// Copyright 2019 The Grafeas Authors. All rights reserved.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
// Vulnerability note and occurrence schema for the Grafeas v1 API.
//
// This file is a published wire contract: the field numbers, field names and
// enum values defined below are consumed by generated code and by the JSON
// mapping, so they must not be renumbered, renamed or reused. Remove a field
// only by reserving its number and name.
//
// proto3 semantics apply throughout: scalar fields (float, bool, string) have
// implicit presence, so an unset value is indistinguishable from 0 / false /
// ""; message-typed fields (Version, Timestamp, CVSSv3) do carry presence.
syntax = "proto3";

package grafeas.v1;

// google.protobuf.Timestamp, used by the source_update_time fields.
import "google/protobuf/timestamp.proto";
// grafeas.v1.RelatedUrl, used by VulnerabilityOccurrence.related_urls.
import "grafeas/v1/common.proto";
// CVSSv3, used by VulnerabilityNote.cvss_v3.
import "grafeas/v1/cvss.proto";
// grafeas.v1.Version (and, presumably, the VersionKind enum the comments below
// refer to — confirm in that file), used by the *_version fields.
import "grafeas/v1/package.proto";

// Generated-code package names. Changing any of these on a published API is a
// source-level breaking change for every consumer of the generated code.
option go_package = "google.golang.org/genproto/googleapis/grafeas/v1;grafeas";
option java_multiple_files = true;
option java_package = "io.grafeas.v1";
option objc_class_prefix = "GRA";
// Note provider assigned severity/impact ranking.
//
// The integer values increase with severity (MINIMAL = 1 through
// CRITICAL = 5), so the defined values can be ordered by their wire value.
// SEVERITY_UNSPECIFIED is the proto3 default: a Severity field that was never
// set reads as 0. Consumers must not treat that as "no risk" — it means the
// provider gave no ranking. Unknown (future) values round-trip as plain
// integers in proto3 and should be handled conservatively rather than dropped.
//
// The non-zero values carry no SEVERITY_ prefix. This is part of the published
// grafeas.v1 API and cannot be changed without breaking generated code and the
// JSON mapping, so any value added later should follow the existing style and
// take a fresh number.
enum Severity {
  // Unknown.
  SEVERITY_UNSPECIFIED = 0;

  // Minimal severity.
  MINIMAL = 1;

  // Low severity.
  LOW = 2;

  // Medium severity.
  MEDIUM = 3;

  // High severity.
  HIGH = 4;

  // Critical severity.
  CRITICAL = 5;
}
// A security vulnerability that can be found in resources.
//
// A note describes the vulnerability as published by the note provider; the
// per-resource findings are VulnerabilityOccurrence messages. Field numbers
// are part of the published grafeas.v1 wire contract and must not be changed
// or reused. Several fields below are documented as "Required."; proto3 cannot
// express that on the wire, so the service accepting a note has to validate
// that those fields are actually set.
message VulnerabilityNote {
  // The CVSS score of this vulnerability. CVSS score is on a scale of 0 - 10
  // where 0 indicates low severity and 10 indicates high severity.
  //
  // proto3 float, implicit presence: an unset score and an explicit 0.0 are
  // indistinguishable on the wire, and both read as the lowest end of the
  // scale. Which CVSS version produced this score is not stated by the
  // schema; cvss_v3 carries the full CVSSv3 description when available.
  float cvss_score = 1;

  // The note provider assigned severity of this vulnerability.
  // Reads as SEVERITY_UNSPECIFIED when the provider set no value.
  Severity severity = 2;

  // Details of all known distros and packages affected by this vulnerability.
  // One Detail per (distro, package, affected version interval); see
  // Detail.affected_version_start for how disjoint intervals are represented.
  repeated Detail details = 3;

  // A detail for a distro and package affected by this vulnerability and its
  // associated fix (if one is available).
  message Detail {
    // The distro assigned severity of this vulnerability.
    // Free-form text in the distro's own vocabulary, not a grafeas.v1.Severity;
    // this schema defines no mapping between the two.
    string severity_name = 1;

    // A vendor-specific description of this vulnerability.
    string description = 2;

    // The type of package; whether native or non native (e.g., ruby gems,
    // node.js packages, etc.).
    string package_type = 3;

    // Required. The [CPE URI](https://cpe.mitre.org/specification/) this
    // vulnerability affects.
    // Provider-supplied string; the schema constrains it only to valid UTF-8,
    // not to the CPE grammar.
    string affected_cpe_uri = 4;

    // Required. The package this vulnerability affects.
    string affected_package = 5;

    // The version number at the start of an interval in which this
    // vulnerability exists. A vulnerability can affect a package between
    // version numbers that are disjoint sets of intervals (example:
    // [1.0.0-1.1.0], [2.4.6-2.4.8] and [4.5.6-4.6.8]) each of which will be
    // represented in its own Detail. If a specific affected version is provided
    // by a vulnerability database, affected_version_start and
    // affected_version_end will be the same in that Detail.
    //
    // The bracket notation in the example suggests closed (inclusive) bounds,
    // but inclusivity is not defined by this schema — confirm against the
    // matching implementation before relying on it. Message-typed, so an
    // absent start is distinguishable from a set one.
    grafeas.v1.Version affected_version_start = 6;

    // The version number at the end of an interval in which this vulnerability
    // exists. A vulnerability can affect a package between version numbers
    // that are disjoint sets of intervals (example: [1.0.0-1.1.0],
    // [2.4.6-2.4.8] and [4.5.6-4.6.8]) each of which will be represented in its
    // own Detail. If a specific affected version is provided by a vulnerability
    // database, affected_version_start and affected_version_end will be the
    // same in that Detail.
    // See affected_version_start for the note on bound inclusivity.
    grafeas.v1.Version affected_version_end = 7;

    // The distro recommended [CPE URI](https://cpe.mitre.org/specification/)
    // to update to that contains a fix for this vulnerability. It is possible
    // for this to be different from the affected_cpe_uri.
    string fixed_cpe_uri = 8;

    // The distro recommended package to update to that contains a fix for this
    // vulnerability. It is possible for this to be different from the
    // affected_package.
    string fixed_package = 9;

    // The distro recommended version to update to that contains a
    // fix for this vulnerability. Setting this to VersionKind.MAXIMUM means no
    // such version is yet available.
    //
    // VersionKind is presumably the enum defined next to grafeas.v1.Version in
    // grafeas/v1/package.proto (imported above) — confirm there. Because this
    // field is message-typed it has explicit presence: an absent fixed_version
    // is not the same as one whose kind is MAXIMUM, and consumers should treat
    // both as "no fix known" only if the service documents that.
    grafeas.v1.Version fixed_version = 10;

    // Whether this detail is obsolete. Occurrences are expected not to point to
    // obsolete details.
    // proto3 bool, implicit presence: unset reads as false (not obsolete).
    bool is_obsolete = 11;

    // The time this information was last changed at the source. This is an
    // upstream timestamp from the underlying information source - e.g. Ubuntu
    // security tracker.
    // Per-detail counterpart of VulnerabilityNote.source_update_time.
    google.protobuf.Timestamp source_update_time = 12;
  }

  // The full description of the CVSSv3 for this vulnerability.
  // CVSSv3 is defined in grafeas/v1/cvss.proto (imported above). Absent when
  // the provider supplied no v3 vector; cvss_score may still be set.
  CVSSv3 cvss_v3 = 4;

  // Windows details get their own format because the information format and
  // model don't match a normal detail. Specifically Windows updates are done as
  // patches, thus Windows vulnerabilities really are a missing package, rather
  // than a package being at an incorrect version.
  repeated WindowsDetail windows_details = 5;

  // One affected Windows product (identified by CPE URI) and the hotfix KBs
  // that address the vulnerability on it.
  message WindowsDetail {
    // Required. The [CPE URI](https://cpe.mitre.org/specification/) this
    // vulnerability affects.
    // Provider-supplied string; not validated against the CPE grammar by the
    // schema.
    string cpe_uri = 1;

    // Required. The name of this vulnerability.
    string name = 2;

    // The description of this vulnerability.
    string description = 3;

    // Required. The names of the KBs which have hotfixes to mitigate this
    // vulnerability. Note that there may be multiple hotfixes (and thus
    // multiple KBs) that mitigate a given vulnerability. Currently any listed
    // KBs presence is considered a fix.
    repeated KnowledgeBase fixing_kbs = 4;

    // A Microsoft Knowledge Base article that ships a fixing hotfix.
    message KnowledgeBase {
      // The KB name (generally of the form KB[0-9]+ (e.g., KB123456)).
      // The pattern is descriptive only; the schema does not enforce it.
      string name = 1;

      // A link to the KB in the [Windows update catalog]
      // (https://www.catalog.update.microsoft.com/).
      // Provider-supplied string; the schema does not constrain it to any URL
      // scheme or host, so consumers that render or follow it should validate
      // it first.
      string url = 2;
    }
  }

  // The time this information was last changed at the source. This is an
  // upstream timestamp from the underlying information source - e.g. Ubuntu
  // security tracker.
  // Note-level value; individual Details carry their own source_update_time.
  google.protobuf.Timestamp source_update_time = 6;
}
// An occurrence of a severity vulnerability on a resource.
//
// Binds a VulnerabilityNote to a concrete resource and records, per affected
// package, the installed version and the fixing version. Fields marked
// "Output only." are, per that annotation, populated by the service rather
// than by the client that creates the occurrence; fields marked "Required."
// must be validated by the service, since proto3 cannot enforce presence.
// Field numbers are part of the published grafeas.v1 wire contract.
message VulnerabilityOccurrence {
  // The type of package; whether native or non native (e.g., ruby gems, node.js
  // packages, etc.).
  //
  // The name `type` is a reserved word in several target languages, so the
  // generated accessor name may differ per language; it cannot be renamed on
  // the published API. Its JSON key is "type".
  string type = 1;

  // Output only. The note provider assigned severity of this vulnerability.
  // Reads as SEVERITY_UNSPECIFIED when not populated.
  Severity severity = 2;

  // Output only. The CVSS score of this vulnerability. CVSS score is on a
  // scale of 0 - 10 where 0 indicates low severity and 10 indicates high
  // severity.
  // proto3 float, implicit presence: "not scored" and 0.0 are
  // indistinguishable on the wire.
  float cvss_score = 3;

  // Required. The set of affected locations and their fixes (if available)
  // within the associated resource.
  // Repeated field with a singular name (published API; JSON key
  // "packageIssue"). An empty list is indistinguishable from unset.
  repeated PackageIssue package_issue = 4;

  // A detail for a distro and package this vulnerability occurrence was found
  // in and its associated fix (if one is available).
  message PackageIssue {
    // Required. The [CPE URI](https://cpe.mitre.org/specification/) this
    // vulnerability was found in.
    // Provider-supplied string; not validated against the CPE grammar by the
    // schema.
    string affected_cpe_uri = 1;

    // Required. The package this vulnerability was found in.
    string affected_package = 2;

    // Required. The version of the package that is installed on the resource
    // affected by this vulnerability.
    grafeas.v1.Version affected_version = 3;

    // The [CPE URI](https://cpe.mitre.org/specification/) this vulnerability
    // was fixed in. It is possible for this to be different from the
    // affected_cpe_uri.
    string fixed_cpe_uri = 4;

    // The package this vulnerability was fixed in. It is possible for this to
    // be different from the affected_package.
    string fixed_package = 5;

    // Required. The version of the package this vulnerability was fixed in.
    // Setting this to VersionKind.MAXIMUM means no fix is yet available.
    //
    // VersionKind is presumably the enum defined next to grafeas.v1.Version in
    // grafeas/v1/package.proto (imported above) — confirm there. Message-typed,
    // so an absent fixed_version is distinct from one with kind MAXIMUM even
    // though the field is documented as required.
    grafeas.v1.Version fixed_version = 6;

    // Output only. Whether a fix is available for this package.
    // Presumably derived by the service from fixed_version — confirm against
    // the server. proto3 bool: unset reads as false.
    bool fix_available = 7;
  }

  // Output only. A one sentence description of this vulnerability.
  string short_description = 5;

  // Output only. A detailed description of this vulnerability.
  string long_description = 6;

  // Output only. URLs related to this vulnerability.
  // grafeas.v1.RelatedUrl comes from grafeas/v1/common.proto (imported above).
  // The URLs are provider-supplied and unconstrained by the schema.
  repeated grafeas.v1.RelatedUrl related_urls = 7;

  // The distro assigned severity for this vulnerability when it is available,
  // otherwise this is the note provider assigned severity.
  // Unlike `severity`, this field is not annotated "Output only.".
  Severity effective_severity = 8;

  // Output only. Whether at least one of the affected packages has a fix
  // available.
  // Occurrence-level roll-up of PackageIssue.fix_available; proto3 bool, so
  // unset reads as false.
  bool fix_available = 9;
}