feat: added field severity to findings (#317)

Clients will now see a new field, severity, on findings. They will also be able to filter and group by severity on ListFinding and GroupFinding API calls.

PiperOrigin-RevId: 326514554

Source-Author: Google APIs <noreply@google.com>
Source-Date: Thu Aug 13 13:43:22 2020 -0700
Source-Repo: googleapis/googleapis
Source-Sha: 5ad09e867a8f1faa19fbd674e51fa9c3f5fe2770
Source-Link: googleapis/googleapis@5ad09e8

Author: yoshi-automation

packages/google-cloud-securitycenter/protos/google/cloud/securitycenter/v1p1beta1/finding.proto

@@ -55,6 +55,24 @@ message Finding {
     INACTIVE = 2;
   }
 
+  // The severity of the finding.
+  enum Severity {
+    // No severity specified. The default value.
+    SEVERITY_UNSPECIFIED = 0;
+
+    // Critical severity.
+    CRITICAL = 1;
+
+    // High severity.
+    HIGH = 2;
+
+    // Medium severity.
+    MEDIUM = 3;
+
+    // Low severity.
+    LOW = 4;
+  }
+
   // The relative resource name of this finding. See:
   // https://cloud.google.com/apis/design/resource_names#relative_resource_name
   // Example:
@@ -107,4 +125,7 @@ message Finding {
 
   // The time at which the finding was created in Security Command Center.
   google.protobuf.Timestamp create_time = 10;
+
+  // The severity of the finding.
+  Severity severity = 13;
 }

packages/google-cloud-securitycenter/protos/google/cloud/securitycenter/v1p1beta1/securitycenter_service.proto

@@ -17,7 +17,6 @@ syntax = "proto3";
 package google.cloud.securitycenter.v1p1beta1;
 
 import public "google/cloud/securitycenter/v1p1beta1/run_asset_discovery_response.proto";
-
 import "google/api/annotations.proto";
 import "google/api/client.proto";
 import "google/api/field_behavior.proto";
@@ -47,8 +46,7 @@ option ruby_package = "Google::Cloud::SecurityCenter::V1p1beta1";
 // V1p1Beta1 APIs for Security Center service.
 service SecurityCenter {
   option (google.api.default_host) = "securitycenter.googleapis.com";
-  option (google.api.oauth_scopes) =
-      "https://www.googleapis.com/auth/cloud-platform";
+  option (google.api.oauth_scopes) = "https://www.googleapis.com/auth/cloud-platform";
 
   // Creates a source.
   rpc CreateSource(CreateSourceRequest) returns (Source) {
@@ -59,7 +57,6 @@ service SecurityCenter {
     option (google.api.method_signature) = "parent,source";
   }
 
-  //
   // Creates a finding. The corresponding source must exist for finding
   // creation to succeed.
   rpc CreateFinding(CreateFindingRequest) returns (Finding) {
@@ -72,29 +69,25 @@ service SecurityCenter {
   }
 
   // Creates a notification config.
-  rpc CreateNotificationConfig(CreateNotificationConfigRequest)
-      returns (NotificationConfig) {
+  rpc CreateNotificationConfig(CreateNotificationConfigRequest) returns (NotificationConfig) {
     option (google.api.http) = {
       post: "/v1p1beta1/{parent=organizations/*}/notificationConfigs"
       body: "notification_config"
     };
-    option (google.api.method_signature) =
-        "parent,config_id,notification_config";
+    option (google.api.method_signature) = "parent,config_id,notification_config";
     option (google.api.method_signature) = "parent,notification_config";
   }
 
   // Deletes a notification config.
-  rpc DeleteNotificationConfig(DeleteNotificationConfigRequest)
-      returns (google.protobuf.Empty) {
+  rpc DeleteNotificationConfig(DeleteNotificationConfigRequest) returns (google.protobuf.Empty) {
     option (google.api.http) = {
       delete: "/v1p1beta1/{name=organizations/*/notificationConfigs/*}"
     };
     option (google.api.method_signature) = "name";
   }
 
   // Gets the access control policy on the specified Source.
-  rpc GetIamPolicy(google.iam.v1.GetIamPolicyRequest)
-      returns (google.iam.v1.Policy) {
+  rpc GetIamPolicy(google.iam.v1.GetIamPolicyRequest) returns (google.iam.v1.Policy) {
     option (google.api.http) = {
       post: "/v1p1beta1/{resource=organizations/*/sources/*}:getIamPolicy"
       body: "*"
@@ -103,17 +96,15 @@ service SecurityCenter {
   }
 
   // Gets a notification config.
-  rpc GetNotificationConfig(GetNotificationConfigRequest)
-      returns (NotificationConfig) {
+  rpc GetNotificationConfig(GetNotificationConfigRequest) returns (NotificationConfig) {
     option (google.api.http) = {
       get: "/v1p1beta1/{name=organizations/*/notificationConfigs/*}"
     };
     option (google.api.method_signature) = "name";
   }
 
   // Gets the settings for an organization.
-  rpc GetOrganizationSettings(GetOrganizationSettingsRequest)
-      returns (OrganizationSettings) {
+  rpc GetOrganizationSettings(GetOrganizationSettingsRequest) returns (OrganizationSettings) {
     option (google.api.http) = {
       get: "/v1p1beta1/{name=organizations/*/organizationSettings}"
     };
@@ -170,8 +161,7 @@ service SecurityCenter {
   }
 
   // Lists notification configs.
-  rpc ListNotificationConfigs(ListNotificationConfigsRequest)
-      returns (ListNotificationConfigsResponse) {
+  rpc ListNotificationConfigs(ListNotificationConfigsRequest) returns (ListNotificationConfigsResponse) {
     option (google.api.http) = {
       get: "/v1p1beta1/{parent=organizations/*}/notificationConfigs"
     };
@@ -192,8 +182,7 @@ service SecurityCenter {
   // This API can only be called with limited frequency for an organization. If
   // it is called too frequently the caller will receive a TOO_MANY_REQUESTS
   // error.
-  rpc RunAssetDiscovery(RunAssetDiscoveryRequest)
-      returns (google.longrunning.Operation) {
+  rpc RunAssetDiscovery(RunAssetDiscoveryRequest) returns (google.longrunning.Operation) {
     option (google.api.http) = {
       post: "/v1p1beta1/{parent=organizations/*}/assets:runDiscovery"
       body: "*"
@@ -205,7 +194,6 @@ service SecurityCenter {
     };
   }
 
-  //
   // Updates the state of a finding.
   rpc SetFindingState(SetFindingStateRequest) returns (Finding) {
     option (google.api.http) = {
@@ -216,8 +204,7 @@ service SecurityCenter {
   }
 
   // Sets the access control policy on the specified Source.
-  rpc SetIamPolicy(google.iam.v1.SetIamPolicyRequest)
-      returns (google.iam.v1.Policy) {
+  rpc SetIamPolicy(google.iam.v1.SetIamPolicyRequest) returns (google.iam.v1.Policy) {
     option (google.api.http) = {
       post: "/v1p1beta1/{resource=organizations/*/sources/*}:setIamPolicy"
       body: "*"
@@ -226,8 +213,7 @@ service SecurityCenter {
   }
 
   // Returns the permissions that a caller has on the specified source.
-  rpc TestIamPermissions(google.iam.v1.TestIamPermissionsRequest)
-      returns (google.iam.v1.TestIamPermissionsResponse) {
+  rpc TestIamPermissions(google.iam.v1.TestIamPermissionsRequest) returns (google.iam.v1.TestIamPermissionsResponse) {
     option (google.api.http) = {
       post: "/v1p1beta1/{resource=organizations/*/sources/*}:testIamPermissions"
       body: "*"
@@ -248,8 +234,7 @@ service SecurityCenter {
 
   // Updates a notification config. The following update
   // fields are allowed: description, pubsub_topic, streaming_config.filter
-  rpc UpdateNotificationConfig(UpdateNotificationConfigRequest)
-      returns (NotificationConfig) {
+  rpc UpdateNotificationConfig(UpdateNotificationConfigRequest) returns (NotificationConfig) {
     option (google.api.http) = {
       patch: "/v1p1beta1/{notification_config.name=organizations/*/notificationConfigs/*}"
       body: "notification_config"
@@ -259,8 +244,7 @@ service SecurityCenter {
   }
 
   // Updates an organization's settings.
-  rpc UpdateOrganizationSettings(UpdateOrganizationSettingsRequest)
-      returns (OrganizationSettings) {
+  rpc UpdateOrganizationSettings(UpdateOrganizationSettingsRequest) returns (OrganizationSettings) {
     option (google.api.http) = {
       patch: "/v1p1beta1/{organization_settings.name=organizations/*/organizationSettings}"
       body: "organization_settings"
@@ -305,19 +289,17 @@ message CreateFindingRequest {
   ];
 
   // Required. Unique identifier provided by the client within the parent scope.
-  // It must be alphanumeric and less than or equal to 32 characters and
-  // greater than 0 characters in length.
   string finding_id = 2 [(google.api.field_behavior) = REQUIRED];
 
-  // Required. The Finding being created. The name and security_marks will be
-  // ignored as they are both output only fields on this resource.
+  // Required. The Finding being created. The name and security_marks will be ignored as
+  // they are both output only fields on this resource.
   Finding finding = 3 [(google.api.field_behavior) = REQUIRED];
 }
 
 // Request message for creating a notification config.
 message CreateNotificationConfigRequest {
-  // Required. Resource name of the new notification config's parent. Its format
-  // is "organizations/[organization_id]".
+  // Required. Resource name of the new notification config's parent. Its format is
+  // "organizations/[organization_id]".
   string parent = 1 [
     (google.api.field_behavior) = REQUIRED,
     (google.api.resource_reference) = {
@@ -331,11 +313,9 @@ message CreateNotificationConfigRequest {
   // characters, underscores or hyphens only.
   string config_id = 2 [(google.api.field_behavior) = REQUIRED];
 
-  // Required. The notification config being created. The name and the service
-  // account will be ignored as they are both output only fields on this
-  // resource.
-  NotificationConfig notification_config = 3
-      [(google.api.field_behavior) = REQUIRED];
+  // Required. The notification config being created. The name and the service account
+  // will be ignored as they are both output only fields on this resource.
+  NotificationConfig notification_config = 3 [(google.api.field_behavior) = REQUIRED];
 }
 
 // Request message for creating a source.
@@ -349,8 +329,8 @@ message CreateSourceRequest {
     }
   ];
 
-  // Required. The Source being created, only the display_name and description
-  // will be used. All other fields will be ignored.
+  // Required. The Source being created, only the display_name and description will be
+  // used. All other fields will be ignored.
   Source source = 2 [(google.api.field_behavior) = REQUIRED];
 }
 
@@ -380,8 +360,8 @@ message GetNotificationConfigRequest {
 
 // Request message for getting organization settings.
 message GetOrganizationSettingsRequest {
-  // Required. Name of the organization to get organization settings for. Its
-  // format is "organizations/[organization_id]/organizationSettings".
+  // Required. Name of the organization to get organization settings for. Its format is
+  // "organizations/[organization_id]/organizationSettings".
   string name = 1 [
     (google.api.field_behavior) = REQUIRED,
     (google.api.resource_reference) = {
@@ -477,9 +457,9 @@ message GroupAssetsRequest {
   // property not existing: `-resource_properties.my_property : ""`
   string filter = 2;
 
-  // Required. Expression that defines what assets fields to use for grouping.
-  // The string value should follow SQL syntax: comma separated list of fields.
-  // For example:
+  // Required. Expression that defines what assets fields to use for grouping. The string
+  // value should follow SQL syntax: comma separated list of fields. For
+  // example:
   // "security_center_properties.resource_project,security_center_properties.project".
   //
   // The following fields are supported when compare_duration is not set:
@@ -624,9 +604,9 @@ message GroupFindingsRequest {
   // property not existing: `-source_properties.my_property : ""`
   string filter = 2;
 
-  // Required. Expression that defines what assets fields to use for grouping
-  // (including `state_change`). The string value should follow SQL syntax:
-  // comma separated list of fields. For example: "parent,resource_name".
+  // Required. Expression that defines what assets fields to use for grouping (including
+  // `state_change`). The string value should follow SQL syntax: comma separated
+  // list of fields. For example: "parent,resource_name".
   //
   // The following fields are supported:
   //
@@ -750,8 +730,8 @@ message ListNotificationConfigsResponse {
 
 // Request message for listing sources.
 message ListSourcesRequest {
-  // Required. Resource name of the parent of sources to list. Its format should
-  // be "organizations/[organization_id]".
+  // Required. Resource name of the parent of sources to list. Its format should be
+  // "organizations/[organization_id]".
   string parent = 1 [
     (google.api.field_behavior) = REQUIRED,
     (google.api.resource_reference) = {
@@ -909,12 +889,10 @@ message ListAssetsRequest {
   // read_time.
   google.protobuf.Duration compare_duration = 5;
 
-  // Optional.
   // A field mask to specify the ListAssetsResult fields to be listed in the
   // response.
   // An empty field mask will list all fields.
-  google.protobuf.FieldMask field_mask = 7
-      [(google.api.field_behavior) = OPTIONAL];
+  google.protobuf.FieldMask field_mask = 7;
 
   // The value returned by the last `ListAssetsResponse`; indicates
   // that this is a continuation of a prior `ListAssets` call, and
@@ -1093,11 +1071,9 @@ message ListFindingsRequest {
   // read_time.
   google.protobuf.Duration compare_duration = 5;
 
-  // Optional.
   // A field mask to specify the Finding fields to be listed in the response.
   // An empty field mask will list all fields.
-  google.protobuf.FieldMask field_mask = 7
-      [(google.api.field_behavior) = OPTIONAL];
+  google.protobuf.FieldMask field_mask = 7;
 
   // The value returned by the last `ListFindingsResponse`; indicates
   // that this is a continuation of a prior `ListFindings` call, and
@@ -1168,7 +1144,7 @@ message ListFindingsResponse {
     StateChange state_change = 2;
 
     // Output only. Resource that is associated with this finding.
-    Resource resource = 3;
+    Resource resource = 3 [(google.api.field_behavior) = OUTPUT_ONLY];
   }
 
   // Findings matching the list request.
@@ -1202,14 +1178,13 @@ message SetFindingStateRequest {
   Finding.State state = 2 [(google.api.field_behavior) = REQUIRED];
 
   // Required. The time at which the updated state takes effect.
-  google.protobuf.Timestamp start_time = 3
-      [(google.api.field_behavior) = REQUIRED];
+  google.protobuf.Timestamp start_time = 3 [(google.api.field_behavior) = REQUIRED];
 }
 
 // Request message for running asset discovery for an organization.
 message RunAssetDiscoveryRequest {
-  // Required. Name of the organization to run asset discovery for. Its format
-  // is "organizations/[organization_id]".
+  // Required. Name of the organization to run asset discovery for. Its format is
+  // "organizations/[organization_id]".
   string parent = 1 [
     (google.api.field_behavior) = REQUIRED,
     (google.api.resource_reference) = {
@@ -1220,8 +1195,8 @@ message RunAssetDiscoveryRequest {
 
 // Request message for updating or creating a finding.
 message UpdateFindingRequest {
-  // Required. The finding resource to update or create if it does not already
-  // exist. parent, security_marks, and update_time will be ignored.
+  // Required. The finding resource to update or create if it does not already exist.
+  // parent, security_marks, and update_time will be ignored.
   //
   // In the case of creation, the finding id portion of the name must be
   // alphanumeric and less than or equal to 32 characters and greater than 0
@@ -1241,8 +1216,7 @@ message UpdateFindingRequest {
 // Request message for updating a notification config.
 message UpdateNotificationConfigRequest {
   // Required. The notification config to update.
-  NotificationConfig notification_config = 1
-      [(google.api.field_behavior) = REQUIRED];
+  NotificationConfig notification_config = 1 [(google.api.field_behavior) = REQUIRED];
 
   // The FieldMask to use when updating the notification config.
   //
@@ -1253,8 +1227,7 @@ message UpdateNotificationConfigRequest {
 // Request message for updating an organization's settings.
 message UpdateOrganizationSettingsRequest {
   // Required. The organization settings resource to update.
-  OrganizationSettings organization_settings = 1
-      [(google.api.field_behavior) = REQUIRED];
+  OrganizationSettings organization_settings = 1 [(google.api.field_behavior) = REQUIRED];
 
   // The FieldMask to use when updating the settings resource.
   //