ContextQMD
Back to Wazuh

Flatbuffer schemas

docs/ref/modules/vulnerability-scanner/flatbuffers.md

4.14.42.6 KB
Original Source

Flatbuffer schemas

The Vulnerability Scanner uses FlatBuffers for two purposes:

  • InventorySync transport: InventorySync sessions are sent as FlatBuffers (Start/DataValue/DataContext/End).
  • CTI feed processing: CVE5 content is processed into local databases with FlatBuffer-aware parsers to reduce JSON overhead during scans.

InventorySync schema (SyncSchema)

The schema is defined in src/shared_modules/utils/flatbuffers/schemas/inventorySync.fbs and is shared across modules that participate in inventory synchronization.

Message sequence

InventorySync sessions follow this pattern:

Start -> StartAck -> DataValue/DataContext -> End -> EndAck

DataClean and ChecksumModule exist in the schema for other synchronization modes, but VD only consumes Start/DataValue/DataContext/End.

Enums

  • Mode: ModuleFull, ModuleDelta, ModuleCheck, MetadataDelta, MetadataCheck, GroupDelta, GroupCheck
  • Option: Sync, VDFirst, VDSync
  • Operation: Upsert, Delete
  • Status: Ok, Error, Offline, ChecksumMismatch

Core tables used by VD

Start

Carries session metadata and the initial OS/agent context used to seed ScanContext.

FieldDescription
moduleModule name sending the session.
modeSynchronization mode.
sizeTotal number of items in the session.
indexList of indices derived from DataValue items in the session.
optionVD mode: VDFirst or VDSync.
architecture, hostname, osname, osplatform, ostype, osversionAgent OS metadata (agent.host.os).
agentversion, agentname, agentidAgent metadata.
groupsAgent groups.
global_versionOptional global version used for inventory state updates.

DataValue

Represents inventory deltas and carries the inventory document as JSON.

FieldDescription
seqSequence number within the session.
sessionSession identifier (from StartAck).
operationUpsert or Delete.
idInventory document identifier (used by VD as item id / detection base).
indexInventory index name.
versionInventory document version.
dataJSON inventory document (host/package schema).

DataContext

Represents inventory context for deltas. It uses the same data JSON schema as DataValue but has no operation or version.

FieldDescription
seqSequence number within the session.
sessionSession identifier (from StartAck).
idInventory document identifier.
indexInventory index name.
dataJSON inventory document (host/package schema).

End

Marks the end of the session and triggers post-processing (including VD runs for VDFirst/VDSync).