Package google.cloud.webrisk.v1

WebRiskService

Web Risk API defines an interface to detect malicious URLs on your website and in client applications.

ComputeThreatListDiff

rpc ComputeThreatListDiff(ComputeThreatListDiffRequest) returns (ComputeThreatListDiffResponse)

Gets the most recent threat list diffs. These diffs should be applied to a local database of hashes to keep it up-to-date. If the local database is empty or excessively out-of-date, a complete snapshot of the database will be returned. This method only updates a single ThreatList at a time. To update multiple ThreatList databases, this method needs to be called once for each list.

Authorization Scopes

Requires the following OAuth scope:

  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

SearchHashes

rpc SearchHashes(SearchHashesRequest) returns (SearchHashesResponse)

Gets the full hashes that match the requested hash prefix. This is used after a hash prefix is looked up in a threatList and there is a match. The client side threatList only holds partial hashes so the client must query this method to determine if there is a full hash match of a threat.

Authorization Scopes

Requires the following OAuth scope:

  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

SearchUris

rpc SearchUris(SearchUrisRequest) returns (SearchUrisResponse)

This method is used to check whether a URI is on a given threatList. Multiple threatLists may be searched in a single query. The response will list all requested threatLists the URI was found to match. If the URI is not found on any of the requested ThreatLists, an empty response will be returned.

Authorization Scopes

Requires the following OAuth scope:

  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

SubmitUri

rpc SubmitUri(SubmitUriRequest) returns (Operation)

Submits a URI suspected of containing malicious content to be reviewed. Returns a google.longrunning.Operation which, once the review is complete, is updated with its result. You can use the Pub/Sub API to receive notifications for the returned Operation. If the result verifies the existence of malicious content, the site will be added to Google's Social Engineering lists in order to protect users who could be exposed to this threat in the future. Only allowlisted projects can use this method during Early Access. Please reach out to Sales or your customer engineer to obtain access.

Authorization Scopes

Requires the following OAuth scope:

  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

CompressionType

The ways in which threat entry sets can be compressed.

Enums
COMPRESSION_TYPE_UNSPECIFIED Unknown.
RAW Raw, uncompressed data.
RICE Rice-Golomb encoded data.

ComputeThreatListDiffRequest

Describes an API diff request.

Fields
threat_type

ThreatType

Required. The threat list to update. Only a single ThreatType should be specified per request. If you want to handle multiple ThreatTypes, you must make one request per ThreatType.

version_token

bytes

The current version token of the client for the requested list (the client version that was received from the last successful diff). If the client does not have a version token (this is the first time calling ComputeThreatListDiff), this may be left empty and a full database snapshot will be returned.

constraints

Constraints

Required. The constraints associated with this request.

Constraints

The constraints for this diff.

Fields
max_diff_entries

int32

The maximum size in number of entries. The diff will not contain more entries than this value. This should be a power of 2 between 2**10 and 2**20. If zero, no diff size limit is set.

max_database_entries

int32

Sets the maximum number of entries that the client is willing to have in the local database. This should be a power of 2 between 2**10 and 2**20. If zero, no database size limit is set.

supported_compressions[]

CompressionType

The compression types supported by the client.

ComputeThreatListDiffResponse

Fields
response_type

ResponseType

The type of response. This may indicate that an action must be taken by the client when the response is received.

additions

ThreatEntryAdditions

A set of entries to add to a local threat type's list.

removals

ThreatEntryRemovals

A set of entries to remove from a local threat type's list. This field may be empty.

new_version_token

bytes

The new opaque client version token. This should be retained by the client and passed into the next call of ComputeThreatListDiff as 'version_token'. A separate version token should be stored and used for each threatList.

checksum

Checksum

The expected SHA256 hash of the client state; that is, of the sorted list of all hashes present in the database after applying the provided diff. If the client state doesn't match the expected state, the client must discard this diff and retry later.

recommended_next_diff

Timestamp

The earliest time at which the client should issue its next diff request. Querying sooner is unlikely to produce a meaningful diff. Waiting longer is acceptable considering the use case. If this field is not set, clients may update as soon as they want.

Checksum

The expected state of a client's local database.

Fields
sha256

bytes

The SHA256 hash of the client state; that is, of the sorted list of all hashes present in the database.

ResponseType

The type of response sent to the client.

Enums
RESPONSE_TYPE_UNSPECIFIED Unknown.
DIFF Partial updates are applied to the client's existing local database.
RESET A full update resets the client's entire local database. This means that either the client had no state, was seriously out-of-date, or the client is believed to be corrupt.

RawHashes

The uncompressed threat entries in hash format. Hashes can be anywhere from 4 to 32 bytes in size. A large majority are 4 bytes, but some hashes are lengthened if they collide with the hash of a popular URI.

Used for sending ThreatEntryAdditions to clients that do not support compression, or when sending non-4-byte hashes to clients that do support compression.

Fields
prefix_size

int32

The number of bytes for each prefix encoded below. This field can be anywhere from 4 (shortest prefix) to 32 (full SHA256 hash). In practice this is almost always 4, except in exceptional circumstances.

raw_hashes

bytes

The hashes, in binary format, concatenated into one long string. Hashes are sorted in lexicographic order. For JSON API users, hashes are base64-encoded.

RawIndices

A set of raw indices to remove from a local list.

Fields
indices[]

int32

The indices to remove from a lexicographically-sorted local list.
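The following is an added example, not code from the Web Risk documentation or client libraries. It applies one ComputeThreatListDiffResponse carried as RawHashes and RawIndices to a local list and verifies Checksum.sha256 before accepting the result. It assumes removals are applied before additions and that the checksum covers the sorted hashes concatenated together; the function names and sample values are constructed for illustration.

```python
import hashlib

class ChecksumMismatch(Exception):
    """The diff did not produce the state the server expects; discard it."""

def split_raw_hashes(prefix_size, raw_hashes):
    """Split one RawHashes message into its prefix_size-byte entries."""
    if not 4 <= prefix_size <= 32:
        raise ValueError("prefix_size must be between 4 and 32")
    if len(raw_hashes) % prefix_size:
        raise ValueError("raw_hashes length is not a multiple of prefix_size")
    return [raw_hashes[i:i + prefix_size]
            for i in range(0, len(raw_hashes), prefix_size)]

def apply_diff(local, response_type, removal_indices, additions, expected_sha256):
    """Return the updated sorted list; raise without modifying `local` on error.

    local:           lexicographically sorted list of hash prefixes (bytes)
    response_type:   "DIFF" or "RESET"
    removal_indices: RawIndices.indices (positions in the sorted local list)
    additions:       iterable of (prefix_size, raw_hashes), one per RawHashes
    """
    if response_type == "RESET":
        kept = []                      # full snapshot replaces everything
    elif response_type == "DIFF":
        drop = set(removal_indices)
        if any(i < 0 or i >= len(local) for i in drop):
            raise ValueError("removal index outside the local list")
        # Assumption: removals are applied before additions.
        kept = [h for i, h in enumerate(local) if i not in drop]
    else:
        raise ValueError("unhandled response_type: %r" % (response_type,))
    added = [h for size, blob in additions for h in split_raw_hashes(size, blob)]
    candidate = sorted(kept + added)   # bytes compare lexicographically
    # Assumption: the checksum covers the sorted hashes concatenated together.
    if hashlib.sha256(b"".join(candidate)).digest() != expected_sha256:
        raise ChecksumMismatch("keep the old database and version token; retry later")
    return candidate

# Constructed sample data, not real threat list entries.
SAMPLE_LOCAL = [b"\x01\x02\x03\x04", b"aaaa", b"zzzz"]
SAMPLE_ADDITIONS = [(4, b"bbbbcccc"), (5, b"aaaab")]
```

Store new_version_token only after apply_diff returns; on ChecksumMismatch the old list and the old token stay in place.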

RiceDeltaEncoding

The Rice-Golomb encoded data. Used for sending compressed 4-byte hashes or compressed removal indices.

Fields
first_value

int64

The offset of the first entry in the encoded data, or, if only a single integer was encoded, that single integer's value. If the field is empty or missing, assume zero.

rice_parameter

int32

The Golomb-Rice parameter, which is a number between 2 and 28. This field is missing (that is, zero) if num_entries is zero.

entry_count

int32

The number of entries that are delta encoded in the encoded data. If only a single integer was encoded, this will be zero and the single value will be stored in first_value.

encoded_data

bytes

The encoded deltas that are encoded using the Golomb-Rice coder.
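The following decoder for a RiceDeltaEncoding message is an added example, not code from the Web Risk documentation or client libraries. This page does not state the bit layout, so the example assumes the convention used by Google's open-source Safe Browsing client: bits are read least-significant first within each byte, each delta is a unary quotient (ones ended by a zero) followed by rice_parameter remainder bits, and decoded uint32 values become 4-byte prefixes in little-endian order. Function names and the sample message are constructed.

```python
import struct

def rice_decode(first_value, rice_parameter, entry_count, encoded_data):
    """Decode a RiceDeltaEncoding message into ascending unsigned integers."""
    if not 0 <= first_value <= 0xFFFFFFFF or entry_count < 0:
        raise ValueError("first_value or entry_count out of range")
    if entry_count == 0:
        return [first_value]             # single integer, no deltas encoded
    if not 2 <= rice_parameter <= 28:
        raise ValueError("rice_parameter must be between 2 and 28")
    total_bits = len(encoded_data) * 8
    pos = 0

    def read_bit():
        nonlocal pos
        if pos >= total_bits:
            raise ValueError("encoded_data ends before entry_count deltas")
        bit = (encoded_data[pos >> 3] >> (pos & 7)) & 1   # assumed LSB first
        pos += 1
        return bit

    values = [first_value]
    for _ in range(entry_count):
        quotient = 0
        while read_bit():                # unary part: ones ended by a zero
            quotient += 1
        remainder = 0
        for i in range(rice_parameter):  # k bits, least significant first
            remainder |= read_bit() << i
        value = values[-1] + ((quotient << rice_parameter) | remainder)
        if value > 0xFFFFFFFF:
            raise ValueError("decoded value does not fit in uint32")
        values.append(value)
    return values

def to_hash_prefixes(values):
    """Turn decoded uint32 values into lexicographically sorted 4-byte prefixes."""
    # Assumed little-endian conversion; numeric order then differs from byte
    # order, so the prefixes are re-sorted before merging into the local list.
    return sorted(struct.pack("<I", v) for v in values)

# Constructed sample: first_value=5, k=2, deltas 3 and 12 decode to [5, 8, 20].
SAMPLE = dict(first_value=5, rice_parameter=2, entry_count=2,
              encoded_data=b"\x3e\x00")
```

For rice_indices the decoded integers are used directly as removal indices; only rice_hashes goes through to_hash_prefixes.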

SearchHashesRequest

Request to return full hashes matched by the provided hash prefixes.

Fields
hash_prefix

bytes

A hash prefix, consisting of the most significant 4-32 bytes of a SHA256 hash. For JSON requests, this field is base64-encoded. Note that if this parameter is provided by a URI, it must be encoded using the web safe base64 variant (RFC 4648).

threat_types[]

ThreatType

Required. The ThreatLists to search in. Multiple ThreatLists may be specified.

SearchHashesResponse

Fields
threats[]

ThreatHash

The full hashes that matched the requested prefixes. The hash will be populated in the key.

negative_expire_time

Timestamp

For requested entities that did not match the threat list, the time until which the response may be cached.

ThreatHash

Contains threat information on a matching hash.

Fields
threat_types[]

ThreatType

The ThreatList this threat belongs to. This must contain at least one entry.

hash

bytes

A 32 byte SHA256 hash. This field is in binary format. For JSON requests, hashes are base64-encoded.

expire_time

Timestamp

The cache lifetime for the returned match. Clients must not cache this response past this timestamp to avoid false positives.
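The lookup flow described for SearchHashes, with both cache lifetimes honored, as an added example that is not code from the Web Risk documentation or client libraries. The class, the search_hashes callable standing in for the RPC, and the sample expression are hypothetical; the input is assumed to be an already-canonicalized URI expression, and negative_expire_time is assumed to apply per queried prefix.

```python
import hashlib
from datetime import datetime, timedelta, timezone

class FullHashChecker:
    """Local prefix check first, then SearchHashes, with both cache lifetimes."""

    def __init__(self, local_prefixes, search_hashes):
        self.local = set(local_prefixes)
        self.sizes = sorted({len(p) for p in self.local})
        # Hypothetical stand-in for the SearchHashes RPC: search_hashes(prefix)
        # returns ([(hash, threat_types, expire_time)], negative_expire_time).
        self.search_hashes = search_hashes
        self.positive = {}   # full hash -> (threat_types, expire_time)
        self.negative = {}   # prefix -> negative_expire_time

    def check(self, expression, now):
        """Return the threat types for an already-canonicalized expression."""
        full = hashlib.sha256(expression.encode("utf-8")).digest()
        prefix = next((full[:n] for n in self.sizes if full[:n] in self.local), None)
        if prefix is None:
            return []                    # not in the local list: no RPC needed
        hit = self.positive.get(full)
        if hit and now < hit[1]:
            return list(hit[0])          # unexpired positive match
        neg = self.negative.get(prefix)
        if hit is None and neg and now < neg:
            return []                    # unexpired negative answer
        threats, neg_expire = self.search_hashes(prefix)
        # Drop everything cached for this prefix, then store the fresh answer.
        for h in [h for h in self.positive if h.startswith(prefix)]:
            del self.positive[h]
        for h, types, expire in threats:
            self.positive[h] = (types, expire)
        self.negative[prefix] = neg_expire
        hit = self.positive.get(full)
        return list(hit[0]) if hit and now < hit[1] else []

def demo():
    """Constructed run: one listed expression, one backend call, one cache hit."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    bad = hashlib.sha256(b"evil.example/").digest()
    calls = []
    def fake_rpc(prefix):
        calls.append(prefix)
        return [(bad, ["MALWARE"], t0 + timedelta(minutes=5))], t0 + timedelta(minutes=5)
    checker = FullHashChecker([bad[:4]], fake_rpc)
    first = checker.check("evil.example/", t0)
    second = checker.check("evil.example/", t0 + timedelta(minutes=1))
    return first, second, len(calls)
```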

SearchUrisRequest

Request to check URI entries against threatLists.

Fields
uri

string

Required. The URI to be checked for matches.

threat_types[]

ThreatType

Required. The ThreatLists to search in. Multiple ThreatLists may be specified.

SearchUrisResponse

Fields
threat

ThreatUri

The threat list matches. This might be empty if the URI is on no list.

ThreatUri

Contains threat information on a matching URI.

Fields
threat_types[]

ThreatType

The ThreatList this threat belongs to.

expire_time

Timestamp

The cache lifetime for the returned match. Clients must not cache this response past this timestamp to avoid false positives.

Submission

Wraps a URI that might be displaying malicious content.

Fields
uri

string

Required. The URI that is being reported for malicious content to be analyzed.

threat_types[]

ThreatType

Output only. ThreatTypes found to be associated with the submitted URI after reviewing it. This might be empty if the URI was not added to any list.

SubmitUriMetadata

Metadata for the Submit URI long-running operation.

Fields
state

State

The state of the operation.

create_time

Timestamp

Creation time of the operation.

update_time

Timestamp

Latest update time of the operation.

State

Enum that represents the state of the long-running operation.

Enums
STATE_UNSPECIFIED Default unspecified state.
RUNNING The operation is currently running.
SUCCEEDED The operation finished with a success status.
CANCELLED The operation was cancelled.
FAILED The operation finished with a failure status.
CLOSED The operation was closed with no action taken.

SubmitUriRequest

Request to send a potentially malicious URI to WebRisk.

Fields
parent

string

Required. The name of the project that is making the submission. This string is in the format "projects/{project_number}".

submission

Submission

Required. The submission that contains the URI to be scanned.

threat_info

ThreatInfo

Provides additional information about the submission.

threat_discovery

ThreatDiscovery

Provides additional information about how the submission was discovered.

ThreatDiscovery

Details about how the threat was discovered.

Fields
platform

Platform

Platform on which the threat was discovered.

region_codes[]

string

CLDR region codes of the countries/regions where the URI poses a threat, ordered from most impact to least impact. Example: "US" for United States.

Platform

Platform types.

Enums
PLATFORM_UNSPECIFIED Default.
ANDROID General Android platform.
IOS General iOS platform.
MACOS General macOS platform.
WINDOWS General Windows platform.

ThreatEntryAdditions

Contains the set of entries to add to a local database. May contain a combination of compressed and raw data in a single response.

Fields
raw_hashes[]

RawHashes

The raw SHA256-formatted entries. Repeated to allow returning sets of hashes with different prefix sizes.

rice_hashes

RiceDeltaEncoding

The encoded 4-byte prefixes of SHA256-formatted entries, using a Golomb-Rice encoding. The hashes are converted to uint32, sorted in ascending order, then delta encoded and stored as encoded_data.

ThreatEntryRemovals

Contains the set of entries to remove from a local database.

Fields
raw_indices

RawIndices

The raw removal indices for a local list.

rice_indices

RiceDeltaEncoding

The encoded local, lexicographically-sorted list indices, using a Golomb-Rice encoding. Used for sending compressed removal indices. The removal indices (uint32) are sorted in ascending order, then delta encoded and stored as encoded_data.

ThreatInfo

Context about the submission including the type of abuse found on the URI and supporting details.

Fields
abuse_type

AbuseType

The type of abuse.

threat_confidence

Confidence

Confidence that the URI is unsafe.

threat_justification

ThreatJustification

Context about why the URI is unsafe.

AbuseType

The abuse type found on the URI.

Enums
ABUSE_TYPE_UNSPECIFIED Default.
MALWARE The URI contains malware.
SOCIAL_ENGINEERING The URI contains social engineering.
UNWANTED_SOFTWARE The URI contains unwanted software.

Confidence

Confidence that a URI is unsafe.

Fields

Union field value.

value can be only one of the following:

score

float

A decimal representation of confidence in the range of 0 to 1 where 0 indicates no confidence and 1 indicates complete confidence.

level

ConfidenceLevel

Enum representation of confidence.

ConfidenceLevel

Enum representation of confidence.

Enums
CONFIDENCE_LEVEL_UNSPECIFIED Default.
LOW Less than 60% confidence that the URI is unsafe.
MEDIUM Between 60% and 80% confidence that the URI is unsafe.
HIGH Greater than 80% confidence that the URI is unsafe.

ThreatJustification

Context about why the URI is unsafe.

Fields
labels[]

JustificationLabel

Labels associated with this URI that explain how it was classified.

comments[]

string

Free-form context on why this URI is unsafe.

JustificationLabel

Labels that explain how the URI was classified.

Enums
JUSTIFICATION_LABEL_UNSPECIFIED Default.
MANUAL_VERIFICATION The submitter manually verified that the submission is unsafe.
USER_REPORT The submitter received the submission from an end user.
AUTOMATED_REPORT The submitter received the submission from an automated system.

ThreatType

The type of threat. This maps directly to the threat list a threat may belong to.

Enums
THREAT_TYPE_UNSPECIFIED No entries should match this threat type. This threat type is unused.
MALWARE Malware targeting any platform.
SOCIAL_ENGINEERING Social engineering targeting any platform.
UNWANTED_SOFTWARE Unwanted software targeting any platform.
SOCIAL_ENGINEERING_EXTENDED_COVERAGE A list of extended coverage social engineering URIs targeting any platform.