diff options
Diffstat (limited to 'third_party/googleapis/google/cloud/osconfig/v1/vulnerability.proto')
| -rw-r--r-- | third_party/googleapis/google/cloud/osconfig/v1/vulnerability.proto | 365 |
1 files changed, 365 insertions, 0 deletions
diff --git a/third_party/googleapis/google/cloud/osconfig/v1/vulnerability.proto b/third_party/googleapis/google/cloud/osconfig/v1/vulnerability.proto new file mode 100644 index 0000000..b8ca517 --- /dev/null +++ b/third_party/googleapis/google/cloud/osconfig/v1/vulnerability.proto @@ -0,0 +1,365 @@ +// Copyright 2021 Google LLC +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +syntax = "proto3"; + +package google.cloud.osconfig.v1; + +import "google/api/field_behavior.proto"; +import "google/api/resource.proto"; +import "google/protobuf/timestamp.proto"; + +option csharp_namespace = "Google.Cloud.OsConfig.V1"; +option go_package = "google.golang.org/genproto/googleapis/cloud/osconfig/v1;osconfig"; +option java_multiple_files = true; +option java_outer_classname = "VulnerabilityProto"; +option java_package = "com.google.cloud.osconfig.v1"; +option php_namespace = "Google\\Cloud\\OsConfig\\V1"; +option ruby_package = "Google::Cloud::OsConfig::V1"; + +// This API resource represents the vulnerability report for a specified +// Compute Engine virtual machine (VM) instance at a given point in time. +// +// For more information, see [Vulnerability +// reports](https://cloud.google.com/compute/docs/instances/os-inventory-management#vulnerability-reports). +message VulnerabilityReport { + option (google.api.resource) = { + type: "osconfig.googleapis.com/VulnerabilityReport" + pattern: "projects/{project}/locations/{location}/instances/{instance}/vulnerabilityReport" + }; + + // A vulnerability affecting the VM instance. + message Vulnerability { + // Contains metadata information for the vulnerability. This information is + // collected from the upstream feed of the operating system. + message Details { + // A reference for this vulnerability. + message Reference { + // The url of the reference. + string url = 1; + + // The source of the reference e.g. NVD. + string source = 2; + } + + // The CVE of the vulnerability. CVE cannot be + // empty and the combination of <cve, classification> should be unique + // across vulnerabilities for a VM. + string cve = 1; + + // The CVSS V2 score of this vulnerability. CVSS V2 score is on a scale of + // 0 - 10 where 0 indicates low severity and 10 indicates high severity. + float cvss_v2_score = 2; + + // The full description of the CVSSv3 for this vulnerability from NVD. + CVSSv3 cvss_v3 = 3; + + // Assigned severity/impact ranking from the distro. + string severity = 4; + + // The note or description describing the vulnerability from the distro. + string description = 5; + + // Corresponds to the references attached to the `VulnerabilityDetails`. + repeated Reference references = 6; + } + + // OS inventory item that is affected by a vulnerability or fixed as a + // result of a vulnerability. + message Item { + // Corresponds to the `INSTALLED_PACKAGE` inventory item on the VM. + // This field displays the inventory items affected by this vulnerability. + // If the vulnerability report was not updated after the VM inventory + // update, these values might not display in VM inventory. For some + // operating systems, this field might be empty. + string installed_inventory_item_id = 1; + + // Corresponds to the `AVAILABLE_PACKAGE` inventory item on the VM. + // If the vulnerability report was not updated after the VM inventory + // update, these values might not display in VM inventory. If there is no + // available fix, the field is empty. The `inventory_item` value specifies + // the latest `SoftwarePackage` available to the VM that fixes the + // vulnerability. + string available_inventory_item_id = 2; + + // The recommended [CPE URI](https://cpe.mitre.org/specification/) update + // that contains a fix for this vulnerability. + string fixed_cpe_uri = 3; + + // The upstream OS patch, packages or KB that fixes the vulnerability. + string upstream_fix = 4; + } + + // Contains metadata as per the upstream feed of the operating system and + // NVD. + Details details = 1; + + // Corresponds to the `INSTALLED_PACKAGE` inventory item on the VM. + // This field displays the inventory items affected by this vulnerability. + // If the vulnerability report was not updated after the VM inventory + // update, these values might not display in VM inventory. For some distros, + // this field may be empty. + repeated string installed_inventory_item_ids = 2 [deprecated = true]; + + // Corresponds to the `AVAILABLE_PACKAGE` inventory item on the VM. + // If the vulnerability report was not updated after the VM inventory + // update, these values might not display in VM inventory. If there is no + // available fix, the field is empty. The `inventory_item` value specifies + // the latest `SoftwarePackage` available to the VM that fixes the + // vulnerability. + repeated string available_inventory_item_ids = 3 [deprecated = true]; + + // The timestamp for when the vulnerability was first detected. + google.protobuf.Timestamp create_time = 4; + + // The timestamp for when the vulnerability was last modified. + google.protobuf.Timestamp update_time = 5; + + // List of items affected by the vulnerability. + repeated Item items = 6; + } + + // Output only. The `vulnerabilityReport` API resource name. + // + // Format: + // `projects/{project_number}/locations/{location}/instances/{instance_id}/vulnerabilityReport` + string name = 1 [(google.api.field_behavior) = OUTPUT_ONLY]; + + // Output only. List of vulnerabilities affecting the VM. + repeated Vulnerability vulnerabilities = 2 [(google.api.field_behavior) = OUTPUT_ONLY]; + + // Output only. The timestamp for when the last vulnerability report was generated for the + // VM. + google.protobuf.Timestamp update_time = 3 [(google.api.field_behavior) = OUTPUT_ONLY]; +} + +// A request message for getting the vulnerability report for the specified VM. +message GetVulnerabilityReportRequest { + // Required. API resource name for vulnerability resource. + // + // Format: + // `projects/{project}/locations/{location}/instances/{instance}/vulnerabilityReport` + // + // For `{project}`, either `project-number` or `project-id` can be provided. + // For `{instance}`, either Compute Engine `instance-id` or `instance-name` + // can be provided. + string name = 1 [ + (google.api.field_behavior) = REQUIRED, + (google.api.resource_reference) = { + type: "osconfig.googleapis.com/VulnerabilityReport" + } + ]; +} + +// A request message for listing vulnerability reports for all VM instances in +// the specified location. +message ListVulnerabilityReportsRequest { + // Required. The parent resource name. + // + // Format: `projects/{project}/locations/{location}/instances/-` + // + // For `{project}`, either `project-number` or `project-id` can be provided. + string parent = 1 [ + (google.api.field_behavior) = REQUIRED, + (google.api.resource_reference) = { + type: "compute.googleapis.com/Instance" + } + ]; + + // The maximum number of results to return. + int32 page_size = 2; + + // A pagination token returned from a previous call to + // `ListVulnerabilityReports` that indicates where this listing + // should continue from. + string page_token = 3; + + // If provided, this field specifies the criteria that must be met by a + // `vulnerabilityReport` API resource to be included in the response. + string filter = 4; +} + +// A response message for listing vulnerability reports for all VM instances in +// the specified location. +message ListVulnerabilityReportsResponse { + // List of vulnerabilityReport objects. + repeated VulnerabilityReport vulnerability_reports = 1; + + // The pagination token to retrieve the next page of vulnerabilityReports + // object. + string next_page_token = 2; +} + +// Common Vulnerability Scoring System version 3. +// For details, see https://www.first.org/cvss/specification-document +message CVSSv3 { + // This metric reflects the context by which vulnerability exploitation is + // possible. + enum AttackVector { + // Invalid value. + ATTACK_VECTOR_UNSPECIFIED = 0; + + // The vulnerable component is bound to the network stack and the set of + // possible attackers extends beyond the other options listed below, up to + // and including the entire Internet. + ATTACK_VECTOR_NETWORK = 1; + + // The vulnerable component is bound to the network stack, but the attack is + // limited at the protocol level to a logically adjacent topology. + ATTACK_VECTOR_ADJACENT = 2; + + // The vulnerable component is not bound to the network stack and the + // attacker's path is via read/write/execute capabilities. + ATTACK_VECTOR_LOCAL = 3; + + // The attack requires the attacker to physically touch or manipulate the + // vulnerable component. + ATTACK_VECTOR_PHYSICAL = 4; + } + + // This metric describes the conditions beyond the attacker's control that + // must exist in order to exploit the vulnerability. + enum AttackComplexity { + // Invalid value. + ATTACK_COMPLEXITY_UNSPECIFIED = 0; + + // Specialized access conditions or extenuating circumstances do not exist. + // An attacker can expect repeatable success when attacking the vulnerable + // component. + ATTACK_COMPLEXITY_LOW = 1; + + // A successful attack depends on conditions beyond the attacker's control. + // That is, a successful attack cannot be accomplished at will, but requires + // the attacker to invest in some measurable amount of effort in preparation + // or execution against the vulnerable component before a successful attack + // can be expected. + ATTACK_COMPLEXITY_HIGH = 2; + } + + // This metric describes the level of privileges an attacker must possess + // before successfully exploiting the vulnerability. + enum PrivilegesRequired { + // Invalid value. + PRIVILEGES_REQUIRED_UNSPECIFIED = 0; + + // The attacker is unauthorized prior to attack, and therefore does not + // require any access to settings or files of the vulnerable system to + // carry out an attack. + PRIVILEGES_REQUIRED_NONE = 1; + + // The attacker requires privileges that provide basic user capabilities + // that could normally affect only settings and files owned by a user. + // Alternatively, an attacker with Low privileges has the ability to access + // only non-sensitive resources. + PRIVILEGES_REQUIRED_LOW = 2; + + // The attacker requires privileges that provide significant (e.g., + // administrative) control over the vulnerable component allowing access to + // component-wide settings and files. + PRIVILEGES_REQUIRED_HIGH = 3; + } + + // This metric captures the requirement for a human user, other than the + // attacker, to participate in the successful compromise of the vulnerable + // component. + enum UserInteraction { + // Invalid value. + USER_INTERACTION_UNSPECIFIED = 0; + + // The vulnerable system can be exploited without interaction from any user. + USER_INTERACTION_NONE = 1; + + // Successful exploitation of this vulnerability requires a user to take + // some action before the vulnerability can be exploited. + USER_INTERACTION_REQUIRED = 2; + } + + // The Scope metric captures whether a vulnerability in one vulnerable + // component impacts resources in components beyond its security scope. + enum Scope { + // Invalid value. + SCOPE_UNSPECIFIED = 0; + + // An exploited vulnerability can only affect resources managed by the same + // security authority. + SCOPE_UNCHANGED = 1; + + // An exploited vulnerability can affect resources beyond the security scope + // managed by the security authority of the vulnerable component. + SCOPE_CHANGED = 2; + } + + // The Impact metrics capture the effects of a successfully exploited + // vulnerability on the component that suffers the worst outcome that is most + // directly and predictably associated with the attack. + enum Impact { + // Invalid value. + IMPACT_UNSPECIFIED = 0; + + // High impact. + IMPACT_HIGH = 1; + + // Low impact. + IMPACT_LOW = 2; + + // No impact. + IMPACT_NONE = 3; + } + + // The base score is a function of the base metric scores. + // https://www.first.org/cvss/specification-document#Base-Metrics + float base_score = 1; + + // The Exploitability sub-score equation is derived from the Base + // Exploitability metrics. + // https://www.first.org/cvss/specification-document#2-1-Exploitability-Metrics + float exploitability_score = 2; + + // The Impact sub-score equation is derived from the Base Impact metrics. + float impact_score = 3; + + // This metric reflects the context by which vulnerability exploitation is + // possible. + AttackVector attack_vector = 5; + + // This metric describes the conditions beyond the attacker's control that + // must exist in order to exploit the vulnerability. + AttackComplexity attack_complexity = 6; + + // This metric describes the level of privileges an attacker must possess + // before successfully exploiting the vulnerability. + PrivilegesRequired privileges_required = 7; + + // This metric captures the requirement for a human user, other than the + // attacker, to participate in the successful compromise of the vulnerable + // component. + UserInteraction user_interaction = 8; + + // The Scope metric captures whether a vulnerability in one vulnerable + // component impacts resources in components beyond its security scope. + Scope scope = 9; + + // This metric measures the impact to the confidentiality of the information + // resources managed by a software component due to a successfully exploited + // vulnerability. + Impact confidentiality_impact = 10; + + // This metric measures the impact to integrity of a successfully exploited + // vulnerability. + Impact integrity_impact = 11; + + // This metric measures the impact to the availability of the impacted + // component resulting from a successfully exploited vulnerability. + Impact availability_impact = 12; +} |