feat(client-ecr): The DescribeImageScanning API now includes `fixAv…

…ailable`, `exploitAvailable`, and `fixedInVersion` fields to provide more detailed information about the availability of fixes, exploits, and fixed versions for identified image vulnerabilities.
aws · Sep 17, 2024 · d829454 · d829454
1 parent 566bb05
commit d829454
Show file tree

Hide file tree

Showing 4 changed files with 58 additions and 5 deletions.
diff --git a/clients/client-ecr/src/commands/DescribeImageScanFindingsCommand.ts b/clients/client-ecr/src/commands/DescribeImageScanFindingsCommand.ts
@@ -116,6 +116,7 @@ export interface DescribeImageScanFindingsCommandOutput extends DescribeImageSca
  * //               release: "STRING_VALUE",
  * //               sourceLayerHash: "STRING_VALUE",
  * //               version: "STRING_VALUE",
+ * //               fixedInVersion: "STRING_VALUE",
  * //             },
  * //           ],
  * //         },
@@ -168,6 +169,8 @@ export interface DescribeImageScanFindingsCommandOutput extends DescribeImageSca
  * //         title: "STRING_VALUE",
  * //         type: "STRING_VALUE",
  * //         updatedAt: new Date("TIMESTAMP"),
+ * //         fixAvailable: "STRING_VALUE",
+ * //         exploitAvailable: "STRING_VALUE",
  * //       },
  * //     ],
  * //   },

diff --git a/clients/client-ecr/src/models/models_0.ts b/clients/client-ecr/src/models/models_0.ts
@@ -1065,14 +1065,14 @@ export interface EncryptionConfiguration {
    *             for Amazon ECR, or specify your own KMS key, which you already created.</p>
    *          <p>If you use the <code>KMS_DSSE</code> encryption type, the contents of the repository
    *             will be encrypted with two layers of encryption using server-side encryption with the
-   *             KMS Management Service key stored in KMS. Similar to the KMS encryption type, you
+   *             KMS Management Service key stored in KMS. Similar to the <code>KMS</code> encryption type, you
    *             can either use the default Amazon Web Services managed KMS key for Amazon ECR, or specify your own KMS
    *             key, which you've already created. </p>
    *          <p>If you use the <code>AES256</code> encryption type, Amazon ECR uses server-side encryption
    *             with Amazon S3-managed encryption keys which encrypts the images in the repository using an
-   *             AES256 encryption algorithm. For more information, see <a href="https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingServerSideEncryption.html">Protecting data using
-   *                 server-side encryption with Amazon S3-managed encryption keys (SSE-S3)</a> in the
-   *                 <i>Amazon Simple Storage Service Console Developer Guide</i>.</p>
+   *             AES256 encryption algorithm.</p>
+   *          <p>For more information, see <a href="https://docs.aws.amazon.com/AmazonECR/latest/userguide/encryption-at-rest.html">Amazon ECR encryption at
+   *             rest</a> in the <i>Amazon Elastic Container Registry User Guide</i>.</p>
    * @public
    */
   encryptionType: EncryptionType | undefined;
@@ -2456,6 +2456,12 @@ export interface VulnerablePackage {
    * @public
    */
   version?: string;
+
+  /**
+   * <p>The version of the package that contains the vulnerability fix.</p>
+   * @public
+   */
+  fixedInVersion?: string;
 }
 
 /**
@@ -2814,6 +2820,21 @@ export interface EnhancedImageScanFinding {
    * @public
    */
   updatedAt?: Date;
+
+  /**
+   * <p>Details on whether a fix is available through a version update. This value can be
+   *                 <code>YES</code>, <code>NO</code>, or <code>PARTIAL</code>. A <code>PARTIAL</code>
+   *             fix means that some, but not all, of the packages identified in the finding have fixes
+   *             available through updated versions.</p>
+   * @public
+   */
+  fixAvailable?: string;
+
+  /**
+   * <p>If a finding discovered in your environment has an exploit available.</p>
+   * @public
+   */
+  exploitAvailable?: string;
 }
 
 /**

diff --git a/clients/client-ecr/src/protocols/Aws_json1_1.ts b/clients/client-ecr/src/protocols/Aws_json1_1.ts
@@ -3133,8 +3133,10 @@ const de_EnhancedImageScanFinding = (output: any, context: __SerdeContext): Enha
   return take(output, {
     awsAccountId: __expectString,
     description: __expectString,
+    exploitAvailable: __expectString,
     findingArn: __expectString,
     firstObservedAt: (_: any) => __expectNonNull(__parseEpochTimestamp(__expectNumber(_))),
+    fixAvailable: __expectString,
     lastObservedAt: (_: any) => __expectNonNull(__parseEpochTimestamp(__expectNumber(_))),
     packageVulnerabilityDetails: (_: any) => de_PackageVulnerabilityDetails(_, context),
     remediation: _json,

diff --git a/codegen/sdk-codegen/aws-models/ecr.json b/codegen/sdk-codegen/aws-models/ecr.json
@@ -3499,7 +3499,7 @@
         "encryptionType": {
           "target": "com.amazonaws.ecr#EncryptionType",
           "traits": {
-            "smithy.api#documentation": "<p>The encryption type to use.</p>\n         <p>If you use the <code>KMS</code> encryption type, the contents of the repository will\n            be encrypted using server-side encryption with Key Management Service key stored in KMS. When you\n            use KMS to encrypt your data, you can either use the default Amazon Web Services managed KMS key\n            for Amazon ECR, or specify your own KMS key, which you already created.</p>\n         <p>If you use the <code>KMS_DSSE</code> encryption type, the contents of the repository\n            will be encrypted with two layers of encryption using server-side encryption with the\n            KMS Management Service key stored in KMS. Similar to the KMS encryption type, you\n            can either use the default Amazon Web Services managed KMS key for Amazon ECR, or specify your own KMS\n            key, which you've already created. </p>\n         <p>If you use the <code>AES256</code> encryption type, Amazon ECR uses server-side encryption\n            with Amazon S3-managed encryption keys which encrypts the images in the repository using an\n            AES256 encryption algorithm. For more information, see <a href=\"https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingServerSideEncryption.html\">Protecting data using\n                server-side encryption with Amazon S3-managed encryption keys (SSE-S3)</a> in the\n                <i>Amazon Simple Storage Service Console Developer Guide</i>.</p>",
+            "smithy.api#documentation": "<p>The encryption type to use.</p>\n         <p>If you use the <code>KMS</code> encryption type, the contents of the repository will\n            be encrypted using server-side encryption with Key Management Service key stored in KMS. When you\n            use KMS to encrypt your data, you can either use the default Amazon Web Services managed KMS key\n            for Amazon ECR, or specify your own KMS key, which you already created.</p>\n         <p>If you use the <code>KMS_DSSE</code> encryption type, the contents of the repository\n            will be encrypted with two layers of encryption using server-side encryption with the\n            KMS Management Service key stored in KMS. Similar to the <code>KMS</code> encryption type, you\n            can either use the default Amazon Web Services managed KMS key for Amazon ECR, or specify your own KMS\n            key, which you've already created. </p>\n         <p>If you use the <code>AES256</code> encryption type, Amazon ECR uses server-side encryption\n            with Amazon S3-managed encryption keys which encrypts the images in the repository using an\n            AES256 encryption algorithm.</p>\n         <p>For more information, see <a href=\"https://docs.aws.amazon.com/AmazonECR/latest/userguide/encryption-at-rest.html\">Amazon ECR encryption at\n            rest</a> in the <i>Amazon Elastic Container Registry User Guide</i>.</p>",
             "smithy.api#required": {}
           }
         },
@@ -3651,6 +3651,18 @@
           "traits": {
             "smithy.api#documentation": "<p>The date and time the finding was last updated at.</p>"
           }
+        },
+        "fixAvailable": {
+          "target": "com.amazonaws.ecr#FixAvailable",
+          "traits": {
+            "smithy.api#documentation": "<p>Details on whether a fix is available through a version update. This value can be\n                <code>YES</code>, <code>NO</code>, or <code>PARTIAL</code>. A <code>PARTIAL</code>\n            fix means that some, but not all, of the packages identified in the finding have fixes\n            available through updated versions.</p>"
+          }
+        },
+        "exploitAvailable": {
+          "target": "com.amazonaws.ecr#ExploitAvailable",
+          "traits": {
+            "smithy.api#documentation": "<p>If a finding discovered in your environment has an exploit available.</p>"
+          }
         }
       },
       "traits": {
@@ -3675,6 +3687,9 @@
     "com.amazonaws.ecr#ExpirationTimestamp": {
       "type": "timestamp"
     },
+    "com.amazonaws.ecr#ExploitAvailable": {
+      "type": "string"
+    },
     "com.amazonaws.ecr#FilePath": {
       "type": "string"
     },
@@ -3737,6 +3752,12 @@
         "target": "com.amazonaws.ecr#SeverityCount"
       }
     },
+    "com.amazonaws.ecr#FixAvailable": {
+      "type": "string"
+    },
+    "com.amazonaws.ecr#FixedInVersion": {
+      "type": "string"
+    },
     "com.amazonaws.ecr#ForceFlag": {
       "type": "boolean",
       "traits": {
@@ -8639,6 +8660,12 @@
           "traits": {
             "smithy.api#documentation": "<p>The version of the vulnerable package.</p>"
           }
+        },
+        "fixedInVersion": {
+          "target": "com.amazonaws.ecr#FixedInVersion",
+          "traits": {
+            "smithy.api#documentation": "<p>The version of the package that contains the vulnerability fix.</p>"
+          }
         }
       },
       "traits": {