1// Copyright 2023 Google LLC
2//
3// Licensed under the Apache License, Version 2.0 (the "License");
4// you may not use this file except in compliance with the License.
5// You may obtain a copy of the License at
6//
7//     http://www.apache.org/licenses/LICENSE-2.0
8//
9// Unless required by applicable law or agreed to in writing, software
10// distributed under the License is distributed on an "AS IS" BASIS,
11// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12// See the License for the specific language governing permissions and
13// limitations under the License.
14
15syntax = "proto3";
16
17package google.cloud.securitycenter.v2;
18
19import "google/protobuf/timestamp.proto";
20
21option csharp_namespace = "Google.Cloud.SecurityCenter.V2";
22option go_package = "cloud.google.com/go/securitycenter/apiv2/securitycenterpb;securitycenterpb";
23option java_multiple_files = true;
24option java_outer_classname = "VulnerabilityProto";
25option java_package = "com.google.cloud.securitycenter.v2";
26option php_namespace = "Google\\Cloud\\SecurityCenter\\V2";
27option ruby_package = "Google::Cloud::SecurityCenter::V2";
28
// Common vulnerability fields shared by findings: the CVE record, the package
// the vulnerability was detected in, the package that fixes it, and (for
// Google products) the security bulletin. Note that despite the "cwe" in the
// upstream description there is no CWE field in this message.
//
// Every field here is a sub-message, so each has explicit presence: an absent
// sub-message means the producer supplied no data, not a "none"/"no" value.
message Vulnerability {
  // CVE stands for Common Vulnerabilities and Exposures
  // (https://cve.mitre.org/about/). Carries the CVE id, references, CVSS v3
  // metrics and exploitation/impact assessments for this finding.
  Cve cve = 1;

  // The package in which the vulnerability was detected (see Package).
  Package offending_package = 2;

  // The package (name/version) that remediates the vulnerability. Compare
  // against `offending_package` when deciding whether an upgrade is available;
  // absent presumably means no fix is recorded for this finding — confirm
  // with the producer before treating absence as "no fix exists".
  Package fixed_package = 3;

  // The security bulletin relevant to this finding, for Google products
  // (see SecurityBulletin).
  SecurityBulletin security_bulletin = 4;
}
44
// CVE stands for Common Vulnerabilities and Exposures.
// Information from the [CVE
// record](https://www.cve.org/ResourcesSupport/Glossary) that describes this
// vulnerability.
//
// NOTE(review): the scalar fields below (bools and enums) use proto3 implicit
// presence. A `false` bool or an `*_UNSPECIFIED` enum is indistinguishable
// from "never populated", so consumers must treat those defaults as
// "unknown / not assessed", never as a negative assessment.
message Cve {
  // The possible values of impact of the vulnerability if it was to be
  // exploited. Numeric values happen to increase with severity (LOW = 1 ...
  // CRITICAL = 4), but compare by name rather than by integer; the zero value
  // means "no rating", not a low one.
  enum RiskRating {
    // Invalid or empty value. Also the default when the field is unset.
    RISK_RATING_UNSPECIFIED = 0;

    // Exploitation would have little to no security impact.
    LOW = 1;

    // Exploitation would enable attackers to perform activities, or could allow
    // attackers to have a direct impact, but would require additional steps.
    MEDIUM = 2;

    // Exploitation would enable attackers to have a notable direct impact
    // without needing to overcome any major mitigating factors.
    HIGH = 3;

    // Exploitation would fundamentally undermine the security of affected
    // systems, enable actors to perform significant attacks with minimal
    // effort, with little to no mitigating factors to overcome.
    CRITICAL = 4;
  }

  // The possible values of exploitation activity of the vulnerability in the
  // wild. Numeric values run from MOST to LEAST severe (WIDE = 1 ...
  // NO_KNOWN = 5), the opposite direction of RiskRating; never sort or
  // threshold on the integer value.
  enum ExploitationActivity {
    // Invalid or empty value. Also the default when the field is unset.
    EXPLOITATION_ACTIVITY_UNSPECIFIED = 0;

    // Exploitation has been reported or confirmed to widely occur.
    WIDE = 1;

    // Limited reported or confirmed exploitation activities.
    CONFIRMED = 2;

    // Exploit is publicly available.
    AVAILABLE = 3;

    // No known exploitation activity, but has a high potential for
    // exploitation.
    ANTICIPATED = 4;

    // No known exploitation activity.
    NO_KNOWN = 5;
  }

  // The unique identifier for the vulnerability. e.g. CVE-2021-34527
  // Presumably always in the CVE-YYYY-NNNN+ form shown; validate the format
  // before interpolating it into lookup URLs or queries.
  string id = 1;

  // Additional information about the CVE.
  // e.g. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34527
  // The URIs originate from upstream feeds; treat them as untrusted input
  // when rendering or following them.
  repeated Reference references = 2;

  // Describe Common Vulnerability Scoring System specified at
  // https://www.first.org/cvss/v3.1/specification-document
  // Only the CVSS v3 base score and base metrics are carried (see Cvssv3);
  // there is no temporal/environmental data and no CVSS v2 or v4 field.
  Cvssv3 cvssv3 = 3;

  // Whether upstream fix is available for the CVE.
  // Implicit presence: `false` also means "not populated", so it cannot be
  // read as a positive statement that no fix exists.
  bool upstream_fix_available = 4;

  // The potential impact of the vulnerability if it was to be exploited.
  // RISK_RATING_UNSPECIFIED when unset — do not default this to LOW.
  RiskRating impact = 5;

  // The exploitation activity of the vulnerability in the wild.
  // EXPLOITATION_ACTIVITY_UNSPECIFIED when unset.
  ExploitationActivity exploitation_activity = 6;

  // Whether or not the vulnerability has been observed in the wild.
  // NOTE(review): overlaps with `exploitation_activity`; the schema does not
  // define how the two relate, so confirm with the producer before relying on
  // one to imply the other. `false` may simply mean "unknown".
  bool observed_in_the_wild = 7;

  // Whether or not the vulnerability was zero day when the finding was
  // published. This is evaluated at publication time, so it presumably does
  // not change as fixes later become available — verify before using it as a
  // current-state signal.
  bool zero_day = 8;
}
123
// An external link that gives additional information about a CVE.
// Both fields are free-form strings supplied by the upstream data source;
// consumers that render or follow the link should treat them as untrusted.
message Reference {
  // Source of the reference e.g. NVD
  string source = 1;

  // Uri for the mentioned source e.g.
  // https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34527.
  // Not validated by the schema; check the scheme/host before following it.
  string uri = 2;
}
133
// Common Vulnerability Scoring System version 3.
// Holds the base score and the eight CVSS v3 base metrics (the "AV/AC/PR/UI/
// S/C/I/A" vector components). Temporal and environmental metrics are not
// represented.
//
// NOTE(review): the enum integer values below follow the order the metrics
// are listed in the CVSS spec, not a severity order (e.g. IMPACT_HIGH = 1 and
// IMPACT_NONE = 3). Compare by name; never rank findings by these integers.
// Every field has proto3 implicit presence, so a 0.0 score or an
// `*_UNSPECIFIED` enum means "not populated" rather than a real value.
message Cvssv3 {
  // This metric reflects the context by which vulnerability exploitation is
  // possible. (CVSS "AV".)
  enum AttackVector {
    // Invalid value (also the unset default).
    ATTACK_VECTOR_UNSPECIFIED = 0;

    // The vulnerable component is bound to the network stack and the set of
    // possible attackers extends beyond the other options listed below, up to
    // and including the entire Internet.
    ATTACK_VECTOR_NETWORK = 1;

    // The vulnerable component is bound to the network stack, but the attack is
    // limited at the protocol level to a logically adjacent topology.
    ATTACK_VECTOR_ADJACENT = 2;

    // The vulnerable component is not bound to the network stack and the
    // attacker's path is via read/write/execute capabilities.
    ATTACK_VECTOR_LOCAL = 3;

    // The attack requires the attacker to physically touch or manipulate the
    // vulnerable component.
    ATTACK_VECTOR_PHYSICAL = 4;
  }

  // This metric describes the conditions beyond the attacker's control that
  // must exist in order to exploit the vulnerability. (CVSS "AC".)
  enum AttackComplexity {
    // Invalid value (also the unset default).
    ATTACK_COMPLEXITY_UNSPECIFIED = 0;

    // Specialized access conditions or extenuating circumstances do not exist.
    // An attacker can expect repeatable success when attacking the vulnerable
    // component.
    ATTACK_COMPLEXITY_LOW = 1;

    // A successful attack depends on conditions beyond the attacker's control.
    // That is, a successful attack cannot be accomplished at will, but requires
    // the attacker to invest in some measurable amount of effort in preparation
    // or execution against the vulnerable component before a successful attack
    // can be expected.
    ATTACK_COMPLEXITY_HIGH = 2;
  }

  // This metric describes the level of privileges an attacker must possess
  // before successfully exploiting the vulnerability. (CVSS "PR".)
  enum PrivilegesRequired {
    // Invalid value (also the unset default).
    PRIVILEGES_REQUIRED_UNSPECIFIED = 0;

    // The attacker is unauthorized prior to attack, and therefore does not
    // require any access to settings or files of the vulnerable system to
    // carry out an attack.
    PRIVILEGES_REQUIRED_NONE = 1;

    // The attacker requires privileges that provide basic user capabilities
    // that could normally affect only settings and files owned by a user.
    // Alternatively, an attacker with Low privileges has the ability to access
    // only non-sensitive resources.
    PRIVILEGES_REQUIRED_LOW = 2;

    // The attacker requires privileges that provide significant (e.g.,
    // administrative) control over the vulnerable component allowing access to
    // component-wide settings and files.
    PRIVILEGES_REQUIRED_HIGH = 3;
  }

  // This metric captures the requirement for a human user, other than the
  // attacker, to participate in the successful compromise of the vulnerable
  // component. (CVSS "UI".)
  enum UserInteraction {
    // Invalid value (also the unset default).
    USER_INTERACTION_UNSPECIFIED = 0;

    // The vulnerable system can be exploited without interaction from any user.
    USER_INTERACTION_NONE = 1;

    // Successful exploitation of this vulnerability requires a user to take
    // some action before the vulnerability can be exploited.
    USER_INTERACTION_REQUIRED = 2;
  }

  // The Scope metric captures whether a vulnerability in one vulnerable
  // component impacts resources in components beyond its security scope.
  // (CVSS "S".)
  enum Scope {
    // Invalid value (also the unset default).
    SCOPE_UNSPECIFIED = 0;

    // An exploited vulnerability can only affect resources managed by the same
    // security authority.
    SCOPE_UNCHANGED = 1;

    // An exploited vulnerability can affect resources beyond the security scope
    // managed by the security authority of the vulnerable component.
    SCOPE_CHANGED = 2;
  }

  // The Impact metrics capture the effects of a successfully exploited
  // vulnerability on the component that suffers the worst outcome that is most
  // directly and predictably associated with the attack.
  // Shared by the C/I/A fields below. Note the integer values are NOT ordered
  // by severity: HIGH = 1, LOW = 2, NONE = 3.
  enum Impact {
    // Invalid value (also the unset default).
    IMPACT_UNSPECIFIED = 0;

    // High impact.
    IMPACT_HIGH = 1;

    // Low impact.
    IMPACT_LOW = 2;

    // No impact.
    IMPACT_NONE = 3;
  }

  // The base score is a function of the base metric scores.
  // Implicit presence: 0.0 is indistinguishable from "no score". Check the
  // metric enums (or presence of the enclosing Cvssv3 message) before
  // treating 0.0 as a real score. NOTE(review): nothing in the schema ties
  // this value to the metrics below; recompute per the spec if consistency
  // between score and vector matters to you.
  double base_score = 1;

  // Base Metrics
  // Represents the intrinsic characteristics of a vulnerability that are
  // constant over time and across user environments.
  // This metric reflects the context by which vulnerability exploitation is
  // possible.
  AttackVector attack_vector = 2;

  // This metric describes the conditions beyond the attacker's control that
  // must exist in order to exploit the vulnerability.
  AttackComplexity attack_complexity = 3;

  // This metric describes the level of privileges an attacker must possess
  // before successfully exploiting the vulnerability.
  PrivilegesRequired privileges_required = 4;

  // This metric captures the requirement for a human user, other than the
  // attacker, to participate in the successful compromise of the vulnerable
  // component.
  UserInteraction user_interaction = 5;

  // The Scope metric captures whether a vulnerability in one vulnerable
  // component impacts resources in components beyond its security scope.
  Scope scope = 6;

  // This metric measures the impact to the confidentiality of the information
  // resources managed by a software component due to a successfully exploited
  // vulnerability. (CVSS "C".)
  Impact confidentiality_impact = 7;

  // This metric measures the impact to integrity of a successfully exploited
  // vulnerability. (CVSS "I".)
  Impact integrity_impact = 8;

  // This metric measures the impact to the availability of the impacted
  // component resulting from a successfully exploited vulnerability.
  // (CVSS "A".)
  Impact availability_impact = 9;
}
289
// Package is a generic definition of a package.
// Used for both the offending and the fixed package on a Vulnerability. All
// fields are free-form strings with implicit presence; an empty string means
// "not provided".
message Package {
  // The name of the package where the vulnerability was detected.
  string package_name = 1;

  // The CPE URI where the vulnerability was detected.
  // Presumably a CPE name string per the NIST CPE naming spec; parse it with a
  // CPE-aware matcher rather than comparing substrings — TODO confirm
  // whether 2.2 (URI) or 2.3 (formatted string) binding is used.
  string cpe_uri = 2;

  // Type of package, for example, os, maven, or go.
  // An open vocabulary (string, not an enum): expect values beyond the
  // examples listed and do not treat unknown types as errors.
  string package_type = 3;

  // The version of the package. Format is ecosystem-specific (see
  // `package_type`); compare with an ecosystem-aware version comparator, not
  // lexically.
  string package_version = 4;
}
304
// SecurityBulletin are notifications of vulnerabilities of Google products.
// Attached to a Vulnerability when the finding maps to a published bulletin.
message SecurityBulletin {
  // ID of the bulletin corresponding to the vulnerability.
  string bulletin_id = 1;

  // Submission time of this Security Bulletin.
  // Absent (not the zero Timestamp) when the producer did not supply it,
  // since message-typed fields have explicit presence.
  google.protobuf.Timestamp submission_time = 2;

  // This represents a version that the cluster receiving this notification
  // should be upgraded to, based on its current version. For example, 1.15.0
  // It is a plain string; compare it as a version, not lexically, and treat an
  // empty string as "no suggestion".
  string suggested_upgrade_version = 3;
}
317