forked from google/osv-scalibr
-
Notifications
You must be signed in to change notification settings - Fork 0
/
scan_result.proto
257 lines (232 loc) · 6.8 KB
/
scan_result.proto
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
/*
* Copyright 2024 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
syntax = "proto3";
package scalibr;
import "google/protobuf/timestamp.proto";
option go_package = "github.com/google/scalibr/binary/proto/scan_result_go_proto";
option java_multiple_files = true;
// The software inventory and security findings that a scan run found.
message ScanResult {
string version = 1;
google.protobuf.Timestamp start_time = 2;
google.protobuf.Timestamp end_time = 3;
// Status of the overall scan.
ScanStatus status = 4;
// Status and versions of the inventory+vuln plugins that ran.
repeated PluginStatus plugin_status = 5;
repeated Inventory inventories = 6;
repeated Finding findings = 7;
}
message ScanStatus {
ScanStatusEnum status = 1;
string failure_reason = 2;
enum ScanStatusEnum {
UNSPECIFIED = 0;
SUCCEEDED = 1;
PARTIALLY_SUCCEEDED = 2;
FAILED = 3;
}
}
message PluginStatus {
string name = 1;
int32 version = 2;
ScanStatus status = 3;
}
// A software package or library found by an extractor.
// PURL or CPE needs to be set, maybe both.
message Inventory {
reserved 3,17,18,19;
// Human-readable name of the software, to be used for things like logging.
// For vuln matching, use the name from metadata.
string name = 11;
// Version of the package.
string version = 12;
// Package URL of the software.
Purl purl = 1;
// Common Platform Enumerator
// https://csrc.nist.gov/Projects/Security-Content-Automation-Protocol/Specifications/cpe
repeated string cpes = 4;
// Paths or source of files related to the package.
repeated string locations = 2;
// The name of the InventoryExtractor that found this software. Set by the
// core library.
string extractor = 10;
// The additional data found in the package.
oneof metadata {
PythonPackageMetadata python_metadata = 5;
JavascriptPackageJSONMetadata javascript_metadata = 6;
APKPackageMetadata apk_metadata = 7;
DPKGPackageMetadata dpkg_metadata = 8;
RPMPackageMetadata rpm_metadata = 9;
COSPackageMetadata cos_metadata = 13;
SPDXPackageMetadata spdx_metadata = 14;
JavaArchiveMetadata java_archive_metadata = 15;
OSVPackageMetadata osv_metadata = 16;
}
}
// Package URL, see https://github.com/package-url/purl-spec
message Purl {
// String representation.
string purl = 1;
// Package type, e.g. "maven, npm, pypi".
string type = 2;
// Package name.
string name = 3;
// Package version.
string version = 4;
// Name prefix such as a Maven groupid, or Docker image owner.
string namespace = 5;
// Extra qualifying data for a package such as an OS, architecture, etc.
repeated Qualifier qualifiers = 6;
// Extra subpath within a package, relative to the package root.
string subpath = 7;
}
message Qualifier {
string key = 1;
string value = 2;
}
// A security finding found by a detector. It could describe things like a CVE
// or a CIS non-compliance.
message Finding {
// Info specific to the finding. Should always be the same for the same type
// of finding.
Advisory adv = 1;
// Instance-specific info such as location of the vulnerable files.
TargetDetails target = 2;
// Additional free-text info.
string extra = 3;
// The name of the Detectors that found this finding. Set by the core library.
repeated string detectors = 4;
}
message Advisory {
// A unique ID for the finding.
AdvisoryId id = 1;
TypeEnum type = 2;
string title = 3;
string description = 4;
// Remediation instructions, e.g. "update to latest version".
string recommendation = 5;
Severity sev = 6;
enum TypeEnum {
UNKNOWN = 0;
VULNERABILITY = 1;
CIS_FINDING = 2;
}
}
// A unique identifier per advisory.
message AdvisoryId {
string publisher = 1; // e.g. "CVE".
string reference = 2; // e.g. "CVE-2023-1234".
}
message Severity {
// Required severity enum. Can be used for e.g. prioritizing filed bugs.
SeverityEnum severity = 1;
// Optional CVSS scores, only set for vulns with CVEs.
CVSS cvss_v2 = 2;
CVSS cvss_v3 = 3;
enum SeverityEnum {
UNSPECIFIED = 0;
MINIMAL = 1;
LOW = 2;
MEDIUM = 3;
HIGH = 4;
CRITICAL = 5;
}
}
message CVSS {
float base_score = 1;
float temporal_score = 2;
float environmental_score = 3;
}
message TargetDetails {
// The software affected by the finding.
Inventory inventory = 1;
// Location of vulnerable files not related to the inventory,
// e.g. config files with misconfigurations.
repeated string location = 3;
}
// The additional data found in python packages.
message PythonPackageMetadata {
string author = 1;
string author_email = 2;
}
// The additional data found in npm packages.
message JavascriptPackageJSONMetadata {
string author = 1;
repeated string maintainers = 2;
repeated string contributors = 3;
}
// The additional data found in APK packages.
message APKPackageMetadata {
string package_name = 1;
string origin_name = 2;
string os_id = 3;
string os_version_id = 4;
string maintainer = 5;
string architecture = 6;
string license = 7;
}
// The additional data found in DPKG packages.
message DPKGPackageMetadata {
string package_name = 1;
string source_name = 2;
string source_version = 3;
string package_version = 4;
string os_id = 5;
string os_version_codename = 6;
string os_version_id = 7;
string maintainer = 8;
string architecture = 9;
}
// The additional data found in RPM packages.
message RPMPackageMetadata {
string package_name = 1;
string source_rpm = 2;
int32 epoch = 3;
string os_id = 4;
string os_version_id = 5;
string os_build_id = 6;
string os_name = 7;
string vendor = 8;
string architecture = 9;
string license = 10;
}
// The additional data found in COS packages.
message COSPackageMetadata {
string name = 1;
string version = 2;
string category = 3;
string os_version = 4;
string os_version_id = 5;
}
// The additional data for packages extracted from SPDX files.
message SPDXPackageMetadata {
Purl purl = 1;
repeated string cpes = 2;
}
// The additional data found in Java JAR packages.
message JavaArchiveMetadata {
string artifact_id = 2;
string group_id = 3;
string sha1 = 4;
}
// The additional data for packages extracted by an OSV extractor wrapper.
message OSVPackageMetadata {
string purl_type = 1;
string commit = 2;
string ecosystem = 3;
string compare_as = 4;
}