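// Copyright 2018 Google Inc.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

syntax = "proto3";

package google.devtools.containeranalysis.v1alpha1;

import "google/api/annotations.proto";

option go_package = "google.golang.org/genproto/googleapis/devtools/containeranalysis/v1alpha1;containeranalysis";
option java_multiple_files = true;
option java_package = "com.google.containeranalysis.v1alpha1";
option objc_class_prefix = "GCA";

// VulnerabilityType provides metadata about a security vulnerability.
//
// The top-level fields (cvss_score, severity, details) describe the
// vulnerability as the note provider knows it. The nested
// VulnerabilityDetails message is what an Occurrence carries to say where
// the vulnerability was actually found in a resource and how to fix it.
//
// Field numbers are the wire contract; never renumber or reuse them.
// Numbers that were skipped in the original declaration are reserved below
// so they cannot be silently reused with a different meaning.
message VulnerabilityType {
  // Version contains structured information about the version of the package.
  //
  // How epoch/name/revision are ordered is distribution-specific; a plain
  // string comparison of `name` is not a correct version comparison.
  // For a discussion of this in Debian/Ubuntu:
  // http://serverfault.com/questions/604541/debian-packages-version-convention
  // For a discussion of this in Redhat/Fedora/Centos:
  // http://blog.jasonantman.com/2014/07/how-yum-and-rpm-compare-versions/
  message Version {
    // Field number 4 is skipped in the published schema; reserved so it
    // cannot be reassigned to a new field with a different meaning.
    reserved 4;

    // Whether this is an ordinary package version or a
    // sentinel MIN/MAX version.
    enum VersionKind {
      // A standard package version, defined by the other fields.
      NORMAL = 0;

      // A special version representing negative infinity,
      // other fields are ignored.
      MINIMUM = 1;

      // A special version representing positive infinity,
      // other fields are ignored.
      MAXIMUM = 2;
    }

    // Used to correct mistakes in the version numbering scheme.
    // Implicit presence: an unset epoch is indistinguishable from epoch 0.
    int32 epoch = 1;

    // The main part of the version name.
    string name = 2;

    // The iteration of the package build from the above version.
    string revision = 3;

    // Distinguish between sentinel MIN/MAX versions and normal versions.
    // If kind is not NORMAL, then the other fields are ignored.
    VersionKind kind = 5;
  }

  // Identifies all occurrences of this vulnerability in the package for a
  // specific distro/location
  // For example: glibc in cpe:/o:debian:debian_linux:8 for versions 2.1 - 2.2
  message Detail {
    // Field numbers 2 and 3 are skipped in the published schema; reserved so
    // they cannot be reassigned to new fields with a different meaning.
    reserved 2, 3;

    // The cpe_uri in [cpe format] (https://cpe.mitre.org/specification/) in
    // which the vulnerability manifests. Examples include distro or storage
    // location for vulnerable jar.
    // This field can be used as a filter in list requests.
    // The schema does not validate CPE syntax; it is a free-form string.
    string cpe_uri = 1;

    // The name of the package where the vulnerability was found.
    // This field can be used as a filter in list requests.
    string package = 8;

    // The min version of the package in which the vulnerability exists.
    Version min_affected_version = 6;

    // The max version of the package in which the vulnerability exists.
    // This field can be used as a filter in list requests.
    Version max_affected_version = 7;

    // The severity (eg: distro assigned severity) for this vulnerability.
    // Distro severity scales differ from one another and from the
    // provider-assigned Severity enum; do not compare them directly.
    string severity_name = 4;

    // A vendor-specific description of this note.
    string description = 9;

    // The fix for this specific package version.
    // NOTE(review): presumably unset when no fix is known — the schema does
    // not state this; confirm with the note provider.
    VulnerabilityLocation fixed_location = 5;

    // The type of package; whether native or non native(ruby gems,
    // node.js packages etc)
    string package_type = 10;

    // Whether this Detail is obsolete. Occurrences are expected not to point to
    // obsolete details.
    bool is_obsolete = 11;
  }

  // Used by Occurrence to point to where the vulnerability exists and how
  // to fix it.
  message VulnerabilityDetails {
    // Field numbers 1 and 2 are skipped in the published schema; reserved so
    // they cannot be reassigned to new fields with a different meaning.
    reserved 1, 2;

    // The type of package; whether native or non native(ruby gems,
    // node.js packages etc)
    string type = 3;

    // Output only. The note provider assigned Severity of the vulnerability.
    Severity severity = 4;

    // Output only. The CVSS score of this vulnerability. CVSS score is on a
    // scale of 0-10 where 0 indicates low severity and 10 indicates high
    // severity.
    // The CVSS version (v2 vs. v3) is not carried by this message; scores
    // from different providers may not be on the same scale. Implicit
    // presence: an unset score reads as 0.0, which is also a valid score.
    float cvss_score = 5;

    // The set of affected locations and their fixes (if available) within
    // the associated resource.
    repeated PackageIssue package_issue = 6;
  }

  // This message wraps a location affected by a vulnerability and its
  // associated fix (if one is available).
  message PackageIssue {
    // The location of the vulnerability.
    VulnerabilityLocation affected_location = 1;

    // The location of the available fix for vulnerability.
    // Unset when no fix is available.
    VulnerabilityLocation fixed_location = 2;

    // The severity (eg: distro assigned severity) for this vulnerability.
    string severity_name = 3;
  }

  // The location of the vulnerability
  message VulnerabilityLocation {
    // Field number 3 is skipped in the published schema; reserved so it
    // cannot be reassigned to a new field with a different meaning.
    reserved 3;

    // The cpe_uri in [cpe format] (https://cpe.mitre.org/specification/)
    // format. Examples include distro or storage location for vulnerable jar.
    // This field can be used as a filter in list requests.
    string cpe_uri = 1;

    // The package being described.
    string package = 2;

    // The version of the package being described.
    // This field can be used as a filter in list requests.
    Version version = 4;
  }

  // Note provider-assigned severity/impact ranking
  //
  // Value names are part of the generated API and the JSON encoding;
  // renaming them (e.g. to add a SEVERITY_ prefix) is a breaking change.
  // Receivers should treat unknown values as SEVERITY_UNSPECIFIED rather
  // than fail, since new values may be added.
  enum Severity {
    // Unknown Impact
    SEVERITY_UNSPECIFIED = 0;

    // Minimal Impact
    MINIMAL = 1;

    // Low Impact
    LOW = 2;

    // Medium Impact
    MEDIUM = 3;

    // High Impact
    HIGH = 4;

    // Critical Impact
    CRITICAL = 5;
  }

  // Field number 1 is skipped in the published schema; reserved so it
  // cannot be reassigned to a new field with a different meaning.
  reserved 1;

  // The CVSS score for this Vulnerability.
  // Same caveats as VulnerabilityDetails.cvss_score: the CVSS version is
  // not recorded, and an unset score reads as 0.0.
  float cvss_score = 2;

  // Note provider assigned impact of the vulnerability
  Severity severity = 3;

  // All information about the package to specifically identify this
  // vulnerability. One entry per (version range and cpe_uri) the
  // package vulnerability has manifested in.
  repeated Detail details = 4;
}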