Security Center: DescribeImageVulList

Last Updated: Nov 25, 2024

Queries the details of vulnerabilities that are detected by container image scans, together with the affected images.

Operation description

To query information about recently detected image vulnerabilities, first call the PublicCreateImageScanTask operation. Wait 1 to 5 minutes until the call is successful, and then call the DescribeImageVulList operation.

Debugging

You can call this operation directly in OpenAPI Explorer, which saves you the trouble of calculating signatures. After the call succeeds, OpenAPI Explorer can automatically generate SDK code samples.

Authorization information

The following table shows the authorization information for this API operation. You can use the authorization information in the Action element of a policy to grant a RAM user or RAM role the permissions to call this operation. The columns are described as follows:

  • Operation: the value that you can use in the Action element to specify the operation on a resource.
  • Access level: the access level of each operation. The levels are read, write, and list.
  • Resource type: the type of the resource on which you can authorize the RAM user or the RAM role to perform the operation. Take note of the following items:
    • The required resource types are displayed in bold characters.
    • If the permissions cannot be granted at the resource level, All Resources is used in the Resource type column of the operation.
  • Condition Key: the condition key that is defined by the cloud service.
  • Associated operation: other operations that the RAM user or the RAM role must have permissions to perform to complete the operation. To complete the operation, the RAM user or the RAM role must have the permissions to perform the associated operations.

| Operation | Access level | Resource type | Condition key | Associated operation |
| yundun-sas:DescribeImageVulList | get | All Resources (*) | none | none |

Request parameters

| Parameter | Type | Required | Description | Example |
| Lang | string | No | The language of the content within the request and response. Default value: zh. Valid values: zh (Chinese), en (English). | zh |
| Type | string | Yes | The type of the vulnerability. Set the value to cve, which indicates image vulnerabilities. | cve |
| Uuids | string | No | The UUIDs of the assets. Separate multiple UUIDs with commas (,). | 0004a32a0305a7f6ab5ff9600d47**** |
| Name | string | No | The name of the vulnerability. | debian:10:CVE-2019-9893 |
| AliasName | string | No | The alias of the vulnerability. | High severity vulnerability that affects org.eclipse.jetty:jetty-server |
| StatusList | string | No | The status of the vulnerability. Valid values: 1 (unfixed), 4 (being fixed), 7 (fixed). | 1 |
| Necessity | string | No | The priority to fix the vulnerability. Valid values: asap (high; you must fix the vulnerability at the earliest opportunity), later (medium; you can fix the vulnerability based on your business requirements), nntf (low; you can ignore the vulnerability). | asap |
| Dealed | string | No | Specifies whether the vulnerability is handled. Valid values: y (handled), n (unhandled). | y |
| CurrentPage | integer | No | The number of the page to return. Default value: 1 | 1 |
| PageSize | integer | No | The number of entries to return on each page. Default value: 10 | 10 |
| RepoRegionId | string | No | The region ID of the image repository. | cn-hangzhou |
| RepoInstanceId | string | No | The instance ID of the image repository. | i-qewqrqcsadf**** |
| RepoId | string | No | The ID of the image repository. | qew**** |
| RepoName | string | No | The name of the image repository. | libssh2 |
| RepoNamespace | string | No | The namespace to which the image repository belongs. | libssh2 |
| RegionId | string | No | The region ID of the instance. | cn-hangzhou |
| InstanceId | string | No | The instance ID of the asset. | 1-qeqewqw**** |
| Tag | string | No | The tag that is added to the image. | oval |
| Digest | string | No | The digest of the image. | 8f0fbdb41d3d1ade4ffdf21558443f4c03342010563bb8c43ccc09594d507012 |
| ClusterId | string | No | The ID of the cluster to which the container belongs. | cc20a1024011c44b6a8710d6f8b**** |
| ScanRange | array | No | The types of the assets that you want to scan. | |
| | string | No | The type of the asset that you want to scan. Valid values: container, image. | container |
| ClusterName | string | No | The name of the cluster. | docker-law |
| ContainerId | string | No | The ID of the container. | c08d5fc1a329a4b88950a253d082f**** |
| Pod | string | No | The pod. | 22222-7xsqq |
| Namespace | string | No | The namespace. | test-002 |
| Image | string | No | The name of the image. | registry.cn-wulanchabu.aliyuncs.com/sas_test/huxin-test-001:nuxeo6-**** |

Response parameters

| Parameter | Type | Description | Example |
| | object | | |
| CurrentPage | integer | The page number of the returned page. | 1 |
| RequestId | string | The request ID. | D6B20156-49B0-5CF0-B14D-7ECA4B50DAAB |
| PageSize | integer | The number of entries returned per page. Default value: 10 | 10 |
| TotalCount | integer | The total number of entries returned. | 1 |
| VulRecords | array<object> | The vulnerabilities. | |
| VulRecord | object | The information about the array object. | |
| CanUpdate | boolean | Indicates whether the packages of the software that has the vulnerability can be upgraded by using Security Center. Valid values: true, false. | true |
| Type | string | The type of the vulnerability. The value is fixed as cve, which indicates image vulnerabilities. | cve |
| Status | integer | The status of the vulnerability. Valid values: 1 (unfixed), 7 (fixed). | 1 |
| ModifyTs | long | The timestamp when the information about the vulnerability was updated. Unit: milliseconds. | 1580808765000 |
| ImageDigest | string | The digest of the image. | 8f0fbdb41d3d1ade4ffdf21558443f4c03342010563bb8c43ccc09594d507012 |
| PrimaryId | long | The ID of the vulnerability. | 782661 |
| Tag | string | The tag that is added to the vulnerability. | oval |
| RepoNamespace | string | The namespace to which the image repository belongs. | default |
| RepoName | string | The name of the image repository. | varnish |
| Related | string | The Common Vulnerabilities and Exposures (CVE) ID of the associated vulnerability. | CVE-2019-9893 |
| FirstTs | long | The timestamp when the first scan was performed. Unit: milliseconds. | 1620752053000 |
| LastTs | long | The timestamp when the last scan was performed. Unit: milliseconds. | 1631779996000 |
| Necessity | string | The priority to fix the vulnerability. Valid values: asap (high; you must fix the vulnerability at the earliest opportunity), later (medium; you can fix the vulnerability based on your business requirements), nntf (low; you can ignore the vulnerability). | asap |
| Uuid | string | The UUID of the server. | 0004a32a0305a7f6ab5ff9600d47**** |
| AliasName | string | The alias of the vulnerability. | CVE-2018-25010:libwebp up to 1.0.0 ApplyFilter out-of-bounds read |
| Name | string | The name of the vulnerability. | debian:10:CVE-2019-9893 |
| Layers | array | The image layers. | |
| name | string | The information about the image layer. | ["null"] |
| ExtendContentJson | object | The extended information about the vulnerability. | |
| OsRelease | string | The version of the operating system in the image. | 10.9 |
| Os | string | The name of the operating system. | debian |
| RpmEntityList | array<object> | The details of the packages of the software that has the vulnerability. | |
| RpmEntity | object | The information about the array object. | |
| MatchList | array | The details of the rules that are used to detect the vulnerability. | |
| Match | string | The details of the rules that are used to detect the vulnerability. The details of multiple rules are separated by commas (,). | ["libstdc++ version less than 8.5.0-4.el8_5"] |
| Layer | string | The SHA-256 value of the digest of the image layer. | b1f5b9420803ad0657cf21566e3e20acc08581e7f22991249ef3aa80b8b1c587 |
| FullVersion | string | The complete version number of the package. | 2.3.3-4 |
| Version | string | The version number of the package. | 2.3.3-4 |
| MatchDetail | string | The reason why the vulnerability is detected. | libseccomp2 version less than equals 2.3.3-4 |
| Path | string | The path to the software that has the vulnerability. | /usr/lib64/libssh2.so.1 |
| Name | string | The name of the software package. | libseccomp2 |
| UpdateCmd | string | The command that is used to fix the vulnerability. | apt-get update && apt-get install libseccomp2 --only-upgrade |
| CanFix | string | Indicates whether the vulnerability can be fixed in the Security Center console. Valid values: yes, no. | yes |
| ClusterId | string | The ID of the cluster. | c08d5fc1a329a4b88950a253d082f1**** |
| ClusterName | string | The name of the cluster. | docker-law |
| Pod | string | The pod. | 22222-7xsqq |
| Namespace | string | The namespace. | test-002 |
| Image | string | The name of the image. | registry.cn-wulanchabu.aliyuncs.com/sas_test/huxin-test-001:nuxeo6-conta**** |
| ContainerId | string | The ID of the container. | 04d20e98c8e2c93b7b864372084320a15a58c8671e53c972ce3a71d9c163**** |
| InternetIp | string | The public IP address of the server. | 1.2.XX.XX |
| IntranetIp | string | The private IP address of the server. | 172.19.XX.XX |
| InstanceName | string | The name of the asset. | testInstance |
| TargetId | string | The ID of the asset on which the vulnerability is detected. | m-bp17m0pc0xprzbwo**** |
| TargetName | string | The name of the asset on which the vulnerability is detected. | source-test-obj-XM0Ma |
| MaliciousSource | string | The source of the malicious file. Valid values: agentless (agentless detection), image (image), container (container). | agentless |
| TargetType | string | The type of the asset on which the vulnerability is detected. Valid values: ECS_IMAGE (image), ECS_SNAPSHOT (snapshot). | ECS_IMAGE |
| ScanTime | long | The time at which the scan was performed. This value is a UNIX timestamp representing the number of milliseconds that have elapsed since January 1, 1970, 00:00:00 UTC. | 1649814050000 |

Examples

Sample success responses

JSON format

{
  "CurrentPage": 1,
  "RequestId": "D6B20156-49B0-5CF0-B14D-7ECA4B50DAAB",
  "PageSize": 10,
  "TotalCount": 1,
  "VulRecords": [
    {
      "CanUpdate": true,
      "Type": "cve",
      "Status": 1,
      "ModifyTs": 1580808765000,
      "ImageDigest": "8f0fbdb41d3d1ade4ffdf21558443f4c03342010563bb8c43ccc09594d507012",
      "PrimaryId": 782661,
      "Tag": "oval",
      "RepoNamespace": "default",
      "RepoName": "varnish",
      "Related": "CVE-2019-9893",
      "FirstTs": 1620752053000,
      "LastTs": 1631779996000,
      "Necessity": "asap",
      "Uuid": "0004a32a0305a7f6ab5ff9600d47****",
      "AliasName": "CVE-2018-25010:libwebp up to 1.0.0 ApplyFilter out-of-bounds read",
      "Name": "debian:10:CVE-2019-9893",
      "Layers": [
        "[\"null\"]"
      ],
      "ExtendContentJson": {
        "OsRelease": "10.9",
        "Os": "debian",
        "RpmEntityList": [
          {
            "MatchList": [
              "[\"libstdc++ version less than 8.5.0-4.el8_5\"]"
            ],
            "Layer": "b1f5b9420803ad0657cf21566e3e20acc08581e7f22991249ef3aa80b8b1c587",
            "FullVersion": "2.3.3-4",
            "Version": "2.3.3-4",
            "MatchDetail": "libseccomp2 version less than equals 2.3.3-4",
            "Path": "/usr/lib64/libssh2.so.1",
            "Name": "libseccomp2",
            "UpdateCmd": "apt-get update && apt-get install libseccomp2  --only-upgrade"
          }
        ]
      },
      "CanFix": "yes",
      "ClusterId": "c08d5fc1a329a4b88950a253d082f1****\n",
      "ClusterName": "docker-law\n",
      "Pod": "22222-7xsqq\n",
      "Namespace": "test-002\n",
      "Image": "registry.cn-wulanchabu.aliyuncs.com/sas_test/huxin-test-001:nuxeo6-conta****\n",
      "ContainerId": "04d20e98c8e2c93b7b864372084320a15a58c8671e53c972ce3a71d9c163****\n",
      "InternetIp": "1.2.XX.XX",
      "IntranetIp": "172.19.XX.XX",
      "InstanceName": "testInstance",
      "TargetId": "m-bp17m0pc0xprzbwo****",
      "TargetName": "source-test-obj-XM0Ma",
      "MaliciousSource": "agentless",
      "TargetType": "ECS_IMAGE",
      "ScanTime": 1649814050000
    }
  ]
}
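
The sample response above has three properties that matter when these records feed a triage pipeline: some string values end in a newline, MatchList entries are JSON-encoded arrays stored as strings, and timestamps are in milliseconds. The following Python is an added example, not Alibaba Cloud SDK code or part of the original page; the function names and the output dictionary shape are assumptions, and the input is a constructed, trimmed copy of the sample response.

```python
import json
from datetime import datetime, timezone
# Constructed input: a trimmed copy of the sample success response on this page.
SAMPLE = {
    "CurrentPage": 1, "PageSize": 10, "TotalCount": 1,
    "VulRecords": [{
        "Status": 1, "Necessity": "asap", "Name": "debian:10:CVE-2019-9893",
        "LastTs": 1631779996000, "ClusterName": "docker-law\n",
        "ExtendContentJson": {"RpmEntityList": [{
            "Name": "libseccomp2", "FullVersion": "2.3.3-4",
            "MatchList": ["[\"libstdc++ version less than 8.5.0-4.el8_5\"]"],
            "UpdateCmd": "apt-get update && apt-get install libseccomp2  --only-upgrade",
        }]},
    }],
}
RANK = {"asap": 0, "later": 1, "nntf": 2}  # Necessity values listed on this page

def decode_list(items):
    """Flatten array entries that are themselves JSON-encoded arrays."""
    out = []
    for item in items or []:
        try:
            parsed = json.loads(item)
        except (TypeError, ValueError):
            parsed = item  # not JSON: keep the raw value
        out.extend(parsed if isinstance(parsed, list) else [parsed])
    return out

def normalize(rec):
    pkgs = (rec.get("ExtendContentJson") or {}).get("RpmEntityList") or []
    return {
        "name": rec.get("Name", ""),
        "necessity": rec.get("Necessity", ""),
        "cluster": (rec.get("ClusterName") or "").strip(),  # sample has a trailing "\n"
        "last_seen": datetime.fromtimestamp(rec["LastTs"] / 1000, tz=timezone.utc),
        "packages": [(p.get("Name"), p.get("FullVersion"),
                      decode_list(p.get("MatchList"))) for p in pkgs],
        # UpdateCmd is response data: show it to a reviewer, do not pass it to a shell.
        "suggested_fix": [p.get("UpdateCmd", "") for p in pkgs],
    }

def triage(resp):
    """Return unfixed records (Status 1), most urgent Necessity first."""
    recs = [normalize(r) for r in resp.get("VulRecords", []) if r.get("Status") == 1]
    return sorted(recs, key=lambda r: RANK.get(r["necessity"], len(RANK)))

def pages_remaining(resp):
    """Pages still to fetch after CurrentPage, from TotalCount and PageSize."""
    return max(0, -(-resp["TotalCount"] // resp["PageSize"]) - resp["CurrentPage"])
```

Run each page of results through triage, and use pages_remaining to decide whether to request the next CurrentPage.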

Error codes

| HTTP status code | Error code | Error message | Description |
| 403 | NoPermission | caller has no permission | You are not authorized to do this operation. |
| 500 | ServerError | ServerError | - |

For a list of error codes, see Service error codes.

Change history

| Change time | Summary of changes | Operation |
| 2022-09-16 | The request parameters of the API have changed. The response structure of the API has changed. | View Change Details |
| 2022-09-16 | The request parameters of the API have changed. The response structure of the API has changed. | View Change Details |
| 2021-10-14 | The internal configuration of the API is changed, but the call is not affected. | View Change Details |