- Resource: VulnerabilityReport
- Vulnerability
- Details
- CVSSv3
- AttackVector
- AttackComplexity
- PrivilegesRequired
- UserInteraction
- Scope
- Impact
- Reference
- Item
- Methods
Resource: VulnerabilityReport
This API resource represents the vulnerability report for a specified Compute Engine virtual machine (VM) instance at a given point in time.
For more information, see Vulnerability reports.
JSON representation |
---|
{
"name": string,
"vulnerabilities": [
{
object ( |
Fields | |
---|---|
name |
Output only. The Format: |
vulnerabilities[] |
Output only. List of vulnerabilities affecting the VM. |
update |
Output only. The timestamp for when the last vulnerability report was generated for the VM. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: |
Vulnerability
A vulnerability affecting the VM instance.
JSON representation |
---|
{ "details": { object ( |
Fields | |
---|---|
details |
Contains metadata as per the upstream feed of the operating system and NVD. |
installedInventoryItemIds[] |
Corresponds to the |
availableInventoryItemIds[] |
Corresponds to the |
create |
The timestamp for when the vulnerability was first detected. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: |
update |
The timestamp for when the vulnerability was last modified. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: |
items[] |
List of items affected by the vulnerability. |
Details
Contains metadata information for the vulnerability. This information is collected from the upstream feed of the operating system.
JSON representation |
---|
{ "cve": string, "cvssV2Score": number, "cvssV3": { object ( |
Fields | |
---|---|
cve |
The CVE of the vulnerability. CVE cannot be empty and the combination of <cve, classification> should be unique across vulnerabilities for a VM. |
cvss |
The CVSS V2 score of this vulnerability. CVSS V2 score is on a scale of 0 - 10 where 0 indicates low severity and 10 indicates high severity. |
cvss |
The full description of the CVSSv3 for this vulnerability from NVD. |
severity |
Assigned severity/impact ranking from the distro. |
description |
The note or description describing the vulnerability from the distro. |
references[] |
Corresponds to the references attached to the |
CVSSv3
Common Vulnerability Scoring System version 3. For details, see https://www.first.org/cvss/specification-document
JSON representation |
---|
{ "baseScore": number, "exploitabilityScore": number, "impactScore": number, "attackVector": enum ( |
Fields | |
---|---|
base |
The base score is a function of the base metric scores. https://www.first.org/cvss/specification-document#Base-Metrics |
exploitability |
The Exploitability sub-score equation is derived from the Base Exploitability metrics. https://www.first.org/cvss/specification-document#2-1-Exploitability-Metrics |
impact |
The Impact sub-score equation is derived from the Base Impact metrics. |
attack |
This metric reflects the context by which vulnerability exploitation is possible. |
attack |
This metric describes the conditions beyond the attacker's control that must exist in order to exploit the vulnerability. |
privileges |
This metric describes the level of privileges an attacker must possess before successfully exploiting the vulnerability. |
user |
This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable component. |
scope |
The Scope metric captures whether a vulnerability in one vulnerable component impacts resources in components beyond its security scope. |
confidentiality |
This metric measures the impact to the confidentiality of the information resources managed by a software component due to a successfully exploited vulnerability. |
integrity |
This metric measures the impact to integrity of a successfully exploited vulnerability. |
availability |
This metric measures the impact to the availability of the impacted component resulting from a successfully exploited vulnerability. |
AttackVector
This metric reflects the context by which vulnerability exploitation is possible.
Enums | |
---|---|
ATTACK_VECTOR_UNSPECIFIED |
Invalid value. |
ATTACK_VECTOR_NETWORK |
The vulnerable component is bound to the network stack and the set of possible attackers extends beyond the other options listed below, up to and including the entire Internet. |
ATTACK_VECTOR_ADJACENT |
The vulnerable component is bound to the network stack, but the attack is limited at the protocol level to a logically adjacent topology. |
ATTACK_VECTOR_LOCAL |
The vulnerable component is not bound to the network stack and the attacker's path is via read/write/execute capabilities. |
ATTACK_VECTOR_PHYSICAL |
The attack requires the attacker to physically touch or manipulate the vulnerable component. |
AttackComplexity
This metric describes the conditions beyond the attacker's control that must exist in order to exploit the vulnerability.
Enums | |
---|---|
ATTACK_COMPLEXITY_UNSPECIFIED |
Invalid value. |
ATTACK_COMPLEXITY_LOW |
Specialized access conditions or extenuating circumstances do not exist. An attacker can expect repeatable success when attacking the vulnerable component. |
ATTACK_COMPLEXITY_HIGH |
A successful attack depends on conditions beyond the attacker's control. That is, a successful attack cannot be accomplished at will, but requires the attacker to invest in some measurable amount of effort in preparation or execution against the vulnerable component before a successful attack can be expected. |
PrivilegesRequired
This metric describes the level of privileges an attacker must possess before successfully exploiting the vulnerability.
Enums | |
---|---|
PRIVILEGES_REQUIRED_UNSPECIFIED |
Invalid value. |
PRIVILEGES_REQUIRED_NONE |
The attacker is unauthorized prior to attack, and therefore does not require any access to settings or files of the vulnerable system to carry out an attack. |
PRIVILEGES_REQUIRED_LOW |
The attacker requires privileges that provide basic user capabilities that could normally affect only settings and files owned by a user. Alternatively, an attacker with Low privileges has the ability to access only non-sensitive resources. |
PRIVILEGES_REQUIRED_HIGH |
The attacker requires privileges that provide significant (e.g., administrative) control over the vulnerable component allowing access to component-wide settings and files. |
UserInteraction
This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable component.
Enums | |
---|---|
USER_INTERACTION_UNSPECIFIED |
Invalid value. |
USER_INTERACTION_NONE |
The vulnerable system can be exploited without interaction from any user. |
USER_INTERACTION_REQUIRED |
Successful exploitation of this vulnerability requires a user to take some action before the vulnerability can be exploited. |
Scope
The Scope metric captures whether a vulnerability in one vulnerable component impacts resources in components beyond its security scope.
Enums | |
---|---|
SCOPE_UNSPECIFIED |
Invalid value. |
SCOPE_UNCHANGED |
An exploited vulnerability can only affect resources managed by the same security authority. |
SCOPE_CHANGED |
An exploited vulnerability can affect resources beyond the security scope managed by the security authority of the vulnerable component. |
Impact
The Impact metrics capture the effects of a successfully exploited vulnerability on the component that suffers the worst outcome that is most directly and predictably associated with the attack.
Enums | |
---|---|
IMPACT_UNSPECIFIED |
Invalid value. |
IMPACT_HIGH |
High impact. |
IMPACT_LOW |
Low impact. |
IMPACT_NONE |
No impact. |
Reference
A reference for this vulnerability.
JSON representation |
---|
{ "url": string, "source": string } |
Fields | |
---|---|
url |
The url of the reference. |
source |
The source of the reference e.g. NVD. |
Item
OS inventory item that is affected by a vulnerability or fixed as a result of a vulnerability.
JSON representation |
---|
{ "installedInventoryItemId": string, "availableInventoryItemId": string, "fixedCpeUri": string, "upstreamFix": string } |
Fields | |
---|---|
installed |
Corresponds to the |
available |
Corresponds to the |
fixed |
The recommended CPE URI update that contains a fix for this vulnerability. |
upstream |
The upstream OS patch, packages or KB that fixes the vulnerability. |
Methods |
|
---|---|
|
Gets the vulnerability report for the specified VM instance. |
|
List vulnerability reports for all VM instances in the specified zone. |