// Copyright 2023 The Grafeas Authors. All rights reserved.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

syntax = "proto3";

package grafeas.v1;

import "grafeas/v1/common.proto";

option go_package = "google.golang.org/genproto/googleapis/grafeas/v1;grafeas";
option java_multiple_files = true;
option java_package = "io.grafeas.v1";
option objc_class_prefix = "GRA";

// A single VulnerabilityAssessmentNote represents
// one particular product's vulnerability assessment for one CVE.
//
// This is the Grafeas form of a VEX (Vulnerability Exploitability eXchange)
// statement: a publisher's claim about whether a product is affected by a
// vulnerability, optionally with a justification and remediation advice.
// Consumers should treat the note as an assertion made by `publisher`, not as
// independently verified ground truth; the schema itself does not establish
// who is allowed to publish a note for a given product.
message VulnerabilityAssessmentNote {
  // The title of the note. E.g. `Vex-Debian-11.4`
  string title = 1;

  // A one sentence description of this Vex.
  string short_description = 2;

  // A detailed description of this Vex.
  string long_description = 3;

  // Identifies the language used by this document,
  // corresponding to IETF BCP 47 / RFC 5646.
  // Applies to the free-text fields of this note (descriptions and details).
  string language_code = 4;

  // Publisher contains information about the publisher of
  // this Note.
  // (-- api-linter: core::0123::resource-annotation=disabled
  // aip.dev/not-precedent: Publisher is not a separate resource. --)
  message Publisher {
    // Name of the publisher.
    // Examples: 'Google', 'Google Cloud Platform'.
    string name = 1;

    // Provides information about the authority of the issuing party to
    // release the document, in particular, the party's constituency and
    // responsibilities or other obligations.
    // This is self-described by the publisher; nothing in the schema
    // verifies the claim.
    string issuing_authority = 2;

    // The context or namespace.
    // Contains a URL which is under control of the issuing party and can
    // be used as a globally unique identifier for that issuing party.
    // Example: https://csaf.io
    // Consumers should use this value as an opaque identifier; it is not
    // meant to be dereferenced automatically.
    string publisher_namespace = 3;
  }

  // Publisher details of this Note.
  Publisher publisher = 5;

  // Product contains information about a product and how to uniquely identify
  // it.
  // (-- api-linter: core::0123::resource-annotation=disabled
  // aip.dev/not-precedent: Product is not a separate resource. --)
  message Product {
    // Name of the product.
    string name = 1;

    // Token that identifies a product so that it can be referred to from other
    // parts in the document. There is no predefined format as long as it
    // uniquely identifies a group in the context of the current document.
    string id = 2;

    // The machine-readable identifier of the product. At most one member can
    // be set; currently the only form is `generic_uri`, and more forms may be
    // added later, so consumers should check which member is set rather than
    // assuming `generic_uri`.
    oneof identifier {
      // Contains a URI which is vendor-specific.
      // Example: The artifact repository URL of an image.
      string generic_uri = 3;
    }
  }

  // The product affected by this vex.
  Product product = 6;

  // Assessment provides all information that is related to a single
  // vulnerability for this product.
  message Assessment {
    // Holds the MITRE standard Common Vulnerabilities and Exposures (CVE)
    // tracking number for the vulnerability.
    // Deprecated: Use vulnerability_id instead to denote CVEs.
    // Readers should prefer `vulnerability_id` and fall back to this field,
    // since older notes may populate only `cve`.
    string cve = 1 [deprecated = true];

    // The vulnerability identifier for this Assessment. Will hold one of
    // common identifiers e.g. CVE, GHSA etc.
    // The schema does not validate the identifier format; consumers that
    // match on it should normalize (e.g. case) before comparing.
    // Numbered 9, out of declaration order, presumably because it was added
    // after the other fields.
    string vulnerability_id = 9;

    // A one sentence description of this Vex.
    string short_description = 2;

    // A detailed description of this Vex.
    string long_description = 3;

    // Holds a list of references associated with this vulnerability item and
    // assessment. These uris have additional information about the
    // vulnerability and the assessment itself. E.g. Link to a document which
    // details how this assessment concluded the state of this vulnerability.
    // The URIs come from the publisher and are informational; consumers
    // should not fetch them automatically or trust their content more than
    // the note itself.
    repeated grafeas.v1.RelatedUrl related_uris = 4;

    // Provides the state of this Vulnerability assessment.
    //
    // Values are not prefixed with the enum name; renaming them now would
    // break generated code and JSON, so they are kept as published.
    // proto3 preserves enum values that a reader does not know about, so a
    // consumer receiving a value not listed here should treat the assessment
    // as inconclusive rather than as NOT_AFFECTED.
    enum State {
      // No state is specified.
      // Consumers should treat this the same as "no assessment available",
      // never as a statement that the product is not affected.
      STATE_UNSPECIFIED = 0;
      // This product is known to be affected by this vulnerability.
      AFFECTED = 1;
      // This product is known to be not affected by this vulnerability.
      // Expected to be accompanied by a `justification`.
      NOT_AFFECTED = 2;
      // This product contains a fix for this vulnerability.
      FIXED = 3;
      // It is not known yet whether these versions are or are not affected
      // by the vulnerability. However, it is still under investigation.
      UNDER_INVESTIGATION = 4;
    }

    // Provides the state of this Vulnerability assessment.
    State state = 5;

    // Contains information about the impact of this vulnerability,
    // this will change with time.
    // Free-text entries; no structure is defined by the schema.
    repeated string impacts = 6;

    // Justification provides the justification when the state of the
    // assessment is NOT_AFFECTED.
    message Justification {
      // Provides the type of justification.
      // These map to the standard VEX "not affected" justification labels.
      enum JustificationType {
        // JUSTIFICATION_TYPE_UNSPECIFIED.
        JUSTIFICATION_TYPE_UNSPECIFIED = 0;
        // The vulnerable component is not present in the product.
        COMPONENT_NOT_PRESENT = 1;
        // The vulnerable code is not present. Typically this case
        // occurs when source code is configured or built in a way that excludes
        // the vulnerable code.
        VULNERABLE_CODE_NOT_PRESENT = 2;
        // The vulnerable code can not be executed.
        // Typically this case occurs when the product includes the vulnerable
        // code but does not call or use the vulnerable code.
        VULNERABLE_CODE_NOT_IN_EXECUTE_PATH = 3;
        // The vulnerable code cannot be controlled by an attacker to exploit
        // the vulnerability.
        VULNERABLE_CODE_CANNOT_BE_CONTROLLED_BY_ADVERSARY = 4;
        // The product includes built-in protections or features that prevent
        // exploitation of the vulnerability. These built-in protections cannot
        // be subverted by the attacker and cannot be configured or disabled by
        // the user. These mitigations completely prevent exploitation based on
        // known attack vectors.
        INLINE_MITIGATIONS_ALREADY_EXIST = 5;
      }

      // The justification type for this vulnerability.
      JustificationType justification_type = 1;

      // Additional details on why this justification was chosen.
      string details = 2;
    }

    // Justification provides the justification when the state of the
    // assessment is NOT_AFFECTED.
    // The schema does not enforce the pairing: a consumer should only rely on
    // this field when `state` is NOT_AFFECTED, and should not downgrade an
    // AFFECTED or UNDER_INVESTIGATION assessment because a justification is
    // present.
    Justification justification = 7;

    // Specifies details on how to handle (and presumably, fix) a vulnerability.
    message Remediation {
      // The type of remediation that can be applied.
      enum RemediationType {
        // No remediation type specified.
        REMEDIATION_TYPE_UNSPECIFIED = 0;
        // A MITIGATION is available.
        MITIGATION = 1;
        // No fix is planned.
        NO_FIX_PLANNED = 2;
        // No remediation is available.
        NONE_AVAILABLE = 3;
        // A vendor fix is available.
        VENDOR_FIX = 4;
        // A workaround is available.
        WORKAROUND = 5;
      }

      // The type of remediation that can be applied.
      RemediationType remediation_type = 1;

      // Contains a comprehensive human-readable discussion of the remediation.
      string details = 2;

      // Contains the URL where to obtain the remediation.
      // Publisher-supplied; consumers should present it to a human rather than
      // download or apply anything from it automatically.
      grafeas.v1.RelatedUrl remediation_uri = 3;
    }

    // Specifies details on how to handle (and presumably, fix) a vulnerability.
    // May hold several entries (e.g. a workaround and a vendor fix).
    repeated Remediation remediations = 8;
  }

  // Represents a vulnerability assessment for the product.
  Assessment assessment = 7;
}