// Copyright 2023 The Grafeas Authors. All rights reserved.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//    http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

syntax = "proto3";

package grafeas.v1;

import "grafeas/v1/common.proto";

option go_package = "google.golang.org/genproto/googleapis/grafeas/v1;grafeas";
option java_multiple_files = true;
option java_package = "io.grafeas.v1";
option objc_class_prefix = "GRA";

// A single VulnerabilityAssessmentNote represents
// one particular product's vulnerability assessment for one CVE.
message VulnerabilityAssessmentNote {
  // The title of the note. E.g. `Vex-Debian-11.4`
  string title = 1;

  // A one sentence description of this Vex.
  string short_description = 2;

  // A detailed description of this Vex.
  string long_description = 3;

  // Identifies the language used by this document,
  // corresponding to IETF BCP 47 / RFC 5646.
  string language_code = 4;

  // Publisher contains information about the publisher of
  // this Note.
  // (-- api-linter: core::0123::resource-annotation=disabled
  //     aip.dev/not-precedent: Publisher is not a separate resource. --)
  message Publisher {
    // Name of the publisher.
    // Examples: 'Google', 'Google Cloud Platform'.
    string name = 1;

    // Provides information about the authority of the issuing party to
    // release the document, in particular, the party's constituency and
    // responsibilities or other obligations.
    string issuing_authority = 2;

    // The context or namespace.
    // Contains a URL which is under control of the issuing party and can
    // be used as a globally unique identifier for that issuing party.
    // Example: https://csaf.io
    string publisher_namespace = 3;
  }

  // Publisher details of this Note.
  Publisher publisher = 5;

  // Product contains information about a product and how to uniquely identify
  // it.
  // (-- api-linter: core::0123::resource-annotation=disabled
  //     aip.dev/not-precedent: Product is not a separate resource. --)
  message Product {
    // Name of the product.
    string name = 1;

    // Token that identifies a product so that it can be referred to from other
    // parts in the document. There is no predefined format as long as it
    // uniquely identifies a group in the context of the current document.
    string id = 2;

    oneof identifier {
      // Contains a URI which is vendor-specific.
      // Example: The artifact repository URL of an image.
      string generic_uri = 3;
    }
  }

  // The product affected by this vex.
  Product product = 6;

  // Assessment provides all information that is related to a single
  // vulnerability for this product.
  message Assessment {
    // Holds the MITRE standard Common Vulnerabilities and Exposures (CVE)
    // tracking number for the vulnerability.
    // Deprecated: Use vulnerability_id instead to denote CVEs.
    string cve = 1 [deprecated = true];

    // The vulnerability identifier for this Assessment. Will hold one of
    // common identifiers e.g. CVE, GHSA etc.
    string vulnerability_id = 9;

    // A one sentence description of this Vex.
    string short_description = 2;

    // A detailed description of this Vex.
    string long_description = 3;

    // Holds a list of references associated with this vulnerability item and
    // assessment. These uris have additional information about the
    // vulnerability and the assessment itself. E.g. Link to a document which
    // details how this assessment concluded the state of this vulnerability.
    repeated grafeas.v1.RelatedUrl related_uris = 4;

    // Provides the state of this Vulnerability assessment.
    enum State {
      // No state is specified.
      STATE_UNSPECIFIED = 0;
      // This product is known to be affected by this vulnerability.
      AFFECTED = 1;
      // This product is known to be not affected by this vulnerability.
      NOT_AFFECTED = 2;
      // This product contains a fix for this vulnerability.
      FIXED = 3;
      // It is not known yet whether these versions are or are not affected
      // by the vulnerability. However, it is still under investigation.
      UNDER_INVESTIGATION = 4;
    }

    // Provides the state of this Vulnerability assessment.
    State state = 5;

    // Contains information about the impact of this vulnerability,
    // this will change with time.
    repeated string impacts = 6;

    // Justification provides the justification when the state of the
    // assessment if NOT_AFFECTED.
    message Justification {
      // Provides the type of justification.
      enum JustificationType {
        // JUSTIFICATION_TYPE_UNSPECIFIED.
        JUSTIFICATION_TYPE_UNSPECIFIED = 0;
        // The vulnerable component is not present in the product.
        COMPONENT_NOT_PRESENT = 1;
        // The vulnerable code is not present. Typically this case
        // occurs when source code is configured or built in a way that excludes
        // the vulnerable code.
        VULNERABLE_CODE_NOT_PRESENT = 2;
        // The vulnerable code can not be executed.
        // Typically this case occurs when the product includes the vulnerable
        // code but does not call or use the vulnerable code.
        VULNERABLE_CODE_NOT_IN_EXECUTE_PATH = 3;
        // The vulnerable code cannot be controlled by an attacker to exploit
        // the vulnerability.
        VULNERABLE_CODE_CANNOT_BE_CONTROLLED_BY_ADVERSARY = 4;
        // The product includes built-in protections or features that prevent
        // exploitation of the vulnerability. These built-in protections cannot
        // be subverted by the attacker and cannot be configured or disabled by
        // the user. These mitigations completely prevent exploitation based on
        // known attack vectors.
        INLINE_MITIGATIONS_ALREADY_EXIST = 5;
      }

      // The justification type for this vulnerability.
      JustificationType justification_type = 1;

      // Additional details on why this justification was chosen.
      string details = 2;
    }

    // Justification provides the justification when the state of the
    // assessment if NOT_AFFECTED.
    Justification justification = 7;

    // Specifies details on how to handle (and presumably, fix) a vulnerability.
    message Remediation {
      // The type of remediation that can be applied.
      enum RemediationType {
        // No remediation type specified.
        REMEDIATION_TYPE_UNSPECIFIED = 0;
        // A MITIGATION is available.
        MITIGATION = 1;
        // No fix is planned.
        NO_FIX_PLANNED = 2;
        // Not available.
        NONE_AVAILABLE = 3;
        // A vendor fix is available.
        VENDOR_FIX = 4;
        // A workaround is available.
        WORKAROUND = 5;
      }

      // The type of remediation that can be applied.
      RemediationType remediation_type = 1;

      // Contains a comprehensive human-readable discussion of the remediation.
      string details = 2;

      // Contains the URL where to obtain the remediation.
      grafeas.v1.RelatedUrl remediation_uri = 3;
    }

    // Specifies details on how to handle (and presumably, fix) a vulnerability.
    repeated Remediation remediations = 8;
  }

  // Represents a vulnerability assessment for the product.
  Assessment assessment = 7;
}