// Copyright 2023 The Grafeas Authors. All rights reserved.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

syntax = "proto3";

package grafeas.v1;

import "grafeas/v1/common.proto";

option go_package = "google.golang.org/genproto/googleapis/grafeas/v1;grafeas";
option java_multiple_files = true;
option java_package = "io.grafeas.v1";
option objc_class_prefix = "GRA";

// A single VulnerabilityAssessmentNote represents one particular product's
// vulnerability assessment (a VEX statement) for one CVE. It pairs the party
// that issued the assessment (`publisher`), the product it applies to
// (`product`) and the assessment itself (`assessment`). The note carries no
// signature of its own, so whether its content is trusted is a decision the
// consumer makes based on where the note came from.
message VulnerabilityAssessmentNote {
  // The title of the note. E.g. `Vex-Debian-11.4`
  string title = 1;

  // A one sentence description of this VEX.
  string short_description = 2;

  // A detailed description of this VEX.
  string long_description = 3;

  // Identifies the language used by this document,
  // corresponding to IETF BCP 47 / RFC 5646.
  string language_code = 4;

  // Publisher contains information about the publisher of
  // this Note.
  // (-- api-linter: core::0123::resource-annotation=disabled
  //     aip.dev/not-precedent: Publisher is not a separate resource. --)
  message Publisher {
    // Name of the publisher.
    // Examples: 'Google', 'Google Cloud Platform'.
    // A display value; it is not required to be unique, so identify the
    // issuing party by `publisher_namespace` rather than by this field.
    string name = 1;

    // Provides information about the authority of the issuing party to
    // release the document, in particular, the party's constituency and
    // responsibilities or other obligations.
    string issuing_authority = 2;

    // The context or namespace.
    // Contains a URL which is under control of the issuing party and can
    // be used as a globally unique identifier for that issuing party.
    // Example: https://csaf.io
    // NOTE(review): nothing in this message proves control of the URL; a
    // consumer that keys trust on the publisher should confirm the mapping
    // from namespace to issuer out of band.
    string publisher_namespace = 3;
  }

  // Publisher details of this Note.
  Publisher publisher = 5;

  // Product contains information about a product and how to uniquely identify
  // it.
  // (-- api-linter: core::0123::resource-annotation=disabled
  //     aip.dev/not-precedent: Product is not a separate resource. --)
  message Product {
    // Name of the product.
    string name = 1;

    // Token that identifies a product so that it can be referred to from other
    // parts in the document. There is no predefined format as long as it
    // uniquely identifies a group in the context of the current document.
    string id = 2;

    // How the product is identified outside of this document. Kept in a oneof
    // so that further identifier kinds can be added later without touching
    // the existing one.
    oneof identifier {
      // Contains a URI which is vendor-specific.
      // Example: The artifact repository URL of an image.
      string generic_uri = 3;
    }
  }

  // The product this VEX statement is about. It is not necessarily affected;
  // see `Assessment.state`.
  Product product = 6;

  // Assessment provides all information that is related to a single
  // vulnerability for this product.
  message Assessment {
    // Holds the MITRE standard Common Vulnerabilities and Exposures (CVE)
    // tracking number for the vulnerability.
    string cve = 1;

    // A one sentence description of this VEX.
    string short_description = 2;

    // A detailed description of this VEX.
    string long_description = 3;

    // Holds a list of references associated with this vulnerability item and
    // assessment. These URIs have additional information about the
    // vulnerability and the assessment itself. E.g. Link to a document which
    // details how this assessment concluded the state of this vulnerability.
    // The URLs are supplied by the note's author; treat them as informational
    // references, not as trusted input.
    repeated grafeas.v1.RelatedUrl related_uris = 4;

    // Provides the state of this Vulnerability assessment.
    // The values carry no `STATE_` prefix (other than the zero value); since
    // the wire contract is fixed, new values should follow the existing
    // style rather than renaming these. proto3 preserves enum values a
    // reader does not know, so a consumer should handle an unrecognized
    // value like STATE_UNSPECIFIED rather than assume NOT_AFFECTED.
    enum State {
      // No state is specified.
      STATE_UNSPECIFIED = 0;
      // This product is known to be affected by this vulnerability.
      AFFECTED = 1;
      // This product is known to be not affected by this vulnerability.
      NOT_AFFECTED = 2;
      // This product contains a fix for this vulnerability.
      FIXED = 3;
      // It is not known yet whether these versions are or are not affected
      // by the vulnerability. However, it is still under investigation.
      UNDER_INVESTIGATION = 4;
    }

    // Provides the state of this Vulnerability assessment.
    State state = 5;

    // Contains information about the impact of this vulnerability,
    // this will change with time. Free-form text; no format is prescribed.
    repeated string impacts = 6;

    // Justification provides the justification when the state of the
    // assessment is NOT_AFFECTED.
    message Justification {
      // Provides the type of justification.
      enum JustificationType {
        // No justification type is specified.
        JUSTIFICATION_TYPE_UNSPECIFIED = 0;
        // The vulnerable component is not present in the product.
        COMPONENT_NOT_PRESENT = 1;
        // The vulnerable code is not present. Typically this case
        // occurs when source code is configured or built in a way that excludes
        // the vulnerable code.
        VULNERABLE_CODE_NOT_PRESENT = 2;
        // The vulnerable code can not be executed.
        // Typically this case occurs when the product includes the vulnerable
        // code but does not call or use the vulnerable code.
        VULNERABLE_CODE_NOT_IN_EXECUTE_PATH = 3;
        // The vulnerable code cannot be controlled by an attacker to exploit
        // the vulnerability.
        VULNERABLE_CODE_CANNOT_BE_CONTROLLED_BY_ADVERSARY = 4;
        // The product includes built-in protections or features that prevent
        // exploitation of the vulnerability. These built-in protections cannot
        // be subverted by the attacker and cannot be configured or disabled by
        // the user. These mitigations completely prevent exploitation based on
        // known attack vectors.
        INLINE_MITIGATIONS_ALREADY_EXIST = 5;
      }

      // The justification type for this vulnerability.
      JustificationType justification_type = 1;

      // Additional details on why this justification was chosen.
      string details = 2;
    }

    // Justification provides the justification when the state of the
    // assessment is NOT_AFFECTED. It is only meaningful together with
    // `state == NOT_AFFECTED`; the presence of a justification by itself
    // does not make the product unaffected.
    Justification justification = 7;

    // Specifies details on how to handle (and presumably, fix) a vulnerability.
    message Remediation {
      // The type of remediation that can be applied.
      enum RemediationType {
        // No remediation type specified.
        REMEDIATION_TYPE_UNSPECIFIED = 0;
        // A MITIGATION is available.
        MITIGATION = 1;
        // No fix is planned.
        NO_FIX_PLANNED = 2;
        // No remediation is available.
        NONE_AVAILABLE = 3;
        // A vendor fix is available.
        VENDOR_FIX = 4;
        // A workaround is available.
        WORKAROUND = 5;
      }

      // The type of remediation that can be applied.
      RemediationType remediation_type = 1;

      // Contains a comprehensive human-readable discussion of the remediation.
      string details = 2;

      // Contains the URL where to obtain the remediation. As with
      // `related_uris`, the URL comes from the note's author and should be
      // treated as a reference, not followed or applied automatically.
      grafeas.v1.RelatedUrl remediation_uri = 3;
    }

    // Specifies details on how to handle (and presumably, fix) a vulnerability.
    // May be empty, e.g. when the state is NOT_AFFECTED or no fix exists.
    repeated Remediation remediations = 8;
  }

  // Represents a vulnerability assessment for the product.
  Assessment assessment = 7;
}