
# UpdateVersionUpgrade

> Updates a version upgrade.



## OpenAPI

````yaml /api-reference/openapi.v3.json patch /v1/namespaces/{object.tenant_meta.namespace}/version-upgrades
# OpenAPI 3.0 document header for the Endor Labs REST API reference.
openapi: 3.0.3
info:
  description: Integrate your application with Endor Labs using the REST API.
  title: Endor Labs REST API Reference
  version: '1.0'
# The only server listed uses an https:// URL.
servers:
  - url: https://api.endorlabs.com/
# NOTE(review): an empty top-level `security` list declares no default security
# requirement. The PATCH operation in this document adds no `security` of its
# own, and no `components.securitySchemes` is visible in this excerpt, so the
# spec does not tell generated clients, gateways or API scanners that a
# state-changing call needs credentials. Confirm that authentication is
# enforced server-side and documented elsewhere, and consider declaring the
# scheme in the spec.
security: []
tags:
  - name: AISastCustomerContextService
  - name: APIKeyService
  - name: APIKeyValidatorService
  - name: ArtifactSignatureService
  - name: AuditLogService
  - name: AuthenticationLogService
  - name: AuthenticationService
  - name: AuthorizationPolicyService
  - name: BatchFileSegmentsService
  - name: BatchNotificationService
  - name: CallGraphDataService
  - name: CodeOwnersService
  - name: DependencyMetadataService
  - name: EndorIgnoreEntryService
  - name: ExporterService
  - name: FindingLogService
  - name: FindingService
  - name: HuggingFaceModelService
  - name: HuggingFaceOrganizationService
  - name: IPAddressPolicyService
  - name: IdentityProviderService
  - name: InstallationService
  - name: InvitationService
  - name: LicenseDependencyService
  - name: LicenseNoticesReportService
  - name: LicenseSummaryService
  - name: LinterResultService
  - name: MalwareService
  - name: MetricService
  - name: NamespaceService
  - name: NotificationService
  - name: NotificationTargetService
  - name: OnPremSchedulerService
  - name: PRCommentConfigService
  - name: PackageFirewallLogService
  - name: PackageLicenseOverrideService
  - name: PackageLicenseQueryService
  - name: PackageLicenseService
  - name: PackageManagerService
  - name: PackageVersionService
  - name: PluginBinaryService
  - name: PolicyService
  - name: PolicyTemplateService
  - name: ProjectService
  - name: ProvisioningResultService
  - name: QueryMalwareService
  - name: QueryService
  - name: QuerySimilarPackagesService
  - name: QueryVulnerabilityService
  - name: RegistryIngestionCheckpointService
  - name: RepositoryService
  - name: RepositoryVersionService
  - name: RuleSetImportService
  - name: SBOMExportService
  - name: SBOMImportService
  - name: SCMCredentialService
  - name: SavedQueryService
  - name: ScanLogRequestService
  - name: ScanProfileService
  - name: ScanResultService
  - name: ScanWorkflowResultService
  - name: ScanWorkflowService
  - name: SecretRuleService
  - name: SemgrepRuleService
  - name: SystemConfigService
  - name: TenantService
  - name: VEXExportService
  - name: VectorStoreService
  - name: VersionUpgradeService
  - name: VulnerabilityService
paths:
  # PATCH endpoint that updates a VersionUpgrade resource inside the namespace
  # named in the URL path.
  /v1/namespaces/{object.tenant_meta.namespace}/version-upgrades:
    patch:
      tags:
        - VersionUpgradeService
      summary: UpdateVersionUpgrade
      description: Updates a version upgrade.
      operationId: VersionUpgradeService_UpdateVersionUpgrade
      # No operation-level `security` is declared, so the document-level value
      # applies to this state-changing call.
      parameters:
        # The target namespace travels in the path, while the request body's
        # `object.tenant_meta` is an untyped object.
        # NOTE(review): confirm the server authorizes against the path value
        # and does not honor a different namespace supplied in the body.
        - description: >-
            Namespaces are a way to organize organizational units into virtual

            groupings of resources. Namespaces must be a fully qualified name,

            for example, the child namespace of namespace "endor.prod" called
            "app"

            is called "endor.prod.app".
          in: path
          name: object.tenant_meta.namespace
          required: true
          schema:
            type: string
          x-endor-name: Namespace
      requestBody:
        content:
          application/json:
            schema:
              $ref: >-
                #/components/schemas/VersionUpgradeServiceUpdateVersionUpgradeBody
        required: true
        x-originalParamName: body
      # Only a 200 and a catch-all `default` are declared.
      # NOTE(review): authentication and authorization failures presumably
      # arrive through `default` as googlerpcStatus; confirm, so clients can
      # tell them apart from other errors.
      responses:
        '200':
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/v1VersionUpgrade'
          description: A successful response.
        default:
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/googlerpcStatus'
          description: An unexpected error response.
components:
  schemas:
    # Request body for UpdateVersionUpgrade: the resource to write (`object`)
    # plus the update options (`request`).
    VersionUpgradeServiceUpdateVersionUpgradeBody:
      description: Request to update a version upgrade.
      properties:
        object:
          description: >-
            VersionUpgrade contains all information about a possible version
            upgrade of a dependency package.

            This upgrade object can be under a project or a package version
            object.
          properties:
            context:
              $ref: '#/components/schemas/v1Context'
            meta:
              $ref: '#/components/schemas/v1Meta'
            spec:
              $ref: '#/components/schemas/v1VersionUpgradeSpec'
            # Declared here as a bare object with no properties, unlike the
            # response schema v1VersionUpgrade, which references v1TenantMeta.
            tenant_meta:
              description: Tenant metadata information.
              title: Tenant metadata information.
              type: object
            # readOnly: OpenAPI 3.0 says such a property SHOULD NOT be sent in
            # a request. NOTE(review): confirm the server ignores a
            # client-supplied uuid rather than trusting it.
            uuid:
              description: The UUID of the resource.
              readOnly: true
              type: string
          type: object
        request:
          $ref: '#/components/schemas/v1UpdateRequest'
      # NOTE(review): this `required` list applies to the wrapper, whose only
      # declared properties are `object` and `request`; `meta` and `context`
      # are defined under `object`. A validator applying the schema literally
      # would demand top-level `meta` and `context` keys and would not check
      # them under `object`. Presumably a generator artifact; verify against
      # the server's actual behavior before relying on schema validation.
      required:
        - meta
        - context
      type: object
    v1VersionUpgrade:
      description: >-
        VersionUpgrade contains all information about a possible version upgrade
        of a dependency package.

        This upgrade object can be under a project or a package version object.
      properties:
        context:
          $ref: '#/components/schemas/v1Context'
        meta:
          $ref: '#/components/schemas/v1Meta'
        spec:
          $ref: '#/components/schemas/v1VersionUpgradeSpec'
        tenant_meta:
          $ref: '#/components/schemas/v1TenantMeta'
        uuid:
          description: The UUID of the resource.
          readOnly: true
          type: string
      required:
        - tenant_meta
        - meta
        - context
      type: object
    googlerpcStatus:
      description: >-
        The `Status` type defines a logical error model that is suitable for

        different programming environments, including REST APIs and RPC APIs. It
        is

        used by [gRPC](https://github.com/grpc). Each `Status` message contains

        three pieces of data: error code, error message, and error details.


        You can find out more about this error model and how to work with it in
        the

        [API Design Guide](https://cloud.google.com/apis/design/errors).
      properties:
        code:
          description: |-
            The status code, which should be an enum value of
            [google.rpc.Code][google.rpc.Code].
          format: int32
          type: integer
        details:
          description: >-
            A list of messages that carry the error details.  There is a common
            set of

            message types for APIs to use.
          items:
            $ref: '#/components/schemas/googleprotobufAny'
          type: array
        message:
          description: >-
            A developer-facing error message, which should be in English. Any

            user-facing error message should be localized and sent in the

            [google.rpc.Status.details][google.rpc.Status.details] field, or
            localized

            by the client.
          type: string
      type: object
    v1Context:
      description: Contexts keep objects from different scans separated.
      properties:
        id:
          description: The context ID, such as a pull request ID or branch reference.
          type: string
        tags:
          description: |-
            A list of tags applied to a context. Used primarily for CI and SBOM
            contexts.
          items:
            type: string
          type: array
        type:
          $ref: '#/components/schemas/ContextContextType'
        will_be_deleted_at:
          description: |-
            Time that all objects in this context will be deleted.
            This field is deprecated and will be removed in the future.
            Please use the meta.will_be_deleted_at field instead.
          format: date-time
          readOnly: true
          type: string
      required:
        - type
        - id
      type: object
    # Metadata block shared by Endor Labs resources. It is referenced from both
    # the PATCH request body and the v1VersionUpgrade response in this document.
    #
    # Eight properties are readOnly: create_time, created_by, kind, references,
    # update_time, updated_by, upsert_time and version.
    # NOTE(review): readOnly is advisory for requests, and v1UpdateRequest says
    # update_mask defaults to all fields; confirm the server discards
    # client-supplied values for these (created_by / updated_by in particular,
    # since they record who changed the object).
    v1Meta:
      description: Common fields for all Endor Labs resources.
      properties:
        # The key character set and the 16384-byte value limit appear only in
        # the description; the schema carries no pattern or length constraint,
        # so schema validation alone will not enforce them.
        annotations:
          additionalProperties:
            type: string
          description: >-
            Annotations can be used to attach metadata to a resource message.

            Annotation values can be small or large, structured or unstructured,

            and may include characters not permitted by labels.

            The keys may contain alphanumerics, underscores (_), dots (.) and
            dashes

            (-). The values of an annotation must be 16384 bytes or smaller.
          type: object
        create_time:
          description: |-
            Time the resource was created.

            Format: 2017-01-15T01:30:15.01Z
            RFC 3339: https://www.ietf.org/rfc/rfc3339.txt.
          format: date-time
          readOnly: true
          type: string
        created_by:
          description: |-
            Name and authentication source of the user who created the object,
            for example, ewok@endor.ai@google@api-key.
          readOnly: true
          type: string
        # Size limit is stated in prose only; no maxLength is declared.
        description:
          description: Resource description. Must be less than 1024 bytes.
          type: string
        index_data:
          $ref: '#/components/schemas/v1IndexData'
        kind:
          description: >-
            Resource kind, for example, HelloResponse.

            Auto-generated using the protobuf message
            proto.MessageName().Name().
          readOnly: true
          type: string
        # The only required property. The 63-character limit is stated in prose
        # only; no maxLength is declared.
        name:
          description: Resource name. Must be 63 characters or less.
          type: string
        parent_kind:
          description: Parent object resource kind, for example, Project.
          type: string
        parent_uuid:
          description: Parent object UUID.
          type: string
        references:
          additionalProperties:
            $ref: '#/components/schemas/googleprotobufAny'
          description: Map of objects referenced in a query API.
          readOnly: true
          type: object
        # The 255-character per-tag limit is stated in prose only; `items`
        # declares no maxLength.
        tags:
          description: >-
            List of tags attached to the resource.

            Tags can be used to select objects and to find collections of
            objects that

            satisfy certain conditions. A tag must be 255 characters or less.
          items:
            type: string
          type: array
        update_time:
          description: |-
            Time the resource was last updated.
            Note: Updated on all create/patch/delete operations.

            Format: 2017-01-15T01:30:15.01Z
            RFC 3339: https://www.ietf.org/rfc/rfc3339.txt.
          format: date-time
          readOnly: true
          type: string
        updated_by:
          description: >-
            Name and authentication source of the last user who updated the
            object,

            for example, vulnerabilityingestor@endor.ai@x509.
          readOnly: true
          type: string
        upsert_time:
          description: |-
            Time the resource was last upserted.

            Note:
            create_time is only set the first time the resource is created.
            upsert_time is set every time the resource is upseted.

            Format: 2017-01-15T01:30:15.01Z
            RFC 3339: https://www.ietf.org/rfc/rfc3339.txt.
          format: date-time
          readOnly: true
          type: string
        version:
          description: Message version.
          readOnly: true
          type: string
      required:
        - name
      type: object
    v1VersionUpgradeSpec:
      properties:
        all_upgrades:
          $ref: '#/components/schemas/VersionUpgradeUpgradeList'
        configuration:
          $ref: '#/components/schemas/v1ReleaseUpgradeConfiguration'
        finding_fixing_upgrades:
          additionalProperties:
            $ref: '#/components/schemas/VersionUpgradeUpgradeList'
          description: Upgrades that fix findings.
          type: object
        name:
          description: The name of the project or package version for this record.
          type: string
        prioritized_upgrades:
          $ref: '#/components/schemas/VersionUpgradeUpgradeList'
        project_uuid:
          description: The UUID of the project to which this version upgrade relates.
          type: string
        stats:
          $ref: '#/components/schemas/v1ReleaseUpgradeStats'
        upgrade_info:
          $ref: '#/components/schemas/v1ReleaseUpgradeInfo'
      required:
        - project_uuid
        - name
      type: object
    # Options that accompany an update request; neither property is required.
    v1UpdateRequest:
      description: Message used for all update requests.
      properties:
        # NOTE(review): the description does not say which checks `force`
        # overrides or who may set it. Confirm that the flag is gated by
        # authorization and that forced updates are recorded in the audit log.
        force:
          description: |-
            Force will force the update of the resource if any
            checks fail.
          type: boolean
        # Per the description, omitting the mask updates all fields. Sending an
        # explicit mask limits a PATCH to the fields the caller means to
        # change. The mask syntax is not given on this page.
        update_mask:
          description: Fields to update. Defaults to all fields.
          type: string
      type: object
    v1TenantMeta:
      description: Tenant related data for the tenant containing the resource.
      properties:
        namespace:
          description: >-
            Namespaces are a way to organize organizational units into virtual

            groupings of resources. Namespaces must be a fully qualified name,

            for example, the child namespace of namespace "endor.prod" called
            "app"

            is called "endor.prod.app".
          type: string
      required:
        - namespace
      type: object
    googleprotobufAny:
      additionalProperties: {}
      description: >-
        `Any` contains an arbitrary serialized protocol buffer message along
        with a

        URL that describes the type of the serialized message.


        Protobuf library provides support to pack/unpack Any values in the form

        of utility functions or additional generated methods of the Any type.


        Example 1: Pack and unpack a message in C++.

            Foo foo = ...;
            Any any;
            any.PackFrom(foo);
            ...
            if (any.UnpackTo(&foo)) {
              ...
            }

        Example 2: Pack and unpack a message in Java.

            Foo foo = ...;
            Any any = Any.pack(foo);
            ...
            if (any.is(Foo.class)) {
              foo = any.unpack(Foo.class);
            }
            // or ...
            if (any.isSameTypeAs(Foo.getDefaultInstance())) {
              foo = any.unpack(Foo.getDefaultInstance());
            }

         Example 3: Pack and unpack a message in Python.

            foo = Foo(...)
            any = Any()
            any.Pack(foo)
            ...
            if any.Is(Foo.DESCRIPTOR):
              any.Unpack(foo)
              ...

         Example 4: Pack and unpack a message in Go

             foo := &pb.Foo{...}
             any, err := anypb.New(foo)
             if err != nil {
               ...
             }
             ...
             foo := &pb.Foo{}
             if err := any.UnmarshalTo(foo); err != nil {
               ...
             }

        The pack methods provided by protobuf library will by default use

        'type.googleapis.com/full.type.name' as the type URL and the unpack

        methods only use the fully qualified type name after the last '/'

        in the type URL, for example "foo.bar.com/x/y.z" will yield type

        name "y.z".


        JSON

        ====

        The JSON representation of an `Any` value uses the regular

        representation of the deserialized, embedded message, with an

        additional field `@type` which contains the type URL. Example:

            package google.profile;
            message Person {
              string first_name = 1;
              string last_name = 2;
            }

            {
              "@type": "type.googleapis.com/google.profile.Person",
              "firstName": <string>,
              "lastName": <string>
            }

        If the embedded message type is well-known and has a custom JSON

        representation, that representation will be embedded adding a field

        `value` which holds the custom JSON in addition to the `@type`

        field. Example (for message [google.protobuf.Duration][]):

            {
              "@type": "type.googleapis.com/google.protobuf.Duration",
              "value": "1.212s"
            }
      properties:
        '@type':
          description: >-
            A URL/resource name that uniquely identifies the type of the
            serialized

            protocol buffer message. This string must contain at least

            one "/" character. The last segment of the URL's path must represent

            the fully qualified name of the type (as in

            `path/google.protobuf.Duration`). The name should be in a canonical
            form

            (e.g., leading "." is not accepted).


            In practice, teams usually precompile into the binary all types that
            they

            expect it to use in the context of Any. However, for URLs which use
            the

            scheme `http`, `https`, or no scheme, one can optionally set up a
            type

            server that maps type URLs to message definitions as follows:


            * If no scheme is provided, `https` is assumed.

            * An HTTP GET on the URL must yield a [google.protobuf.Type][]
              value in binary format, or produce an error.
            * Applications are allowed to cache lookup results based on the
              URL, or have them precompiled into a binary to avoid any
              lookup. Therefore, binary compatibility needs to be preserved
              on changes to types. (Use versioned type names to manage
              breaking changes.)

            Note: this functionality is not currently available in the official

            protobuf release, and it is not used for type URLs beginning with

            type.googleapis.com. As of May 2023, there are no widely used type
            server

            implementations and no plans to implement one.


            Schemes other than `http`, `https` (or the empty scheme) might be

            used with implementation specific semantics.
          type: string
      type: object
    ContextContextType:
      default: CONTEXT_TYPE_UNSPECIFIED
      description: |2-
         - CONTEXT_TYPE_MAIN: Objects from a scan of the default branch.
        All objects in the oss namespace are in the main context.
        The context id is always "default".
         - CONTEXT_TYPE_EXTERNAL: Indicates that this object is a copy/temporary value of an object in
        another project. Used for same-tenant dependencies. In source code
        reference this is equivalent to "vendor" folders. Package versions in
        the external context are only scanned for call graphs. No other
        operations are performed on them.
         - CONTEXT_TYPE_CI_RUN: Objects from a PR scan. The context id is the PR UUID.
        Objects in this context are deleted after 30 days.
         - CONTEXT_TYPE_SBOM: Objects from an SBOM scan. The context id is the SBOM serial number or
        some other unique identifier.
         - CONTEXT_TYPE_REF: Objects from a scan of a specific branch. The context id is the branch
        reference name.
      enum:
        - CONTEXT_TYPE_UNSPECIFIED
        - CONTEXT_TYPE_MAIN
        - CONTEXT_TYPE_EXTERNAL
        - CONTEXT_TYPE_CI_RUN
        - CONTEXT_TYPE_SBOM
        - CONTEXT_TYPE_REF
      type: string
    v1IndexData:
      description: |-
        IndexData is used to index the resource for search. It's an internal
        object.
      properties:
        data:
          items:
            type: string
          readOnly: true
          type: array
        search_score:
          description: >-
            search_score is the score of the resource for search. Internal use
            only.
          format: float
          readOnly: true
          type: number
        tenant:
          readOnly: true
          type: string
        will_be_deleted_at:
          description: Time that the resource will be deleted.
          format: date-time
          readOnly: true
          type: string
      type: object
    VersionUpgradeUpgradeList:
      properties:
        upgrade_list:
          items:
            $ref: '#/components/schemas/v1ReleaseUpgradeInfo'
          type: array
      type: object
    # Settings that steer which dependency upgrades are analyzed and proposed.
    # No property is marked required and no defaults are declared.
    v1ReleaseUpgradeConfiguration:
      properties:
        avoid_pre_releases:
          description: Avoid prereleases.
          type: boolean
        # Packages listed here are skipped by the upgrade analysis.
        # NOTE(review): the expected string format (name only, or name plus
        # ecosystem/version) is not shown here; confirm before relying on it to
        # hold a package back.
        no_upgrade_package_set:
          description: These packages can not be upgraded and will be skipped.
          items:
            type: string
          type: array
        prefer_minor_version_upgrades:
          description: >-
            Give higher priority to upgrades to versions with the same major
            version since these are more likely to be compatible.
          type: boolean
        # Restricts the analysis to reachable findings. With this set, findings
        # classified as unreachable do not drive upgrade proposals.
        reachable_findings_only:
          description: Only consider reachable findings.
          type: boolean
        score_improvement_threshold:
          description: Score improvement to consider an upgrade.
          format: int32
          type: integer
        skip_test:
          description: >-
            If true, ignores all the direct dependencies that are marked as
            TEST/BUILD.
          type: boolean
        target_dependency:
          description: Only analyze this direct dependency and ignore the others.
          type: string
        top_only:
          description: Only show the top N dependency upgrades.
          format: int32
          type: integer
        upgrade_if_better_scores:
          description: >-
            Whether to consider a version upgrade just to improve the Endor
            scores or not.
          type: boolean
        # NOTE(review): the next two properties are typed `string` although
        # their descriptions read like yes/no switches, and the similarly
        # worded upgrade_if_better_scores is boolean. No enum lists the
        # accepted values; confirm them, since a value the server does not
        # recognize could change whether vulnerability findings trigger
        # upgrades.
        upgrade_if_operational_findings:
          description: >-
            Whether to consider a version upgrade if the current version has
            only operational findings or not.
          type: string
        upgrade_if_vulnerability_findings:
          description: >-
            Whether to consider a version upgrade if the current version has
            vulnerability findings or not.
          type: string
        use_cia:
          description: Whether using change impact analysis or not.
          type: boolean
      type: object
    v1ReleaseUpgradeStats:
      properties:
        cia_invocations:
          description: CIA Invocations.
          format: int32
          type: integer
        compute_time:
          description: Compute time.
          format: float
          type: number
        data_load_time:
          description: Data load time.
          format: float
          type: number
        database_version_count:
          description: >-
            The number of versions for direct dependencies we found in our
            database.
          format: int32
          type: integer
        dep_meta_count:
          description: Dependency meta Count.
          format: int32
          type: integer
        dep_uuids:
          description: Dependency UUIDs.
          format: int32
          type: integer
        direct_dependency_count:
          description: Direct dependency count.
          format: int32
          type: integer
        direct_deps_count:
          description: Direct dependencies count.
          format: int32
          type: integer
        direct_deps_package_count:
          description: Direct dependencies package count.
          format: int32
          type: integer
        findings_after_filtering:
          description: Findings after filtering.
          format: int32
          type: integer
        findings_fixed_by_upgrade_count:
          description: Findings Fixed By Upgrade Count.
          format: int32
          type: integer
        findings_read:
          description: Findings read.
          format: int32
          type: integer
        incomplete_releases:
          description: Releases not considered because of lack of information.
          format: int32
          type: integer
        max_releases_behind:
          description: Max Releases Behind.
          format: int32
          type: integer
        missing_version_count:
          description: The number of direct dependency versions missing from our database.
          format: int32
          type: integer
        namespace:
          description: Namespace.
          type: string
        package_count:
          description: Package Count.
          format: int32
          type: integer
        package_manager_version_count:
          description: >-
            The number of versions for direct dependencies that we found in the
            package manager.
          format: int32
          type: integer
        pre_upgrade_findings_count:
          description: Pre-upgrade Findings Count.
          format: int32
          type: integer
        project_name:
          description: Project Name.
          type: string
        project_uuid:
          description: Project UUID.
          type: string
        score_breakdown:
          additionalProperties:
            format: int32
            type: integer
          description: Score breakdown.
          type: object
        scores_read:
          description: Scores read.
          format: int32
          type: integer
        skipped_due_to_cia:
          description: Skipped due To CIA.
          format: int32
          type: integer
        upgrades_proposed:
          description: Upgrades proposed.
          format: int32
          type: integer
        upgrades_reviewed:
          description: Upgrades reviewed.
          format: int32
          type: integer
        upgrades_skipped:
          description: Upgrades skipped.
          format: int32
          type: integer
        zero_conflict_upgrades_proposed:
          description: Zero conflict upgrades proposed.
          format: int32
          type: integer
      type: object
    v1ReleaseUpgradeInfo:
      description: Protobuf definition for ReleaseUpgradeInfo.
      properties:
        cia_results:
          description: Details from the CIA analysis.
          items:
            $ref: '#/components/schemas/v1VersionDiffResult'
          type: array
        cia_status:
          description: The status of the CIA analysis, including errors.
          type: string
        conflicts:
          description: >-
            The number of conflicts between the dependencies of the two
            versions.
          format: int32
          type: integer
        conflicts_map:
          additionalProperties:
            $ref: '#/components/schemas/v1Conflict'
          description: The list of conflicting direct dependency packages.
          type: object
        cur_dep_count:
          description: The number of dependencies in the current version.
          format: int32
          type: integer
        current_conflicts:
          description: The count of conflicts with even the current version.
          format: int32
          type: integer
        deps_added:
          description: The number of new dependencies added in the upgrade.
          format: int32
          type: integer
        deps_removed:
          description: The number of dependencies removed in the upgrade.
          format: int32
          type: integer
        direct_dependency_manifest_files:
          description: Manifest file information for the direct dependency being upgraded.
          items:
            type: string
          type: array
        direct_dependency_package:
          description: The package being upgraded.
          type: string
        endor_scores_improvement:
          additionalProperties:
            format: int32
            type: integer
          title: The breakdown of the Endor score improvements in the upgrade
          type: object
        from_pkg_version_uuid:
          description: The UUID of the package version of the current dependency version.
          type: string
        from_version:
          description: The current version of the dependency.
          type: string
        from_version_age_in_days:
          description: Deprecated.
          format: int32
          type: integer
        from_version_publish_time:
          description: Publish time of the from version.
          format: date-time
          type: string
        is_best:
          description: Whether this is the best upgrade according to our analysis or not.
          type: boolean
        is_endor_patch:
          description: True if this is an Endor Labs Assured package version.
          type: boolean
        is_latest:
          description: Whether this is an upgrade to the latest version or not.
          type: boolean
        minor_conflicts:
          description: >-
            The number of minor (same major version) conflicts between the
            dependencies of the two versions.
          format: int32
          type: integer
        minor_conflicts_map:
          additionalProperties:
            $ref: '#/components/schemas/v1Conflict'
          description: The list of minor (same major version) conflicts.
          type: object
        other_finding_info:
          $ref: '#/components/schemas/v1FindingUpgradeBreakdown'
        package_count:
          description: The number of packages affected by the upgrade.
          format: int32
          type: integer
        project:
          description: The name of the project.
          type: string
        root_package_version:
          description: The project package that imports this dependency.
          type: string
        root_pkg_version_uuid:
          description: The UUID of the root package version.
          type: string
        score:
          description: The internal score for this upgrade.
          format: int32
          type: integer
        score_explanation:
          description: The reasons for the score.
          type: string
        to_pkg_version_uuid:
          description: >-
            The UUID of the package version of the dependency version to which
            we upgrade.
          type: string
        to_version:
          description: The version to which the package is to be upgraded.
          type: string
        to_version_age_in_days:
          description: Deprecated.
          format: int32
          type: integer
        to_version_publish_time:
          description: Publish time of the to version.
          format: date-time
          type: string
        total_findings_fixed:
          description: >-
            Count of findings (all types and severity levels) fixed by the
            upgrade.
          format: int32
          type: integer
        total_findings_introduced:
          description: >-
            Count of findings (all types and severity levels) introduced by the
            upgrade.
          format: int32
          type: integer
        update_dep_count:
          description: The number of dependencies in the upgrade.
          format: int32
          type: integer
        upgrade_risk:
          description: Upgrade risk.
          type: string
        vuln_finding_info:
          $ref: '#/components/schemas/v1FindingUpgradeBreakdown'
        worth_it:
          description: Whether the upgrade is worth it or not.
          type: boolean
      type: object
    v1VersionDiffResult:
      description: Protobuf definition for VersionDiffResult.
      properties:
        confidence:
          $ref: '#/components/schemas/v1Confidence'
        function_change:
          $ref: '#/components/schemas/v1FunctionChange'
        reachable_path:
          items:
            type: string
          type: array
        type_change:
          $ref: '#/components/schemas/v1TypeChange'
        violating_types:
          additionalProperties:
            $ref: '#/components/schemas/VersionDiffResultRepeatedString'
          type: object
      type: object
    v1Conflict:
      description: Protobuf definition for Conflict.
      properties:
        conflicting_current:
          description: The conflicting transitive dependency, current version.
          type: string
        conflicting_directs_current:
          description: >-
            The direct dependencies using the conflicting transitive dependency
            in the current version.
          items:
            type: string
          type: array
        conflicting_directs_upgrade:
          description: >-
            The direct dependencies using the conflicting transitive dependency
            after the upgrade.
          items:
            type: string
          type: array
        conflicting_upgrade:
          description: The conflicting transitive dependency, version after the upgrade.
          type: string
        current:
          description: The current version of the direct dependency being upgraded.
          type: string
        upgrade:
          description: The new version of the direct dependency being upgraded.
          type: string
      type: object
    v1FindingUpgradeBreakdown:
      description: Protobuf definition for FindingUpgradeBreakdown.
      properties:
        current_count:
          description: The finding count in the current version across all severities.
          format: int32
          type: integer
        fixed_findings:
          description: Fixed findings.
          items:
            type: string
          type: array
        reduction:
          description: The reduction in findings across all severities.
          format: int32
          type: integer
        severity:
          additionalProperties:
            $ref: '#/components/schemas/v1FindingUpgradeInfo'
          description: The breakdown of finding information per severity level.
          type: object
        upgrade_count:
          description: The finding count in the upgrade version across all severities.
          format: int32
          type: integer
      type: object
    v1Confidence:
      default: CONFIDENCE_UNSPECIFIED
      description: Protobuf definition for Confidence.
      enum:
        - CONFIDENCE_UNSPECIFIED
        - CONFIDENCE_UNKNOWN
        - CONFIDENCE_HIGH
        - CONFIDENCE_MEDIUM
        - CONFIDENCE_LOW
      type: string
    v1FunctionChange:
      description: Protobuf definition for FunctionChange.
      properties:
        defined:
          type: boolean
        diff_change:
          $ref: '#/components/schemas/v1ChangeType'
        function_reference:
          type: string
        id:
          type: string
        modifier_change:
          $ref: '#/components/schemas/v1ModifierChangeType'
      type: object
    v1TypeChange:
      description: Protobuf definition for TypeChange.
      properties:
        declared_type:
          type: string
        diff_change:
          $ref: '#/components/schemas/v1ChangeType'
        id:
          type: string
        modifier_change:
          $ref: '#/components/schemas/v1ModifierChangeType'
        package_name:
          type: string
      type: object
    # Wrapper object holding a list of strings under `values`. It is the map
    # value type of v1VersionDiffResult.violating_types. No description or
    # required list is declared, so an empty object also validates.
    VersionDiffResultRepeatedString:
      properties:
        values:
          items:
            type: string
          type: array
      type: object
    v1FindingUpgradeInfo:
      description: Protobuf definition for FindingUpgradeInfo.
      properties:
        current_count:
          description: The finding count in the current version.
          format: int32
          type: integer
        fixed:
          additionalProperties:
            $ref: '#/components/schemas/v1Finding'
          description: The findings fixed.
          type: object
        fixed_count:
          description: The number of total findings fixed by the upgrade.
          format: int32
          type: integer
        fixed_summary:
          additionalProperties:
            $ref: '#/components/schemas/v1FindingSummaryInfo'
          description: The findings fixed. Summary information only.
          type: object
        introduced:
          additionalProperties:
            $ref: '#/components/schemas/v1Finding'
          description: The findings introduced.
          type: object
        introduced_count:
          description: The number of total findings introduced by the upgrade.
          format: int32
          type: integer
        introduced_summary:
          additionalProperties:
            $ref: '#/components/schemas/v1FindingSummaryInfo'
          description: The findings introduced. Summary information only.
          type: object
        reachable_fixed_count:
          description: The number of reachable findings fixed by the upgrade.
          format: int32
          type: integer
        reachable_introduced_count:
          description: The number of reachable findings introduced by the upgrade.
          format: int32
          type: integer
        reduction:
          description: Overall reduction in findings.
          format: int32
          type: integer
        upgrade_count:
          description: The finding count in the upgrade version.
          format: int32
          type: integer
      type: object
    v1ChangeType:
      default: CHANGE_TYPE_UNSPECIFIED
      description: Protobuf definition for ChangeType.
      enum:
        - CHANGE_TYPE_UNSPECIFIED
        - CHANGE_TYPE_ADDED
        - CHANGE_TYPE_REMOVED
        - CHANGE_TYPE_CHANGED
        - CHANGE_TYPE_RENAMED
      type: string
    v1ModifierChangeType:
      default: MODIFIER_CHANGE_TYPE_UNSPECIFIED
      description: Protobuf definition for ModifierChangeType.
      enum:
        - MODIFIER_CHANGE_TYPE_UNSPECIFIED
        - MODIFIER_CHANGE_TYPE_SIGNATURE
        - MODIFIER_CHANGE_TYPE_TO_ABSTRACT
        - MODIFIER_CHANGE_TYPE_TO_FINAL
        - MODIFIER_CHANGE_TYPE_PUBLIC_TO_PROTECTED
        - MODIFIER_CHANGE_TYPE_PUBLIC_TO_PRIVATE
        - MODIFIER_CHANGE_TYPE_PROTECTED_TO_PRIVATE
        - MODIFIER_CHANGE_TYPE_TO_STATIC
        - MODIFIER_CHANGE_TYPE_TO_NONSTATIC
      type: string
    v1Finding:
      description: |-
        A finding contains details of a problem that needs to be fixed.
        The finding applies to the parent object, which can be one of:
        Repository, RepositoryVersion, or PackageVersion.
        Finding objects are connected to the project via spec.project_uuid.
      properties:
        context:
          $ref: '#/components/schemas/v1Context'
        meta:
          $ref: '#/components/schemas/v1Meta'
        spec:
          $ref: '#/components/schemas/v1FindingSpec'
        tenant_meta:
          $ref: '#/components/schemas/v1TenantMeta'
        uuid:
          description: The UUID of the object.
          readOnly: true
          type: string
      required:
        - meta
        - spec
        - context
      type: object
    v1FindingSummaryInfo:
      description: FindingSummaryInfo contains some selected fields for a finding.
      properties:
        description:
          type: string
        finding_categories:
          items:
            $ref: '#/components/schemas/v1FindingCategory'
          type: array
        finding_tags:
          items:
            $ref: '#/components/schemas/v1FindingTags'
          type: array
        level:
          $ref: '#/components/schemas/SpecFindingLevel'
        name:
          type: string
        parent_uuid:
          type: string
        target_dependency_package_name:
          type: string
        uuid:
          type: string
      type: object
    v1FindingSpec:
      description: Finding specific data.
      properties:
        actions:
          $ref: '#/components/schemas/v1Actions'
        approximation:
          description: |-
            True if this finding is for an approximate dependency
            based on the unresolved package dependencies.
          type: boolean
        call_graph_analysis_type:
          $ref: '#/components/schemas/v1CallGraphAnalysisType'
        code_owners:
          $ref: '#/components/schemas/v1CodeOwnerData'
        dependency_file_paths:
          description: >-
            List of relative paths to the dependency files used to create the
            bom, if

            applicable. This field is optional and is only set when the source
            code

            of the package version is known. For example, for Golang it contains

            go.mod and go.sum.
          items:
            type: string
          type: array
        dismiss:
          description: |-
            Set to true to exclude finding from action policies
            (a.k.a. admission and notification policies).
            Findings can be dismissed in bulk by exception policies
            and/or individually via the snooze parameters or
            the ignore file.
          type: boolean
        ecosystem:
          $ref: '#/components/schemas/v1Ecosystem'
        exceptions:
          $ref: '#/components/schemas/v1Exceptions'
        explanation:
          description: Information about why this finding is considered noteworthy.
          type: string
        extra_key:
          description: >-
            Additional information used to create a unique finding.


            In some cases we want to create multiple findings for the same

            combination of parent_uuid, meta.name, and target_uuid, for example
            when

            there are multiple vulnerabilities affecting the same dependency. By

            setting different values in this field, we are able to create a
            unique

            finding per combination of parent_uuid, meta.name, target_uuid, and

            extra_key.
          type: string
        finding_categories:
          description: List of categories that capture the use case the finding fits in.
          items:
            $ref: '#/components/schemas/v1FindingCategory'
          type: array
        finding_metadata:
          $ref: '#/components/schemas/v1FindingMetadata'
        finding_tags:
          description: |-
            List of tags, or attributes, that describe the scope of the finding
            and can be used to filter findings.
          items:
            $ref: '#/components/schemas/v1FindingTags'
          type: array
        fixing_patch:
          $ref: '#/components/schemas/v1FindingFixingPatch'
        fixing_upgrades:
          $ref: '#/components/schemas/v1FindingFixingUpgrades'
        ignore:
          $ref: '#/components/schemas/v1DismissParams'
        last_processed:
          description: Last time the finding was processed.
          format: date-time
          type: string
        latest_version:
          description: Latest version of dependency, if available.
          type: string
        level:
          $ref: '#/components/schemas/SpecFindingLevel'
        location_urls:
          additionalProperties:
            type: string
          description: >-
            The URLs that correspond to the paths contained in
            dependency_file_paths.
          type: object
        method:
          $ref: '#/components/schemas/v1SystemEvaluationMethodDefinition'
        project_uuid:
          description: The UUID of the project to which this finding belongs.
          type: string
        proposed_version:
          description: Recommended version of dependency if available.
          type: string
        reachable_paths:
          description: |-
            Function paths to the vulnerable method.
            Only applies to vulnerability findings.
          items:
            $ref: '#/components/schemas/FindingSpecPath'
          type: array
        relationship:
          description: |-
            String describing the relationship to the dependency, if applicable.
            For example, "Foo is a direct dependency of bar."
          type: string
        remediation:
          description: String describing the recommended remediation to fix this finding.
          type: string
        remediation_action:
          $ref: '#/components/schemas/v1FindingRemediation'
        snooze:
          $ref: '#/components/schemas/v1DismissParams'
        source_code_version:
          $ref: '#/components/schemas/v1Version'
        summary:
          description: A more detailed description of the finding.
          type: string
        target_dependency_name:
          description: |-
            Dependency package name, if applicable.
            This is just the name (i.e. it does not include the ecosystem or the
            version).
          type: string
        target_dependency_package_name:
          description: >-
            Fully qualified name of the dependency, e.g. eco://package@version,
            if

            applicable.
          type: string
        target_dependency_version:
          description: >-
            Dependency version, if applicable.

            This is just the version (i.e. it does not include the ecosystem or
            the

            package name).
          type: string
        target_uuid:
          description: |-
            The UUID of the DependencyMetadata object for the dependency, if
            applicable.
          type: string
      required:
        - project_uuid
        - last_processed
        - level
        - summary
        - finding_tags
        - target_uuid
        - extra_key
      type: object
    v1FindingCategory:
      default: FINDING_CATEGORY_UNSPECIFIED
      description: |-
        Finding categories loosely correspond to use cases.

         - FINDING_CATEGORY_VULNERABILITY: Vulnerability.
         - FINDING_CATEGORY_SUPPLY_CHAIN: Supply chain specific problem (malicious packages, typosquats).
         - FINDING_CATEGORY_LICENSE_RISK: License issue.
         - FINDING_CATEGORY_SCPM: Security posture management.
         - FINDING_CATEGORY_SECURITY: Generic security issue.
         - FINDING_CATEGORY_OPERATIONAL: Generic operational issue.
         - FINDING_CATEGORY_SECRETS: Exposed secret.
         - FINDING_CATEGORY_MALWARE: Malware.
         - FINDING_CATEGORY_CICD: CI/CD pipeline issue.
         - FINDING_CATEGORY_TOOLS: Tooling issue.
         - FINDING_CATEGORY_GHACTIONS: Finding applies to a GitHub action dependency.
         - FINDING_CATEGORY_CONTAINER: Finding applies to a container image.
         - FINDING_CATEGORY_SAST: SAST.
         - FINDING_CATEGORY_AI_MODELS: AI Models.
         - FINDING_CATEGORY_SECURITY_REVIEW: Security review.
         - FINDING_CATEGORY_SCA: Software Composition Analysis issue.
      enum:
        - FINDING_CATEGORY_UNSPECIFIED
        - FINDING_CATEGORY_VULNERABILITY
        - FINDING_CATEGORY_SUPPLY_CHAIN
        - FINDING_CATEGORY_LICENSE_RISK
        - FINDING_CATEGORY_SCPM
        - FINDING_CATEGORY_SECURITY
        - FINDING_CATEGORY_OPERATIONAL
        - FINDING_CATEGORY_SECRETS
        - FINDING_CATEGORY_MALWARE
        - FINDING_CATEGORY_CICD
        - FINDING_CATEGORY_TOOLS
        - FINDING_CATEGORY_GHACTIONS
        - FINDING_CATEGORY_CONTAINER
        - FINDING_CATEGORY_SAST
        - FINDING_CATEGORY_AI_MODELS
        - FINDING_CATEGORY_SECURITY_REVIEW
        - FINDING_CATEGORY_SCA
      type: string
    v1FindingTags:
      default: FINDING_TAGS_UNSPECIFIED
      description: |-
        Finding attributes.

         - FINDING_TAGS_DIRECT: Finding applies to a direct dependency.
         - FINDING_TAGS_TRANSITIVE: Finding applies to a transitive (indirect) dependency.
         - FINDING_TAGS_PROJECT_INTERNAL: Finding applies to a dependency that belongs to the same project.
         - FINDING_TAGS_NAMESPACE_INTERNAL: Finding applies to a dependency that belongs to the same namespace.
         - FINDING_TAGS_REACHABLE_DEPENDENCY: Finding applies to a reachable dependency.
         - FINDING_TAGS_UNREACHABLE_DEPENDENCY: Finding applies to an unreachable dependency.
         - FINDING_TAGS_POTENTIALLY_REACHABLE_DEPENDENCY: Finding applies to a potentially reachable dependency.
         - FINDING_TAGS_REACHABLE_FUNCTION: Finding applies to a reachable function.
         - FINDING_TAGS_UNREACHABLE_FUNCTION: Finding applies to an unreachable function.
         - FINDING_TAGS_POTENTIALLY_REACHABLE_FUNCTION: Finding applies to a potentially reachable function.
         - FINDING_TAGS_FIXABLE: Deprecated.
         - FINDING_TAGS_UNFIXABLE: Finding is unfixable.
         - FINDING_TAGS_PRODUCTION: Deprecated.
         - FINDING_TAGS_TEST: Finding applies to a dependency not in production code.
         - FINDING_TAGS_NORMAL: Finding applies to a normal, non-test, dependency.
         - FINDING_TAGS_FIX_AVAILABLE: There is a fix available for the CVE reported in this finding.
         - FINDING_TAGS_SELF: Finding applies only to the analyzed package version, there is no
        dependency involved.
         - FINDING_TAGS_POLICY: Deprecated.
         - FINDING_TAGS_CI_BLOCKER: Finding caused a CI failure.
         - FINDING_TAGS_VALID_SECRET: Finding applies to a valid secret.
         - FINDING_TAGS_INVALID_SECRET: Finding applies to an invalid secret.
         - FINDING_TAGS_PATH_EXTERNAL: Finding applies to a transitive dependency that can only be reached via
        external, non-OSS, project paths.
         - FINDING_TAGS_MALWARE: Finding applies to a malicious package.
         - FINDING_TAGS_UNDER_REVIEW: Finding applies to a suspicious package under review.
         - FINDING_TAGS_PHANTOM: Finding applies to a phantom dependency.
         - FINDING_TAGS_EXCEPTION: Finding is exempt from action policies.
         - FINDING_TAGS_CI_WARNING: Finding caused a CI warning.
         - FINDING_TAGS_NOTIFICATION: Finding triggered a notification.
         - FINDING_TAGS_EXPLOITED: This vulnerability is known to be exploited.
         - FINDING_TAGS_DISPUTED: This vulnerability has been marked as 'disputed'.
         - FINDING_TAGS_WITHDRAWN: This vulnerability has been marked as 'withdrawn'.
         - FINDING_TAGS_FALSE_POSITIVE: This finding has been analyzed to be a false positive.
         - FINDING_TAGS_TRUE_POSITIVE: This finding has been analyzed to be a true positive.
         - FINDING_TAGS_SNOOZED: Finding has been snoozed.
         - FINDING_TAGS_AI: This finding was generated using AI.
         - FINDING_TAGS_IGNORED: Finding has been ignored via the ignore file.
         - FINDING_TAGS_SEGMENT_MATCH: Finding applies to a dependency discovered via segment-matching.
      enum:
        - FINDING_TAGS_UNSPECIFIED
        - FINDING_TAGS_DIRECT
        - FINDING_TAGS_TRANSITIVE
        - FINDING_TAGS_PROJECT_INTERNAL
        - FINDING_TAGS_NAMESPACE_INTERNAL
        - FINDING_TAGS_REACHABLE_DEPENDENCY
        - FINDING_TAGS_UNREACHABLE_DEPENDENCY
        - FINDING_TAGS_POTENTIALLY_REACHABLE_DEPENDENCY
        - FINDING_TAGS_REACHABLE_FUNCTION
        - FINDING_TAGS_UNREACHABLE_FUNCTION
        - FINDING_TAGS_POTENTIALLY_REACHABLE_FUNCTION
        - FINDING_TAGS_FIXABLE
        - FINDING_TAGS_UNFIXABLE
        - FINDING_TAGS_PRODUCTION
        - FINDING_TAGS_TEST
        - FINDING_TAGS_NORMAL
        - FINDING_TAGS_FIX_AVAILABLE
        - FINDING_TAGS_SELF
        - FINDING_TAGS_POLICY
        - FINDING_TAGS_CI_BLOCKER
        - FINDING_TAGS_VALID_SECRET
        - FINDING_TAGS_INVALID_SECRET
        - FINDING_TAGS_PATH_EXTERNAL
        - FINDING_TAGS_MALWARE
        - FINDING_TAGS_UNDER_REVIEW
        - FINDING_TAGS_PHANTOM
        - FINDING_TAGS_EXCEPTION
        - FINDING_TAGS_CI_WARNING
        - FINDING_TAGS_NOTIFICATION
        - FINDING_TAGS_EXPLOITED
        - FINDING_TAGS_DISPUTED
        - FINDING_TAGS_WITHDRAWN
        - FINDING_TAGS_FALSE_POSITIVE
        - FINDING_TAGS_TRUE_POSITIVE
        - FINDING_TAGS_SNOOZED
        - FINDING_TAGS_AI
        - FINDING_TAGS_IGNORED
        - FINDING_TAGS_SEGMENT_MATCH
      type: string
    SpecFindingLevel:
      default: FINDING_LEVEL_UNSPECIFIED
      description: |-
        Finding severity level.

         - FINDING_LEVEL_CRITICAL: Critical finding.
         - FINDING_LEVEL_HIGH: Very important findings.
         - FINDING_LEVEL_MEDIUM: Important findings.
         - FINDING_LEVEL_LOW: Low priority finding.
      enum:
        - FINDING_LEVEL_UNSPECIFIED
        - FINDING_LEVEL_CRITICAL
        - FINDING_LEVEL_HIGH
        - FINDING_LEVEL_MEDIUM
        - FINDING_LEVEL_LOW
      type: string
    v1Actions:
      description: Metadata added by the admission or notification policy scanner.
      properties:
        policy_uuids:
          description: List of action policies triggered by this finding.
          items:
            type: string
          type: array
      type: object
    v1CallGraphAnalysisType:
      default: CALL_GRAPH_ANALYSIS_TYPE_UNSPECIFIED
      description: |-
        Call graph analysis type for findings.

         - CALL_GRAPH_ANALYSIS_TYPE_UNSPECIFIED: Unspecified call graph analysis type.
         - CALL_GRAPH_ANALYSIS_TYPE_FULL: Full call graph analysis was performed.
         - CALL_GRAPH_ANALYSIS_TYPE_PRECOMPUTED: Precomputed call graph analysis was used.
      enum:
        - CALL_GRAPH_ANALYSIS_TYPE_UNSPECIFIED
        - CALL_GRAPH_ANALYSIS_TYPE_FULL
        - CALL_GRAPH_ANALYSIS_TYPE_PRECOMPUTED
      type: string
    v1CodeOwnerData:
      description: Code owner information for a file path or pattern.
      properties:
        labels:
          description: List of labels.
          items:
            type: string
          type: array
        owners:
          description: List of code owners.
          items:
            type: string
          type: array
      type: object
    v1Ecosystem:
      default: ECOSYSTEM_UNSPECIFIED
      description: >2-
         - ECOSYSTEM_GO: GoLang.
         - ECOSYSTEM_MAVEN: Maven.
         - ECOSYSTEM_PYPI: Python.
         - ECOSYSTEM_CARGO: Rust.
         - ECOSYSTEM_NPM: JavaScript.
         - ECOSYSTEM_GEM: Ruby.
         - ECOSYSTEM_NUGET: Dotnet.
         - ECOSYSTEM_PACKAGIST: PHP.
         - ECOSYSTEM_SBOM: SBOMs.
         - ECOSYSTEM_RPM: RPM.
         - ECOSYSTEM_DEBIAN: Debian.
         - ECOSYSTEM_GITHUB_ACTION: GitHub Actions.
         - ECOSYSTEM_COCOAPOD: Cocoapods.
         - ECOSYSTEM_APK: APK (Alpine et al.).
         - ECOSYSTEM_CONTAINER: Containers.
         - ECOSYSTEM_HUGGING_FACE: Hugging Face.
         - ECOSYSTEM_C: C/C++.
         - ECOSYSTEM_GIT: ecosystem GIT for GIT repository dependencies.
        This can be used for package name of the resolved dependencies when a

        given repository has dependencies to other GIT repositories. Currently
        we

        use this to represent vulnerabilities for the given GIT repository. ex:

        git submodules, C/C++ dependencies.
         - ECOSYSTEM_AI_MODEL: AI models.
         - ECOSYSTEM_SWIFT: Ecosystem Swift consists of native Swift packages, which are defined
        using the Package.swift manifest file and managed by the Swift Package

        Manager. There is a separate ecosystem for Cocoapod packages called

        ECOSYSTEM_COCOAPOD, which is an alternative package manager for Swift

        packages.
         - ECOSYSTEM_CONAN: Ecosystem Conan for C/C++ packages managed by the Conan 2.x package manager.
      enum:
        - ECOSYSTEM_UNSPECIFIED
        - ECOSYSTEM_GO
        - ECOSYSTEM_MAVEN
        - ECOSYSTEM_PYPI
        - ECOSYSTEM_CARGO
        - ECOSYSTEM_NPM
        - ECOSYSTEM_GEM
        - ECOSYSTEM_NUGET
        - ECOSYSTEM_PACKAGIST
        - ECOSYSTEM_SBOM
        - ECOSYSTEM_RPM
        - ECOSYSTEM_DEBIAN
        - ECOSYSTEM_GITHUB_ACTION
        - ECOSYSTEM_COCOAPOD
        - ECOSYSTEM_APK
        - ECOSYSTEM_CONTAINER
        - ECOSYSTEM_HUGGING_FACE
        - ECOSYSTEM_C
        - ECOSYSTEM_GIT
        - ECOSYSTEM_AI_MODEL
        - ECOSYSTEM_SWIFT
        - ECOSYSTEM_CONAN
      type: string
    v1Exceptions:
      description: Metadata added by the exception policy scanner.
      properties:
        policy_uuids:
          description: List of exception policies triggered by this finding.
          items:
            type: string
          type: array
        tags:
          description: List of tags set by exception policies.
          items:
            type: string
          type: array
      type: object
    # Optional detail attached to a finding; referenced from
    # v1FindingSpec.finding_metadata. No property is listed as required, so any
    # subset (including none) may be present and consumers should null-check.
    v1FindingMetadata:
      description: Metadata associated with a finding.
      properties:
        # Shares the v1FindingPolicyInfo shape with source_policy_info below.
        ci_blocking_policy_info:
          $ref: '#/components/schemas/v1FindingPolicyInfo'
        container_data:
          $ref: '#/components/schemas/v1FindingContainerData'
        # No `type` is declared for this property, so any JSON value validates
        # against the schema. Treat the content as untyped, caller-defined data
        # and validate it before use rather than assuming a structure.
        custom:
          description: Custom finding metadata.
        cvss_version:
          $ref: '#/components/schemas/SpecCVSSVersion'
        dependency_package_version_metadata:
          $ref: '#/components/schemas/v1PackageVersionMetadata'
        dependency_score_card:
          $ref: '#/components/schemas/v1ScoreCard'
        dependency_score_factor_list:
          $ref: '#/components/schemas/v1ScoreFactorList'
        malware:
          $ref: '#/components/schemas/v1Malware'
        root_package_resolved_dependencies:
          $ref: '#/components/schemas/v1Bom'
        root_package_score_card:
          $ref: '#/components/schemas/v1ScoreCard'
        root_package_score_factor_list:
          $ref: '#/components/schemas/v1ScoreFactorList'
        root_package_version_metadata:
          $ref: '#/components/schemas/v1PackageVersionMetadata'
        security_review_data:
          $ref: '#/components/schemas/v1SecurityReviewFindingData'
        source_policy_info:
          $ref: '#/components/schemas/v1FindingPolicyInfo'
        typosquatted_dependency_version_metadata:
          $ref: '#/components/schemas/v1PackageVersionMetadata'
        vulnerability:
          $ref: '#/components/schemas/v1Vuln'
      type: object
    v1FindingFixingPatch:
      description: FindingFixingPatch that can fix the finding.
      properties:
        endor_patch_available:
          type: boolean
      type: object
    v1FindingFixingUpgrades:
      description: Upgrades that can fix the finding.
      properties:
        upgrade_list:
          description: List of upgrades that can fix the finding.
          items:
            $ref: '#/components/schemas/FindingFixingUpgradesUpgradeInfo'
          type: array
      type: object
    # Shared shape for the `snooze` and `ignore` properties of v1FindingSpec,
    # both of which $ref this schema. No `required` list is declared, so every
    # field below is optional as far as the schema is concerned.
    v1DismissParams:
      description: Metadata associated with a snooze or ignore request.
      properties:
        comments:
          description: Comments for the snooze or ignore.
          type: string
        entry_id:
          description: The ignore file entry id.
          type: string
        # Bounds how long the finding stays suppressed. The schema does not
        # force a value here.
        # NOTE(review): confirm what an unset expiration_time means server-side
        # (for example, whether the snooze or ignore then never expires).
        expiration_time:
          description: Expiration time of the snooze or ignore.
          format: date-time
          type: string
        expire_if_fix_available:
          description: >-
            Set to true if the snooze or ignore should expire if a fix is
            available.
          type: boolean
        file_name:
          description: Name of the file that was used to ignore the finding.
          type: string
        reason:
          $ref: '#/components/schemas/v1ExceptionReason'
        # update_time and updated_by record who last changed the suppression
        # and when, which is what a reviewer of dismissed findings relies on.
        # NOTE(review): neither is marked readOnly in this schema; confirm that
        # the server sets them rather than accepting client-supplied values.
        update_time:
          description: Timestamp of the last update.
          format: date-time
          type: string
        updated_by:
          description: Username of the user who last updated the snooze or ignore.
          type: string
      type: object
    v1SystemEvaluationMethodDefinition:
      default: SYSTEM_EVALUATION_METHOD_DEFINITION_UNSPECIFIED
      description: >-
        SystemEvaluationMethodDefinition is the type of evaluation method
        implemented

        by the system.

         - SYSTEM_EVALUATION_METHOD_DEFINITION_VULNERABILITIES: VULNERABILITIES calculates vulnerability related findings.
         - SYSTEM_EVALUATION_METHOD_DEFINITION_SCORES: SCORES calculates score related findings.
         - SYSTEM_EVALUATION_METHOD_DEFINITION_CONDITIONS: CONDITIONS calculates findings related to specific conditions.
         - SYSTEM_EVALUATION_METHOD_DEFINITION_POLICIES: POLICIES evaluates methods based on user defined policies.
         - SYSTEM_EVALUATION_METHOD_DEFINITION_TYPOSQUATTING: TYPOSQUATTING calculates the findings related to typosquatted packages.
         - SYSTEM_EVALUATION_METHOD_DEFINITION_CIS: CIS calculates the findings related to CIS benchmark requirements.
         - SYSTEM_EVALUATION_METHOD_DEFINITION_MALWARE: MALWARE calculates the findings related to malware.
         - SYSTEM_EVALUATION_METHOD_DEFINITION_SECURITY_REVIEW: SECURITY REVIEW calculates security review related findings.
         - SYSTEM_EVALUATION_METHOD_DEFINITION_AI_SAST: AI_SAST calculates AI SAST related findings.
      enum:
        - SYSTEM_EVALUATION_METHOD_DEFINITION_UNSPECIFIED
        - SYSTEM_EVALUATION_METHOD_DEFINITION_VULNERABILITIES
        - SYSTEM_EVALUATION_METHOD_DEFINITION_SCORES
        - SYSTEM_EVALUATION_METHOD_DEFINITION_CONDITIONS
        - SYSTEM_EVALUATION_METHOD_DEFINITION_POLICIES
        - SYSTEM_EVALUATION_METHOD_DEFINITION_TYPOSQUATTING
        - SYSTEM_EVALUATION_METHOD_DEFINITION_CIS
        - SYSTEM_EVALUATION_METHOD_DEFINITION_MALWARE
        - SYSTEM_EVALUATION_METHOD_DEFINITION_SECURITY_REVIEW
        - SYSTEM_EVALUATION_METHOD_DEFINITION_AI_SAST
      type: string
    FindingSpecPath:
      description: Information about one path.
      properties:
        nodes:
          description: List of structured, annotated function nodes.
          items:
            $ref: '#/components/schemas/PathNode'
          type: array
      type: object
    v1FindingRemediation:
      default: FINDING_REMEDIATION_UNSPECIFIED
      description: |-
        Recommended action to resolve the finding.

         - FINDING_REMEDIATION_UPGRADE: Upgrade to a later version.
         - FINDING_REMEDIATION_DOWNGRADE: Downgrade to an older version.
         - FINDING_REMEDIATION_REPLACE: Replace dependency with another package.
         - FINDING_REMEDIATION_REMOVE: Remove unused dependency.
         - FINDING_REMEDIATION_VENDOR: Vendor a dependency.
         - FINDING_REMEDIATION_IMPROVE: Make changes to improve a dependency.
         - FINDING_REMEDIATION_REIMPLEMENT: Reimplement a dependency locally.
         - FINDING_REMEDIATION_REVIEW: Review, no remediation to suggest.
         - FINDING_REMEDIATION_NOTIFICATION: Notification, there may not be any remediation.
         - FINDING_REMEDIATION_PIN: Pin dependency to one of the recommended versions.
      enum:
        - FINDING_REMEDIATION_UNSPECIFIED
        - FINDING_REMEDIATION_UPGRADE
        - FINDING_REMEDIATION_DOWNGRADE
        - FINDING_REMEDIATION_REPLACE
        - FINDING_REMEDIATION_REMOVE
        - FINDING_REMEDIATION_VENDOR
        - FINDING_REMEDIATION_IMPROVE
        - FINDING_REMEDIATION_REIMPLEMENT
        - FINDING_REMEDIATION_REVIEW
        - FINDING_REMEDIATION_NOTIFICATION
        - FINDING_REMEDIATION_PIN
      type: string
    v1Version:
      properties:
        metadata:
          additionalProperties:
            type: string
          description: Version metadata.
          type: object
        ref:
          description: |-
            Resolved ref of the source control version.
            Can be a tag, a branch or a SHA.
          type: string
        sha:
          description: >-
            SHA of the source control version.

            Because it might not be possible to resolve the SHA, this field is
            optional.
          type: string
      required:
        - ref
      type: object
    v1FindingPolicyInfo:
      # Carries the identity of the policy behind a finding (name, UUID, tags)
      # together with a list of its matches.
      description: Details about the policy that created the finding.
      properties:
        description:
          description: Policy description.
          type: string
        finding_name:
          description: Finding name.
          type: string
        name:
          description: Policy name.
          type: string
        results:
          description: List of policy matches.
          items:
            $ref: '#/components/schemas/FindingPolicyInfoPolicyResult'
          type: array
        tags:
          description: Policy meta tags.
          items:
            type: string
          type: array
        # `results` is truncated past 5 entries per the description below, so
        # use this count, not the list length, when reporting how many matched.
        total_num_results:
          description: >-
            The total number of results matched by the policy. This number may
            be greater

            than the list of policy matches in the results field, which is
            truncated if

            there are more than 5 results.
          format: int32
          type: integer
        uuid:
          description: Policy UUID.
          type: string
      type: object
    v1FindingContainerData:
      # Container context for a finding: the base image, whether the target
      # dependency was found in the base layer, and the layer digests.
      properties:
        base_image:
          description: |-
            Base image of the container image where the target dependency was
            found.
          type: string
        # NOTE(review): presumably used to decide whether a fix belongs in the
        # base image or in the application layers; confirm with the consumer.
        has_base_layer:
          description: >-
            Set to true if the target dependency was found in the base layer of
            the

            container image.
          type: boolean
        layer_digests:
          description: |-
            List of layer digests for the container image where the target
            dependency was found.
          items:
            type: string
          type: array
      type: object
    SpecCVSSVersion:
      # Enumerates the CVSS major versions (v2, v3, v4); defaults to
      # UNSPECIFIED. Scores from different CVSS versions are not directly
      # comparable, so read this value alongside any score it qualifies.
      default: CVSS_VERSION_UNSPECIFIED
      description: The CVSS version.
      enum:
        - CVSS_VERSION_UNSPECIFIED
        - CVSS_VERSION_V2
        - CVSS_VERSION_V3
        - CVSS_VERSION_V4
      type: string
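    v1PackageVersionMetadata:
      # Envelope for package version metadata: `meta` and `spec` are required;
      # `tenant_meta` and `uuid` are optional.
      description: PackageVersionMetadata represents metadata for a package version.
      properties:
        meta:
          $ref: '#/components/schemas/v1Meta'
        spec:
          $ref: '#/components/schemas/v1PackageVersionMetadataSpec'
        tenant_meta:
          $ref: '#/components/schemas/v1TenantMeta'
        # readOnly: returned in responses, not expected in request bodies.
        uuid:
          description: The UUID of the package version metadata.
          readOnly: true
          type: string
      required:
        - meta
        - spec
      type: object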
    v1ScoreCard:
      # Scorecard: one overall float score plus a list of per-category scores
      # (v1CategoryScore). No property is marked required.
      description: A scorecard contains a total score per ScoreCategory.
      properties:
        analysis_scope_description:
          description: Description of the analysis scope.
          type: string
        category_scores:
          description: The per category scores.
          items:
            $ref: '#/components/schemas/v1CategoryScore'
          type: array
        overall_score:
          description: The overall score.
          format: float
          type: number
      type: object
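    v1ScoreFactorList:
      # Wrapper object holding an array of v1ScoreFactor entries.
      description: >-
        A list of score factors that are directly exported by the related
        analytics.
      properties:
        score_factors:
          items:
            $ref: '#/components/schemas/v1ScoreFactor'
          type: array
      type: object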
    v1Malware:
      # Envelope for a malware record: `meta` and `spec` are required;
      # `tenant_meta` and `uuid` are optional.
      properties:
        meta:
          $ref: '#/components/schemas/v1Meta'
        spec:
          $ref: '#/components/schemas/v1MalwareSpec'
        tenant_meta:
          $ref: '#/components/schemas/v1TenantMeta'
        # readOnly: returned in responses, not expected in request bodies.
        uuid:
          description: The UUID of a malware record.
          readOnly: true
          type: string
      required:
        - meta
        - spec
      type: object
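    v1Bom:
      # Bill of materials: the resolved dependencies, the dependency files
      # they were computed from, a dependency graph, and the required
      # resolution timestamp.
      properties:
        dependencies:
          description: >-
            Different package managers use different dependency graph
            serialization

            strategies. Include the serialized list here to avoid
            re-implementing

            this within endorctl.
          items:
            $ref: '#/components/schemas/BomDependency'
          type: array
        dependency_files:
          description: >-
            The list of the dependency files used to create the BOM.

            This field is optional and is only set when the source code of the

            package versions is known. It will contain the list of relative
            paths of

            files used to compute the BOM. For instance for Golang, it will
            contain

            the go.mod and go.sum.
          items:
            $ref: '#/components/schemas/BomDependencyFile'
          type: array
        # The key format is documented in `title` below; the values are arrays
        # of objects with no declared properties.
        dependency_graph:
          additionalProperties:
            items:
              type: object
            type: array
          title: |-
            A dependency graph is a K/V pair of package names.
            The format of the key must be:
            - mvn://MVN_CENTRAL/foo:bar@2.1
            - mvn://CLIENT_REPO/foo:bar@2.1-SNAPSHOT
            - go://github.com/myorg/myrepo/mypkg@sha
          type: object
        resolution_timestamp:
          format: date-time
          type: string
      required:
        - resolution_timestamp
      type: object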
    v1SecurityReviewFindingData:
      # Finding data from a pull request security review: category, code
      # snippet, justification, security impact type and AI metadata.
      properties:
        # Per the v1AIMeta description, only used for AI-generated findings.
        ai_meta:
          $ref: '#/components/schemas/v1AIMeta'
        category:
          $ref: >-
            #/components/schemas/PullRequestSecurityReviewResultInfoSecurityReviewCategory
        code_snippet:
          $ref: '#/components/schemas/PullRequestSecurityReviewResultInfoCodeSnippet'
        justification:
          description: Justification for the security review category.
          type: string
        security_impact_type:
          $ref: '#/components/schemas/SecurityAspectMetricSecurityImpactType'
      type: object
    v1Vuln:
      # Envelope for a vulnerability record.
      # NOTE(review): only `meta` is required here, whereas v1Malware and
      # v1PackageVersionMetadata also require `spec`; clients should handle a
      # missing `spec`. Confirm whether the difference is intended.
      description: Vuln represents an Endor Labs vulnerability in the system.
      properties:
        meta:
          $ref: '#/components/schemas/v1Meta'
        spec:
          $ref: '#/components/schemas/v1VulnSpec'
        tenant_meta:
          $ref: '#/components/schemas/v1TenantMeta'
        # readOnly: returned in responses, not expected in request bodies.
        uuid:
          description: The UUID of a vulnerability.
          readOnly: true
          type: string
      required:
        - meta
      type: object
    FindingFixingUpgradesUpgradeInfo:
      # Describes one proposed upgrade of a direct dependency: which package,
      # from which version, to which version, and the associated risk.
      description: Information about one upgrade.
      properties:
        direct_dependency_name:
          description: Fully qualified name of the direct dependency to be upgraded.
          type: string
        from_version:
          description: Current version of the direct dependency.
          type: string
        package_name:
          description: Fully qualified name of the root package.
          type: string
        to_version:
          description: Version that the direct dependency should be upgraded to.
          type: string
        # Declared as a plain string with no enum, so the set of risk values
        # is not constrained by this schema.
        upgrade_risk:
          description: The risk of the upgrade.
          type: string
      type: object
    v1ExceptionReason:
      # Enumerates why a finding was dismissed; defaults to UNSPECIFIED.
      # NOTE(review): RISK_ACCEPTED and OTHER carry no detail of their own, so
      # an audit trail depends on the accompanying policy description or
      # dismiss comments being filled in.
      default: EXCEPTION_REASON_UNSPECIFIED
      description: |-
        Reasons for dismissing a finding.

         - EXCEPTION_REASON_FALSE_POSITIVE: Tool is incorrect. This is not a real issue.
         - EXCEPTION_REASON_RISK_ACCEPTED: Risk acknowledged and accepted.
         - EXCEPTION_REASON_IN_TRIAGE: Issue is actively being triaged.
         - EXCEPTION_REASON_OTHER: Other reason. Use policy description or dismiss comments to elaborate.
         - EXCEPTION_REASON_RESOLVED: Issue has been resolved. For example, a secret is no longer valid.
      enum:
        - EXCEPTION_REASON_UNSPECIFIED
        - EXCEPTION_REASON_FALSE_POSITIVE
        - EXCEPTION_REASON_RISK_ACCEPTED
        - EXCEPTION_REASON_IN_TRIAGE
        - EXCEPTION_REASON_OTHER
        - EXCEPTION_REASON_RESOLVED
      type: string
    PathNode:
      # One function node: a NodeFunctionRef plus `internal` and
      # `package_version`, neither of which carries a description.
      # NOTE(review): `internal` presumably marks a node that belongs to the
      # analyzed package itself; confirm.
      description: Information about one function node.
      properties:
        function_ref:
          $ref: '#/components/schemas/NodeFunctionRef'
        internal:
          type: boolean
        package_version:
          type: string
      type: object
    FindingPolicyInfoPolicyResult:
      # A single policy match expressed as a string-to-string map; the keys
      # are not constrained by this schema.
      description: Policy output.
      properties:
        fields:
          additionalProperties:
            type: string
          description: Map of all key-value fields in the result.
          type: object
      type: object
    v1PackageVersionMetadataSpec:
      # Per-package metadata: the ecosystem, the list of known versions
      # (endorv1VersionMetadata) and when the entry was last updated.
      # `versions` and `ecosystem` are required.
      properties:
        ecosystem:
          $ref: '#/components/schemas/v1Ecosystem'
        last_updated:
          description: The last time that this entry was updated.
          format: date-time
          type: string
        versions:
          items:
            $ref: '#/components/schemas/endorv1VersionMetadata'
          type: array
      required:
        - versions
        - ecosystem
      type: object
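    v1CategoryScore:
      # Score for a single category, exposed in three forms: the integer
      # `score`, the float `centered_score` and the float `raw_score`.
      description: >-
        The score for one score category. This is the overall score

        for a specific category. It is computed from the score factors that

        have been created for the category. There is going to be only a single

        instance of this information for the repo per score category.


        Example:


        Category: SCORE_CATEGORY_BEST_PRACTICES


        Score: 5


        Description: This score provides an overview of how this repo does when
        considering security best practices.


        The value is a number in the range 1 to 10, with 10 being the best.
      properties:
        category:
          $ref: '#/components/schemas/v1ScoreCategory'
        centered_score:
          description: >-
            Centered score for the category. This score is

            normalized to be centered on 5 and is a float, so it has a higher
            resolution.
          format: float
          type: number
        description:
          description: Text description of the category.
          type: string
        raw_score:
          description: |-
            Raw score for the category. This is the score by
            adding up the score factors, not centered around 5.
          format: float
          type: number
        # NOTE(review): the schema description gives a range of 1 to 10, but
        # no minimum/maximum is declared on this property, so clients should
        # range-check the value themselves.
        score:
          description: The score for this category.
          format: int32
          type: integer
      type: object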
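    v1ScoreFactor:
      # One contributing factor to a category score. The sign of `score`
      # carries the direction of the impact: positive raises the score,
      # negative lowers it (see the two examples in the description).
      description: >-
        A score factor for an object. Each score factor

        describes a piece of information used while computing the overall score.

        Each factor is associated with a specific category. Score factors can
        have a

        positive impact on the repository score and then they have a positive
        score, or can

        have a negative impact on the overall score and then they have a
        negative score.

        The description captures additional information for the particular
        factor.

        In general there are many (tens or hundreds) of such score factors split
        across the ScoreCategory categories.


        Positive score factor example:

         Category: SCORE_CATEGORY_BEST_PRACTICES

         Score: 2

         Description: The repository is enforcing signed commits.

        Negative score factor example:


        Category: SCORE_CATEGORY_VULNERABILITIES


        Score: -1


        Description: the repository has unresolved issues related to
        vulnerabilities that have been open for more than 3 months.
      properties:
        category:
          $ref: '#/components/schemas/v1ScoreCategory'
        description:
          description: Text description of the factor and its meaning.
          type: string
        evidence:
          description: The details of why the factor was raised.
          type: string
        id:
          description: Unique ID to identify the factor.
          type: string
        name:
          description: An external name for the factor.
          type: string
        score:
          description: The score for this factor.
          format: int32
          type: integer
        score_float:
          description: The float value of the score for the factor.
          format: float
          type: number
      type: object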
    v1MalwareSpec:
      # Body of a malware record. `ecosystem` and `package_name` are required;
      # the rest covers advisory timestamps, provenance (`source`,
      # `contributing_feeds`), contest state and the affected version or
      # ranges.
      properties:
        additional_notes:
          description: Additional notes for the malware record.
          items:
            type: string
          type: array
        advisory_last_updated:
          description: Timestamp of the last update of the malware record by the advisory.
          format: date-time
          type: string
        advisory_published:
          description: Date when the advisory published the malware record.
          format: date-time
          type: string
        aliases:
          description: Aliases of the malware record.
          items:
            type: string
          type: array
        # NOTE(review): a contested record is still a malware record; how
        # consumers should weigh `contested` against `status` is not stated
        # here. Confirm before filtering on either field.
        contested:
          description: Has the malware record been contested.
          type: boolean
        contested_date:
          description: Date when the malware record was contested.
          format: date-time
          readOnly: true
          type: string
        contested_reason:
          description: Reason for the malware record being contested.
          type: string
        # readOnly provenance: lists the concrete feeds behind a merged
        # record, and is empty for single-feed or untracked records.
        contributing_feeds:
          description: >-
            Feeds that contributed to this record. Set on merge when more than
            one

            source applies; each value is a concrete feed (not UNSPECIFIED).
            Empty

            when a single feed supplies the record or provenance is not tracked.
          items:
            $ref: '#/components/schemas/SpecMalwareSource'
          readOnly: true
          type: array
        cwe_id:
          description: The CWE ID for the malware record.
          type: string
        # Writable flag that keeps the record out of automatic cleanup.
        deletion_exempt:
          description: >-
            When true, this record is exempt from orphaned malware deletion and
            will never be

            automatically removed during ingestion cleanup, regardless of
            whether it was ingested.
          type: boolean
        ecosystem:
          $ref: '#/components/schemas/v1Ecosystem'
        malware_detected_on:
          description: Date when the malware was detected.
          format: date-time
          type: string
        package_name:
          description: Name of malicious package.
          type: string
        package_version:
          $ref: '#/components/schemas/v1PackageVersion'
        pkg_release_date:
          description: Release date of the package version.
          format: date-time
          type: string
        purl:
          description: PURL of the package without the version component.
          type: string
        ranges:
          $ref: '#/components/schemas/SpecMalwareRanges'
        reasons:
          description: Reasons for flagging the package as malicious.
          items:
            type: string
          type: array
        # NOTE(review): reference URLs originate from advisory data; treat
        # them as untrusted input when rendering or fetching.
        references:
          description: Reference URLs for the malware record.
          items:
            $ref: '#/components/schemas/VulnSpecReference'
          type: array
        source:
          $ref: '#/components/schemas/SpecMalwareSource'
        # Declared as a plain string with no enum, so the set of status
        # values is not constrained by this schema.
        status:
          description: Status of the malware record.
          type: string
        summary:
          description: Summary of the malware record.
          type: string
        upsert_key:
          description: >-
            The upsert key of the malware record. This will be
            ecosystem+package_name_version for specific version type records.

            For range type records, it will be ecosystem+package_name.
          type: string
        version:
          $ref: '#/components/schemas/SpecMalwareVersion'
      required:
        - ecosystem
        - package_name
      type: object
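    BomDependency:
      # One dependency entry in a BOM. Only `name` is required; the
      # `*_dependency_scope` and `*_kind` properties reference per-ecosystem
      # scope schemas.
      properties:
        abstract:
          description: >-
            Whether this is an abstract dependency, such as a secondary BOM
            file.
          type: boolean
        cocoapod_dependency_scope:
          $ref: '#/components/schemas/v1DependencyScope'
        composition_metadata:
          $ref: '#/components/schemas/v1ContainerCompositionMetadata'
        conan_dependency_scope:
          $ref: '#/components/schemas/v1DependencyScope'
        container_layers:
          description: >-
            A list of layers where a dependency is introduced in the final
            container

            image. It is an optional field. Each entry contains the layer ID
            (the

            SHA256 digest of the layer) and the file locations within the layer
            that

            indicate the presence of the dependency in the container.
          items:
            $ref: '#/components/schemas/v1ContainerDependencyLayer'
          type: array
        dependency_scope:
          $ref: '#/components/schemas/v1DependencyScope'
        eol_timestamp:
          description: End of life timestamp of the dependency if known.
          format: date-time
          type: string
        file_locations:
          description: |-
            An optional field for BOM dependencies that are either
            vendored or discovered in containers and identify the list of file
            locations that this dependency is seen at.
          items:
            type: string
          type: array
        gem_dependency_scope:
          $ref: '#/components/schemas/PackageVersionDependencyGemDependencySpecScope'
        github_action_kind:
          $ref: >-
            #/components/schemas/PackageVersionDependencyGitHubActionDependencySpecScope
        golang_dependency_scope:
          $ref: '#/components/schemas/PackageVersionDependencyGoDependencySpecScope'
        hugging_face_dependency_scope:
          $ref: '#/components/schemas/v1DependencyScope'
        imported_type:
          $ref: '#/components/schemas/DependencyImportedType'
        js_dependency_scope:
          $ref: '#/components/schemas/PackageVersionDependencyNpmDependencySpecScope'
        maven_dependency_scope:
          $ref: >-
            #/components/schemas/PackageVersionDependencyMavenDependencySpecScope
        name:
          type: string
        nuget_dependency_scope:
          $ref: '#/components/schemas/v1DependencyScope'
        packagist_dependency_scope:
          $ref: >-
            #/components/schemas/PackageVersionDependencyPackagistDependencySpecScope
        patched:
          description: patched indicates whether the dependency version was patched or not.
          type: boolean
        pinned:
          description: Whether the dependency version is fixed to a single version or not.
          type: boolean
        platform_source:
          $ref: '#/components/schemas/v1PlatformSource'
        public:
          description: |-
            A boolean to know if the dependency is public or not.
            This field might not be set.
          type: boolean
        purl:
          description: >-
            purl is the package URL notation of the dependency. Populated only
            for

            containers and OS packages.
          type: string
        pypi_dependency_scope:
          $ref: '#/components/schemas/PackageVersionDependencyPypiDependencySpecScope'
        release_date:
          description: The date that the dependency was released, if known.
          format: date-time
          type: string
        runtime_files:
          description: >-
            A list of files accessed when a dependency is called at runtime in
            the container image.

            This is an optional field. It is only set when a

            dependency is found to be used at runtime in the container image.
          items:
            $ref: '#/components/schemas/v1ContainerRuntimeDependencyFile'
          type: array
        rust_dependency_kind:
          $ref: '#/components/schemas/CargoDependencySpecDependencyKind'
        source_repository_http_clone_url:
          description: >-
            The HTTP clone URL of the dependency if found. This field might not
            be

            set.
          type: string
        # NOTE(review): a tag can be moved in source control while a commit
        # SHA cannot; check which form is present before relying on this
        # value for provenance.
        source_repository_ref:
          description: |-
            The ref of the source repository. This can be a tag or a commit SHA.
            This field might not be set.
          type: string
        swift_dependency_scope:
          $ref: '#/components/schemas/v1DependencyScope'
        targets:
          description: >-
            The targets to which this dependency applies.

            If there is no target then this dependency will be applicable for
            all the

            targets. A dependency can be valid for multiple targets.
          items:
            $ref: '#/components/schemas/v1Target'
          type: array
        user_app_dep:
          description: >-
            For container BOMs, set to true if this is a user application (i.e.
            the user associated it with an SCA scan).
          type: boolean
        vendored:
          description: Whether this dependency comes from vendored code or not.
          type: boolean
      required:
        - name
      type: object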
    BomDependencyFile:
      # Holds a single relative `path`; the property is not marked required.
      properties:
        path:
          description: Relative path of the dependency file used to compute the BOM.
          type: string
      type: object
    v1AIMeta:
      # Confidence information attached to AI-generated findings: a level, a
      # free-text justification and the LLM context.
      # NOTE(review): v1LLMContext is not defined in this part of the file;
      # check what it stores before exposing this object more widely.
      description: |-
        AI metadata for the finding.
        This is only used for findings generated by AI.
      properties:
        confidence_justification:
          description: Confidence justification for the finding.
          type: string
        confidence_level:
          $ref: '#/components/schemas/v1AIMetaConfidenceLevel'
        llm_context:
          $ref: '#/components/schemas/v1LLMContext'
      type: object
    PullRequestSecurityReviewResultInfoSecurityReviewCategory:
      # Enumerates the area a security review result falls under; defaults to
      # UNSPECIFIED. Every enum value has a matching entry in the description.
      default: SECURITY_REVIEW_CATEGORY_UNSPECIFIED
      description: >-
        SecurityCategory represents the different categories of security aspects
        that can be evaluated.

         - SECURITY_REVIEW_CATEGORY_UNSPECIFIED: Default when category is unknown
         - SECURITY_REVIEW_CATEGORY_DEPENDENCY: Integration of external code, packages, and frameworks
         - SECURITY_REVIEW_CATEGORY_ACCESS_CONTROL: Authentication, authorization mechanisms and session management
         - SECURITY_REVIEW_CATEGORY_API_ENDPOINT: API and service entry points
         - SECURITY_REVIEW_CATEGORY_DATABASE: Database architecture and security
         - SECURITY_REVIEW_CATEGORY_CRYPTOGRAPHIC: Cryptographic systems and implementations
         - SECURITY_REVIEW_CATEGORY_PAYMENT_PROCESSING: Payment processing and financial systems
         - SECURITY_REVIEW_CATEGORY_MEMORY_PROTECTION: Memory management and protection
         - SECURITY_REVIEW_CATEGORY_PII_DATA_HANDLING: Processing of PII and sensitive information
         - SECURITY_REVIEW_CATEGORY_INPUT_VALIDATION: Input validation and processing security
         - SECURITY_REVIEW_CATEGORY_INFRASTRUCTURE: Infrastructure security
         - SECURITY_REVIEW_CATEGORY_CI_CD: CI/CD pipeline security
         - SECURITY_REVIEW_CATEGORY_CONFIGURATION: Application and infrastructure configuration
         - SECURITY_REVIEW_CATEGORY_NETWORK: Network security and communication protocols
         - SECURITY_REVIEW_CATEGORY_AI: AI/LLM integration security
         - SECURITY_REVIEW_CATEGORY_IMPROVEMENT: Improvement to the security posture
         - SECURITY_REVIEW_CATEGORY_VULNERABILITY: Vulnerability found in the code
         - SECURITY_REVIEW_CATEGORY_BUG: Bug found in the code
      enum:
        - SECURITY_REVIEW_CATEGORY_UNSPECIFIED
        - SECURITY_REVIEW_CATEGORY_DEPENDENCY
        - SECURITY_REVIEW_CATEGORY_ACCESS_CONTROL
        - SECURITY_REVIEW_CATEGORY_API_ENDPOINT
        - SECURITY_REVIEW_CATEGORY_DATABASE
        - SECURITY_REVIEW_CATEGORY_CRYPTOGRAPHIC
        - SECURITY_REVIEW_CATEGORY_PAYMENT_PROCESSING
        - SECURITY_REVIEW_CATEGORY_MEMORY_PROTECTION
        - SECURITY_REVIEW_CATEGORY_PII_DATA_HANDLING
        - SECURITY_REVIEW_CATEGORY_INPUT_VALIDATION
        - SECURITY_REVIEW_CATEGORY_INFRASTRUCTURE
        - SECURITY_REVIEW_CATEGORY_CI_CD
        - SECURITY_REVIEW_CATEGORY_CONFIGURATION
        - SECURITY_REVIEW_CATEGORY_NETWORK
        - SECURITY_REVIEW_CATEGORY_AI
        - SECURITY_REVIEW_CATEGORY_IMPROVEMENT
        - SECURITY_REVIEW_CATEGORY_VULNERABILITY
        - SECURITY_REVIEW_CATEGORY_BUG
      type: string
    PullRequestSecurityReviewResultInfoCodeSnippet:
      # Locates a piece of reviewed code by file and line range and carries
      # its content. `file` and `line` are required. Property documentation
      # in this schema is carried in `title` rather than `description`.
      description: >-
        CodeSnippet represents a specific portion of code that has security
        implications.

        This could be sensitive operations, security controls, or potential
        vulnerabilities.
      properties:
        change_kind:
          $ref: '#/components/schemas/PullRequestSecurityReviewResultInfoChangeKind'
        description:
          title: Description of what the code snippet does
          type: string
        file:
          title: File path where the snippet is located
          type: string
        impact:
          title: Security impact or implications of this code
          type: string
        language:
          title: Code language of the snippet
          type: string
        line:
          format: int32
          title: Starting line number of the snippet
          type: integer
        line_end:
          format: int32
          title: Ending line number of the snippet
          type: integer
        # NOTE(review): holds source code verbatim, so it may include
        # sensitive values present in the reviewed change; store and render
        # it as untrusted text.
        snippet:
          title: The actual code content of the snippet
          type: string
      required:
        - file
        - line
      type: object
    SecurityAspectMetricSecurityImpactType:
      # Direction of a change's security effect: improvement, regression or
      # neutral; defaults to UNSPECIFIED.
      default: SECURITY_IMPACT_TYPE_UNSPECIFIED
      description: >-
        Indicates whether a code change improves security, introduces
        regression, or is neutral.

         - SECURITY_IMPACT_TYPE_UNSPECIFIED: Default unspecified value.
         - SECURITY_IMPACT_TYPE_IMPROVEMENT: The change improves security.
         - SECURITY_IMPACT_TYPE_REGRESSION: The change introduces security regression.
         - SECURITY_IMPACT_TYPE_NEUTRAL: The change has neutral security impact.
      enum:
        - SECURITY_IMPACT_TYPE_UNSPECIFIED
        - SECURITY_IMPACT_TYPE_IMPROVEMENT
        - SECURITY_IMPACT_TYPE_REGRESSION
        - SECURITY_IMPACT_TYPE_NEUTRAL
      type: string
    v1VulnSpec:
      # Body of a vulnerability record: affected entries, aliases, CVSS v3/v4
      # severity, EPSS score, references and lifecycle timestamps. No property
      # is marked required, so any of them may be absent.
      properties:
        additional_endor_notes:
          description: Notes from the Endor Labs analysis of the vulnerability.
          items:
            type: string
          type: array
        additional_notes:
          description: Notes by the person that processed the CVE.
          items:
            type: string
          type: array
        affected:
          items:
            $ref: '#/components/schemas/VulnSpecAffected'
          type: array
        aliases:
          description: Optional. IDs for the same vulnerability in other databases.
          items:
            type: string
          type: array
        credits:
          description: Optional. Credits for the vulnerability.
          items:
            $ref: '#/components/schemas/VulnSpecCredit'
          type: array
        cvss_v3_severity:
          $ref: '#/components/schemas/SpecCVSSV3Severity'
        cvss_v4_severity:
          $ref: '#/components/schemas/SpecCVSSV4Severity'
        # Free-form object with no declared properties; validate any key
        # before relying on it.
        database_specific:
          description: >-
            Optional. JSON object holding additional information about the

            vulnerability as defined by the database for which the record
            applies.
          type: object
        deepdive:
          description: >-
            Indicates whether the research team performed full analysis on
            multiple

            artifact_ids involved in CVE.
          type: boolean
        # NOTE(review): `disputed`, `malicious` and `withdrawn` change how a
        # record should be triaged; a consumer that reads severity alone
        # would not see them.
        disputed:
          description: >-
            Indicates whether the research team considers a CVE should be
            disputed

            based on analysis.
          type: boolean
        epss_score:
          $ref: '#/components/schemas/SpecEPSSScore'
        malicious:
          description: Indicates whether this item is classified as malicious or not.
          type: boolean
        modified:
          description: The RFC3339 timestamp indicating when this entry was last modified.
          format: date-time
          type: string
        published:
          description: The RFC3339 timestamp indicating when this entry was published.
          format: date-time
          type: string
        raw:
          $ref: '#/components/schemas/SpecRaw'
        # NOTE(review): reference URLs originate from advisory data; treat
        # them as untrusted input when rendering or fetching.
        references:
          description: Reference URLs for the vulnerability.
          items:
            $ref: '#/components/schemas/VulnSpecReference'
          type: array
        related:
          description: >-
            Optional. List of IDs of closely related vulnerabilities, such as
            the

            same problem in alternate ecosystems.
          items:
            type: string
          type: array
        summary:
          description: Long summary of the vulnerability.
          type: string
        withdrawn:
          description: >-
            Optional. The RFC3339 timestamp indicating when this entry is
            considered

            to be withdrawn.
          format: date-time
          type: string
      type: object
    NodeFunctionRef:
      # Identifies a function or attribute through string components
      # (namespace, classname, name, signature and so on). None of the
      # properties carries a description or is marked required.
      properties:
        args:
          items:
            type: string
          type: array
        classname:
          type: string
        declared_type:
          type: string
        function_or_attribute_name:
          type: string
        language:
          type: string
        language_specific:
          type: string
        namespace:
          type: string
        product:
          type: string
        registry:
          type: string
        return_type:
          type: string
        signature:
          type: string
        version:
          type: string
      type: object
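    endorv1VersionMetadata:
      # Metadata for one version of a package. `version`, `release_time` and
      # `license` are required.
      properties:
        # NOTE(review): the item schema v1Checksum is not defined in this part
        # of the file; confirm whether entries carry digest values as well as
        # checksum types before using them for integrity checks.
        checksums:
          description: A list of checksum types.
          items:
            $ref: '#/components/schemas/v1Checksum'
          type: array
        consumed:
          description: Set to true once the corresponding source metadata has been created.
          type: boolean
        eol_timestamp:
          description: End of life timestamp of the package version if known.
          format: date-time
          type: string
        last_updated:
          description: >-
            The last time that this particular version was re-synced with the
            source.
          format: date-time
          type: string
        license:
          description: Raw license information as returned by the package manager.
          items:
            type: string
          type: array
        license_info:
          description: Detailed license information populated by Endor.
          items:
            $ref: '#/components/schemas/v1LicenseInfo'
          type: array
        lts:
          description: Set to true if a version is a long-term support (LTS) version.
          type: boolean
        platform_source:
          $ref: '#/components/schemas/v1PlatformSource'
        release_time:
          format: date-time
          type: string
        source_code_ref:
          description: |-
            The source code reference if known.
            Optional. This can be a tag or a commit SHA.
          type: string
        source_code_url:
          description: Source code URL of the package if known.
          type: string
        version:
          title: |-
            The version of the package.
            For example - 5.23.4
          type: string
      required:
        - version
        - release_time
        - license
      type: object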
    v1ScoreCategory:
      default: SCORE_CATEGORY_UNSPECIFIED
      description: |-
        The types of scores that Endor Labs tracks.

         - SCORE_CATEGORY_POPULARITY: Tracks a project's popularity.
         - SCORE_CATEGORY_ACTIVITY: Tracks the amount of activity around a project.
         - SCORE_CATEGORY_BEST_PRACTICES: Tracks how much a project follows various development best practices.
         - SCORE_CATEGORY_SUSPICIOUS_ACTIVITY: Tracks suspicious activity on a project.
         - SCORE_CATEGORY_DEPENDENCIES: Tracks the dependencies of a project.
         - SCORE_CATEGORY_SECURITY: Tracks security aspects of a project.
         - SCORE_CATEGORY_CODE_QUALITY: Tracks the code quality of a project.
         - SCORE_CATEGORY_OPERATIONAL_RISK: Tracks the operational risk of a project.
      enum:
        - SCORE_CATEGORY_UNSPECIFIED
        - SCORE_CATEGORY_POPULARITY
        - SCORE_CATEGORY_ACTIVITY
        - SCORE_CATEGORY_BEST_PRACTICES
        - SCORE_CATEGORY_SUSPICIOUS_ACTIVITY
        - SCORE_CATEGORY_DEPENDENCIES
        - SCORE_CATEGORY_SECURITY
        - SCORE_CATEGORY_CODE_QUALITY
        - SCORE_CATEGORY_OPERATIONAL_RISK
      type: string
    SpecMalwareSource:
      # Enum naming the source of a malware record.
      # NOTE(review): the description covers only MALWARE_SOURCE_ENDOR and
      # MALWARE_SOURCE_INTERNAL; MALWARE_SOURCE_OSV and MALWARE_SOURCE_AMF are in
      # the enum without a description of their own. The ENDOR entry also calls
      # its inputs "external" feeds while listing INTERNAL among them - confirm
      # the intended wording upstream before keying trust decisions on this value.
      default: MALWARE_SOURCE_UNSPECIFIED
      description: |2-
         - MALWARE_SOURCE_ENDOR: Merged from one or more external malware feeds (OSV, AMF, INTERNAL etc).
         - MALWARE_SOURCE_INTERNAL: Endor security research team assessments.
      enum:
        - MALWARE_SOURCE_UNSPECIFIED
        - MALWARE_SOURCE_ENDOR
        - MALWARE_SOURCE_OSV
        - MALWARE_SOURCE_AMF
        - MALWARE_SOURCE_INTERNAL
      type: string
    v1PackageVersion:
      description: PackageVersion represents a version of a package.
      properties:
        context:
          $ref: '#/components/schemas/v1Context'
        meta:
          $ref: '#/components/schemas/v1Meta'
        processing_status:
          $ref: '#/components/schemas/v1ProcessingStatus'
        spec:
          $ref: '#/components/schemas/v1PackageVersionSpec'
        tenant_meta:
          $ref: '#/components/schemas/v1TenantMeta'
        uuid:
          description: The UUID of the package version resource.
          readOnly: true
          type: string
      required:
        - meta
        - spec
        - context
      type: object
    SpecMalwareRanges:
      properties:
        ranges:
          items:
            $ref: '#/components/schemas/SpecMalwareRange'
          type: array
      type: object
    VulnSpecReference:
      properties:
        type:
          $ref: '#/components/schemas/ReferenceReferenceType'
        url:
          description: The vulnerability URL.
          type: string
      required:
        - type
        - url
      type: object
    SpecMalwareVersion:
      # Pairs a version string with an OSV identifier for a malware record.
      # Neither property is listed as required.
      properties:
        # NOTE(review): the description below says "status", but the field is
        # named osv_id and SpecMalwareRange.osv_id is documented as "The OSV ID
        # for the malware record." - this looks like a copy-paste slip; confirm
        # upstream before interpreting the value as a status.
        osv_id:
          description: The status of the malware record.
          type: string
        version:
          description: The version of the malware record.
          type: string
      type: object
    v1DependencyScope:
      default: DEPENDENCY_SCOPE_UNSPECIFIED
      description: |2-
         - DEPENDENCY_SCOPE_UNSPECIFIED: Dependency scope is undefined.
         - DEPENDENCY_SCOPE_TEST: Dependency is only used for testing.
         - DEPENDENCY_SCOPE_BUILD: Dependency is only used for building the package.
         - DEPENDENCY_SCOPE_NORMAL: Dependency is used in normal, non-test, code.
      enum:
        - DEPENDENCY_SCOPE_UNSPECIFIED
        - DEPENDENCY_SCOPE_TEST
        - DEPENDENCY_SCOPE_BUILD
        - DEPENDENCY_SCOPE_NORMAL
      type: string
    v1ContainerCompositionMetadata:
      description: >-
        ContainerCompositionMetadata is the metadata of the composition of a
        container image.
      properties:
        package_type:
          $ref: '#/components/schemas/v1ContainerPackageType'
      type: object
    v1ContainerDependencyLayer:
      description: ContainerDependency is a dependency of a container image.
      properties:
        digest:
          description: |-
            The SHA256 digest of the layer,
            where a dependency is found to be present in the container.
          type: string
        file_locations:
          description: >-
            The locations of the files in the container,

            through which the dependency is evident to be present in the
            container.
          items:
            type: string
          type: array
      required:
        - digest
      type: object
    PackageVersionDependencyGemDependencySpecScope:
      default: SCOPE_UNSPECIFIED
      description: |-
        Scope.

         - SCOPE_UNSPECIFIED: Unspecified scope when it is unclear what the scope is.
         - SCOPE_NORMAL: Default scope when no other scope is provided.
         - SCOPE_DEVELOPMENT: All development and test dependencies.
      enum:
        - SCOPE_UNSPECIFIED
        - SCOPE_NORMAL
        - SCOPE_DEVELOPMENT
      type: string
    PackageVersionDependencyGitHubActionDependencySpecScope:
      default: SCOPE_UNSPECIFIED
      description: |-
        The scope of the GitHub action dependency.

         - SCOPE_UNSPECIFIED: unspecified scope when it is unclear what the scope is.
         - SCOPE_NORMAL: NORMAL indicates that the GitHub action is being used in prod context.
         - SCOPE_TEST: TEST indicates that the GitHub action is being used in test context.
      enum:
        - SCOPE_UNSPECIFIED
        - SCOPE_NORMAL
        - SCOPE_TEST
      type: string
    PackageVersionDependencyGoDependencySpecScope:
      default: SCOPE_UNSPECIFIED
      enum:
        - SCOPE_UNSPECIFIED
        - SCOPE_NORMAL
        - SCOPE_TEST
      type: string
    DependencyImportedType:
      default: IMPORTED_TYPE_UNSPECIFIED
      description: |-
        ImportedType is the state of import.

         - IMPORTED_TYPE_UNSPECIFIED: UNSPECIFIED is the default state. This state denotes that imported
        dependency analysis has not been run yet for this dependency.
         - IMPORTED_TYPE_IN_SOURCE: IN_SOURCE means the imported dependency analysis succeeded and found
        that the dependency is imported in source.
         - IMPORTED_TYPE_NOT_IN_SOURCE: NOT_IN_SOURCE means the imported dependency analysis succeeded and
        found that the dependency is not imported in source.
         - IMPORTED_TYPE_PHANTOM: PHANTOM means the imported dependency analysis succeeded and found that
        the dependency is imported only in the source (a phantom dependency).
         - IMPORTED_TYPE_SEGMENT_MATCH: Dependency was discovered through code segment match.
         - IMPORTED_TYPE_INSTALLED_IN_USE: Dependency was discovered through installed dependencies and it is in use.
      enum:
        - IMPORTED_TYPE_UNSPECIFIED
        - IMPORTED_TYPE_IN_SOURCE
        - IMPORTED_TYPE_NOT_IN_SOURCE
        - IMPORTED_TYPE_PHANTOM
        - IMPORTED_TYPE_SEGMENT_MATCH
        - IMPORTED_TYPE_INSTALLED_IN_USE
      type: string
    PackageVersionDependencyNpmDependencySpecScope:
      default: SCOPE_UNSPECIFIED
      description: |-
        The scope of the npm dependency.

         - SCOPE_UNSPECIFIED: unspecified scope when it is unclear what the scope is.
         - SCOPE_DEPENDENCY: DEPENDENCY indicates that the dependency is required for the package to
        function.
         - SCOPE_DEV_DEPENDENCY: DEV_DEPENDENCY indicates that the dependency is required for
        development purposes.
         - SCOPE_OPTIONAL_DEPENDENCY: OPTIONAL_DEPENDENCY indicates that the dependency is optional.
         - SCOPE_PEER_DEPENDENCY: PEER_DEPENDENCY indicates that the dependency is a peer dependency.
      enum:
        - SCOPE_UNSPECIFIED
        - SCOPE_DEPENDENCY
        - SCOPE_DEV_DEPENDENCY
        - SCOPE_OPTIONAL_DEPENDENCY
        - SCOPE_PEER_DEPENDENCY
      type: string
    PackageVersionDependencyMavenDependencySpecScope:
      default: SCOPE_UNSPECIFIED
      description: |2-
         - SCOPE_UNSPECIFIED: Scope is not set.
         - SCOPE_COMPILE: Dependency is required at compile time.
         - SCOPE_PROVIDED: Dependency is provided at runtime by JDK or a container.
         - SCOPE_RUNTIME: Dependency is required at runtime but not at compile time.
         - SCOPE_TEST: Dependency is not required at runtime and is only used for test
        purposes.
         - SCOPE_SYSTEM: Dependency is provided by the host system.
         - SCOPE_CUSTOM: Scope is not predefined and is a customized value for certain
        ecosystems.
         - SCOPE_VENDORED_CODE: Dependency is provided by vendored source code.
         - SCOPE_IMPORT: Dependency is imported via pom/abstract dependency.
      enum:
        - SCOPE_UNSPECIFIED
        - SCOPE_COMPILE
        - SCOPE_PROVIDED
        - SCOPE_RUNTIME
        - SCOPE_TEST
        - SCOPE_SYSTEM
        - SCOPE_CUSTOM
        - SCOPE_VENDORED_CODE
        - SCOPE_IMPORT
      type: string
    PackageVersionDependencyPackagistDependencySpecScope:
      default: SCOPE_UNSPECIFIED
      description: |-
        Scope.

         - SCOPE_UNSPECIFIED: unspecified scope when it is unclear what the scope is.
         - SCOPE_NORMAL: default scope when no other scope is provided.
         - SCOPE_DEVELOPMENT: all development and test dependencies.
      enum:
        - SCOPE_UNSPECIFIED
        - SCOPE_NORMAL
        - SCOPE_DEVELOPMENT
      type: string
    v1PlatformSource:
      default: PLATFORM_SOURCE_UNSPECIFIED
      description: Type of source control platform a resource was discovered on.
      enum:
        - PLATFORM_SOURCE_UNSPECIFIED
        - PLATFORM_SOURCE_GITHUB
        - PLATFORM_SOURCE_GITLAB
        - PLATFORM_SOURCE_GITSERVER
        - PLATFORM_SOURCE_BITBUCKET
        - PLATFORM_SOURCE_BINARY
        - PLATFORM_SOURCE_HUGGING_FACE
        - PLATFORM_SOURCE_AZURE
        - PLATFORM_SOURCE_ARCHIVE
        - PLATFORM_SOURCE_EXTERNAL_AI_SERVICE
        - PLATFORM_SOURCE_GITHUB_ENTERPRISE
      type: string
    PackageVersionDependencyPypiDependencySpecScope:
      default: SCOPE_UNSPECIFIED
      description: |-
        Scope.

         - SCOPE_UNSPECIFIED: Unspecified scope when it is unclear what the scope is.
         - SCOPE_NORMAL: Default scope when no other scope is provided.
         - SCOPE_OPTIONAL: All optional dependencies and extras related to features, dev, test or
        any other.
      enum:
        - SCOPE_UNSPECIFIED
        - SCOPE_NORMAL
        - SCOPE_OPTIONAL
      type: string
    v1ContainerRuntimeDependencyFile:
      description: >-
        ContainerRuntimeDependencyFile is a file accessed in the container image
        at runtime.
      properties:
        digests:
          description: Digest of the file.
          items:
            $ref: '#/components/schemas/v1Digest'
          type: array
        file_type:
          $ref: '#/components/schemas/v1FileType'
        path:
          description: Path of the dependency file as seen in the container image.
          type: string
        real_path:
          description: >-
            Actual path of the file accessed when a dependency is called at
            runtime in the

            container image.
          type: string
      type: object
    CargoDependencySpecDependencyKind:
      default: DEPENDENCY_KIND_UNSPECIFIED
      description: |2-
         - DEPENDENCY_KIND_UNSPECIFIED: Unspecified kind indicates that we are unsure about the type of
        dependency.
         - DEPENDENCY_KIND_NORMAL: Normal kind is the default type of dependency.
         - DEPENDENCY_KIND_DEVELOPMENT: Development kind indicates that the dependency is used for testing
        purposes.
         - DEPENDENCY_KIND_BUILD: Build kind indicates that the dependency is solely used for building the
        package.
      enum:
        - DEPENDENCY_KIND_UNSPECIFIED
        - DEPENDENCY_KIND_NORMAL
        - DEPENDENCY_KIND_DEVELOPMENT
        - DEPENDENCY_KIND_BUILD
      type: string
    v1Target:
      properties:
        exclude:
          description: Set to true if a dependency is excluded from the target.
          type: boolean
        name:
          description: 'Target name. Example: linux, dotnet, x86_64.'
          type: string
        type:
          $ref: '#/components/schemas/TargetTargetType'
        version:
          description: >-
            Target version, for example, 6.0.0 for the dotnet framework

            version 6.0.0. If there is no version specified for a target then
            that

            means that a dependency is applicable for all versions of that
            target.

            This field is optional because a few targets, such as CPU_ARCH,

            do not have a version.
          type: string
      required:
        - type
        - name
        - exclude
      type: object
    v1AIMetaConfidenceLevel:
      default: CONFIDENCE_LEVEL_UNSPECIFIED
      description: |-
        Confidence level for the finding.

         - CONFIDENCE_LEVEL_CRITICAL: Critical finding.
         - CONFIDENCE_LEVEL_HIGH: Very important findings.
         - CONFIDENCE_LEVEL_MEDIUM: Important findings.
         - CONFIDENCE_LEVEL_LOW: Low priority finding.
      enum:
        - CONFIDENCE_LEVEL_UNSPECIFIED
        - CONFIDENCE_LEVEL_CRITICAL
        - CONFIDENCE_LEVEL_HIGH
        - CONFIDENCE_LEVEL_MEDIUM
        - CONFIDENCE_LEVEL_LOW
      type: string
    v1LLMContext:
      properties:
        structured_content:
          $ref: '#/components/schemas/LLMContextStructuredContent'
        unstructured_content:
          description: The unstructured content of the LLM context.
          type: string
      type: object
    PullRequestSecurityReviewResultInfoChangeKind:
      default: CHANGE_KIND_UNSPECIFIED
      description: >-
        ChangeKind indicates the type of modification made to a code element
        (file, function, or snippet)

        within the pull request. This helps track whether items are newly added,
        modified, or removed.

         - CHANGE_KIND_UNSPECIFIED: Default state when the change type is unknown
         - CHANGE_KIND_NEW: Indicates a newly added element
         - CHANGE_KIND_MODIFIED: Indicates an existing element that was modified
         - CHANGE_KIND_REMOVED: Indicates an element that was removed
      enum:
        - CHANGE_KIND_UNSPECIFIED
        - CHANGE_KIND_NEW
        - CHANGE_KIND_MODIFIED
        - CHANGE_KIND_REMOVED
      type: string
    VulnSpecAffected:
      properties:
        affected_callpath_uris:
          description: >-
            Affected function URIs in FastenURI format.

            For example,

            "/com.atlassian.connect.spring.internal.lifecycle/LifecycleController.installed(%2Fcom.atlassian.connect.spring.internal.lifecycle%2FLifecycleEvent,%2Fcom.atlassian.connect.spring%2FAtlassianHostUser)%2Forg.springframework.http%2FResponseEntity".
          items:
            type: string
          type: array
        affected_filepaths:
          description: >-
            Class name that this vulnerability affects in JVM notation.

            For example,

            "com/atlassian/connect/spring/internal/lifecycle/LifecycleController.class".
          items:
            type: string
          type: array
        database_specific:
          description: >-
            Optional. JSON object holding additional information about the

            vulnerability as defined by the database for which the record
            applies.
          type: object
        ecosystem_specific:
          description: >-
            Optional. JSON object holding additional information about the

            vulnerability as defined by the ecosystem for which the record
            applies.
          type: object
        fix_commits:
          items:
            type: string
          title: Links to the commits that fix the vulnerability
          type: array
        has_been_fixed:
          type: boolean
        maintainer_cvss_level:
          $ref: '#/components/schemas/SpecCVSSSeverityLevel'
        maintainer_severity:
          $ref: '#/components/schemas/CVSSV3SeverityLevel'
        package:
          $ref: '#/components/schemas/SpecAffectedPackage'
        ranges:
          items:
            $ref: '#/components/schemas/SpecAffectedRange'
          type: array
        source:
          $ref: '#/components/schemas/AffectedSource'
        versions:
          items:
            type: string
          type: array
      type: object
    VulnSpecCredit:
      properties:
        contact:
          description: Contact methods (URLs).
          items:
            type: string
          type: array
        name:
          description: The name to give the credit.
          type: string
      type: object
    SpecCVSSV3Severity:
      # CVSS v3 severity record: a level, numeric score and vector string, plus
      # temporal_* counterparts of each. No property is listed as required, so
      # consumers should handle any of them being absent.
      properties:
        level:
          $ref: '#/components/schemas/CVSSV3SeverityLevel'
        score:
          description: |-
            The Common Vulnerability Scoring System (CVSS score) provides a
            numerical (0-10) representation of the severity of an information
            security vulnerability.
          format: float
          type: number
        temporal_level:
          $ref: '#/components/schemas/CVSSV3SeverityLevel'
        # NOTE(review): this description is word-for-word the same as `score`
        # and does not say how the temporal score differs from the base score.
        # When prioritising on this record, be explicit about which of the two
        # scores a threshold applies to.
        temporal_score:
          description: |-
            The Common Vulnerability Scoring System (CVSS score) provides a
            numerical (0-10) representation of the severity of an information
            security vulnerability.
          format: float
          type: number
        # NOTE(review): same description as `vector`; presumably the vector
        # string that carries the temporal metrics - confirm upstream.
        temporal_vector:
          description: >-
            A specially formatted vector indicating the attack surface and
            severity

            of the vulnerability. Format is here:

            https://www.first.org/cvss/specification-document.
          type: string
        vector:
          description: >-
            A specially formatted vector indicating the attack surface and
            severity

            of the vulnerability. Format is here:

            https://www.first.org/cvss/specification-document.
          type: string
      type: object
    SpecCVSSV4Severity:
      properties:
        base_level:
          $ref: '#/components/schemas/CVSSV4SeverityV4Level'
        base_score:
          description: |-
            The Common Vulnerability Scoring System v4.0 base score provides a
            numerical (0-10) representation of the severity of an information
            security vulnerability.
          format: float
          type: number
        environmental_level:
          $ref: '#/components/schemas/CVSSV4SeverityV4Level'
        environmental_score:
          description: |-
            The CVSS v4.0 environmental score provides context-specific scoring
            based on the deployment environment.
          format: float
          type: number
        threat_level:
          $ref: '#/components/schemas/CVSSV4SeverityV4Level'
        threat_score:
          description: |-
            The CVSS v4.0 threat score provides additional context about the
            exploitability of the vulnerability.
          format: float
          type: number
        vector:
          description: >-
            A specially formatted vector indicating the attack surface and
            severity

            of the vulnerability. Format is here:

            https://www.first.org/cvss/v4.0/specification-document.
          type: string
      type: object
    SpecEPSSScore:
      properties:
        percentile_score:
          format: double
          type: number
        probability_score:
          format: double
          type: number
      type: object
    SpecRaw:
      properties:
        endor_vulnerability:
          $ref: '#/components/schemas/endorv1Vulnerability'
        epss_record:
          $ref: '#/components/schemas/SpecEPSSRecord'
        kev_record:
          $ref: '#/components/schemas/SpecKEVRecord'
        nvd_vulnerability:
          $ref: '#/components/schemas/v1NVDVulnerability'
        osv_vulnerability:
          $ref: '#/components/schemas/osvVulnerability'
      type: object
    v1Checksum:
      # A package checksum together with the algorithm that produced it. Both
      # `value` and `algorithm` are required.
      description: >-
        The details of checksum including the algorithm used to prepare the
        checksum.
      properties:
        algorithm:
          $ref: '#/components/schemas/ChecksumHashAlgorithm'
        # NOTE(review): the description admits MD5 as well as SHA digests. MD5 is
        # not collision-resistant, so a consumer using this value for integrity
        # verification should read `algorithm` first and not treat an MD5 match
        # as proof that the package is authentic. The allowed algorithms are
        # defined in ChecksumHashAlgorithm, elsewhere in this spec.
        # The value is base64, not hex: decode it before comparing with a
        # hex digest printed by other tooling.
        value:
          description: >-
            A string representation (base64 encoded) of the SHA/MD5 checksum of
            the package.
          type: string
      required:
        - value
        - algorithm
      type: object
    v1LicenseInfo:
      description: LicenseInfo contains information for a license.
      properties:
        file:
          description: The name of the file where the license was found.
          type: string
        file_location:
          description: The line in the file where the license text begins.
          format: int32
          type: integer
        mapping_info:
          $ref: '#/components/schemas/v1LicenseMappingInfo'
        matched_text:
          description: The license text that was matched.
          type: string
        name:
          description: |-
            Raw license description as found, for example in package managers.
            It is free form text that may not contain a valid SPDX ID.
          type: string
        spdxid:
          description: Normalized SPDX id if known.
          type: string
        type:
          description: License classification (based on licenseclassifier by Google).
          type: string
        url:
          description: The URL that points to the license description.
          type: string
      required:
        - name
      type: object
    v1ProcessingStatus:
      properties:
        analytic_time:
          description: |-
            Last time a project was analyzed.

            Format: 2017-01-15T01:30:15.01Z
            RFC 3339: https://www.ietf.org/rfc/rfc3339.txt.
          format: date-time
          type: string
        disable_automated_scan:
          description: >-
            This is a private package and it must not be scanned by the
            background

            scheduler. It will be scanned by an endorctl client instead.
            Default:

            false.
          type: boolean
        metadata:
          $ref: '#/components/schemas/v1ProcessingStatusMetadata'
        queue_time:
          description: |-
            Last time a project was queued.

            Format: 2017-01-15T01:30:15.01Z
            RFC 3339: https://www.ietf.org/rfc/rfc3339.txt.
          format: date-time
          type: string
        scan_state:
          $ref: '#/components/schemas/v1ScanState'
        scan_time:
          description: |-
            Last time a project was ingested.

            Format: 2017-01-15T01:30:15.01Z
            RFC 3339: https://www.ietf.org/rfc/rfc3339.txt
          format: date-time
          type: string
      type: object
    v1PackageVersionSpec:
      properties:
        bazel_metadata:
          $ref: '#/components/schemas/v1BazelMetadata'
        call_graph_available:
          description: >-
            Set to true if a call graph was successfully created by the latest
            scan.
          type: boolean
        code_owners:
          $ref: '#/components/schemas/v1CodeOwnerData'
        container_metadata:
          $ref: '#/components/schemas/v1ContainerMetadata'
        ecosystem:
          $ref: '#/components/schemas/v1Ecosystem'
        internal_reference_key:
          description: >-
            Unique key for the package generated by Endor Labs to simplify
            lookups.
          readOnly: true
          type: string
        language:
          $ref: '#/components/schemas/v1Language'
        package_name:
          description: |-
            The name of the package of this package version. It is
            calculated automatically from the package version name.
          readOnly: true
          type: string
        precomputed_call_graph_state:
          $ref: '#/components/schemas/v1PrecomputedState'
        project_uuid:
          description: The UUID of the project to which this package version belongs.
          type: string
        relative_path:
          description: |-
            Path at which the package was discovered, relative to the
            workspace root.
          type: string
        release_timestamp:
          description: |-
            The release timestamp corresponding to the time a particular package
            version was released.
          format: date-time
          type: string
        resolution_errors:
          $ref: '#/components/schemas/PackageVersionResolutionErrors'
        resolved_dependencies:
          $ref: '#/components/schemas/v1Bom'
        source_code_reference:
          $ref: '#/components/schemas/PackageVersionSourceCodeReference'
        unresolved_dependencies:
          description: >-
            The exact dependency declarations in the package manager descriptor
            file.

            In Golang, this represents the list of dependencies in the go.mod.

            In Java/Maven, this represents the list of dependencies in the
            pom.xml.
          items:
            $ref: '#/components/schemas/v1PackageVersionDependency'
          type: array
      required:
        - project_uuid
      type: object
    SpecMalwareRange:
      description: Affected ranges.
      properties:
        fixed:
          description: The version or commit in which malicious behaviour was fixed.
          type: string
        introduced:
          description: |-
            The earliest version or commit in which malicious behaviour was
            introduced.
          type: string
        osv_id:
          description: The OSV ID for the malware record.
          type: string
        repo:
          description: The repository URL.
          type: string
        type:
          $ref: '#/components/schemas/MalwareRangeMalwareRangeType'
      type: object
    ReferenceReferenceType:
      default: REFERENCE_TYPE_UNSPECIFIED
      enum:
        - REFERENCE_TYPE_UNSPECIFIED
        - REFERENCE_TYPE_WEB
        - REFERENCE_TYPE_ADVISORY
        - REFERENCE_TYPE_REPORT
        - REFERENCE_TYPE_FIX
        - REFERENCE_TYPE_PACKAGE
        - REFERENCE_TYPE_ARTICLE
      type: string
    v1ContainerPackageType:
      default: CONTAINER_PACKAGE_TYPE_UNSPECIFIED
      description: |-
        ContainerPackageType is the type of container package.

         - CONTAINER_PACKAGE_TYPE_UNSPECIFIED: Unspecified container package type.
         - CONTAINER_PACKAGE_TYPE_LIBRARY: Library container package type.
         - CONTAINER_PACKAGE_TYPE_APPLICATION: Application container package type.
         - CONTAINER_PACKAGE_TYPE_APPLICATION_LIBRARY: Application and Library container package type.
         - CONTAINER_PACKAGE_TYPE_OS_LIBRARY: OS Library container package type.
         - CONTAINER_PACKAGE_TYPE_OS_APPLICATION: OS Application container package type.
         - CONTAINER_PACKAGE_TYPE_OS_APPLICATION_LIBRARY: OS Application and Library container package type.
      enum:
        - CONTAINER_PACKAGE_TYPE_UNSPECIFIED
        - CONTAINER_PACKAGE_TYPE_LIBRARY
        - CONTAINER_PACKAGE_TYPE_APPLICATION
        - CONTAINER_PACKAGE_TYPE_APPLICATION_LIBRARY
        - CONTAINER_PACKAGE_TYPE_OS_LIBRARY
        - CONTAINER_PACKAGE_TYPE_OS_APPLICATION
        - CONTAINER_PACKAGE_TYPE_OS_APPLICATION_LIBRARY
      type: string
    v1Digest:
      description: Digest is a digest of a file/container image.
      properties:
        algorithm:
          $ref: '#/components/schemas/v1DigestType'
        value:
          description: Digest value of the file.
          type: string
      required:
        - algorithm
        - value
      type: object
    v1FileType:
      default: FILE_TYPE_UNSPECIFIED
      enum:
        - FILE_TYPE_UNSPECIFIED
        - FILE_TYPE_FILE
        - FILE_TYPE_SYMLINK
      type: string
    TargetTargetType:
      default: TARGET_TYPE_UNSPECIFIED
      description: |2-
         - TARGET_TYPE_LANGUAGE: Language target, for example: Go 1.7 or Java 8.
         - TARGET_TYPE_FRAMEWORK: Framework target, for example: spring boot 2.0 or dotnet 4.6.2.
         - TARGET_TYPE_OS: OS target, for example: linux, windows, macos.
         - TARGET_TYPE_CPU_ARCH: CPU architecture target, for example: amd64, arm64, arm.
      enum:
        - TARGET_TYPE_UNSPECIFIED
        - TARGET_TYPE_LANGUAGE
        - TARGET_TYPE_FRAMEWORK
        - TARGET_TYPE_OS
        - TARGET_TYPE_CPU_ARCH
      type: string
    LLMContextStructuredContent:
      properties:
        data:
          description: The actual content data.
          type: string
        schema:
          description: >-
            The schema defining the structure and validation rules for the
            content.
          type: object
      type: object
    SpecCVSSSeverityLevel:
      default: CVSS_SEVERITY_LEVEL_UNSPECIFIED
      description: Common severity level enum used across different CVSS versions.
      enum:
        - CVSS_SEVERITY_LEVEL_UNSPECIFIED
        - CVSS_SEVERITY_LEVEL_NONE
        - CVSS_SEVERITY_LEVEL_LOW
        - CVSS_SEVERITY_LEVEL_MEDIUM
        - CVSS_SEVERITY_LEVEL_HIGH
        - CVSS_SEVERITY_LEVEL_CRITICAL
      type: string
    CVSSV3SeverityLevel:
      default: LEVEL_UNSPECIFIED
      enum:
        - LEVEL_UNSPECIFIED
        - LEVEL_NONE
        - LEVEL_LOW
        - LEVEL_MEDIUM
        - LEVEL_HIGH
        - LEVEL_CRITICAL
      type: string
    SpecAffectedPackage:
      description: Package information and version.
      properties:
        cpe:
          type: string
        cpes:
          description: List of CPEs associated with the affected package.
          items:
            type: string
          type: array
        ecosystem:
          $ref: '#/components/schemas/v1Ecosystem'
        name:
          type: string
        purl:
          type: string
      required:
        - name
        - ecosystem
      type: object
    SpecAffectedRange:
      description: Affected ranges.
      properties:
        fixed:
          description: The version or commit in which this vulnerability was fixed.
          type: string
        introduced:
          description: |-
            The earliest version or commit in which this vulnerability was
            introduced.
          type: string
        last_affected:
          description: >-
            The last version known to be affected. Versions strictly after this

            are assumed to be fixed. Used when an explicit fixed version is
            unavailable.
          type: string
        repo:
          description: The repository URL.
          type: string
        type:
          $ref: '#/components/schemas/RangeRangeType'
      type: object
    AffectedSource:
      default: SOURCE_UNSPECIFIED
      enum:
        - SOURCE_UNSPECIFIED
        - SOURCE_OSV
        - SOURCE_ENDOR
        - SOURCE_OVAL
      type: string
    CVSSV4SeverityV4Level:
      default: V4_LEVEL_UNSPECIFIED
      enum:
        - V4_LEVEL_UNSPECIFIED
        - V4_LEVEL_NONE
        - V4_LEVEL_LOW
        - V4_LEVEL_MEDIUM
        - V4_LEVEL_HIGH
        - V4_LEVEL_CRITICAL
      type: string
    endorv1Vulnerability:
      description: >-
        Vulnerability models information that can be extracted by analyzing
        CVEs.
      properties:
        additional_notes:
          description: Notes by the person that processed the CVE.
          type: string
        component:
          description: |-
            Information about affected artifacts, versions
            and function identifiers.
          items:
            $ref: '#/components/schemas/VulnerabilityComponent'
          type: array
        cve_description:
          description: A freeform textual summary of the vulnerability.
          type: string
        cve_id:
          description: The CVE ID, as it appears in the NVD. For example, CVE-2021-36090.
          type: string
        cve_references:
          items:
            type: string
          title: Web links containing extra information about the CVE
          type: array
        cvss_score:
          description: >-
            The Common Vulnerability Scoring System (CVSS score) provides a
            numerical

            (0-10) representation of the severity of an information security

            vulnerability.
          format: float
          type: number
        cvss_vector:
          title: >-
            A specially formatted vector indicating the attack surface and
            severity of the vulnerability. The format is specified at
            https://www.first.org/cvss/specification-document
          type: string
        cwe:
          title: |-
            The Common Weakness Enumeration field, if any.
            See: https://cwe.mitre.org
          type: string
        deepdive:
          description: >-
            Indicates whether the research team performed a full analysis on
            multiple artifact_ids involved in the CVE.
          type: boolean
        disputed:
          description: >-
            Indicates whether the research team considers that the CVE should
            be disputed based on analysis.
          type: boolean
        ecosystem:
          title: A free form name of the ecosystem, e.g. Maven
          type: string
        fix_commit:
          items:
            type: string
          title: Links to the commit(s) that fix the vulnerability
          type: array
        last_updated:
          description: The timestamp when the vulnerability was last updated.
          format: date-time
          type: string
        malicious:
          description: Indicates whether this item is classified as malicious or not.
          type: boolean
        nofix:
          description: >-
            Indicates whether a fix for the CVE has not been released or has
            not been disclosed.

            In such cases, the endor_uri string might not be available.
          type: boolean
        package_name:
          title: |-
            A free form name of the affected package / project, e.g. Apache
            commons-compress
          type: string
        schema_version:
          description: The schema version used for this vulnerability descriptor.
          type: string
        withdrawn:
          description: >-
            Indicates whether the underlying vulnerability has been withdrawn.
            The value is a date-time string, not a boolean.
          format: date-time
          type: string
      required:
        - cve_id
        - cve_description
        - package_name
        - ecosystem
        - schema_version
      type: object
    SpecEPSSRecord:
      properties:
        cve_id:
          type: string
        ingestion_time:
          format: date-time
          type: string
        percentile:
          format: double
          type: number
        probability:
          format: double
          type: number
      type: object
    SpecKEVRecord:
      properties:
        cve_id:
          type: string
        date_added:
          format: date-time
          type: string
        due_date:
          format: date-time
          type: string
        known_ransomware_campaign_use:
          type: string
        notes:
          type: string
        product:
          type: string
        required_action:
          type: string
        short_description:
          type: string
        vendor_project:
          type: string
        vulnerability_name:
          type: string
      type: object
    v1NVDVulnerability:
      description: >-
        NVD Vulnerability.

        Based on the schema definition provided by NVD at
        https://csrc.nist.gov/schema/nvd/api/2.0/cve_api_json_2.0.schema.
      properties:
        cve:
          $ref: '#/components/schemas/NVDVulnerabilityRootCve'
      type: object
    osvVulnerability:
      description: >-
        A vulnerability entry.

        The protobuf representation is *NOT* stable and only used for
        implementing

        the JSON based API.
      properties:
        affected:
          description: Required. Affected commit ranges and versions.
          items:
            $ref: '#/components/schemas/osvAffected'
          type: array
        aliases:
          description: Optional. IDs for the same vulnerability in other databases.
          items:
            type: string
          type: array
        credits:
          description: Optional. Credits for the vulnerability.
          items:
            $ref: '#/components/schemas/osvCredit'
          type: array
        database_specific:
          description: >-
            Optional. JSON object holding additional information about the

            vulnerability as defined by the database for which the record
            applies.
          type: object
        details:
          description: >-
            Required. Any additional human readable details for the
            vulnerability.
          type: string
        id:
          description: >-
            The `id` field is a unique identifier for the vulnerability entry.
            It is a

            string of the format `<DB>-<ENTRYID>`, where `DB` names the database
            and

            `ENTRYID` is in the format used by the database. For example:

            “OSV-2020-111”, “CVE-2021-3114”, or “GHSA-vp9c-fpxx-744v”.
          type: string
        modified:
          description: The RFC3339 timestamp indicating when this entry was last modified.
          format: date-time
          type: string
        package:
          $ref: '#/components/schemas/osvPackage'
        published:
          description: The RFC3339 timestamp indicating when this entry was published.
          format: date-time
          type: string
        references:
          description: |-
            Optional. URLs to more information/advisories (including the
            scheme, e.g. "https://").
          items:
            $ref: '#/components/schemas/osvReference'
          type: array
        related:
          description: >-
            Optional. List of IDs of closely related vulnerabilities, such as
            the same

            problem in alternate ecosystems.
          items:
            type: string
          type: array
        schema_version:
          description: The OSV schema version.
          type: string
        severity:
          description: Optional. Severity of the vulnerability.
          items:
            $ref: '#/components/schemas/osvSeverity'
          type: array
        summary:
          description: >-
            Required. One line human readable summary for the vulnerability. It
            is

            recommended to keep this under 120 characters.
          type: string
        withdrawn:
          description: >-
            Optional. The RFC3339 timestamp indicating when this entry is
            considered to

            be withdrawn.
          format: date-time
          type: string
      type: object
    # Enum naming the hash function that produced a checksum value.
    # The default is HASH_ALGORITHM_UNSPECIFIED, so a value that omits the
    # field carries no algorithm information.
    # NOTE(review): MD5 and SHA-1 are no longer collision-resistant. How the
    # service uses these values is not visible in this schema; a client that
    # relies on a checksum for tamper detection should prefer SHA-256 or
    # stronger and treat an MD5 or SHA-1 match as identification only.
    ChecksumHashAlgorithm:
      default: HASH_ALGORITHM_UNSPECIFIED
      description: |-
        An enum with the possible hash functions used to create checksum value.

         - HASH_ALGORITHM_MD5: HASH_ALGORITHM_MD5 for MD5 hash function.
         - HASH_ALGORITHM_SHA1: HASH_ALGORITHM_SHA1 for SHA1 hash function.
         - HASH_ALGORITHM_SHA224: HASH_ALGORITHM_SHA224 for SHA224 hash function.
         - HASH_ALGORITHM_SHA256: HASH_ALGORITHM_SHA256 for SHA256 hash function.
         - HASH_ALGORITHM_SHA384: HASH_ALGORITHM_SHA384 for SHA384 hash function.
         - HASH_ALGORITHM_SHA512: HASH_ALGORITHM_SHA512 for SHA512 hash function.
      enum:
        - HASH_ALGORITHM_UNSPECIFIED
        - HASH_ALGORITHM_MD5
        - HASH_ALGORITHM_SHA1
        - HASH_ALGORITHM_SHA224
        - HASH_ALGORITHM_SHA256
        - HASH_ALGORITHM_SHA384
        - HASH_ALGORITHM_SHA512
      type: string
    v1LicenseMappingInfo:
      default: LICENSE_MAPPING_INFO_UNSPECIFIED
      description: |-
        LicenseMappingInfo contains additional information
        that we determine when we attempt to match a license string
        to a known SPDX id.

         - LICENSE_MAPPING_INFO_NOT_OSS: This does not look like an OSS license.
         - LICENSE_MAPPING_INFO_IN_CODE: License information is to be found in the code.
         - LICENSE_MAPPING_INFO_UNKNOWN: Cannot determine anything about the license.
         - LICENSE_MAPPING_INFO_NOT_INCOMPLETE: There is some license information, but it is not detailed enough.
         - LICENSE_MAPPING_INFO_PRIVATE: Appears to be a private package.
         - LICENSE_MAPPING_INFO_EXACT: An exact match to a SPDX id.
         - LICENSE_MAPPING_INFO_UNLICENSED: Seems to be explicitly without license.
      enum:
        - LICENSE_MAPPING_INFO_UNSPECIFIED
        - LICENSE_MAPPING_INFO_NOT_OSS
        - LICENSE_MAPPING_INFO_IN_CODE
        - LICENSE_MAPPING_INFO_UNKNOWN
        - LICENSE_MAPPING_INFO_NOT_INCOMPLETE
        - LICENSE_MAPPING_INFO_PRIVATE
        - LICENSE_MAPPING_INFO_EXACT
        - LICENSE_MAPPING_INFO_UNLICENSED
      type: string
    v1ProcessingStatusMetadata:
      properties:
        full_history_scan_time:
          format: date-time
          title: Last time a project was scanned with deep secrets scanning
          type: string
      type: object
    v1ScanState:
      default: SCAN_STATE_UNSPECIFIED
      description: |-
        Scan state for a project or package version.

         - SCAN_STATE_NOT_PROCESSED: Object has not been processed by the system yet.
        Set when the project or package is created for the first time.
        A new project or package version is automatically placed in this state.
         - SCAN_STATE_IDLE: Object has been scanned at least once.
         - SCAN_STATE_INGESTING: Object is being scanned.
         - SCAN_STATE_ANALYTIC: Object is being analyzed.
         - SCAN_STATE_UNREACHABLE: Object cannot be ingested because it is not reachable from the scheduler.
         - SCAN_STATE_REQUEST_FULL_RESCAN: Object is marked for a complete rescan.
        This only applies to OSS projects.
         - SCAN_STATE_REQUEST_INCREMENTAL_RESCAN: Object is marked for an incremental rescan, where only new packages
        discovered in the scan are added. Indicates that this project should be
        rescanned with a higher priority. Often because it is used by a customer
        and we need any new packages to be discovered and scanned with higher
        priority. If the project is put in this state, we will scan any new
        packages at high priority but we will not re-scan older packages.
         - SCAN_STATE_QUEUED: Object is queued to be scanned.
         - SCAN_STATE_QUARANTINED: Scan scheduling was unsuccessful due to a system error. Object is
        quarantined from additional scheduling. The object is potentially an
        orphan or in a similar situation.
      enum:
        - SCAN_STATE_UNSPECIFIED
        - SCAN_STATE_NOT_PROCESSED
        - SCAN_STATE_IDLE
        - SCAN_STATE_INGESTING
        - SCAN_STATE_ANALYTIC
        - SCAN_STATE_UNREACHABLE
        - SCAN_STATE_REQUEST_FULL_RESCAN
        - SCAN_STATE_REQUEST_INCREMENTAL_RESCAN
        - SCAN_STATE_QUEUED
        - SCAN_STATE_QUARANTINED
      type: string
    v1BazelMetadata:
      description: BazelMetadata contains the Bazel metadata.
      properties:
        build_path:
          description: The build path.
          type: string
      type: object
    # Metadata recorded for a container image: identity (digest, repo_digest,
    # chain_id), runtime configuration (command, entrypoint, environment,
    # exposed_ports, labels, working_directory), the ordered layer list,
    # base-image details and profiling results.
    v1ContainerMetadata:
      description: ContainerMetadata is the metadata of a container image.
      properties:
        architecture:
          $ref: '#/components/schemas/v1ContainerArchitecture'
        base_image:
          $ref: '#/components/schemas/v1ContainerBaseImage'
        chain_id:
          description: Chain ID for the image's layers.
          type: string
        command:
          description: List of container command arguments.
          items:
            type: string
          type: array
        # Content digest of the image; described as SHA256 only, the string
        # format (with or without an algorithm prefix) is not stated here.
        digest:
          description: The SHA256 digest of the container image.
          type: string
        distribution:
          description: The OS distribution of the base image.
          type: string
        entrypoint:
          description: List of container entrypoint arguments.
          items:
            type: string
          type: array
        # NOTE(review): image environment variables frequently hold
        # credentials or tokens baked in at build time. Whether the service
        # redacts them is not visible in this schema; treat this list (and,
        # to a lesser degree, command, entrypoint and labels) as potentially
        # sensitive when logging, exporting or sharing API responses.
        environment:
          description: List of container environment variables.
          items:
            type: string
          type: array
        exposed_ports:
          description: List of container exposed ports.
          items:
            type: string
          type: array
        labels:
          additionalProperties:
            type: string
          description: Map of container labels.
          type: object
        layers:
          description: >-
            The list of layers of the container in the order they are applied to

            assemble the container image. The layers are the SHA256 digest of
            the

            container image layers. The list is equivalent to the output of
            `docker

            inspect --format='{{.RootFS.Layers}}' <image>`.
          items:
            $ref: '#/components/schemas/v1ContainerLayer'
          type: array
        profile_details:
          $ref: '#/components/schemas/v1ContainerProfileDetails'
        profile_error:
          $ref: '#/components/schemas/v1ContainerProfileError'
        profiled:
          description: True if the container image has been profiled.
          type: boolean
        repo_digest:
          description: >-
            The repo digest of the container image (e.g.,
            "your-image-name@sha256:...").
          type: string
        used_as_base:
          $ref: '#/components/schemas/v1ContainerAsBase'
        version:
          description: The version of the OS distribution of the base image.
          type: string
        working_directory:
          description: The working directory of the container.
          type: string
      type: object
    v1Language:
      default: LANGUAGE_UNSPECIFIED
      enum:
        - LANGUAGE_UNSPECIFIED
        - LANGUAGE_GO
        - LANGUAGE_JAVA
        - LANGUAGE_SCALA
        - LANGUAGE_PYTHON
        - LANGUAGE_RUST
        - LANGUAGE_JS
        - LANGUAGE_RUBY
        - LANGUAGE_CSHARP
        - LANGUAGE_PHP
        - LANGUAGE_TYPESCRIPT
        - LANGUAGE_KOTLIN
        - LANGUAGE_SWIFT
        - LANGUAGE_OBJECTIVEC
        - LANGUAGE_C
        - LANGUAGE_CPP
        - LANGUAGE_SWIFTURL
        - LANGUAGE_CONAN
      type: string
    v1PrecomputedState:
      default: PRECOMPUTED_STATE_UNSPECIFIED
      description: |-
        PrecomputedState represents the state of precomputed operations.

         - PRECOMPUTED_STATE_UNSPECIFIED: UNSPECIFIED indicates that the precomputed state is not set or unknown.
         - PRECOMPUTED_STATE_SUCCESS: SUCCESS indicates that the precomputed operation completed successfully.
         - PRECOMPUTED_STATE_FAILURE: FAILURE indicates that the precomputed operation failed.
      enum:
        - PRECOMPUTED_STATE_UNSPECIFIED
        - PRECOMPUTED_STATE_SUCCESS
        - PRECOMPUTED_STATE_FAILURE
      type: string
    PackageVersionResolutionErrors:
      description: ResolutionErrors captures the error results.
      properties:
        call_graph:
          $ref: '#/components/schemas/v1ResolutionStatus'
        resolved:
          $ref: '#/components/schemas/v1ResolutionStatus'
        unresolved:
          $ref: '#/components/schemas/v1ResolutionStatus'
      type: object
    PackageVersionSourceCodeReference:
      properties:
        http_clone_url:
          description: The URL of the source code repository.
          type: string
        platform_source:
          $ref: '#/components/schemas/v1PlatformSource'
        version:
          $ref: '#/components/schemas/v1Version'
      type: object
    v1PackageVersionDependency:
      description: PackageVersionDependency is a dependency of a package version.
      properties:
        c:
          $ref: >-
            #/components/schemas/PackageVersionDependencyUnresolvedDependencySpec
        cargo:
          $ref: '#/components/schemas/PackageVersionDependencyCargoDependencySpec'
        cocoapod:
          $ref: '#/components/schemas/PackageVersionDependencyCocoapodDependencySpec'
        conan:
          $ref: '#/components/schemas/PackageVersionDependencyConanDependencySpec'
        gem:
          $ref: '#/components/schemas/PackageVersionDependencyGemDependencySpec'
        githubaction:
          $ref: >-
            #/components/schemas/PackageVersionDependencyGitHubActionDependencySpec
        go:
          $ref: '#/components/schemas/PackageVersionDependencyGoDependencySpec'
        hugging_face:
          $ref: >-
            #/components/schemas/PackageVersionDependencyHuggingFaceDependencySpec
        maven:
          $ref: '#/components/schemas/PackageVersionDependencyMavenDependencySpec'
        npm:
          $ref: '#/components/schemas/PackageVersionDependencyNpmDependencySpec'
        nuget:
          $ref: '#/components/schemas/PackageVersionDependencyNugetDependencySpec'
        packagist:
          $ref: '#/components/schemas/PackageVersionDependencyPackagistDependencySpec'
        pypi:
          $ref: '#/components/schemas/PackageVersionDependencyPypiDependencySpec'
        swift:
          $ref: '#/components/schemas/PackageVersionDependencySwiftDependencySpec'
      type: object
    MalwareRangeMalwareRangeType:
      default: MALWARE_RANGE_TYPE_UNSPECIFIED
      description: Type of the version information.
      enum:
        - MALWARE_RANGE_TYPE_UNSPECIFIED
        - MALWARE_RANGE_TYPE_GIT
        - MALWARE_RANGE_TYPE_SEMVER
        - MALWARE_RANGE_TYPE_ECOSYSTEM
      type: string
    # Enum naming the hash function behind a digest value; the default is
    # DIGEST_TYPE_UNSPECIFIED.
    # NOTE(review): SHA-1 and MD5 are no longer collision-resistant. Where a
    # digest is used to confirm that an artifact is unmodified, prefer the
    # SHA-256 or SHA-512 value when one is available; how the service itself
    # uses these digests is not visible in this schema.
    v1DigestType:
      default: DIGEST_TYPE_UNSPECIFIED
      enum:
        - DIGEST_TYPE_UNSPECIFIED
        - DIGEST_TYPE_SHA1
        - DIGEST_TYPE_SHA256
        - DIGEST_TYPE_SHA512
        - DIGEST_TYPE_MD5
      type: string
    RangeRangeType:
      default: RANGE_TYPE_UNSPECIFIED
      description: Type of the version information.
      enum:
        - RANGE_TYPE_UNSPECIFIED
        - RANGE_TYPE_GIT
        - RANGE_TYPE_SEMVER
        - RANGE_TYPE_ECOSYSTEM
      type: string
    VulnerabilityComponent:
      properties:
        artifact_id:
          description: Indicates the artifact id that the CVE affects.
          type: string
        endor_uri:
          description: >-
            Affected function URIs in FastenURI format.

            For example,

            "/com.atlassian.connect.spring.internal.lifecycle/LifecycleController.installed(%2Fcom.atlassian.connect.spring.internal.lifecycle%2FLifecycleEvent,%2Fcom.atlassian.connect.spring%2FAtlassianHostUser)%2Forg.springframework.http%2FResponseEntity".
          items:
            type: string
          type: array
        fixed_versions:
          description: >-
            A list of all fixed versions.

            Can be more than one if the fix is applied on multiple release
            branches.
          items:
            type: string
          type: array
        group_id:
          description: Indicates the artifact group id that the CVE affects.
          type: string
        versions_range:
          description: >-
            Vulnerable version range in Maven notation. For example,
            "[1.1.0,2.1.3)".
          items:
            type: string
          type: array
        vulnerable_filepath:
          description: >-
            Class name that this vulnerability affects in JVM notation.

            For example,

            "com/atlassian/connect/spring/internal/lifecycle/LifecycleController.class".
          items:
            type: string
          type: array
        vulnerable_versions:
          description: A list of all affected artifact versions.
          items:
            type: string
          type: array
      required:
        - group_id
        - artifact_id
      type: object
    NVDVulnerabilityRootCve:
      properties:
        cisa_action_due:
          type: string
        cisa_exploit_add:
          type: string
        cisa_required_action:
          type: string
        cisa_vulnerability_name:
          type: string
        configurations:
          items:
            $ref: '#/components/schemas/RootCveConfig'
          type: array
        descriptions:
          items:
            $ref: '#/components/schemas/RootCveLangString'
          type: array
        evaluator_comment:
          type: string
        evaluator_impact:
          type: string
        evaluator_solution:
          type: string
        id:
          type: string
        last_modified:
          format: date-time
          type: string
        metrics:
          $ref: '#/components/schemas/RootCveCVSSMetric'
        published:
          format: date-time
          type: string
        references:
          items:
            $ref: '#/components/schemas/NVDVulnerabilityRootCveReference'
          type: array
        source_identifier:
          type: string
        vendor_comments:
          items:
            $ref: '#/components/schemas/RootCveVendorComment'
          type: array
        vuln_status:
          type: string
        vuln_typed_status:
          $ref: '#/components/schemas/v1NVDStatus'
        weaknesses:
          items:
            $ref: '#/components/schemas/RootCveWeakness'
          type: array
      required:
        - id
        - published
        - last_modified
        - descriptions
        - references
      type: object
    # One "affected" entry of an OSV record: the package plus the version
    # ranges and explicit versions it applies to.
    # NOTE(review): `ranges` is described as "Required." but this schema
    # declares no `required:` list, so schema validation accepts an entry
    # without it. The same holds for the "Required." fields of
    # osvVulnerability, osvPackage and osvReference in this file. A client
    # should handle a missing `ranges` or `versions` explicitly rather than
    # reading it as "no versions affected", which would hide a finding.
    osvAffected:
      description: Affected versions and commits.
      properties:
        # Free-form object with no declared properties; its content is
        # defined by the upstream database, so validate before use.
        database_specific:
          description: >-
            Optional. JSON object holding additional information about the

            vulnerability as defined by the database for which the record
            applies.
          type: object
        # Free-form object with no declared properties; its content is
        # defined by the package ecosystem, so validate before use.
        ecosystem_specific:
          description: >-
            Optional. JSON object holding additional information about the

            vulnerability as defined by the ecosystem for which the record
            applies.
          type: object
        package:
          $ref: '#/components/schemas/osvPackage'
        ranges:
          description: Required. Range information.
          items:
            $ref: '#/components/schemas/osvRange'
          type: array
        versions:
          description: Optional. List of affected versions.
          items:
            type: string
          type: array
      type: object
    osvCredit:
      properties:
        contact:
          description: Contact methods (URLs).
          items:
            type: string
          type: array
        name:
          description: The name to give credit to.
          type: string
      type: object
    osvPackage:
      description: Package information and version.
      properties:
        ecosystem:
          description: |-
            Required. The ecosystem for this package.
            For the complete list of valid ecosystem names, see
            <https://ossf.github.io/osv-schema/#affectedpackage-field>.
          type: string
        name:
          description: >-
            Required. Name of the package. Should match the name used in the
            package

            ecosystem (e.g. the npm package name). For C/C++ projects integrated
            in

            OSS-Fuzz, this is the name used for the integration.
          type: string
        purl:
          description: Optional. The package URL for this package.
          type: string
      type: object
    osvReference:
      description: Reference URL.
      properties:
        type:
          $ref: '#/components/schemas/osvReferenceType'
        url:
          description: Required. The URL.
          type: string
      type: object
    osvSeverity:
      properties:
        score:
          description: The quantitative score.
          type: string
        type:
          $ref: '#/components/schemas/osvSeverityType'
      type: object
    v1ContainerArchitecture:
      default: CONTAINER_ARCHITECTURE_UNSPECIFIED
      description: |-
        Container architecture.

         - CONTAINER_ARCHITECTURE_UNSPECIFIED: Unspecified architecture.
         - CONTAINER_ARCHITECTURE_UNKNOWN: Unknown architecture.
         - CONTAINER_ARCHITECTURE_AMD64: amd64 (64-bit x86) architecture.
         - CONTAINER_ARCHITECTURE_386: 386 (32-bit x86) architecture.
         - CONTAINER_ARCHITECTURE_ARM: arm (32-bit ARM) architecture.
         - CONTAINER_ARCHITECTURE_ARM64: arm64 (64-bit ARM) architecture.
         - CONTAINER_ARCHITECTURE_PPC64LE: ppc64le (PowerPC 64-bit, little-endian) architecture.
         - CONTAINER_ARCHITECTURE_PPC64: ppc64 (PowerPC 64-bit, big-endian) architecture.
         - CONTAINER_ARCHITECTURE_MIPS64LE: mips64le (MIPS 64-bit, little-endian) architecture.
         - CONTAINER_ARCHITECTURE_MIPS64: mips64 (MIPS 64-bit, big-endian) architecture.
         - CONTAINER_ARCHITECTURE_MIPSLE: mipsle (MIPS 32-bit, little-endian) architecture.
         - CONTAINER_ARCHITECTURE_MIPS: mips (MIPS 32-bit, big-endian) architecture.
         - CONTAINER_ARCHITECTURE_S390X: s390x (IBM System z 64-bit, big-endian) architecture.
         - CONTAINER_ARCHITECTURE_WASM: wasm (WebAssembly 32-bit) architecture.
      enum:
        - CONTAINER_ARCHITECTURE_UNSPECIFIED
        - CONTAINER_ARCHITECTURE_UNKNOWN
        - CONTAINER_ARCHITECTURE_AMD64
        - CONTAINER_ARCHITECTURE_386
        - CONTAINER_ARCHITECTURE_ARM
        - CONTAINER_ARCHITECTURE_ARM64
        - CONTAINER_ARCHITECTURE_PPC64LE
        - CONTAINER_ARCHITECTURE_PPC64
        - CONTAINER_ARCHITECTURE_MIPS64LE
        - CONTAINER_ARCHITECTURE_MIPS64
        - CONTAINER_ARCHITECTURE_MIPSLE
        - CONTAINER_ARCHITECTURE_MIPS
        - CONTAINER_ARCHITECTURE_S390X
        - CONTAINER_ARCHITECTURE_WASM
      type: string
    v1ContainerBaseImage:
      description: The base image of a container image.
      properties:
        chain_id:
          description: Chain ID for the base image's layers.
          type: string
        digest:
          description: The SHA256 digest of the base image.
          type: string
        name:
          description: The name of the base image. For example, "debian:bookworm-slim".
          type: string
      type: object
    v1ContainerLayer:
      description: A layer of a container image.
      properties:
        base_layer:
          description: True if the layer came from the base image, otherwise false.
          type: boolean
        command:
          description: |-
            The command that was run to create the layer.
            For example, `COPY /app /app`.
            This is an optional field.
          type: string
        digest:
          description: digest is the sha256 digest of the layer.
          type: string
      required:
        - digest
      type: object
    v1ContainerProfileDetails:
      description: >-
        ContainerProfileDetails represents the details of the container
        profiling.
      properties:
        application_type:
          $ref: '#/components/schemas/ContainerProfileDetailsApplicationType'
        detected_as_base_image:
          description: >-
            True if container image is a generic base image.

            For example, "debian:bookworm-slim" where entry point is generic
            shell like "/bin/sh" or "/bin/bash".
          type: boolean
        duration_ms:
          description: The duration of the profile in milliseconds.
          format: int64
          type: string
        entry_point_package_version_name:
          description: >-
            Dependency that boots the container image and creates Process ID
            (PID) 1.
          type: string
        profile_type:
          $ref: '#/components/schemas/ContainerProfileDetailsProfileType'
      type: object
    v1ContainerProfileError:
      description: >-
        ContainerProfileError represents the error while profiling the container
        image.
      properties:
        description:
          description: A description of the profile error.
          type: string
        status:
          $ref: '#/components/schemas/ContainerProfileErrorContainerProfileStatus'
      type: object
    v1ContainerAsBase:
      description: >-
        ContainerAsBase captures usage of this container image as a base image
        elsewhere.
      properties:
        first_seen:
          description: First time this image was seen used as a base image.
          format: date-time
          type: string
        last_seen:
          description: Most recent time this image was seen used as a base image.
          format: date-time
          type: string
        update_options:
          $ref: '#/components/schemas/v1ContainerImageUpdateOptions'
        use_count:
          description: >-
            Number of times this image has been seen used as a base image.

            This number is used for trending and it's not meant for exact usage
            tracking.
          format: uint64
          type: string
        used:
          description: True if this image is used as a base image elsewhere.
          type: boolean
      type: object
    v1ResolutionStatus:
      description: |-
        ResolutionStatus is the response status that indicates if the operation
        succeeded. The response status will be stored with the
        results. The caller will continue with subsequent requests
        and the server can continue with additional packages.
      properties:
        description:
          description: >-
            A description of the error. Plugins should use proper descriptions
            that

            will be helpful to users or operations.
          type: string
        error_analysis:
          description: |-
            The analysis of the error based on the error parsing rules
            that can provide additional context on possible fixes.
          items:
            $ref: '#/components/schemas/ResolutionStatusErrorAnalysis'
          type: array
        error_analysis_best_match:
          $ref: '#/components/schemas/ResolutionStatusErrorAnalysis'
        operation:
          description: |-
            The operation during which the error was encountered.
            A Go plugin can return as operation reading go.mod file,
            a Java plugin can be reading a pom.xml. Every plugin is
            doing different operations and it should identify here
            the operation that failed. This again will help with debugging.
          type: string
        status_error:
          $ref: '#/components/schemas/ResolutionStatusStatusError'
        target:
          description: >-
            The target object (path or package) where the failure happened. For
            package

            scans it is the package. For the workspace scans it is the target
            path.
          type: string
        target_files:
          additionalProperties:
            type: string
          description: >-
            The content of manifest files or the list of files based on the
            operation.
          type: object
      type: object
    PackageVersionDependencyUnresolvedDependencySpec:
      description: Unresolved dependency data.
      properties:
        name:
          description: Package name, for example, Alamofire.
          type: string
        scope:
          $ref: '#/components/schemas/v1DependencyScope'
        targets:
          description: |-
            Targets that this dependency applies to.
            If there is no target then this dependency applies to all targets.
          items:
            $ref: '#/components/schemas/v1Target'
          type: array
        version_constraints:
          description: Version constraints, for example, ~> 1.2.
          type: string
      required:
        - name
      type: object
    PackageVersionDependencyCargoDependencySpec:
      description: |-
        CargoDependencySpec specifies a dependency for
        type defined in the Rust cargo_metadata crate.
      properties:
        cfg:
          $ref: '#/components/schemas/CargoDependencySpecCfg'
        features:
          description: The list of features enabled for this dependency.
          items:
            type: string
          type: array
        kind:
          $ref: '#/components/schemas/CargoDependencySpecDependencyKind'
        name:
          description: The name of dependency.
          type: string
        named:
          $ref: '#/components/schemas/CargoDependencySpecNamedPlatform'
        optional:
          description: Whether this dependency is required or optional.
          type: boolean
        path:
          description: The file system path for a local path dependency.
          type: string
        registry:
          description: >-
            The URL of the index of the registry where this dependency is
            from.

            If not specified, the dependency is from crates.io.
          type: string
        rename:
          description: >-
            If the dependency is renamed, this is the new name for the
            dependency.
          type: string
        req:
          description: |-
            The required version, specified as a list of version requirements
            that all have to be satisfied.
          items:
            $ref: '#/components/schemas/CargoDependencySpecCargoVersionReq'
          type: array
        source:
          description: The source repository query string to use, if any.
          type: string
        targets:
          description: >-
            The targets to which this dependency applies.

            If there is no target then this dependency will be applicable for
            all

            the targets. A dependency can be valid for multiple targets.
          items:
            $ref: '#/components/schemas/v1Target'
          type: array
        uses_default_features:
          description: Whether the default features in this dependency are used or not.
          type: boolean
        version_constraints:
          description: Package version number rules.
          type: string
      required:
        - name
        - kind
        - optional
        - uses_default_features
        - version_constraints
      type: object
    PackageVersionDependencyCocoapodDependencySpec:
      description: |-
        CocoapodDependencySpec specifies storing a dependency for
        cocoapod packages.
      properties:
        name:
          title: |-
            The name of the package.
            Example: Alamofire
          type: string
        scope:
          $ref: '#/components/schemas/v1DependencyScope'
        targets:
          description: >-
            The targets to which this dependency applies.

            If there is no target then this dependency will be applicable for
            all the

            targets. A dependency can be valid for multiple targets.
          items:
            $ref: '#/components/schemas/v1Target'
          type: array
        version_constraints:
          title: |-
            The Cocoapod version that is defined in the
            Podfile. Example: (~> 1.2)
          type: string
      required:
        - name
      type: object
    PackageVersionDependencyConanDependencySpec:
      description: >-
        ConanDependencySpec specifies storing an unresolved dependency for Conan
        packages.
      properties:
        name:
          description: Package name, for example, zlib.
          type: string
        scope:
          $ref: '#/components/schemas/v1DependencyScope'
        targets:
          description: |-
            Targets that this dependency applies to.
            If there is no target then this dependency applies to all targets.
          items:
            $ref: '#/components/schemas/v1Target'
          type: array
        version_constraints:
          description: Conan version constraints, for example, >=1.2 <2.0.
          type: string
      required:
        - name
      type: object
    PackageVersionDependencyGemDependencySpec:
      description: |-
        GemDependencySpec specifies storing a dependency for Ruby based
        repositories or packages.
      properties:
        name:
          title: |-
            The name of the Ruby dependency (name of a gem).
            Example: nokogiri
          type: string
        scope_type:
          $ref: '#/components/schemas/PackageVersionDependencyGemDependencySpecScope'
        targets:
          description: >-
            The targets to which this dependency applies.

            If there is no target then this dependency will be applicable for
            all the

            targets. A dependency can be valid for multiple targets.
          items:
            $ref: '#/components/schemas/v1Target'
          type: array
        version_constraints:
          title: |-
            Package version number rules.
            Example-1: ~= 1.2
            Example-2: >= 4.0.0, < 6.0.0
            Example-3: == 5.4.7
          type: string
      required:
        - name
        - version_constraints
      type: object
    # Dependency record for a GitHub Action.
    # Only `name` is required, so `version` may be absent from a record.
    PackageVersionDependencyGitHubActionDependencySpec:
      description: |-
        GitHubActionDependencySpec specifies storing a dependency for
        GitHub action packages.
      properties:
        action_type:
          $ref: '#/components/schemas/GitHubActionDependencySpecGHActionType'
        name:
          title: |-
            The name of the GitHub action
            Example: actions/checkout
          type: string
        scope:
          $ref: >-
            #/components/schemas/PackageVersionDependencyGitHubActionDependencySpecScope
        # NOTE(review): the examples given (v1, v2, main) are tag and branch
        # refs, which the action's owner can move to different code. Whether a
        # full commit SHA pin is also reported in this field is not stated
        # here - confirm before using it to tell pinned from unpinned actions.
        version:
          title: |-
            The version of the GitHub action
            Example: v1, v2, main
          type: string
      required:
        - name
      type: object
    PackageVersionDependencyGoDependencySpec:
      description: |-
        GoDependencySpec specifies a dependency for
        Go packages or repositories.
      properties:
        package:
          title: |-
            The package url of the go dependency.
            Example: go://github.com/hashicorp/golang-lru/simplelru@v0.5.4
          type: string
        ref:
          description: The ref of the dependency package version.
          type: string
        scope_type:
          $ref: '#/components/schemas/PackageVersionDependencyGoDependencySpecScope'
        targets:
          description: >-
            The targets to which this dependency applies.

            If there is no target then this dependency will be applicable for
            all the

            targets. A dependency can be valid for multiple targets.
          items:
            $ref: '#/components/schemas/v1Target'
          type: array
      required:
        - package
        - ref
      type: object
    PackageVersionDependencyHuggingFaceDependencySpec:
      description: |-
        HuggingFaceDependencySpec specifies storing a dependency
        for hugging face models.
      properties:
        name:
          title: |-
            The name of the model or package.
            Example: meta-llama/Meta-Llama-3-8B-Instruct
          type: string
        version:
          title: |-
            The version of the model or package.
            Example: main
          type: string
      required:
        - name
      type: object
    PackageVersionDependencyMavenDependencySpec:
      description: |-
        MavenDependencySpec specifies a dependency for
        Maven repositories or packages.
      properties:
        artifact_id:
          description: The name of a Maven project.
          type: string
        classifier:
          description: |-
            Differentiates Maven artifacts that were built from the same
            POM for different contexts. Some examples are "tests", "client", and
            "sources".
          type: string
        exclusions:
          description: Maven dependencies of a package version explicitly excluded.
          type: string
        group_id:
          description: A unique identifier for an organization or project in Maven.
          type: string
        optional:
          description: |-
            Whether a Maven dependency is needed or not for a project to work
            correctly.
          type: boolean
        scope:
          description: >-
            Maven dependency scopes which can help to limit the

            transitivity of the dependencies and determine build tasks and
            lifecycle

            a dependency applies to. Deprecated. Maintained for compatibility.
          type: string
        scope_type:
          $ref: >-
            #/components/schemas/PackageVersionDependencyMavenDependencySpecScope
        targets:
          description: >-
            The targets to which this dependency applies.

            If there is no target then this dependency will be applicable for
            all the

            targets. A dependency can be valid for multiple targets.
          items:
            $ref: '#/components/schemas/v1Target'
          type: array
        type:
          description: |-
            The Maven dependency type. Some examples are "jar", "ear", and
            "test-jar".
          type: string
        version_constraints:
          description: Maven version number rules.
          type: string
      required:
        - group_id
        - artifact_id
        - version_constraints
      type: object
    PackageVersionDependencyNpmDependencySpec:
      description: |-
        NpmDependencySpec specifies storing a dependency for npm
        based repositories or packages.
      properties:
        name:
          title: |-
            name specifies the package name of the npm package.
            Example: react
          type: string
        scope:
          $ref: '#/components/schemas/PackageVersionDependencyNpmDependencySpecScope'
        targets:
          description: >-
            The targets to which this dependency applies.

            If there is no target then this dependency will be applicable for
            all the

            targets. A dependency can be valid for multiple targets.
          items:
            $ref: '#/components/schemas/v1Target'
          type: array
        version:
          title: >-
            version specifies the version of the npm dependency if concrete
            version

            is defined in package.json. Example: 1.0.0
          type: string
        version_constraint:
          title: >-
            versionConstraints are module version number rules if no concrete
            version

            is found. Example-1: ~= 3.2 Example-2: >= 2.0.0, < 3.0.0 Example-3:

            == 4.7.0
          type: string
      required:
        - name
      type: object
    PackageVersionDependencyNugetDependencySpec:
      description: |-
        NugetDependencySpec specifies storing a dependency for
        NuGet based repositories or packages.
      properties:
        name:
          title: |-
            The package URL of the NuGet package.
            Example: nuget://System.Text.JSON@1.0.0
          type: string
        scope:
          $ref: '#/components/schemas/v1DependencyScope'
        targets:
          description: >-
            The targets to which this dependency applies.

            If there is no target then this dependency will be applicable for
            all the

            targets. A dependency can be valid for multiple targets.
          items:
            $ref: '#/components/schemas/v1Target'
          type: array
        version_constraints:
          title: |-
            The NuGet package version that is defined in the
            csproj file. Example-1: [1.0.0, 2.0.0), Example-2: * Example-3:
            (1.0.0, 2.0.0]
          type: string
      required:
        - name
      type: object
    PackageVersionDependencyPackagistDependencySpec:
      description: |-
        PackagistDependencySpec specifies storing a dependency for php
        based repositories or packages.
      properties:
        name:
          title: |-
            The name of the PHP package dependency.
            Example: monolog/monolog
          type: string
        scope_type:
          $ref: >-
            #/components/schemas/PackageVersionDependencyPackagistDependencySpecScope
        targets:
          description: >-
            The targets to which this dependency applies.

            If there is no target then this dependency will be applicable for
            all the

            targets. A dependency can be valid for multiple targets.
          items:
            $ref: '#/components/schemas/v1Target'
          type: array
        version_constraints:
          title: |-
            Package version number rules.
            Example-1: ^1.5.3 || ^2.0
            Example-2: ^1.8.1
            Example-3: ^2.8.52 || ^3.4.35 || ^4.4 || ^5.0 || ^6.0
          type: string
      required:
        - name
        - version_constraints
      type: object
    PackageVersionDependencyPypiDependencySpec:
      description: |-
        PypiDependencySpec specifies a dependency for
        Python based repositories or packages.
      properties:
        name:
          title: |-
            The package name of the python dependency.
            Example: multidict
          type: string
        package_manager_type:
          $ref: >-
            #/components/schemas/PackageVersionDependencyPypiDependencySpecPackageManagerType
        scope_type:
          $ref: '#/components/schemas/PackageVersionDependencyPypiDependencySpecScope'
        targets:
          description: >-
            The targets to which this dependency applies.

            If there is no target then this dependency will be applicable for
            all the

            targets. A dependency can be valid for multiple targets.
          items:
            $ref: '#/components/schemas/v1Target'
          type: array
        version_constraints:
          title: |-
            Package version number rules.
            Example-1: ~= 3.2
            Example-2: >= 2.0.0, < 3.0.0
            Example-3: == 4.7.0
          type: string
      required:
        - name
        - version_constraints
      type: object
    PackageVersionDependencySwiftDependencySpec:
      description: SwiftDependencySpec specifies storing a dependency for Swift packages.
      properties:
        branch:
          minLength: 1
          type: string
        exact:
          minLength: 1
          type: string
        name:
          minLength: 1
          title: |-
            The name of the Swift package.
            Example: github.com/Alamofire/Alamofire
          type: string
        range:
          $ref: >-
            #/components/schemas/PackageVersionDependencySwiftDependencySpecRange
        revision:
          minLength: 1
          type: string
        scope:
          $ref: '#/components/schemas/v1DependencyScope'
        targets:
          description: The targets to which this dependency applies.
          items:
            $ref: '#/components/schemas/v1Target'
          type: array
      required:
        - name
        - exact
        - revision
        - branch
        - range
      type: object
    RootCveConfig:
      properties:
        negate:
          type: boolean
        nodes:
          items:
            $ref: '#/components/schemas/ConfigCVSSNode'
          type: array
        operator:
          $ref: '#/components/schemas/ConfigOperator'
      type: object
    RootCveLangString:
      properties:
        lang:
          type: string
        value:
          type: string
      required:
        - lang
        - value
      type: object
    RootCveCVSSMetric:
      properties:
        cvss_metric_v2:
          items:
            $ref: '#/components/schemas/NVDVulnerabilityCvssMetricV2'
          type: array
        cvss_metric_v30:
          items:
            $ref: '#/components/schemas/NVDVulnerabilityCvssMetricV30'
          type: array
        cvss_metric_v31:
          items:
            $ref: '#/components/schemas/NVDVulnerabilityCvssMetricV31'
          type: array
        cvss_metric_v40:
          items:
            $ref: '#/components/schemas/NVDVulnerabilityCvssMetricV40'
          type: array
      type: object
    NVDVulnerabilityRootCveReference:
      properties:
        source:
          type: string
        tags:
          items:
            type: string
          type: array
        url:
          type: string
      required:
        - url
      type: object
    RootCveVendorComment:
      properties:
        comment:
          type: string
        last_modified:
          format: date-time
          type: string
        organization:
          type: string
      required:
        - organization
        - comment
        - last_modified
      type: object
    # Status of a vulnerability record; defaults to NVD_STATUS_UNSPECIFIED.
    # The spec gives no description; the value names appear to mirror NVD's
    # vulnStatus values - TODO confirm.
    # NOTE(review): records that are not yet ANALYZED, or are REJECTED, may
    # carry no CVSS metrics; consumers gating on severity should decide
    # explicitly how to treat a missing score rather than read it as "low".
    v1NVDStatus:
      default: NVD_STATUS_UNSPECIFIED
      enum:
        - NVD_STATUS_UNSPECIFIED
        - NVD_STATUS_RECEIVED
        - NVD_STATUS_AWAITING_ANALYSIS
        - NVD_STATUS_UNDERGOING_ANALYSIS
        - NVD_STATUS_ANALYZED
        - NVD_STATUS_MODIFIED
        - NVD_STATUS_DEFERRED
        - NVD_STATUS_REJECTED
      type: string
    RootCveWeakness:
      properties:
        description:
          items:
            $ref: '#/components/schemas/RootCveLangString'
          type: array
        source:
          type: string
        type:
          type: string
      required:
        - source
        - type
        - description
      type: object
    # One affected range of a vulnerability entry: a range type, the version
    # events that bound it, and (for GIT ranges) the repository URL.
    # NOTE(review): the descriptions call `events` required and `repo`
    # required for GIT ranges, but this schema has no `required:` list, so
    # schema validation and generated clients will not enforce either.
    # Consumers should check for a missing or empty `events` themselves.
    osvRange:
      description: Affected ranges.
      properties:
        events:
          description: Required. Version event information.
          items:
            $ref: '#/components/schemas/osvEvent'
          type: array
        repo:
          description: >-
            Required if type is GIT. The publicly accessible URL of the repo
            that can

            be directly passed to clone commands.
          type: string
        type:
          $ref: '#/components/schemas/osvRangeType'
      type: object
    osvReferenceType:
      default: NONE
      enum:
        - NONE
        - WEB
        - ADVISORY
        - REPORT
        - FIX
        - PACKAGE
        - ARTICLE
      type: string
    # Scoring system a severity value is expressed in; defaults to
    # UNSPECIFIED.
    # NOTE(review): only CVSS_V3 is enumerated besides UNSPECIFIED. The OSV
    # schema also defines other severity types (for example CVSS_V2 and
    # CVSS_V4); how records scored only under those are reported is not
    # shown here - confirm before treating UNSPECIFIED as "no severity".
    osvSeverityType:
      default: UNSPECIFIED
      description: Type of the severity.
      enum:
        - UNSPECIFIED
        - CVSS_V3
      type: string
    ContainerProfileDetailsApplicationType:
      default: APPLICATION_TYPE_UNSPECIFIED
      description: >-
        ApplicationType represents the type of the application.

         - APPLICATION_TYPE_UNSPECIFIED: Unspecified application type.
         - APPLICATION_TYPE_CLI: CLI application type.
        It is typically set when container image does not have any exposed
        ports.
         - APPLICATION_TYPE_SERVER: Server application type.
        It is typically set when container image has exposed ports.
      enum:
        - APPLICATION_TYPE_UNSPECIFIED
        - APPLICATION_TYPE_CLI
        - APPLICATION_TYPE_SERVER
      type: string
    ContainerProfileDetailsProfileType:
      default: PROFILE_TYPE_UNSPECIFIED
      description: >-
        ProfileType represents the type of the profile.

         - PROFILE_TYPE_UNSPECIFIED: Unspecified profile type.
         - PROFILE_TYPE_BASIC: Basic profile type.
        It indicates that a container image was profiled using a built-in
        profiling mechanism.
         - PROFILE_TYPE_INSTRUMENTED: Instrumented profile type.
        It indicates that a container image was profiled using an instrumented
        profiling mechanism.
      enum:
        - PROFILE_TYPE_UNSPECIFIED
        - PROFILE_TYPE_BASIC
        - PROFILE_TYPE_INSTRUMENTED
      type: string
    ContainerProfileErrorContainerProfileStatus:
      default: CONTAINER_PROFILE_STATUS_UNSPECIFIED
      description: >-
        ContainerProfileStatus indicates the result of profiling a container
        image.

         - CONTAINER_PROFILE_STATUS_UNSPECIFIED: CONTAINER_PROFILE_STATUS_UNSPECIFIED indicates that the container profile
        status has not been set or is unknown.
         - CONTAINER_PROFILE_STATUS_PLUGIN_NOT_FOUND: CONTAINER_PROFILE_STATUS_PLUGIN_NOT_FOUND indicates that the Mint toolkit
        plugin required for profiling the container image was not found.

        This typically occurs when the profiling environment is misconfigured

        or the required Mint toolkit plugin is not installed.
         - CONTAINER_PROFILE_STATUS_TIMEOUT: CONTAINER_PROFILE_STATUS_TIMEOUT indicates that the profiling operation
        exceeded the allowed time limit.

        This typically occurs for complex container images that require

        extensive processing time or when system resources are constrained.
         - CONTAINER_PROFILE_STATUS_IMAGE_TOO_LARGE: CONTAINER_PROFILE_STATUS_IMAGE_TOO_LARGE indicates that the container
        image exceeds the maximum allowed size for profiling.

        This typically occurs when the uncompressed container image size

        exceeds the system's configured size limit for profiling operations.
         - CONTAINER_PROFILE_STATUS_IMAGE_NOT_RUNNABLE: CONTAINER_PROFILE_STATUS_IMAGE_NOT_RUNNABLE indicates that the container
        image cannot be executed without additional configuration.

        This typically occurs when the container image requires specific

        environment variables, volumes, network configuration, or entrypoint

        arguments that were not provided during the profiling attempt.
         - CONTAINER_PROFILE_STATUS_MINT_PLUGIN_ERROR: CONTAINER_PROFILE_STATUS_MINT_PLUGIN_ERROR indicates that the Mint plugin
        encountered an error while profiling the container image.

        This typically occurs when the Mint plugin encounters an unexpected

        condition, such as incompatible image format, corrupted layers, or

        internal plugin failures during the profiling process.
         - CONTAINER_PROFILE_STATUS_ARTIFACTS_NOT_FOUND: CONTAINER_PROFILE_STATUS_ARTIFACTS_NOT_FOUND indicates that the expected
        profiling artifacts were not found after the profiling operation
        completed.

        This typically occurs when the profiling process runs successfully but

        fails to produce or persist the expected output artifacts, possibly due

        to storage issues or unexpected container behavior during profiling.
         - CONTAINER_PROFILE_STATUS_INTERNAL_ERROR: CONTAINER_PROFILE_STATUS_INTERNAL_ERROR indicates that an internal error occurred while profiling the container image.
        This typically occurs when an unexpected error occurs during the
        profiling process,

        such as a programming error or an unexpected system failure.
         - CONTAINER_PROFILE_STATUS_PLUGIN_SETUP: CONTAINER_PROFILE_STATUS_PLUGIN_SETUP indicates that an error occurred while setting up the Mint toolkit plugin.
        This typically occurs when there is an error in setting up the Mint
        toolkit plugin.
         - CONTAINER_PROFILE_STATUS_PROFILE_LOAD: CONTAINER_PROFILE_STATUS_PROFILE_LOAD indicates that the profiling data was not found or corrupted.
        Indicates that the profiling is successfully completed but the profiling
        data was not found or corrupted.

        It can happen if the creport.json file is not found or corrupted.
         - CONTAINER_PROFILE_STATUS_MINT_VERSION_INCOMPATIBLE: CONTAINER_PROFILE_STATUS_MINT_VERSION_INCOMPATIBLE indicates that the Mint version is incompatible with the profiling requirements.
        This typically occurs when the Mint version is not compatible with the
        profiling requirements.
         - CONTAINER_PROFILE_STATUS_IMAGE_TYPE_BASE: CONTAINER_PROFILE_STATUS_IMAGE_TYPE_BASE indicates that the container
        image was identified as a base image (OS distribution or language
        runtime)

        and dynamic profiling was skipped because base images contain no

        application code to profile.
      enum:
        - CONTAINER_PROFILE_STATUS_UNSPECIFIED
        - CONTAINER_PROFILE_STATUS_PLUGIN_NOT_FOUND
        - CONTAINER_PROFILE_STATUS_TIMEOUT
        - CONTAINER_PROFILE_STATUS_IMAGE_TOO_LARGE
        - CONTAINER_PROFILE_STATUS_IMAGE_NOT_RUNNABLE
        - CONTAINER_PROFILE_STATUS_MINT_PLUGIN_ERROR
        - CONTAINER_PROFILE_STATUS_ARTIFACTS_NOT_FOUND
        - CONTAINER_PROFILE_STATUS_INTERNAL_ERROR
        - CONTAINER_PROFILE_STATUS_PLUGIN_SETUP
        - CONTAINER_PROFILE_STATUS_PROFILE_LOAD
        - CONTAINER_PROFILE_STATUS_MINT_VERSION_INCOMPATIBLE
        - CONTAINER_PROFILE_STATUS_IMAGE_TYPE_BASE
      type: string
    v1ContainerImageUpdateOptions:
      description: >-
        ContainerImageUpdateOptions groups possible base image update
        candidates.
      properties:
        latest_version:
          $ref: '#/components/schemas/v1ContainerImageUpdateOption'
        next_version:
          $ref: '#/components/schemas/v1ContainerImageUpdateOption'
        refreshed:
          $ref: '#/components/schemas/v1ContainerImageUpdateOption'
        update_time:
          description: Time when these update options were determined.
          format: date-time
          type: string
      type: object
    # Result of matching a resolution error against the error parsing rules:
    # a category, an explanation, whether configuration can fix it, and the
    # rule and error snippet that produced the match. No field is required.
    ResolutionStatusErrorAnalysis:
      description: |-
        ErrorAnalysis is the analysis of the error based on the error parsing
        rules.
      properties:
        error_category:
          $ref: '#/components/schemas/SpecErrorCategory'
        explanation:
          description: Explanation of the error based on the error parsing rules.
          type: string
        fixable:
          description: Fixable indicates if the error is fixable through configuration.
          type: boolean
        fixable_notes:
          description: notes about the fixable status.
          type: string
        matching_rule:
          description: matching_rule is the rule that matched the error.
          type: string
        # NOTE(review): per its description this is a piece of the error
        # text itself. Build and resolver errors can include file paths,
        # registry URLs or credentials; whether the snippet is redacted is
        # not stated - confirm before forwarding it to tickets or chat.
        matching_snippet:
          description: matching_snippet is the snippet of the error that matched the rule.
          type: string
      type: object
    ResolutionStatusStatusError:
      default: STATUS_ERROR_UNSPECIFIED
      description: >-
        StatusError is the type of issue discovered.

         - STATUS_ERROR_MANIFEST_LOAD: MANIFEST_LOAD indicates that the system is unable to find the manifest of
        the language (pom.xml, packages.json, etc). This status error is only

        used for unresolved dependencies.


        When it happens, the state of the package version will be as follows:

        - The unresolved dependencies will not be computed by the system.

        - The resolved dependencies will not be computed by the system.

        - The callgraph will not be computed by the system.


        For tenant packages:

        When it happens, the scan of the package version is marked as failed and

        endorctl will log an error.


        For OSS packages:

        When it happens and if the package version is in the OSS namespace, the

        package version will not be scanned anymore. When it happens, the scan
        of

        the package version is marked as failed and endorctl will log an error.
         - STATUS_ERROR_MANIFEST_PARSE: MANIFEST_PARSE indicates that the system failed to parse the manifest.
        This status error is only used for unresolved dependencies.


        When it happens, the state of the package version will be as follows:

        - The unresolved dependencies will not be computed by the system.

        - The resolved dependencies will not be computed by the system.

        - The callgraph will be computed by the system.


        For tenant packages:

        When it happens, the scan of the package version is marked as failed and

        endorctl will log an error.


        For OSS packages:

        When it happens and if the package version is in the OSS namespace, the

        package version will not be scanned anymore. When it happens, the scan
        of

        the package version is marked as failed and endorctl will log an error.
         - STATUS_ERROR_MANIFEST_EMPTY: MANIFEST_EMPTY indicates that the system failed to find
        any dependencies and is returning empty results on purpose.

        DEPRECATED: use STATUS_ERROR_MANIFEST_PARSE instead.
         - STATUS_ERROR_DEPENDENCY: DEPENDENCY indicates that the system failed to resolve a dependency.
        Usually this happens when a manifest contains bad associations of

        dependencies and versions. This status error is only used for resolved

        dependencies.


        When it happens, the state of the package version will be as follows:

        - The unresolved dependencies will be computed by the system.

        - The resolved dependencies will not be computed by the system.

        - The callgraph will be computed by the system.


        For tenant packages:

        When it happens, the scan of the package version is marked as failed and

        endorctl will log an error.


        For OSS packages:

        When it happens and if the package version is in the OSS namespace, the

        package version will not be scanned anymore. When it happens, the scan
        of

        the package version is marked as failed and endorctl will log an error.
         - STATUS_ERROR_CALL_GRAPH: CALL_GRAPH indicates that the system failed to construct the call graph.
        This status error is only used for callgraph computation.


        When it happens, the state of the package version will be as follows:

        - The unresolved dependencies will be computed by the system.

        - The resolved dependencies will be computed by the system.

        - The callgraph will not be computed by the system.


        For tenant packages:

        When it happens, the scan of the package version will not be marked as

        failed, only a warning log will be emitted by the system.


        For OSS packages:

        When it happens, the scan of the package version will not be marked as

        failed, only a warning log will be emitted by the system.
         - STATUS_ERROR_MISSING_ARTIFACT: MISSING_ARTIFACT indicates that the system failed to compute the
        callgraph because the package is not built. This status error is only

        used for callgraph computation.


        For OSS packages:

        When it happens, the system will try to build the package and the

        computation of the callgraph will be launched again.


        It should be noted that we should never have this state set in a package

        version. This is a transient state only used by the system. This state

        can not happen for tenant packages, we always expect that tenant
        packages

        will be built for us.
         - STATUS_ERROR_BUILD: BUILD indicates that the plugin failed to build the package version.
        This status error is only used for unresolved dependencies.


        When it happens, the state of the package version will be as follows:

        - The unresolved dependencies will not be computed by the system.

        - The resolved dependencies will not be computed by the system.

        - The callgraph will not be computed by the system.


        For OSS packages:

        When it happens and if the package version is in the OSS namespace, the

        package version will not be scanned anymore. When it happens, the scan
        of

        the package version is marked as failed and endorctl will log an error.


        It should be noted that this state can not happen for tenant packages,
        we

        always expect that tenant packages will be built for us.
         - STATUS_ERROR_PACKAGE_VERSION_UNAVAILABLE: PACKAGE_VERSION_UNAVAILABLE indicates that the package version is not
        available from the package manager. This status error is only used for

        unresolved dependencies.


        When it happens, the state of the package version will be as follows:

        - The unresolved dependencies will not be computed by the system.

        - The resolved dependencies will not be computed by the system.

        - The callgraph will not be computed by the system.


        For OSS packages:

        When it happens and if the package version is in the OSS namespace, the

        package version will not be scanned anymore. When it happens, the scan
        of

        the package version is marked as failed and endorctl will log an error.


        It should be noted that this state can not happen for tenant packages,

        for tenant we scan based on the source code and we never download a

        package from a package manager.
         - STATUS_ERROR_NO_CODE_ARTIFACT: NO_CODE_ARTIFACT indicates that the package version does not have any source
        code. The status error is only used for call graphs.


        When it happens, the state of the package version will be as follows:

        - The unresolved dependencies will be computed by the system.

        - The resolved dependencies will be computed by the system.

        - The call graph will not be computed by the system.


        For tenant packages:

        When it happens, the scan of the package version will not be marked as a

        call graph failure, only a warning log will be emitted by the system.


        For OSS packages:

        When it happens, the scan of the package version will not be marked as a

        call graph failure, only a warning log will be emitted by the system.
         - STATUS_ERROR_VENV: STATUS_ERROR_VENV indicates that the system failed to create the virtual
        environment required to generate the call graph.


        When it happens, the state of the package version will be as follows:

        - The unresolved dependencies will be computed by the system.

        - The resolved dependencies will be computed by the system.

        - The call graph will not be computed by the system.


        For tenant packages:

        When it happens, the scan of the package version will not be marked
        as

        a call graph failure. This indicates that the client code was not setup

        correctly.


        For OSS packages:

        When it happens, the scan of the package version will not be marked as a

        call graph failure, only a warning log will be emitted by the system.
         - STATUS_ERROR_INTERNAL: STATUS_ERROR_INTERNAL indicates that there was an internal system failure
        such as a data stream error.


        When it happens, the state of the package version will be as follows:

        - The unresolved dependencies will be computed by the system.

        - The resolved dependencies will be computed by the system.

        - The call graph will not be computed by the system.


        For tenant packages:

        When it happens, the scan of the package version will not be marked
        as

        a call graph failure.


        For OSS packages:

        When it happens, the scan of the package version will not be marked as a

        call graph failure, only a warning log will be emitted by the system.
         - STATUS_ERROR_UNSUPPORTED: STATUS_ERROR_UNSUPPORTED indicates that we scanned a package version
        having an unsupported language.


        When it happens, the state of the package version will be as follows:

        - The unresolved dependencies will not be computed by the system.

        - The resolved dependencies will not be computed by the system.

        - The call graph will not be computed by the system.


        For tenant packages:

        When it happens, the scan of the package version is marked as

        unsupported.


        For OSS packages:

        When it happens, the scan of the package version is marked as

        unsupported.
      enum:
        - STATUS_ERROR_UNSPECIFIED
        - STATUS_ERROR_MANIFEST_LOAD
        - STATUS_ERROR_MANIFEST_PARSE
        - STATUS_ERROR_MANIFEST_EMPTY
        - STATUS_ERROR_DEPENDENCY
        - STATUS_ERROR_CALL_GRAPH
        - STATUS_ERROR_MISSING_ARTIFACT
        - STATUS_ERROR_BUILD
        - STATUS_ERROR_PACKAGE_VERSION_UNAVAILABLE
        - STATUS_ERROR_NO_CODE_ARTIFACT
        - STATUS_ERROR_VENV
        - STATUS_ERROR_INTERNAL
        - STATUS_ERROR_UNSUPPORTED
      type: string
    CargoDependencySpecCfg:
      description: A cfg expression, like cfg(windows).
      properties:
        expr:
          $ref: '#/components/schemas/CfgCfgExpr'
      required:
        - expr
      type: object
    CargoDependencySpecNamedPlatform:
      description: A named platform, like x86_64-apple-darwin.
      properties:
        name:
          type: string
      required:
        - name
      type: object
    CargoDependencySpecCargoVersionReq:
      description: |-
        A crate with a matching name and repository can't be bound to a
        dependency if its version does not match this requirement.
      properties:
        major:
          format: uint64
          type: string
        minor:
          format: uint64
          type: string
        op:
          $ref: '#/components/schemas/CargoVersionReqOp'
        patch:
          description: Patch is only allowed if minor is present.
          format: uint64
          type: string
        pre:
          type: string
      required:
        - op
        - major
      type: object
    GitHubActionDependencySpecGHActionType:
      default: GH_ACTION_TYPE_UNSPECIFIED
      description: |-
        ActionType indicates what type of action is being used.
        eg. JS action, Docker action, composite action etc.

         - GH_ACTION_TYPE_UNSPECIFIED: Unspecified when it is unclear what type of action it is.
         - GH_ACTION_TYPE_GITHUB_REPO: Indicates action's source code is hosted in the GitHub repository.
         - GH_ACTION_TYPE_DOCKER: Indicates action written in Docker and is hosted in the Docker
        registry.
         - GH_ACTION_TYPE_INTERNAL: Indicates that action is using logic internal to the organization.
        It could refer to another .yaml file or to another
        directory which contains code for the GitHub action.
      enum:
        - GH_ACTION_TYPE_UNSPECIFIED
        - GH_ACTION_TYPE_GITHUB_REPO
        - GH_ACTION_TYPE_DOCKER
        - GH_ACTION_TYPE_INTERNAL
      type: string
    PackageVersionDependencyPypiDependencySpecPackageManagerType:
      default: PACKAGE_MANAGER_TYPE_UNSPECIFIED
      description: |-
        Python package manager.

         - PACKAGE_MANAGER_TYPE_PIP: PIP package manager
         - PACKAGE_MANAGER_TYPE_PIPENV: PIPENV package manager
         - PACKAGE_MANAGER_TYPE_POETRY: POETRY package manager
         - PACKAGE_MANAGER_TYPE_PDM: PDM package manager
         - PACKAGE_MANAGER_TYPE_UV: UV package manager
      enum:
        - PACKAGE_MANAGER_TYPE_UNSPECIFIED
        - PACKAGE_MANAGER_TYPE_PIP
        - PACKAGE_MANAGER_TYPE_PIPENV
        - PACKAGE_MANAGER_TYPE_POETRY
        - PACKAGE_MANAGER_TYPE_PDM
        - PACKAGE_MANAGER_TYPE_UV
      type: string
    PackageVersionDependencySwiftDependencySpecRange:
      description: Range represents a version range.
      properties:
        lower_bound:
          minLength: 1
          type: string
        upper_bound:
          minLength: 1
          type: string
      required:
        - lower_bound
        - upper_bound
      type: object
    # One node of a CVE applicability configuration: a list of CPE match
    # criteria (CVSSNodeCpeMatch) combined with `operator`, which ConfigOperator
    # limits to OPERATOR_AND / OPERATOR_OR (plus the unspecified default).
    # NOTE(review): presumably mirrors the NVD "configurations" node, where
    # `negate` inverts the result of the node - confirm before relying on it
    # in applicability logic.
    ConfigCVSSNode:
      properties:
        cpe_match:
          items:
            $ref: '#/components/schemas/CVSSNodeCpeMatch'
          type: array
        # Not listed under `required`, so it may be absent from a payload.
        negate:
          type: boolean
        operator:
          $ref: '#/components/schemas/ConfigOperator'
      required:
        - operator
        - cpe_match
      type: object
    ConfigOperator:
      default: OPERATOR_UNSPECIFIED
      enum:
        - OPERATOR_UNSPECIFIED
        - OPERATOR_AND
        - OPERATOR_OR
      type: string
    # CVSS v2.0 metric record: the scored vector (`cvss_data`), who supplied it
    # (`source`) and the metric type (`type`, see v1NVDMetricType). Those three
    # are the only required fields; both sub-scores are optional.
    NVDVulnerabilityCvssMetricV2:
      description: >-
        Based on schema definition provided by NVD here.
        https://csrc.nist.gov/schema/nvd/api/2.0/external/cvss-v2.0.json.
      properties:
        # NOTE(review): ac_insuf_info, the obtain_*_privilege flags and
        # user_interaction_required are optional booleans with no description
        # here; confirm whether an absent flag means "false" or "not assessed"
        # before using them in triage rules.
        ac_insuf_info:
          type: boolean
        base_severity:
          type: string
        cvss_data:
          $ref: '#/components/schemas/v1CvssDataV2'
        exploitability_score:
          format: float
          type: number
        impact_score:
          format: float
          type: number
        obtain_all_privilege:
          type: boolean
        obtain_other_privilege:
          type: boolean
        obtain_user_privilege:
          type: boolean
        source:
          type: string
        type:
          $ref: '#/components/schemas/v1NVDMetricType'
        user_interaction_required:
          type: boolean
      required:
        - source
        - type
        - cvss_data
      type: object
    # CVSS v3.0 metric record; requires the same three fields as the v2.0 and
    # v3.1 records (source, type, cvss_data).
    # NOTE(review): the schema URL in the description below combines "api/3.0"
    # with "cvss-v2.0.json", while the v2.0 and v3.1 records point at
    # ".../api/2.0/external/cvss-v2.0.json" and ".../cvss-v3.1.json". It looks
    # like a transposition of ".../api/2.0/external/cvss-v3.0.json" - verify
    # the link before citing it.
    NVDVulnerabilityCvssMetricV30:
      description: >-
        Based on schema definition provided by NVD here.
        https://csrc.nist.gov/schema/nvd/api/3.0/external/cvss-v2.0.json.
      properties:
        cvss_data:
          $ref: '#/components/schemas/v1CvssDataV30'
        exploitability_score:
          format: float
          type: number
        impact_score:
          format: float
          type: number
        source:
          type: string
        type:
          $ref: '#/components/schemas/v1NVDMetricType'
      required:
        - source
        - type
        - cvss_data
      type: object
    NVDVulnerabilityCvssMetricV31:
      description: >-
        Based on schema definition provided by NVD here.
        https://csrc.nist.gov/schema/nvd/api/2.0/external/cvss-v3.1.json.
      properties:
        cvss_data:
          $ref: '#/components/schemas/v1CvssDataV31'
        exploitability_score:
          format: float
          type: number
        impact_score:
          format: float
          type: number
        source:
          type: string
        type:
          $ref: '#/components/schemas/v1NVDMetricType'
      required:
        - source
        - type
        - cvss_data
      type: object
    # CVSS v4.0 metric record; requires source, type and cvss_data, like the
    # v2.0/v3.x records.
    # NOTE(review): as far as the CVSS v4.0 specification goes, there are no
    # separate exploitability/impact sub-scores, so exploitability_score and
    # impact_score are presumably unset for v4.0 records - confirm before
    # using them for prioritization.
    NVDVulnerabilityCvssMetricV40:
      description: >-
        CvssMetricV40. Based on schema definition provided by FIRST.ORG for CVSS
        v4.0.

        schema in
        https://csrc.nist.gov/schema/nvd/api/2.0/external/cvss-v4.0.json.
      properties:
        cvss_data:
          $ref: '#/components/schemas/v1CvssDataV40'
        exploitability_score:
          format: float
          type: number
        impact_score:
          format: float
          type: number
        source:
          type: string
        type:
          $ref: '#/components/schemas/v1NVDMetricType'
      required:
        - source
        - type
        - cvss_data
      type: object
    # One boundary event of an affected-version range. All three fields are
    # optional strings; none is listed as required.
    # NOTE(review): in the OSV schema `introduced` is an inclusive lower bound
    # while `fixed` and `limit` are exclusive upper bounds; presumably the same
    # holds here - confirm before writing range-matching logic, since an
    # off-by-one either flags a fixed version or clears a vulnerable one.
    osvEvent:
      description: Version events.
      properties:
        fixed:
          description: The version/commit that this vulnerability was fixed in.
          type: string
        introduced:
          description: |-
            The earliest version/commit where this vulnerability
            was introduced in.
          type: string
        limit:
          description: The limit to apply to the range.
          type: string
      type: object
    # Says how the version strings of a range are to be interpreted.
    # NOTE(review): the names match the OSV range types (GIT = commit hashes,
    # SEMVER = SemVer 2.0 ordering, ECOSYSTEM = the package ecosystem's own
    # ordering); presumably the same meaning here - confirm. Comparing versions
    # with the wrong ordering rule gives wrong affected/not-affected answers.
    osvRangeType:
      default: UNSPECIFIED
      description: Type of the version information.
      enum:
        - UNSPECIFIED
        - GIT
        - SEMVER
        - ECOSYSTEM
      type: string
    # A candidate base image identified three ways: layer chain ID, image
    # digest, and a human-readable reference. No field is marked required.
    v1ContainerImageUpdateOption:
      description: >-
        ContainerImageUpdateOption describes a single base image update
        candidate.
      properties:
        chain_id:
          description: Chain ID for the candidate image's layers.
          type: string
        # Content-addressed identifier of the candidate image.
        digest:
          description: The SHA256 digest of the candidate image (e.g., "sha256:...").
          type: string
        # The reference includes a tag. A registry tag can be re-pointed to
        # different content later, so when acting on a candidate, pin and
        # verify by `digest` rather than trusting `name` alone.
        name:
          description: |-
            Full image reference including registry, repository, and tag
            (e.g., "docker.io/library/ubuntu:22.04").
          type: string
      type: object
    SpecErrorCategory:
      default: ERROR_CATEGORY_UNSPECIFIED
      description: The type of error that the rule is for.
      enum:
        - ERROR_CATEGORY_UNSPECIFIED
        - ERROR_CATEGORY_PRIVATE_REGISTRY
        - ERROR_CATEGORY_TOOLCHAIN
        - ERROR_CATEGORY_REPOSITORY
        - ERROR_CATEGORY_OTHER
      type: string
    # Recursive expression tree: CfgAll and CargoDependencySpecCfgAny hold
    # arrays of CfgCfgExpr, CfgNot wraps a single CfgCfgExpr, and
    # CargoDependencySpecCfgValue is the leaf.
    # NOTE(review): nothing in this schema caps nesting depth or states that
    # exactly one of the four fields is set. A client that walks the tree
    # should bound its recursion and decide how to treat a node with several
    # fields populated - confirm what the server enforces.
    CfgCfgExpr:
      properties:
        all:
          $ref: '#/components/schemas/CfgAll'
        any:
          $ref: '#/components/schemas/CargoDependencySpecCfgAny'
        not:
          $ref: '#/components/schemas/CfgNot'
        value:
          $ref: '#/components/schemas/CargoDependencySpecCfgValue'
      type: object
    # Comparison operator used by CargoDependencySpecCargoVersionReq (`op`,
    # which that schema marks as required).
    # NOTE(review): the names line up with Cargo's version-requirement
    # operators (=, >, >=, <, <=, ~, ^, *); presumably a one-to-one mapping -
    # confirm before re-implementing version matching on top of it.
    CargoVersionReqOp:
      default: OP_UNSPECIFIED
      enum:
        - OP_UNSPECIFIED
        - OP_EXACT
        - OP_GREATER
        - OP_GREATEREQ
        - OP_LESS
        - OP_LESSEQ
        - OP_TILDE
        - OP_CARET
        - OP_WILDCARD
      type: string
    # One CPE match criterion inside a ConfigCVSSNode. `criteria`,
    # `match_criteria_id` and `vulnerable` are required; the four version_*
    # bounds are optional.
    # Going by the names, the *_including / *_excluding suffix says whether
    # the bound itself belongs to the range.
    # NOTE(review): in NVD data `vulnerable: false` marks a platform or
    # "running on" condition rather than an affected product - presumably the
    # same here; confirm before treating every match as a vulnerable component.
    CVSSNodeCpeMatch:
      properties:
        criteria:
          type: string
        match_criteria_id:
          type: string
        version_end_excluding:
          type: string
        version_end_including:
          type: string
        version_start_excluding:
          type: string
        version_start_including:
          type: string
        vulnerable:
          type: boolean
      required:
        - vulnerable
        - criteria
        - match_criteria_id
      type: object
    # CVSS v2.0 vector broken out per metric, plus base, temporal and
    # environmental scores. Only version, vector_string and base_score are
    # required.
    # NOTE(review): access_vector, the *_requirement fields and
    # remediation_level reference v1NVD* enums that the v3.x data schemas also
    # use. v1NVDAttackVector includes PHYSICAL, which CVSS v2.0 does not
    # define, so the schema alone does not reject a v2 record carrying it;
    # cross-check against vector_string where the value matters.
    v1CvssDataV2:
      properties:
        access_complexity:
          $ref: '#/components/schemas/CvssDataV2AccessComplexity'
        access_vector:
          $ref: '#/components/schemas/v1NVDAttackVector'
        authentication:
          $ref: '#/components/schemas/CvssDataV2Auth'
        availability_impact:
          $ref: '#/components/schemas/CvssDataV2V2Impact'
        availability_requirement:
          $ref: '#/components/schemas/v1NVDRequirement'
        base_score:
          format: float
          type: number
        collateral_damage_potential:
          $ref: '#/components/schemas/CvssDataV2CollateralDamagePotential'
        confidentiality_impact:
          $ref: '#/components/schemas/CvssDataV2V2Impact'
        confidentiality_requirement:
          $ref: '#/components/schemas/v1NVDRequirement'
        environmental_score:
          format: float
          type: number
        exploitability:
          $ref: '#/components/schemas/CvssDataV2Exploitability'
        integrity_impact:
          $ref: '#/components/schemas/CvssDataV2V2Impact'
        integrity_requirement:
          $ref: '#/components/schemas/v1NVDRequirement'
        remediation_level:
          $ref: '#/components/schemas/v1NVDRemediationLevel'
        report_confidence:
          $ref: '#/components/schemas/CvssDataV2ReportConfidence'
        target_distribution:
          $ref: '#/components/schemas/CvssDataV2TargetDistribution'
        temporal_score:
          format: float
          type: number
        vector_string:
          type: string
        version:
          type: string
      required:
        - version
        - vector_string
        - base_score
      type: object
    v1NVDMetricType:
      default: NVD_METRIC_TYPE_UNSPECIFIED
      enum:
        - NVD_METRIC_TYPE_UNSPECIFIED
        - NVD_METRIC_TYPE_PRIMARY
        - NVD_METRIC_TYPE_SECONDARY
      type: string
    v1CvssDataV30:
      properties:
        attack_complexity:
          $ref: '#/components/schemas/v1NVDAttackComplexity'
        attack_vector:
          $ref: '#/components/schemas/v1NVDAttackVector'
        availability_impact:
          $ref: '#/components/schemas/v1NVDImpact'
        availability_requirement:
          $ref: '#/components/schemas/v1NVDRequirement'
        base_score:
          format: float
          type: number
        base_severity:
          $ref: '#/components/schemas/v1NVDSeverity'
        confidentiality_impact:
          $ref: '#/components/schemas/v1NVDImpact'
        confidentiality_requirement:
          $ref: '#/components/schemas/v1NVDRequirement'
        environmental_score:
          format: float
          type: number
        environmental_severity:
          $ref: '#/components/schemas/v1NVDSeverity'
        exploit_code_maturity:
          $ref: '#/components/schemas/v1NVDExploitCodeMaturity'
        integrity_impact:
          $ref: '#/components/schemas/v1NVDImpact'
        integrity_requirement:
          $ref: '#/components/schemas/v1NVDRequirement'
        modified_attack_complexity:
          $ref: '#/components/schemas/v1NVDModifiedAttackComplexity'
        modified_attack_vector:
          $ref: '#/components/schemas/v1NVDModifiedAttackVector'
        modified_availability_impact:
          $ref: '#/components/schemas/v1NVDModifiedImpact'
        modified_confidentiality_impact:
          $ref: '#/components/schemas/v1NVDModifiedImpact'
        modified_integrity_impact:
          $ref: '#/components/schemas/v1NVDModifiedImpact'
        modified_privileges_required:
          $ref: '#/components/schemas/v1NVDModifiedPrivilegesRequired'
        modified_scope:
          $ref: '#/components/schemas/v1NVDModifiedScope'
        modified_user_interaction:
          $ref: '#/components/schemas/v1NVDModifiedUserInteraction'
        privileges_required:
          $ref: '#/components/schemas/v1NVDPrivilegesRequired'
        remediation_level:
          $ref: '#/components/schemas/v1NVDRemediationLevel'
        report_confidence:
          $ref: '#/components/schemas/v1NVDReportConfidence'
        scope:
          $ref: '#/components/schemas/v1NVDScope'
        temporal_score:
          format: float
          type: number
        temporal_severity:
          $ref: '#/components/schemas/v1NVDSeverity'
        user_interaction:
          $ref: '#/components/schemas/v1NVDUserInteraction'
        vector_string:
          type: string
        version:
          type: string
      required:
        - version
        - vector_string
        - base_score
        - base_severity
      type: object
    # CVSS v3.1 vector broken out per metric (base, temporal, environmental /
    # modified_*), plus the computed scores and severities. version,
    # vector_string, base_score and base_severity are required.
    v1CvssDataV31:
      properties:
        attack_complexity:
          $ref: '#/components/schemas/v1NVDAttackComplexity'
        attack_vector:
          $ref: '#/components/schemas/v1NVDAttackVector'
        availability_impact:
          $ref: '#/components/schemas/v1NVDImpact'
        availability_requirement:
          $ref: '#/components/schemas/v1NVDRequirement'
        base_score:
          format: float
          type: number
        base_severity:
          $ref: '#/components/schemas/v1NVDSeverity'
        confidentiality_impact:
          $ref: '#/components/schemas/v1NVDImpact'
        confidentiality_requirement:
          $ref: '#/components/schemas/v1NVDRequirement'
        environmental_score:
          format: float
          type: number
        environmental_severity:
          $ref: '#/components/schemas/v1NVDSeverity'
        exploit_code_maturity:
          $ref: '#/components/schemas/v1NVDExploitCodeMaturity'
        integrity_impact:
          $ref: '#/components/schemas/v1NVDImpact'
        integrity_requirement:
          $ref: '#/components/schemas/v1NVDRequirement'
        modified_attack_complexity:
          $ref: '#/components/schemas/v1NVDModifiedAttackComplexity'
        modified_attack_vector:
          $ref: '#/components/schemas/v1NVDModifiedAttackVector'
        modified_availability_impact:
          $ref: '#/components/schemas/v1NVDModifiedImpact'
        # NOTE(review): this references v1NVDModifiedScope (UNCHANGED /
        # CHANGED / NOT_DEFINED), whereas v1CvssDataV30 uses
        # v1NVDModifiedImpact for the same field and the sibling
        # modified_*_impact fields here do too. It looks like a slip in the
        # source definition - confirm what the API really returns before
        # feeding this value into an environmental-score calculation.
        modified_confidentiality_impact:
          $ref: '#/components/schemas/v1NVDModifiedScope'
        modified_integrity_impact:
          $ref: '#/components/schemas/v1NVDModifiedImpact'
        modified_privileges_required:
          $ref: '#/components/schemas/v1NVDModifiedPrivilegesRequired'
        modified_scope:
          $ref: '#/components/schemas/v1NVDModifiedScope'
        modified_user_interaction:
          $ref: '#/components/schemas/v1NVDModifiedUserInteraction'
        privileges_required:
          $ref: '#/components/schemas/v1NVDPrivilegesRequired'
        remediation_level:
          $ref: '#/components/schemas/v1NVDRemediationLevel'
        report_confidence:
          $ref: '#/components/schemas/v1NVDReportConfidence'
        scope:
          $ref: '#/components/schemas/v1NVDScope'
        temporal_score:
          format: float
          type: number
        temporal_severity:
          $ref: '#/components/schemas/v1NVDSeverity'
        user_interaction:
          $ref: '#/components/schemas/v1NVDUserInteraction'
        vector_string:
          type: string
        version:
          type: string
      required:
        - version
        - vector_string
        - base_score
        - base_severity
      type: object
    # CVSS v4.0 vector broken out per metric. version, vector_string,
    # base_score and base_severity are required; everything else is optional.
    # Impact is split in two: vuln_* for the vulnerable system and sub_* for
    # subsequent systems, each with a modified_* counterpart.
    # NOTE(review): automatable, provider_urgency, recovery, safety,
    # value_density and vulnerability_response_effort correspond to the v4.0
    # Supplemental metrics, which per the specification add context but do not
    # change the score - confirm before weighting them in a risk policy.
    v1CvssDataV40:
      properties:
        attack_complexity:
          $ref: '#/components/schemas/v1NVDV40AttackComplexity'
        attack_requirements:
          $ref: '#/components/schemas/v1NVDV40AttackRequirements'
        attack_vector:
          $ref: '#/components/schemas/v1NVDV40AttackVector'
        automatable:
          $ref: '#/components/schemas/v1NVDV40Automatable'
        availability_requirement:
          $ref: '#/components/schemas/v1NVDV40Requirement'
        base_score:
          format: float
          type: number
        base_severity:
          $ref: '#/components/schemas/v1NVDSeverity'
        confidentiality_requirement:
          $ref: '#/components/schemas/v1NVDV40Requirement'
        environmental_score:
          format: float
          type: number
        environmental_severity:
          $ref: '#/components/schemas/v1NVDSeverity'
        exploit_maturity:
          $ref: '#/components/schemas/v1NVDV40ExploitMaturity'
        integrity_requirement:
          $ref: '#/components/schemas/v1NVDV40Requirement'
        modified_attack_complexity:
          $ref: '#/components/schemas/v1NVDV40ModifiedAttackComplexity'
        modified_attack_requirements:
          $ref: '#/components/schemas/v1NVDV40ModifiedAttackRequirements'
        modified_attack_vector:
          $ref: '#/components/schemas/v1NVDV40ModifiedAttackVector'
        modified_privileges_required:
          $ref: '#/components/schemas/v1NVDV40ModifiedPrivilegesRequired'
        modified_sub_availability_impact:
          $ref: '#/components/schemas/v1NVDV40ModifiedSubImpact'
        modified_sub_confidentiality_impact:
          $ref: '#/components/schemas/v1NVDV40ModifiedSubImpact'
        modified_sub_integrity_impact:
          $ref: '#/components/schemas/v1NVDV40ModifiedSubImpact'
        modified_user_interaction:
          $ref: '#/components/schemas/v1NVDV40ModifiedUserInteraction'
        modified_vuln_availability_impact:
          $ref: '#/components/schemas/v1NVDV40ModifiedImpact'
        modified_vuln_confidentiality_impact:
          $ref: '#/components/schemas/v1NVDV40ModifiedImpact'
        modified_vuln_integrity_impact:
          $ref: '#/components/schemas/v1NVDV40ModifiedImpact'
        privileges_required:
          $ref: '#/components/schemas/v1NVDV40PrivilegesRequired'
        provider_urgency:
          $ref: '#/components/schemas/v1NVDV40ProviderUrgency'
        recovery:
          $ref: '#/components/schemas/v1NVDV40Recovery'
        safety:
          $ref: '#/components/schemas/v1NVDV40Safety'
        sub_availability_impact:
          $ref: '#/components/schemas/v1NVDV40Impact'
        sub_confidentiality_impact:
          $ref: '#/components/schemas/v1NVDV40Impact'
        sub_integrity_impact:
          $ref: '#/components/schemas/v1NVDV40Impact'
        threat_score:
          format: float
          type: number
        threat_severity:
          $ref: '#/components/schemas/v1NVDSeverity'
        user_interaction:
          $ref: '#/components/schemas/v1NVDV40UserInteraction'
        value_density:
          $ref: '#/components/schemas/v1NVDV40ValueDensity'
        vector_string:
          type: string
        version:
          type: string
        vuln_availability_impact:
          $ref: '#/components/schemas/v1NVDV40Impact'
        vuln_confidentiality_impact:
          $ref: '#/components/schemas/v1NVDV40Impact'
        vuln_integrity_impact:
          $ref: '#/components/schemas/v1NVDV40Impact'
        vulnerability_response_effort:
          $ref: '#/components/schemas/v1NVDV40VulnerabilityResponseEffort'
      required:
        - version
        - vector_string
        - base_score
        - base_severity
      type: object
    CfgAll:
      properties:
        expr:
          items:
            $ref: '#/components/schemas/CfgCfgExpr'
          type: array
      type: object
    CargoDependencySpecCfgAny:
      properties:
        expr:
          items:
            $ref: '#/components/schemas/CfgCfgExpr'
          type: array
      type: object
    CfgNot:
      properties:
        expr:
          $ref: '#/components/schemas/CfgCfgExpr'
      required:
        - expr
      type: object
    CargoDependencySpecCfgValue:
      properties:
        name:
          description: A named cfg value, like unix.
          type: string
        pair:
          $ref: '#/components/schemas/CfgKeyPair'
      type: object
    CvssDataV2AccessComplexity:
      default: ACCESS_COMPLEXITY_UNSPECIFIED
      enum:
        - ACCESS_COMPLEXITY_UNSPECIFIED
        - ACCESS_COMPLEXITY_HIGH
        - ACCESS_COMPLEXITY_MEDIUM
        - ACCESS_COMPLEXITY_LOW
      type: string
    # Referenced by v1CvssDataV2.access_vector and by attack_vector in the
    # v3.0 and v3.1 data schemas.
    # CVSS v2.0 defines only Local, Adjacent Network and Network, so PHYSICAL
    # is meaningful for v3.x records only.
    # NVD_ATTACK_VECTOR_UNSPECIFIED is the declared default.
    v1NVDAttackVector:
      default: NVD_ATTACK_VECTOR_UNSPECIFIED
      enum:
        - NVD_ATTACK_VECTOR_UNSPECIFIED
        - NVD_ATTACK_VECTOR_NETWORK
        - NVD_ATTACK_VECTOR_ADJACENT_NETWORK
        - NVD_ATTACK_VECTOR_LOCAL
        - NVD_ATTACK_VECTOR_PHYSICAL
      type: string
    CvssDataV2Auth:
      default: AUTH_UNSPECIFIED
      enum:
        - AUTH_UNSPECIFIED
        - AUTH_MULTIPLE
        - AUTH_SINGLE
        - AUTH_NONE
      type: string
    CvssDataV2V2Impact:
      default: V2_IMPACT_IMPACT_UNSPECIFIED
      enum:
        - V2_IMPACT_IMPACT_UNSPECIFIED
        - V2_IMPACT_IMPACT_NONE
        - V2_IMPACT_IMPACT_PARTIAL
        - V2_IMPACT_IMPACT_COMPLETE
      type: string
    v1NVDRequirement:
      default: NVD_REQUIREMENT_UNSPECIFIED
      enum:
        - NVD_REQUIREMENT_UNSPECIFIED
        - NVD_REQUIREMENT_LOW
        - NVD_REQUIREMENT_MEDIUM
        - NVD_REQUIREMENT_HIGH
        - NVD_REQUIREMENT_NOT_DEFINED
      type: string
    CvssDataV2CollateralDamagePotential:
      default: COLLATERAL_DAMAGE_POTENTIAL_UNSPECIFIED
      enum:
        - COLLATERAL_DAMAGE_POTENTIAL_UNSPECIFIED
        - COLLATERAL_DAMAGE_POTENTIAL_NONE
        - COLLATERAL_DAMAGE_POTENTIAL_LOW
        - COLLATERAL_DAMAGE_POTENTIAL_LOW_MEDIUM
        - COLLATERAL_DAMAGE_POTENTIAL_MEDIUM_HIGH
        - COLLATERAL_DAMAGE_POTENTIAL_HIGH
        - COLLATERAL_DAMAGE_POTENTIAL_NOT_DEFINED
      type: string
    CvssDataV2Exploitability:
      default: EXPLOITABILITY_UNSPECIFIED
      enum:
        - EXPLOITABILITY_UNSPECIFIED
        - EXPLOITABILITY_UNPROVEN
        - EXPLOITABILITY_PROOF_OF_CONCEPT
        - EXPLOITABILITY_FUNCTIONAL
        - EXPLOITABILITY_HIGH
        - EXPLOITABILITY_NOT_DEFINED
      type: string
    v1NVDRemediationLevel:
      default: NVD_REMEDIATION_LEVEL_UNSPECIFIED
      enum:
        - NVD_REMEDIATION_LEVEL_UNSPECIFIED
        - NVD_REMEDIATION_LEVEL_OFFICIAL_FIX
        - NVD_REMEDIATION_LEVEL_TEMPORARY_FIX
        - NVD_REMEDIATION_LEVEL_WORKAROUND
        - NVD_REMEDIATION_LEVEL_UNAVAILABLE
        - NVD_REMEDIATION_LEVEL_NOT_DEFINED
      type: string
    CvssDataV2ReportConfidence:
      default: REPORT_CONFIDENCE_UNSPECIFIED
      enum:
        - REPORT_CONFIDENCE_UNSPECIFIED
        - REPORT_CONFIDENCE_UNCONFIRMED
        - REPORT_CONFIDENCE_UNCORROBORATED
        - REPORT_CONFIDENCE_CONFIRMED
        - REPORT_CONFIDENCE_NOT_DEFINED
      type: string
    CvssDataV2TargetDistribution:
      default: TARGET_DISTRIBUTION_UNSPECIFIED
      enum:
        - TARGET_DISTRIBUTION_UNSPECIFIED
        - TARGET_DISTRIBUTION_NONE
        - TARGET_DISTRIBUTION_LOW
        - TARGET_DISTRIBUTION_MEDIUM
        - TARGET_DISTRIBUTION_HIGH
        - TARGET_DISTRIBUTION_NOT_DEFINED
      type: string
    v1NVDAttackComplexity:
      default: NVD_ATTACK_COMPLEXITY_UNSPECIFIED
      enum:
        - NVD_ATTACK_COMPLEXITY_UNSPECIFIED
        - NVD_ATTACK_COMPLEXITY_HIGH
        - NVD_ATTACK_COMPLEXITY_LOW
      type: string
    v1NVDImpact:
      default: NVD_IMPACT_UNSPECIFIED
      enum:
        - NVD_IMPACT_UNSPECIFIED
        - NVD_IMPACT_NONE
        - NVD_IMPACT_LOW
        - NVD_IMPACT_HIGH
      type: string
    # Qualitative severity rating referenced by the v3.0, v3.1 and v4.0 data
    # schemas (base_severity, environmental_severity, temporal_severity,
    # threat_severity).
    # CVSS qualitative scale: None 0.0, Low 0.1-3.9, Medium 4.0-6.9,
    # High 7.0-8.9, Critical 9.0-10.0.
    # NOTE(review): NVD_SEVERITY_UNSPECIFIED is the declared default, so a
    # policy that gates on severity should handle it explicitly rather than
    # letting it sort below LOW.
    v1NVDSeverity:
      default: NVD_SEVERITY_UNSPECIFIED
      enum:
        - NVD_SEVERITY_UNSPECIFIED
        - NVD_SEVERITY_NONE
        - NVD_SEVERITY_LOW
        - NVD_SEVERITY_MEDIUM
        - NVD_SEVERITY_HIGH
        - NVD_SEVERITY_CRITICAL
      type: string
    v1NVDExploitCodeMaturity:
      default: NVD_EXPLOIT_CODE_MATURITY_UNSPECIFIED
      enum:
        - NVD_EXPLOIT_CODE_MATURITY_UNSPECIFIED
        - NVD_EXPLOIT_CODE_MATURITY_UNPROVEN
        - NVD_EXPLOIT_CODE_MATURITY_PROOF_OF_CONCEPT
        - NVD_EXPLOIT_CODE_MATURITY_FUNCTIONAL
        - NVD_EXPLOIT_CODE_MATURITY_HIGH
        - NVD_EXPLOIT_CODE_MATURITY_NOT_DEFINED
      type: string
    v1NVDModifiedAttackComplexity:
      default: NVD_MODIFIED_ATTACK_COMPLEXITY_UNSPECIFIED
      enum:
        - NVD_MODIFIED_ATTACK_COMPLEXITY_UNSPECIFIED
        - NVD_MODIFIED_ATTACK_COMPLEXITY_HIGH
        - NVD_MODIFIED_ATTACK_COMPLEXITY_LOW
        - NVD_MODIFIED_ATTACK_COMPLEXITY_NOT_DEFINED
      type: string
    v1NVDModifiedAttackVector:
      default: NVD_MODIFIED_ATTACK_VECTOR_UNSPECIFIED
      enum:
        - NVD_MODIFIED_ATTACK_VECTOR_UNSPECIFIED
        - NVD_MODIFIED_ATTACK_VECTOR_NETWORK
        - NVD_MODIFIED_ATTACK_VECTOR_ADJACENT_NETWORK
        - NVD_MODIFIED_ATTACK_VECTOR_LOCAL
        - NVD_MODIFIED_ATTACK_VECTOR_PHYSICAL
        - NVD_MODIFIED_ATTACK_VECTOR_NOT_DEFINED
      type: string
    v1NVDModifiedImpact:
      default: NVD_MODIFIED_IMPACT_UNSPECIFIED
      enum:
        - NVD_MODIFIED_IMPACT_UNSPECIFIED
        - NVD_MODIFIED_IMPACT_NONE
        - NVD_MODIFIED_IMPACT_LOW
        - NVD_MODIFIED_IMPACT_HIGH
        - NVD_MODIFIED_IMPACT_NOT_DEFINED
      type: string
    v1NVDModifiedPrivilegesRequired:
      default: NVD_MODIFIED_PRIVILEGES_REQUIRED_UNSPECIFIED
      enum:
        - NVD_MODIFIED_PRIVILEGES_REQUIRED_UNSPECIFIED
        - NVD_MODIFIED_PRIVILEGES_REQUIRED_HIGH
        - NVD_MODIFIED_PRIVILEGES_REQUIRED_LOW
        - NVD_MODIFIED_PRIVILEGES_REQUIRED_NONE
        - NVD_MODIFIED_PRIVILEGES_REQUIRED_NOT_DEFINED
      type: string
    v1NVDModifiedScope:
      default: NVD_MODIFIED_SCOPE_UNSPECIFIED
      enum:
        - NVD_MODIFIED_SCOPE_UNSPECIFIED
        - NVD_MODIFIED_SCOPE_UNCHANGED
        - NVD_MODIFIED_SCOPE_CHANGED
        - NVD_MODIFIED_SCOPE_NOT_DEFINED
      type: string
    v1NVDModifiedUserInteraction:
      default: NVD_MODIFIED_USER_INTERACTION_UNSPECIFIED
      enum:
        - NVD_MODIFIED_USER_INTERACTION_UNSPECIFIED
        - NVD_MODIFIED_USER_INTERACTION_NONE
        - NVD_MODIFIED_USER_INTERACTION_REQUIRED
        - NVD_MODIFIED_USER_INTERACTION_NOT_DEFINED
      type: string
    v1NVDPrivilegesRequired:
      default: NVD_PRIVILEGES_REQUIRED_UNSPECIFIED
      enum:
        - NVD_PRIVILEGES_REQUIRED_UNSPECIFIED
        - NVD_PRIVILEGES_REQUIRED_HIGH
        - NVD_PRIVILEGES_REQUIRED_LOW
        - NVD_PRIVILEGES_REQUIRED_NONE
      type: string
    v1NVDReportConfidence:
      default: NVD_REPORT_CONFIDENCE_UNSPECIFIED
      enum:
        - NVD_REPORT_CONFIDENCE_UNSPECIFIED
        - NVD_REPORT_CONFIDENCE_UNKNOWN
        - NVD_REPORT_CONFIDENCE_REASONABLE
        - NVD_REPORT_CONFIDENCE_CONFIRMED
        - NVD_REPORT_CONFIDENCE_NOT_DEFINED
      type: string
    v1NVDScope:
      default: NVD_SCOPE_UNSPECIFIED
      enum:
        - NVD_SCOPE_UNSPECIFIED
        - NVD_SCOPE_UNCHANGED
        - NVD_SCOPE_CHANGED
      type: string
    # Presumably the CVSS v3.x base metric User Interaction (UI); inferred
    # from the value names, the spec has no description.
    # The default *_UNSPECIFIED is not the same as *_NONE.
    v1NVDUserInteraction:
      default: NVD_USER_INTERACTION_UNSPECIFIED
      enum:
        - NVD_USER_INTERACTION_UNSPECIFIED
        - NVD_USER_INTERACTION_NONE
        - NVD_USER_INTERACTION_REQUIRED
      type: string
    # Presumably the CVSS v4.0 base metric Attack Complexity (AC); inferred
    # from the "V40" prefix and value names, the spec has no description.
    # The default *_UNSPECIFIED carries no complexity rating of its own.
    v1NVDV40AttackComplexity:
      default: NVDV40_ATTACK_COMPLEXITY_UNSPECIFIED
      enum:
        - NVDV40_ATTACK_COMPLEXITY_UNSPECIFIED
        - NVDV40_ATTACK_COMPLEXITY_HIGH
        - NVDV40_ATTACK_COMPLEXITY_LOW
      type: string
    # Presumably the CVSS v4.0 base metric Attack Requirements (AT); inferred
    # from the "V40" prefix and value names, the spec has no description.
    # The default *_UNSPECIFIED is not the same as *_NONE.
    v1NVDV40AttackRequirements:
      default: NVDV40_ATTACK_REQUIREMENTS_UNSPECIFIED
      enum:
        - NVDV40_ATTACK_REQUIREMENTS_UNSPECIFIED
        - NVDV40_ATTACK_REQUIREMENTS_NONE
        - NVDV40_ATTACK_REQUIREMENTS_PRESENT
      type: string
    # Presumably the CVSS v4.0 base metric Attack Vector (AV); inferred from
    # the "V40" prefix and value names, the spec has no description.
    # The default *_UNSPECIFIED says nothing about reachability; filters on
    # *_NETWORK should decide explicitly how to handle it.
    v1NVDV40AttackVector:
      default: NVDV40_ATTACK_VECTOR_UNSPECIFIED
      enum:
        - NVDV40_ATTACK_VECTOR_UNSPECIFIED
        - NVDV40_ATTACK_VECTOR_NETWORK
        - NVDV40_ATTACK_VECTOR_ADJACENT
        - NVDV40_ATTACK_VECTOR_LOCAL
        - NVDV40_ATTACK_VECTOR_PHYSICAL
      type: string
    # Presumably the CVSS v4.0 supplemental metric Automatable (AU); inferred
    # from the "V40" prefix and value names, the spec has no description.
    # *_UNSPECIFIED (the default) and *_NOT_DEFINED are separate members and
    # neither is the same as *_NO.
    v1NVDV40Automatable:
      default: NVDV40_AUTOMATABLE_UNSPECIFIED
      enum:
        - NVDV40_AUTOMATABLE_UNSPECIFIED
        - NVDV40_AUTOMATABLE_NO
        - NVDV40_AUTOMATABLE_YES
        - NVDV40_AUTOMATABLE_NOT_DEFINED
      type: string
    # Presumably the value set for the CVSS v4.0 environmental security
    # requirement metrics (CR / IR / AR); inferred from the value names, and
    # which fields reference this schema is not visible here.
    # *_UNSPECIFIED (the default) and *_NOT_DEFINED are separate members.
    v1NVDV40Requirement:
      default: NVDV40_REQUIREMENT_UNSPECIFIED
      enum:
        - NVDV40_REQUIREMENT_UNSPECIFIED
        - NVDV40_REQUIREMENT_LOW
        - NVDV40_REQUIREMENT_MEDIUM
        - NVDV40_REQUIREMENT_HIGH
        - NVDV40_REQUIREMENT_NOT_DEFINED
      type: string
    # Presumably the CVSS v4.0 threat metric Exploit Maturity (E); inferred
    # from the "V40" prefix and value names, the spec has no description.
    # Neither *_UNSPECIFIED (the default) nor *_NOT_DEFINED is evidence that no
    # exploit exists; CVSS v4.0 scores "Not Defined" the same as "Attacked".
    # Only *_UNREPORTED states that no exploitation has been reported.
    v1NVDV40ExploitMaturity:
      default: NVDV40_EXPLOIT_MATURITY_UNSPECIFIED
      enum:
        - NVDV40_EXPLOIT_MATURITY_UNSPECIFIED
        - NVDV40_EXPLOIT_MATURITY_UNREPORTED
        - NVDV40_EXPLOIT_MATURITY_PROOF_OF_CONCEPT
        - NVDV40_EXPLOIT_MATURITY_ATTACKED
        - NVDV40_EXPLOIT_MATURITY_NOT_DEFINED
      type: string
    # Presumably the CVSS v4.0 environmental metric Modified Attack Complexity
    # (MAC); inferred from the value names, the spec has no description.
    # *_UNSPECIFIED (the default) and *_NOT_DEFINED are separate members.
    v1NVDV40ModifiedAttackComplexity:
      default: NVDV40_MODIFIED_ATTACK_COMPLEXITY_UNSPECIFIED
      enum:
        - NVDV40_MODIFIED_ATTACK_COMPLEXITY_UNSPECIFIED
        - NVDV40_MODIFIED_ATTACK_COMPLEXITY_HIGH
        - NVDV40_MODIFIED_ATTACK_COMPLEXITY_LOW
        - NVDV40_MODIFIED_ATTACK_COMPLEXITY_NOT_DEFINED
      type: string
    # Presumably the CVSS v4.0 environmental metric Modified Attack
    # Requirements (MAT); inferred from the value names, the spec has no
    # description.
    # *_UNSPECIFIED (the default) and *_NOT_DEFINED are separate members.
    v1NVDV40ModifiedAttackRequirements:
      default: NVDV40_MODIFIED_ATTACK_REQUIREMENTS_UNSPECIFIED
      enum:
        - NVDV40_MODIFIED_ATTACK_REQUIREMENTS_UNSPECIFIED
        - NVDV40_MODIFIED_ATTACK_REQUIREMENTS_NONE
        - NVDV40_MODIFIED_ATTACK_REQUIREMENTS_PRESENT
        - NVDV40_MODIFIED_ATTACK_REQUIREMENTS_NOT_DEFINED
      type: string
    # Presumably the CVSS v4.0 environmental metric Modified Attack Vector
    # (MAV); inferred from the value names, the spec has no description.
    # *_UNSPECIFIED (the default) and *_NOT_DEFINED are separate members.
    v1NVDV40ModifiedAttackVector:
      default: NVDV40_MODIFIED_ATTACK_VECTOR_UNSPECIFIED
      enum:
        - NVDV40_MODIFIED_ATTACK_VECTOR_UNSPECIFIED
        - NVDV40_MODIFIED_ATTACK_VECTOR_NETWORK
        - NVDV40_MODIFIED_ATTACK_VECTOR_ADJACENT
        - NVDV40_MODIFIED_ATTACK_VECTOR_LOCAL
        - NVDV40_MODIFIED_ATTACK_VECTOR_PHYSICAL
        - NVDV40_MODIFIED_ATTACK_VECTOR_NOT_DEFINED
      type: string
    # Presumably the CVSS v4.0 environmental metric Modified Privileges
    # Required (MPR); inferred from the value names, the spec has no
    # description.
    # *_UNSPECIFIED (the default) and *_NOT_DEFINED are separate members.
    v1NVDV40ModifiedPrivilegesRequired:
      default: NVDV40_MODIFIED_PRIVILEGES_REQUIRED_UNSPECIFIED
      enum:
        - NVDV40_MODIFIED_PRIVILEGES_REQUIRED_UNSPECIFIED
        - NVDV40_MODIFIED_PRIVILEGES_REQUIRED_HIGH
        - NVDV40_MODIFIED_PRIVILEGES_REQUIRED_LOW
        - NVDV40_MODIFIED_PRIVILEGES_REQUIRED_NONE
        - NVDV40_MODIFIED_PRIVILEGES_REQUIRED_NOT_DEFINED
      type: string
    # Presumably the value set for the CVSS v4.0 environmental "modified
    # subsequent system" impact metrics (MSC / MSI / MSA); inferred from the
    # value names, and which fields reference this schema is not visible here.
    # NOTE(review): CVSS v4.0 defines the Safety value for MSI and MSA only;
    # if this enum also backs MSC, the schema accepts a value the standard
    # does not define for it. Confirm against the producer.
    v1NVDV40ModifiedSubImpact:
      default: NVDV40_MODIFIED_SUB_IMPACT_UNSPECIFIED
      enum:
        - NVDV40_MODIFIED_SUB_IMPACT_UNSPECIFIED
        - NVDV40_MODIFIED_SUB_IMPACT_NEGLIGIBLE
        - NVDV40_MODIFIED_SUB_IMPACT_LOW
        - NVDV40_MODIFIED_SUB_IMPACT_HIGH
        - NVDV40_MODIFIED_SUB_IMPACT_SAFETY
        - NVDV40_MODIFIED_SUB_IMPACT_NOT_DEFINED
      type: string
    # Presumably the CVSS v4.0 environmental metric Modified User Interaction
    # (MUI); inferred from the value names, the spec has no description.
    # *_UNSPECIFIED (the default) and *_NOT_DEFINED are separate members.
    v1NVDV40ModifiedUserInteraction:
      default: NVDV40_MODIFIED_USER_INTERACTION_UNSPECIFIED
      enum:
        - NVDV40_MODIFIED_USER_INTERACTION_UNSPECIFIED
        - NVDV40_MODIFIED_USER_INTERACTION_NONE
        - NVDV40_MODIFIED_USER_INTERACTION_PASSIVE
        - NVDV40_MODIFIED_USER_INTERACTION_ACTIVE
        - NVDV40_MODIFIED_USER_INTERACTION_NOT_DEFINED
      type: string
    # Presumably the value set for the CVSS v4.0 environmental "modified
    # vulnerable system" impact metrics (MVC / MVI / MVA); inferred from the
    # value names, and which fields reference this schema is not visible here.
    # *_UNSPECIFIED (the default), *_NONE and *_NOT_DEFINED are three
    # different states; only *_NONE asserts that there is no impact.
    v1NVDV40ModifiedImpact:
      default: NVDV40_MODIFIED_IMPACT_UNSPECIFIED
      enum:
        - NVDV40_MODIFIED_IMPACT_UNSPECIFIED
        - NVDV40_MODIFIED_IMPACT_NONE
        - NVDV40_MODIFIED_IMPACT_LOW
        - NVDV40_MODIFIED_IMPACT_HIGH
        - NVDV40_MODIFIED_IMPACT_NOT_DEFINED
      type: string
    # Presumably the CVSS v4.0 base metric Privileges Required (PR); inferred
    # from the "V40" prefix and value names, the spec has no description.
    # There is no *_NOT_DEFINED member here; the default *_UNSPECIFIED is not
    # the same as *_NONE.
    v1NVDV40PrivilegesRequired:
      default: NVDV40_PRIVILEGES_REQUIRED_UNSPECIFIED
      enum:
        - NVDV40_PRIVILEGES_REQUIRED_UNSPECIFIED
        - NVDV40_PRIVILEGES_REQUIRED_HIGH
        - NVDV40_PRIVILEGES_REQUIRED_LOW
        - NVDV40_PRIVILEGES_REQUIRED_NONE
      type: string
    # Presumably the CVSS v4.0 supplemental metric Provider Urgency (U);
    # inferred from the "V40" prefix and value names, the spec has no
    # description.
    # *_UNSPECIFIED (the default) and *_NOT_DEFINED are separate members and
    # neither is the same as *_CLEAR.
    v1NVDV40ProviderUrgency:
      default: NVDV40_PROVIDER_URGENCY_UNSPECIFIED
      enum:
        - NVDV40_PROVIDER_URGENCY_UNSPECIFIED
        - NVDV40_PROVIDER_URGENCY_CLEAR
        - NVDV40_PROVIDER_URGENCY_GREEN
        - NVDV40_PROVIDER_URGENCY_AMBER
        - NVDV40_PROVIDER_URGENCY_RED
        - NVDV40_PROVIDER_URGENCY_NOT_DEFINED
      type: string
    # Presumably the CVSS v4.0 supplemental metric Recovery (R); inferred from
    # the "V40" prefix and value names, the spec has no description.
    # *_UNSPECIFIED (the default) and *_NOT_DEFINED are separate members.
    v1NVDV40Recovery:
      default: NVDV40_RECOVERY_UNSPECIFIED
      enum:
        - NVDV40_RECOVERY_UNSPECIFIED
        - NVDV40_RECOVERY_AUTOMATIC
        - NVDV40_RECOVERY_USER
        - NVDV40_RECOVERY_IRRECOVERABLE
        - NVDV40_RECOVERY_NOT_DEFINED
      type: string
    # Presumably the CVSS v4.0 supplemental metric Safety (S); inferred from
    # the "V40" prefix and value names, the spec has no description.
    # *_UNSPECIFIED (the default) and *_NOT_DEFINED are separate members and
    # neither is the same as *_NEGLIGIBLE.
    v1NVDV40Safety:
      default: NVDV40_SAFETY_UNSPECIFIED
      enum:
        - NVDV40_SAFETY_UNSPECIFIED
        - NVDV40_SAFETY_NEGLIGIBLE
        - NVDV40_SAFETY_PRESENT
        - NVDV40_SAFETY_NOT_DEFINED
      type: string
    # Presumably the value set for the CVSS v4.0 base impact metrics
    # (VC / VI / VA and SC / SI / SA); inferred from the value names, and
    # which fields reference this schema is not visible here.
    # The default *_UNSPECIFIED is not the same as *_NONE; only *_NONE
    # asserts that there is no impact.
    v1NVDV40Impact:
      default: NVDV40_IMPACT_UNSPECIFIED
      enum:
        - NVDV40_IMPACT_UNSPECIFIED
        - NVDV40_IMPACT_NONE
        - NVDV40_IMPACT_LOW
        - NVDV40_IMPACT_HIGH
      type: string
    # Presumably the CVSS v4.0 base metric User Interaction (UI); inferred
    # from the "V40" prefix and value names, the spec has no description.
    # The default *_UNSPECIFIED is not the same as *_NONE.
    v1NVDV40UserInteraction:
      default: NVDV40_USER_INTERACTION_UNSPECIFIED
      enum:
        - NVDV40_USER_INTERACTION_UNSPECIFIED
        - NVDV40_USER_INTERACTION_NONE
        - NVDV40_USER_INTERACTION_PASSIVE
        - NVDV40_USER_INTERACTION_ACTIVE
      type: string
    # Presumably the CVSS v4.0 supplemental metric Value Density (V); inferred
    # from the "V40" prefix and value names, the spec has no description.
    # *_UNSPECIFIED (the default) and *_NOT_DEFINED are separate members.
    v1NVDV40ValueDensity:
      default: NVDV40_VALUE_DENSITY_UNSPECIFIED
      enum:
        - NVDV40_VALUE_DENSITY_UNSPECIFIED
        - NVDV40_VALUE_DENSITY_DIFFUSE
        - NVDV40_VALUE_DENSITY_CONCENTRATED
        - NVDV40_VALUE_DENSITY_NOT_DEFINED
      type: string
    # Presumably the CVSS v4.0 supplemental metric Vulnerability Response
    # Effort (RE); inferred from the "V40" prefix and value names, the spec
    # has no description.
    # *_UNSPECIFIED (the default) and *_NOT_DEFINED are separate members and
    # neither is the same as *_LOW.
    v1NVDV40VulnerabilityResponseEffort:
      default: NVDV40_VULNERABILITY_RESPONSE_EFFORT_UNSPECIFIED
      enum:
        - NVDV40_VULNERABILITY_RESPONSE_EFFORT_UNSPECIFIED
        - NVDV40_VULNERABILITY_RESPONSE_EFFORT_LOW
        - NVDV40_VULNERABILITY_RESPONSE_EFFORT_MODERATE
        - NVDV40_VULNERABILITY_RESPONSE_EFFORT_HIGH
        - NVDV40_VULNERABILITY_RESPONSE_EFFORT_NOT_DEFINED
      type: string
    # Object holding one string key and one string value; both properties are
    # required.
    # No maxLength, pattern, format or enum is declared on either string, so
    # any limit on their content is not expressed in this schema.
    # NOTE(review): what these pairs configure is not visible here; confirm
    # whether values can carry credentials before logging or echoing them.
    CfgKeyPair:
      properties:
        key:
          type: string
        value:
          type: string
      required:
        - key
        - value
      type: object

````