Data Source: oci_adm_vulnerability_audit

This data source provides details about a specific Vulnerability Audit resource in Oracle Cloud Infrastructure ADM service.

Returns the details of the specified Vulnerability Audit.

Example Usage

data "oci_adm_vulnerability_audit" "test_vulnerability_audit" {
	#Required
	vulnerability_audit_id = oci_adm_vulnerability_audit.test_vulnerability_audit.id
}

Argument Reference

The following arguments are supported:

• vulnerability_audit_id - (Required) Unique Vulnerability Audit identifier path parameter.

Attributes Reference

The following attributes are exported:

• build_type - The type of the build tool is restricted to only two values MAVEN or UNSET. Use UNSET when the list of application dependencies is not Maven-related or is a mix of Maven and other ecosystems. This option is soon to be deprecated.
• compartment_id - The compartment Oracle Cloud identifier (OCID) of the vulnerability audit.
• configuration - Configuration for a vulnerability audit. A vulnerable application dependency is ignored if its name does match any of the items in exclusions, or all of the associated Vulnerabilies have a CVSS v2 score below maxPermissibleCvssV2Score and a CVSS v3 score below maxPermissibleCvssV3Score. type: object
  • exclusions - A vulnerable application dependency is ignored if its name matches any of the items in exclusions. An asterisk (*) in the dependency pattern acts as a wildcard and matches zero or more characters.
  • max_permissible_cvss_v2score - A vulnerable application dependency is ignored if the score of its associated Vulnerability is below maxPermissibleCvssV2Score and below maxPermissibleCvssV3Score.
  • max_permissible_cvss_v3score - A vulnerable application dependency is ignored if the score of its associated Vulnerability is below maxPermissibleCvssV2Score and below maxPermissibleCvssV3Score.
  • max_permissible_severity - A vulnerable application dependency is ignored if the score of its associated Vulnerability is below maxPermissibleSeverity.
• defined_tags - Defined tags for this resource. Each key is predefined and scoped to a namespace. Example: {"foo-namespace.bar-key": "value"}
• display_name - The name of the vulnerability audit.
• freeform_tags - Simple key-value pair that is applied without any predefined name, type or scope. Exists for cross-compatibility only. Example: {"bar-key": "value"}
• id - The Oracle Cloud identifier (OCID) of the vulnerability audit.
• is_success - Indicates if an audit succeeded according to the configuration. The value is null if the audit is in the CREATING state.
• knowledge_base_id - The Oracle Cloud identifier (OCID) of the knowledge base.
• lifecycle_details - Details on the lifecycle state.
• max_observed_cvss_v2score - Maximum Common Vulnerability Scoring System Version 2 score observed for non-ignored vulnerable application dependencies.
• max_observed_cvss_v2score_with_ignored - Maximum Common Vulnerability Scoring System Version 2 score observed for vulnerable application dependencies including ignored ones.
• max_observed_cvss_v3score - Maximum Common Vulnerability Scoring System Version 3 score observed for non-ignored vulnerable application dependencies.
• max_observed_cvss_v3score_with_ignored - Maximum Common Vulnerability Scoring System Version 3 score observed for vulnerable application dependencies including ignored ones.
• max_observed_severity - Maximum ADM Severity observed for non-ignored vulnerable application dependencies.
• max_observed_severity_with_ignored - Maximum ADM Severity observed for vulnerable application dependencies including ignored ones.
• source - vulnerability audit source.
  • description - Description of the external resource source.
  • oci_resource_id - The Oracle Cloud identifier (OCID) of the Oracle Cloud Infrastructure resource that triggered the vulnerability audit.
  • type - Source type of the vulnerability audit.
• state - The current lifecycle state of the vulnerability audit.
• system_tags - Usage of system tag keys. These predefined keys are scoped to namespaces. Example: {"orcl-cloud.free-tier-retained": "true"}
• time_created - The creation date and time of the vulnerability audit (formatted according to RFC3339).
• time_updated - The update date and time of the vulnerability audit (formatted according to RFC3339).
• usage_data - The source details of the usage data in object storage. The usage data file uploaded to object storage must be a gzip archive of the JSON usage data returned from the GraalVM native-image-inspect tool after a native-image build. Set sourceType to objectStorageTuple and use UsageDataViaObjectStorageTupleDetails when specifying the namespace, bucket name, and object name.
  • bucket - The Object Storage bucket to read the usage data from.
  • namespace - The Object Storage namespace to read the usage data from.
  • object - The Object Storage object name to read the usage data from.
  • source_type - The destination type. Use objectStorageTuple when specifying the namespace, bucket name, and object name.
• vulnerabilities - List of vulnerabilities found in the vulnerability audit. If a vulnerability affects multiple dependencies, the metadata returned here consists of audit-wide aggregates.
  • cvss_v2score - Common Vulnerability Scoring System (CVSS) Version 2.
  • cvss_v3score - Common Vulnerability Scoring System (CVSS) Version 3.
  • id - Unique vulnerability identifier, e.g. CVE-1999-0067.
  • is_false_positive - Indicates if the vulnerability is a false positive according to the usage data. If no usage data was provided or the service cannot infer usage of the vulnerable code then this property is null.
  • is_ignored - Indicates if the vulnerability was ignored according to the audit configuration.
  • severity - ADM qualitative severity score. Can be either NONE, LOW, MEDIUM, HIGH or CRITICAL.
  • source - Source that published the vulnerability
• vulnerable_artifacts_count - Count of non-ignored vulnerable application dependencies.
• vulnerable_artifacts_count_with_ignored - Count of all vulnerable application dependencies.