policy/cnspec_policy.proto

// Copyright (c) Mondoo, Inc.
// SPDX-License-Identifier: BUSL-1.1

syntax = "proto3";

package cnspec.policy.v1;
option go_package = "go.mondoo.com/cnspec/v11/policy";

import "llx/llx.proto";
import "explorer/cnquery_explorer.proto";
import "explorer/resources/cnquery_resources_explorer.proto";
import "providers-sdk/v1/inventory/inventory.proto";
import "providers-sdk/v1/upstream/mvd/mvd.proto";

enum GroupType {
  UNCATEGORIZED = 0;
  CHAPTER = 1;
  IMPORT = 2;
  OVERRIDE = 3; // generic overrides to existing checks/controls
  IGNORED = 4; // ignore scoring, snooze it
  DISABLE = 5; // disable execution, turn it off
  PROPERTIES = 6; // modify properties
  OUT_OF_SCOPE = 7; // out of scope, meaning it is not applicable
}

/*
  PolicyGroup specifies and overrides a policy and all its queries and referenced policies.
  - Queries have UUIDs across all policies, so these overrides reach across policies.
  - Policies are targeted via UUID as well and may override their scoring behavior.
  - PolicyGroups can be time-limited
  - PolicyGroups can be limited to a subset of assets
*/
message PolicyGroup {
  repeated PolicyRef policies = 1;
  repeated cnquery.explorer.Mquery checks = 2;
  repeated cnquery.explorer.Mquery queries = 3;
  GroupType type = 4;
  string uid = 5;

  // filter for the assets this applies to
  cnquery.explorer.Filters filters = 20;

  // the timeline during which overrides are active and reminders will be sent
  int64 start_date = 21;
  int64 end_date = 22;
  int64 reminder_date = 23;

  // metadata
  string title = 24;
  PolicyGroupDocs docs = 25;
  repeated cnquery.explorer.Author authors = 26;
  repeated cnquery.explorer.Author reviewers = 27;
  // only applies to GroupType IGNORED/DISABLED
  // Only if status is REJECTED, we ignore the group
  // Which means that unapproved groups get handled as if they were approved
  ReviewStatus review_status = 28;

  int64 created = 32;
  int64 modified = 33;
}

message PolicyRef {
  string mrn = 1;
  string uid = 2;

  // TODO: we are adding support for these overrides later on
  //repeated cnquery.explorer.Property props = 35;
  //cnquery.explorer.Filters filters = 43;

  // Action is used for all policy overrides
  cnquery.explorer.Action action = 41;
  // Impact allows to override the way the score of the policy is aggregated
  cnquery.explorer.Impact impact = 23;
  // ScoringSystem allows overriding the scoring system of the policy
  cnquery.explorer.ScoringSystem scoring_system = 42;
  // timestamp when the policy was last applied
  int64 last_applied = 43;

  // local checksum for the contents of this policy reference
  string checksum = 4;
}

/*
  Policy definition, re-usable or assigned to the user's environment
  - Contains all policies and overrides
  - Can limit to what it supports
*/
message Policy {
  string mrn = 1; // will be filled from UID on upload
  string uid = 36; // uid is only used initially, to generate the MRN
  string name = 2;
  string version = 3;
  string owner_mrn = 8;

  repeated PolicyGroup groups = 11;

  string license = 21;
  PolicyDocs docs = 41;
  string summary = 46;

  cnquery.explorer.ScoringSystem scoring_system = 10;

  repeated cnquery.explorer.Author authors = 30;
  int64 created = 32;
  int64 modified = 33;
  map<string,string> tags = 34;
  repeated cnquery.explorer.Property props = 45;
  repeated RiskFactor risk_factors = 47;

  // checksums are grouped into:
  // local... meaning this policy, not policy dependencies
  // graph... meaning this and all dependent policies
  // content... meaning all the content in the policy, everything there is
  // execution... meaning everything that changes the resolved policy
  string local_content_checksum = 37;
  string graph_content_checksum = 38;
  string local_execution_checksum = 39;
  string graph_execution_checksum = 40;

  // aggregation of all filters applicable to this policy. auto-generated
  cnquery.explorer.Filters computed_filters = 43;

  QueryCounts query_counts = 42;
}

message Policies {
  repeated Policy items = 2;
}

enum QueryAction {
  UNSPECIFIED = 0;
  MODIFY = 1;
  DEACTIVATE = 2;
  ACTIVATE = 3;
}

message QueryCounts {
  int64 scoring_count = 1;
  int64 data_count = 2;
  int64 total_count = 3;
}

message Bundle {
  string owner_mrn = 1;
  repeated Policy policies = 7;
  repeated cnquery.explorer.QueryPack packs = 10;
  repeated cnquery.explorer.Property props = 3;
  repeated cnquery.explorer.Mquery queries = 6;
  repeated Framework frameworks = 8;
  repeated FrameworkMap framework_maps = 9;
  PolicyDocs docs = 5;
  // Migrations for the current bundle, describes changes to its contents
  // from older versions or other collections.
  // Experimental as of v11.x
  repeated MigrationGroup migration_groups = 11;
}

// MigrationGroup contains a set of migrations for a policy collection.
// The policy should generally contain the UID and affected version.
message MigrationGroup {
  Policy policy = 1; // only informational fields will be used (version)
  repeated Migration migrations = 2;
}

// Migration is an action performed on a matching policy.
// This is generally performed to track changes in UIDs from old policies
// to new policies.
message Migration {
  enum Action {
    UNSPECIFIED = 0;
    CREATE = 1;
    REMOVE = 2;
    MODIFY = 3;
  }

  MigrationMatch match = 1;
  MigrationDelta target = 2;
  Action action = 3;
}

message MigrationMatch {
  string uid = 1;
}

message MigrationDelta {
  string uid = 1;
}

enum ScopeType {
  // Scope type has not been set
  UNSCOPED = 0;
  // Scope applies to the entire asset and vulns and security
  ASSET = 1;
  // Scope applies to vulnerabilities on the entire asset
  ASSET_VULNS = 2;
  // Scope applies to certain resources on an asset, but not software
  RESOURCE = 4;
  // Scope applies to certain software (packages/libs), but not resources
  SOFTWARE = 5;
  // Scope applies to both software and resources on an asset
  SOFTWARE_AND_RESOURCE = 6;
}

message SoftwareSelector {
  // Methods to select software. Either:
  // 1. By PURL, omitted fields are treated as glibglob (*)
  string type = 1;
  string namespace = 2;
  string name = 3;
  string version = 4;
  // 2. By MQL package data returned from a query
  string mql_mrn = 5;
}

message ResourceSelector {
  string name = 1;
}

message RiskMagnitude {
  float value = 1;
  bool is_toxic = 2;
}

message RiskFactor {
  string mrn = 1;
  string uid = 36;
  string checksum = 3;

  string title = 24;
  RiskFactorDocs docs = 25;

  // filter for the assets this applies to
  cnquery.explorer.Filters filters = 20;
  repeated cnquery.explorer.Mquery checks = 2;

  ScopeType scope = 70;
  float deprecated_v11_magnitude = 71;
  bool deprecated_v11_is_absolute = 72;
  RiskMagnitude magnitude = 76;
  repeated SoftwareSelector software = 73;
  repeated ResourceSelector resources = 74;
  // Risk Factor indicators are freely configurable. Currently we support:
  //
  // 1. Contextual risks
  //
  // - Internet-facing asset   [internet-facing]
  //   Any assets that are facing the internet may be at risk of being breached
  //
  // - Asset or service in use   [asset-in-use]
  //   Assets or services that are currently being used. If vulnerabilities
  //   are found on an asset in use, their priority is increased. However,
  //   vulnerabilities on an asset not in use may be reduced in priority.
  //
  // - Exploitable vulnerabilities   [exploitable]
  //   Exploitable vulnerabilities are detected on the asset. These are more
  //   likely to lead to a breach.
  //
  // - Code Execution risks   [code-execution]
  //   Vulnerabilities are detected which contain (remote) code executions.
  //   These can cause serious damage to other resources on the asset.
  //
  // - End of life   [eol]
  //   The asset or some of its resources have reach their end of life and
  //   no longer receive security updates. Vulnerability analysis is
  //   unreliable and may not be actionable.
  //
  // - Defensive countermeasures   [defensive]
  //   Defensive countermeasures have been detected on the asset. These may
  //   contain security modules, firewalls, or other mitigations.
  //
  // 2. Downstream exposure
  //
  // - DB access   [db-access]
  //   Databases are downstream exposures that may hold valuable customer data
  //
  // - User risks   [user-risk]
  //   Users, often with elevated privileges, that are at risk
  //
  // - Sensitive data   [sensitive-data]
  //   The asset contains sensitivie data, which an attacker may access if
  //   they manage to breach it.
  //
  // - Credential risks   [credentials]
  //   Credentials are found on the asset that attackers may use to elevate
  //   their privileges or breach other systems.
  //
  // - Containers or Kubernetes   [containers]
  //   Containers or Kuberenetes environments are found ont he asset. Attackers
  //   may expand their attacks to these virtual systems.
  //
  // 3. Misc
  //
  // - Tagged assets   [tagged]
  //   Tagged assets may be increased or decreased in priority, depending on
  //   a users' needs. For example: Critical production infrastructure may
  //   increase the risk of findings.
  //
  // - Other risks   [uncategorized]
  //   This captures any other type of risk factor, that doesn't fit the above
  //   risk categories.
  string indicator = 75;

  cnquery.explorer.Action action = 77;
  map<string,string> tags = 78;
}

message RiskFactorDocs {
  string active = 1;
  string inactive = 2;
}

message PolicyGroupDocs {
  string desc = 1;
  string justification = 2;
}

message PolicyDocs {
  string desc = 1;
}

message Framework {
  string mrn = 1; // will be filled from UID on upload
  string uid = 36; // uid is only used initially to generate the MRN
  string name = 2;
  string version = 3;
  string owner_mrn = 8;

  repeated FrameworkGroup groups = 11;

  string license = 21;
  PolicyDocs docs = 41;
  string summary = 46;

  repeated cnquery.explorer.Author authors = 30;
  int64 created = 32;
  int64 modified = 33;
  map<string,string> tags = 34;

  // references to child frameworks that are applied directly
  repeated FrameworkRef dependencies = 35;

  // checksums are grouped into:
  // local... meaning this policy, not policy dependencies
  // graph... meaning this and all dependent policies
  // content... meaning all the content in the policy, everything there is
  // execution... meaning everything that changes the resolved policy
  string local_content_checksum = 37;
  string graph_content_checksum = 38;
  string local_execution_checksum = 39;
  string graph_execution_checksum = 40;

  // Framework maps describe how frameworks and controls map to
  // checks, policies, and other controls; auto-generated from embedded content.
  // This field is never directly exported back to YAML. Instead
  // framework maps are turned into top-level objects again.
  repeated FrameworkMap framework_maps = 53;
}

message Frameworks {
  repeated Framework items = 2;
}

enum ReviewStatus {
  NOT_REVIEWED = 0;
  APPROVED = 1;
  REJECTED = 2;
}

message FrameworkGroup {
  repeated Control controls = 1;
  GroupType type = 4;
  string uid = 5;

  // the timeline during which overrides are active and reminders will be sent
  int64 start_date = 21;
  // only applies to IGNORE action
  // empty is interpreted as "infinite"
  int64 end_date = 22;
  int64 reminder_date = 23;

  // metadata
  string title = 24;
  PolicyGroupDocs docs = 25;
  repeated cnquery.explorer.Author authors = 26;
  repeated cnquery.explorer.Author reviewers = 27;
  // only applies to GroupType IGNORED/DISABLED
  // Only if status is REJECTED, we ignore the group
  // Which means that unapproved groups get handled as if they were approved
  ReviewStatus review_status = 28;


  int64 created = 32;
  int64 modified = 33;
}

message FrameworkRef {
  string mrn = 1;
  string uid = 2;
  cnquery.explorer.Action action = 41;
}

// Represents evidence for a given compliance framework control.
message Evidence {
  string title = 1;
  string desc = 2;
  string uid = 3;
  string mrn = 4;
  repeated cnquery.explorer.Mquery checks = 21;
  repeated cnquery.explorer.Mquery queries = 22;
  repeated ControlRef controls = 23;
}

message Control {
  string checksum = 3;
  string mrn = 4;
  // UID is only needed on Mquery upload, when the MRN is computed.
  // It is not be persisted.
  string uid = 5;
  string title = 20;
  ControlDocs docs = 21;
  map<string,string> tags = 34;
  // actions applied to this control, only necessary for overrides
  cnquery.explorer.Action action = 41;
  bool manual = 50; // indicates that this is a manual control
  repeated Evidence evidence = 51;
}

message FrameworkMap {
  string mrn = 1;
  string uid = 2;
  repeated cnquery.explorer.ObjectRef framework_dependencies = 3;
  repeated cnquery.explorer.ObjectRef policy_dependencies = 4;
  repeated cnquery.explorer.ObjectRef query_pack_dependencies = 6;

  repeated ControlMap controls = 5;
  cnquery.explorer.ObjectRef framework_owner = 20;
  string local_content_checksum = 21;
  string local_execution_checksum = 22;
}

message ControlMap {
  string uid = 3;
  string mrn = 4;
  repeated ControlRef checks = 7;
  repeated ControlRef policies = 8;
  repeated ControlRef controls = 9;
  repeated ControlRef queries = 10;
}

message ControlDocs {
  string desc = 1;
  repeated cnquery.explorer.MqueryRef refs = 4;
}

message ControlRef {
  string mrn = 1;
  string uid = 2;
  cnquery.explorer.Action action = 41;
}

// **********  Resolution / Execution **************

// Asset is a lean layer of information about an asset
message Asset {
  reserved 20;
  string mrn = 1;
  string name = 18;
  string url = 19;
  cnquery.providers.v1.Platform platform = 21;
}

/*
  Once a policy has been                     , it can easily be retrieved.
  We will store the different ways in which policies are resolved in the DB
  for fast retrieval.
*/
message ResolvedPolicy {
  ExecutionJob execution_job = 2;
  CollectorJob collector_job = 3;
  repeated cnquery.explorer.Mquery filters = 1;
  string graph_execution_checksum = 7;
  string filters_checksum = 20;
  string reporting_job_uuid = 21;
}

/*
  The list of queries that an asset needs to execute
  May be identical amongst multiple individual policies
  - Checksum helps deduplicate this job
  - Queries have a map from query checksum to query query contents
*/
message ExecutionJob {
  string checksum = 1;
  // map of all queries that should be executed, checksum => query
  map<string,ExecutionQuery> queries = 2;
}

/*
  A query which is part of an ExecutionJob
  Reduced to the bare minimum for the execution
*/
message ExecutionQuery {
  string query = 1;
  string checksum = 2;
  // mapping from name => datapoint checksum, which is in the execution job
  map<string,string> properties = 3;
  // list of checksums that we collect as data points
  repeated string datapoints = 4;
  cnquery.llx.CodeBundle code = 5;
}

/*
  The scoring job used by the collector, to know what happens with all
  individual scores that the asset sends.
  - Checksum helps deduplicate this job
  - Every score points to a reporting job
  - For optimization, assets may have multiple scoring jobs
*/
message CollectorJob {
  string checksum = 1;
  // links incoming score/query-checksum to reporting job
  map<string,ReportingJob> reporting_jobs = 2;
  // maps a query checksum (llx) to a list of query objects (uuid)
  map<string,StringArray> reporting_queries = 3;
  // maps a query datapoint checksum (llx) to its type and reporting jobs (uuids)
  map<string,DataQueryInfo> datapoints = 4;
  // maps a query checksum (llx) to a list of risk MRNs it belongs to
  map<string,StringArray> risk_mrns = 5;
  // risk factors with only limited fields necessary for the collector
  map<string,RiskFactor> risk_factors = 6;
}

message StringArray {
  repeated string items = 1;
}

message DataQueryInfo {
  string type = 1;
  repeated string notify = 2;
}

/*
  Reporting jobs help build reports from all the scores they receive
  1. When a query score arrives, it is first reported to the CollectorJob.
  2. It picks the first reportingJob and fills the result in, no additional
     specs need to be called. However, it notifies all other reporting jobs.
  3. Once a notified reporting job runs, it looks at alal the specs and collects
     their values and scores them. Repeat this step for all notified reports.
  - uuid specifies the query or policy
  - spec has all the other results that need to be pulled and their scorings
*/
message ReportingJob {
  // FIXME: DEPRECATED, remove in v10.0 vv
  // This is replaced by the new type field, which now carries more info
  bool deprecated_v8_is_data = 8;
  // ^^

  enum Type {
    UNSPECIFIED = 0;
    CHECK = 1;
    DATA_QUERY = 2;
    CONTROL = 3;
    POLICY = 4;
    FRAMEWORK = 5;
    RISK_FACTOR = 6;
    CHECK_AND_DATA_QUERY = 7;
    EXECUTION_QUERY = 8;
  }

  string checksum = 1;
  string qr_id = 2;
  string uuid = 3;
  repeated string notify = 5;
  cnquery.explorer.ScoringSystem scoring_system = 6;
  map<string,bool> datapoints = 7;
  map<string,cnquery.explorer.Impact> child_jobs = 9;
  Type type = 10;
  // The MRNs of all the checks/queries this reporting job represents
  repeated string mrns = 11;
}

// **********       Reporting         **************

message Report {
  string scoring_mrn = 1;
  string entity_mrn = 2;
  Score score = 3;
  map<string, Score> scores = 4;
  map<string, cnquery.llx.Result> data = 5;
  Stats stats = 6;
  ScoredRiskFactors risks = 7;

  int64 created = 20;
  int64 modified = 21;
  Stats ignored_stats = 22;

  Cvss cvss_score = 30;
  map<string,Cvss> cvss_scores = 31;
  CvssStats cvss_stats = 32;

  string resolved_policy_version = 33;
  string url = 34;
}

message Reports {
  repeated Report reports = 1;
}

message ReportCollection {
  map<string, cnquery.providers.v1.Asset> assets = 1;
  Bundle bundle = 2;
  map<string, Report> reports = 3;
  map<string, string> errors = 4;
  map<string, ResolvedPolicy> resolved_policies = 5;
  map<string, mondoo.mvd.v1.VulnReport> vuln_reports = 6;
}

message FrameworkReport {
  string scoring_mrn = 1;
  string entity_mrn = 2;
  ControlScore score = 3;
  repeated ControlScore controls = 4;
}

message ControlScore {
  string mrn = 1;
  uint32 completion = 2;            // completion of the control in %; 100% = passed
  uint32 compliant = 3;             // # of compliant referenced scores (checks/policies)
  uint32 failed = 4;                // # of failed referenced scores (checks/policies)
  uint32 total = 5;                 // # of referenced scores (checks/policies)
  // total - compliant - failed = remaining exceptions, skipped or disabled
  uint32 asset_count = 6;           // # of assets reporting into this score
  uint32 compliant_assets_count = 9; // # of compliant assets
  uint32 failed_assets_count = 10; // # of non-compliant assets

  repeated ControlScore assets = 7;       // control score for each asset
  repeated ScoreDistribution scores = 8;  // referenced scores (checks/policies)
  uint32 manual = 20;               // # of manual controls that report into this score
}

/*
  Cvss scores are specific to CVEs
*/
message Cvss {
  string id = 1;
  string checksum = 2;
  int32 score = 3;
  string vector = 4;
  string source = 5;
}

message CvssStats {
  uint32 total = 1;
  uint32 critical = 2; // 9.0 <= .. <= 10.0
  uint32 high = 3;     // 7.0 <= .. < 9.0
  uint32 medium = 4;   // 4.0 <= .. < 7.0
  uint32 low = 5;      // 0.0 < .. < 4.0
  uint32 none = 6;     // 0.0
  uint32 unscored = 7; // no value
  uint32 worst = 8;
}

/*
  Scores are numeric values with weith that provide a summary about the asset
*/
message Score {
  uint32 risk_score = 1;
  string qr_id = 2;
  uint32 type = 3;
  uint32 value = 4;
  uint32 weight = 7;
  uint32 score_completion = 5;
  uint32 data_total = 9;
  uint32 data_completion = 6;
  string message = 8;
  // captures the timestamp when the score value was last modified
  int64 value_modified_time = 10;
  // captures when the score first failed (non-100 value)
  // a value of 0 indicates that this field is not set
  int64 failure_time = 11;
  // risk factors that were applied to this score
  ScoredRiskFactors risk_factors = 12;
  // Optional. Source of the score.
  // Deprecated, use sources instead.
  Source source = 13;
  // Optional. The sources which reported this score
  Sources sources = 14;
}

message ScoreDelta {
  uint32 risk_score = 1;
  string qr_id = 2;
  uint32 type = 3;
  uint32 weight = 7;
  int64 time = 10;
}

message ScoredRiskFactor {
  string mrn = 1;
  float risk = 2;
  bool is_toxic = 3;
  bool is_detected = 4;
}

message ScoredRiskFactors {
  repeated ScoredRiskFactor items = 1;
}

message RiskFactorStats {
  string mrn = 1;
  uint64 affected = 2;
  uint64 total = 3;
  string indicator = 4;
  string title = 5;
}

message RiskFactorsStats {
  repeated RiskFactorStats items = 1;
}

message Stats {
  uint32 total = 1;
  uint32 incomplete = 8;
  uint32 skipped = 10;
  uint32 worst = 11;
  uint32 unknown = 12;
  ScoreDistribution failed = 14;
  ScoreDistribution passed = 15;
  ScoreDistribution errors = 16;
}

message ScoreDistribution {
  uint32 total = 1;
  uint32 a = 2;
  uint32 b = 3;
  uint32 c = 4;
  uint32 d = 5;
  uint32 f = 6;
  uint32 error = 7;
  uint32 unrated = 8;
}

message ScoreStats {
  // Assets in the top groups of stats. For the total number of assets in the
  // stats just add up all the categories.
  uint64 assets = 1;
  // Critical findings
  uint64 critical = 3;
  // High risk findings
  uint64 high = 4;
  // Medium risk findings
  uint64 medium = 5;
  // Low risks findings
  uint64 low = 6;
  // Failing findings with no risk
  uint64 none = 15;
  // Passing observations
  uint64 pass = 7;
  // Unknown results
  uint64 unknown = 8;
  // Error results
  uint64 error = 9;
  // Disabled findings
  uint64 disabled = 13;
  // Snoozed findings
  uint64 snoozed = 14;
  // First time a failure was detected
  int64 first_failure_time = 10;
  // Oldest scan in the set of assets observed
  int64 oldest_scan_time = 11;
  // Newest scan in the set of assets observed
  int64 newest_scan_time = 12;
}

message AssetFindingsStats {
  string asset = 1;
  string finding = 2;
  uint32 base_score = 3;
  uint32 risk_score = 4;
  float weight = 5;
  ScoreStats score_stats = 6;
  RiskFactorsStats risk_factors = 7;
}

// **********       Policy Hub        **************

service PolicyHub {
  rpc SetBundle(Bundle) returns (Empty) {}
  rpc ValidateBundle(Bundle) returns (Empty) {}
  rpc GetBundle(Mrn) returns (Bundle) {}
  rpc GetPolicy(Mrn) returns (Policy) {}
  rpc DeletePolicy(Mrn) returns (Empty) {}
  rpc GetPolicyFilters(Mrn) returns (Mqueries) {}
  rpc List(ListReq) returns (Policies) {}
  rpc DefaultPolicies(DefaultPoliciesReq) returns (URLs) {}
  rpc GetFramework(Mrn) returns (Framework) {}
  rpc DeleteFramework(Mrn) returns (Empty) {}
  rpc ListFrameworks(ListReq) returns (Frameworks) {}
}

message Empty {}

// MRNs are used to uniquely identify resources. They are globally unique.
message Mrn {
  string mrn = 1;
}

message Mqueries {
  repeated cnquery.explorer.Mquery items = 2;
}

message ListReq {
  string owner_mrn = 1;
  string name = 2;
}

message DefaultPoliciesReq {
  string kind = 1;
  string platform = 2;
  string runtime = 3;
  string version = 4;
  repeated string family = 5;
}

message URLs {
  repeated string urls = 1;
}


// **********       Policy Resolver        **************

service PolicyResolver {
  rpc Assign(PolicyAssignment) returns (Empty) {}
  rpc Unassign(PolicyAssignment) returns (Empty) {}
  rpc SetProps(cnquery.explorer.PropsReq) returns (cnquery.explorer.Empty) {}

  rpc Resolve(ResolveReq) returns (ResolvedPolicy) {}
  // UpdateAssetJobs is used to update the resolved policy of an asset
  rpc UpdateAssetJobs(UpdateAssetJobsReq) returns (Empty) {}
  // ResolveAndUpdate is used to update the resolved policy of an asset and return it
  rpc ResolveAndUpdateJobs(UpdateAssetJobsReq) returns (ResolvedPolicy) {}
  // GetResolvedPolicy retrieves the current resolved policy for the given asset
  rpc GetResolvedPolicy(Mrn) returns (ResolvedPolicy) {}

  rpc StoreResults(StoreResultsReq) returns (Empty) {}

  rpc GetReport(EntityScoreReq) returns (Report) {}
  rpc GetFrameworkReport(EntityScoreReq) returns (FrameworkReport) {}
  rpc GetScore(EntityScoreReq) returns (Report) {}
  rpc GetResourcesData(cnquery.explorer.resources.EntityResourcesReq) returns (cnquery.explorer.resources.EntityResourcesRes) {}

  rpc SynchronizeAssets(SynchronizeAssetsReq) returns (SynchronizeAssetsResp) {}
  rpc PurgeAssets(PurgeAssetsRequest) returns (PurgeAssetsConfirmation) {}
}

message PolicyAssignment {
  string asset_mrn = 1;
  repeated string policy_mrns = 2;
  repeated string framework_mrns = 4;
  cnquery.explorer.Action action = 3;
  cnquery.explorer.ScoringSystem scoring_system = 5;
}

message PolicyMutationDelta {
  string policy_mrn = 1;
  map<string,PolicyDelta> policy_deltas = 2;
  cnquery.explorer.Action action = 3;
}

message PolicyDelta {
  string policy_mrn = 1;
  enum PolicyAssignmentActionType {
    ADD = 0;
    DELETE = 1;
  }
  PolicyAssignmentActionType action = 2;
  cnquery.explorer.ScoringSystem scoring_system = 3;
}

message ResolveReq {
  string policy_mrn = 1;
  repeated cnquery.explorer.Mquery asset_filters = 2;
}

message UpdateAssetJobsReq {
  string asset_mrn = 1;
  repeated cnquery.explorer.Mquery asset_filters = 2;
}

message StoreResultsReq {
  string asset_mrn = 1;
  repeated Score scores = 2; // in this context, Scores only carry their checksum, not their ID
  // combination of query-checksum + result (which has entrypoint checksum):
  // TODO: remove the string-map, we don't need it anymore; the llx result contains everything we need (the CodeID)
  map<string, cnquery.llx.Result> data = 3;
  map<string, cnquery.llx.ResourceRecording> resources = 4;
  repeated ScoredRiskFactor risks = 5;
  repeated Cvss cvssScores = 20;
  bool is_preprocessed = 21;
  repeated string notify_updates = 22;

  // Determines if this is the last batch of results for the asset
  bool is_last_batch = 23;
}

message EntityScoreReq {
  string entity_mrn = 1;
  string score_mrn = 2;
}

enum ScoreRating {
  unrated = 0;
  aPlus = 1;
  a = 2;
  aMinus = 3;
  bPlus = 4;
  b = 5;
  bMinus = 6;
  cPlus = 7;
  c = 8;
  cMinus = 9;
  dPlus = 10;
  d = 11;
  dMinus = 12;
  failed = 13;
  error = 14;
  skip = 15;
}

message SynchronizeAssetsReq {
  string space_mrn = 1;
  repeated cnquery.providers.v1.Asset list = 2;
}

message SynchronizeAssetsRespAssetDetail {
  string platform_mrn = 1;
  string asset_mrn = 2;
  string url = 3;
  string project_id = 4;
}

message SynchronizeAssetsResp {
  map<string, SynchronizeAssetsRespAssetDetail> details = 1;
}

message PurgeAssetsRequest {
  string spaceMrn = 1;
  repeated string asset_mrns = 2;
  bool purge_all = 3; // if you want to purge all assets in the space
  DateFilter date_filter = 4;
  string managed_by = 5;
  string platform_runtime = 6;

  // Labels to filter on. Only assets with all of these labels will be purged.
  map<string, string> labels = 7;
}

message DateFilter {
  string timestamp = 1; // RFC3339
  Comparison comparison = 2;
  DateFilterField field = 3;
}

enum Comparison {
  GREATER_THAN = 0;
  LESS_THAN = 1;
}

enum DateFilterField {
  FILTER_LAST_UPDATED = 0;
  FILTER_CREATED = 1;
}

message PurgeAssetsConfirmation {
  repeated string asset_mrns = 1;
  map<string, string> errors = 2;
}

// Sources is a list of sources.
// Used to get past marshal/unmarshal limitations of repeated Source fields.
message Sources {
  repeated Source items = 1;
}

// Source is used to identify the source.
message Source {
  // Required. Name of the source
  string name = 1;
  // Optional. URL of the source
  string url = 2;

  // RFC3339 timestamp when this source first detected the score
  string first_detected_at = 3;
  // RFC3339 timestamp when this source last updated the score
  string last_updated_at = 4;
  // RFC3339 timestamp when this source marked the score as fixed
  string fixed_at = 5;

  enum Vendor {
    UNSPECIFIED = 0;
    MONDOO = 1;
    MICROSOFT = 2;
    CROWDSTRIKE = 3;
    SENTINEL_ONE = 4;
  }

  // Optinal. Version of the source scanner
  string version = 6;
  // Optional. Vendor of the source scanner
  Vendor vendor = 7;
}