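// Copyright 2022 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

syntax = "proto3";

package google.cloud.websecurityscanner.v1;

import "google/api/field_behavior.proto";
import "google/api/resource.proto";
import "google/cloud/websecurityscanner/v1/finding_addon.proto";

option csharp_namespace = "Google.Cloud.WebSecurityScanner.V1";
option go_package = "cloud.google.com/go/websecurityscanner/apiv1/websecurityscannerpb;websecurityscannerpb";
option java_multiple_files = true;
option java_outer_classname = "FindingProto";
option java_package = "com.google.cloud.websecurityscanner.v1";
option php_namespace = "Google\\Cloud\\WebSecurityScanner\\V1";
option ruby_package = "Google::Cloud::WebSecurityScanner::V1";

// A Finding resource represents a vulnerability instance identified during a
// ScanRun.
//
// All fields are output only: they are populated by the scanner and clients
// only read them. Each field is annotated with
// `(google.api.field_behavior) = OUTPUT_ONLY` so that linters, documentation
// generators and client generators see the same contract the comments state
// (previously only `severity` and `xxe` carried the annotation).
//
// Several fields (`fuzzed_url`, `body`, `reproduction_url`, `frame_url`,
// `final_url`) carry the request data the scanner used to trigger the
// finding. Consumers that render or log them should treat them as untrusted
// input and escape/encode them for the target context.
message Finding {
  option (google.api.resource) = {
    type: "websecurityscanner.googleapis.com/Finding"
    pattern: "projects/{project}/scanConfigs/{scan_config}/scanRuns/{scan_run}/findings/{finding}"
  };

  // The severity level of a vulnerability.
  //
  // NOTE(review): the values are not prefixed with the enum name, contrary to
  // the usual convention. They are part of the published v1 API and renaming
  // them would be a source-breaking change, so they are kept as-is.
  enum Severity {
    // No severity specified. The default value.
    SEVERITY_UNSPECIFIED = 0;

    // Critical severity.
    CRITICAL = 1;

    // High severity.
    HIGH = 2;

    // Medium severity.
    MEDIUM = 3;

    // Low severity.
    LOW = 4;
  }

  // Output only. The resource name of the Finding.
  // The name follows the format of
  // 'projects/{projectId}/scanConfigs/{scanConfigId}/scanRuns/{scanRunId}/findings/{findingId}'
  // (see the resource pattern above).
  // The finding IDs are generated by the system.
  string name = 1 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The type of the Finding.
  // Detailed and up-to-date information on findings can be found here:
  // https://cloud.google.com/security-command-center/docs/how-to-remediate-web-security-scanner-findings
  string finding_type = 2 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The severity level of the reported vulnerability.
  Severity severity = 17 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The http method of the request that triggered the
  // vulnerability, in uppercase.
  string http_method = 3 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The URL produced by the server-side fuzzer and used in the
  // request that triggered the vulnerability.
  string fuzzed_url = 4 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The body of the request that triggered the vulnerability.
  string body = 5 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The description of the vulnerability.
  string description = 6 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The URL containing human-readable payload that user can
  // leverage to reproduce the vulnerability.
  string reproduction_url = 7 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. If the vulnerability was originated from nested IFrame, the
  // immediate parent IFrame is reported.
  string frame_url = 8 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The URL where the browser lands when the vulnerability is
  // detected.
  string final_url = 9 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The tracking ID uniquely identifies a vulnerability instance
  // across multiple ScanRuns.
  string tracking_id = 10 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. An addon containing information reported for a vulnerability
  // with an HTML form, if any.
  Form form = 16 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. An addon containing information about outdated libraries.
  OutdatedLibrary outdated_library = 11
      [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. An addon containing detailed information regarding any
  // resource causing the vulnerability such as JavaScript sources, image,
  // audio files, etc.
  ViolatingResource violating_resource = 12
      [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. An addon containing information about vulnerable or missing
  // HTTP headers.
  VulnerableHeaders vulnerable_headers = 15
      [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. An addon containing information about request parameters
  // which were found to be vulnerable.
  VulnerableParameters vulnerable_parameters = 13
      [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. An addon containing information reported for an XSS, if any.
  Xss xss = 14 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. An addon containing information reported for an XXE, if any.
  Xxe xxe = 18 [(google.api.field_behavior) = OUTPUT_ONLY];
}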