// Copyright 2019 Google LLC.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
//

syntax = "proto3";

package google.cloud.websecurityscanner.v1beta;

import "google/api/resource.proto";
import "google/cloud/websecurityscanner/v1beta/finding_addon.proto";

option csharp_namespace = "Google.Cloud.WebSecurityScanner.V1Beta";
option go_package = "cloud.google.com/go/websecurityscanner/apiv1beta/websecurityscannerpb;websecurityscannerpb";
option java_multiple_files = true;
option java_outer_classname = "FindingProto";
option java_package = "com.google.cloud.websecurityscanner.v1beta";
option php_namespace = "Google\\Cloud\\WebSecurityScanner\\V1beta";
option ruby_package = "Google::Cloud::WebSecurityScanner::V1beta";

// A Finding resource represents a vulnerability instance identified during a
// ScanRun.
//
// NOTE(review): fuzzed_url, body, reproduction_url, frame_url and final_url
// carry request data and URLs tied to a triggered vulnerability. Consumers
// should presumably treat them as untrusted data: escape them before
// rendering and do not fetch or follow them automatically. Confirm against
// the service documentation.
//
// The addon message types used below (Form, OutdatedLibrary,
// ViolatingResource, VulnerableHeaders, VulnerableParameters, Xss) are not
// declared in this file; presumably they come from the imported
// finding_addon.proto.
message Finding {
  option (google.api.resource) = {
    type: "websecurityscanner.googleapis.com/Finding"
    pattern: "projects/{project}/scanConfigs/{scan_config}/scanRuns/{scan_run}/findings/{finding}"
  };

  // The resource name of the Finding. The name follows the format of
  // 'projects/{projectId}/scanConfigs/{scanConfigId}/scanRuns/{scanRunId}/findings/{findingId}'.
  // The finding IDs are generated by the system.
  string name = 1;

  // The type of the Finding.
  // Detailed and up-to-date information on findings can be found here:
  // https://cloud.google.com/security-scanner/docs/scan-result-details
  //
  // Declared as a free-form string rather than an enum, so readers should
  // tolerate values they do not recognize.
  string finding_type = 2;

  // The HTTP method of the request that triggered the vulnerability, in
  // uppercase.
  string http_method = 3;

  // The URL produced by the server-side fuzzer and used in the request that
  // triggered the vulnerability.
  string fuzzed_url = 4;

  // The body of the request that triggered the vulnerability.
  //
  // NOTE(review): presumably holds whatever the scanner submitted, so treat
  // it as potentially sensitive when logging or exporting findings. Confirm
  // what the scanner can place here.
  string body = 5;

  // The description of the vulnerability.
  string description = 6;

  // The URL containing a human-readable payload that a user can leverage to
  // reproduce the vulnerability.
  //
  // NOTE(review): by this description the URL itself carries the triggering
  // payload; displaying it as inert text rather than a live link is the safer
  // default in dashboards and tickets.
  string reproduction_url = 7;

  // If the vulnerability originated from a nested IFrame, the immediate
  // parent IFrame is reported.
  string frame_url = 8;

  // The URL where the browser lands when the vulnerability is detected.
  string final_url = 9;

  // The tracking ID uniquely identifies a vulnerability instance across
  // multiple ScanRuns.
  string tracking_id = 10;

  // An addon containing information reported for a vulnerability with an HTML
  // form, if any.
  //
  // Field number 16 is out of sequence with its neighbours. Field numbers
  // identify fields on the wire, so it must not be renumbered to tidy up.
  Form form = 16;

  // An addon containing information about outdated libraries.
  OutdatedLibrary outdated_library = 11;

  // An addon containing detailed information regarding any resource causing the
  // vulnerability such as JavaScript sources, image, audio files, etc.
  ViolatingResource violating_resource = 12;

  // An addon containing information about vulnerable or missing HTTP headers.
  // Numbered 15 although declared before field 13; the number is the wire
  // identity and must stay as is.
  VulnerableHeaders vulnerable_headers = 15;

  // An addon containing information about request parameters which were found
  // to be vulnerable.
  VulnerableParameters vulnerable_parameters = 13;

  // An addon containing information reported for an XSS, if any.
  Xss xss = 14;
}