// Copyright 2019 The Grafeas Authors. All rights reserved.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

syntax = "proto3";

package grafeas.v1;

import "google/api/field_behavior.proto";
import "google/protobuf/timestamp.proto";
import "grafeas/v1/common.proto";
import "grafeas/v1/cvss.proto";
import "grafeas/v1/package.proto";
import "grafeas/v1/severity.proto";
import "grafeas/v1/vex.proto";

option go_package = "google.golang.org/genproto/googleapis/grafeas/v1;grafeas";
option java_multiple_files = true;
option java_package = "io.grafeas.v1";
option objc_class_prefix = "GRA";

// A security vulnerability that can be found in resources.
//
// All scalar fields in this message (float, bool, string, enum) are plain
// proto3 fields with implicit presence: a zero, false or empty value is not
// serialized and cannot be told apart from "never set". Message-typed fields
// (cvss_v3, cvss_v2, the Version and Timestamp fields) do carry presence.
// Consumers making risk decisions should therefore prefer the structured CVSS
// messages over the flat cvss_score / severity pair where both are present.
message VulnerabilityNote {
  // The CVSS score of this vulnerability. CVSS score is on a scale of 0 - 10
  // where 0 indicates low severity and 10 indicates high severity.
  //
  // Implicit presence: an unset score reads as 0.0, identical to a genuine
  // minimum score. Check cvss_version and the cvss_v3 / cvss_v2 messages
  // before treating 0 as "no risk".
  float cvss_score = 1;

  // The note provider assigned severity of this vulnerability.
  //
  // An unset value reads as the enum's zero (unspecified) value; policy that
  // gates on severity should treat that as "unknown", not as the lowest tier.
  grafeas.v1.Severity severity = 2;

  // Details of all known distros and packages affected by this vulnerability.
  // Each disjoint affected version interval is carried in its own Detail
  // (see affected_version_start / affected_version_end).
  repeated Detail details = 3;

  // A detail for a distro and package affected by this vulnerability and its
  // associated fix (if one is available).
  message Detail {
    // The distro assigned severity of this vulnerability.
    // Free-form text as assigned by the distro, not a grafeas.v1.Severity.
    string severity_name = 1;

    // A vendor-specific description of this vulnerability.
    string description = 2;

    // The type of package; whether native or non native (e.g., ruby gems,
    // node.js packages, etc.).
    string package_type = 3;

    // Required. The [CPE URI](https://cpe.mitre.org/specification/) this
    // vulnerability affects.
    string affected_cpe_uri = 4;

    // Required. The package this vulnerability affects.
    string affected_package = 5;

    // The version number at the start of an interval in which this
    // vulnerability exists. A vulnerability can affect a package between
    // version numbers that are disjoint sets of intervals (example:
    // [1.0.0-1.1.0], [2.4.6-2.4.8] and [4.5.6-4.6.8]) each of which will be
    // represented in its own Detail. If a specific affected version is provided
    // by a vulnerability database, affected_version_start and
    // affected_version_end will be the same in that Detail.
    grafeas.v1.Version affected_version_start = 6;

    // The version number at the end of an interval in which this vulnerability
    // exists. A vulnerability can affect a package between version numbers
    // that are disjoint sets of intervals (example: [1.0.0-1.1.0],
    // [2.4.6-2.4.8] and [4.5.6-4.6.8]) each of which will be represented in its
    // own Detail. If a specific affected version is provided by a vulnerability
    // database, affected_version_start and affected_version_end will be the
    // same in that Detail.
    grafeas.v1.Version affected_version_end = 7;

    // The distro recommended [CPE URI](https://cpe.mitre.org/specification/)
    // to update to that contains a fix for this vulnerability. It is possible
    // for this to be different from the affected_cpe_uri.
    string fixed_cpe_uri = 8;

    // The distro recommended package to update to that contains a fix for this
    // vulnerability. It is possible for this to be different from the
    // affected_package.
    string fixed_package = 9;

    // The distro recommended version to update to that contains a
    // fix for this vulnerability. Setting this to VersionKind.MAXIMUM means no
    // such version is yet available.
    grafeas.v1.Version fixed_version = 10;

    // Whether this detail is obsolete. Occurrences are expected not to point to
    // obsolete details.
    //
    // Implicit presence: false is also what an unset field reads as, so this
    // flag only positively identifies obsolete details.
    bool is_obsolete = 11;

    // The time this information was last changed at the source. This is an
    // upstream timestamp from the underlying information source - e.g. Ubuntu
    // security tracker.
    google.protobuf.Timestamp source_update_time = 12;

    // The source from which the information in this Detail was obtained.
    string source = 13;

    // The name of the vendor of the product.
    string vendor = 14;
  }

  // The full description of the CVSSv3 for this vulnerability.
  // Message-typed, so presence is explicit: an absent cvss_v3 means no v3
  // vector was supplied, unlike a zero cvss_score.
  CVSSv3 cvss_v3 = 4;

  // Windows details get their own format because the information format and
  // model don't match a normal detail. Specifically Windows updates are done as
  // patches, thus Windows vulnerabilities really are a missing package, rather
  // than a package being at an incorrect version.
  repeated WindowsDetail windows_details = 5;

  // Vulnerability details for a Windows product, expressed as the KB hotfixes
  // that resolve it rather than as a package version interval.
  message WindowsDetail {
    // Required. The [CPE URI](https://cpe.mitre.org/specification/) this
    // vulnerability affects.
    string cpe_uri = 1;

    // Required. The name of this vulnerability.
    string name = 2;

    // The description of this vulnerability.
    string description = 3;

    // Required. The names of the KBs which have hotfixes to mitigate this
    // vulnerability. Note that there may be multiple hotfixes (and thus
    // multiple KBs) that mitigate a given vulnerability. Currently, the
    // presence of any listed KB is considered a fix.
    repeated KnowledgeBase fixing_kbs = 4;

    // A Microsoft Knowledge Base article that ships a hotfix.
    message KnowledgeBase {
      // The KB name (generally of the form KB[0-9]+ (e.g., KB123456)).
      string name = 1;
      // A link to the KB in the [Windows update catalog]
      // (https://www.catalog.update.microsoft.com/).
      // Provider-supplied; validate the scheme/host before rendering it as a
      // clickable link.
      string url = 2;
    }
  }

  // The time this information was last changed at the source. This is an
  // upstream timestamp from the underlying information source - e.g. Ubuntu
  // security tracker.
  google.protobuf.Timestamp source_update_time = 6;

  // CVSS version used to populate cvss_score and severity.
  // An unset value reads as the enum's zero (unspecified) value, in which case
  // the version under which cvss_score was computed is not stated.
  grafeas.v1.CVSSVersion cvss_version = 7;

  // The full description of the v2 CVSS for this vulnerability.
  CVSS cvss_v2 = 8;

  // Next free ID is 9.
}

// An occurrence of a severity vulnerability on a resource.
//
// Fields documented as "Output only." follow the AIP field-behavior
// convention: they are set by the service and are not expected from writers.
// Only PackageIssue.effective_severity carries the machine-readable
// google.api.field_behavior annotation; the rest rely on the comment. The
// flat severity / cvss_score / cvss_version fields mirror the fields of the
// same name on VulnerabilityNote and share their implicit-presence caveats.
message VulnerabilityOccurrence {
  // The type of package; whether native or non native (e.g., ruby gems, node.js
  // packages, etc.).
  //
  // `type` is a keyword in several target languages, so generated accessors
  // may be mangled. Renaming it would change the JSON name of a published
  // field, so it is kept as is.
  string type = 1;

  // Output only. The note provider assigned severity of this vulnerability.
  grafeas.v1.Severity severity = 2;

  // Output only. The CVSS score of this vulnerability. CVSS score is on a
  // scale of 0 - 10 where 0 indicates low severity and 10 indicates high
  // severity.
  // Implicit presence: 0.0 also results from an unset field.
  float cvss_score = 3;

  // The cvss v3 score for the vulnerability.
  //
  // Note the field is named `cvssv3` (not `cvss_v3` as on VulnerabilityNote)
  // and is typed CVSS rather than CVSSv3. The JSON name is part of the
  // published contract, so the inconsistency is kept.
  CVSS cvssv3 = 10;

  // Required. The set of affected locations and their fixes (if available)
  // within the associated resource.
  repeated PackageIssue package_issue = 4;

  // A detail for a distro and package this vulnerability occurrence was found
  // in and its associated fix (if one is available).
  message PackageIssue {
    // Required. The [CPE URI](https://cpe.mitre.org/specification/) this
    // vulnerability was found in.
    string affected_cpe_uri = 1;

    // Required. The package this vulnerability was found in.
    string affected_package = 2;

    // Required. The version of the package that is installed on the resource
    // affected by this vulnerability.
    grafeas.v1.Version affected_version = 3;

    // The [CPE URI](https://cpe.mitre.org/specification/) this vulnerability
    // was fixed in. It is possible for this to be different from the
    // affected_cpe_uri.
    string fixed_cpe_uri = 4;

    // The package this vulnerability was fixed in. It is possible for this to
    // be different from the affected_package.
    string fixed_package = 5;

    // Required. The version of the package this vulnerability was fixed in.
    // Setting this to VersionKind.MAXIMUM means no fix is yet available.
    grafeas.v1.Version fixed_version = 6;

    // Output only. Whether a fix is available for this package.
    //
    // Implicit presence: false also results when the field was never set.
    // Cross-check fixed_version before concluding that no fix exists.
    bool fix_available = 7;

    // The type of package (e.g. OS, MAVEN, GO).
    string package_type = 8;

    // The distro or language system assigned severity for this vulnerability
    // when that is available and note provider assigned severity when it is not
    // available.
    //
    // Carries the OUTPUT_ONLY field_behavior annotation; this is the only
    // field in this file that does so.
    grafeas.v1.Severity effective_severity = 9
        [(google.api.field_behavior) = OUTPUT_ONLY];

    // The location at which this package was found.
    repeated FileLocation file_location = 10;
  }

  // Output only. A one sentence description of this vulnerability.
  string short_description = 5;

  // Output only. A detailed description of this vulnerability.
  string long_description = 6;

  // Output only. URLs related to this vulnerability.
  // Provider-supplied links; validate before rendering them as clickable.
  repeated grafeas.v1.RelatedUrl related_urls = 7;

  // The distro assigned severity for this vulnerability when it is available,
  // otherwise this is the note provider assigned severity.
  //
  // When there are multiple PackageIssues for this vulnerability, they can have
  // different effective severities because some might be provided by the distro
  // while others are provided by the language ecosystem for a language pack.
  // For this reason, it is advised to use the effective severity on the
  // PackageIssue level. In the case where multiple PackageIssues have differing
  // effective severities, this field should be the highest severity for any of
  // the PackageIssues.
  grafeas.v1.Severity effective_severity = 8;

  // Output only. Whether at least one of the affected packages has a fix
  // available.
  // Implicit presence: false also results from an unset field; see
  // PackageIssue.fix_available for the per-package value.
  bool fix_available = 9;

  // Output only. CVSS version used to populate cvss_score and severity.
  grafeas.v1.CVSSVersion cvss_version = 11;

  // The cvss v2 score for the vulnerability.
  CVSS cvss_v2 = 12;

  // VexAssessment provides all publisher provided Vex information that is
  // related to this vulnerability.
  message VexAssessment {
    // Holds the MITRE standard Common Vulnerabilities and Exposures (CVE)
    // tracking number for the vulnerability.
    string cve = 1;

    // Holds a list of references associated with this vulnerability item and
    // assessment.
    // Named `related_uris` here versus `related_urls` on the enclosing
    // message; both names are part of the published contract.
    repeated grafeas.v1.RelatedUrl related_uris = 2;

    // The VulnerabilityAssessment note from which this VexAssessment was
    // generated.
    // This will be of the form: `projects/[PROJECT_ID]/notes/[NOTE_ID]`.
    // (-- api-linter: core::0122::name-suffix=disabled
    //     aip.dev/not-precedent: The suffix is kept for consistency. --)
    string note_name = 3;

    // Provides the state of this Vulnerability assessment.
    //
    // Consumers that suppress findings on a NOT_AFFECTED state should also
    // check that justification (field 7) is populated; an unset enum reads as
    // its zero (unspecified) value.
    grafeas.v1.VulnerabilityAssessmentNote.Assessment.State state = 4;

    // Contains information about the impact of this vulnerability,
    // this will change with time.
    repeated string impacts = 5;

    // Specifies details on how to handle (and presumably, fix) a vulnerability.
    repeated grafeas.v1.VulnerabilityAssessmentNote.Assessment.Remediation
        remediations = 6;

    // Justification provides the justification when the state of the
    // assessment is NOT_AFFECTED.
    grafeas.v1.VulnerabilityAssessmentNote.Assessment.Justification
        justification = 7;

    // Next ID: 8
  }

  // Publisher-provided VEX assessment for this vulnerability, if any was
  // attached. Message-typed, so absence is distinguishable from an empty
  // assessment.
  VexAssessment vex_assessment = 13;

  // Next free ID is 14.
}