Uploading External Reports
External reports can be uploaded manually. To upload, follow these steps:
- Navigate to Projects → Project Name → Security Pipelines
- Click the Import Results button in the right-hand menu
Tip: For some tools, reports can also be uploaded in SBOM format.
- Upload the JSON or SARIF file with the results
Note: Only one file can be uploaded at a time, and it must be in JSON or SARIF format.
- Click the Save button
JSON File Requirements
{
"properties": {
"issues": {
"type": "array",
"items": {
"type": "object",
"properties": {
"category": { "type": "string" },
"severity": {
"type": "string",
"enum": ["critical", "high", "medium", "low", "undefined"]
},
"id": { "type": "string" },
"cwe": { "type": "string" },
"cve": { "type": "string" },
"line": { "type": "integer", "minimum": 1 },
"code": { "type": "string" },
"libraryName": { "type": "string" },
"libraryVersion": { "type": "string" },
"file": { "type": "string" },
"links": {
"type": "array",
"items": { "type": "string", "format": "uri" }
},
"description": { "type": "string" },
"recommendation": { "type": "string" },
"fixedVersion": { "type": "string" },
"ratings": {
"type": "array",
"items": {
"type": "object",
"properties": {
"metric": { "type": "string" },
"score": { "type": "number", "minimum": 0, "maximum": 10 }
},
"required": ["metric", "score"]
}
},
"path": {
"type": "array",
"items": { "type": "string" }
}
},
"required": ["category", "severity"]
}
}
},
"required": ["issues"]
}
Example Request Body
[
{
"category": "OS dependency vulnerability",
"severity": "high",
"scan_object": "jfrog.tronsec.ru/tron/event-broker:1.1.2-patch",
"cwe": "CWE-79",
"cve": "CVE-2023-1234",
"tool_type_name": "KCS",
"lib_name": "example-library",
"lib_version": "1.2.3",
"info_links": ["https://example.com/cve-2023-1234"],
"description": "This is a vulnerability description.",
"recommendations": "Sanitize user input before executing commands.",
"fixed_version": "1.2.4",
"ratings": "CVSS: 9.1 (Critical)",
"path": "/src/controllers/userController.js",
"exploit": "Proof-of-concept exploit code here."
}
]
SARIF File Requirements
{
"version": "2.1.0",
"runs": [
{
"tool": {
"driver": {
"name": "MySecurityScanner",
"rules": [
{
"id": "SEC001",
"name": "InsecureLibraryUse",
"helpUri": "https://example.com/rules/SEC001-CVE-2023-12345",
"properties": {
"tags": ["security", "CWE-79", "injection"],
"references": [
"https://cwe.mitre.org/data/definitions/79.html",
"https://nvd.nist.gov/vuln/detail/CVE-2023-12345"
]
}
}
]
}
},
"properties": {
"category": "dependency-analysis"
},
"results": [
{
"ruleId": "SEC001",
"level": "error",
"message": {
"text": "Vulnerable library detected: lodash@4.17.11"
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "src/utils/parser.js"
},
"region": {
"startLine": 42,
"snippet": {
"text": "const _ = require('lodash');"
}
}
}
}
],
"codeFlows": [
{
"threadFlows": [
{
"locations": [
{
"location": {
"physicalLocation": {
"artifactLocation": {
"uri": "src/utils/parser.js"
},
"region": {
"startLine": 42
}
}
}
}
]
}
]
}
],
"properties": {
"input_issue_id": "ISSUE-00123",
"security-severity": 8.5,
"info_links": [
"https://cwe.mitre.org/data/definitions/79.html",
"https://nvd.nist.gov/vuln/detail/CVE-2023-12345"
],
"library_name": "lodash",
"library_version": "4.17.11"
}
}
]
}
]
}
Info: When using external scripts, and depending on the selected scanning tool (e.g., a CLI tool), the security check may be able to receive scan results externally via an HTTP request from the external tool to the TRON.ASOC endpoint.