feat(websecurityscanner): add finding types; add vulnerable headers; …

…update docstrings (via synth) (#9380)
googleapis · Oct 1, 2019 · 34f192e · 34f192e
1 parent 948bd7c
commit 34f192e
Show file tree

Hide file tree

Showing 17 changed files with 756 additions and 373 deletions.
diff --git a/google/cloud/websecurityscanner_v1alpha/gapic/enums.py b/google/cloud/websecurityscanner_v1alpha/gapic/enums.py
@@ -54,6 +54,13 @@ class FindingType(enum.IntEnum):
           https://www.google.com/about/appsecurity/learning/xss/.
           CLEAR_TEXT_PASSWORD (int): An application appears to be transmitting a password field in clear text.
           An attacker can eavesdrop network traffic and sniff the password field.
+          INVALID_CONTENT_TYPE (int): An application returns sensitive content with an invalid content type,
+          or without an 'X-Content-Type-Options: nosniff' header.
+          XSS_ANGULAR_CALLBACK (int): A cross-site scripting (XSS) vulnerability in AngularJS module that
+          occurs when a user-provided string is interpolated by Angular.
+          INVALID_HEADER (int): A malformed or invalid valued header.
+          MISSPELLED_SECURITY_HEADER_NAME (int): Misspelled security header name.
+          MISMATCHING_SECURITY_HEADER_VALUES (int): Mismatching values in a duplicate security header.
         """
 
         FINDING_TYPE_UNSPECIFIED = 0
@@ -63,6 +70,11 @@ class FindingType(enum.IntEnum):
         XSS_CALLBACK = 3
         XSS_ERROR = 4
         CLEAR_TEXT_PASSWORD = 6
+        INVALID_CONTENT_TYPE = 7
+        XSS_ANGULAR_CALLBACK = 8
+        INVALID_HEADER = 9
+        MISSPELLED_SECURITY_HEADER_NAME = 10
+        MISMATCHING_SECURITY_HEADER_VALUES = 11
 
 
 class ScanConfig(object):

diff --git a/google/cloud/websecurityscanner_v1alpha/gapic/web_security_scanner_client.py b/google/cloud/websecurityscanner_v1alpha/gapic/web_security_scanner_client.py
@@ -260,11 +260,9 @@ def create_scan_config(
             >>> response = client.create_scan_config(parent, scan_config)
 
         Args:
-            parent (str): Required.
-                The parent resource name where the scan is created, which should be a
+            parent (str): Required. The parent resource name where the scan is created, which should be a
                 project resource name in the format 'projects/{projectId}'.
-            scan_config (Union[dict, ~google.cloud.websecurityscanner_v1alpha.types.ScanConfig]): Required.
-                The ScanConfig to be created.
+            scan_config (Union[dict, ~google.cloud.websecurityscanner_v1alpha.types.ScanConfig]): Required. The ScanConfig to be created.
 
                 If a dict is provided, it must be of the same form as the protobuf
                 message :class:`~google.cloud.websecurityscanner_v1alpha.types.ScanConfig`
@@ -338,8 +336,7 @@ def delete_scan_config(
             >>> client.delete_scan_config(name)
 
         Args:
-            name (str): Required.
-                The resource name of the ScanConfig to be deleted. The name follows the
+            name (str): Required. The resource name of the ScanConfig to be deleted. The name follows the
                 format of 'projects/{projectId}/scanConfigs/{scanConfigId}'.
             retry (Optional[google.api_core.retry.Retry]):  A retry object used
                 to retry requests. If ``None`` is specified, requests will
@@ -406,8 +403,7 @@ def get_scan_config(
             >>> response = client.get_scan_config(name)
 
         Args:
-            name (str): Required.
-                The resource name of the ScanConfig to be returned. The name follows the
+            name (str): Required. The resource name of the ScanConfig to be returned. The name follows the
                 format of 'projects/{projectId}/scanConfigs/{scanConfigId}'.
             retry (Optional[google.api_core.retry.Retry]):  A retry object used
                 to retry requests. If ``None`` is specified, requests will
@@ -490,8 +486,7 @@ def list_scan_configs(
             ...         pass
 
         Args:
-            parent (str): Required.
-                The parent resource name, which should be a project resource name in the
+            parent (str): Required. The parent resource name, which should be a project resource name in the
                 format 'projects/{projectId}'.
             page_size (int): The maximum number of resources contained in the
                 underlying API response. If page streaming is performed per-
@@ -587,8 +582,7 @@ def update_scan_config(
             >>> response = client.update_scan_config(scan_config, update_mask)
 
         Args:
-            scan_config (Union[dict, ~google.cloud.websecurityscanner_v1alpha.types.ScanConfig]): Required.
-                The ScanConfig to be updated. The name field must be set to identify the
+            scan_config (Union[dict, ~google.cloud.websecurityscanner_v1alpha.types.ScanConfig]): Required. The ScanConfig to be updated. The name field must be set to identify the
                 resource to be updated. The values of fields not covered by the mask
                 will be ignored.
 
@@ -670,8 +664,7 @@ def start_scan_run(
             >>> response = client.start_scan_run(name)
 
         Args:
-            name (str): Required.
-                The resource name of the ScanConfig to be used. The name follows the
+            name (str): Required. The resource name of the ScanConfig to be used. The name follows the
                 format of 'projects/{projectId}/scanConfigs/{scanConfigId}'.
             retry (Optional[google.api_core.retry.Retry]):  A retry object used
                 to retry requests. If ``None`` is specified, requests will
@@ -741,8 +734,7 @@ def get_scan_run(
             >>> response = client.get_scan_run(name)
 
         Args:
-            name (str): Required.
-                The resource name of the ScanRun to be returned. The name follows the
+            name (str): Required. The resource name of the ScanRun to be returned. The name follows the
                 format of
                 'projects/{projectId}/scanConfigs/{scanConfigId}/scanRuns/{scanRunId}'.
             retry (Optional[google.api_core.retry.Retry]):  A retry object used
@@ -827,8 +819,7 @@ def list_scan_runs(
             ...         pass
 
         Args:
-            parent (str): Required.
-                The parent resource name, which should be a scan resource name in the
+            parent (str): Required. The parent resource name, which should be a scan resource name in the
                 format 'projects/{projectId}/scanConfigs/{scanConfigId}'.
             page_size (int): The maximum number of resources contained in the
                 underlying API response. If page streaming is performed per-
@@ -919,8 +910,7 @@ def stop_scan_run(
             >>> response = client.stop_scan_run(name)
 
         Args:
-            name (str): Required.
-                The resource name of the ScanRun to be stopped. The name follows the
+            name (str): Required. The resource name of the ScanRun to be stopped. The name follows the
                 format of
                 'projects/{projectId}/scanConfigs/{scanConfigId}/scanRuns/{scanRunId}'.
             retry (Optional[google.api_core.retry.Retry]):  A retry object used
@@ -1004,8 +994,7 @@ def list_crawled_urls(
             ...         pass
 
         Args:
-            parent (str): Required.
-                The parent resource name, which should be a scan run resource name in the
+            parent (str): Required. The parent resource name, which should be a scan run resource name in the
                 format
                 'projects/{projectId}/scanConfigs/{scanConfigId}/scanRuns/{scanRunId}'.
             page_size (int): The maximum number of resources contained in the
@@ -1097,8 +1086,7 @@ def get_finding(
             >>> response = client.get_finding(name)
 
         Args:
-            name (str): Required.
-                The resource name of the Finding to be returned. The name follows the
+            name (str): Required. The resource name of the Finding to be returned. The name follows the
                 format of
                 'projects/{projectId}/scanConfigs/{scanConfigId}/scanRuns/{scanRunId}/findings/{findingId}'.
             retry (Optional[google.api_core.retry.Retry]):  A retry object used
@@ -1186,12 +1174,11 @@ def list_findings(
             ...         pass
 
         Args:
-            parent (str): Required.
-                The parent resource name, which should be a scan run resource name in the
+            parent (str): Required. The parent resource name, which should be a scan run resource name in the
                 format
                 'projects/{projectId}/scanConfigs/{scanConfigId}/scanRuns/{scanRunId}'.
-            filter_ (str): The filter expression. The expression must be in the format: . Supported
-                field: 'finding\_type'. Supported operator: '='.
+            filter_ (str): Required. The filter expression. The expression must be in the format: .
+                Supported field: 'finding\_type'. Supported operator: '='.
             page_size (int): The maximum number of resources contained in the
                 underlying API response. If page streaming is performed per-
                 resource, this parameter does not affect the return value. If page
@@ -1281,8 +1268,7 @@ def list_finding_type_stats(
             >>> response = client.list_finding_type_stats(parent)
 
         Args:
-            parent (str): Required.
-                The parent resource name, which should be a scan run resource name in the
+            parent (str): Required. The parent resource name, which should be a scan run resource name in the
                 format
                 'projects/{projectId}/scanConfigs/{scanConfigId}/scanRuns/{scanRunId}'.
             retry (Optional[google.api_core.retry.Retry]):  A retry object used

diff --git a/google/cloud/websecurityscanner_v1alpha/proto/crawled_url.proto b/google/cloud/websecurityscanner_v1alpha/proto/crawled_url.proto
@@ -1,4 +1,4 @@
-// Copyright 2018 Google Inc.
+// Copyright 2019 Google LLC.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -11,13 +11,12 @@
 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 // See the License for the specific language governing permissions and
 // limitations under the License.
+//
 
 syntax = "proto3";
 
 package google.cloud.websecurityscanner.v1alpha;
 
-import "google/api/annotations.proto";
-
 option go_package = "google.golang.org/genproto/googleapis/cloud/websecurityscanner/v1alpha;websecurityscanner";
 option java_multiple_files = true;
 option java_outer_classname = "CrawledUrlProto";
@@ -27,16 +26,13 @@ option java_package = "com.google.cloud.websecurityscanner.v1alpha";
 // Security Scanner Service crawls the web applications, following all links
 // within the scope of sites, to find the URLs to test against.
 message CrawledUrl {
-  // Output only.
-  // The http method of the request that was used to visit the URL, in
+  // Output only. The http method of the request that was used to visit the URL, in
   // uppercase.
   string http_method = 1;
 
-  // Output only.
-  // The URL that was crawled.
+  // Output only. The URL that was crawled.
   string url = 2;
 
-  // Output only.
-  // The body of the request that was used to visit the URL.
+  // Output only. The body of the request that was used to visit the URL.
   string body = 3;
 }
diff --git a/google/cloud/websecurityscanner_v1alpha/proto/crawled_url_pb2.py b/google/cloud/websecurityscanner_v1alpha/proto/crawled_url_pb2.py
diff --git a/google/cloud/websecurityscanner_v1alpha/proto/finding.proto b/google/cloud/websecurityscanner_v1alpha/proto/finding.proto
@@ -1,4 +1,4 @@
-// Copyright 2018 Google Inc.
+// Copyright 2019 Google LLC.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -11,12 +11,13 @@
 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 // See the License for the specific language governing permissions and
 // limitations under the License.
+//
 
 syntax = "proto3";
 
 package google.cloud.websecurityscanner.v1alpha;
 
-import "google/api/annotations.proto";
+import "google/api/resource.proto";
 import "google/cloud/websecurityscanner/v1alpha/finding_addon.proto";
 
 option go_package = "google.golang.org/genproto/googleapis/cloud/websecurityscanner/v1alpha;websecurityscanner";
@@ -27,6 +28,11 @@ option java_package = "com.google.cloud.websecurityscanner.v1alpha";
 // A Finding resource represents a vulnerability instance identified during a
 // ScanRun.
 message Finding {
+  option (google.api.resource) = {
+    type: "websecurityscanner.googleapis.com/Finding"
+    pattern: "projects/{project}/scanConfigs/{scan_config}/scanRuns/{scan_run}/findings/{finding}"
+  };
+
   // Types of Findings.
   enum FindingType {
     // The invalid finding type.
@@ -71,70 +77,76 @@ message Finding {
     // An application appears to be transmitting a password field in clear text.
     // An attacker can eavesdrop network traffic and sniff the password field.
     CLEAR_TEXT_PASSWORD = 6;
+
+    // An application returns sensitive content with an invalid content type,
+    // or without an 'X-Content-Type-Options: nosniff' header.
+    INVALID_CONTENT_TYPE = 7;
+
+    // A cross-site scripting (XSS) vulnerability in AngularJS module that
+    // occurs when a user-provided string is interpolated by Angular.
+    XSS_ANGULAR_CALLBACK = 8;
+
+    // A malformed or invalid valued header.
+    INVALID_HEADER = 9;
+
+    // Misspelled security header name.
+    MISSPELLED_SECURITY_HEADER_NAME = 10;
+
+    // Mismatching values in a duplicate security header.
+    MISMATCHING_SECURITY_HEADER_VALUES = 11;
   }
 
-  // Output only.
   // The resource name of the Finding. The name follows the format of
   // 'projects/{projectId}/scanConfigs/{scanConfigId}/scanruns/{scanRunId}/findings/{findingId}'.
   // The finding IDs are generated by the system.
   string name = 1;
 
-  // Output only.
   // The type of the Finding.
   FindingType finding_type = 2;
 
-  // Output only.
   // The http method of the request that triggered the vulnerability, in
   // uppercase.
   string http_method = 3;
 
-  // Output only.
   // The URL produced by the server-side fuzzer and used in the request that
   // triggered the vulnerability.
   string fuzzed_url = 4;
 
-  // Output only.
   // The body of the request that triggered the vulnerability.
   string body = 5;
 
-  // Output only.
   // The description of the vulnerability.
   string description = 6;
 
-  // Output only.
   // The URL containing human-readable payload that user can leverage to
   // reproduce the vulnerability.
   string reproduction_url = 7;
 
-  // Output only.
   // If the vulnerability was originated from nested IFrame, the immediate
   // parent IFrame is reported.
   string frame_url = 8;
 
-  // Output only.
   // The URL where the browser lands when the vulnerability is detected.
   string final_url = 9;
 
-  // Output only.
   // The tracking ID uniquely identifies a vulnerability instance across
   // multiple ScanRuns.
   string tracking_id = 10;
 
-  // Output only.
   // An addon containing information about outdated libraries.
   OutdatedLibrary outdated_library = 11;
 
-  // Output only.
   // An addon containing detailed information regarding any resource causing the
   // vulnerability such as JavaScript sources, image, audio files, etc.
   ViolatingResource violating_resource = 12;
 
-  // Output only.
+  // An addon containing information about vulnerable or missing HTTP headers.
+  VulnerableHeaders vulnerable_headers = 15;
+
   // An addon containing information about request parameters which were found
   // to be vulnerable.
   VulnerableParameters vulnerable_parameters = 13;
 
-  // Output only.
   // An addon containing information reported for an XSS, if any.
   Xss xss = 14;
 }