build: Modify the bazel.BUILD file by hand to include the compliance …

…protos which are not autogenerated (#315)

PiperOrigin-RevId: 420306668
Source-Link: googleapis/googleapis@9a8910e
Source-Link: googleapis/googleapis-gen@24c9bfc
Copy-Tag: eyJwIjoiLmdpdGh1Yi8uT3dsQm90LnlhbWwiLCJoIjoiMjRjOWJmYzRkNTlmNTBhNDllMjJhNjA3MGQxYzIyOWY1MjNkZWZkYyJ9
Co-authored-by: Owl Bot <gcf-owl-bot[bot]@users.noreply.github.com>
Co-authored-by: Ace Nassri <anassri@google.com>
Co-authored-by: Benjamin E. Coe <bencoe@google.com>
Co-authored-by: Patti Shin <pattishin@users.noreply.github.com>
Co-authored-by: Anthonios Partheniou <partheniou@google.com>

packages/grafeas/.jsdoc.js

@@ -1,4 +1,4 @@
-// Copyright 2021 Google LLC
+// Copyright 2022 Google LLC
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -40,7 +40,7 @@ module.exports = {
     includePattern: '\\.js$'
   },
   templates: {
-    copyright: 'Copyright 2021 Google LLC',
+    copyright: 'Copyright 2022 Google LLC',
     includeDate: false,
     sourceFiles: false,
     systemName: '@google-cloud/grafeas',

packages/grafeas/protos/grafeas/v1/compliance.proto

@@ -16,7 +16,7 @@ syntax = "proto3";
 
 package grafeas.v1;
 
-import "grafeas/v1/vulnerability.proto";
+import "grafeas/v1/severity.proto";
 
 option go_package = "google.golang.org/genproto/googleapis/grafeas/v1;grafeas";
 option java_multiple_files = true;

packages/grafeas/protos/grafeas/v1/cvss.proto

@@ -83,3 +83,78 @@ message CVSSv3 {
     IMPACT_NONE = 3;
   }
 }
+
+// Common Vulnerability Scoring System.
+// For details, see https://www.first.org/cvss/specification-document
+// This is a message we will try to use for storing multiple versions of
+// CVSS. The intention is that as new versions of CVSS scores get added, we
+// will be able to modify this message rather than adding new protos for each
+// new version of the score.
+message CVSS {
+  // The base score is a function of the base metric scores.
+  float base_score = 1;
+
+  float exploitability_score = 2;
+
+  float impact_score = 3;
+
+  // Base Metrics
+  // Represents the intrinsic characteristics of a vulnerability that are
+  // constant over time and across user environments.
+  AttackVector attack_vector = 4;
+  AttackComplexity attack_complexity = 5;
+  Authentication authentication = 6;
+  PrivilegesRequired privileges_required = 7;
+  UserInteraction user_interaction = 8;
+  Scope scope = 9;
+  Impact confidentiality_impact = 10;
+  Impact integrity_impact = 11;
+  Impact availability_impact = 12;
+
+  enum AttackVector {
+    ATTACK_VECTOR_UNSPECIFIED = 0;
+    ATTACK_VECTOR_NETWORK = 1;
+    ATTACK_VECTOR_ADJACENT = 2;
+    ATTACK_VECTOR_LOCAL = 3;
+    ATTACK_VECTOR_PHYSICAL = 4;
+  }
+
+  enum AttackComplexity {
+    ATTACK_COMPLEXITY_UNSPECIFIED = 0;
+    ATTACK_COMPLEXITY_LOW = 1;
+    ATTACK_COMPLEXITY_HIGH = 2;
+  }
+
+  enum Authentication {
+    AUTHENTICATION_UNSPECIFIED = 0;
+    AUTHENTICATION_MULTIPLE = 1;
+    AUTHENTICATION_SINGLE = 2;
+    AUTHENTICATION_NONE = 3;
+  }
+
+  enum PrivilegesRequired {
+    PRIVILEGES_REQUIRED_UNSPECIFIED = 0;
+    PRIVILEGES_REQUIRED_NONE = 1;
+    PRIVILEGES_REQUIRED_LOW = 2;
+    PRIVILEGES_REQUIRED_HIGH = 3;
+  }
+
+  enum UserInteraction {
+    USER_INTERACTION_UNSPECIFIED = 0;
+    USER_INTERACTION_NONE = 1;
+    USER_INTERACTION_REQUIRED = 2;
+  }
+
+  enum Scope {
+    SCOPE_UNSPECIFIED = 0;
+    SCOPE_UNCHANGED = 1;
+    SCOPE_CHANGED = 2;
+  }
+
+  enum Impact {
+    IMPACT_UNSPECIFIED = 0;
+    IMPACT_HIGH = 1;
+    IMPACT_LOW = 2;
+    IMPACT_NONE = 3;
+  }
+}

packages/grafeas/protos/grafeas/v1/discovery.proto

@@ -16,6 +16,7 @@ syntax = "proto3";
 
 package grafeas.v1;
 
+import "google/api/field_behavior.proto";
 import "google/protobuf/timestamp.proto";
 import "google/rpc/status.proto";
 import "grafeas/v1/common.proto";
@@ -80,4 +81,8 @@ message DiscoveryOccurrence {
 
   // The last time this resource was scanned.
   google.protobuf.Timestamp last_scan_time = 5;
+
+  // The time occurrences related to this discovery occurrence were archived.
+  google.protobuf.Timestamp archive_time = 6
+      [(google.api.field_behavior) = OUTPUT_ONLY];
 }

packages/grafeas/protos/grafeas/v1/severity.proto

@@ -0,0 +1,38 @@
+// Copyright 2021 The Grafeas Authors. All rights reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//    http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package grafeas.v1;
+
+option go_package = "google.golang.org/genproto/googleapis/grafeas/v1;grafeas";
+option java_multiple_files = true;
+option java_package = "io.grafeas.v1";
+option objc_class_prefix = "GRA";
+
+// Note provider assigned severity/impact ranking.
+enum Severity {
+  // Unknown.
+  SEVERITY_UNSPECIFIED = 0;
+  // Minimal severity.
+  MINIMAL = 1;
+  // Low severity.
+  LOW = 2;
+  // Medium severity.
+  MEDIUM = 3;
+  // High severity.
+  HIGH = 4;
+  // Critical severity.
+  CRITICAL = 5;
+}

packages/grafeas/protos/grafeas/v1/vulnerability.proto

@@ -21,36 +21,21 @@ import "google/protobuf/timestamp.proto";
 import "grafeas/v1/common.proto";
 import "grafeas/v1/cvss.proto";
 import "grafeas/v1/package.proto";
+import "grafeas/v1/severity.proto";
 
 option go_package = "google.golang.org/genproto/googleapis/grafeas/v1;grafeas";
 option java_multiple_files = true;
 option java_package = "io.grafeas.v1";
 option objc_class_prefix = "GRA";
 
-// Note provider assigned severity/impact ranking.
-enum Severity {
-  // Unknown.
-  SEVERITY_UNSPECIFIED = 0;
-  // Minimal severity.
-  MINIMAL = 1;
-  // Low severity.
-  LOW = 2;
-  // Medium severity.
-  MEDIUM = 3;
-  // High severity.
-  HIGH = 4;
-  // Critical severity.
-  CRITICAL = 5;
-}
-
 // A security vulnerability that can be found in resources.
 message VulnerabilityNote {
   // The CVSS score of this vulnerability. CVSS score is on a scale of 0 - 10
   // where 0 indicates low severity and 10 indicates high severity.
   float cvss_score = 1;
 
   // The note provider assigned severity of this vulnerability.
-  Severity severity = 2;
+  grafeas.v1.Severity severity = 2;
 
   // Details of all known distros and packages affected by this vulnerability.
   repeated Detail details = 3;
@@ -172,24 +157,15 @@ message VulnerabilityOccurrence {
   string type = 1;
 
   // Output only. The note provider assigned severity of this vulnerability.
-  Severity severity = 2;
+  grafeas.v1.Severity severity = 2;
 
   // Output only. The CVSS score of this vulnerability. CVSS score is on a
   // scale of 0 - 10 where 0 indicates low severity and 10 indicates high
   // severity.
   float cvss_score = 3;
 
-  // The CVSS v3 score for this vulnerability.
-  message CVSSV3 {
-    // The base score for for this vulnerability according to cvss v3.
-    float base_score = 1;
-    // The severity rating assigned to this vulnerability by vulnerability
-    // provider.
-    Severity severity = 2;
-  }
-
   // The cvss v3 score for the vulnerability.
-  CVSSV3 cvssv3 = 10;
+  CVSS cvssv3 = 10;
 
   // Required. The set of affected locations and their fixes (if available)
   // within the associated resource.
@@ -231,7 +207,8 @@ message VulnerabilityOccurrence {
     // The distro or language system assigned severity for this vulnerability
     // when that is available and note provider assigned severity when it is not
     // available.
-    Severity effective_severity = 9 [(google.api.field_behavior) = OUTPUT_ONLY];
+    grafeas.v1.Severity effective_severity = 9
+        [(google.api.field_behavior) = OUTPUT_ONLY];
   }
 
   // Output only. A one sentence description of this vulnerability.
@@ -253,7 +230,7 @@ message VulnerabilityOccurrence {
   // PackageIssue level. In the case where multiple PackageIssues have differing
   // effective severities, this field should be the highest severity for any of
   // the PackageIssues.
-  Severity effective_severity = 8;
+  grafeas.v1.Severity effective_severity = 8;
 
   // Output only. Whether at least one of the affected packages has a fix
   // available.