// Copyright 2018 Google Inc.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

syntax = "proto3";

package google.devtools.containeranalysis.v1alpha1;

import "google/api/annotations.proto";

option go_package = "google.golang.org/genproto/googleapis/devtools/containeranalysis/v1alpha1;containeranalysis";
option java_multiple_files = true;
option java_package = "com.google.containeranalysis.v1alpha1";
option objc_class_prefix = "GCA";

// VulnerabilityType provides metadata about a security vulnerability.
//
// This is the note-level description of a vulnerability: the provider's
// overall CVSS score and severity, plus one Detail per (package, cpe_uri,
// version range) in which the vulnerability is known to manifest. The
// nested VulnerabilityDetails message is the occurrence-level counterpart.
//
// NOTE(review): the nested enums use unprefixed value names (NORMAL, LOW,
// HIGH, ...). In languages where enum values are scoped to the enclosing
// message rather than the enum, adding another nested enum here that reuses
// one of those names would collide; prefer prefixed names for any new enum.
message VulnerabilityType {
  // Version contains structured information about the version of the package.
  // For a discussion of this in Debian/Ubuntu:
  // http://serverfault.com/questions/604541/debian-packages-version-convention
  // For a discussion of this in Redhat/Fedora/Centos:
  // http://blog.jasonantman.com/2014/07/how-yum-and-rpm-compare-versions/
  //
  // Field number 4 is not used in this message; do not assign it to a new
  // field with a different meaning.
  message Version {
    // Whether this is an ordinary package version or a
    // sentinel MIN/MAX version.
    enum VersionKind {
      // A standard package version, defined by the other fields.
      // This is the proto3 default, so an unset `kind` reads as NORMAL.
      NORMAL = 0;

      // A special version representing negative infinity,
      // other fields are ignored.
      MINIMUM = 1;

      // A special version representing positive infinity,
      // other fields are ignored.
      MAXIMUM = 2;
    }

    // Used to correct mistakes in the version numbering scheme.
    // Implicit presence: an unset epoch is indistinguishable from 0.
    int32 epoch = 1;

    // The main part of the version name.
    string name = 2;

    // The iteration of the package build from the above version.
    string revision = 3;

    // Distinguish between sentinel MIN/MAX versions and normal versions.
    // If kind is not NORMAL, then the other fields are ignored.
    VersionKind kind = 5;
  }

  // Identifies all occurrences of this vulnerability in the package for a
  // specific distro/location
  // For example: glibc in cpe:/o:debian:debian_linux:8 for versions 2.1 - 2.2
  //
  // Field numbers 2 and 3 are not used in this message; do not assign them
  // to new fields with a different meaning.
  message Detail {
    // The cpe_uri in [cpe format] (https://cpe.mitre.org/specification/) in
    // which the vulnerability manifests.  Examples include distro or storage
    // location for vulnerable jar.
    // This field can be used as a filter in list requests.
    string cpe_uri = 1;

    // The name of the package where the vulnerability was found.
    // This field can be used as a filter in list requests.
    string package = 8;

    // The min version of the package in which the vulnerability exists.
    // May be a MINIMUM sentinel (see Version.VersionKind).
    Version min_affected_version = 6;

    // The max version of the package in which the vulnerability exists.
    // May be a MAXIMUM sentinel (see Version.VersionKind).
    // This field can be used as a filter in list requests.
    Version max_affected_version = 7;

    // The severity (eg: distro assigned severity) for this vulnerability.
    // Free-form text from the distro; distinct from the provider-assigned
    // Severity enum carried in VulnerabilityDetails.severity and
    // VulnerabilityType.severity.
    string severity_name = 4;

    // A vendor-specific description of this note.
    string description = 9;

    // The fix for this specific package version.
    // Unset when no fix is known for this detail (message fields have
    // explicit presence).
    VulnerabilityLocation fixed_location = 5;

    // The type of package; whether native or non native(ruby gems,
    // node.js packages etc)
    string package_type = 10;

    // Whether this Detail is obsolete. Occurrences are expected not to point to
    // obsolete details.
    bool is_obsolete = 11;
  }

  // Used by Occurrence to point to where the vulnerability exists and how
  // to fix it.
  //
  // Field numbers 1 and 2 are not used in this message; do not assign them
  // to new fields with a different meaning.
  message VulnerabilityDetails {
    // The type of package; whether native or non native(ruby gems,
    // node.js packages etc)
    // NOTE(review): `type` is a reserved word in some target languages and
    // yields awkward generated accessors; kept for wire/API compatibility.
    string type = 3;

    // Output only. The note provider assigned Severity of the vulnerability.
    Severity severity = 4;

    // Output only. The CVSS score of this vulnerability. CVSS score is on a
    // scale of 0-10 where 0 indicates low severity and 10 indicates high
    // severity.
    // Single-precision float: compare against thresholds rather than for
    // exact equality.
    float cvss_score = 5;

    // The set of affected locations and their fixes (if available) within
    // the associated resource.
    repeated PackageIssue package_issue = 6;
  }

  // This message wraps a location affected by a vulnerability and its
  // associated fix (if one is available).
  message PackageIssue {
    // The location of the vulnerability.
    VulnerabilityLocation affected_location = 1;

    // The location of the available fix for vulnerability.
    // Unset when no fix is available.
    VulnerabilityLocation fixed_location = 2;

    // The severity (eg: distro assigned severity) for this vulnerability.
    // Free-form text; see Detail.severity_name.
    string severity_name = 3;
  }

  // The location of the vulnerability
  //
  // Field number 3 is not used in this message; do not assign it to a new
  // field with a different meaning.
  message VulnerabilityLocation {
    // The cpe_uri in [cpe format] (https://cpe.mitre.org/specification/)
    // format. Examples include distro or storage location for vulnerable jar.
    // This field can be used as a filter in list requests.
    string cpe_uri = 1;

    // The package being described.
    string package = 2;

    // The version of the package being described.
    // This field can be used as a filter in list requests.
    Version version = 4;
  }

  // Note provider-assigned severity/impact ranking
  //
  // Values are ordered from least to most severe. Receivers should tolerate
  // values not listed here: proto3 preserves unknown enum values as integers,
  // so a newer producer may send one.
  enum Severity {
    // Unknown Impact
    // The proto3 default; also what an unset severity reads as.
    SEVERITY_UNSPECIFIED = 0;

    // Minimal Impact
    MINIMAL = 1;

    // Low Impact
    LOW = 2;

    // Medium Impact
    MEDIUM = 3;

    // High Impact
    HIGH = 4;

    // Critical Impact
    CRITICAL = 5;
  }

  // The CVSS score for this Vulnerability.
  // Note-level score on the 0-10 CVSS scale (see
  // VulnerabilityDetails.cvss_score for the occurrence-level value).
  // Field number 1 is not used in this message; do not assign it to a new
  // field with a different meaning.
  float cvss_score = 2;

  // Note provider assigned impact of the vulnerability
  Severity severity = 3;

  // All information about the package to specifically identify this
  // vulnerability. One entry per (version range and cpe_uri) the
  // package vulnerability has manifested in.
  repeated Detail details = 4;
}