// Copyright 2019 The Grafeas Authors. All rights reserved.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
syntax = "proto3";
package grafeas.v1;
import "google/protobuf/timestamp.proto";
import "grafeas/v1/common.proto";
import "grafeas/v1/cvss.proto";
import "grafeas/v1/package.proto";
option go_package = "google.golang.org/genproto/googleapis/grafeas/v1;grafeas";
option java_multiple_files = true;
option java_package = "io.grafeas.v1";
option objc_class_prefix = "GRA";
// Note provider assigned severity/impact ranking.
//
// The values are not prefixed with the enum name (e.g. SEVERITY_LOW) as
// current proto style recommends; they are part of the published grafeas.v1
// API and renaming them would break generated code and JSON, so they stay.
// SEVERITY_UNSPECIFIED is the proto3 zero value and therefore also what an
// absent field reads as: treat it as "no severity assigned", never as "not
// severe". Readers should also tolerate integer values outside this list,
// which proto3 preserves when a newer writer adds a value.
enum Severity {
  // Unknown / not set. Default for any Severity field.
  SEVERITY_UNSPECIFIED = 0;
  // Minimal severity.
  MINIMAL = 1;
  // Low severity.
  LOW = 2;
  // Medium severity.
  MEDIUM = 3;
  // High severity.
  HIGH = 4;
  // Critical severity.
  CRITICAL = 5;
}
// A security vulnerability that can be found in resources.
//
// A note is authored by the note provider. Every string field below
// (descriptions, package names, CPE URIs, KB names and URLs) is
// provider-supplied content; anything that renders, logs or interpolates it
// should treat it as untrusted input. Per-distro/package specifics live in
// `details`; Windows "missing patch" data lives in `windows_details` because
// it does not fit the version-interval model.
message VulnerabilityNote {
  // The CVSS score of this vulnerability. CVSS score is on a scale of 0 - 10
  // where 0 indicates low severity and 10 indicates high severity.
  // This is a proto3 scalar with implicit presence: an unset score reads as
  // 0.0, so a zero here means "no score available", not "harmless". Which
  // CVSS version this scalar is derived from is not stated in this file; the
  // full v3 vector, when present, is in cvss_v3.
  float cvss_score = 1;
  // The note provider assigned severity of this vulnerability.
  // SEVERITY_UNSPECIFIED (the default) means the provider assigned none.
  Severity severity = 2;
  // Details of all known distros and packages affected by this vulnerability.
  // One Detail per (distro, package, version interval).
  repeated Detail details = 3;
  // A detail for a distro and package affected by this vulnerability and its
  // associated fix (if one is available).
  message Detail {
    // The distro assigned severity of this vulnerability.
    // Free-form, distro-defined string rather than the Severity enum; its
    // vocabulary is not constrained by this schema.
    string severity_name = 1;
    // A vendor-specific description of this vulnerability.
    string description = 2;
    // The type of package; whether native or non native (e.g., ruby gems,
    // node.js packages, etc.).
    string package_type = 3;
    // Required. The [CPE URI](https://cpe.mitre.org/specification/) this
    // vulnerability affects.
    // "Required" is a documentation contract only: proto3 cannot enforce
    // presence on a string, so an empty value is representable on the wire
    // and must be rejected by the server on write.
    string affected_cpe_uri = 4;
    // Required. The package this vulnerability affects.
    // Same caveat as affected_cpe_uri: enforced by the server, not the schema.
    string affected_package = 5;
    // The version number at the start of an interval in which this
    // vulnerability exists. A vulnerability can affect a package between
    // version numbers that are disjoint sets of intervals (example:
    // [1.0.0-1.1.0], [2.4.6-2.4.8] and [4.5.6-4.6.8]) each of which will be
    // represented in its own Detail. If a specific affected version is provided
    // by a vulnerability database, affected_version_start and
    // affected_version_end will be the same in that Detail.
    // NOTE(review): the bracket notation in the example reads as inclusive at
    // both ends; confirm against the server's matching logic before relying
    // on boundary versions.
    grafeas.v1.Version affected_version_start = 6;
    // The version number at the end of an interval in which this vulnerability
    // exists. A vulnerability can affect a package between version numbers
    // that are disjoint sets of intervals (example: [1.0.0-1.1.0],
    // [2.4.6-2.4.8] and [4.5.6-4.6.8]) each of which will be represented in its
    // own Detail. If a specific affected version is provided by a vulnerability
    // database, affected_version_start and affected_version_end will be the
    // same in that Detail.
    grafeas.v1.Version affected_version_end = 7;
    // The distro recommended [CPE URI](https://cpe.mitre.org/specification/)
    // to update to that contains a fix for this vulnerability. It is possible
    // for this to be different from the affected_cpe_uri.
    string fixed_cpe_uri = 8;
    // The distro recommended package to update to that contains a fix for this
    // vulnerability. It is possible for this to be different from the
    // affected_package.
    string fixed_package = 9;
    // The distro recommended version to update to that contains a
    // fix for this vulnerability. Setting this to VersionKind.MAXIMUM means no
    // such version is yet available.
    // Consumers must inspect the version's kind before comparing versions: the
    // MAXIMUM sentinel is "no fix", not a real version that sorts above
    // everything, and must not be reported as an available upgrade.
    grafeas.v1.Version fixed_version = 10;
    // Whether this detail is obsolete. Occurrences are expected not to point to
    // obsolete details.
    // A scanner producing occurrences should therefore skip details with this
    // flag set; the detail is still delivered so existing references resolve.
    bool is_obsolete = 11;
    // The time this information was last changed at the source. This is an
    // upstream timestamp from the underlying information source - e.g. Ubuntu
    // security tracker.
    // Message-typed, so it is absent (not the epoch) when the source gave none.
    google.protobuf.Timestamp source_update_time = 12;
  }
  // The full description of the CVSSv3 for this vulnerability.
  // Absent when the provider supplied no v3 vector; prefer this over the
  // scalar cvss_score when both are set.
  CVSSv3 cvss_v3 = 4;
  // Windows details get their own format because the information format and
  // model don't match a normal detail. Specifically Windows updates are done as
  // patches, thus Windows vulnerabilities really are a missing package, rather
  // than a package being at an incorrect version.
  repeated WindowsDetail windows_details = 5;
  message WindowsDetail {
    // Required. The [CPE URI](https://cpe.mitre.org/specification/) this
    // vulnerability affects.
    // "Required" is enforced by the server, not by proto3 (see Detail).
    string cpe_uri = 1;
    // Required. The name of this vulnerability.
    string name = 2;
    // The description of this vulnerability.
    string description = 3;
    // Required. The names of the KBs which have hotfixes to mitigate this
    // vulnerability. Note that there may be multiple hotfixes (and thus
    // multiple KBs) that mitigate a given vulnerability. Currently any listed
    // KBs presence is considered a fix.
    // I.e. the list is OR-semantics: the resource is considered fixed as soon
    // as any one of these KBs is installed, not all of them.
    repeated KnowledgeBase fixing_kbs = 4;
    message KnowledgeBase {
      // The KB name (generally of the form KB[0-9]+ (e.g., KB123456)).
      // "Generally" is advisory; the schema does not validate the pattern.
      string name = 1;
      // A link to the KB in the [Windows update catalog]
      // (https://www.catalog.update.microsoft.com/).
      // Provider-supplied; validate scheme and host before rendering it as a
      // clickable link or following it automatically.
      string url = 2;
    }
  }
  // The time this information was last changed at the source. This is an
  // upstream timestamp from the underlying information source - e.g. Ubuntu
  // security tracker.
  // Note-level counterpart of Detail.source_update_time; absent when unknown.
  google.protobuf.Timestamp source_update_time = 6;
}
// An occurrence of a severity vulnerability on a resource.
//
// An occurrence ties a VulnerabilityNote to a specific resource and records
// where the vulnerable package was found (package_issue). Fields marked
// "Output only" follow the usual API convention: they are filled in by the
// server (presumably from the linked note — confirm) and callers should not
// rely on values they set themselves being kept on create or update.
message VulnerabilityOccurrence {
  // The type of package; whether native or non native (e.g., ruby gems, node.js
  // packages, etc.).
  // Named `type`, which is a keyword in several target languages and yields
  // awkward generated accessors; it is part of the published API and kept.
  string type = 1;
  // Output only. The note provider assigned severity of this vulnerability.
  // SEVERITY_UNSPECIFIED is the default and also what an absent field reads as.
  Severity severity = 2;
  // Output only. The CVSS score of this vulnerability. CVSS score is on a
  // scale of 0 - 10 where 0 indicates low severity and 10 indicates high
  // severity.
  // Implicit-presence scalar: 0.0 is indistinguishable from "no score".
  float cvss_score = 3;
  // Required. The set of affected locations and their fixes (if available)
  // within the associated resource.
  // Singular name for a repeated field (JSON key "packageIssue"); kept for
  // API compatibility. Proto3 cannot enforce "Required" on a repeated field,
  // so the server must reject an empty list on write.
  repeated PackageIssue package_issue = 4;
  // A detail for a distro and package this vulnerability occurrence was found
  // in and its associated fix (if one is available).
  message PackageIssue {
    // Required. The [CPE URI](https://cpe.mitre.org/specification/) this
    // vulnerability was found in.
    // "Required" is a server-side contract; an empty string is representable.
    string affected_cpe_uri = 1;
    // Required. The package this vulnerability was found in.
    string affected_package = 2;
    // Required. The version of the package that is installed on the resource
    // affected by this vulnerability.
    grafeas.v1.Version affected_version = 3;
    // The [CPE URI](https://cpe.mitre.org/specification/) this vulnerability
    // was fixed in. It is possible for this to be different from the
    // affected_cpe_uri.
    string fixed_cpe_uri = 4;
    // The package this vulnerability was fixed in. It is possible for this to
    // be different from the affected_package.
    string fixed_package = 5;
    // Required. The version of the package this vulnerability was fixed in.
    // Setting this to VersionKind.MAXIMUM means no fix is yet available.
    // "Required" here means the field is always populated, with the MAXIMUM
    // sentinel standing in for "none"; check the kind before comparing
    // versions and never present the sentinel as an upgrade target.
    grafeas.v1.Version fixed_version = 6;
    // Output only. Whether a fix is available for this package.
    // NOTE(review): presumably derived from fixed_version (kind != MAXIMUM);
    // the file does not state the derivation, so do not assume the two
    // always agree without checking the server.
    bool fix_available = 7;
  }
  // Output only. A one sentence description of this vulnerability.
  string short_description = 5;
  // Output only. A detailed description of this vulnerability.
  string long_description = 6;
  // Output only. URLs related to this vulnerability.
  // Provider-supplied links; validate before rendering as clickable.
  repeated grafeas.v1.RelatedUrl related_urls = 7;
  // The distro assigned severity for this vulnerability when it is available,
  // otherwise this is the note provider assigned severity.
  // This is the field to gate policy on when the distro's assessment should
  // take precedence over the provider's; `severity` is always the provider's.
  Severity effective_severity = 8;
  // Output only. Whether at least one of the affected packages has a fix
  // available.
  // NOTE(review): presumably the OR over package_issue[].fix_available — the
  // derivation is not stated here; confirm before depending on it.
  bool fix_available = 9;
}