1// Copyright 2022 Google LLC
2//
3// Licensed under the Apache License, Version 2.0 (the "License");
4// you may not use this file except in compliance with the License.
5// You may obtain a copy of the License at
6//
7//     http://www.apache.org/licenses/LICENSE-2.0
8//
9// Unless required by applicable law or agreed to in writing, software
10// distributed under the License is distributed on an "AS IS" BASIS,
11// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12// See the License for the specific language governing permissions and
13// limitations under the License.
14
15syntax = "proto3";
16
17package cloud.kubernetes.security.containersecurity_logging;
18
19import "google/protobuf/timestamp.proto";
20
21option csharp_namespace = "Google.Cloud.Kubernetes.Security.ContainerSecurity.Logging";
22option go_package = "cloud.google.com/go/cloud/kubernetes/security/containersecurity_logging/containersecurity_loggingpb;containersecurity_loggingpb";
23option java_multiple_files = true;
24option java_outer_classname = "ContainerSecurityLoggingProto";
25option java_package = "com.google.cloud.kubernetes.security.containersecurity.logging";
26option php_namespace = "Google\\Cloud\\Kubernetes\\Security\\ContainerSecurity\\Logging";
27option ruby_package = "Google::Cloud::Kubernetes::Security::ContainerSecurity::Logging";
28
// Identifies a package vulnerability found within a workload.
//
// NOTE(review): the string fields here presumably originate from the
// vulnerability scanner and its upstream CVE database rather than from the
// cluster operator. Consumers that render, auto-link or forward these
// records (dashboards, SIEM, ticketing) should treat them as untrusted text,
// not as validated identifiers — confirm the producer's sanitisation
// guarantees before relying on them.
message Vulnerability {
  // Name of the package in which the vulnerability was detected.
  string package_name = 1;

  // Version of the package that is affected.
  string affected_package_version = 2;

  // Identifier of the vulnerability in the CVE system (CVE-YYYY-NNNN form).
  string cve_id = 3;

  // CPE URI of the affected package/component where the vulnerability was
  // detected.
  string cpe_uri = 4;

  // Severity assigned to this vulnerability. The `Severity` enum's numeric
  // values run from most to least severe (SEVERITY_CRITICAL = 1 ...
  // SEVERITY_LOW = 4); do not compare them as "higher number is worse".
  Severity severity = 5;

  // Overall CVSS base score.
  // proto3 implicit presence: an unset score is indistinguishable from a
  // literal 0.0, so a 0.0 here must not be read as "no risk" on its own —
  // consult `severity` and `cvss_vector` as well.
  float cvss_score = 6;

  // Detailed CVSS vector string, format
  // `CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N`. The leading
  // `CVSS:<version>/` prefix tells the consumer which CVSS version the
  // vector (and presumably `cvss_score`) was computed under.
  string cvss_vector = 7;

  // CPE URI of the package/component version in which the vulnerability is
  // fixed. An empty string presumably means no fix was known at scan time —
  // TODO confirm with the producer.
  string fixed_cpe_uri = 8;

  // Type of package, e.g. "os", "maven", "go". Kept as a free-form string
  // rather than an enum so new package ecosystems do not need a schema change.
  string package_type = 9;

  // Name of the package that contains the fix.
  string fixed_package = 10;

  // Version of the package in which the vulnerability is fixed. Empty
  // presumably means no fixed version is known — TODO confirm.
  string fixed_package_version = 11;

  // Detailed, human-readable description of the vulnerability.
  string description = 12;

  // Reference URLs into the source CVE database(s). Scanner-supplied data:
  // validate scheme and host before auto-linking or fetching them.
  repeated string related_urls = 13;

  // Container images in the workload that are affected by this vulnerability.
  repeated string affected_images = 14;
}
73
// A security concern for an asset (i.e. cluster, workload, etc). Each finding
// corresponds to a type of security concern. A finding is created during the
// scan of an asset by any one of the GKE Security Posture features that are
// enabled.
//
// NOTE(review): nothing in this message is a unique finding ID. Downstream
// alerting that wants to pair an ACTIVE event with its later REMEDIATED
// event presumably has to key on (`resource_name`, `type`, `finding`) —
// confirm against the producer before deduplicating on fewer fields.
message Finding {
  // The current state of the finding (e.g. still active, has been fixed etc).
  //
  // Values are not prefixed with the enum name (`STATE_ACTIVE` etc.). Renaming
  // them now would break generated code on a published API, so they are kept
  // as-is; do not add further unprefixed values to sibling enums.
  enum State {
    // Default value, only used to determine that nothing was specified.
    STATE_UNSPECIFIED = 0;

    // Active state means that the finding exists on the asset.
    ACTIVE = 1;

    // Remediated means that the finding has been fixed on the asset.
    REMEDIATED = 2;
  }

  // Fully qualified resource name of the k8s resource, e.g.:
  // {api}/{version}/namespaces/{namespace}/{kind}/{workload name}
  string resource_name = 1;

  // The type of security finding this is (misconfiguration or vulnerability).
  FindingType type = 2;

  // State determines whether the finding still exists or has been resolved.
  // Consumers must tolerate values not listed in `State` (unknown enum values
  // round-trip in proto3 as raw integers).
  State state = 3;

  // The human readable representation of the specific security finding.
  // e.g. RUN_AS_NONROOT, CVE_ID_0 etc depending on the type: presumably the
  // policy/check identifier for FINDING_TYPE_MISCONFIG and the CVE identifier
  // for FINDING_TYPE_VULNERABILITY — verify against live log samples.
  string finding = 4;

  // Severity determines the recommended actions for this finding.
  // Numeric enum values run from most to least severe (SEVERITY_CRITICAL = 1
  // ... SEVERITY_LOW = 4); do not compare them as "higher number is worse".
  Severity severity = 5;

  // The time this finding was found (state ACTIVE) or remediated
  // (state REMEDIATED).
  google.protobuf.Timestamp event_time = 6;

  // Specific details about the security finding if there are any.
  // `vulnerability` is the only member today, so misconfiguration findings
  // carry no details message; switch on the oneof case rather than assuming
  // `vulnerability` is set whenever `type` is set.
  oneof details {
    Vulnerability vulnerability = 7;
  }
}
116
// FindingType is an enumeration of all possible finding types in GKE Security
// Posture.
//
// Consumers should handle values outside this list gracefully: new finding
// types may be added, and proto3 preserves unknown enum values as integers.
enum FindingType {
  // Default value, unspecified. Never carries a real finding type.
  FINDING_TYPE_UNSPECIFIED = 0;

  // Workload misconfiguration policy audit (e.g. a pod security check such
  // as RUN_AS_NONROOT failing).
  FINDING_TYPE_MISCONFIG = 1;

  // Workload vulnerabilities scanning (package CVEs found in images); the
  // `Finding.details.vulnerability` message carries the specifics.
  FINDING_TYPE_VULNERABILITY = 2;
}
129
// Severity is an enumeration of all the possible severities of a violation.
//
// The numeric values are ordered from most to least severe (1 = CRITICAL,
// 4 = LOW), i.e. the OPPOSITE of the common "higher is worse" convention.
// Code that sorts or thresholds on the raw integer must account for this,
// and must not treat SEVERITY_UNSPECIFIED (0) as "more severe than critical".
enum Severity {
  // Default value, only used to determine that nothing was specified.
  SEVERITY_UNSPECIFIED = 0;

  // SEVERITY_CRITICAL recommends taking action immediately.
  SEVERITY_CRITICAL = 1;

  // SEVERITY_HIGH recommends taking action if possible.
  SEVERITY_HIGH = 2;

  // SEVERITY_MEDIUM recommends investigation.
  SEVERITY_MEDIUM = 3;

  // SEVERITY_LOW recommends being aware of the problem.
  SEVERITY_LOW = 4;
}
147