// Copyright 2018 The Grafeas Authors. All rights reserved.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//    http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

syntax = "proto3";

package grafeas.v1beta1.vulnerability;

import "google/protobuf/timestamp.proto";
import "google/devtools/containeranalysis/v1beta1/common/common.proto";
import "google/devtools/containeranalysis/v1beta1/cvss/cvss.proto";
import "google/devtools/containeranalysis/v1beta1/package/package.proto";

option go_package = "google.golang.org/genproto/googleapis/devtools/containeranalysis/v1beta1/vulnerability;vulnerability";
option java_multiple_files = true;
option java_package = "io.grafeas.v1beta1.vulnerability";
option objc_class_prefix = "GRA";

// Note provider-assigned severity/impact ranking.
enum Severity {
  // Unknown.
  SEVERITY_UNSPECIFIED = 0;
  // Minimal severity.
  MINIMAL = 1;
  // Low severity.
  LOW = 2;
  // Medium severity.
  MEDIUM = 3;
  // High severity.
  HIGH = 4;
  // Critical severity.
  CRITICAL = 5;
}

// Vulnerability provides metadata about a security vulnerability in a Note.
message Vulnerability {
  // The CVSS score for this vulnerability.
  float cvss_score = 1;

  // Note provider assigned impact of the vulnerability.
  Severity severity = 2;

  // All information about the package to specifically identify this
  // vulnerability. One entry per (version range and cpe_uri) the package
  // vulnerability has manifested in.
  repeated Detail details = 3;

  // Identifies all appearances of this vulnerability in the package for a
  // specific distro/location. For example: glibc in
  // cpe:/o:debian:debian_linux:8 for versions 2.1 - 2.2
  message Detail {
    // Required. The CPE URI in
    // [cpe format](https://cpe.mitre.org/specification/) in which the
    // vulnerability manifests. Examples include distro or storage location for
    // vulnerable jar.
    string cpe_uri = 1;

    // Required. The name of the package where the vulnerability was found.
    string package = 2;

    // The min version of the package in which the vulnerability exists.
    grafeas.v1beta1.package.Version min_affected_version = 3;

    // The max version of the package in which the vulnerability exists.
    grafeas.v1beta1.package.Version max_affected_version = 4;

    // The severity (eg: distro assigned severity) for this vulnerability.
    string severity_name = 5;

    // A vendor-specific description of this note.
    string description = 6;

    // The fix for this specific package version.
    VulnerabilityLocation fixed_location = 7;

    // The type of package; whether native or non native(ruby gems, node.js
    // packages etc).
    string package_type = 8;

    // Whether this detail is obsolete. Occurrences are expected not to point to
    // obsolete details.
    bool is_obsolete = 9;

    // The time this information was last changed at the source. This is an
    // upstream timestamp from the underlying information source - e.g. Ubuntu
    // security tracker.
    google.protobuf.Timestamp source_update_time = 10;
  }

  // The full description of the CVSSv3.
  CVSSv3 cvss_v3 = 4;

  // Windows details get their own format because the information format and
  // model don't match a normal detail. Specifically Windows updates are done as
  // patches, thus Windows vulnerabilities really are a missing package, rather
  // than a package being at an incorrect version.
  repeated WindowsDetail windows_details = 5;

  message WindowsDetail {
    // Required. The CPE URI in
    // [cpe format](https://cpe.mitre.org/specification/) in which the
    // vulnerability manifests. Examples include distro or storage location for
    // vulnerable jar.
    string cpe_uri = 1;

    // Required. The name of the vulnerability.
    string name = 2;

    // The description of the vulnerability.
    string description = 3;

    // Required. The names of the KBs which have hotfixes to mitigate this
    // vulnerability. Note that there may be multiple hotfixes (and thus
    // multiple KBs) that mitigate a given vulnerability. Currently any listed
    // kb's presence is considered a fix.
    repeated KnowledgeBase fixing_kbs = 4;

    message KnowledgeBase {
      // The KB name (generally of the form KB[0-9]+ i.e. KB123456).
      string name = 1;
      // A link to the KB in the Windows update catalog -
      // https://www.catalog.update.microsoft.com/
      string url = 2;
    }
  }

  // The time this information was last changed at the source. This is an
  // upstream timestamp from the underlying information source - e.g. Ubuntu
  // security tracker.
  google.protobuf.Timestamp source_update_time = 6;

  // Next free ID is 7.
}

// Details of a vulnerability Occurrence.
message Details {
  // The type of package; whether native or non native(ruby gems, node.js
  // packages etc)
  string type = 1;

  // Output only. The note provider assigned Severity of the vulnerability.
  Severity severity = 2;

  // Output only. The CVSS score of this vulnerability. CVSS score is on a
  // scale of 0-10 where 0 indicates low severity and 10 indicates high
  // severity.
  float cvss_score = 3;

  // Required. The set of affected locations and their fixes (if available)
  // within the associated resource.
  repeated PackageIssue package_issue = 4;

  // Output only. A one sentence description of this vulnerability.
  string short_description = 5;

  // Output only. A detailed description of this vulnerability.
  string long_description = 6;

  // Output only. URLs related to this vulnerability.
  repeated grafeas.v1beta1.RelatedUrl related_urls = 7;

  // The distro assigned severity for this vulnerability when it is
  // available, and note provider assigned severity when distro has not yet
  // assigned a severity for this vulnerability.
  Severity effective_severity = 8;
}

// This message wraps a location affected by a vulnerability and its
// associated fix (if one is available).
message PackageIssue {
  // Required. The location of the vulnerability.
  VulnerabilityLocation affected_location = 1;

  // The location of the available fix for vulnerability.
  VulnerabilityLocation fixed_location = 2;

  // Deprecated, use Details.effective_severity instead
  // The severity (e.g., distro assigned severity) for this vulnerability.
  string severity_name = 3;
}

// The location of the vulnerability.
message VulnerabilityLocation {
  // Required. The CPE URI in [cpe format](https://cpe.mitre.org/specification/)
  // format. Examples include distro or storage location for vulnerable jar.
  string cpe_uri = 1;

  // Required. The package being described.
  string package = 2;

  // Required. The version of the package being described.
  grafeas.v1beta1.package.Version version = 3;
}