// This represents a Vulnerability Assessment.

VULNERABILITY_ASSESSMENT = 11;

import "grafeas/v1/vex.proto";

// A note describing a vulnerability assessment.

grafeas.v1.VulnerabilityAssessmentNote vulnerability_assessment = 20;

"AssessmentJustification": {

"type": "object",

"properties": {

"justificationType": {

"$ref": "#/definitions/JustificationJustificationType",

"description": "The justification type for this vulnerability."

},

"details": {

"type": "string",

"description": "Additional details on why this justification was chosen."

}

},

"description": "Justification provides the justification when the state of the\nassessment if NOT_AFFECTED."

},

"AssessmentRemediation": {

"type": "object",

"properties": {

"remediationType": {

"$ref": "#/definitions/RemediationRemediationType",

"description": "The type of remediation that can be applied."

},

"details": {

"type": "string",

"description": "Contains a comprehensive human-readable discussion of the remediation."

},

"remediationUri": {

"$ref": "#/definitions/v1RelatedUrl",

"description": "Contains the URL where to obtain the remediation."

}

},

"description": "Specifies details on how to handle (and presumably, fix) a vulnerability."

},

"AssessmentState": {

"type": "string",

"enum": [

"STATE_UNSPECIFIED",

"AFFECTED",

"NOT_AFFECTED",

"FIXED",

"UNDER_INVESTIGATION"

],

"default": "STATE_UNSPECIFIED",

"description": "Provides the state of this Vulnerability assessment.\n\n - STATE_UNSPECIFIED: No state is specified.\n - AFFECTED: This product is known to be affected by this vulnerability.\n - NOT_AFFECTED: This product is known to be not affected by this vulnerability.\n - FIXED: This product contains a fix for this vulnerability.\n - UNDER_INVESTIGATION: It is not known yet whether these versions are or are not affected\nby the vulnerability. However, it is still under investigation."

},

"JustificationJustificationType": {

"type": "string",

"enum": [

"JUSTIFICATION_TYPE_UNSPECIFIED",

"COMPONENT_NOT_PRESENT",

"VULNERABLE_CODE_NOT_PRESENT",

"VULNERABLE_CODE_NOT_IN_EXECUTE_PATH",

"VULNERABLE_CODE_CANNOT_BE_CONTROLLED_BY_ADVERSARY",

"INLINE_MITIGATIONS_ALREADY_EXIST"

],

"default": "JUSTIFICATION_TYPE_UNSPECIFIED",

"description": "Provides the type of justification.\n\n - JUSTIFICATION_TYPE_UNSPECIFIED: JUSTIFICATION_TYPE_UNSPECIFIED.\n - COMPONENT_NOT_PRESENT: The vulnerable component is not present in the product.\n - VULNERABLE_CODE_NOT_PRESENT: The vulnerable code is not present. Typically this case\noccurs when source code is configured or built in a way that excludes\nthe vulnerable code.\n - VULNERABLE_CODE_NOT_IN_EXECUTE_PATH: The vulnerable code can not be executed.\nTypically this case occurs when the product includes the vulnerable\ncode but does not call or use the vulnerable code.\n - VULNERABLE_CODE_CANNOT_BE_CONTROLLED_BY_ADVERSARY: The vulnerable code cannot be controlled by an attacker to exploit\nthe vulnerability.\n - INLINE_MITIGATIONS_ALREADY_EXIST: The product includes built-in protections or features that prevent\nexploitation of the vulnerability. These built-in protections cannot\nbe subverted by the attacker and cannot be configured or disabled by\nthe user. These mitigations completely prevent exploitation based on\nknown attack vectors."

},

"RemediationRemediationType": {

"type": "string",

"enum": [

"REMEDIATION_TYPE_UNSPECIFIED",

"MITIGATION",

"NO_FIX_PLANNED",

"NONE_AVAILABLE",

"VENDOR_FIX",

"WORKAROUND"

],

"default": "REMEDIATION_TYPE_UNSPECIFIED",

"description": "The type of remediation that can be applied.\n\n - REMEDIATION_TYPE_UNSPECIFIED: No remediation type specified.\n - MITIGATION: A MITIGATION is available.\n - NO_FIX_PLANNED: No fix is planned.\n - NONE_AVAILABLE: Not available.\n - VENDOR_FIX: A vendor fix is available.\n - WORKAROUND: A workaround is available."

},

"VulnerabilityAssessmentNoteAssessment": {

"type": "object",

"properties": {

"cve": {

"type": "string",

"description": "Holds the MITRE standard Common Vulnerabilities and Exposures (CVE)\ntracking number for the vulnerability."

},

"shortDescription": {

"type": "string",

"description": "A one sentence description of this Vex."

},

"longDescription": {

"type": "string",

"description": "A detailed description of this Vex."

},

"relatedUris": {

"type": "array",

"items": {

"$ref": "#/definitions/v1RelatedUrl"

},

"description": "Holds a list of references associated with this vulnerability item and\nassessment. These uris have additional information about the\nvulnerability and the assessment itself. E.g. Link to a document which\ndetails how this assessment concluded the state of this vulnerability."

},

"state": {

"$ref": "#/definitions/AssessmentState",

"description": "Provides the state of this Vulnerability assessment."

},

"impacts": {

"type": "array",

"items": {

"type": "string"

},

"description": "Contains information about the impact of this vulnerability,\nthis will change with time."

},

"justification": {

"$ref": "#/definitions/AssessmentJustification",

"description": "Justification provides the justification when the state of the\nassessment if NOT_AFFECTED."

},

"remediations": {

"type": "array",

"items": {

"$ref": "#/definitions/AssessmentRemediation"

},

"description": "Specifies details on how to handle (and presumably, fix) a vulnerability."

}

},

"description": "Assessment provides all information that is related to a single\nvulnerability for this product."

},

"VulnerabilityAssessmentNoteProduct": {

"type": "object",

"properties": {

"name": {

"type": "string",

"description": "Name of the product."

},

"id": {

"type": "string",

"description": "Token that identifies a product so that it can be referred to from other\nparts in the document. There is no predefined format as long as it\nuniquely identifies a group in the context of the current document."

},

"genericUri": {

"type": "string",

"description": "Contains a URI which is vendor-specific.\nExample: The artifact repository URL of an image."

}

},

"title": "Product contains information about a product and how to uniquely identify\nit.\n(-- api-linter: core::0123::resource-annotation=disabled\n aip.dev/not-precedent: Product is not a separate resource. --)"

},

"VulnerabilityAssessmentNotePublisher": {

"type": "object",

"properties": {

"name": {

"type": "string",

"description": "Name of the publisher.\nExamples: 'Google', 'Google Cloud Platform'."

},

"issuingAuthority": {

"type": "string",

"description": "Provides information about the authority of the issuing party to\nrelease the document, in particular, the party's constituency and\nresponsibilities or other obligations."

},

"publisherNamespace": {

"type": "string",

"title": "The context or namespace.\nContains a URL which is under control of the issuing party and can\nbe used as a globally unique identifier for that issuing party.\nExample: https://csaf.io"

}

},

"title": "Publisher contains information about the publisher of\nthis Note.\n(-- api-linter: core::0123::resource-annotation=disabled\n aip.dev/not-precedent: Publisher is not a separate resource. --)"

},

"VulnerabilityOccurrenceVexAssessment": {

"type": "object",

"properties": {

"cve": {

"type": "string",

"description": "Holds the MITRE standard Common Vulnerabilities and Exposures (CVE)\ntracking number for the vulnerability."

},

"relatedUris": {

"type": "array",

"items": {

"$ref": "#/definitions/v1RelatedUrl"

},

"description": "Holds a list of references associated with this vulnerability item and\nassessment."

},

"noteName": {

"type": "string",

"title": "The VulnerabilityAssessment note from which this VexAssessment was\ngenerated.\nThis will be of the form: `projects/[PROJECT_ID]/notes/[NOTE_ID]`.\n(-- api-linter: core::0122::name-suffix=disabled\n aip.dev/not-precedent: The suffix is kept for consistency. --)"

},

"state": {

"$ref": "#/definitions/AssessmentState",

"description": "Provides the state of this Vulnerability assessment."

},

"impacts": {

"type": "array",

"items": {

"type": "string"

},

"description": "Contains information about the impact of this vulnerability,\nthis will change with time."

},

"remediations": {

"type": "array",

"items": {

"$ref": "#/definitions/AssessmentRemediation"

},

"description": "Specifies details on how to handle (and presumably, fix) a vulnerability."

},

"justification": {

"$ref": "#/definitions/AssessmentJustification",

"description": "Justification provides the justification when the state of the\nassessment if NOT_AFFECTED."

}

},

"description": "VexAssessment provides all publisher provided Vex information that is\nrelated to this vulnerability."

},

},

"vulnerabilityAssessment": {

"$ref": "#/definitions/v1VulnerabilityAssessmentNote",

"description": "A note describing a vulnerability assessment."

"DSSE_ATTESTATION",

"VULNERABILITY_ASSESSMENT"

"description": "Kind represents the kinds of notes supported.\n\n - NOTE_KIND_UNSPECIFIED: Default value. This value is unused.\n - VULNERABILITY: The note and occurrence represent a package vulnerability.\n - BUILD: The note and occurrence assert build provenance.\n - IMAGE: This represents an image basis relationship.\n - PACKAGE: This represents a package installed via a package manager.\n - DEPLOYMENT: The note and occurrence track deployment events.\n - DISCOVERY: The note and occurrence track the initial discovery status of a resource.\n - ATTESTATION: This represents a logical \"role\" that can attest to artifacts.\n - UPGRADE: This represents an available package upgrade.\n - COMPLIANCE: This represents a Compliance Note\n - DSSE_ATTESTATION: This represents a DSSE attestation Note\n - VULNERABILITY_ASSESSMENT: This represents a Vulnerability Assessment."

"v1VulnerabilityAssessmentNote": {

"type": "object",

"properties": {

"title": {

"type": "string",

"title": "The title of the note. E.g. `Vex-Debian-11.4`"

},

"shortDescription": {

"type": "string",

"description": "A one sentence description of this Vex."

},

"longDescription": {

"type": "string",

"description": "A detailed description of this Vex."

},

"languageCode": {

"type": "string",

"description": "Identifies the language used by this document,\ncorresponding to IETF BCP 47 / RFC 5646."

},

"publisher": {

"$ref": "#/definitions/VulnerabilityAssessmentNotePublisher",

"description": "Publisher details of this Note."

},

"product": {

"$ref": "#/definitions/VulnerabilityAssessmentNoteProduct",

"description": "The product affected by this vex."

},

"assessment": {

"$ref": "#/definitions/VulnerabilityAssessmentNoteAssessment",

"description": "Represents a vulnerability assessment for the product."

}

},

"description": "A single VulnerabilityAssessmentNote represents\none particular product's vulnerability assessment for one CVE."

},

},

"vexAssessment": {

"$ref": "#/definitions/VulnerabilityOccurrenceVexAssessment"