diff --git a/grafeas/v1/vulnerability.proto b/grafeas/v1/vulnerability.proto
index f6543a8f6..27a5d238b 100644
--- a/grafeas/v1/vulnerability.proto
+++ b/grafeas/v1/vulnerability.proto
@@ -73,25 +73,42 @@ message VulnerabilityNote {
 // Required. The package this vulnerability affects.
 string affected_package = 5;
 
- // Required. The minimum version of the package this vulnerability affects.
- grafeas.v1.Version min_affected_version = 6;
-
- // The [CPE URI](https://cpe.mitre.org/specification/) this vulnerability
- // was fixed in. It is possible for this to be different from the
- // affected_cpe_uri.
- string fixed_cpe_uri = 7;
-
- // The package this vulnerability was fixed in. It is possible for this to
- // be different from the affected_package.
- string fixed_package = 8;
-
- // Required. The version of the package this vulnerability was fixed in.
- // Setting this to VersionKind.MAXIMUM means no fix is yet available.
- grafeas.v1.Version fixed_version = 9;
+ // The version number at the start of an interval in which this
+ // vulnerability exists. A vulnerability can affect a package between
+ // version numbers that are disjoint sets of intervals (example:
+ // [1.0.0-1.1.0], [2.4.6-2.4.8] and [4.5.6-4.6.8]) each of which will be
+ // represented in its own Detail. If a specific affected version is provided
+ // by a vulnerability database, affected_version_start and
+ // affected_version_end will be the same in that Detail.
+ grafeas.v1.Version affected_version_start = 6;
+
+ // The version number at the end of an interval in which this vulnerability
+ // exists. A vulnerability can affect a package between version numbers
+ // that are disjoint sets of intervals (example: [1.0.0-1.1.0],
+ // [2.4.6-2.4.8] and [4.5.6-4.6.8]) each of which will be represented in its
+ // own Detail. If a specific affected version is provided by a vulnerability
+ // database, affected_version_start and affected_version_end will be the
+ // same in that Detail.
+ grafeas.v1.Version affected_version_end = 7;
+
+ // The distro recommended [CPE URI](https://cpe.mitre.org/specification/)
+ // to update to that contains a fix for this vulnerability. It is possible
+ // for this to be different from the affected_cpe_uri.
+ string fixed_cpe_uri = 8;
+
+ // The distro recommended package to update to that contains a fix for this
+ // vulnerability. It is possible for this to be different from the
+ // affected_package.
+ string fixed_package = 9;
+
+ // The distro recommended version to update to that contains a
+ // fix for this vulnerability. Setting this to VersionKind.MAXIMUM means no
+ // such version is yet available.
+ grafeas.v1.Version fixed_version = 10;
 
 // Whether this detail is obsolete. Occurrences are expected not to point to
 // obsolete details.
- bool is_obsolete = 10;
+ bool is_obsolete = 11;
 }
 
 // The full description of the CVSSv3 for this vulnerability.
@@ -158,9 +175,9 @@ message VulnerabilityOccurrence {
 // Required. The package this vulnerability was found in.
 string affected_package = 2;
 
- // Required. The minimum version of the package this vulnerability exists
- // in.
- grafeas.v1.Version min_affected_version = 3;
+ // Required. The version of the package that is installed on the resource
+ // affected by this vulnerability.
+ grafeas.v1.Version affected_version = 3;
 
 // The [CPE URI](https://cpe.mitre.org/specification/) this vulnerability
 // was fixed in. It is possible for this to be different from the
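Review bot: The new numbering reuses tags that already carry other data: `affected_version_end` takes 7, which was `string fixed_cpe_uri`, and `fixed_cpe_uri`, `fixed_package`, `fixed_version` and `is_obsolete` each shift up by one to 8–11. Protobuf identifies fields by number, so a Detail written with the old schema would decode with the old package name landing in `fixed_cpe_uri`, the old Version bytes in `fixed_package`, and the old `is_obsolete` varint no longer matching what tag 10 expects. For vulnerability metadata that can mean a wrong or missing fix recommendation and obsolete details being treated as current. Unless v1 has no deployed readers, writers or stored notes yet (not visible from this hunk), keep 7–10 as they were and give the new field a number that has never been on the wire. The enclosing message begins above the hunk.

```protobuf
grafeas.v1.Version affected_version_start = 6;
// … unchanged: comments on the fixed_* fields and is_obsolete …
string fixed_cpe_uri = 7;
string fixed_package = 8;
grafeas.v1.Version fixed_version = 9;
bool is_obsolete = 10;
// … unchanged: comment describing the end of the affected interval …
grafeas.v1.Version affected_version_end = 11;
```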
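Review bot: Field 3 keeps its number and type while its meaning changes from the minimum affected version to the installed version, so an occurrence written by an older producer would be read as if it stated what is installed on the resource. Any consumer that compares this value with a fixed version to decide whether remediation is needed would then be working from the wrong input. If older producers or stored occurrences exist (not visible here), consider a fresh field number for `affected_version`, or at least add `reserved "min_affected_version";` so the old name cannot later be attached to a different field. The rename also changes the JSON key and generated accessors, which deserves a line in the field comment; the message body continues past the end of the hunk.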