feat: Add highest_upgradable_cve_severity field to Vulnerability report

Google APIs · copybara-github · commit eef0d65ed2dc · 2025-08-08T14:29:05.000-07:00
docs: A comment for field `update_time` in message `.google.cloud.osconfig.v1.VulnerabilityReport` is changed
docs: A comment for field `filter` in message `.google.cloud.osconfig.v1.ListVulnerabilityReportsRequest` is changed

PiperOrigin-RevId: 792763000
diff --git a/google/cloud/osconfig/v1/vulnerability.proto b/google/cloud/osconfig/v1/vulnerability.proto
@@ -130,18 +130,54 @@ message VulnerabilityReport {
     repeated Item items = 6;
   }
 
+  // Severity levels for vulnerabilities.
+  enum VulnerabilitySeverityLevel {
+    // Default SeverityLevel. This value is unused.
+    VULNERABILITY_SEVERITY_LEVEL_UNSPECIFIED = 0;
+
+    // Vulnerability has no severity level.
+    NONE = 1;
+
+    // Vulnerability severity level is minimal. This is level below the low
+    // severity level.
+    MINIMAL = 2;
+
+    // Vulnerability severity level is low. This is level below the medium
+    // severity level.
+    LOW = 3;
+
+    // Vulnerability severity level is medium. This is level below the high
+    // severity level.
+    MEDIUM = 4;
+
+    // Vulnerability severity level is high. This is level below the critical
+    // severity level.
+    HIGH = 5;
+
+    // Vulnerability severity level is critical. This is the highest severity
+    // level.
+    CRITICAL = 6;
+  }
+
   // Output only. The `vulnerabilityReport` API resource name.
   //
   // Format:
   // `projects/{project_number}/locations/{location}/instances/{instance_id}/vulnerabilityReport`
   string name = 1 [(google.api.field_behavior) = OUTPUT_ONLY];
 
   // Output only. List of vulnerabilities affecting the VM.
-  repeated Vulnerability vulnerabilities = 2 [(google.api.field_behavior) = OUTPUT_ONLY];
-
-  // Output only. The timestamp for when the last vulnerability report was generated for the
-  // VM.
-  google.protobuf.Timestamp update_time = 3 [(google.api.field_behavior) = OUTPUT_ONLY];
+  repeated Vulnerability vulnerabilities = 2
+      [(google.api.field_behavior) = OUTPUT_ONLY];
+
+  // Output only. The timestamp for when the last vulnerability report was
+  // generated for the VM.
+  google.protobuf.Timestamp update_time = 3
+      [(google.api.field_behavior) = OUTPUT_ONLY];
+
+  // Output only. Highest level of severity among all the upgradable
+  // vulnerabilities with CVEs attached.
+  VulnerabilitySeverityLevel highest_upgradable_cve_severity = 4
+      [(google.api.field_behavior) = OUTPUT_ONLY];
 }
 
 // A request message for getting the vulnerability report for the specified VM.
@@ -185,8 +221,22 @@ message ListVulnerabilityReportsRequest {
   // should continue from.
   string page_token = 3;
 
-  // If provided, this field specifies the criteria that must be met by a
-  // `vulnerabilityReport` API resource to be included in the response.
+  // This field supports filtering by the severity level for the vulnerability.
+  // For a list of severity levels, see [Severity levels for
+  // vulnerabilities](https://cloud.google.com/container-analysis/docs/container-scanning-overview#severity_levels_for_vulnerabilities).
+  //
+  // The filter field follows the rules described in the
+  // [AIP-160](https://google.aip.dev/160) guidelines as follows:
+  //
+  // + **Filter for a specific severity type**:  you can list reports that
+  // contain
+  // vulnerabilities that are classified as medium by specifying
+  // `vulnerabilities.details.severity:MEDIUM`.
+  //
+  // + **Filter for a range of severities** : you can list reports that have
+  // vulnerabilities that are classified as critical or high by specifying
+  // `vulnerabilities.details.severity:HIGH OR
+  // vulnerabilities.details.severity:CRITICAL`
   string filter = 4;
 }
 
