Get desktop application:
View/edit binary Protocol Buffers messages
The additional data found in APK packages.
Used in:
A unique identifier per advisory.
Used in:
e.g. "CVE".
e.g. "CVE-2023-1234".
Used in:
Used in:
List of potential base images (repositories that have a matching ChainID).
Chain ID of the last layer in the image.
Used in:
Name of the image. (e.g. `debian`, `circleci/node`)
Name of the registry. (e.g. `docker.io`, `ghcr.io`)
Name of the plugin used to extract the base image.
The additional data for packages extracted from CDX files.
Used in:
The additional data found in COS packages.
Used in:
The additional data found in Chrome extensions.
Used in:
Used in:
Used in:
Layers are ordered from the earliest to the latest.
The base images that make up the chain. The first base image is always empty, acting as a placeholder for the scanned image itself. If the scanned image is a base image, there will be no layers pointing to the first base image. The base images are ordered from the biggest base image containing all base images to the smallest. e.g. [empty, postgresql, alpine]
Key value map of OS info from /etc/os-release.
Used in:
Used in:
The additional data found in .NET deps json packages.
Used in:
The additional data found in DPKG packages. Next ID: 11
Used in:
Used in:
Used in:
Used in:
Used in:
Used in:
Used in:
FindingExploitabilitySignal is used to indicate that a finding is not exploitable.
Used in:
The name of the plugin (e.g. Annotator) that added this signal.
Reason for exclusion.
The additional data found in Flatpak packages.
Used in:
Describes generic security findings not associated with any specific package, e.g. weak credentials.
Used in: ,
Info specific to the finding. Should always be the same for the same type of finding.
Instance-specific info such as location of the vulnerable files.
The plugins (e.g. Detectors, Enrichers) that found this vuln.
Signals that indicate this finding is not exploitable.
Describes a security finding and how to remediate it. It should not contain any information specific to the target (e.g. which files were found vulnerable).
Used in:
A unique ID for the finding.
Remediation instructions, e.g. "update to latest version".
Instance-specific details about the generic security finding.
Used in:
Free-text info.
The additional data found in Homebrew packages.
Used in:
(message has no fields)
The artifacts (e.g. software inventory, security findings) that a scan found.
Used in:
The additional data found in Java JAR packages.
Used in:
The additional data found in Java lockfiles.
Used in:
The additional data found in npm packages.
Used in:
The additional data found in MODULE packages.
Used in:
Details about the layer a package was found in.
Used in:
The index of the layer in the container image.
The diff ID (typically a sha256 hash) of the layer in the container image.
The layer chain ID (sha256 hash) of the layer in the container image. https://github.com/opencontainers/image-spec/blob/main/config.md#layer-chainid
The layer build command that was used to build the layer. This may not be found in all layers depending on how the container image is built.
Denotes whether the layer is in the base image.
Used in:
The index of the layer within the ContainerImageMetadata.layer_metadata field.
The command that was used to build the layer.
Whether the layer is empty (currently always false).
The index of the base image match within the ContainerImageMetadata.base_image_chains field.
Used in:
The additional data found in Mac Applications.
Used in:
The additional data found in Macports packages.
Used in:
Used to report open ports on a system.
Used in:
The additional data found in Nix packages.
Used in:
Used in:
Used in:
The additional data for packages extracted by an OSV extractor wrapper.
Used in:
The additional data found in PACMAN packages.
Used in:
A software package or library found by an extractor. PURL or CPE needs to be set, maybe both.
Used in: ,
Human-readable name of the software, to be used for things like logging. For vuln matching, use the name from metadata.
Version of the package.
Source code level package identifiers.
Package URL of the software.
Ecosystem - For software packages this corresponds to an OSV ecosystem value, e.g. PyPI.
Paths or source of files related to the package.
TODO(b/400910349): Remove once integrators stop using these fields.
The names of the plugins that found this software. Set by the core library.
The additional data found in the package. LINT.IfChange
Deprecated - use exploitability_signals instead TODO(b/400910349): Remove once integrators stop using this.
Signals to indicate that specific vulnerabilities are not applicable to this package.
Software licenses information
Used in:
Used in:
The index of ContainerImageMetadata in Inventory.ContainerImageMetadata list.
The index of LayerMetadata in ContainerImageMetadata.LayerMetadata list.
PackageExploitabilitySignal is used to indicate that specific vulnerabilities are not applicable to a given package.
Used in:
The name of the plugin (e.g. Annotator) that added this signal.
Reason for exclusion.
Advisory Identifier (CVE, GHSA, ...) and aliases of the vulns that are not applicable to this package.
Indicates that all vulnerabilities associated with the package are irrelevant.
The source of the package.
Used in:
PUBLIC_REGISTRY is the public NPM registry.
OTHER is any other remote or private source (e.g. Github). This is used for packages that are not found in the public NPM registry.
LOCAL is the local filesystem that stores the package versions. This is used for when the package is locally-developed or -installed.
Used in:
The additional data found in Podman containers.
Used in:
The additional data found in portage packages.
Used in:
Used in:
Package URL, see https://github.com/package-url/purl-spec
Used in: , ,
String representation.
Package type, e.g. "maven, npm, pypi".
Package name.
Package version.
Name prefix such as a Maven groupid, or Docker image owner.
Extra qualifying data for a package such as an OS, architecture, etc.
Extra subpath within a package, relative to the package root.
The additional data found in python packages.
Used in:
Used in:
Used in:
Used in:
The additional data found in RPM packages.
Used in:
The additional data found in SNAP packages.
Used in:
The additional data for packages extracted from SPDX files.
Used in:
The results of a scan incl. scan status and artifacts found.
Status of the overall scan.
Status and versions of the plugins that ran.
TODO(b/400910349): Remove once integrators stop using these fields.
Used in: ,
Used in:
A secret (i.e. credential) found by Veles secret scanning.
Used in:
Used in:
Used in:
The Anthropic Model API key (regular API key for model access).
Used in:
The Anthropic Workspace API key (contains "admin01").
Used in:
Used in:
Used in:
Used in:
Used in:
Used in:
Used in:
Used in:
GCP OAuth2 access token, typically in format: "ya29.[alphanumeric_string]"
Used in:
GCP OAuth2 client ID in format: `12345678901-abcdefghijklmnopqrstuvwxyz.apps.googleusercontent.com`
GCP OAuth2 client secret, typically 24+ character alphanumeric string prefixed with `GOCSPX-`
Used in:
Always filled.
derived from the private_key for validation
Filled only when explicitly requested.
Should not be filled out unless very explicitly requested accepting the risk that this might accidentally leak the key.
Used in:
Used in:
Used in:
Used in:
Used in:
Used in:
Used in:
Used in:
Used in:
Used in:
Used in:
Optional identity enrichment fields populated when available
Used in:
General ID field for uncertain UUID types when context is unclear
Used in:
Used in:
Used in:
Used in:
Device UUID from the token JSON.
Version field from the token JSON.
Encrypted payload data (from encCredentials.data).
Key ID used to encrypt the credentials (encCredentials.kid).
Initialization vector (encCredentials.iv).
Unique key kid (uniqueKey.kid).
Verifier salt (verifier.salt).
Verifier local hash (verifier.localHash).
Used in:
Used in:
Used in:
Used in:
Used in:
Used in:
Used in:
Used in:
Used in:
PEM/OpenSSH private key block
DER-encoded key material
Used in:
Used in:
Used in:
Used in:
Used in:
Used in:
Used in:
Used in:
JSON encoded Tink keyset
Used in:
Used in:
The default value for SecretStatusEnum. Set when no validation was attempted.
Deprecated. Use UNSPECIFIED instead.
The secret is confirmed to be invalid.
The secret is confirmed to be valid.
Validating the secret is not supported by the scanner.
Validation is supported but the validation failed.
Used in:
Additional identifiers for source code software packages (e.g. NPM).
Used in:
The additional data found in VSCode extensions.
Used in:
Vuln exclusion reasons - Mirrors the format from the official VEX documentation (https://www.cisa.gov/sites/default/files/publications/VEX_Status_Justification_Jun22.pdf)
Used in: ,
The vulnerable component is not used in the affected artifact.
The component is used but vulnerable code was removed or not included.
Vulnerable code is included but is not executed.
Vulnerable code is executed but can't be exploited due to program logic.
Code can be executed but additional mitigations prevent exploitation.
The additional data found in Vmlinuz packages.
Used in:
Used in:
Used in:
The additional data found in Windows Package Manager (Winget) packages.
Used in: