REST Resource: projects.locations.instances.vulnerabilityReports

Resource: VulnerabilityReport

This API resource represents the vulnerability report for a specified Compute Engine virtual machine (VM) instance at a given point in time.

For more information, see Vulnerability reports.

JSON representation 
{
  "name": string,
  "vulnerabilities": [
    {
      object (Vulnerability)
    }
  ],
  "updateTime": string
}
Fields
name

string

Output only. The vulnerabilityReport API resource name.

Format: projects/{project_number}/locations/{location}/instances/{instance_id}/vulnerabilityReport
vulnerabilities[]

object (Vulnerability)

Output only. List of vulnerabilities affecting the VM.
updateTime

string (Timestamp format)

Output only. The timestamp for when the last vulnerability report was generated for the VM.

Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".

Vulnerability

A vulnerability affecting the VM instance.

JSON representation 
{
  "details": {
    object (Details)
  },
  "installedInventoryItemIds": [
    string
  ],
  "availableInventoryItemIds": [
    string
  ],
  "createTime": string,
  "updateTime": string,
  "items": [
    {
      object (Item)
    }
  ]
}
Fields
details

object (Details)

Contains metadata as per the upstream feed of the operating system and NVD.
installedInventoryItemIds[]
(deprecated)

string

Corresponds to the INSTALLED_PACKAGE inventory item on the VM. This field displays the inventory items affected by this vulnerability. If the vulnerability report was not updated after the VM inventory update, these values might not display in VM inventory. For some distros, this field may be empty.
availableInventoryItemIds[]
(deprecated)

string

Corresponds to the AVAILABLE_PACKAGE inventory item on the VM. If the vulnerability report was not updated after the VM inventory update, these values might not display in VM inventory. If there is no available fix, the field is empty. The inventory_item value specifies the latest SoftwarePackage available to the VM that fixes the vulnerability.
createTime

string (Timestamp format)

The timestamp for when the vulnerability was first detected.

Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".
updateTime

string (Timestamp format)

The timestamp for when the vulnerability was last modified.

Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".
items[]

object (Item)

List of items affected by the vulnerability.

Details

Contains metadata information for the vulnerability. This information is collected from the upstream feed of the operating system.

JSON representation 
{
  "cve": string,
  "cvssV2Score": number,
  "cvssV3": {
    object (CVSSv3)
  },
  "severity": string,
  "description": string,
  "references": [
    {
      object (Reference)
    }
  ]
}
Fields
cve

string

The CVE of the vulnerability. CVE cannot be empty and the combination of <cve, classification> should be unique across vulnerabilities for a VM.
cvssV2Score

number

The CVSS V2 score of this vulnerability. CVSS V2 score is on a scale of 0 - 10 where 0 indicates low severity and 10 indicates high severity.
cvssV3

object (CVSSv3)

The full description of the CVSSv3 for this vulnerability from NVD.
severity

string

Assigned severity/impact ranking from the distro.
description

string

The note or description describing the vulnerability from the distro.
references[]

object (Reference)

Corresponds to the references attached to the VulnerabilityDetails.

CVSSv3

Common Vulnerability Scoring System version 3. For details, see https://www.first.org/cvss/specification-document

JSON representation 
{
  "baseScore": number,
  "exploitabilityScore": number,
  "impactScore": number,
  "attackVector": enum (AttackVector),
  "attackComplexity": enum (AttackComplexity),
  "privilegesRequired": enum (PrivilegesRequired),
  "userInteraction": enum (UserInteraction),
  "scope": enum (Scope),
  "confidentialityImpact": enum (Impact),
  "integrityImpact": enum (Impact),
  "availabilityImpact": enum (Impact)
}
Fields
baseScore

number

The base score is a function of the base metric scores. https://www.first.org/cvss/specification-document#Base-Metrics
exploitabilityScore

number

The Exploitability sub-score equation is derived from the Base Exploitability metrics. https://www.first.org/cvss/specification-document#2-1-Exploitability-Metrics
impactScore

number

The Impact sub-score equation is derived from the Base Impact metrics.
attackVector

enum (AttackVector)

This metric reflects the context by which vulnerability exploitation is possible.
attackComplexity

enum (AttackComplexity)

This metric describes the conditions beyond the attacker's control that must exist in order to exploit the vulnerability.
privilegesRequired

enum (PrivilegesRequired)

This metric describes the level of privileges an attacker must possess before successfully exploiting the vulnerability.
userInteraction

enum (UserInteraction)

This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable component.
scope

enum (Scope)

The Scope metric captures whether a vulnerability in one vulnerable component impacts resources in components beyond its security scope.
confidentialityImpact

enum (Impact)

This metric measures the impact to the confidentiality of the information resources managed by a software component due to a successfully exploited vulnerability.
integrityImpact

enum (Impact)

This metric measures the impact to integrity of a successfully exploited vulnerability.
availabilityImpact

enum (Impact)

This metric measures the impact to the availability of the impacted component resulting from a successfully exploited vulnerability.

AttackVector

This metric reflects the context by which vulnerability exploitation is possible.

Enums
ATTACK_VECTOR_UNSPECIFIED Invalid value.
ATTACK_VECTOR_NETWORK The vulnerable component is bound to the network stack and the set of possible attackers extends beyond the other options listed below, up to and including the entire Internet.
ATTACK_VECTOR_ADJACENT The vulnerable component is bound to the network stack, but the attack is limited at the protocol level to a logically adjacent topology.
ATTACK_VECTOR_LOCAL The vulnerable component is not bound to the network stack and the attacker's path is via read/write/execute capabilities.
ATTACK_VECTOR_PHYSICAL The attack requires the attacker to physically touch or manipulate the vulnerable component.

AttackComplexity

This metric describes the conditions beyond the attacker's control that must exist in order to exploit the vulnerability.

Enums
ATTACK_COMPLEXITY_UNSPECIFIED Invalid value.
ATTACK_COMPLEXITY_LOW Specialized access conditions or extenuating circumstances do not exist. An attacker can expect repeatable success when attacking the vulnerable component.
ATTACK_COMPLEXITY_HIGH A successful attack depends on conditions beyond the attacker's control. That is, a successful attack cannot be accomplished at will, but requires the attacker to invest in some measurable amount of effort in preparation or execution against the vulnerable component before a successful attack can be expected.

PrivilegesRequired

This metric describes the level of privileges an attacker must possess before successfully exploiting the vulnerability.

Enums
PRIVILEGES_REQUIRED_UNSPECIFIED Invalid value.
PRIVILEGES_REQUIRED_NONE The attacker is unauthorized prior to attack, and therefore does not require any access to settings or files of the vulnerable system to carry out an attack.
PRIVILEGES_REQUIRED_LOW The attacker requires privileges that provide basic user capabilities that could normally affect only settings and files owned by a user. Alternatively, an attacker with Low privileges has the ability to access only non-sensitive resources.
PRIVILEGES_REQUIRED_HIGH The attacker requires privileges that provide significant (e.g., administrative) control over the vulnerable component allowing access to component-wide settings and files.

UserInteraction

This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable component.

Enums
USER_INTERACTION_UNSPECIFIED Invalid value.
USER_INTERACTION_NONE The vulnerable system can be exploited without interaction from any user.
USER_INTERACTION_REQUIRED Successful exploitation of this vulnerability requires a user to take some action before the vulnerability can be exploited.

Scope

The Scope metric captures whether a vulnerability in one vulnerable component impacts resources in components beyond its security scope.

Enums
SCOPE_UNSPECIFIED Invalid value.
SCOPE_UNCHANGED An exploited vulnerability can only affect resources managed by the same security authority.
SCOPE_CHANGED An exploited vulnerability can affect resources beyond the security scope managed by the security authority of the vulnerable component.

Impact

The Impact metrics capture the effects of a successfully exploited vulnerability on the component that suffers the worst outcome that is most directly and predictably associated with the attack.

Enums
IMPACT_UNSPECIFIED Invalid value.
IMPACT_HIGH High impact.
IMPACT_LOW Low impact.
IMPACT_NONE No impact.

Reference

A reference for this vulnerability.

JSON representation 
{
  "url": string,
  "source": string
}
Fields
url

string

The url of the reference.
source

string

The source of the reference e.g. NVD.

Item

OS inventory item that is affected by a vulnerability or fixed as a result of a vulnerability.

JSON representation 
{
  "installedInventoryItemId": string,
  "availableInventoryItemId": string,
  "fixedCpeUri": string,
  "upstreamFix": string
}
Fields
installedInventoryItemId

string

Corresponds to the INSTALLED_PACKAGE inventory item on the VM. This field displays the inventory items affected by this vulnerability. If the vulnerability report was not updated after the VM inventory update, these values might not display in VM inventory. For some operating systems, this field might be empty.
availableInventoryItemId

string

Corresponds to the AVAILABLE_PACKAGE inventory item on the VM. If the vulnerability report was not updated after the VM inventory update, these values might not display in VM inventory. If there is no available fix, the field is empty. The inventory_item value specifies the latest SoftwarePackage available to the VM that fixes the vulnerability.
fixedCpeUri

string

The recommended CPE URI update that contains a fix for this vulnerability.
upstreamFix

string

The upstream OS patch, packages or KB that fixes the vulnerability.

Methods

get

 Gets the vulnerability report for the specified VM instance.

list

 List vulnerability reports for all VM instances in the specified zone.