// Copyright 2018 The Grafeas Authors. All rights reserved.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//    http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

syntax = "proto3";

package grafeas.v1beta1.vulnerability;

import "google/protobuf/timestamp.proto";
import "google/devtools/containeranalysis/v1beta1/common/common.proto";
import "google/devtools/containeranalysis/v1beta1/cvss/cvss.proto";
import "google/devtools/containeranalysis/v1beta1/package/package.proto";

option go_package = "google.golang.org/genproto/googleapis/devtools/containeranalysis/v1beta1/vulnerability;vulnerability";
option java_multiple_files = true;
option java_package = "io.grafeas.v1beta1.vulnerability";
option objc_class_prefix = "GRA";

// Note provider-assigned severity/impact ranking.
//
// Values are ordered by their numeric value (MINIMAL < LOW < MEDIUM < HIGH <
// CRITICAL), so consumers may compare severities numerically. Because proto3
// decodes an unset field as the zero value, a Severity that was never set
// reads as SEVERITY_UNSPECIFIED, not as MINIMAL; any policy that gates on
// severity (e.g. "block on HIGH or above") must decide explicitly how it
// treats SEVERITY_UNSPECIFIED rather than letting it fall through as "low".
// NOTE(review): the values are not prefixed with the enum name
// (SEVERITY_LOW, ...). Renaming them on a published API would break
// generated code and JSON, so they are left as-is.
enum Severity {
  // Unknown. Also what an unset field decodes to in proto3.
  SEVERITY_UNSPECIFIED = 0;
  // Minimal severity.
  MINIMAL = 1;
  // Low severity.
  LOW = 2;
  // Medium severity.
  MEDIUM = 3;
  // High severity.
  HIGH = 4;
  // Critical severity.
  CRITICAL = 5;
}

// Vulnerability provides metadata about a security vulnerability in a Note.
//
// This is the note-side (provider-authored) view: it describes the
// vulnerability itself and every package/version range it manifests in. The
// occurrence-side view for one specific resource is the `Details` message
// further down. Field numbers are the wire contract; never renumber or reuse
// them (see "Next free ID" at the bottom).
message Vulnerability {
  // The CVSS score for this vulnerability.
  // NOTE(review): neither the CVSS version nor the scale is stated here. A
  // separate `cvss_v3` field exists below, so this is presumably not the v3
  // score, and presumably on the 0-10 scale documented for Details.cvss_score
  // — confirm with the note provider before comparing scores across providers.
  float cvss_score = 1;

  // Note provider assigned impact of the vulnerability.
  // An unset value decodes as SEVERITY_UNSPECIFIED (proto3 zero value).
  Severity severity = 2;

  // All information about the package to specifically identify this
  // vulnerability. One entry per (version range and cpe_uri) the package
  // vulnerability has manifested in.
  repeated Detail details = 3;

  // Identifies all appearances of this vulnerability in the package for a
  // specific distro/location. For example: glibc in
  // cpe:/o:debian:debian_linux:8 for versions 2.1 - 2.2
  message Detail {
    // Required. The CPE URI in
    // [cpe format](https://cpe.mitre.org/specification/) in which the
    // vulnerability manifests. Examples include distro or storage location for
    // vulnerable jar.
    // "Required" is a documentation contract only: proto3 has no required
    // fields and an omitted string arrives as "", and the schema does not
    // validate CPE syntax, so the service must check both presence and format.
    string cpe_uri = 1;

    // Required. The name of the package where the vulnerability was found.
    // Same caveat as cpe_uri: presence is not enforced on the wire.
    string package = 2;

    // The min version of the package in which the vulnerability exists.
    // NOTE(review): whether the bound is inclusive, and what an unset value
    // means (unbounded?), is not stated here — confirm against the Version
    // comparison rules in package.proto before using it for matching.
    grafeas.v1beta1.package.Version min_affected_version = 3;

    // The max version of the package in which the vulnerability exists.
    // Same inclusivity/unset caveat as min_affected_version.
    grafeas.v1beta1.package.Version max_affected_version = 4;

    // The severity (eg: distro assigned severity) for this vulnerability.
    // Free-form text from the distro, not a Severity enum value; do not
    // compare it against the enum without an explicit mapping.
    string severity_name = 5;

    // A vendor-specific description of this note.
    // Free text supplied by the provider; treat as untrusted when rendering.
    string description = 6;

    // The fix for this specific package version.
    // NOTE(review): presumably unset when no fix is known for this range —
    // confirm; PackageIssue documents that convention, this field does not.
    VulnerabilityLocation fixed_location = 7;

    // The type of package; whether native or non native(ruby gems, node.js
    // packages etc). Open vocabulary, hence a string rather than an enum.
    string package_type = 8;

    // Whether this detail is obsolete. Occurrences are expected not to point to
    // obsolete details.
    bool is_obsolete = 9;

    // The time this information was last changed at the source. This is an
    // upstream timestamp from the underlying information source - e.g. Ubuntu
    // security tracker.
    google.protobuf.Timestamp source_update_time = 10;
  }

  // The full description of the CVSSv3.
  // Message type imported from cvss.proto, so presence is observable; absence
  // presumably means the provider published no v3 data — confirm.
  CVSSv3 cvss_v3 = 4;

  // Windows details get their own format because the information format and
  // model don't match a normal detail. Specifically Windows updates are done as
  // patches, thus Windows vulnerabilities really are a missing package, rather
  // than a package being at an incorrect version.
  repeated WindowsDetail windows_details = 5;

  // One Windows vulnerability entry: identified by name rather than by a
  // package version range, and considered fixed when any listed KB is present.
  message WindowsDetail {
    // Required. The CPE URI in
    // [cpe format](https://cpe.mitre.org/specification/) in which the
    // vulnerability manifests. Examples include distro or storage location for
    // vulnerable jar.
    // Presence is not enforced on the wire (proto3); validate in the service.
    string cpe_uri = 1;

    // Required. The name of the vulnerability.
    // Presence is not enforced on the wire (proto3); validate in the service.
    string name = 2;

    // The description of the vulnerability.
    // Free text from the provider; treat as untrusted when rendering.
    string description = 3;

    // Required. The names of the KBs which have hotfixes to mitigate this
    // vulnerability. Note that there may be multiple hotfixes (and thus
    // multiple KBs) that mitigate a given vulnerability. Currently any listed
    // kb's presence is considered a fix.
    // A repeated field cannot be "required" on the wire: an empty list is
    // indistinguishable from an omitted one, so the service must check that it
    // is non-empty.
    repeated KnowledgeBase fixing_kbs = 4;

    // A single Microsoft Knowledge Base article that fixes the vulnerability.
    message KnowledgeBase {
      // The KB name (generally of the form KB[0-9]+ i.e. KB123456).
      // The form is a convention, not a schema constraint; validate before
      // using it as a lookup key.
      string name = 1;
      // A link to the KB in the Windows update catalog -
      // https://www.catalog.update.microsoft.com/
      // NOTE(review): the schema constrains neither scheme nor host; anything
      // that renders this as a hyperlink should validate it (e.g. https only,
      // expected host) rather than trusting the note provider.
      string url = 2;
    }
  }

  // The time this information was last changed at the source. This is an
  // upstream timestamp from the underlying information source - e.g. Ubuntu
  // security tracker.
  google.protobuf.Timestamp source_update_time = 6;

  // Next free ID is 7.
}

// Details of a vulnerability Occurrence.
//
// This is the occurrence-side view: how a vulnerability described by a
// `Vulnerability` note shows up in one specific resource. Not to be confused
// with the nested `Vulnerability.Detail` (note side). Fields marked
// "Output only" are presumably populated by the service from the note rather
// than accepted from the caller — confirm how a client-supplied value is
// handled.
message Details {
  // The type of package; whether native or non native(ruby gems, node.js
  // packages etc)
  // NOTE(review): `type` is a keyword in several target languages and yields
  // awkward accessors, but renaming a published field would break JSON and
  // generated code, so it stays.
  string type = 1;

  // Output only. The note provider assigned Severity of the vulnerability.
  // An unset value reads as SEVERITY_UNSPECIFIED (proto3 zero value).
  Severity severity = 2;

  // Output only. The CVSS score of this vulnerability. CVSS score is on a
  // scale of 0-10 where 0 indicates low severity and 10 indicates high
  // severity.
  // NOTE(review): the CVSS version (v2 vs v3) is not stated here — confirm
  // before comparing with Vulnerability.cvss_v3.
  float cvss_score = 3;

  // Required. The set of affected locations and their fixes (if available)
  // within the associated resource.
  // A repeated field cannot be enforced non-empty on the wire; the service
  // must check it.
  repeated PackageIssue package_issue = 4;

  // Output only. A one sentence description of this vulnerability.
  // Free text originating from the note provider; treat as untrusted when
  // rendering.
  string short_description = 5;

  // Output only. A detailed description of this vulnerability.
  // Same caveat as short_description.
  string long_description = 6;

  // Output only. URLs related to this vulnerability.
  // Unconstrained URLs from the note provider; validate before rendering as
  // links.
  repeated grafeas.v1beta1.RelatedUrl related_urls = 7;

  // The distro assigned severity for this vulnerability when it is
  // available, and note provider assigned severity when distro has not yet
  // assigned a severity for this vulnerability.
  // Prefer this over PackageIssue.severity_name, which is deprecated.
  // NOTE(review): unlike `severity` above this is not marked "Output only";
  // whether a caller may set it is not established here — confirm, since
  // policy that gates on this value should not trust a client-supplied one.
  Severity effective_severity = 8;
}

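// This message wraps a location affected by a vulnerability and its
// associated fix (if one is available).
message PackageIssue {
  // Required. The location of the vulnerability.
  // proto3 cannot enforce presence; the service must validate that it is set.
  VulnerabilityLocation affected_location = 1;

  // The location of the available fix for vulnerability. Unset when no fix
  // is available.
  VulnerabilityLocation fixed_location = 2;

  // Deprecated, use Details.effective_severity instead.
  // The severity (e.g., distro assigned severity) for this vulnerability.
  // The field is kept (number 3 and its name must not be reused) and carries
  // the deprecated option so generated code warns on use; removing it later
  // requires reserving both the number and the name.
  string severity_name = 3 [deprecated = true];
}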

// The location of the vulnerability.
//
// Identifies one (cpe_uri, package, version) triple. Used for both the
// affected and the fixed location in PackageIssue and for
// Vulnerability.Detail.fixed_location.
message VulnerabilityLocation {
  // Required. The CPE URI in [cpe format](https://cpe.mitre.org/specification/)
  // format. Examples include distro or storage location for vulnerable jar.
  // "Required" is not enforced by proto3: an omitted field arrives as "" and
  // the schema does not validate CPE syntax, so the service must check both.
  string cpe_uri = 1;

  // Required. The package being described.
  // Presence is not enforced on the wire; validate in the service.
  string package = 2;

  // Required. The version of the package being described.
  // Message-typed, so presence is observable (has_version), but still not
  // enforced by the parser.
  grafeas.v1beta1.package.Version version = 3;
}