// Copyright 2018 The Grafeas Authors. All rights reserved.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//    http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

syntax = "proto3";

package grafeas.v1beta1.vulnerability;

import "google/devtools/containeranalysis/v1beta1/common/common.proto";
import "google/devtools/containeranalysis/v1beta1/package/package.proto";

option go_package = "google.golang.org/genproto/googleapis/devtools/containeranalysis/v1beta1/vulnerability;vulnerability";
option java_multiple_files = true;
option java_package = "io.grafeas.v1beta1.vulnerability";
option objc_class_prefix = "GRA";

// Note provider-assigned severity/impact ranking.
//
// NOTE(review): the values below are not prefixed with the enum name (e.g.
// SEVERITY_LOW). Enum values share the enclosing scope with the enum type,
// so an unprefixed name can collide with a same-named value in another enum
// of this package. Renaming them would break generated code on a published
// API, so the existing convention is kept; callers should reference them
// through the generated, language-specific accessors.
enum Severity {
  // Unknown. This is also the proto3 default, so a Severity field that was
  // never set reads as this value -- do not interpret it as "no impact".
  SEVERITY_UNSPECIFIED = 0;
  // Minimal severity.
  MINIMAL = 1;
  // Low severity.
  LOW = 2;
  // Medium severity.
  MEDIUM = 3;
  // High severity.
  HIGH = 4;
  // Critical severity. Values are ordered from least to most severe, so the
  // numeric value can be used for ranking; unknown future values round-trip
  // as raw integers and should be handled gracefully by consumers.
  CRITICAL = 5;
}

// Vulnerability provides metadata about a security vulnerability.
//
// This is the note-side description: it identifies *which* packages and
// version ranges are affected (via `details`), independent of any particular
// scanned resource. Per-resource findings are carried by the `Details`
// occurrence message below.
message Vulnerability {
  // The CVSS score for this vulnerability.
  //
  // NOTE(review): this field does not indicate which CVSS version the score
  // comes from, and as a proto3 scalar it has implicit presence -- a score of
  // 0.0 is indistinguishable from "no score assigned". Consumers should not
  // treat 0 as "not exploitable" without checking `severity` as well.
  float cvss_score = 1;

  // Note provider assigned impact of the vulnerability.
  // Defaults to SEVERITY_UNSPECIFIED when the provider did not assign one.
  Severity severity = 2;

  // All information about the package to specifically identify this
  // vulnerability. One entry per (version range and cpe_uri) the package
  // vulnerability has manifested in.
  repeated Detail details = 3;

  // Identifies all occurrences of this vulnerability in the package for a
  // specific distro/location. For example: glibc in
  // cpe:/o:debian:debian_linux:8 for versions 2.1 - 2.2
  message Detail {
    // The cpe_uri in [cpe format] (https://cpe.mitre.org/specification/) in
    // which the vulnerability manifests.  Examples include distro or storage
    // location for vulnerable jar.
    // This is a free-form string; the schema does not validate CPE syntax, so
    // matching against it should be done with a proper CPE parser rather than
    // plain string equality.
    string cpe_uri = 1;

    // The name of the package where the vulnerability was found.
    string package = 2;

    // The min version of the package in which the vulnerability exists.
    // Whether the bound is inclusive, and how versions are ordered, is
    // defined by grafeas.v1beta1.package.Version (package.proto, not shown
    // here) -- TODO confirm before relying on range comparisons.
    grafeas.v1beta1.package.Version min_affected_version = 3;

    // The max version of the package in which the vulnerability exists.
    // Same ordering/inclusivity caveat as `min_affected_version`.
    grafeas.v1beta1.package.Version max_affected_version = 4;

    // The severity (eg: distro assigned severity) for this vulnerability.
    // Free-form text from the distro/provider, not the `Severity` enum; the
    // two may disagree and should not be assumed to map one-to-one.
    string severity_name = 5;

    // A vendor-specific description of this note.
    // Provider-supplied text: escape it before rendering in HTML or logs.
    string description = 6;

    // The fix for this specific package version.
    // Message fields have explicit presence, so an unset `fixed_location`
    // is distinguishable from one that is set; presumably unset means no
    // fix is known for this range -- verify against the producer.
    VulnerabilityLocation fixed_location = 7;

    // The type of package; whether native or non native(ruby gems, node.js
    // packages etc).
    string package_type = 8;

    // Whether this detail is obsolete. Occurrences are expected not to point to
    // obsolete details.
    // Implicit-presence bool: "unset" and "false" are the same on the wire.
    bool is_obsolete = 9;
  }
}

// Details of a vulnerability occurrence.
//
// An occurrence ties a `Vulnerability` note to a concrete scanned resource:
// `package_issue` lists where in that resource the vulnerable package was
// found and what fix (if any) is available. Several fields are marked
// "Output only" in their comments, i.e. populated by the server from the
// note rather than supplied by the caller.
message Details {
  // The type of package; whether native or non native(ruby gems, node.js
  // packages etc)
  // NOTE(review): `type` is a reserved word in several target languages, so
  // generated accessors may be mangled (e.g. `type_`, `getType`); it cannot
  // be renamed without a source-level break for existing clients.
  string type = 1;

  // Output only. The note provider assigned Severity of the vulnerability.
  Severity severity = 2;

  // Output only. The CVSS score of this vulnerability. CVSS score is on a
  // scale of 0-10 where 0 indicates low severity and 10 indicates high
  // severity.
  // Because proto3 scalars have implicit presence, 0 here may also mean
  // "no score was provided"; check `severity` before treating 0 as benign.
  // The CVSS version (v2 vs v3) is not recorded in this message.
  float cvss_score = 3;

  // The set of affected locations and their fixes (if available) within the
  // associated resource.
  repeated PackageIssue package_issue = 4;

  // Output only. A one sentence description of this vulnerability.
  // Provider-supplied text; treat as untrusted when rendering.
  string short_description = 5;

  // Output only. A detailed description of this vulnerability.
  // Provider-supplied text; treat as untrusted when rendering.
  string long_description = 6;

  // Output only. URLs related to this vulnerability.
  // These are provider-supplied links; consumers should present them rather
  // than dereference them automatically.
  repeated grafeas.v1beta1.RelatedUrl related_urls = 7;
}

// This message wraps a location affected by a vulnerability and its
// associated fix (if one is available).
//
// Both locations are message-typed and therefore have explicit presence:
// a `PackageIssue` whose `fixed_location` is unset can be distinguished
// from one whose fix is set to an empty location.
message PackageIssue {
  // The location of the vulnerability.
  VulnerabilityLocation affected_location = 1;

  // The location of the available fix for vulnerability.
  // Unset when no fix is available, per the message comment above.
  VulnerabilityLocation fixed_location = 2;

  // The severity (e.g., distro assigned severity) for this vulnerability.
  // Free-form distro/provider text, distinct from the `Severity` enum on the
  // enclosing `Details`; the two are not guaranteed to agree.
  string severity_name = 3;
}

// The location of the vulnerability.
//
// A (cpe_uri, package, version) triple identifying one concrete package
// instance. Used both for the affected location and for the fix location in
// `PackageIssue` and `Vulnerability.Detail`; when describing a fix, `version`
// is the version that carries the fix.
message VulnerabilityLocation {
  // The cpe_uri in [cpe format] (https://cpe.mitre.org/specification/)
  // format. Examples include distro or storage location for vulnerable jar.
  // Not validated by the schema; parse with a CPE-aware matcher rather than
  // comparing strings directly.
  string cpe_uri = 1;

  // The package being described.
  string package = 2;

  // The version of the package being described.
  // Ordering semantics are defined by grafeas.v1beta1.package.Version in
  // package.proto (not shown here).
  grafeas.v1beta1.package.Version version = 3;
}