Google APIs
4 years ago
committed by
Copybara-Service
parent
9c7eb1f9a7
commit
31d2d3432d
7 changed files with 541 additions and 22 deletions
@ -0,0 +1,74 @@ |
|||||||
|
// Copyright 2021 Google LLC |
||||||
|
// |
||||||
|
// Licensed under the Apache License, Version 2.0 (the "License"); |
||||||
|
// you may not use this file except in compliance with the License. |
||||||
|
// You may obtain a copy of the License at |
||||||
|
// |
||||||
|
// http://www.apache.org/licenses/LICENSE-2.0 |
||||||
|
// |
||||||
|
// Unless required by applicable law or agreed to in writing, software |
||||||
|
// distributed under the License is distributed on an "AS IS" BASIS, |
||||||
|
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
||||||
|
// See the License for the specific language governing permissions and |
||||||
|
// limitations under the License. |
||||||
|
|
||||||
|
syntax = "proto3"; |
||||||
|
|
||||||
|
package google.cloud.osconfig.v1; |
||||||
|
|
||||||
|
import "google/api/annotations.proto"; |
||||||
|
import "google/api/client.proto"; |
||||||
|
import "google/api/resource.proto"; |
||||||
|
import "google/cloud/osconfig/v1/inventory.proto"; |
||||||
|
import "google/cloud/osconfig/v1/vulnerability.proto"; |
||||||
|
|
||||||
|
option csharp_namespace = "Google.Cloud.OsConfig.V1"; |
||||||
|
option go_package = "google.golang.org/genproto/googleapis/cloud/osconfig/v1;osconfig"; |
||||||
|
option java_multiple_files = true; |
||||||
|
option java_outer_classname = "OsConfigZonalServiceProto"; |
||||||
|
option java_package = "com.google.cloud.osconfig.v1"; |
||||||
|
option php_namespace = "Google\\Cloud\\OsConfig\\V1"; |
||||||
|
option ruby_package = "Google::Cloud::OsConfig::V1"; |
||||||
|
|
||||||
|
// Zonal OS Config API |
||||||
|
// |
||||||
|
// The OS Config service is the server-side component that allows users to |
||||||
|
// manage package installations and patch jobs for Compute Engine VM instances. |
||||||
|
service OsConfigZonalService { |
||||||
|
option (google.api.default_host) = "osconfig.googleapis.com"; |
||||||
|
option (google.api.oauth_scopes) = "https://www.googleapis.com/auth/cloud-platform"; |
||||||
|
|
||||||
|
// Get inventory data for the specified VM instance. If the VM has no |
||||||
|
// associated inventory, the message `NOT_FOUND` is returned. |
||||||
|
rpc GetInventory(GetInventoryRequest) returns (Inventory) { |
||||||
|
option (google.api.http) = { |
||||||
|
get: "/v1/{name=projects/*/locations/*/instances/*/inventory}" |
||||||
|
}; |
||||||
|
option (google.api.method_signature) = "name"; |
||||||
|
} |
||||||
|
|
||||||
|
// List inventory data for all VM instances in the specified zone. |
||||||
|
rpc ListInventories(ListInventoriesRequest) returns (ListInventoriesResponse) { |
||||||
|
option (google.api.http) = { |
||||||
|
get: "/v1/{parent=projects/*/locations/*/instances/*}/inventories" |
||||||
|
}; |
||||||
|
option (google.api.method_signature) = "parent"; |
||||||
|
} |
||||||
|
|
||||||
|
// Gets the vulnerability report for the specified VM instance. Only VMs with |
||||||
|
// inventory data have vulnerability reports associated with them. |
||||||
|
rpc GetVulnerabilityReport(GetVulnerabilityReportRequest) returns (VulnerabilityReport) { |
||||||
|
option (google.api.http) = { |
||||||
|
get: "/v1/{name=projects/*/locations/*/instances/*/vulnerabilityReport}" |
||||||
|
}; |
||||||
|
option (google.api.method_signature) = "name"; |
||||||
|
} |
||||||
|
|
||||||
|
// List vulnerability reports for all VM instances in the specified zone. |
||||||
|
rpc ListVulnerabilityReports(ListVulnerabilityReportsRequest) returns (ListVulnerabilityReportsResponse) { |
||||||
|
option (google.api.http) = { |
||||||
|
get: "/v1/{parent=projects/*/locations/*/instances/*}/vulnerabilityReports" |
||||||
|
}; |
||||||
|
option (google.api.method_signature) = "parent"; |
||||||
|
} |
||||||
|
} |
||||||
@ -0,0 +1,336 @@ |
|||||||
|
// Copyright 2021 Google LLC |
||||||
|
// |
||||||
|
// Licensed under the Apache License, Version 2.0 (the "License"); |
||||||
|
// you may not use this file except in compliance with the License. |
||||||
|
// You may obtain a copy of the License at |
||||||
|
// |
||||||
|
// http://www.apache.org/licenses/LICENSE-2.0 |
||||||
|
// |
||||||
|
// Unless required by applicable law or agreed to in writing, software |
||||||
|
// distributed under the License is distributed on an "AS IS" BASIS, |
||||||
|
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
||||||
|
// See the License for the specific language governing permissions and |
||||||
|
// limitations under the License. |
||||||
|
|
||||||
|
syntax = "proto3"; |
||||||
|
|
||||||
|
package google.cloud.osconfig.v1; |
||||||
|
|
||||||
|
import "google/api/field_behavior.proto"; |
||||||
|
import "google/api/resource.proto"; |
||||||
|
import "google/protobuf/timestamp.proto"; |
||||||
|
|
||||||
|
option csharp_namespace = "Google.Cloud.OsConfig.V1"; |
||||||
|
option go_package = "google.golang.org/genproto/googleapis/cloud/osconfig/v1;osconfig"; |
||||||
|
option java_multiple_files = true; |
||||||
|
option java_outer_classname = "VulnerabilityProto"; |
||||||
|
option java_package = "com.google.cloud.osconfig.v1"; |
||||||
|
option php_namespace = "Google\\Cloud\\OsConfig\\V1"; |
||||||
|
option ruby_package = "Google::Cloud::OsConfig::V1"; |
||||||
|
|
||||||
|
// This API resource represents the vulnerability report for a specified |
||||||
|
// Compute Engine virtual machine (VM) instance at a given point in time. |
||||||
|
// |
||||||
|
// For more information, see [Vulnerability |
||||||
|
// reports](https://cloud.google.com/compute/docs/instances/os-inventory-management#vulnerability-reports). |
||||||
|
message VulnerabilityReport { |
||||||
|
option (google.api.resource) = { |
||||||
|
type: "osconfig.googleapis.com/VulnerabilityReport" |
||||||
|
pattern: "projects/{project}/locations/{location}/instances/{instance}/vulnerabilityReport" |
||||||
|
}; |
||||||
|
|
||||||
|
// A vulnerability affecting the VM instance. |
||||||
|
message Vulnerability { |
||||||
|
// Contains metadata information for the vulnerability. This information is |
||||||
|
// collected from the upstream feed of the operating system. |
||||||
|
message Details { |
||||||
|
// A reference for this vulnerability. |
||||||
|
message Reference { |
||||||
|
// The url of the reference. |
||||||
|
string url = 1; |
||||||
|
|
||||||
|
// The source of the reference e.g. NVD. |
||||||
|
string source = 2; |
||||||
|
} |
||||||
|
|
||||||
|
// The CVE of the vulnerability. CVE cannot be |
||||||
|
// empty and the combination of <cve, classification> should be unique |
||||||
|
// across vulnerabilities for a VM. |
||||||
|
string cve = 1; |
||||||
|
|
||||||
|
// The CVSS V2 score of this vulnerability. CVSS V2 score is on a scale of |
||||||
|
// 0 - 10 where 0 indicates low severity and 10 indicates high severity. |
||||||
|
float cvss_v2_score = 2; |
||||||
|
|
||||||
|
// The full description of the CVSSv3 for this vulnerability from NVD. |
||||||
|
CVSSv3 cvss_v3 = 3; |
||||||
|
|
||||||
|
// Assigned severity/impact ranking from the distro. |
||||||
|
string severity = 4; |
||||||
|
|
||||||
|
// The note or description describing the vulnerability from the distro. |
||||||
|
string description = 5; |
||||||
|
|
||||||
|
// Corresponds to the references attached to the `VulnerabilityDetails`. |
||||||
|
repeated Reference references = 6; |
||||||
|
} |
||||||
|
|
||||||
|
// Contains metadata as per the upstream feed of the operating system and |
||||||
|
// NVD. |
||||||
|
Details details = 1; |
||||||
|
|
||||||
|
// Corresponds to the `INSTALLED_PACKAGE` inventory item on the VM. |
||||||
|
// This field displays the inventory items affected by this vulnerability. |
||||||
|
// If the vulnerability report was not updated after the VM inventory |
||||||
|
// update, these values might not display in VM inventory. For some distros, |
||||||
|
// this field may be empty. |
||||||
|
repeated string installed_inventory_item_ids = 2; |
||||||
|
|
||||||
|
// Corresponds to the `AVAILABLE_PACKAGE` inventory item on the VM. |
||||||
|
// If the vulnerability report was not updated after the VM inventory |
||||||
|
// update, these values might not display in VM inventory. If there is no |
||||||
|
// available fix, the field is empty. The `inventory_item` value specifies |
||||||
|
// the latest `SoftwarePackage` available to the VM that fixes the |
||||||
|
// vulnerability. |
||||||
|
repeated string available_inventory_item_ids = 3; |
||||||
|
|
||||||
|
// The timestamp for when the vulnerability was first detected. |
||||||
|
google.protobuf.Timestamp create_time = 4; |
||||||
|
|
||||||
|
// The timestamp for when the vulnerability was last modified. |
||||||
|
google.protobuf.Timestamp update_time = 5; |
||||||
|
} |
||||||
|
|
||||||
|
// Output only. The `vulnerabilityReport` API resource name. |
||||||
|
// |
||||||
|
// Format: |
||||||
|
// `projects/{project_number}/locations/{location}/instances/{instance_id}/vulnerabilityReport` |
||||||
|
string name = 1 [(google.api.field_behavior) = OUTPUT_ONLY]; |
||||||
|
|
||||||
|
// Output only. List of vulnerabilities affecting the VM. |
||||||
|
repeated Vulnerability vulnerabilities = 2 [(google.api.field_behavior) = OUTPUT_ONLY]; |
||||||
|
|
||||||
|
// Output only. The timestamp for when the last vulnerability report was generated for the |
||||||
|
// VM. |
||||||
|
google.protobuf.Timestamp update_time = 3 [(google.api.field_behavior) = OUTPUT_ONLY]; |
||||||
|
} |
||||||
|
|
||||||
|
// A request message for getting the vulnerability report for the specified VM. |
||||||
|
message GetVulnerabilityReportRequest { |
||||||
|
// Required. API resource name for vulnerability resource. |
||||||
|
// |
||||||
|
// Format: |
||||||
|
// `projects/{project}/locations/{location}/instances/{instance}/vulnerabilityReport` |
||||||
|
// |
||||||
|
// For `{project}`, either `project-number` or `project-id` can be provided. |
||||||
|
// For `{instance}`, either Compute Engine `instance-id` or `instance-name` |
||||||
|
// can be provided. |
||||||
|
string name = 1 [ |
||||||
|
(google.api.field_behavior) = REQUIRED, |
||||||
|
(google.api.resource_reference) = { |
||||||
|
type: "osconfig.googleapis.com/VulnerabilityReport" |
||||||
|
} |
||||||
|
]; |
||||||
|
} |
||||||
|
|
||||||
|
// A request message for listing vulnerability reports for all VM instances in |
||||||
|
// the specified location. |
||||||
|
message ListVulnerabilityReportsRequest { |
||||||
|
// Required. The parent resource name. |
||||||
|
// |
||||||
|
// Format: `projects/{project}/locations/{location}/instances/-` |
||||||
|
// |
||||||
|
// For `{project}`, either `project-number` or `project-id` can be provided. |
||||||
|
string parent = 1 [ |
||||||
|
(google.api.field_behavior) = REQUIRED, |
||||||
|
(google.api.resource_reference) = { |
||||||
|
type: "compute.googleapis.com/Instance" |
||||||
|
} |
||||||
|
]; |
||||||
|
|
||||||
|
// The maximum number of results to return. |
||||||
|
int32 page_size = 2; |
||||||
|
|
||||||
|
// A pagination token returned from a previous call to |
||||||
|
// `ListVulnerabilityReports` that indicates where this listing |
||||||
|
// should continue from. |
||||||
|
string page_token = 3; |
||||||
|
|
||||||
|
// If provided, this field specifies the criteria that must be met by a |
||||||
|
// `vulnerabilityReport` API resource to be included in the response. |
||||||
|
string filter = 4; |
||||||
|
} |
||||||
|
|
||||||
|
// A response message for listing vulnerability reports for all VM instances in |
||||||
|
// the specified location. |
||||||
|
message ListVulnerabilityReportsResponse { |
||||||
|
// List of vulnerabilityReport objects. |
||||||
|
repeated VulnerabilityReport vulnerability_reports = 1; |
||||||
|
|
||||||
|
// The pagination token to retrieve the next page of vulnerabilityReports |
||||||
|
// object. |
||||||
|
string next_page_token = 2; |
||||||
|
} |
||||||
|
|
||||||
|
// Common Vulnerability Scoring System version 3. |
||||||
|
// For details, see https://www.first.org/cvss/specification-document |
||||||
|
message CVSSv3 { |
||||||
|
// This metric reflects the context by which vulnerability exploitation is |
||||||
|
// possible. |
||||||
|
enum AttackVector { |
||||||
|
// Invalid value. |
||||||
|
ATTACK_VECTOR_UNSPECIFIED = 0; |
||||||
|
|
||||||
|
// The vulnerable component is bound to the network stack and the set of |
||||||
|
// possible attackers extends beyond the other options listed below, up to |
||||||
|
// and including the entire Internet. |
||||||
|
ATTACK_VECTOR_NETWORK = 1; |
||||||
|
|
||||||
|
// The vulnerable component is bound to the network stack, but the attack is |
||||||
|
// limited at the protocol level to a logically adjacent topology. |
||||||
|
ATTACK_VECTOR_ADJACENT = 2; |
||||||
|
|
||||||
|
// The vulnerable component is not bound to the network stack and the |
||||||
|
// attacker's path is via read/write/execute capabilities. |
||||||
|
ATTACK_VECTOR_LOCAL = 3; |
||||||
|
|
||||||
|
// The attack requires the attacker to physically touch or manipulate the |
||||||
|
// vulnerable component. |
||||||
|
ATTACK_VECTOR_PHYSICAL = 4; |
||||||
|
} |
||||||
|
|
||||||
|
// This metric describes the conditions beyond the attacker's control that |
||||||
|
// must exist in order to exploit the vulnerability. |
||||||
|
enum AttackComplexity { |
||||||
|
// Invalid value. |
||||||
|
ATTACK_COMPLEXITY_UNSPECIFIED = 0; |
||||||
|
|
||||||
|
// Specialized access conditions or extenuating circumstances do not exist. |
||||||
|
// An attacker can expect repeatable success when attacking the vulnerable |
||||||
|
// component. |
||||||
|
ATTACK_COMPLEXITY_LOW = 1; |
||||||
|
|
||||||
|
// A successful attack depends on conditions beyond the attacker's control. |
||||||
|
// That is, a successful attack cannot be accomplished at will, but requires |
||||||
|
// the attacker to invest in some measurable amount of effort in preparation |
||||||
|
// or execution against the vulnerable component before a successful attack |
||||||
|
// can be expected. |
||||||
|
ATTACK_COMPLEXITY_HIGH = 2; |
||||||
|
} |
||||||
|
|
||||||
|
// This metric describes the level of privileges an attacker must possess |
||||||
|
// before successfully exploiting the vulnerability. |
||||||
|
enum PrivilegesRequired { |
||||||
|
// Invalid value. |
||||||
|
PRIVILEGES_REQUIRED_UNSPECIFIED = 0; |
||||||
|
|
||||||
|
// The attacker is unauthorized prior to attack, and therefore does not |
||||||
|
// require any access to settings or files of the vulnerable system to |
||||||
|
// carry out an attack. |
||||||
|
PRIVILEGES_REQUIRED_NONE = 1; |
||||||
|
|
||||||
|
// The attacker requires privileges that provide basic user capabilities |
||||||
|
// that could normally affect only settings and files owned by a user. |
||||||
|
// Alternatively, an attacker with Low privileges has the ability to access |
||||||
|
// only non-sensitive resources. |
||||||
|
PRIVILEGES_REQUIRED_LOW = 2; |
||||||
|
|
||||||
|
// The attacker requires privileges that provide significant (e.g., |
||||||
|
// administrative) control over the vulnerable component allowing access to |
||||||
|
// component-wide settings and files. |
||||||
|
PRIVILEGES_REQUIRED_HIGH = 3; |
||||||
|
} |
||||||
|
|
||||||
|
// This metric captures the requirement for a human user, other than the |
||||||
|
// attacker, to participate in the successful compromise of the vulnerable |
||||||
|
// component. |
||||||
|
enum UserInteraction { |
||||||
|
// Invalid value. |
||||||
|
USER_INTERACTION_UNSPECIFIED = 0; |
||||||
|
|
||||||
|
// The vulnerable system can be exploited without interaction from any user. |
||||||
|
USER_INTERACTION_NONE = 1; |
||||||
|
|
||||||
|
// Successful exploitation of this vulnerability requires a user to take |
||||||
|
// some action before the vulnerability can be exploited. |
||||||
|
USER_INTERACTION_REQUIRED = 2; |
||||||
|
} |
||||||
|
|
||||||
|
// The Scope metric captures whether a vulnerability in one vulnerable |
||||||
|
// component impacts resources in components beyond its security scope. |
||||||
|
enum Scope { |
||||||
|
// Invalid value. |
||||||
|
SCOPE_UNSPECIFIED = 0; |
||||||
|
|
||||||
|
// An exploited vulnerability can only affect resources managed by the same |
||||||
|
// security authority. |
||||||
|
SCOPE_UNCHANGED = 1; |
||||||
|
|
||||||
|
// An exploited vulnerability can affect resources beyond the security scope |
||||||
|
// managed by the security authority of the vulnerable component. |
||||||
|
SCOPE_CHANGED = 2; |
||||||
|
} |
||||||
|
|
||||||
|
// The Impact metrics capture the effects of a successfully exploited |
||||||
|
// vulnerability on the component that suffers the worst outcome that is most |
||||||
|
// directly and predictably associated with the attack. |
||||||
|
enum Impact { |
||||||
|
// Invalid value. |
||||||
|
IMPACT_UNSPECIFIED = 0; |
||||||
|
|
||||||
|
// High impact. |
||||||
|
IMPACT_HIGH = 1; |
||||||
|
|
||||||
|
// Low impact. |
||||||
|
IMPACT_LOW = 2; |
||||||
|
|
||||||
|
// No impact. |
||||||
|
IMPACT_NONE = 3; |
||||||
|
} |
||||||
|
|
||||||
|
// The base score is a function of the base metric scores. |
||||||
|
// https://www.first.org/cvss/specification-document#Base-Metrics |
||||||
|
float base_score = 1; |
||||||
|
|
||||||
|
// The Exploitability sub-score equation is derived from the Base |
||||||
|
// Exploitability metrics. |
||||||
|
// https://www.first.org/cvss/specification-document#2-1-Exploitability-Metrics |
||||||
|
float exploitability_score = 2; |
||||||
|
|
||||||
|
// The Impact sub-score equation is derived from the Base Impact metrics. |
||||||
|
float impact_score = 3; |
||||||
|
|
||||||
|
// This metric reflects the context by which vulnerability exploitation is |
||||||
|
// possible. |
||||||
|
AttackVector attack_vector = 5; |
||||||
|
|
||||||
|
// This metric describes the conditions beyond the attacker's control that |
||||||
|
// must exist in order to exploit the vulnerability. |
||||||
|
AttackComplexity attack_complexity = 6; |
||||||
|
|
||||||
|
// This metric describes the level of privileges an attacker must possess |
||||||
|
// before successfully exploiting the vulnerability. |
||||||
|
PrivilegesRequired privileges_required = 7; |
||||||
|
|
||||||
|
// This metric captures the requirement for a human user, other than the |
||||||
|
// attacker, to participate in the successful compromise of the vulnerable |
||||||
|
// component. |
||||||
|
UserInteraction user_interaction = 8; |
||||||
|
|
||||||
|
// The Scope metric captures whether a vulnerability in one vulnerable |
||||||
|
// component impacts resources in components beyond its security scope. |
||||||
|
Scope scope = 9; |
||||||
|
|
||||||
|
// This metric measures the impact to the confidentiality of the information |
||||||
|
// resources managed by a software component due to a successfully exploited |
||||||
|
// vulnerability. |
||||||
|
Impact confidentiality_impact = 10; |
||||||
|
|
||||||
|
// This metric measures the impact to integrity of a successfully exploited |
||||||
|
// vulnerability. |
||||||
|
Impact integrity_impact = 11; |
||||||
|
|
||||||
|
// This metric measures the impact to the availability of the impacted |
||||||
|
// component resulting from a successfully exploited vulnerability. |
||||||
|
Impact availability_impact = 12; |
||||||
|
} |
||||||
Loading…
Reference in new issue