View vulnerability reports

Software vulnerabilities are weaknesses that can either cause an accidental system failure or result in malicious activity. For more information, see Vulnerability reports.

This document describes how to set up your VMs using VM Manager and view the vulnerability reports for your operating systems.

Before you begin

  • Review OS Config quotas.
  • Set up VM Manager.
  • If you haven't already, then set up authentication. Authentication is the process by which your identity is verified for access to Google Cloud services and APIs. To run code or samples from a local development environment, you can authenticate to Compute Engine by selecting one of the following options:

    Select the tab for how you plan to use the samples on this page:

    Console

    When you use the Google Cloud console to access Google Cloud services and APIs, you don't need to set up authentication.

    gcloud

    1. Install the Google Cloud CLI, then initialize it by running the following command:

      gcloud init
    2. Set a default region and zone.

    REST

    To use the REST API samples on this page in a local development environment, you use the credentials you provide to the gcloud CLI.

      Install the Google Cloud CLI, then initialize it by running the following command:

      gcloud init

    For more information, see Authenticate for using REST in the Google Cloud authentication documentation.

Supported operating systems

For the full list of operating systems and versions for which you can get vulnerability reports using VM Manager, see Operating system details.

Required roles and permissions

To get the permissions that you need to view vulnerability reports, ask your administrator to grant you the following IAM roles on the project:

For more information about granting roles, see Manage access to projects, folders, and organizations.

You might also be able to get the required permissions through custom roles or other predefined roles.

In addition to these roles, to access Compute Engine resources by using the Google Cloud console, you must have a role that contains the compute.projects.get permission on the project.

View vulnerability reports

To view vulnerability reports, you can use any of the following options:

View vulnerability report using the gcloud CLI or API

Use one of the following methods to view vulnerability reports for your VMs.

Console

To view OS vulnerability reports for a VM by using the Google Cloud console, perform the following steps:

  1. In the Google Cloud console, go to the VM instances page.

    Go to VM instances

  2. Click the name of the instance for which you want to view the OS information. The Instance details page appears.
  3. Click the OS info tab.
    To view OS inventory data, you must enable VM Manager. If Google Cloud console prompts you to enable VM Manager, select one of the following options:
    • Enable for current project: enables VM Manager for all VMs in the selected project
    • Enable for this VM: enables VM Manager only for the selected VM
  4. Review the list of OS vulnerabilities in the OS info tab.

gcloud

  • To view vulnerability reports for VMs in a specific zone, use the os-config vulnerability-reports list command.

    For example, to list all the VMs that have inventory data, run the following command:

    gcloud compute os-config vulnerability-reports list \
       --location=ZONE
    

    Replace ZONE with the zone where the VM is located.

    Example

    gcloud compute os-config vulnerability-reports list \
       --location=us-west2-a
    

    Example output

    INSTANCE_ID         VULNERABILITY_COUNT  UPDATE_TIME
    29255009728795105   2                    2021-04-13T19:10:10.303046Z
    307058717116242358  1                    2021-04-13T19:10:10.303046Z
    
  • To view vulnerability report for a specific VM, run the os-config vulnerability-reports describe command specifying the INSTANCE_ID returned from the previous step or the INSTANCE_NAME.

    gcloud compute os-config vulnerability-reports describe VM_NAME \
       --location=ZONE
    

    Replace the following:

    • VM_NAME: the name for your VM
    • ZONE: the zone where the VM instance is located

    Example

    gcloud compute os-config vulnerability-reports describe vm1-centos \
       --location=us-west2-a
    

    Example output

    ┌───────────────────────────────────────────────────────────────────┐
    │                          Vulnerabilities                          │
    ├──────────────────┬──────────┬───────────────┬─────────────────────┤
    │       CVE        │ SEVERITY │ CVSS_V3_SCORE │     CREATE_TIME     │
    ├──────────────────┼──────────┼───────────────┼─────────────────────┤
    │ CVE-2012-6655    │ LOW      │ 3.3           │ 2021-04-29T22:19:53 │
    │ CVE-2016-1585    │ MEDIUM   │ 9.8           │ 2021-04-29T22:19:53 │
    │ CVE-2016-2781    │ LOW      │ 6.5           │ 2021-04-29T22:19:53 │
    │ CVE-2019-7306    │ LOW      │ 7.5           │ 2021-04-29T22:19:53 │
    │ CVE-2020-13776   │ LOW      │ 6.7           │ 2021-04-29T22:19:53 │
    │ CVE-2021-31879   │ MEDIUM   │ 6.1           │ 2021-05-05T06:11:53 │
    └──────────────────┴──────────┴───────────────┴─────────────────────┘
    name: projects/384587888288/locations/us-west2-a/instances/29255009728795105/vulnerabilityReport
    updateTime: '2021-05-11T22:29:50'
    

REST

  • To view vulnerability reports for VMs in a specific zone, create a GET request to the projects.locations.instances.vulnerabilityReports method.

    GET https://osconfig.googleapis.com/v1/projects/PROJECT_ID/locations/ZONE/instances/–/vulnerabilityReports
    

    Replace the following:

    • PROJECT_ID: your project ID
    • ZONE: the zone where the VMs are located
  • To view vulnerability report for a specific VM, create a GET request to the projects.locations.instances.getVulnerabilityReport method.

    GET https://osconfig.googleapis.com/v1/projects/PROJECT_ID/locations/ZONE/instances/INSTANCE/vulnerabilityReport
    

    Replace the following:

    • PROJECT_ID: your project ID
    • ZONE: the zone where the VM instance is located
    • INSTANCE: specify either the instance ID or the name for your VM

View vulnerability reports using the Security Command Center dashboard

Security Command Center is Google Cloud's centralized vulnerability and threat reporting service.

If you are a Security Command Center premium tier user, you can access vulnerability report data for the operating systems that are running on VMs across your organization.

On the Findings page in the Security Command Center dashboard, you can review the Common Vulnerabilities and Exposures (CVE) IDs for all identified vulnerabilities that are affecting your operating system.

For information about using the Security Command Center dashboard to access and review operating system vulnerability data, see VM Manager.

View vulnerability reports data from Cloud Asset Inventory

OS inventory management stores and forwards inventory and vulnerability report data to Cloud Asset Inventory. Cloud Asset Inventory is a metadata inventory service that allows you to view, monitor, and analyze assets across Google Cloud. From Cloud Asset Inventory, you can poll the information and view changes in the data.

To access OS inventory and vulnerability report data from Cloud Asset Inventory, you need to complete the following setup:

For more information, see Viewing VM Manager data.

What's next