Default package

Get desktop application:
View/edit binary Protocol Buffers messages

Used in: Filter, Violation

• CheckTypeUnknown = 0

• CheckTypeVulnerability = 1

• CheckTypeMalware = 2

• CheckTypePopularity = 3

• CheckTypeMaintenance = 4

• CheckTypeSecurityScorecard = 5

• CheckTypeLicense = 6

• CheckTypeOther = 100

Used in: Package, PackageManifest, PackageManifestReport

• UNKNOWN_ECOSYSTEM = 0

• Maven = 1

• RubyGems = 2

• Go = 3

• Npm = 4

• PyPI = 5

• Cargo = 6

• NuGet = 7

• Packagist = 8

• Hex = 9

• Pub = 10

• CycloneDxSBOM = 11

• SpdxSBOM = 12

Used in: ExceptionSuite

• string id = 1

• string ecosystem = 2

• string name = 3

• string version = 4

• string expires = 5

• string pattern = 6

  To be used for special cases

• string name = 1

• string description = 2

• repeated Exception exceptions = 3

Used in: FilterSuite, Violation

• string name = 1

• string value = 2

• CheckType check_type = 3

• string summary = 4

• string description = 5

• repeated string references = 6

• repeated string tags = 7

• optional FilterInputPackageVersion pkg = 1

• optional FilterInputVulnerabilities vulns = 2

• optional InsightScorecard scorecard = 3

• repeated InsightProjectInfo projects = 4

• repeated string licenses = 5

Used in: FilterInput

• string ecosystem = 1

• string name = 2

• string version = 3

Only hold vulnerability IDs

Used in: FilterInput

• repeated InsightVulnerability all = 1

• repeated InsightVulnerability critical = 2

• repeated InsightVulnerability high = 3

• repeated InsightVulnerability medium = 4

• repeated InsightVulnerability low = 5

• string name = 1

• string description = 2

• repeated Filter filters = 3

• repeated string tags = 4

Used in: PackageReport

• string id = 1

  SPDX license ID

Used in: FilterInput, PackageReport

• string name = 1

• InsightProjectInfo.Type type = 2

• int32 stars = 3

• int32 forks = 4

• int32 issues = 5

• string url = 6

Used in: InsightProjectInfo

• UNKNOWN = 0

• GITHUB = 1

Used in: FilterInput

• map<string, float> scores = 1

• float score = 2

Used in: FilterInputVulnerabilities, PackageReport

• string id = 1

  OSV ID

• string cve = 2

  CVE ID. DO NOT USE THIS outside vet. Its used for internal legacy reason

• string title = 3

• repeated string aliases = 4

  Other IDs for same vuln in different databases

• repeated InsightVulnerabilitySeverity severities = 5

Used in: InsightVulnerability

• InsightVulnerabilitySeverity.Type type = 1

• string score = 2

  Score based on type (usually the CVSS metric)

• InsightVulnerabilitySeverity.Risk risk = 3

Used in: InsightVulnerabilitySeverity

• UNKNOWN_RISK = 0

• LOW = 1

• MEDIUM = 2

• HIGH = 3

• CRITICAL = 4

Used in: InsightVulnerabilitySeverity

• UNKNOWN_TYPE = 0

• CVSSV2 = 1

• CVSSV3 = 2

Used in: PackageManifest, PackageReport, RemediationAdvice, Violation

• Ecosystem ecosystem = 1

• string name = 2

• string version = 3

• Ecosystem ecosystem = 1

• string path = 2

• repeated Package packages = 3

Used in: Report

• string id = 1

• Ecosystem ecosystem = 2

• string path = 3

• repeated ReportThreat threats = 4

• string display_path = 5

• string source_type = 6

• string namespace = 7

PackageReport represents the first class entity for which we have different type of reporting information

Used in: Report

• optional Package package = 1

• repeated string manifests = 2

  The manifests identified by IDs where this package belongs to

• repeated Violation violations = 3

• repeated RemediationAdvice advices = 4

• repeated InsightVulnerability vulnerabilities = 5

  Insights data

• repeated InsightLicenseInfo licenses = 6

• repeated InsightProjectInfo projects = 8

• repeated ReportThreat threats = 7

  Threats

Used in: PackageReport

• RemediationAdviceType type = 1

• optional Package package = 2

• string target_package_name = 3

• string target_package_version = 4

• string target_alternate_package_name = 5

• string target_alternate_package_version = 6

Used in: RemediationAdvice

• UnknownAdviceType = 0

• UpgradePackage = 1

• AlternatePopularPackage = 2

• AlternateSecurePackage = 3

• optional ReportMeta meta = 1

• repeated PackageManifestReport manifests = 2

• repeated PackageReport packages = 3

Used in: Report

• string tool_name = 1

• string tool_version = 2

• string created_at = 3

We are introducing the concept of Threat as a reporting entity so that we can report threats like lockfile poisoning using a standard schema. But why do we need threats? Why not just use vet's paradigm of policy over enriched packages? The reason is, there are threats that are applicable in an environment, against a manifest or other entities or even group of entities. Hence it is required to introduce a threat as a reporting entity so that external tools can consume vet's reports and take actions based on the threats.

Used in: PackageManifestReport, PackageReport

• ReportThreat.ReportThreatId id = 1

• string instanceId = 2

  Unique threat instance ID per (ID, SubjectType, Subject) tuple

• string message = 3

• ReportThreat.SubjectType subject_type = 4

• string subject = 5

• ReportThreat.Confidence confidence = 6

• ReportThreat.Source source = 7

• string source_id = 8

Used in: ReportThreat

• UnknownConfidence = 0

• High = 1

• Medium = 2

• Low = 3

Used in: ReportThreat

• UnknownReportThreatId = 0

• LockfilePoisoning = 1

Used in: ReportThreat

• UnknownSource = 0

• CWE = 1

Used in: ReportThreat

• UnknownSubject = 0

• Package = 1

• Manifest = 2

Used in: PackageReport

• CheckType check_type = 1

• optional Package package = 2

• optional Filter filter = 3

• map<string, string> extra = 4