows for granular control, applying to either actions alone or actions associated with specific resources. In addition to service-specific condition keys, Alibaba Cloud provides a set of common condition keys applicable across all RAM-supported services.

  • Dependent action: The dependent actions required to run the action. To complete the action, the RAM user or the RAM role must have the permissions to perform all dependent actions.

| Action | Access level | Resource type | Condition key | Dependent action |
| --- | --- | --- | --- | --- |
| yundun-sas:DescribeImageVulList | get | *All Resource * | None | None |

Request parameters

| Parameter | Type | Required | Description | Example |
| --- | --- | --- | --- | --- |
| Lang | string | No | The language of the content within the request and response. Default value: zh. Valid values: zh: Chinese; en: English | zh |
| Type | string | Yes | The type of the vulnerability. Set the value to cve, which indicates image vulnerabilities. | cve |
| Uuids | string | No | The UUIDs of the assets. Separate multiple UUIDs with commas (,). | 0004a32a0305a7f6ab5ff9600d47**** |
| Name | string | No | The name of the vulnerability. | debian:10:CVE-2019-9893 |
| AliasName | string | No | The alias of the vulnerability. | High severity vulnerability that affects org.eclipse.jetty:jetty-server |
| StatusList | string | No | The status of the vulnerability. Valid values: 1: unfixed; 4: being fixed; 7: fixed | 1 |
| Necessity | string | No | The priority to fix the vulnerability. Valid values: asap: high. You must fix the vulnerability at the earliest opportunity. later: medium. You can fix the vulnerability based on your business requirements. nntf: low. You can ignore the vulnerability. | asap |
| Dealed | string | No | Specifies whether the vulnerability is handled. Valid values: y: yes; n: no | y |
| CurrentPage | integer | No | The number of the page to return. Default value: 1. | 1 |
| PageSize | integer | No | The number of entries to return on each page. Default value: 10. | 10 |
| RepoRegionId | string | No | The region ID of the image repository. | cn-hangzhou |
| RepoInstanceId | string | No | The instance ID of the image repository. | i-qewqrqcsadf**** |
| RepoId | string | No | The ID of the image repository. | qew**** |
| RepoName | string | No | The name of the image. | libssh2 |
| RepoNamespace | string | No | The namespace to which the image repository belongs. | libssh2 |
| RepoName | string | No | The name of the image. | libssh2 |
| RegionId | string | No | The region ID of the instance. | cn-hangzhou |
| InstanceId | string | No | The instance ID of the asset. | 1-qeqewqw**** |
| RepoId | string | No | The ID of the image repository. | qew**** |
| Tag | string | No | The tag that is added to the image vulnerability. | oval |
| Digest | string | No | The digest of the image. | 8f0fbdb41d3d1ade4ffdf21558443f4c03342010563bb8c43ccc09594d507012 |
| ClusterId | string | No | The ID of the cluster to which the container belongs. | cc20a1024011c44b6a8710d6f8b**** |
| ScanRange | array | No | The types of the assets that you want to scan. | |
| | string | No | The type of the asset that you want to scan. Valid values: container; image | container |
| ClusterName | string | No | The name of the cluster. | docker-law |
| ContainerId | string | No | The ID of the container. | c08d5fc1a329a4b88950a253d082f**** |
| Pod | string | No | The pod. | 22222-7xsqq |
| Namespace | string | No | The namespace. | test-002 |
| Image | string | No | The name of the image. | registry.cn-wulanchabu.aliyuncs.com/sas_test/huxin-test-001:nuxeo6-**** |
| RuleTag | string | No | The tag of this vulnerability. Valid values: AI: AI-related components. | AI |

Response elements

| Element | Type | Description | Example |
| --- | --- | --- | --- |
| | object | | |
| CurrentPage | integer | The page number of the returned page. | 1 |
| RequestId | string | The ID of the request, which is used to locate and troubleshoot issues. | D6B20156-49B0-5CF0-B14D-7ECA4B50DAAB |
| PageSize | integer | The number of entries returned per page. Default value: 10. | 10 |
| TotalCount | integer | The total number of vulnerabilities returned. | 1 |
| VulRecords | array<object> | An array that consists of the vulnerabilities. | |
| | array<object> | | |
| CanUpdate | boolean | Indicates whether the package of the software that has the vulnerability can be upgraded by using Security Center. Valid values: true: yes; false: no | true |
| Type | string | The type of the vulnerability. The value is fixed as CVE, which indicates image vulnerabilities. | cve |
| Status | integer | The status of the vulnerability. Valid values: 1: unfixed; 7: fixed | 1 |
| ModifyTs | integer | The timestamp when the information about the vulnerability was updated. Unit: milliseconds. | 1580808765000 |
| ImageDigest | string | The digest of the image. | 8f0fbdb41d3d1ade4ffdf21558443f4c03342010563bb8c43ccc09594d507012 |
| PrimaryId | integer | The ID of the vulnerability. | 782661 |
| Tag | string | The tag that is added to the image vulnerability. | oval |
| RepoNamespace | string | The namespace to which the image repository belongs. | default |
| RepoName | string | The name of the image repository. | varnish |
| Related | string | The Common Vulnerabilities and Exposures (CVE) ID of the associated vulnerability. | CVE-2019-9893 |
| FirstTs | integer | The timestamp when the first scan was performed. Unit: milliseconds. | 1620752053000 |
| LastTs | integer | The timestamp when the last scan was performed. Unit: milliseconds. | 1631779996000 |
| Necessity | string | The priority to fix the vulnerability. Valid values: asap: high. You must fix the vulnerability at the earliest opportunity. later: medium. You can fix the vulnerability based on your business requirements. nntf: low. You can ignore the vulnerability. | asap |
| Uuid | string | The UUID of the server. | 0004a32a0305a7f6ab5ff9600d47**** |
| AliasName | string | The alias of the vulnerability. | CVE-2018-25010:libwebp up to 1.0.0 ApplyFilter out-of-bounds read |
| Name | string | The name of the vulnerability. | debian:10:CVE-2019-9893 |
| Layers | array | The image layers. | |
| | string | The image layers. | ["null"] |
| ExtendContentJson | object | The extended information about the vulnerability. | |
| OsRelease | string | The version of the operating system in the image. | 10.9 |
| Os | string | The name of the operating system. | debian |
| RpmEntityList | array<object> | The details of the package of the software that has the vulnerability. | |
| | object | | |
| MatchList | array | The details of the rule that is used to detect the vulnerability. | ["libseccomp2 version less than equals 2.3.3-4"] |
| | string | The details of the rule that is used to detect the vulnerability. The details of multiple rules are separated by commas (,). | ["libstdc++ version less than 8.5.0-4.el8_5"] |
| Layer | string | The SHA-256 value of the digest of the image layer. | b1f5b9420803ad0657cf21566e3e20acc08581e7f22991249ef3aa80b8b1c587 |
| FullVersion | string | The complete version number of the package. | 2.3.3-4 |
| Version | string | The version number of the package. | 2.3.3-4 |
| MatchDetail | string | The reason why the vulnerability is detected. | libseccomp2 version less than equals 2.3.3-4 |
| Path | string | The path of the software that has the vulnerability. | /usr/lib64/libssh2.so.1 |
| Name | string | The name of the software package. | libseccomp2 |
| UpdateCmd | string | The command that is used to fix the vulnerability. | apt-get update && apt-get install libseccomp2 --only-upgrade |
| CanFix | string | Indicates whether the vulnerability can be fixed in the Security Center console. Valid values: yes: yes; no: no | yes |
| ClusterId | string | The ID of the cluster. | c08d5fc1a329a4b88950a253d082f1**** |
| ClusterName | string | The name of the cluster. | docker-law |
| Pod | string | The pod. | 22222-7xsqq |
| Namespace | string | The namespace. | test-002 |
| Image | string | The name of the image. | registry.cn-wulanchabu.aliyuncs.com/sas_test/huxin-test-001:nuxeo6-conta**** |
| ContainerId | string | The ID of the container. | 04d20e98c8e2c93b7b864372084320a15a58c8671e53c972ce3a71d9c163**** |
| InternetIp | string | The public IP address of the server. | 1.2.XX.XX |
| IntranetIp | string | The private IP address of the server. | 172.19.XX.XX |
| InstanceName | string | The name of the asset. | testInstance |
| TargetId | string | The ID of the asset on which the vulnerability is detected. | m-bp17m0pc0xprzbwo**** |
| TargetName | string | The name of the asset on which the vulnerability is detected. | source-test-obj-XM0Ma |
| MaliciousSource | string | The source of the malicious file. Valid values: agentless: agentless detection; image: image; container: container | agentless |
| TargetType | string | The type of the asset on which the vulnerability is detected. Valid values: ECS_SNAPSHOT: snapshot; ECS_IMAGE: image | ECS_IMAGE |
| ScanTime | integer | The time at which the scan was performed. This value is a UNIX timestamp representing the number of milliseconds that have elapsed since January 1, 1970, 00:00:00 UTC. | 1649814050000 |
| RuleTag | string | The tag of this vulnerability. Valid values: AI: AI-related components. | AI |

Examples

Success response

JSON format

{
  "CurrentPage": 1,
  "RequestId": "D6B20156-49B0-5CF0-B14D-7ECA4B50DAAB",
  "PageSize": 10,
  "TotalCount": 1,
  "VulRecords": [
    {
      "CanUpdate": true,
      "Type": "cve",
      "Status": 1,
      "ModifyTs": 1580808765000,
      "ImageDigest": "8f0fbdb41d3d1ade4ffdf21558443f4c03342010563bb8c43ccc09594d507012",
      "PrimaryId": 782661,
      "Tag": "oval",
      "RepoNamespace": "default",
      "RepoName": "varnish",
      "Related": "CVE-2019-9893",
      "FirstTs": 1620752053000,
      "LastTs": 1631779996000,
      "Necessity": "asap",
      "Uuid": "0004a32a0305a7f6ab5ff9600d47****",
      "AliasName": "CVE-2018-25010:libwebp up to 1.0.0 ApplyFilter out-of-bounds read",
      "Name": "debian:10:CVE-2019-9893",
      "Layers": [
        "[\"null\"]"
      ],
      "ExtendContentJson": {
        "OsRelease": "10.9",
        "Os": "debian",
        "RpmEntityList": [
          {
            "MatchList": [
              "[\"libstdc++ version less than 8.5.0-4.el8_5\"]"
            ],
            "Layer": "b1f5b9420803ad0657cf21566e3e20acc08581e7f22991249ef3aa80b8b1c587",
            "FullVersion": "2.3.3-4",
            "Version": "2.3.3-4",
            "MatchDetail": "libseccomp2 version less than equals 2.3.3-4",
            "Path": "/usr/lib64/libssh2.so.1",
            "Name": "libseccomp2",
            "UpdateCmd": "apt-get update && apt-get install libseccomp2  --only-upgrade"
          }
        ]
      },
      "CanFix": "yes",
      "ClusterId": "c08d5fc1a329a4b88950a253d082f1****\n",
      "ClusterName": "docker-law\n",
      "Pod": "22222-7xsqq\n",
      "Namespace": "test-002\n",
      "Image": "registry.cn-wulanchabu.aliyuncs.com/sas_test/huxin-test-001:nuxeo6-conta****\n",
      "ContainerId": "04d20e98c8e2c93b7b864372084320a15a58c8671e53c972ce3a71d9c163****\n",
      "InternetIp": "1.2.XX.XX",
      "IntranetIp": "172.19.XX.XX",
      "InstanceName": "testInstance",
      "TargetId": "m-bp17m0pc0xprzbwo****",
      "TargetName": "source-test-obj-XM0Ma",
      "MaliciousSource": "agentless",
      "TargetType": "ECS_IMAGE",
      "ScanTime": 1649814050000,
      "RuleTag": "AI"
    }
  ]
}
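
Added example (not part of the Alibaba Cloud documentation or SDK): a triage pass over DescribeImageVulList results that pages through VulRecords with CurrentPage, PageSize and TotalCount, keeps unfixed findings marked asap, and normalizes quirks visible in the sample response above (trailing newlines, JSON-encoded arrays inside MatchList). `fetch_page` is a hypothetical caller-supplied function that issues the API call, and `SAMPLE` is constructed from the documented response.

```python
import json
from datetime import datetime, timezone

def unwrap(items):
    """Flatten list items that are JSON-encoded arrays in a string, e.g. '["null"]'."""
    out = []
    for item in items or []:
        try:
            val = json.loads(item)
        except (TypeError, ValueError):
            val = item  # plain text such as a match rule, keep as is
        out.extend(val if isinstance(val, list) else [val])
    return [x for x in out if x not in (None, "", "null")]

def fetch_all(fetch_page, page_size=10):
    """fetch_page(current_page, page_size) -> response dict; hypothetical API wrapper."""
    records, page = [], 1
    while True:
        resp = fetch_page(page, page_size)
        batch = resp.get("VulRecords") or []
        records += batch
        if not batch or len(records) >= resp.get("TotalCount", 0):
            return records
        page += 1

def triage(records, necessity="asap"):
    """Unfixed (Status 1) findings at the given Necessity, one row per affected package."""
    rows = []
    for rec in records:
        if rec.get("Status") != 1 or rec.get("Necessity") != necessity:
            continue
        scanned = datetime.fromtimestamp(rec.get("LastTs", 0) / 1000, tz=timezone.utc)
        for pkg in (rec.get("ExtendContentJson") or {}).get("RpmEntityList") or []:
            rows.append({
                "cve": rec.get("Related"), "digest": rec.get("ImageDigest"),
                "image": (rec.get("Image") or "").strip(),  # sample values end in "\n"
                "package": pkg.get("Name"), "version": pkg.get("FullVersion"),
                "matched": unwrap(pkg.get("MatchList")),
                "fix": " ".join((pkg.get("UpdateCmd") or "").split()),
                "last_scan": scanned.date().isoformat()})
    return rows

SAMPLE = {"TotalCount": 1, "VulRecords": [{  # constructed from the documented response
    "Status": 1, "Necessity": "asap", "Related": "CVE-2019-9893", "LastTs": 1631779996000,
    "ImageDigest": "8f0fbdb41d3d1ade4ffdf21558443f4c03342010563bb8c43ccc09594d507012",
    "Image": "registry.cn-wulanchabu.aliyuncs.com/sas_test/huxin-test-001:nuxeo6-conta****\n",
    "ExtendContentJson": {"RpmEntityList": [{"Name": "libseccomp2", "FullVersion": "2.3.3-4",
        "MatchList": ["[\"libstdc++ version less than 8.5.0-4.el8_5\"]"],
        "UpdateCmd": "apt-get update && apt-get install libseccomp2  --only-upgrade"}]}}]}
```

Grouping the returned rows by `digest` rather than by tag ties each finding to the exact image content that was scanned.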

Error codes

| HTTP status code | Error code | Error message | Description |
| --- | --- | --- | --- |
| 500 | ServerError | ServerError | |
| 403 | NoPermission | caller has no permission | You are not authorized to do this operation. |

See Error Codes for a complete list.

Release notes

See Release Notes for a complete list.