// Copyright 2022 Google LLC // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. // You may obtain a copy of the License at // // http://www.apache.org/licenses/LICENSE-2.0 // // Unless required by applicable law or agreed to in writing, software // distributed under the License is distributed on an "AS IS" BASIS, // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. // See the License for the specific language governing permissions and // limitations under the License. syntax = "proto3"; package google.cloud.securitycenter.v1; option csharp_namespace = "Google.Cloud.SecurityCenter.V1"; option go_package = "google.golang.org/genproto/googleapis/cloud/securitycenter/v1;securitycenter"; option java_multiple_files = true; option java_outer_classname = "VulnerabilityProto"; option java_package = "com.google.cloud.securitycenter.v1"; option php_namespace = "Google\\Cloud\\SecurityCenter\\V1"; option ruby_package = "Google::Cloud::SecurityCenter::V1"; // Refers to common vulnerability fields e.g. cve, cvss, cwe etc. message Vulnerability { // CVE stands for Common Vulnerabilities and Exposures // (https://cve.mitre.org/about/) Cve cve = 1; } // CVE stands for Common Vulnerabilities and Exposures. // More information: https://cve.mitre.org message Cve { // The unique identifier for the vulnerability. e.g. CVE-2021-34527 string id = 1; // Additional information about the CVE. // e.g. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34527 repeated Reference references = 2; // Describe Common Vulnerability Scoring System specified at // https://www.first.org/cvss/v3.1/specification-document Cvssv3 cvssv3 = 3; // Whether upstream fix is available for the CVE. bool upstream_fix_available = 4; } // Additional Links message Reference { // Source of the reference e.g. NVD string source = 1; // Uri for the mentioned source e.g. // https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34527. string uri = 2; } // Common Vulnerability Scoring System version 3. message Cvssv3 { // This metric reflects the context by which vulnerability exploitation is // possible. enum AttackVector { // Invalid value. ATTACK_VECTOR_UNSPECIFIED = 0; // The vulnerable component is bound to the network stack and the set of // possible attackers extends beyond the other options listed below, up to // and including the entire Internet. ATTACK_VECTOR_NETWORK = 1; // The vulnerable component is bound to the network stack, but the attack is // limited at the protocol level to a logically adjacent topology. ATTACK_VECTOR_ADJACENT = 2; // The vulnerable component is not bound to the network stack and the // attacker's path is via read/write/execute capabilities. ATTACK_VECTOR_LOCAL = 3; // The attack requires the attacker to physically touch or manipulate the // vulnerable component. ATTACK_VECTOR_PHYSICAL = 4; } // This metric describes the conditions beyond the attacker's control that // must exist in order to exploit the vulnerability. enum AttackComplexity { // Invalid value. ATTACK_COMPLEXITY_UNSPECIFIED = 0; // Specialized access conditions or extenuating circumstances do not exist. // An attacker can expect repeatable success when attacking the vulnerable // component. ATTACK_COMPLEXITY_LOW = 1; // A successful attack depends on conditions beyond the attacker's control. // That is, a successful attack cannot be accomplished at will, but requires // the attacker to invest in some measurable amount of effort in preparation // or execution against the vulnerable component before a successful attack // can be expected. ATTACK_COMPLEXITY_HIGH = 2; } // This metric describes the level of privileges an attacker must possess // before successfully exploiting the vulnerability. enum PrivilegesRequired { // Invalid value. PRIVILEGES_REQUIRED_UNSPECIFIED = 0; // The attacker is unauthorized prior to attack, and therefore does not // require any access to settings or files of the vulnerable system to // carry out an attack. PRIVILEGES_REQUIRED_NONE = 1; // The attacker requires privileges that provide basic user capabilities // that could normally affect only settings and files owned by a user. // Alternatively, an attacker with Low privileges has the ability to access // only non-sensitive resources. PRIVILEGES_REQUIRED_LOW = 2; // The attacker requires privileges that provide significant (e.g., // administrative) control over the vulnerable component allowing access to // component-wide settings and files. PRIVILEGES_REQUIRED_HIGH = 3; } // This metric captures the requirement for a human user, other than the // attacker, to participate in the successful compromise of the vulnerable // component. enum UserInteraction { // Invalid value. USER_INTERACTION_UNSPECIFIED = 0; // The vulnerable system can be exploited without interaction from any user. USER_INTERACTION_NONE = 1; // Successful exploitation of this vulnerability requires a user to take // some action before the vulnerability can be exploited. USER_INTERACTION_REQUIRED = 2; } // The Scope metric captures whether a vulnerability in one vulnerable // component impacts resources in components beyond its security scope. enum Scope { // Invalid value. SCOPE_UNSPECIFIED = 0; // An exploited vulnerability can only affect resources managed by the same // security authority. SCOPE_UNCHANGED = 1; // An exploited vulnerability can affect resources beyond the security scope // managed by the security authority of the vulnerable component. SCOPE_CHANGED = 2; } // The Impact metrics capture the effects of a successfully exploited // vulnerability on the component that suffers the worst outcome that is most // directly and predictably associated with the attack. enum Impact { // Invalid value. IMPACT_UNSPECIFIED = 0; // High impact. IMPACT_HIGH = 1; // Low impact. IMPACT_LOW = 2; // No impact. IMPACT_NONE = 3; } // The base score is a function of the base metric scores. double base_score = 1; // Base Metrics // Represents the intrinsic characteristics of a vulnerability that are // constant over time and across user environments. // This metric reflects the context by which vulnerability exploitation is // possible. AttackVector attack_vector = 5; // This metric describes the conditions beyond the attacker's control that // must exist in order to exploit the vulnerability. AttackComplexity attack_complexity = 6; // This metric describes the level of privileges an attacker must possess // before successfully exploiting the vulnerability. PrivilegesRequired privileges_required = 7; // This metric captures the requirement for a human user, other than the // attacker, to participate in the successful compromise of the vulnerable // component. UserInteraction user_interaction = 8; // The Scope metric captures whether a vulnerability in one vulnerable // component impacts resources in components beyond its security scope. Scope scope = 9; // This metric measures the impact to the confidentiality of the information // resources managed by a software component due to a successfully exploited // vulnerability. Impact confidentiality_impact = 10; // This metric measures the impact to integrity of a successfully exploited // vulnerability. Impact integrity_impact = 11; // This metric measures the impact to the availability of the impacted // component resulting from a successfully exploited vulnerability. Impact availability_impact = 12; }