package google.cloud.websecurityscanner.v1alpha

Get desktop application:
View/edit binary Protocol Buffers messages

Cloud Web Security Scanner Service identifies security vulnerabilities in web applications hosted on Google Cloud Platform. It crawls your application, and attempts to exercise as many user inputs and event handlers as possible.

• rpc CreateScanConfig (CreateScanConfigRequest, ScanConfig)

  web_security_scanner.proto:45

  Creates a new ScanConfig.

  message CreateScanConfigRequest

  web_security_scanner.proto:155

  Request for the `CreateScanConfig` method.

  • string parent = 1

    Required. The parent resource name where the scan is created, which should be a project resource name in the format 'projects/{projectId}'.

  • optional ScanConfig scan_config = 2

    Required. The ScanConfig to be created.

• rpc DeleteScanConfig (DeleteScanConfigRequest, protobuf.Empty)

  web_security_scanner.proto:54

  Deletes an existing ScanConfig and its child resources.

  message DeleteScanConfigRequest

  web_security_scanner.proto:170

  Request for the `DeleteScanConfig` method.

  • string name = 1

    Required. The resource name of the ScanConfig to be deleted. The name follows the format of 'projects/{projectId}/scanConfigs/{scanConfigId}'.

• rpc GetScanConfig (GetScanConfigRequest, ScanConfig)

  web_security_scanner.proto:62

  Gets a ScanConfig.

  message GetScanConfigRequest

  web_security_scanner.proto:182

  Request for the `GetScanConfig` method.

  • string name = 1

    Required. The resource name of the ScanConfig to be returned. The name follows the format of 'projects/{projectId}/scanConfigs/{scanConfigId}'.

• rpc ListScanConfigs (ListScanConfigsRequest, ListScanConfigsResponse)

  web_security_scanner.proto:70

  Lists ScanConfigs under a given project.

  message ListScanConfigsRequest

  web_security_scanner.proto:194

  Request for the `ListScanConfigs` method.

  • string parent = 1

    Required. The parent resource name, which should be a project resource name in the format 'projects/{projectId}'.

  • string page_token = 2

    A token identifying a page of results to be returned. This should be a `next_page_token` value returned from a previous List request. If unspecified, the first page of results is returned.

  • int32 page_size = 3

    The maximum number of ScanConfigs to return, can be limited by server. If not specified or not positive, the implementation will select a reasonable value.

  message ListScanConfigsResponse

  web_security_scanner.proto:229

  Response for the `ListScanConfigs` method.

  • repeated ScanConfig scan_configs = 1

    The list of ScanConfigs returned.

  • string next_page_token = 2

    Token to retrieve the next page of results, or empty if there are no more results in the list.

• rpc UpdateScanConfig (UpdateScanConfigRequest, ScanConfig)

  web_security_scanner.proto:78

  Updates a ScanConfig. This method support partial update of a ScanConfig.

  message UpdateScanConfigRequest

  web_security_scanner.proto:216

  Request for the `UpdateScanConfigRequest` method.

  • optional ScanConfig scan_config = 2

    Required. The ScanConfig to be updated. The name field must be set to identify the resource to be updated. The values of fields not covered by the mask will be ignored.

  • optional protobuf.FieldMask update_mask = 3

    Required. The update mask applies to the resource. For the `FieldMask` definition, see https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#fieldmask

• rpc StartScanRun (StartScanRunRequest, ScanRun)

  web_security_scanner.proto:87

  Start a ScanRun according to the given ScanConfig.

  message StartScanRunRequest

  web_security_scanner.proto:239

  Request for the `StartScanRun` method.

  • string name = 1

    Required. The resource name of the ScanConfig to be used. The name follows the format of 'projects/{projectId}/scanConfigs/{scanConfigId}'.

• rpc GetScanRun (GetScanRunRequest, ScanRun)

  web_security_scanner.proto:96

  Gets a ScanRun.

  message GetScanRunRequest

  web_security_scanner.proto:251

  Request for the `GetScanRun` method.

  • string name = 1

    Required. The resource name of the ScanRun to be returned. The name follows the format of 'projects/{projectId}/scanConfigs/{scanConfigId}/scanRuns/{scanRunId}'.

• rpc ListScanRuns (ListScanRunsRequest, ListScanRunsResponse)

  web_security_scanner.proto:105

  Lists ScanRuns under a given ScanConfig, in descending order of ScanRun stop time.

  message ListScanRunsRequest

  web_security_scanner.proto:264

  Request for the `ListScanRuns` method.

  • string parent = 1

    Required. The parent resource name, which should be a scan resource name in the format 'projects/{projectId}/scanConfigs/{scanConfigId}'.

  • string page_token = 2

    A token identifying a page of results to be returned. This should be a `next_page_token` value returned from a previous List request. If unspecified, the first page of results is returned.

  • int32 page_size = 3

    The maximum number of ScanRuns to return, can be limited by server. If not specified or not positive, the implementation will select a reasonable value.

  message ListScanRunsResponse

  web_security_scanner.proto:286

  Response for the `ListScanRuns` method.

  • repeated ScanRun scan_runs = 1

    The list of ScanRuns returned.

  • string next_page_token = 2

    Token to retrieve the next page of results, or empty if there are no more results in the list.

• rpc StopScanRun (StopScanRunRequest, ScanRun)

  web_security_scanner.proto:113

  Stops a ScanRun. The stopped ScanRun is returned.

  message StopScanRunRequest

  web_security_scanner.proto:296

  Request for the `StopScanRun` method.

  • string name = 1

    Required. The resource name of the ScanRun to be stopped. The name follows the format of 'projects/{projectId}/scanConfigs/{scanConfigId}/scanRuns/{scanRunId}'.

• rpc ListCrawledUrls (ListCrawledUrlsRequest, ListCrawledUrlsResponse)

  web_security_scanner.proto:122

  List CrawledUrls under a given ScanRun.

  message ListCrawledUrlsRequest

  web_security_scanner.proto:309

  Request for the `ListCrawledUrls` method.

  • string parent = 1

    Required. The parent resource name, which should be a scan run resource name in the format 'projects/{projectId}/scanConfigs/{scanConfigId}/scanRuns/{scanRunId}'.

  • string page_token = 2

    A token identifying a page of results to be returned. This should be a `next_page_token` value returned from a previous List request. If unspecified, the first page of results is returned.

  • int32 page_size = 3

    The maximum number of CrawledUrls to return, can be limited by server. If not specified or not positive, the implementation will select a reasonable value.

  message ListCrawledUrlsResponse

  web_security_scanner.proto:332

  Response for the `ListCrawledUrls` method.

  • repeated CrawledUrl crawled_urls = 1

    The list of CrawledUrls returned.

  • string next_page_token = 2

    Token to retrieve the next page of results, or empty if there are no more results in the list.

• rpc GetFinding (GetFindingRequest, Finding)

  web_security_scanner.proto:130

  Gets a Finding.

  message GetFindingRequest

  web_security_scanner.proto:342

  Request for the `GetFinding` method.

  • string name = 1

    Required. The resource name of the Finding to be returned. The name follows the format of 'projects/{projectId}/scanConfigs/{scanConfigId}/scanRuns/{scanRunId}/findings/{findingId}'.

• rpc ListFindings (ListFindingsRequest, ListFindingsResponse)

  web_security_scanner.proto:138

  List Findings under a given ScanRun.

  message ListFindingsRequest

  web_security_scanner.proto:355

  Request for the `ListFindings` method.

  • string parent = 1

    Required. The parent resource name, which should be a scan run resource name in the format 'projects/{projectId}/scanConfigs/{scanConfigId}/scanRuns/{scanRunId}'.

  • string filter = 2

    Required. The filter expression. The expression must be in the format: <field> <operator> <value>. Supported field: 'finding_type'. Supported operator: '='.

  • string page_token = 3

    A token identifying a page of results to be returned. This should be a `next_page_token` value returned from a previous List request. If unspecified, the first page of results is returned.

  • int32 page_size = 4

    The maximum number of Findings to return, can be limited by server. If not specified or not positive, the implementation will select a reasonable value.

  message ListFindingsResponse

  web_security_scanner.proto:384

  Response for the `ListFindings` method.

  • repeated Finding findings = 1

    The list of Findings returned.

  • string next_page_token = 2

    Token to retrieve the next page of results, or empty if there are no more results in the list.

• rpc ListFindingTypeStats (ListFindingTypeStatsRequest, ListFindingTypeStatsResponse)

  web_security_scanner.proto:146

  List all FindingTypeStats under a given ScanRun.

  message ListFindingTypeStatsRequest

  web_security_scanner.proto:394

  Request for the `ListFindingTypeStats` method.

  • string parent = 1

    Required. The parent resource name, which should be a scan run resource name in the format 'projects/{projectId}/scanConfigs/{scanConfigId}/scanRuns/{scanRunId}'.

  message ListFindingTypeStatsResponse

  web_security_scanner.proto:407

  Response for the `ListFindingTypeStats` method.

  • repeated FindingTypeStats finding_type_stats = 1

    The list of FindingTypeStats returned.

A CrawledUrl resource represents a URL that was crawled during a ScanRun. Web Security Scanner Service crawls the web applications, following all links within the scope of sites, to find the URLs to test against.

Used in: ListCrawledUrlsResponse

• string http_method = 1

  Output only. The http method of the request that was used to visit the URL, in uppercase.

• string url = 2

  Output only. The URL that was crawled.

• string body = 3

  Output only. The body of the request that was used to visit the URL.

A Finding resource represents a vulnerability instance identified during a ScanRun.

Used as response type in: WebSecurityScanner.GetFinding

Used as field type in: ListFindingsResponse

• string name = 1

  The resource name of the Finding. The name follows the format of 'projects/{projectId}/scanConfigs/{scanConfigId}/scanruns/{scanRunId}/findings/{findingId}'. The finding IDs are generated by the system.

• Finding.FindingType finding_type = 2

  The type of the Finding.

• string http_method = 3

  The http method of the request that triggered the vulnerability, in uppercase.

• string fuzzed_url = 4

  The URL produced by the server-side fuzzer and used in the request that triggered the vulnerability.

• string body = 5

  The body of the request that triggered the vulnerability.

• string description = 6

  The description of the vulnerability.

• string reproduction_url = 7

  The URL containing human-readable payload that user can leverage to reproduce the vulnerability.

• string frame_url = 8

  If the vulnerability was originated from nested IFrame, the immediate parent IFrame is reported.

• string final_url = 9

  The URL where the browser lands when the vulnerability is detected.

• string tracking_id = 10

  The tracking ID uniquely identifies a vulnerability instance across multiple ScanRuns.

• optional OutdatedLibrary outdated_library = 11

  An addon containing information about outdated libraries.

• optional ViolatingResource violating_resource = 12

  An addon containing detailed information regarding any resource causing the vulnerability such as JavaScript sources, image, audio files, etc.

• optional VulnerableHeaders vulnerable_headers = 15

  An addon containing information about vulnerable or missing HTTP headers.

• optional VulnerableParameters vulnerable_parameters = 13

  An addon containing information about request parameters which were found to be vulnerable.

• optional Xss xss = 14

  An addon containing information reported for an XSS, if any.

Types of Findings.

Used in: Finding, FindingTypeStats

• FINDING_TYPE_UNSPECIFIED = 0

  The invalid finding type.

• MIXED_CONTENT = 1

  A page that was served over HTTPS also resources over HTTP. A man-in-the-middle attacker could tamper with the HTTP resource and gain full access to the website that loads the resource or to monitor the actions taken by the user.

• OUTDATED_LIBRARY = 2

  The version of an included library is known to contain a security issue. The scanner checks the version of library in use against a known list of vulnerable libraries. False positives are possible if the version detection fails or if the library has been manually patched.

• ROSETTA_FLASH = 5

  This type of vulnerability occurs when the value of a request parameter is reflected at the beginning of the response, for example, in requests using JSONP. Under certain circumstances, an attacker may be able to supply an alphanumeric-only Flash file in the vulnerable parameter causing the browser to execute the Flash file as if it originated on the vulnerable server.

• XSS_CALLBACK = 3

  A cross-site scripting (XSS) bug is found via JavaScript callback. For detailed explanations on XSS, see https://www.google.com/about/appsecurity/learning/xss/.

• XSS_ERROR = 4

  A potential cross-site scripting (XSS) bug due to JavaScript breakage. In some circumstances, the application under test might modify the test string before it is parsed by the browser. When the browser attempts to runs this modified test string, it will likely break and throw a JavaScript execution error, thus an injection issue is occurring. However, it may not be exploitable. Manual verification is needed to see if the test string modifications can be evaded and confirm that the issue is in fact an XSS vulnerability. For detailed explanations on XSS, see https://www.google.com/about/appsecurity/learning/xss/.

• CLEAR_TEXT_PASSWORD = 6

  An application appears to be transmitting a password field in clear text. An attacker can eavesdrop network traffic and sniff the password field.

• INVALID_CONTENT_TYPE = 7

  An application returns sensitive content with an invalid content type, or without an 'X-Content-Type-Options: nosniff' header.

• XSS_ANGULAR_CALLBACK = 8

  A cross-site scripting (XSS) vulnerability in AngularJS module that occurs when a user-provided string is interpolated by Angular.

• INVALID_HEADER = 9

  A malformed or invalid valued header.

• MISSPELLED_SECURITY_HEADER_NAME = 10

  Misspelled security header name.

• MISMATCHING_SECURITY_HEADER_VALUES = 11

  Mismatching values in a duplicate security header.

A FindingTypeStats resource represents stats regarding a specific FindingType of Findings under a given ScanRun.

Used in: ListFindingTypeStatsResponse

• Finding.FindingType finding_type = 1

  The finding type associated with the stats.

• int32 finding_count = 2

  The count of findings belonging to this finding type.

Information reported for an outdated library.

Used in: Finding

• string library_name = 1

  The name of the outdated library.

• string version = 2

  The version number.

• repeated string learn_more_urls = 3

  URLs to learn more information about the vulnerabilities in the library.

A ScanConfig resource contains the configurations to launch a scan. next id: 12

Used as response type in: WebSecurityScanner.CreateScanConfig, WebSecurityScanner.GetScanConfig, WebSecurityScanner.UpdateScanConfig

Used as field type in: CreateScanConfigRequest, ListScanConfigsResponse, UpdateScanConfigRequest

• string name = 1

  The resource name of the ScanConfig. The name follows the format of 'projects/{projectId}/scanConfigs/{scanConfigId}'. The ScanConfig IDs are generated by the system.

• string display_name = 2

  Required. The user provided display name of the ScanConfig.

• int32 max_qps = 3

  The maximum QPS during scanning. A valid value ranges from 5 to 20 inclusively. If the field is unspecified or its value is set 0, server will default to 15. Other values outside of [5, 20] range will be rejected with INVALID_ARGUMENT error.

• repeated string starting_urls = 4

  Required. The starting URLs from which the scanner finds site pages.

• optional ScanConfig.Authentication authentication = 5

  The authentication configuration. If specified, service will use the authentication configuration during scanning.

• ScanConfig.UserAgent user_agent = 6

  The user agent used during scanning.

• repeated string blacklist_patterns = 7

  The blacklist URL patterns as described in https://cloud.google.com/security-scanner/docs/excluded-urls

• optional ScanConfig.Schedule schedule = 8

  The schedule of the ScanConfig.

• repeated ScanConfig.TargetPlatform target_platforms = 9

  Set of Cloud Platforms targeted by the scan. If empty, APP_ENGINE will be used as a default.

• optional ScanRun latest_run = 11

  Latest ScanRun if available.

Scan authentication configuration.

Used in: ScanConfig

• oneof authentication

  Required. Authentication configuration

  • Authentication.GoogleAccount google_account = 1

    Authentication using a Google account.

  • Authentication.CustomAccount custom_account = 2

    Authentication using a custom account.

Describes authentication configuration that uses a custom account.

Used in: Authentication

• string username = 1

  Required. The user name of the custom account.

• string password = 2

  Required. Input only. The password of the custom account. The credential is stored encrypted and not returned in any response nor included in audit logs.

• string login_url = 3

  Required. The login form URL of the website.

Describes authentication configuration that uses a Google account.

Used in: Authentication

• string username = 1

  Required. The user name of the Google account.

• string password = 2

  Required. Input only. The password of the Google account. The credential is stored encrypted and not returned in any response nor included in audit logs.

Scan schedule configuration.

Used in: ScanConfig

• optional protobuf.Timestamp schedule_time = 1

  A timestamp indicates when the next run will be scheduled. The value is refreshed by the server after each run. If unspecified, it will default to current server time, which means the scan will be scheduled to start immediately.

• int32 interval_duration_days = 2

  Required. The duration of time between executions in days.

Cloud platforms supported by Cloud Web Security Scanner.

Used in: ScanConfig

• TARGET_PLATFORM_UNSPECIFIED = 0

  The target platform is unknown. Requests with this enum value will be rejected with INVALID_ARGUMENT error.

• APP_ENGINE = 1

  Google App Engine service.

• COMPUTE = 2

  Google Compute Engine service.

Type of user agents used for scanning.

Used in: ScanConfig

• USER_AGENT_UNSPECIFIED = 0

  The user agent is unknown. Service will default to CHROME_LINUX.

• CHROME_LINUX = 1

  Chrome on Linux. This is the service default if unspecified.

• CHROME_ANDROID = 2

  Chrome on Android.

• SAFARI_IPHONE = 3

  Safari on IPhone.

A ScanRun is a output-only resource representing an actual run of the scan.

Used as response type in: WebSecurityScanner.GetScanRun, WebSecurityScanner.StartScanRun, WebSecurityScanner.StopScanRun

Used as field type in: ListScanRunsResponse, ScanConfig

• string name = 1

  The resource name of the ScanRun. The name follows the format of 'projects/{projectId}/scanConfigs/{scanConfigId}/scanRuns/{scanRunId}'. The ScanRun IDs are generated by the system.

• ScanRun.ExecutionState execution_state = 2

  The execution state of the ScanRun.

• ScanRun.ResultState result_state = 3

  The result state of the ScanRun. This field is only available after the execution state reaches "FINISHED".

• optional protobuf.Timestamp start_time = 4

  The time at which the ScanRun started.

• optional protobuf.Timestamp end_time = 5

  The time at which the ScanRun reached termination state - that the ScanRun is either finished or stopped by user.

• int64 urls_crawled_count = 6

  The number of URLs crawled during this ScanRun. If the scan is in progress, the value represents the number of URLs crawled up to now.

• int64 urls_tested_count = 7

  The number of URLs tested during this ScanRun. If the scan is in progress, the value represents the number of URLs tested up to now. The number of URLs tested is usually larger than the number URLS crawled because typically a crawled URL is tested with multiple test payloads.

• bool has_vulnerabilities = 8

  Whether the scan run has found any vulnerabilities.

• int32 progress_percent = 9

  The percentage of total completion ranging from 0 to 100. If the scan is in queue, the value is 0. If the scan is running, the value ranges from 0 to 100. If the scan is finished, the value is 100.

Types of ScanRun execution state.

Used in: ScanRun

• EXECUTION_STATE_UNSPECIFIED = 0

  Represents an invalid state caused by internal server error. This value should never be returned.

• QUEUED = 1

  The scan is waiting in the queue.

• SCANNING = 2

  The scan is in progress.

• FINISHED = 3

  The scan is either finished or stopped by user.

Types of ScanRun result state.

Used in: ScanRun

• RESULT_STATE_UNSPECIFIED = 0

  Default value. This value is returned when the ScanRun is not yet finished.

• SUCCESS = 1

  The scan finished without errors.

• ERROR = 2

  The scan finished with errors.

• KILLED = 3

  The scan was terminated by user.

Information regarding any resource causing the vulnerability such as JavaScript sources, image, audio files, etc.

Used in: Finding

• string content_type = 1

  The MIME type of this resource.

• string resource_url = 2

  URL of this violating resource.

Information about vulnerable or missing HTTP Headers.

Used in: Finding

• repeated VulnerableHeaders.Header headers = 1

  List of vulnerable headers.

• repeated VulnerableHeaders.Header missing_headers = 2

  List of missing headers.

Describes a HTTP Header.

Used in: VulnerableHeaders

• string name = 1

  Header name.

• string value = 2

  Header value.

Information about vulnerable request parameters.

Used in: Finding

• repeated string parameter_names = 1

  The vulnerable parameter names.

Information reported for an XSS.

Used in: Finding

• repeated string stack_traces = 1

  Stack traces leading to the point where the XSS occurred.

• string error_message = 2

  An error message generated by a javascript breakage.