Definitions Update assets_query

Author: cibot

alsdkdefs/apis/assets_query/assets_query.v1.yaml

@@ -216,15 +216,25 @@ info:
     on the security group with that key and assets within that security group. These classes are
     identified with `I` and `R` in the table below.
 
+    #### Using CSVs in filters
+    Some filters allow passing a comma-separated list (CSV) of limiting property values, indicating
+    that only remediations/exposures that contain **at least one** of the given values will be
+    returned. This is identified with `C` in the table below.
+
+    #### Using negation in filters
+    Some filters allow prefixing a value (or a comma-separated list (CSV)) with `!`, indicating
+    that only remediations/exposures that **do not** meet the filter criteria will be returned. This
+    is identified with `!` in the table below.
+
     #### The `any` limiting property value
     Some filters allow the limiting property value to be `any`, indicating that only
-    `remediation-items` that apply to the specific filter type will be returned. These are part of
+    remediations/exposures that apply to the specific filter type will be returned. These are part of
     the `any` class of filters. E.g. the filter `"s3-bucket:any"` yields only vulnerabilities on
     s3-buckets. This is identified with `A` in the table below.
 
     #### The `none` limiting property value
     Some filters allow the limiting property value to be `none`, indicating that only
-    `remediation-items` that do not apply to the specific filter type will be returned. These are
+    remediations/exposures that do not apply to the specific filter type will be returned. These are
     part of the `none` class of filters. E.g. the filter `"cve:none"` yields only exposures whose
     vulnerabilities `cve` field isn't set. This is identified with `N` in the table below.
 
@@ -234,48 +244,42 @@ info:
 
     | Type                | Limiting Property | Class<sup>1</sup> | Example | Notes |
     |---------------------|-------------------|-------------------|----------|------|
-    | `acl`               | `key`             | I       | `"acl:/aws/us-east-1/acl/acl-7ada4a1c"` | |
-    | `application`       | `type`            | A, R    | `"application:any"`, `"application:Apache"` | |
-    | `asset-group`       | `key`             | I       | `"asset-group:PCI Assets"` | |
-    | `cloud-trail`       | `key`             | I       | `"cloud-trail:/aws/us-west-2/cloud-trail/trail/Rackspace"` | |
-    | `cve`               | `key`             | A, N, R | `"cve:any"`, `"cve:none"`, `"cve:CVE-2013-1937"` | |
-    | `cwe`               | `key`             | A, N, R | `"cwe:any"`, `"cwe:none"`, `"cwe:CWE-121"` | |
-    | `db-instance`       | `key`             | I       | `"db-instance:/aws/us-east-1/db-instance/db-12345678"` | |
-    | `dns-zone`          | `key`             | A, I    | `"dns-zone:/a/dns-zone/key"` | |
-    | `deployment`        | `key`             | A, I    | `"deployment:/al/12345678/deployment/aws/00001111-2222-3333-4444-555566667777"` | |
-    | `host`              | `key`             | I       | `"host:/aws/us-east-1/host/i-1234567890abcdef0"` | |
-    | `image`             | `key`             | I, R    | `"image:/aws/us-east-1/ami/ami-12345678"` | |
-    | `instance-profile`  | `key`             | A, I    | `"instance-profile:/an/instance-profile/key"` | |
-    | `kms-key`           | `key`             | I       | `"kms-key:/aws/us-east-1/kms-key/1"` | |
-    | `load-balancer`     | `key`             | I, R    | `"load-balancer:/aws/us-east-1/load-balancer/s-12345678"` ||
-    | `redshift-cluster`  | `key`             | I       | `"redshift-cluster:/aws/us-east-1/redshift-cluster/rc-12345678"` | |
-    | `remediation`       | `remediation_id`  | R       | `"remediation:00001111-2222-3333-4444-555566667777"` | |
-    | `region`            | `key`             | I       | `"region:/aws/us-east-1"` | <sup>2</sup> |
-    | `role`              | `key`             | A, I    | `"role:/a/role/key"` | |
-    | `route`             | `key`             | I       | `"route:/aws/eu-west-2/route/rtb-0e738966"` | |
-    | `s3-bucket`         | `key`             | A, I    | `"s3-bucket:any"`, `"s3-bucket:/an/s3-bucket/key"` | |
-    | `sg`                | `key`             | I, R    | `"sg:/aws/us-east-1/sg/s-12345678"` ||
-    | `user`              | `key`             | A, I    | `"user:any"`, `"user:/aws/123456789012/user/jdoe"` | |
-    | `volume`            | `key`             | I       | `"volume:/aws/us-east-1/volume/vol-12345678"` | |
-    | `vulnerability`     | `vulnerability_id`| R       | `"vulnerability:09876543210fedcba0987654321fedcba"` | |
-    | `vulnerability:id`  | `vulnerability_id`| R       | `"vulnerability:id:09876543210fedcba0987654321fedcba"` | |
-    | `vulnerability:key` | `key`             | R       | `"vulnerability:/aws/us-east-1/host/i-1234567890abcdef0/vulnerability/09876543210fedcba0987654321fedcba/tcp/22"` | <sup>3</sup> |
-    | `vpc`               | `key`             | R       | `"vpc:/aws/us-east-1/vpc/vpc-12345678"` | |
+    | `acl`               | `key`             | I             | `"acl:/aws/us-east-1/acl/acl-7ada4a1c"` | |
+    | `application`       | `type`            | A, R          | `"application:any"`, `"application:Apache"` | |
+    | `asset_type`        | `type`            | I             | `"asset_type:host"` | Applies to the `"type"` of the vulnerable asset. Only one `asset_type` filter of a single asset type is supported in a request. This filter must be present in the exposures query request to be included in the response. |
+    | `cloud-trail`       | `key`             | I             | `"cloud-trail:/aws/us-west-2/cloud-trail/trail/Rackspace"` | |
+    | `category`          | `categories`      | !, C, R       | `"category:security"`| Applies to the `"categories"` property of the related vulnerability. |
+    | `cve`               | `cve`             | !, A, C, N, R | `"cve:CVE-2013-1937"` | Applies to the `"cve"` property of the related vulnerability.|
+    | `cwe`               | `cwe`             | !, A, C, N, R | `"cwe:CWE-121"` | Applies to the `"cwe"` property of the related vulnerability. |
+    | `db-instance`       | `key`             | I             | `"db-instance:/aws/us-east-1/db-instance/db-12345678"` | |
+    | `deployment_id`     | `deployment_id`   | I             | `"deployment_id:825283AC-8244-412C-8674-4DBF931E6C16"` | Only one deployment_id filter may be passed per request. |
+    | `dns-zone`          | `key`             | A, I          | `"dns-zone:/a/dns-zone/key"` | |
+    | `deployment`        | `key`             | A, I          | `"deployment:/al/12345678/deployment/aws/00001111-2222-3333-4444-555566667777"` | |
+    | `host`              | `key`             | I             | `"host:/aws/us-east-1/host/i-1234567890abcdef0"` | |
+    | `image`             | `key`             | I, R          | `"image:/aws/us-east-1/ami/ami-12345678"` | |
+    | `instance-profile`  | `key`             | A, I          | `"instance-profile:/an/instance-profile/key"` | |
+    | `kms-key`           | `key`             | I             | `"kms-key:/aws/us-east-1/kms-key/1"` | |
+    | `load-balancer`     | `key`             | I, R          | `"load-balancer:/aws/us-east-1/load-balancer/s-12345678"` ||
+    | `redshift-cluster`  | `key`             | I             | `"redshift-cluster:/aws/us-east-1/redshift-cluster/rc-12345678"` | |
+    | `remediation`       | `remediation_id`  | !, C, R       | `"remediation:00001111-2222-3333-4444-555566667777"` | |
+    | `region`            | `key`             | I             | `"region:/aws/us-east-1"` | <sup>2</sup> |
+    | `role`              | `key`             | A, I          | `"role:/a/role/key"` | |
+    | `route`             | `key`             | I             | `"route:/aws/eu-west-2/route/rtb-0e738966"` | |
+    | `s3-bucket`         | `key`             | A, I          | `"s3-bucket:any"`, `"s3-bucket:/an/s3-bucket/key"` | |
+    | `severity`          | `severity`        | !, C, R       | `"severity:high"` | Applies to the `"severity"` property of the related vulnerability. |
+    | `sg`                | `key`             | I, R          | `"sg:/aws/us-east-1/sg/s-12345678"` | |
+    | `user`              | `key`             | A, I          | `"user:any"`, `"user:/aws/123456789012/user/jdoe"` | |
+    | `volume`            | `key`             | I             | `"volume:/aws/us-east-1/volume/vol-12345678"` | |
+    | `vulnerability`     | `vulnerability_id`| !, C, R       | `"vulnerability:09876543210fedcba0987654321fedcba"` | |
+    | `vulnerability:id`  | `vulnerability_id`| !, C, R       | `"vulnerability:id:09876543210fedcba0987654321fedcba"` | |
+    | `vulnerability:key` | `key`             | !, C, R       | `"vulnerability:key:/aws/us-east-1/host/i-1234567890abcdef0/vulnerability/09876543210fedcba0987654321fedcba/tcp/22"` | <sup>3</sup> |
+    | `vpc`               | `key`             | R             | `"vpc:/aws/us-east-1/vpc/vpc-12345678"` | |
 
     Notes:
-    1. A = `any` allowed, I = identity, R = relational, N = none.
+    1. ! = negation allowed, A = `any` allowed, C = CSV allowed, I = identity, R = relational, N = `none` allowed.
     2. The region filter will also be relational in the near future.
     3. This selects only assets that have the vulnerability specified by the vulnerability key.
        This will only ever return a single remediation on a single asset.
-
-    #### Additional remediations query filters
-
-    | Type                | Example | Notes |
-    |---------------------|---------|-------|
-    |`deployment_id`      | `deployment_id:825283AC-8244-412C-8674-4DBF931E6C16` | |
-    |`category`           | `category:security`, `category:configuration,security`, `category:!security` | |
-    |`severity`           | `severity:high` | |
-    |`asset_type`         | `asset_type:host` | Only one asset_type filter of a single asset type is supported in a request. This filter must be present in the exposures query request to be included in the response. |
 paths:
   /assets_query/v1/{account_id}/assets:
     parameters:

alsdkdefs/apis/assets_query/remediations.v1.yaml

@@ -82,15 +82,25 @@ info:
     on the security group with that key and assets within that security group. These classes are
     identified with `I` and `R` in the table below.
 
+    #### Using CSVs in filters
+    Some filters allow passing a comma-separated list (CSV) of limiting property values, indicating
+    that only remediations/exposures that contain **at least one** of the given values will be
+    returned. This is identified with `C` in the table below.
+
+    #### Using negation in filters
+    Some filters allow prefixing a value (or a comma-separated list (CSV)) with `!`, indicating
+    that only remediations/exposures that **do not** meet the filter criteria will be returned. This
+    is identified with `!` in the table below.
+
     #### The `any` limiting property value
     Some filters allow the limiting property value to be `any`, indicating that only
-    `remediation-items` that apply to the specific filter type will be returned. These are part of
+    remediations/exposures that apply to the specific filter type will be returned. These are part of
     the `any` class of filters. E.g. the filter `"s3-bucket:any"` yields only vulnerabilities on
     s3-buckets. This is identified with `A` in the table below.
 
     #### The `none` limiting property value
     Some filters allow the limiting property value to be `none`, indicating that only
-    `remediation-items` that do not apply to the specific filter type will be returned. These are
+    remediations/exposures that do not apply to the specific filter type will be returned. These are
     part of the `none` class of filters. E.g. the filter `"cve:none"` yields only exposures whose
     vulnerabilities `cve` field isn't set. This is identified with `N` in the table below.
 
@@ -100,47 +110,42 @@ info:
 
     | Type                | Limiting Property | Class<sup>1</sup> | Example | Notes |
     |---------------------|-------------------|-------------------|----------|------|
-    | `acl`               | `key`             | I       | `"acl:/aws/us-east-1/acl/acl-7ada4a1c"` | |
-    | `application`       | `type`            | A, R    | `"application:any"`, `"application:Apache"` | |
-    | `cloud-trail`       | `key`             | I       | `"cloud-trail:/aws/us-west-2/cloud-trail/trail/Rackspace"` | |
-    | `cve`               | `key`             | A, N, R | `"cve:any"`, `"cve:none"`, `"cve:CVE-2013-1937"` | |
-    | `cwe`               | `key`             | A, N, R | `"cwe:any"`, `"cwe:none"`, `"cwe:CWE-121"` | |
-    | `db-instance`       | `key`             | I       | `"db-instance:/aws/us-east-1/db-instance/db-12345678"` | |
-    | `dns-zone`          | `key`             | A, I    | `"dns-zone:/a/dns-zone/key"` | |
-    | `deployment`        | `key`             | A, I    | `"deployment:/al/12345678/deployment/aws/00001111-2222-3333-4444-555566667777"` | |
-    | `host`              | `key`             | I       | `"host:/aws/us-east-1/host/i-1234567890abcdef0"` | |
-    | `image`             | `key`             | I, R    | `"image:/aws/us-east-1/ami/ami-12345678"` | |
-    | `instance-profile`  | `key`             | A, I    | `"instance-profile:/an/instance-profile/key"` | |
-    | `kms-key`           | `key`             | I       | `"kms-key:/aws/us-east-1/kms-key/1"` | |
-    | `load-balancer`     | `key`             | I, R    | `"load-balancer:/aws/us-east-1/load-balancer/s-12345678"` ||
-    | `redshift-cluster`  | `key`             | I       | `"redshift-cluster:/aws/us-east-1/redshift-cluster/rc-12345678"` | |
-    | `remediation`       | `remediation_id`  | R       | `"remediation:00001111-2222-3333-4444-555566667777"` | |
-    | `region`            | `key`             | I       | `"region:/aws/us-east-1"` | <sup>2</sup> |
-    | `role`              | `key`             | A, I    | `"role:/a/role/key"` | |
-    | `route`             | `key`             | I       | `"route:/aws/eu-west-2/route/rtb-0e738966"` | |
-    | `s3-bucket`         | `key`             | A, I    | `"s3-bucket:any"`, `"s3-bucket:/an/s3-bucket/key"` | |
-    | `sg`                | `key`             | I, R    | `"sg:/aws/us-east-1/sg/s-12345678"` ||
-    | `user`              | `key`             | A, I    | `"user:any"`, `"user:/aws/123456789012/user/jdoe"` | |
-    | `volume`            | `key`             | I       | `"volume:/aws/us-east-1/volume/vol-12345678"` | |
-    | `vulnerability`     | `vulnerability_id`| R       | `"vulnerability:09876543210fedcba0987654321fedcba"` | |
-    | `vulnerability:id`  | `vulnerability_id`| R       | `"vulnerability:id:09876543210fedcba0987654321fedcba"` | |
-    | `vulnerability:key` | `key`             | R       | `"vulnerability:/aws/us-east-1/host/i-1234567890abcdef0/vulnerability/09876543210fedcba0987654321fedcba/tcp/22"` | <sup>3</sup> |
-    | `vpc`               | `key`             | R       | `"vpc:/aws/us-east-1/vpc/vpc-12345678"` | |
+    | `acl`               | `key`             | I             | `"acl:/aws/us-east-1/acl/acl-7ada4a1c"` | |
+    | `application`       | `type`            | A, R          | `"application:any"`, `"application:Apache"` | |
+    | `asset_type`        | `type`            | I             | `"asset_type:host"` | Applies to the `"type"` of the vulnerable asset. Only one `asset_type` filter of a single asset type is supported in a request. This filter must be present in the exposures query request to be included in the response. |
+    | `cloud-trail`       | `key`             | I             | `"cloud-trail:/aws/us-west-2/cloud-trail/trail/Rackspace"` | |
+    | `category`          | `categories`      | !, C, R       | `"category:security"`| Applies to the `"categories"` property of the related vulnerability. |
+    | `cve`               | `cve`             | !, A, C, N, R | `"cve:CVE-2013-1937"` | Applies to the `"cve"` property of the related vulnerability.|
+    | `cwe`               | `cwe`             | !, A, C, N, R | `"cwe:CWE-121"` | Applies to the `"cwe"` property of the related vulnerability. |
+    | `db-instance`       | `key`             | I             | `"db-instance:/aws/us-east-1/db-instance/db-12345678"` | |
+    | `deployment_id`     | `deployment_id`   | I             | `"deployment_id:825283AC-8244-412C-8674-4DBF931E6C16"` | Only one deployment_id filter may be passed per request. |
+    | `dns-zone`          | `key`             | A, I          | `"dns-zone:/a/dns-zone/key"` | |
+    | `deployment`        | `key`             | A, I          | `"deployment:/al/12345678/deployment/aws/00001111-2222-3333-4444-555566667777"` | |
+    | `host`              | `key`             | I             | `"host:/aws/us-east-1/host/i-1234567890abcdef0"` | |
+    | `image`             | `key`             | I, R          | `"image:/aws/us-east-1/ami/ami-12345678"` | |
+    | `instance-profile`  | `key`             | A, I          | `"instance-profile:/an/instance-profile/key"` | |
+    | `kms-key`           | `key`             | I             | `"kms-key:/aws/us-east-1/kms-key/1"` | |
+    | `load-balancer`     | `key`             | I, R          | `"load-balancer:/aws/us-east-1/load-balancer/s-12345678"` ||
+    | `redshift-cluster`  | `key`             | I             | `"redshift-cluster:/aws/us-east-1/redshift-cluster/rc-12345678"` | |
+    | `remediation`       | `remediation_id`  | !, C, R       | `"remediation:00001111-2222-3333-4444-555566667777"` | |
+    | `region`            | `key`             | I             | `"region:/aws/us-east-1"` | <sup>2</sup> |
+    | `role`              | `key`             | A, I          | `"role:/a/role/key"` | |
+    | `route`             | `key`             | I             | `"route:/aws/eu-west-2/route/rtb-0e738966"` | |
+    | `s3-bucket`         | `key`             | A, I          | `"s3-bucket:any"`, `"s3-bucket:/an/s3-bucket/key"` | |
+    | `severity`          | `severity`        | !, C, R       | `"severity:high"` | Applies to the `"severity"` property of the related vulnerability. |
+    | `sg`                | `key`             | I, R          | `"sg:/aws/us-east-1/sg/s-12345678"` | |
+    | `user`              | `key`             | A, I          | `"user:any"`, `"user:/aws/123456789012/user/jdoe"` | |
+    | `volume`            | `key`             | I             | `"volume:/aws/us-east-1/volume/vol-12345678"` | |
+    | `vulnerability`     | `vulnerability_id`| !, C, R       | `"vulnerability:09876543210fedcba0987654321fedcba"` | |
+    | `vulnerability:id`  | `vulnerability_id`| !, C, R       | `"vulnerability:id:09876543210fedcba0987654321fedcba"` | |
+    | `vulnerability:key` | `key`             | !, C, R       | `"vulnerability:key:/aws/us-east-1/host/i-1234567890abcdef0/vulnerability/09876543210fedcba0987654321fedcba/tcp/22"` | <sup>3</sup> |
+    | `vpc`               | `key`             | R             | `"vpc:/aws/us-east-1/vpc/vpc-12345678"` | |
 
     Notes:
-    1. A = `any` allowed, I = identity, R = relational, N = none.
+    1. ! = negation allowed, A = `any` allowed, C = CSV allowed, I = identity, R = relational, N = `none` allowed.
     2. The region filter will also be relational in the near future.
     3. This selects only assets that have the vulnerability specified by the vulnerability key.
        This will only ever return a single remediation on a single asset.
-
-    #### Additional remediations query filters
-
-    | Type                | Example | Notes |
-    |---------------------|---------|-------|
-    |`deployment_id`      | `deployment_id:825283AC-8244-412C-8674-4DBF931E6C16` | |
-    |`category`           | `category:security`, `category:configuration,security`, `category:!security` | |
-    |`severity`           | `severity:high` | |
-    |`asset_type`         | `asset_type:host` | Only one asset_type filter of a single asset type is supported in a request. This filter must be present in the exposures query request to be included in the response. |
 paths:
 ############################## COLLECTION HEALTH ##############################