package scalibr

Get desktop application:
View/edit binary Protocol Buffers messages

The additional data found in APK packages.

Used in: Package

string package_name = 1
string origin_name = 2
string os_id = 3
string os_version_id = 4
string maintainer = 5
string architecture = 6
string license = 7

Used in: Finding

optional AdvisoryId id = 1
A unique ID for the finding.
Advisory.TypeEnum type = 2
string title = 3
string description = 4
string recommendation = 5
Remediation instructions, e.g. "update to latest version".
optional Severity sev = 6

Used in: Advisory

UNKNOWN = 0
VULNERABILITY = 1
CIS_FINDING = 2

A unique identifier per advisory.

Used in: Advisory

string publisher = 1
e.g. "CVE".
string reference = 2
e.g. "CVE-2023-1234".

The additional data for packages extracted from CDX files.

Used in: Package

optional Purl purl = 1
repeated string cpes = 2

The additional data found in COS packages.

Used in: Package

string name = 1
string version = 2
string category = 3
string os_version = 4
string os_version_id = 5

Used in: Severity

float base_score = 1
float temporal_score = 2
float environmental_score = 3

The additional data found in Chrome extensions.

Used in: Package

string name = 1
string description = 2
string author_email = 3
repeated string host_permissions = 4
int32 manifest_version = 5
string minimum_chrome_version = 6
repeated string permissions = 7
string update_url = 8

Used in: Package

string namespace_name = 1
string image_name = 2
string image_digest = 3
string runtime = 4
int32 pid = 5
string snapshotter = 6
string snapshot_key = 7
string lower_dir = 8
string upper_dir = 9
string work_dir = 10
string id = 11
string pod_name = 12
string pod_namespace = 13

Used in: Package

string namespace_name = 1
string image_name = 2
string image_digest = 3
string runtime = 4
string id = 5
int32 pid = 6
string rootfs_path = 7

The additional data found in .NET deps json packages.

Used in: Package

string package_name = 1
string package_version = 2
string type = 3

The additional data found in DPKG packages. Next ID: 11

Used in: Package

string package_name = 1
string source_name = 2
string source_version = 3
string package_version = 4
string os_id = 5
string os_version_codename = 6
string os_version_id = 7
string maintainer = 8
string architecture = 9
string status = 10

The additional data found in Docker container.

Used in: Package

string image_name = 1
string image_digest = 2
string id = 3
repeated DockerPort ports = 4

Used in: DockerContainersMetadata

string ip = 1
uint32 private_port = 2
uint32 public_port = 3
string type = 4

A security finding found by a detector. It could describe things like a CVE or a CIS non-compliance.

Used in: Inventory, ScanResult

optional Advisory adv = 1
Info specific to the finding. Should always be the same for the same type of finding.
optional TargetDetails target = 2
Instance-specific info such as location of the vulnerable files.
string extra = 3
Additional free-text info.
repeated string detectors = 4
The name of the Detectors that found this finding. Set by the core library.

The additional data found in Flatpak packages.

Used in: Package

string package_name = 1
string package_id = 2
string package_version = 3
string release_date = 4
string os_name = 5
string os_id = 6
string os_version_id = 7
string os_build_id = 8
string developer = 9

The additional data found in Homebrew packages.

Used in: Package

(message has no fields)

The artifacts (e.g. software inventory, security findings) that a scan found.

Used in: ScanResult

repeated Package packages = 1
repeated Finding findings = 2

The additional data found in Java JAR packages.

Used in: Package

string artifact_id = 2
string group_id = 3
string sha1 = 4

The additional data found in Java lockfiles.

Used in: Package

string artifact_id = 1
string group_id = 2
repeated string dep_group_vals = 3
bool is_transitive = 4

The additional data found in npm packages.

Used in: Package

string author = 1
repeated string maintainers = 2
repeated string contributors = 3

The additional data found in MODULE packages.

Used in: Package

string package_name = 1
string package_version = 2
string package_vermagic = 3
string package_source_version_identifier = 4
string os_id = 5
string os_version_codename = 6
string os_version_id = 7
string package_author = 8

Details about the layer a package was found in.

Used in: Package

int32 index = 1
The index of the layer in the container image.
string diff_id = 2
The diff ID (typically a sha256 hash) of the layer in the container image.
string chain_id = 5
The layer chain ID (sha256 hash) of the layer in the container image. https://github.com/opencontainers/image-spec/blob/main/config.md#layer-chainid
string command = 3
The layer build command that was used to build the layer. This may not be found in all layers depending on how the container image is built.
bool in_base_image = 4
Denotes whether the layer is in the base image.

The additional data found in Mac Applications.

Used in: Package

string bundle_display_name = 1
string bundle_identifier = 2
string bundle_short_version_string = 3
string bundle_executable = 4
string bundle_name = 5
string bundle_package_type = 6
string bundle_signature = 7
string bundle_version = 8
string product_id = 9
string update_url = 10

The additional data found in Nix packages.

Used in: Package

string package_name = 1
string package_version = 2
string package_hash = 3
string package_output = 4
string os_id = 5
string os_version_codename = 6
string os_version_id = 7

The additional data for packages extracted by an OSV extractor wrapper.

Used in: Package

string purl_type = 1
string commit = 2
string ecosystem = 3
string compare_as = 4

The additional data found in PACMAN packages.

Used in: Package

string package_name = 1
string package_version = 2
string os_id = 3
string os_version_id = 4
string package_description = 5
string package_dependencies = 6

A software package or library found by an extractor. PURL or CPE needs to be set, maybe both.

Used in: Inventory, ScanResult, TargetDetails

string name = 11
Human-readable name of the software, to be used for things like logging. For vuln matching, use the name from metadata.
string version = 12
Version of the package.
optional SourceCodeIdentifier source_code = 26
Source code level package identifiers.
optional Purl purl = 1
Package URL of the software.
string ecosystem = 27
Ecosystem - For software packages this corresponds to an OSV ecosystem value, e.g. PyPI.
repeated string locations = 2
Paths or source of files related to the package.
string extractor = 10
The name of the Extractor that found this software. Set by the core library.
oneof metadata
The additional data found in the package.
- PythonPackageMetadata python_metadata = 5
- JavascriptPackageJSONMetadata javascript_metadata = 6
- APKPackageMetadata apk_metadata = 7
- DPKGPackageMetadata dpkg_metadata = 8
- RPMPackageMetadata rpm_metadata = 9
- COSPackageMetadata cos_metadata = 13
- DEPSJSONMetadata depsjson_metadata = 40
- SPDXPackageMetadata spdx_metadata = 14
- JavaArchiveMetadata java_archive_metadata = 15
- JavaLockfileMetadata java_lockfile_metadata = 31
- PACMANPackageMetadata pacman_metadata = 36
- NixPackageMetadata nix_metadata = 37
- KernelModuleMetadata kernel_module_metadata = 38
- VmlinuzMetadata vmlinuz_metadata = 39
- PortagePackageMetadata portage_metadata = 41
- OSVPackageMetadata osv_metadata = 16
- PythonRequirementsMetadata python_requirements_metadata = 21
- PythonSetupMetadata python_setup_metadata = 44
- ContainerdContainerMetadata containerd_container_metadata = 22
- SNAPPackageMetadata snap_metadata = 23
- FlatpakPackageMetadata flatpak_metadata = 24
- MacAppsMetadata mac_apps_metadata = 34
- ContainerdRuntimeContainerMetadata containerd_runtime_container_metadata = 25
- CDXPackageMetadata cdx_metadata = 30
- WindowsOSVersion windows_os_version_metadata = 33
- HomebrewPackageMetadata homebrew_metadata = 42
- ChromeExtensionsMetadata chrome_extensions_metadata = 47
- VSCodeExtensionsMetadata vscode_extensions_metadata = 46
- DockerContainersMetadata docker_containers_metadata = 48
repeated Package.AnnotationEnum annotations = 28
optional LayerDetails layer_details = 35
Details about the layer a package was found in. This should be set only for container image scanning.

Used in: Package

UNSPECIFIED = 0
TRANSITIONAL = 1
INSIDE_OS_PACKAGE = 2
INSIDE_CACHE_DIR = 3

Used in: ScanResult

string name = 1
int32 version = 2
optional ScanStatus status = 3

The additional data found in portage packages.

Used in: Package

string package_name = 1
string package_version = 2
string os_id = 3
string os_version_id = 4

Package URL, see https://github.com/package-url/purl-spec

Used in: CDXPackageMetadata, Package, SPDXPackageMetadata

string purl = 1
String representation.
string type = 2
Package type, e.g. "maven, npm, pypi".
string name = 3
Package name.
string version = 4
Package version.
string namespace = 5
Name prefix such as a Maven groupid, or Docker image owner.
repeated Qualifier qualifiers = 6
Extra qualifying data for a package such as an OS, architecture, etc.
string subpath = 7
Extra subpath within a package, relative to the package root.

The additional data found in python packages.

Used in: Package

string author = 1
string author_email = 2

Used in: Package

repeated string hash_checking_mode_values = 1
string version_comparator = 2
string requirement = 3

Used in: Package

string version_comparator = 2

Used in: Purl

string key = 1
string value = 2

The additional data found in RPM packages.

Used in: Package

string package_name = 1
string source_rpm = 2
int32 epoch = 3
string os_id = 4
string os_version_id = 5
string os_build_id = 6
string os_name = 7
string vendor = 8
string architecture = 9
string license = 10

The additional data found in SNAP packages.

Used in: Package

string name = 1
string version = 2
string grade = 3
string type = 4
repeated string architectures = 5
string os_id = 6
string os_version_codename = 7
string os_version_id = 8

The additional data for packages extracted from SPDX files.

Used in: Package

optional Purl purl = 1
repeated string cpes = 2

The results of a scan incl. scan status and artifacts found.

string version = 1
optional google.protobuf.Timestamp start_time = 2
optional google.protobuf.Timestamp end_time = 3
optional ScanStatus status = 4
Status of the overall scan.
repeated PluginStatus plugin_status = 5
Status and versions of the plugins that ran.
repeated Package inventories_deprecated = 6
TODO(b/400910349): Remove once integrators stop using these fields.
repeated Finding findings_deprecated = 7
optional Inventory inventory = 8

Used in: PluginStatus, ScanResult

ScanStatus.ScanStatusEnum status = 1
string failure_reason = 2

Used in: ScanStatus

UNSPECIFIED = 0
SUCCEEDED = 1
PARTIALLY_SUCCEEDED = 2
FAILED = 3

Used in: Advisory

Severity.SeverityEnum severity = 1
Required severity enum. Can be used for e.g. prioritizing filed bugs.
optional CVSS cvss_v2 = 2
Optional CVSS scores, only set for vulns with CVEs.
optional CVSS cvss_v3 = 3

Used in: Severity

UNSPECIFIED = 0
MINIMAL = 1
LOW = 2
MEDIUM = 3
HIGH = 4
CRITICAL = 5

Additional identifiers for source code software packages (e.g. NPM).

Used in: Package

string repo = 1
string commit = 2

Used in: Finding

optional Package package = 1
The software affected by the finding.
repeated string location = 3
Location of vulnerable files not related to the package, e.g. config files with misconfigurations.

The additional data found in VSCode extensions.

Used in: Package

string id = 1
string publisher_id = 2
string publisher_display_name = 3
string target_platform = 4
bool updated = 5
bool is_pre_release_version = 6
int64 installed_timestamp = 7

The additional data found in Vmlinuz packages.

Used in: Package

string name = 1
string version = 2
string architecture = 3
string extended_version = 4
string format = 5
int32 swap_device = 6
int32 root_device = 7
string video_mode = 8
string os_id = 9
string os_version_codename = 10
string os_version_id = 11
bool rw_root_fs = 12

Used in: Package

string product = 1
string full_version = 2

package scalibr

message APKPackageMetadata

string package_name = 1

string origin_name = 2

string os_id = 3

string os_version_id = 4

string maintainer = 5

string architecture = 6

string license = 7

message Advisory

optional AdvisoryId id = 1

Advisory.TypeEnum type = 2

string title = 3

string description = 4

string recommendation = 5

optional Severity sev = 6

enum Advisory.TypeEnum

UNKNOWN = 0

VULNERABILITY = 1

CIS_FINDING = 2

message AdvisoryId

string publisher = 1

string reference = 2

message CDXPackageMetadata

optional Purl purl = 1

repeated string cpes = 2

message COSPackageMetadata

string name = 1

string version = 2

string category = 3

string os_version = 4

string os_version_id = 5

message CVSS

float base_score = 1

float temporal_score = 2

float environmental_score = 3

message ChromeExtensionsMetadata

string name = 1

string description = 2

string author_email = 3

repeated string host_permissions = 4

int32 manifest_version = 5

string minimum_chrome_version = 6

repeated string permissions = 7

string update_url = 8

message ContainerdContainerMetadata

string namespace_name = 1

string image_name = 2

string image_digest = 3

string runtime = 4

int32 pid = 5

string snapshotter = 6

string snapshot_key = 7

string lower_dir = 8

string upper_dir = 9

string work_dir = 10

string id = 11

string pod_name = 12

string pod_namespace = 13

message ContainerdRuntimeContainerMetadata

string namespace_name = 1

string image_name = 2

string image_digest = 3

string runtime = 4

string id = 5

int32 pid = 6

string rootfs_path = 7

message DEPSJSONMetadata

string package_name = 1

string package_version = 2

string type = 3

message DPKGPackageMetadata

string package_name = 1

string source_name = 2

string source_version = 3

string package_version = 4

string os_id = 5

string os_version_codename = 6

string os_version_id = 7

string maintainer = 8