// Copyright 2021 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//      http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

syntax = "proto3";

package google.cloud.osconfig.v1;

import "google/api/field_behavior.proto";
import "google/api/resource.proto";
import "google/protobuf/timestamp.proto";

option csharp_namespace = "Google.Cloud.OsConfig.V1";
option go_package = "cloud.google.com/go/osconfig/apiv1/osconfigpb;osconfigpb";
option java_multiple_files = true;
option java_outer_classname = "VulnerabilityProto";
option java_package = "com.google.cloud.osconfig.v1";
option php_namespace = "Google\\Cloud\\OsConfig\\V1";
option ruby_package = "Google::Cloud::OsConfig::V1";

// This API resource represents the vulnerability report for a specified
// Compute Engine virtual machine (VM) instance at a given point in time.
//
// The report is a point-in-time snapshot: `update_time` records when it was
// last generated, and the inventory item IDs it references only match the
// VM's inventory if the report was generated after the inventory was last
// updated (see `Vulnerability.Item`). Consumers that act on inventory item
// IDs should check that ordering first.
//
// For more information, see [Vulnerability
// reports](https://cloud.google.com/compute/docs/instances/os-inventory-management#vulnerability-reports).
message VulnerabilityReport {
  option (google.api.resource) = {
    type: "osconfig.googleapis.com/VulnerabilityReport"
    pattern: "projects/{project}/locations/{location}/instances/{instance}/vulnerabilityReport"
  };

  // A vulnerability affecting the VM instance.
  message Vulnerability {
    // Contains metadata information for the vulnerability. This information is
    // collected from the upstream feed of the operating system.
    //
    // Because the values originate from a third-party feed, treat them as
    // data rather than trusted input: validate `cve` against the expected
    // identifier format before using it as a lookup key, and apply normal
    // output encoding before rendering `description` or `Reference.url`.
    message Details {
      // A reference for this vulnerability.
      message Reference {
        // The url of the reference. Supplied verbatim by the upstream feed;
        // validate the scheme before presenting it as a clickable link.
        string url = 1;

        // The source of the reference e.g. NVD.
        string source = 2;
      }

      // The CVE of the vulnerability. CVE cannot be
      // empty and the combination of <cve, classification> should be unique
      // across vulnerabilities for a VM.
      string cve = 1;

      // The CVSS V2 score of this vulnerability. CVSS V2 score is on a scale of
      // 0 - 10 where 0 indicates low severity and 10 indicates high severity.
      //
      // NOTE: proto3 scalars have no presence, so a value of 0 is
      // indistinguishable from "no CVSS V2 score available". Do not treat 0
      // as a confirmed low-severity rating.
      float cvss_v2_score = 2;

      // The full description of the CVSSv3 for this vulnerability from NVD.
      // Unlike `cvss_v2_score`, this is a message field and therefore has
      // explicit presence: when it is unset, no CVSSv3 data was available.
      CVSSv3 cvss_v3 = 3;

      // Assigned severity/impact ranking from the distro. This is the
      // distro's own vocabulary and is not normalized across operating
      // systems; do not compare it between VMs running different distros or
      // use it in place of the CVSS scores.
      string severity = 4;

      // The note or description describing the vulnerability from the distro.
      string description = 5;

      // Corresponds to the references attached to this `Details` message.
      repeated Reference references = 6;
    }

    // OS inventory item that is affected by a vulnerability or fixed as a
    // result of a vulnerability.
    //
    // This is the replacement for the deprecated
    // `installed_inventory_item_ids` / `available_inventory_item_ids` fields on
    // `Vulnerability`: it keeps each affected item together with its fix.
    message Item {
      // Corresponds to the `INSTALLED_PACKAGE` inventory item on the VM.
      // This field displays the inventory items affected by this vulnerability.
      // If the vulnerability report was not updated after the VM inventory
      // update, these values might not display in VM inventory. For some
      // operating systems, this field might be empty.
      string installed_inventory_item_id = 1;

      // Corresponds to the `AVAILABLE_PACKAGE` inventory item on the VM.
      // If the vulnerability report was not updated after the VM inventory
      // update, these values might not display in VM inventory. If there is no
      // available fix, the field is empty. The `inventory_item` value specifies
      // the latest `SoftwarePackage` available to the VM that fixes the
      // vulnerability.
      string available_inventory_item_id = 2;

      // The recommended [CPE URI](https://cpe.mitre.org/specification/) update
      // that contains a fix for this vulnerability.
      string fixed_cpe_uri = 3;

      // The upstream OS patch, packages or KB that fixes the vulnerability.
      // Free-form text whose form depends on the operating system.
      string upstream_fix = 4;
    }

    // Contains metadata as per the upstream feed of the operating system and
    // NVD.
    Details details = 1;

    // Deprecated: superseded by `items`, where each
    // `Item.installed_inventory_item_id` carries the same value together with
    // its fix. Retained for wire compatibility only.
    //
    // Corresponds to the `INSTALLED_PACKAGE` inventory item on the VM.
    // This field displays the inventory items affected by this vulnerability.
    // If the vulnerability report was not updated after the VM inventory
    // update, these values might not display in VM inventory. For some distros,
    // this field may be empty.
    repeated string installed_inventory_item_ids = 2 [deprecated = true];

    // Deprecated: superseded by `items`, where each
    // `Item.available_inventory_item_id` carries the same value together with
    // the affected item. Retained for wire compatibility only.
    //
    // Corresponds to the `AVAILABLE_PACKAGE` inventory item on the VM.
    // If the vulnerability report was not updated after the VM inventory
    // update, these values might not display in VM inventory. If there is no
    // available fix, the field is empty. The `inventory_item` value specifies
    // the latest `SoftwarePackage` available to the VM that fixes the
    // vulnerability.
    repeated string available_inventory_item_ids = 3 [deprecated = true];

    // The timestamp for when the vulnerability was first detected.
    google.protobuf.Timestamp create_time = 4;

    // The timestamp for when the vulnerability was last modified.
    google.protobuf.Timestamp update_time = 5;

    // List of items affected by the vulnerability.
    repeated Item items = 6;
  }

  // Output only. The `vulnerabilityReport` API resource name.
  //
  // Format:
  // `projects/{project_number}/locations/{location}/instances/{instance_id}/vulnerabilityReport`
  string name = 1 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. List of vulnerabilities affecting the VM.
  repeated Vulnerability vulnerabilities = 2 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The timestamp for when the last vulnerability report was generated for the
  // VM.
  //
  // Compare this against the time the VM inventory was last updated before
  // relying on the inventory item IDs in `vulnerabilities`; an older report
  // may reference items that no longer match the inventory.
  google.protobuf.Timestamp update_time = 3 [(google.api.field_behavior) = OUTPUT_ONLY];
}

// A request message for getting the vulnerability report for the specified VM.
message GetVulnerabilityReportRequest {
  // Required. API resource name for vulnerability resource.
  //
  // Format:
  // `projects/{project}/locations/{location}/instances/{instance}/vulnerabilityReport`
  //
  // For `{project}`, either `project-number` or `project-id` can be provided.
  // For `{instance}`, either Compute Engine `instance-id` or `instance-name`
  // can be provided.
  string name = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "osconfig.googleapis.com/VulnerabilityReport"
    }
  ];
}

// A request message for listing vulnerability reports for all VM instances in
// the specified location.
message ListVulnerabilityReportsRequest {
  // Required. The parent resource name.
  //
  // Format: `projects/{project}/locations/{location}/instances/-`
  //
  // The `-` in the instance segment selects all instances in the location.
  // For `{project}`, either `project-number` or `project-id` can be provided.
  string parent = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "compute.googleapis.com/Instance"
    }
  ];

  // The maximum number of results to return. The server may return fewer.
  int32 page_size = 2;

  // A pagination token returned from a previous call to
  // `ListVulnerabilityReports` that indicates where this listing
  // should continue from. Treat the token as opaque and pass it back
  // unchanged.
  string page_token = 3;

  // If provided, this field specifies the criteria that must be met by a
  // `vulnerabilityReport` API resource to be included in the response.
  string filter = 4;
}

// A response message for listing vulnerability reports for all VM instances in
// the specified location.
message ListVulnerabilityReportsResponse {
  // List of vulnerabilityReport objects.
  repeated VulnerabilityReport vulnerability_reports = 1;

  // The pagination token to retrieve the next page of vulnerabilityReports
  // object. Expected to be empty once the listing is exhausted.
  string next_page_token = 2;
}

// Common Vulnerability Scoring System version 3.
// For details, see https://www.first.org/cvss/specification-document
//
// These are the CVSS v3 base metrics and scores as reported by NVD (see
// `VulnerabilityReport.Vulnerability.Details.cvss_v3`). Every enum field
// defaults to its `*_UNSPECIFIED` value when the metric was not supplied, and
// proto3 preserves enum values this schema does not yet define; a consumer
// that maps these metrics to a rating must handle both cases explicitly
// rather than treating them as a real rating.
message CVSSv3 {
  // This metric reflects the context by which vulnerability exploitation is
  // possible.
  enum AttackVector {
    // Invalid value. Also the default when the metric was not provided.
    ATTACK_VECTOR_UNSPECIFIED = 0;

    // The vulnerable component is bound to the network stack and the set of
    // possible attackers extends beyond the other options listed below, up to
    // and including the entire Internet.
    ATTACK_VECTOR_NETWORK = 1;

    // The vulnerable component is bound to the network stack, but the attack is
    // limited at the protocol level to a logically adjacent topology.
    ATTACK_VECTOR_ADJACENT = 2;

    // The vulnerable component is not bound to the network stack and the
    // attacker's path is via read/write/execute capabilities.
    ATTACK_VECTOR_LOCAL = 3;

    // The attack requires the attacker to physically touch or manipulate the
    // vulnerable component.
    ATTACK_VECTOR_PHYSICAL = 4;
  }

  // This metric describes the conditions beyond the attacker's control that
  // must exist in order to exploit the vulnerability.
  enum AttackComplexity {
    // Invalid value. Also the default when the metric was not provided.
    ATTACK_COMPLEXITY_UNSPECIFIED = 0;

    // Specialized access conditions or extenuating circumstances do not exist.
    // An attacker can expect repeatable success when attacking the vulnerable
    // component.
    ATTACK_COMPLEXITY_LOW = 1;

    // A successful attack depends on conditions beyond the attacker's control.
    // That is, a successful attack cannot be accomplished at will, but requires
    // the attacker to invest in some measurable amount of effort in preparation
    // or execution against the vulnerable component before a successful attack
    // can be expected.
    ATTACK_COMPLEXITY_HIGH = 2;
  }

  // This metric describes the level of privileges an attacker must possess
  // before successfully exploiting the vulnerability.
  enum PrivilegesRequired {
    // Invalid value. Also the default when the metric was not provided.
    PRIVILEGES_REQUIRED_UNSPECIFIED = 0;

    // The attacker is unauthorized prior to attack, and therefore does not
    // require any access to settings or files of the vulnerable system to
    // carry out an attack.
    PRIVILEGES_REQUIRED_NONE = 1;

    // The attacker requires privileges that provide basic user capabilities
    // that could normally affect only settings and files owned by a user.
    // Alternatively, an attacker with Low privileges has the ability to access
    // only non-sensitive resources.
    PRIVILEGES_REQUIRED_LOW = 2;

    // The attacker requires privileges that provide significant (e.g.,
    // administrative) control over the vulnerable component allowing access to
    // component-wide settings and files.
    PRIVILEGES_REQUIRED_HIGH = 3;
  }

  // This metric captures the requirement for a human user, other than the
  // attacker, to participate in the successful compromise of the vulnerable
  // component.
  enum UserInteraction {
    // Invalid value. Also the default when the metric was not provided.
    USER_INTERACTION_UNSPECIFIED = 0;

    // The vulnerable system can be exploited without interaction from any user.
    USER_INTERACTION_NONE = 1;

    // Successful exploitation of this vulnerability requires a user to take
    // some action before the vulnerability can be exploited.
    USER_INTERACTION_REQUIRED = 2;
  }

  // The Scope metric captures whether a vulnerability in one vulnerable
  // component impacts resources in components beyond its security scope.
  enum Scope {
    // Invalid value. Also the default when the metric was not provided.
    SCOPE_UNSPECIFIED = 0;

    // An exploited vulnerability can only affect resources managed by the same
    // security authority.
    SCOPE_UNCHANGED = 1;

    // An exploited vulnerability can affect resources beyond the security scope
    // managed by the security authority of the vulnerable component.
    SCOPE_CHANGED = 2;
  }

  // The Impact metrics capture the effects of a successfully exploited
  // vulnerability on the component that suffers the worst outcome that is most
  // directly and predictably associated with the attack.
  //
  // NOTE: the numeric values do not follow severity order
  // (`IMPACT_HIGH = 1`, `IMPACT_LOW = 2`, `IMPACT_NONE = 3`). Never order,
  // compare or threshold these values arithmetically; map them explicitly.
  enum Impact {
    // Invalid value. Also the default when the metric was not provided.
    IMPACT_UNSPECIFIED = 0;

    // High impact.
    IMPACT_HIGH = 1;

    // Low impact.
    IMPACT_LOW = 2;

    // No impact.
    IMPACT_NONE = 3;
  }

  // The base score is a function of the base metric scores.
  // https://www.first.org/cvss/specification-document#Base-Metrics
  //
  // proto3 scalars have no presence, so 0 may be either a genuine 0.0 score
  // or a score that was not available; check that the enclosing `cvss_v3`
  // field is set before interpreting a 0 here or in the sub-scores below.
  float base_score = 1;

  // The Exploitability sub-score equation is derived from the Base
  // Exploitability metrics.
  // https://www.first.org/cvss/specification-document#2-1-Exploitability-Metrics
  float exploitability_score = 2;

  // The Impact sub-score equation is derived from the Base Impact metrics.
  float impact_score = 3;

  // Field number 4 is not assigned in this message. Before assigning it to a
  // new field, confirm it was never used on the wire; if it was, add
  // `reserved 4;` instead so old data is not silently reinterpreted.

  // This metric reflects the context by which vulnerability exploitation is
  // possible.
  AttackVector attack_vector = 5;

  // This metric describes the conditions beyond the attacker's control that
  // must exist in order to exploit the vulnerability.
  AttackComplexity attack_complexity = 6;

  // This metric describes the level of privileges an attacker must possess
  // before successfully exploiting the vulnerability.
  PrivilegesRequired privileges_required = 7;

  // This metric captures the requirement for a human user, other than the
  // attacker, to participate in the successful compromise of the vulnerable
  // component.
  UserInteraction user_interaction = 8;

  // The Scope metric captures whether a vulnerability in one vulnerable
  // component impacts resources in components beyond its security scope.
  Scope scope = 9;

  // This metric measures the impact to the confidentiality of the information
  // resources managed by a software component due to a successfully exploited
  // vulnerability.
  Impact confidentiality_impact = 10;

  // This metric measures the impact to integrity of a successfully exploited
  // vulnerability.
  Impact integrity_impact = 11;

  // This metric measures the impact to the availability of the impacted
  // component resulting from a successfully exploited vulnerability.
  Impact availability_impact = 12;
}