123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203 |
- // Copyright 2018 The Grafeas Authors. All rights reserved.
- //
- // Licensed under the Apache License, Version 2.0 (the "License");
- // you may not use this file except in compliance with the License.
- // You may obtain a copy of the License at
- //
- // http://www.apache.org/licenses/LICENSE-2.0
- //
- // Unless required by applicable law or agreed to in writing, software
- // distributed under the License is distributed on an "AS IS" BASIS,
- // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- // See the License for the specific language governing permissions and
- // limitations under the License.
- syntax = "proto3";
- package grafeas.v1beta1.vulnerability;
- import "google/protobuf/timestamp.proto";
- import "google/devtools/containeranalysis/v1beta1/common/common.proto";
- import "google/devtools/containeranalysis/v1beta1/cvss/cvss.proto";
- import "google/devtools/containeranalysis/v1beta1/package/package.proto";
- option go_package = "google.golang.org/genproto/googleapis/devtools/containeranalysis/v1beta1/vulnerability;vulnerability";
- option java_multiple_files = true;
- option java_package = "io.grafeas.v1beta1.vulnerability";
- option objc_class_prefix = "GRA";
- // Note provider-assigned severity/impact ranking.
- enum Severity {
- // Unknown.
- SEVERITY_UNSPECIFIED = 0;
- // Minimal severity.
- MINIMAL = 1;
- // Low severity.
- LOW = 2;
- // Medium severity.
- MEDIUM = 3;
- // High severity.
- HIGH = 4;
- // Critical severity.
- CRITICAL = 5;
- }
- // Vulnerability provides metadata about a security vulnerability in a Note.
- message Vulnerability {
- // The CVSS score for this vulnerability.
- float cvss_score = 1;
- // Note provider assigned impact of the vulnerability.
- Severity severity = 2;
- // All information about the package to specifically identify this
- // vulnerability. One entry per (version range and cpe_uri) the package
- // vulnerability has manifested in.
- repeated Detail details = 3;
- // Identifies all appearances of this vulnerability in the package for a
- // specific distro/location. For example: glibc in
- // cpe:/o:debian:debian_linux:8 for versions 2.1 - 2.2
- message Detail {
- // Required. The CPE URI in
- // [cpe format](https://cpe.mitre.org/specification/) in which the
- // vulnerability manifests. Examples include distro or storage location for
- // vulnerable jar.
- string cpe_uri = 1;
- // Required. The name of the package where the vulnerability was found.
- string package = 2;
- // The min version of the package in which the vulnerability exists.
- grafeas.v1beta1.package.Version min_affected_version = 3;
- // The max version of the package in which the vulnerability exists.
- grafeas.v1beta1.package.Version max_affected_version = 4;
- // The severity (eg: distro assigned severity) for this vulnerability.
- string severity_name = 5;
- // A vendor-specific description of this note.
- string description = 6;
- // The fix for this specific package version.
- VulnerabilityLocation fixed_location = 7;
- // The type of package; whether native or non native(ruby gems, node.js
- // packages etc).
- string package_type = 8;
- // Whether this detail is obsolete. Occurrences are expected not to point to
- // obsolete details.
- bool is_obsolete = 9;
- // The time this information was last changed at the source. This is an
- // upstream timestamp from the underlying information source - e.g. Ubuntu
- // security tracker.
- google.protobuf.Timestamp source_update_time = 10;
- }
- // The full description of the CVSSv3.
- CVSSv3 cvss_v3 = 4;
- // Windows details get their own format because the information format and
- // model don't match a normal detail. Specifically Windows updates are done as
- // patches, thus Windows vulnerabilities really are a missing package, rather
- // than a package being at an incorrect version.
- repeated WindowsDetail windows_details = 5;
- message WindowsDetail {
- // Required. The CPE URI in
- // [cpe format](https://cpe.mitre.org/specification/) in which the
- // vulnerability manifests. Examples include distro or storage location for
- // vulnerable jar.
- string cpe_uri = 1;
- // Required. The name of the vulnerability.
- string name = 2;
- // The description of the vulnerability.
- string description = 3;
- // Required. The names of the KBs which have hotfixes to mitigate this
- // vulnerability. Note that there may be multiple hotfixes (and thus
- // multiple KBs) that mitigate a given vulnerability. Currently any listed
- // kb's presence is considered a fix.
- repeated KnowledgeBase fixing_kbs = 4;
- message KnowledgeBase {
- // The KB name (generally of the form KB[0-9]+ i.e. KB123456).
- string name = 1;
- // A link to the KB in the Windows update catalog -
- // https://www.catalog.update.microsoft.com/
- string url = 2;
- }
- }
- // The time this information was last changed at the source. This is an
- // upstream timestamp from the underlying information source - e.g. Ubuntu
- // security tracker.
- google.protobuf.Timestamp source_update_time = 6;
- // Next free ID is 7.
- }
- // Details of a vulnerability Occurrence.
- message Details {
- // The type of package; whether native or non native(ruby gems, node.js
- // packages etc)
- string type = 1;
- // Output only. The note provider assigned Severity of the vulnerability.
- Severity severity = 2;
- // Output only. The CVSS score of this vulnerability. CVSS score is on a
- // scale of 0-10 where 0 indicates low severity and 10 indicates high
- // severity.
- float cvss_score = 3;
- // Required. The set of affected locations and their fixes (if available)
- // within the associated resource.
- repeated PackageIssue package_issue = 4;
- // Output only. A one sentence description of this vulnerability.
- string short_description = 5;
- // Output only. A detailed description of this vulnerability.
- string long_description = 6;
- // Output only. URLs related to this vulnerability.
- repeated grafeas.v1beta1.RelatedUrl related_urls = 7;
- // The distro assigned severity for this vulnerability when it is
- // available, and note provider assigned severity when distro has not yet
- // assigned a severity for this vulnerability.
- Severity effective_severity = 8;
- }
- // This message wraps a location affected by a vulnerability and its
- // associated fix (if one is available).
- message PackageIssue {
- // Required. The location of the vulnerability.
- VulnerabilityLocation affected_location = 1;
- // The location of the available fix for vulnerability.
- VulnerabilityLocation fixed_location = 2;
- // Deprecated, use Details.effective_severity instead
- // The severity (e.g., distro assigned severity) for this vulnerability.
- string severity_name = 3;
- }
- // The location of the vulnerability.
- message VulnerabilityLocation {
- // Required. The CPE URI in [cpe format](https://cpe.mitre.org/specification/)
- // format. Examples include distro or storage location for vulnerable jar.
- string cpe_uri = 1;
- // Required. The package being described.
- string package = 2;
- // Required. The version of the package being described.
- grafeas.v1beta1.package.Version version = 3;
- }