package mql.fex.v1

Get desktop application:
View/edit binary Protocol Buffers messages

Affects is used to identify the affected components.

Used in: FindingExchange, VulnerabilityExchange

• optional Component component = 1

  Required. Root component that is affected

• repeated Component sub_components = 2

  Optional. List of sub-components that are affected

AttackTactic is used to identify the tactic used in an attack. Typically this refers to identifier on the MITRE ATT&CK framework.

Used in: Evidence

• string id = 1

  Unique identifier for the tactic

• string name = 2

  Name of the tactic

• string description = 3

  Description of the tactic

AttackTechnique is used to identify the technique used in an attack. Typically this refers to identifier on the MITRE ATT&CK framework.

Used in: Evidence

• string id = 1

  Unique identifier for the technique

• string name = 2

  Name of the technique

• string description = 3

  Description of the technique

Component is used to identify the affected component.

Used in: Affects

• string id = 1

  Required. Name of the component

• map<string, string> identifiers = 2

  Required. Version of the component

• map<string, string> properties = 3

  Additional properties

• oneof details

  Experimental. Component details based on type

  • FileComponent file = 21

Confidence levels in finding

Used in: Evidence, FindingDetail

• CONFIDENCE_UNSPECIFIED = 0

• CONFIDENCE_LOW = 1

• CONFIDENCE_MEDIUM = 2

• CONFIDENCE_HIGH = 3

Network Connection information

Used in: Evidence

• string destination_address = 1

  Destination address, either hostname or ip.

• int32 destination_port = 2

  Destination port

• string source_address = 3

  Optional: Source address, either hostname or ip.

• int32 source_port = 4

  Optional: Source port

• Connection.ConnectionProtocol protocol = 5

  Protocol used in the connection

Protocol defines the protocol used in the connection. Decimals are equivalent to the protocol numbers assigned by IANA. See https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml

Used in: Connection

• UNSPECIFIED = 0

  Unspecified protocol, does not correspond to any real protocol.

• ICMP = 1

  Internet Control Message Protocol.

• TCP = 6

  Transmission Control Protocol.

• UDP = 17

  User Datagram Protocol.

Experimental. Details about the container that lead to the finding. Only used for containerized environments.

Used in: Evidence, Kubernetes.Pod

• string name = 1

  Container name

• string image_uri = 2

  Container image URI (e.g. marketplace.gcr.io/google/ubuntu1804:latest)

• string digest = 3

  Container image digest

Experimental. Evidence shares details about the facts that lead to the finding

Used in: FindingExchange, VulnerabilityExchange

• optional AttackTactic tactic = 1

  Attack tactic used

• optional AttackTechnique technique = 2

  Attack technique used

• Confidence confidence = 3

  Confidence in the threat

• oneof details

  Details about the resource that lead to the finding

  • User user = 20

  • File file = 21

  • Process process = 22

  • Container container = 23

  • Kubernetes kubernetes = 24

  • RegistryKey registry_key = 25

  • Connection connection = 26

• map<string, string> properties = 4

  Additional properties specific to this evidence

Experimental. File information

Used in: Evidence, Process

• string path = 1

  Absolute path to the file

• int64 size = 2

  File size in bytes

• string md5 = 3

  MD5 hash of the file

• string sha256 = 4

  SHA256 hash of file

• string contents = 20

  Optional. File content.

Experimental. File-specific component details

Used in: Component

• string path = 1

  Path to the file

• string hash = 2

  File hash for version tracking

• string format = 3

  File format or type

• int64 size = 4

  File size in bytes

Core information about the finding

Used in: FindingExchange

• FindingDetail.Category category = 1

  Category of the finding

• optional Severity severity = 2

  Severity of the finding

• Confidence confidence = 3

  How confident the source is in this finding

• string description = 4

  Detailed description of the finding

• repeated Reference references = 5

  External references (e.g., CVE, CWE, OWASP)

• map<string, string> properties = 6

  Additional properties specific to this finding type

Used in: FindingDetail

• CATEGORY_UNSPECIFIED = 0

• CATEGORY_SECURITY = 1

• CATEGORY_VULNERABILITY = 2

• CATEGORY_ADVISORY = 3

• CATEGORY_THREAT = 4

• CATEGORY_MALWARE = 5

• CATEGORY_INFORMATIONAL = 6

FindingDocument is a wrapper message that can hold either a VulnerabilityExchange or a FindingExchange document.

Used in: FindingsUploadRequest

• oneof finding

  • VulnerabilityExchange vex = 1

  • FindingExchange fex = 2

FindingExchange are used for sharing information about findings across systems. Mondoo uses this format as a main mean to store detected finding information.

Used in: FindingDocument

• string id = 1

  Required. Unique identifier for this finding.

• string ref = 2

  Optional. External reference identifier from the original data source. We expect this to be a unique identifier in the original data source.

• string mrn = 3

  Mondoo Resource Name (MRN). This is read-only and is assigned by Mondoo.

• string group_id = 4

  Optional. Result group identifier. Used to group related findings.

• string summary = 5

  Required. Brief summary of the finding (e.g. "SQL Injection in endpoint")

• optional FindingDetail details = 6

  Optional. Detailed information about the finding

• optional google.protobuf.Timestamp first_seen_at = 7

  Required. Timestamp when the finding was first detected

• optional google.protobuf.Timestamp last_seen_at = 8

  Optional. Timestamp when the finding was last seen

• optional google.protobuf.Timestamp remediated_at = 9

  Optional. Timestamp when the finding was remediated

• Status status = 10

  Required. Current status of the finding

• optional Source source = 11

  Required. Information about the source that produced this finding

• repeated Affects affects = 12

  Required. List of affected components

• repeated Evidence evidences = 20

  Optional. Technical evidence

• repeated Remediation remediations = 21

  Optional. Available remediation options

FindingsUploadRequest is the file format uploaded to the ingest bucket for findings uploads. It contains all findings along with metadata needed by the processor.

• repeated FindingDocument findings = 1

• string source = 2

• bool mondoo_enrichment = 3

• string space_mrn = 4

• bool create_assets = 5

• optional google.protobuf.Timestamp import_started_at = 6

Experimental. Details about Kubernetes resource. Only used for Kubernetes environments.

Used in: Evidence

• repeated Kubernetes.Pod pods = 1

  Affected pods

• repeated Kubernetes.Node nodes = 2

  Affected nodes

Kubernetes node information

Used in: Kubernetes

• string name = 1

  Node name

• string id = 2

  Unique identifier for the node eg. EC2 instance ID

Kubernetes pod information

Used in: Kubernetes

• string name = 1

  Pod name

• string namespace = 2

  Pod namespace

• repeated Container containers = 3

  Container information

Experimental. Details about the process that lead to the finding

Used in: Evidence

• string cmdline = 1

  Process name or command line as displayed in the process list

• optional File binary = 2

  Process file information, eg. python binary

• optional File script = 3

  For scripts, the script file information

• int64 pid = 5

  The process ID.

• optional User user = 6

  User

• optional Process parent = 8

  The parent process.

Rating is used to provide a score for the vulnerability. Deprecated: use Severity instead

Used in: VulnerabilityExchange

• optional Source source = 1

  Required. Source of the rating

• float score = 2

  Optional. Score of the rating Note: To not get precision errors we need float

• string severity = 3

  Optional. Severity of the rating, e.g. "high", "medium", "low"

• string vector = 4

  Optional. Vector of the rating

• ScoringMethod method = 5

  Optional. Scoring method of the rating

Reference is used to provide additional information about the vulnerability.

Used in: FindingDetail, VulnerabilityExchange

• string id = 1

  Optional. ID of the reference

• string name = 2

  Required. Name of the reference

• string url = 3

  Required. URL of the reference

• string type = 4

  Type of reference (e.g., "CVE", "CWE")

• map<string, string> metadata = 5

  Additional reference metadata

Windows Registry Key information

Used in: Evidence

• string path = 1

  Path to the registry key (e.g., "HKLM\\SOFTWARE\\Microsoft\\Windows")

• string name = 2

  Name of the value (empty string for default value)

• string data = 3

  The actual data

Remediation is used to provide a fix for the vulnerability.

Used in: FindingExchange, VulnerabilityExchange

• Remediation.Category category = 1

  The category of the remediation

• string summary = 2

  Required. Summary of the remediation

• string details = 3

  Optional. Instruction details of the remediation

• string fix_type = 4

  Fix type like 'terraform', 'ansible', 'package'

• string fix_id = 5

  Optional. ID of the fix

• string url = 6

  Optional. URL to the fix

The category type of the remediation

Used in: Remediation

• Unspecified = 0

• NoFixPlanned = 1

• NoneAvailable = 2

• Fix = 3

• Workaround = 4

ScoringMethod is used to identify the scoring method of the rating.

Used in: Rating, Severity

• SCOREMETHOD_UNSPECIFIED = 0

• SCOREMETHOD_CVSSv2 = 1

• SCOREMETHOD_CVSSv3 = 2

• SCOREMETHOD_CVSSv4 = 3

• SCOREMETHOD_EPSS = 4

• SCOREMETHOD_SSVC = 5

• SCOREMETHOD_UBUNTU = 6

  This is the equivalent of the Ubuntu scoring method from OSV: https://ossf.github.io/osv-schema/#severity-field

Severity is used to provide a score for the vulnerability. This message is backwards compatible with the Rating message.

Used in: FindingDetail

• optional Source source = 1

  Required. Source of the rating

• float score = 2

  Optional. Score of the rating Note: To not get precision errors we need float

• string severity = 3

  Optional. Severity of the rating, e.g. "high", "medium", "low" Deprecated: Use rating instead

• string vector = 4

  Optional. Vector of the rating

• ScoringMethod method = 5

  Optional. Scoring method of the rating

• SeverityRating rating = 6

  Required. Severity rating of the rating

SeverityRating is used to identify the severity of a finding.

Used in: Severity

• SEVERITY_RATING_UNSPECIFIED = 0

• SEVERITY_RATING_CRITICAL = 1

  Critical risk severity

• SEVERITY_RATING_HIGH = 2

  High risk severity

• SEVERITY_RATING_MEDIUM = 3

  Medium risk severity

• SEVERITY_RATING_LOW = 4

  Low risk severity

• SEVERITY_RATING_NONE = 5

  No risk severity

Source is used to identify the source of the vulnerability.

Used in: FindingExchange, Rating, Severity, VulnerabilityExchange

• string name = 1

  Required. Name of the source

• string url = 2

  Optional. URL of the source

Status is used to identify the status of the vulnerability.

Used in: FindingExchange, VulnerabilityExchange

• STATUS_UNSPECIFIED = 0

  Unspecified status

• STATUS_NOT_AFFECTED = 1

  Vulnerability is not affected

• STATUS_AFFECTED = 2

  Vulnerability is affected

• STATUS_FIXED = 3

  Vulnerability is fixed

• STATUS_UNDER_INVESTIGATION = 4

  Vulnerability is under investigation

• STATUS_FALSE_POSITIVE = 5

  Not a real issue

• STATUS_WONT_FIX = 6

  Accepted risk

Experimental. User information

Used in: Evidence, Process

• string id = 1

  User ID

• string name = 2

  User name

• map<string, string> properties = 3

  Additional properties

VulnerabilityDetails are used to provide detailed information about the vulnerability.

Used in: VulnerabilityExchange

• string details = 1

  Optional. Description of the vulnerability

• string recommendation = 2

  Optional. Recommendation for the vulnerability

• string workaround = 3

  Optional. Workaround for the vulnerability

• optional google.protobuf.Timestamp created = 9

  Time the vulnerability was created

• optional google.protobuf.Timestamp published = 10

  Time the vulnerability was published

• optional google.protobuf.Timestamp updated = 11

  Time the vulnerability was last updated

VulnerabilityExchange are used for sharing information about vulnerabilities across systems. Mondoo uses this format as a main mean to store detected vulnerability information. The same document is generated independently from the source.

Used in: FindingDocument

• string ref = 1

  Optional. Externally provided ID from the original data source

• string id = 2

  Required. CVE or Advisory ID

• string mrn = 3

  Optional. Mondoo Resource Name (MRN)

• string summary = 4

  Required. Summary of the vulnerability

• repeated string aliases = 5

  Optional. List of aliases for the vulnerability

• repeated string related = 16

  Optional. related vulnerabilities, e.g. CVE-2024-123456

• repeated string upstream = 18

  Optional. upstream vulnerabilities, e.g. CVE-2024-123456

• optional VulnerabilityDetails details = 6

  Optional. Detailed information about the vulnerability

• optional Source source = 7

  Required. Source of the vulnerability

• repeated Rating ratings = 8

  Optional. List of severities for the vulnerability In OSV, this is called a Severity TODO: switch to new Severity message

• optional google.protobuf.Timestamp first_seen = 9

  Optional. Time the vulnerability was first seen

• optional google.protobuf.Timestamp remediated = 10

  Optional. Time the vulnerability was remediated

• repeated Affects affects = 11

  Required. List of affected components

• Status status = 12

  Required. Status of the vulnerability

• repeated Reference references = 13

  Optional. List of references for the vulnerability

• repeated Remediation remediations = 15

  Optional. List of available remediation

• optional google.protobuf.Struct database_specific = 17

  Optional. Database specific information DatabaseSpecific holds additional information about the vulnerability as defined by the database from which the record was obtained. See https://ossf.github.io/osv-schema/#database_specific-field.

• repeated Evidence evidences = 20

  Optional. Technical evidence