Blame - docs/dyn/containeranalysis_v1beta1.projects.notes.html - platform/external/python/google-api-python-client

2020-05-01 07:42:23 -0700

[diff] [blame]

83

<code><a href="#batchCreate">batchCreate(parent, body=None, x__xgafv=None)</a></code></p>

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

84

<p class="firstline">Creates new notes in batch.</p>

85

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

86

<code><a href="#create">create(parent, body=None, noteId=None, x__xgafv=None)</a></code></p>

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

87

<p class="firstline">Creates a new note.</p>

88

89

<code><a href="#delete">delete(name, x__xgafv=None)</a></code></p>

90

<p class="firstline">Deletes the specified note.</p>

91

92

<code><a href="#get">get(name, x__xgafv=None)</a></code></p>

93

<p class="firstline">Gets the specified note.</p>

94

95

<code><a href="#getIamPolicy">getIamPolicy(resource, body=None, x__xgafv=None)</a></code></p>

96

<p class="firstline">Gets the access control policy for a note or an occurrence resource.</p>

97

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

98

<code><a href="#list">list(parent, pageToken=None, pageSize=None, filter=None, x__xgafv=None)</a></code></p>

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

99

<p class="firstline">Lists notes for the specified project.</p>

100

101

<code><a href="#list_next">list_next(previous_request, previous_response)</a></code></p>

102

<p class="firstline">Retrieves the next page of results.</p>

103

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

104

<code><a href="#patch">patch(name, body=None, updateMask=None, x__xgafv=None)</a></code></p>

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

105

<p class="firstline">Updates the specified note.</p>

106

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

107

<code><a href="#setIamPolicy">setIamPolicy(resource, body=None, x__xgafv=None)</a></code></p>

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

108

<p class="firstline">Sets the access control policy on the specified note or occurrence.</p>

109

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

110

<code><a href="#testIamPermissions">testIamPermissions(resource, body=None, x__xgafv=None)</a></code></p>

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

111

<p class="firstline">Returns the permissions that a caller has on the specified note or</p>

112

<h3>Method Details</h3>

113

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

114

<code class="details" id="batchCreate">batchCreate(parent, body=None, x__xgafv=None)</code>

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

115

<pre>Creates new notes in batch.

116

117

Args:

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

118

parent: string, Required. The name of the project in the form of `projects/[PROJECT_ID]`, under which

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

119

the notes are to be created. (required)

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

120

body: object, The request body.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

121

The object takes the form of:

122

123

{ # Request to create notes in batch.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

124

"notes": { # Required. The notes to create. Max allowed length is 1000.

125

"a_key": { # A type of analysis that can be done for a resource.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

126

"attestationAuthority": { # Note kind that represents a logical attestation "role" or "authority". For # A note describing an attestation role.

127

# example, an organization might have one `Authority` for "QA" and one for

128

# "build". This note is intended to act strictly as a grouping mechanism for

129

# the attached occurrences (Attestations). This grouping mechanism also

130

# provides a security boundary, since IAM ACLs gate the ability for a principle

131

# to attach an occurrence to a given note. It also provides a single point of

132

# lookup to find all attached attestation occurrences, even if they don't all

133

# live in the same project.

134

"hint": { # This submessage provides human-readable hints about the purpose of the # Hint hints at the purpose of the attestation authority.

135

# authority. Because the name of a note acts as its resource reference, it is

136

# important to disambiguate the canonical name of the Note (which might be a

137

# UUID for security purposes) from "readable" names more suitable for debug

138

# output. Note that these hints should not be used to look up authorities in

139

# security sensitive contexts, such as when looking up attestations to

140

# verify.

141

"humanReadableName": "A String", # Required. The human readable name of this attestation authority, for

# example "qa".

},

},

"name": "A String", # Output only. The name of the note in the form of

146

# `projects/[PROVIDER_ID]/notes/[NOTE_ID]`.

147

"vulnerability": { # Vulnerability provides metadata about a security vulnerability in a Note. # A note describing a package vulnerability.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame^]

148

"cvssV3": { # Common Vulnerability Scoring System version 3. # The full description of the CVSSv3.

149

# For details, see https://www.first.org/cvss/specification-document

150

"baseScore": 3.14, # The base score is a function of the base metric scores.

151

"scope": "A String",

152

"integrityImpact": "A String",

153

"exploitabilityScore": 3.14,

154

"impactScore": 3.14,

155

"attackComplexity": "A String",

156

"availabilityImpact": "A String",

157

"privilegesRequired": "A String",

158

"userInteraction": "A String",

159

"attackVector": "A String", # Base Metrics

160

# Represents the intrinsic characteristics of a vulnerability that are

161

# constant over time and across user environments.

162

"confidentialityImpact": "A String",

163

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

164

"sourceUpdateTime": "A String", # The time this information was last changed at the source. This is an

165

# upstream timestamp from the underlying information source - e.g. Ubuntu

166

# security tracker.

167

"windowsDetails": [ # Windows details get their own format because the information format and

168

# model don't match a normal detail. Specifically Windows updates are done as

169

# patches, thus Windows vulnerabilities really are a missing package, rather

170

# than a package being at an incorrect version.

171

{

172

"name": "A String", # Required. The name of the vulnerability.

173

"cpeUri": "A String", # Required. The CPE URI in

174

# [cpe format](https://cpe.mitre.org/specification/) in which the

175

# vulnerability manifests. Examples include distro or storage location for

176

# vulnerable jar.

177

"description": "A String", # The description of the vulnerability.

178

"fixingKbs": [ # Required. The names of the KBs which have hotfixes to mitigate this

179

# vulnerability. Note that there may be multiple hotfixes (and thus

180

# multiple KBs) that mitigate a given vulnerability. Currently any listed

181

# kb's presence is considered a fix.

182

{

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame^]

183

"name": "A String", # The KB name (generally of the form KB[0-9]+ i.e. KB123456).

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

184

"url": "A String", # A link to the KB in the Windows update catalog -

185

# https://www.catalog.update.microsoft.com/

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

},

],

},

],

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

190

"details": [ # All information about the package to specifically identify this

191

# vulnerability. One entry per (version range and cpe_uri) the package

192

# vulnerability has manifested in.

193

{ # Identifies all appearances of this vulnerability in the package for a

194

# specific distro/location. For example: glibc in

195

# cpe:/o:debian:debian_linux:8 for versions 2.1 - 2.2

196

"isObsolete": True or False, # Whether this detail is obsolete. Occurrences are expected not to point to

197

# obsolete details.

198

"sourceUpdateTime": "A String", # The time this information was last changed at the source. This is an

199

# upstream timestamp from the underlying information source - e.g. Ubuntu

200

# security tracker.

201

"packageType": "A String", # The type of package; whether native or non native(ruby gems, node.js

202

# packages etc).

203

"fixedLocation": { # The location of the vulnerability. # The fix for this specific package version.

204

"package": "A String", # Required. The package being described.

205

"version": { # Version contains structured information about the version of a package. # Required. The version of the package being described.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame^]

206

"revision": "A String", # The iteration of the package build from the above version.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

207

"name": "A String", # Required only when version kind is NORMAL. The main part of the version

208

# name.

209

"kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal

210

# versions.

211

"epoch": 42, # Used to correct mistakes in the version numbering scheme.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

212

},

213

"cpeUri": "A String", # Required. The CPE URI in [cpe format](https://cpe.mitre.org/specification/)

214

# format. Examples include distro or storage location for vulnerable jar.

215

},

216

"cpeUri": "A String", # Required. The CPE URI in

217

# [cpe format](https://cpe.mitre.org/specification/) in which the

218

# vulnerability manifests. Examples include distro or storage location for

219

# vulnerable jar.

220

"description": "A String", # A vendor-specific description of this note.

221

"severityName": "A String", # The severity (eg: distro assigned severity) for this vulnerability.

222

"minAffectedVersion": { # Version contains structured information about the version of a package. # The min version of the package in which the vulnerability exists.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame^]

223

"revision": "A String", # The iteration of the package build from the above version.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

224

"name": "A String", # Required only when version kind is NORMAL. The main part of the version

225

# name.

226

"kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal

227

# versions.

228

"epoch": 42, # Used to correct mistakes in the version numbering scheme.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

229

},

230

"maxAffectedVersion": { # Version contains structured information about the version of a package. # The max version of the package in which the vulnerability exists.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame^]

231

"revision": "A String", # The iteration of the package build from the above version.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

232

"name": "A String", # Required only when version kind is NORMAL. The main part of the version

233

# name.

234

"kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal

235

# versions.

236

"epoch": 42, # Used to correct mistakes in the version numbering scheme.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

237

},

238

"package": "A String", # Required. The name of the package where the vulnerability was found.

239

},

240

],

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame^]

241

"severity": "A String", # Note provider assigned impact of the vulnerability.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

242

"cvssScore": 3.14, # The CVSS score for this vulnerability.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

243

},

244

"relatedNoteNames": [ # Other notes related to this note.

245

"A String",

246

],

247

"build": { # Note holding the version of the provider's builder and the signature of the # A note describing build provenance for a verifiable build.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

248

# provenance message in the build details occurrence.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

249

"signature": { # Message encapsulating the signature of the verified build. # Signature of the build in occurrences pointing to this build note

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

250

# containing build details.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

251

"keyType": "A String", # The type of the key, either stored in `public_key` or referenced in

252

# `key_id`.

253

"signature": "A String", # Required. Signature of the related `BuildProvenance`. In JSON, this is

254

# base-64 encoded.

255

"publicKey": "A String", # Public key of the builder which can be used to verify that the related

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

256

# findings are valid and unchanged. If `key_type` is empty, this defaults

257

# to PEM encoded public keys.

258

#

259

# This field may be empty if `key_id` references an external key.

260

#

261

# For Cloud Build based signatures, this is a PEM encoded public

262

# key. To verify the Cloud Build signature, place the contents of

263

# this field into a file (public.pem). The signature field is base64-decoded

264

# into its binary representation in signature.bin, and the provenance bytes

265

# from `BuildDetails` are base64-decoded into a binary representation in

266

# signed.bin. OpenSSL can then verify the signature:

267

# `openssl sha256 -verify public.pem -signature signature.bin signed.bin`

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

268

"keyId": "A String", # An ID for the key used to sign. This could be either an ID for the key

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

269

# stored in `public_key` (such as the ID or fingerprint for a PGP key, or the

270

# CN for a cert), or a reference to an external key (such as a reference to a

271

# key in Cloud Key Management Service).

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

272

},

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame^]

273

"builderVersion": "A String", # Required. Immutable. Version of the builder which produced this build.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

274

},

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame^]

275

"package": { # This represents a particular package that is distributed over various # A note describing a package hosted by various package managers.

276

# channels. E.g., glibc (aka libc6) is distributed by many, at various

277

# versions.

278

"name": "A String", # Required. Immutable. The name of the package.

279

"distribution": [ # The various channels by which a package is distributed.

280

{ # This represents a particular channel of distribution for a given package.

281

# E.g., Debian's jessie-backports dpkg mirror.

282

"maintainer": "A String", # A freeform string denoting the maintainer of this package.

283

"latestVersion": { # Version contains structured information about the version of a package. # The latest available version of this package in this distribution channel.

284

"revision": "A String", # The iteration of the package build from the above version.

285

"name": "A String", # Required only when version kind is NORMAL. The main part of the version

286

# name.

287

"kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal

288

# versions.

289

"epoch": 42, # Used to correct mistakes in the version numbering scheme.

290

},

291

"description": "A String", # The distribution channel-specific description of this package.

292

"cpeUri": "A String", # Required. The cpe_uri in [CPE format](https://cpe.mitre.org/specification/)

293

# denoting the package manager version distributing a package.

294

"url": "A String", # The distribution channel-specific homepage for this package.

295

"architecture": "A String", # The CPU architecture for which packages in this distribution channel were

# built.

},

],

},

"createTime": "A String", # Output only. The time this note was created. This field can be used as a

301

# filter in list requests.

302

"discovery": { # A note that indicates a type of analysis a provider would perform. This note # A note describing the initial analysis of a resource.

303

# exists in a provider's project. A `Discovery` occurrence is created in a

304

# consumer's project at the start of analysis.

305

"analysisKind": "A String", # Required. Immutable. The kind of analysis that is handled by this

306

# discovery.

307

},

308

"updateTime": "A String", # Output only. The time this note was last updated. This field can be used as

309

# a filter in list requests.

310

"intoto": { # This contains the fields corresponding to the definition of a software supply # A note describing an in-toto link.

311

# chain step in an in-toto layout. This information goes into a Grafeas note.

312

"expectedProducts": [

313

{ # Defines an object to declare an in-toto artifact rule

"artifactRule": [

"A String",

],

},

],

"stepName": "A String", # This field identifies the name of the step in the supply chain.

320

"signingKeys": [ # This field contains the public keys that can be used to verify the

321

# signatures on the step metadata.

322

{ # This defines the format used to record keys used in the software supply

323

# chain. An in-toto link is attested using one or more keys defined in the

324

# in-toto layout. An example of this is:

325

# {

326

# "key_id": "776a00e29f3559e0141b3b096f696abc6cfb0c657ab40f441132b345b0...",

327

# "key_type": "rsa",

328

# "public_key_value": "-----BEGIN PUBLIC KEY-----\nMIIBojANBgkqhkiG9w0B...",

329

# "key_scheme": "rsassa-pss-sha256"

330

# }

331

# The format for in-toto's key definition can be found in section 4.2 of the

332

# in-toto specification.

333

"keyId": "A String", # key_id is an identifier for the signing key.

334

"publicKeyValue": "A String", # This field contains the actual public key.

335

"keyType": "A String", # This field identifies the specific signing method. Eg: "rsa", "ed25519",

336

# and "ecdsa".

337

"keyScheme": "A String", # This field contains the corresponding signature scheme.

338

# Eg: "rsassa-pss-sha256".

339

},

340

],

341

"threshold": "A String", # This field contains a value that indicates the minimum number of keys that

342

# need to be used to sign the step's in-toto link.

343

"expectedMaterials": [ # The following fields contain in-toto artifact rules identifying the

344

# artifacts that enter this supply chain step, and exit the supply chain

345

# step, i.e. materials and products of the step.

346

{ # Defines an object to declare an in-toto artifact rule

"artifactRule": [

"A String",

],

},

],

"expectedCommand": [ # This field contains the expected command used to perform the step.

"A String",

],

},

"relatedUrl": [ # URLs associated with this note.

357

{ # Metadata for any related URL information.

358

"url": "A String", # Specific URL associated with the resource.

359

"label": "A String", # Label to describe usage of the URL.

360

},

361

],

362

"expirationTime": "A String", # Time of expiration for this note. Empty if note does not expire.

363

"baseImage": { # Basis describes the base image portion (Note) of the DockerImage # A note describing a base image.

364

# relationship. Linked occurrences are derived from this or an

365

# equivalent image via:

366

# FROM <Basis.resource_url>

367

# Or an equivalent reference, e.g. a tag of the resource_url.

368

"fingerprint": { # A set of properties that uniquely identify a given Docker image. # Required. Immutable. The fingerprint of the base image.

369

"v2Blob": [ # Required. The ordered list of v2 blobs that represent a given image.

370

"A String",

371

],

372

"v1Name": "A String", # Required. The layer ID of the final layer in the Docker image's v1

373

# representation.

374

"v2Name": "A String", # Output only. The name of the image's v2 blobs computed via:

375

# [bottom] := v2_blobbottom := sha256(v2_blob[N] + " " + v2_name[N+1])

376

# Only the name of the final blob is kept.

377

},

378

"resourceUrl": "A String", # Required. Immutable. The resource_url for the resource representing the

379

# basis of associated occurrence images.

380

},

381

"kind": "A String", # Output only. The type of analysis. This field can be used as a filter in

382

# list requests.

383

"longDescription": "A String", # A detailed description of this note.

384

"deployable": { # An artifact that can be deployed in some runtime. # A note describing something that can be deployed.

385

"resourceUri": [ # Required. Resource URI for the artifact being deployed.

"A String",

],

},

"shortDescription": "A String", # A one sentence description of this note.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

},

},

}

x__xgafv: string, V1 error format.

Allowed values

1 - v1 error format

2 - v2 error format

Returns:

An object of the form:

401

402

{ # Response for creating notes in batch.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

403

"notes": [ # The notes that were created.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

404

{ # A type of analysis that can be done for a resource.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

405

"attestationAuthority": { # Note kind that represents a logical attestation "role" or "authority". For # A note describing an attestation role.

406

# example, an organization might have one `Authority` for "QA" and one for

407

# "build". This note is intended to act strictly as a grouping mechanism for

408

# the attached occurrences (Attestations). This grouping mechanism also

409

# provides a security boundary, since IAM ACLs gate the ability for a principle

410

# to attach an occurrence to a given note. It also provides a single point of

411

# lookup to find all attached attestation occurrences, even if they don't all

412

# live in the same project.

413

"hint": { # This submessage provides human-readable hints about the purpose of the # Hint hints at the purpose of the attestation authority.

414

# authority. Because the name of a note acts as its resource reference, it is

415

# important to disambiguate the canonical name of the Note (which might be a

416

# UUID for security purposes) from "readable" names more suitable for debug

417

# output. Note that these hints should not be used to look up authorities in

418

# security sensitive contexts, such as when looking up attestations to

419

# verify.

420

"humanReadableName": "A String", # Required. The human readable name of this attestation authority, for

# example "qa".

},

},

"name": "A String", # Output only. The name of the note in the form of

425

# `projects/[PROVIDER_ID]/notes/[NOTE_ID]`.

426

"vulnerability": { # Vulnerability provides metadata about a security vulnerability in a Note. # A note describing a package vulnerability.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame^]

427

"cvssV3": { # Common Vulnerability Scoring System version 3. # The full description of the CVSSv3.

428

# For details, see https://www.first.org/cvss/specification-document

429

"baseScore": 3.14, # The base score is a function of the base metric scores.

430

"scope": "A String",

431

"integrityImpact": "A String",

432

"exploitabilityScore": 3.14,

433

"impactScore": 3.14,

434

"attackComplexity": "A String",

435

"availabilityImpact": "A String",

436

"privilegesRequired": "A String",

437

"userInteraction": "A String",

438

"attackVector": "A String", # Base Metrics

439

# Represents the intrinsic characteristics of a vulnerability that are

440

# constant over time and across user environments.

441

"confidentialityImpact": "A String",

442

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

443

"sourceUpdateTime": "A String", # The time this information was last changed at the source. This is an

444

# upstream timestamp from the underlying information source - e.g. Ubuntu

445

# security tracker.

446

"windowsDetails": [ # Windows details get their own format because the information format and

447

# model don't match a normal detail. Specifically Windows updates are done as

448

# patches, thus Windows vulnerabilities really are a missing package, rather

449

# than a package being at an incorrect version.

450

{

451

"name": "A String", # Required. The name of the vulnerability.

452

"cpeUri": "A String", # Required. The CPE URI in

453

# [cpe format](https://cpe.mitre.org/specification/) in which the

454

# vulnerability manifests. Examples include distro or storage location for

455

# vulnerable jar.

456

"description": "A String", # The description of the vulnerability.

457

"fixingKbs": [ # Required. The names of the KBs which have hotfixes to mitigate this

458

# vulnerability. Note that there may be multiple hotfixes (and thus

459

# multiple KBs) that mitigate a given vulnerability. Currently any listed

460

# kb's presence is considered a fix.

461

{

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame^]

462

"name": "A String", # The KB name (generally of the form KB[0-9]+ i.e. KB123456).

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

463

"url": "A String", # A link to the KB in the Windows update catalog -

464

# https://www.catalog.update.microsoft.com/

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

},

],

},

],

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

469

"details": [ # All information about the package to specifically identify this

470

# vulnerability. One entry per (version range and cpe_uri) the package

471

# vulnerability has manifested in.

472

{ # Identifies all appearances of this vulnerability in the package for a

473

# specific distro/location. For example: glibc in

474

# cpe:/o:debian:debian_linux:8 for versions 2.1 - 2.2

475

"isObsolete": True or False, # Whether this detail is obsolete. Occurrences are expected not to point to

476

# obsolete details.

477

"sourceUpdateTime": "A String", # The time this information was last changed at the source. This is an

478

# upstream timestamp from the underlying information source - e.g. Ubuntu

479

# security tracker.

480

"packageType": "A String", # The type of package; whether native or non native(ruby gems, node.js

481

# packages etc).

482

"fixedLocation": { # The location of the vulnerability. # The fix for this specific package version.

483

"package": "A String", # Required. The package being described.

484

"version": { # Version contains structured information about the version of a package. # Required. The version of the package being described.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame^]

485

"revision": "A String", # The iteration of the package build from the above version.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

486

"name": "A String", # Required only when version kind is NORMAL. The main part of the version

487

# name.

488

"kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal

489

# versions.

490

"epoch": 42, # Used to correct mistakes in the version numbering scheme.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

491

},

492

"cpeUri": "A String", # Required. The CPE URI in [cpe format](https://cpe.mitre.org/specification/)

493

# format. Examples include distro or storage location for vulnerable jar.

494

},

495

"cpeUri": "A String", # Required. The CPE URI in

496

# [cpe format](https://cpe.mitre.org/specification/) in which the

497

# vulnerability manifests. Examples include distro or storage location for

498

# vulnerable jar.

499

"description": "A String", # A vendor-specific description of this note.

500

"severityName": "A String", # The severity (eg: distro assigned severity) for this vulnerability.

501

"minAffectedVersion": { # Version contains structured information about the version of a package. # The min version of the package in which the vulnerability exists.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame^]

502

"revision": "A String", # The iteration of the package build from the above version.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

503

"name": "A String", # Required only when version kind is NORMAL. The main part of the version

504

# name.

505

"kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal

506

# versions.

507

"epoch": 42, # Used to correct mistakes in the version numbering scheme.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

508

},

509

"maxAffectedVersion": { # Version contains structured information about the version of a package. # The max version of the package in which the vulnerability exists.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame^]

510

"revision": "A String", # The iteration of the package build from the above version.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

511

"name": "A String", # Required only when version kind is NORMAL. The main part of the version

512

# name.

513

"kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal

514

# versions.

515

"epoch": 42, # Used to correct mistakes in the version numbering scheme.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

516

},

517

"package": "A String", # Required. The name of the package where the vulnerability was found.

518

},

519

],

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame^]

520

"severity": "A String", # Note provider assigned impact of the vulnerability.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

521

"cvssScore": 3.14, # The CVSS score for this vulnerability.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

522

},

523

"relatedNoteNames": [ # Other notes related to this note.

524

"A String",

525

],

526

"build": { # Note holding the version of the provider's builder and the signature of the # A note describing build provenance for a verifiable build.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

527

# provenance message in the build details occurrence.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

528

"signature": { # Message encapsulating the signature of the verified build. # Signature of the build in occurrences pointing to this build note

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

529

# containing build details.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

530

"keyType": "A String", # The type of the key, either stored in `public_key` or referenced in

531

# `key_id`.

532

"signature": "A String", # Required. Signature of the related `BuildProvenance`. In JSON, this is

533

# base-64 encoded.

534

"publicKey": "A String", # Public key of the builder which can be used to verify that the related

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

535

# findings are valid and unchanged. If `key_type` is empty, this defaults

536

# to PEM encoded public keys.

537

#

538

# This field may be empty if `key_id` references an external key.

539

#

540

# For Cloud Build based signatures, this is a PEM encoded public

541

# key. To verify the Cloud Build signature, place the contents of

542

# this field into a file (public.pem). The signature field is base64-decoded

543

# into its binary representation in signature.bin, and the provenance bytes

544

# from `BuildDetails` are base64-decoded into a binary representation in

545

# signed.bin. OpenSSL can then verify the signature:

546

# `openssl sha256 -verify public.pem -signature signature.bin signed.bin`

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

547

"keyId": "A String", # An ID for the key used to sign. This could be either an ID for the key

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

548

# stored in `public_key` (such as the ID or fingerprint for a PGP key, or the

549

# CN for a cert), or a reference to an external key (such as a reference to a

550

# key in Cloud Key Management Service).

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

551

},

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame^]

552

"builderVersion": "A String", # Required. Immutable. Version of the builder which produced this build.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

553

},

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame^]

554

"package": { # This represents a particular package that is distributed over various # A note describing a package hosted by various package managers.

555

# channels. E.g., glibc (aka libc6) is distributed by many, at various

556

# versions.

557

"name": "A String", # Required. Immutable. The name of the package.

558

"distribution": [ # The various channels by which a package is distributed.

559

{ # This represents a particular channel of distribution for a given package.

560

# E.g., Debian's jessie-backports dpkg mirror.

561

"maintainer": "A String", # A freeform string denoting the maintainer of this package.

562

"latestVersion": { # Version contains structured information about the version of a package. # The latest available version of this package in this distribution channel.

563

"revision": "A String", # The iteration of the package build from the above version.

564

"name": "A String", # Required only when version kind is NORMAL. The main part of the version

565

# name.

566

"kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal

567

# versions.

568

"epoch": 42, # Used to correct mistakes in the version numbering scheme.

569

},

570

"description": "A String", # The distribution channel-specific description of this package.

571

"cpeUri": "A String", # Required. The cpe_uri in [CPE format](https://cpe.mitre.org/specification/)

572

# denoting the package manager version distributing a package.

573

"url": "A String", # The distribution channel-specific homepage for this package.

574

"architecture": "A String", # The CPU architecture for which packages in this distribution channel were

# built.

},

],

},

"createTime": "A String", # Output only. The time this note was created. This field can be used as a

580

# filter in list requests.

581

"discovery": { # A note that indicates a type of analysis a provider would perform. This note # A note describing the initial analysis of a resource.

582

# exists in a provider's project. A `Discovery` occurrence is created in a

583

# consumer's project at the start of analysis.

584

"analysisKind": "A String", # Required. Immutable. The kind of analysis that is handled by this

585

# discovery.

586

},

587

"updateTime": "A String", # Output only. The time this note was last updated. This field can be used as

588

# a filter in list requests.

589

"intoto": { # This contains the fields corresponding to the definition of a software supply # A note describing an in-toto link.

590

# chain step in an in-toto layout. This information goes into a Grafeas note.

591

"expectedProducts": [

592

{ # Defines an object to declare an in-toto artifact rule

"artifactRule": [

"A String",

],

},

],

"stepName": "A String", # This field identifies the name of the step in the supply chain.

599

"signingKeys": [ # This field contains the public keys that can be used to verify the

600

# signatures on the step metadata.

601

{ # This defines the format used to record keys used in the software supply

602

# chain. An in-toto link is attested using one or more keys defined in the

603

# in-toto layout. An example of this is:

604

# {

605

# "key_id": "776a00e29f3559e0141b3b096f696abc6cfb0c657ab40f441132b345b0...",

606

# "key_type": "rsa",

607

# "public_key_value": "-----BEGIN PUBLIC KEY-----\nMIIBojANBgkqhkiG9w0B...",

608

# "key_scheme": "rsassa-pss-sha256"

609

# }

610

# The format for in-toto's key definition can be found in section 4.2 of the

611

# in-toto specification.

612

"keyId": "A String", # key_id is an identifier for the signing key.

613

"publicKeyValue": "A String", # This field contains the actual public key.

614

"keyType": "A String", # This field identifies the specific signing method. Eg: "rsa", "ed25519",

615

# and "ecdsa".

616

"keyScheme": "A String", # This field contains the corresponding signature scheme.

617

# Eg: "rsassa-pss-sha256".

618

},

619

],

620

"threshold": "A String", # This field contains a value that indicates the minimum number of keys that

621

# need to be used to sign the step's in-toto link.

622

"expectedMaterials": [ # The following fields contain in-toto artifact rules identifying the

623

# artifacts that enter this supply chain step, and exit the supply chain

624

# step, i.e. materials and products of the step.

625

{ # Defines an object to declare an in-toto artifact rule

"artifactRule": [

"A String",

],

},

],

"expectedCommand": [ # This field contains the expected command used to perform the step.

"A String",

],

},

"relatedUrl": [ # URLs associated with this note.

636

{ # Metadata for any related URL information.

637

"url": "A String", # Specific URL associated with the resource.

638

"label": "A String", # Label to describe usage of the URL.

639

},

640

],

641

"expirationTime": "A String", # Time of expiration for this note. Empty if note does not expire.

642

"baseImage": { # Basis describes the base image portion (Note) of the DockerImage # A note describing a base image.

643

# relationship. Linked occurrences are derived from this or an

644

# equivalent image via:

645

# FROM <Basis.resource_url>

646

# Or an equivalent reference, e.g. a tag of the resource_url.

647

"fingerprint": { # A set of properties that uniquely identify a given Docker image. # Required. Immutable. The fingerprint of the base image.

648

"v2Blob": [ # Required. The ordered list of v2 blobs that represent a given image.

649

"A String",

650

],

651

"v1Name": "A String", # Required. The layer ID of the final layer in the Docker image's v1

652

# representation.

653

"v2Name": "A String", # Output only. The name of the image's v2 blobs computed via:

654

# [bottom] := v2_blobbottom := sha256(v2_blob[N] + " " + v2_name[N+1])

655

# Only the name of the final blob is kept.

656

},

657

"resourceUrl": "A String", # Required. Immutable. The resource_url for the resource representing the

658

# basis of associated occurrence images.

659

},

660

"kind": "A String", # Output only. The type of analysis. This field can be used as a filter in

661

# list requests.

662

"longDescription": "A String", # A detailed description of this note.

663

"deployable": { # An artifact that can be deployed in some runtime. # A note describing something that can be deployed.

664

"resourceUri": [ # Required. Resource URI for the artifact being deployed.

"A String",

],

},

"shortDescription": "A String", # A one sentence description of this note.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

},

],

}</pre>

</div>

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

675

<code class="details" id="create">create(parent, body=None, noteId=None, x__xgafv=None)</code>

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

676

<pre>Creates a new note.

677

678

Args:

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

679

parent: string, Required. The name of the project in the form of `projects/[PROJECT_ID]`, under which

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

680

the note is to be created. (required)

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

681

body: object, The request body.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

682

The object takes the form of:

683

684

{ # A type of analysis that can be done for a resource.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

685

"attestationAuthority": { # Note kind that represents a logical attestation "role" or "authority". For # A note describing an attestation role.

686

# example, an organization might have one `Authority` for "QA" and one for

687

# "build". This note is intended to act strictly as a grouping mechanism for

688

# the attached occurrences (Attestations). This grouping mechanism also

689

# provides a security boundary, since IAM ACLs gate the ability for a principle

690

# to attach an occurrence to a given note. It also provides a single point of

691

# lookup to find all attached attestation occurrences, even if they don't all

692

# live in the same project.

693

"hint": { # This submessage provides human-readable hints about the purpose of the # Hint hints at the purpose of the attestation authority.

694

# authority. Because the name of a note acts as its resource reference, it is

695

# important to disambiguate the canonical name of the Note (which might be a

696

# UUID for security purposes) from "readable" names more suitable for debug

697

# output. Note that these hints should not be used to look up authorities in

698

# security sensitive contexts, such as when looking up attestations to

699

# verify.

700

"humanReadableName": "A String", # Required. The human readable name of this attestation authority, for

# example "qa".

},

},

"name": "A String", # Output only. The name of the note in the form of

705

# `projects/[PROVIDER_ID]/notes/[NOTE_ID]`.

706

"vulnerability": { # Vulnerability provides metadata about a security vulnerability in a Note. # A note describing a package vulnerability.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame^]

707

"cvssV3": { # Common Vulnerability Scoring System version 3. # The full description of the CVSSv3.

708

# For details, see https://www.first.org/cvss/specification-document

709

"baseScore": 3.14, # The base score is a function of the base metric scores.

710

"scope": "A String",

711

"integrityImpact": "A String",

712

"exploitabilityScore": 3.14,

713

"impactScore": 3.14,

714

"attackComplexity": "A String",

715

"availabilityImpact": "A String",

716

"privilegesRequired": "A String",

717

"userInteraction": "A String",

718

"attackVector": "A String", # Base Metrics

719

# Represents the intrinsic characteristics of a vulnerability that are

720

# constant over time and across user environments.

721

"confidentialityImpact": "A String",

722

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

723

"sourceUpdateTime": "A String", # The time this information was last changed at the source. This is an

724

# upstream timestamp from the underlying information source - e.g. Ubuntu

725

# security tracker.

726

"windowsDetails": [ # Windows details get their own format because the information format and

727

# model don't match a normal detail. Specifically Windows updates are done as

728

# patches, thus Windows vulnerabilities really are a missing package, rather

729

# than a package being at an incorrect version.

730

{

731

"name": "A String", # Required. The name of the vulnerability.

732

"cpeUri": "A String", # Required. The CPE URI in

733

# [cpe format](https://cpe.mitre.org/specification/) in which the

734

# vulnerability manifests. Examples include distro or storage location for

735

# vulnerable jar.

736

"description": "A String", # The description of the vulnerability.

737

"fixingKbs": [ # Required. The names of the KBs which have hotfixes to mitigate this

738

# vulnerability. Note that there may be multiple hotfixes (and thus

739

# multiple KBs) that mitigate a given vulnerability. Currently any listed

740

# kb's presence is considered a fix.

741

{

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame^]

742

"name": "A String", # The KB name (generally of the form KB[0-9]+ i.e. KB123456).

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

743

"url": "A String", # A link to the KB in the Windows update catalog -

744

# https://www.catalog.update.microsoft.com/

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

},

],

},

],

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

749

"details": [ # All information about the package to specifically identify this

750

# vulnerability. One entry per (version range and cpe_uri) the package

751

# vulnerability has manifested in.

752

{ # Identifies all appearances of this vulnerability in the package for a

753

# specific distro/location. For example: glibc in

754

# cpe:/o:debian:debian_linux:8 for versions 2.1 - 2.2

755

"isObsolete": True or False, # Whether this detail is obsolete. Occurrences are expected not to point to

756

# obsolete details.

757

"sourceUpdateTime": "A String", # The time this information was last changed at the source. This is an

758

# upstream timestamp from the underlying information source - e.g. Ubuntu

759

# security tracker.

760

"packageType": "A String", # The type of package; whether native or non native(ruby gems, node.js

761

# packages etc).

762

"fixedLocation": { # The location of the vulnerability. # The fix for this specific package version.

763

"package": "A String", # Required. The package being described.

764

"version": { # Version contains structured information about the version of a package. # Required. The version of the package being described.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame^]

765

"revision": "A String", # The iteration of the package build from the above version.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

766

"name": "A String", # Required only when version kind is NORMAL. The main part of the version

767

# name.

768

"kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal

769

# versions.

770

"epoch": 42, # Used to correct mistakes in the version numbering scheme.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

771

},

772

"cpeUri": "A String", # Required. The CPE URI in [cpe format](https://cpe.mitre.org/specification/)

773

# format. Examples include distro or storage location for vulnerable jar.

774

},

775

"cpeUri": "A String", # Required. The CPE URI in

776

# [cpe format](https://cpe.mitre.org/specification/) in which the

777

# vulnerability manifests. Examples include distro or storage location for

778

# vulnerable jar.

779

"description": "A String", # A vendor-specific description of this note.

780

"severityName": "A String", # The severity (eg: distro assigned severity) for this vulnerability.

781

"minAffectedVersion": { # Version contains structured information about the version of a package. # The min version of the package in which the vulnerability exists.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame^]

782

"revision": "A String", # The iteration of the package build from the above version.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

783

"name": "A String", # Required only when version kind is NORMAL. The main part of the version

784

# name.

785

"kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal

786

# versions.

787

"epoch": 42, # Used to correct mistakes in the version numbering scheme.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

788

},

789

"maxAffectedVersion": { # Version contains structured information about the version of a package. # The max version of the package in which the vulnerability exists.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame^]

790

"revision": "A String", # The iteration of the package build from the above version.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

791

"name": "A String", # Required only when version kind is NORMAL. The main part of the version

792

# name.

793

"kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal

794

# versions.

795

"epoch": 42, # Used to correct mistakes in the version numbering scheme.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

796

},

797

"package": "A String", # Required. The name of the package where the vulnerability was found.

798

},

799

],

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame^]

800

"severity": "A String", # Note provider assigned impact of the vulnerability.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

801

"cvssScore": 3.14, # The CVSS score for this vulnerability.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

802

},

803

"relatedNoteNames": [ # Other notes related to this note.

804

"A String",

805

],

806

"build": { # Note holding the version of the provider's builder and the signature of the # A note describing build provenance for a verifiable build.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

807

# provenance message in the build details occurrence.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

808

"signature": { # Message encapsulating the signature of the verified build. # Signature of the build in occurrences pointing to this build note

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

809

# containing build details.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

810

"keyType": "A String", # The type of the key, either stored in `public_key` or referenced in

811

# `key_id`.

812

"signature": "A String", # Required. Signature of the related `BuildProvenance`. In JSON, this is

813

# base-64 encoded.

814

"publicKey": "A String", # Public key of the builder which can be used to verify that the related

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

815

# findings are valid and unchanged. If `key_type` is empty, this defaults

816

# to PEM encoded public keys.

817

#

818

# This field may be empty if `key_id` references an external key.

819

#

820

# For Cloud Build based signatures, this is a PEM encoded public

821

# key. To verify the Cloud Build signature, place the contents of

822

# this field into a file (public.pem). The signature field is base64-decoded

823

# into its binary representation in signature.bin, and the provenance bytes

824

# from `BuildDetails` are base64-decoded into a binary representation in

825

# signed.bin. OpenSSL can then verify the signature:

826

# `openssl sha256 -verify public.pem -signature signature.bin signed.bin`

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

827

"keyId": "A String", # An ID for the key used to sign. This could be either an ID for the key

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

828

# stored in `public_key` (such as the ID or fingerprint for a PGP key, or the

829

# CN for a cert), or a reference to an external key (such as a reference to a

830

# key in Cloud Key Management Service).

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

831

},

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame^]

832

"builderVersion": "A String", # Required. Immutable. Version of the builder which produced this build.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

833

},

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame^]

834

"package": { # This represents a particular package that is distributed over various # A note describing a package hosted by various package managers.

835

# channels. E.g., glibc (aka libc6) is distributed by many, at various

836

# versions.

837

"name": "A String", # Required. Immutable. The name of the package.

838

"distribution": [ # The various channels by which a package is distributed.

839

{ # This represents a particular channel of distribution for a given package.

840

# E.g., Debian's jessie-backports dpkg mirror.

841

"maintainer": "A String", # A freeform string denoting the maintainer of this package.

842

"latestVersion": { # Version contains structured information about the version of a package. # The latest available version of this package in this distribution channel.

843

"revision": "A String", # The iteration of the package build from the above version.

844

"name": "A String", # Required only when version kind is NORMAL. The main part of the version

845

# name.

846

"kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal

847

# versions.

848

"epoch": 42, # Used to correct mistakes in the version numbering scheme.

849

},

850

"description": "A String", # The distribution channel-specific description of this package.

851

"cpeUri": "A String", # Required. The cpe_uri in [CPE format](https://cpe.mitre.org/specification/)

852

# denoting the package manager version distributing a package.

853

"url": "A String", # The distribution channel-specific homepage for this package.

854

"architecture": "A String", # The CPU architecture for which packages in this distribution channel were

# built.

},

],

},

"createTime": "A String", # Output only. The time this note was created. This field can be used as a

860

# filter in list requests.

861

"discovery": { # A note that indicates a type of analysis a provider would perform. This note # A note describing the initial analysis of a resource.

862

# exists in a provider's project. A `Discovery` occurrence is created in a

863

# consumer's project at the start of analysis.

864

"analysisKind": "A String", # Required. Immutable. The kind of analysis that is handled by this

865

# discovery.

866

},

867

"updateTime": "A String", # Output only. The time this note was last updated. This field can be used as

868

# a filter in list requests.

869

"intoto": { # This contains the fields corresponding to the definition of a software supply # A note describing an in-toto link.

870

# chain step in an in-toto layout. This information goes into a Grafeas note.

871

"expectedProducts": [

872

{ # Defines an object to declare an in-toto artifact rule

"artifactRule": [

"A String",

],

},

],

"stepName": "A String", # This field identifies the name of the step in the supply chain.

879

"signingKeys": [ # This field contains the public keys that can be used to verify the

880

# signatures on the step metadata.

881

{ # This defines the format used to record keys used in the software supply

882

# chain. An in-toto link is attested using one or more keys defined in the

883

# in-toto layout. An example of this is:

884

# {

885

# "key_id": "776a00e29f3559e0141b3b096f696abc6cfb0c657ab40f441132b345b0...",

886

# "key_type": "rsa",

887

# "public_key_value": "-----BEGIN PUBLIC KEY-----\nMIIBojANBgkqhkiG9w0B...",

888

# "key_scheme": "rsassa-pss-sha256"

889

# }

890

# The format for in-toto's key definition can be found in section 4.2 of the

891

# in-toto specification.

892

"keyId": "A String", # key_id is an identifier for the signing key.

893

"publicKeyValue": "A String", # This field contains the actual public key.

894

"keyType": "A String", # This field identifies the specific signing method. Eg: "rsa", "ed25519",

895

# and "ecdsa".

896

"keyScheme": "A String", # This field contains the corresponding signature scheme.

897

# Eg: "rsassa-pss-sha256".

898

},

899

],

900

"threshold": "A String", # This field contains a value that indicates the minimum number of keys that

901

# need to be used to sign the step's in-toto link.

902

"expectedMaterials": [ # The following fields contain in-toto artifact rules identifying the

903

# artifacts that enter this supply chain step, and exit the supply chain

904

# step, i.e. materials and products of the step.

905

{ # Defines an object to declare an in-toto artifact rule

"artifactRule": [

"A String",

],

},

],

"expectedCommand": [ # This field contains the expected command used to perform the step.

"A String",

],

},

"relatedUrl": [ # URLs associated with this note.

916

{ # Metadata for any related URL information.

917

"url": "A String", # Specific URL associated with the resource.

918

"label": "A String", # Label to describe usage of the URL.

919

},

920

],

921

"expirationTime": "A String", # Time of expiration for this note. Empty if note does not expire.

922

"baseImage": { # Basis describes the base image portion (Note) of the DockerImage # A note describing a base image.

923

# relationship. Linked occurrences are derived from this or an

924

# equivalent image via:

925

# FROM <Basis.resource_url>

926

# Or an equivalent reference, e.g. a tag of the resource_url.

927

"fingerprint": { # A set of properties that uniquely identify a given Docker image. # Required. Immutable. The fingerprint of the base image.

928

"v2Blob": [ # Required. The ordered list of v2 blobs that represent a given image.

929

"A String",

930

],

931

"v1Name": "A String", # Required. The layer ID of the final layer in the Docker image's v1

932

# representation.

933

"v2Name": "A String", # Output only. The name of the image's v2 blobs computed via:

934

# [bottom] := v2_blobbottom := sha256(v2_blob[N] + " " + v2_name[N+1])

935

# Only the name of the final blob is kept.

936

},

937

"resourceUrl": "A String", # Required. Immutable. The resource_url for the resource representing the

938

# basis of associated occurrence images.

939

},

940

"kind": "A String", # Output only. The type of analysis. This field can be used as a filter in

941

# list requests.

942

"longDescription": "A String", # A detailed description of this note.

943

"deployable": { # An artifact that can be deployed in some runtime. # A note describing something that can be deployed.

944

"resourceUri": [ # Required. Resource URI for the artifact being deployed.

"A String",

],

},

"shortDescription": "A String", # A one sentence description of this note.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

949

}

950

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

951

noteId: string, Required. The ID to use for this note.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

952

x__xgafv: string, V1 error format.

Allowed values

1 - v1 error format

2 - v2 error format

Returns:

An object of the form:

959

960

{ # A type of analysis that can be done for a resource.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

961

"attestationAuthority": { # Note kind that represents a logical attestation "role" or "authority". For # A note describing an attestation role.

962

# example, an organization might have one `Authority` for "QA" and one for

963

# "build". This note is intended to act strictly as a grouping mechanism for

964

# the attached occurrences (Attestations). This grouping mechanism also

965

# provides a security boundary, since IAM ACLs gate the ability for a principle

966

# to attach an occurrence to a given note. It also provides a single point of

967

# lookup to find all attached attestation occurrences, even if they don't all

968

# live in the same project.

969

"hint": { # This submessage provides human-readable hints about the purpose of the # Hint hints at the purpose of the attestation authority.

970

# authority. Because the name of a note acts as its resource reference, it is

971

# important to disambiguate the canonical name of the Note (which might be a

972

# UUID for security purposes) from "readable" names more suitable for debug

973

# output. Note that these hints should not be used to look up authorities in

974

# security sensitive contexts, such as when looking up attestations to

975

# verify.

976

"humanReadableName": "A String", # Required. The human readable name of this attestation authority, for

# example "qa".

},

},

"name": "A String", # Output only. The name of the note in the form of

981

# `projects/[PROVIDER_ID]/notes/[NOTE_ID]`.

982

"vulnerability": { # Vulnerability provides metadata about a security vulnerability in a Note. # A note describing a package vulnerability.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame^]

983

"cvssV3": { # Common Vulnerability Scoring System version 3. # The full description of the CVSSv3.

984

# For details, see https://www.first.org/cvss/specification-document

985

"baseScore": 3.14, # The base score is a function of the base metric scores.

986

"scope": "A String",

987

"integrityImpact": "A String",

988

"exploitabilityScore": 3.14,

989

"impactScore": 3.14,

990

"attackComplexity": "A String",

991

"availabilityImpact": "A String",

992

"privilegesRequired": "A String",

993

"userInteraction": "A String",

994

"attackVector": "A String", # Base Metrics

995

# Represents the intrinsic characteristics of a vulnerability that are

996

# constant over time and across user environments.

997

"confidentialityImpact": "A String",

998

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

999

"sourceUpdateTime": "A String", # The time this information was last changed at the source. This is an

1000

# upstream timestamp from the underlying information source - e.g. Ubuntu

1001

# security tracker.

1002

"windowsDetails": [ # Windows details get their own format because the information format and

1003

# model don't match a normal detail. Specifically Windows updates are done as

1004

# patches, thus Windows vulnerabilities really are a missing package, rather

1005

# than a package being at an incorrect version.

1006

{

1007

"name": "A String", # Required. The name of the vulnerability.

1008

"cpeUri": "A String", # Required. The CPE URI in

1009

# [cpe format](https://cpe.mitre.org/specification/) in which the

1010

# vulnerability manifests. Examples include distro or storage location for

1011

# vulnerable jar.

1012

"description": "A String", # The description of the vulnerability.

1013

"fixingKbs": [ # Required. The names of the KBs which have hotfixes to mitigate this

1014

# vulnerability. Note that there may be multiple hotfixes (and thus

1015

# multiple KBs) that mitigate a given vulnerability. Currently any listed

1016

# kb's presence is considered a fix.

1017

{

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame^]

1018

"name": "A String", # The KB name (generally of the form KB[0-9]+ i.e. KB123456).

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1019

"url": "A String", # A link to the KB in the Windows update catalog -

1020

# https://www.catalog.update.microsoft.com/

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

},

],

},

],

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1025

"details": [ # All information about the package to specifically identify this

1026

# vulnerability. One entry per (version range and cpe_uri) the package

1027

# vulnerability has manifested in.

1028

{ # Identifies all appearances of this vulnerability in the package for a

1029

# specific distro/location. For example: glibc in

1030

# cpe:/o:debian:debian_linux:8 for versions 2.1 - 2.2

1031

"isObsolete": True or False, # Whether this detail is obsolete. Occurrences are expected not to point to

1032

# obsolete details.

1033

"sourceUpdateTime": "A String", # The time this information was last changed at the source. This is an

1034

# upstream timestamp from the underlying information source - e.g. Ubuntu

1035

# security tracker.

1036

"packageType": "A String", # The type of package; whether native or non native(ruby gems, node.js

1037

# packages etc).

1038

"fixedLocation": { # The location of the vulnerability. # The fix for this specific package version.

1039

"package": "A String", # Required. The package being described.

1040

"version": { # Version contains structured information about the version of a package. # Required. The version of the package being described.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame^]

1041

"revision": "A String", # The iteration of the package build from the above version.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1042

"name": "A String", # Required only when version kind is NORMAL. The main part of the version

1043

# name.

1044

"kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal

1045

# versions.

1046

"epoch": 42, # Used to correct mistakes in the version numbering scheme.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1047

},

1048

"cpeUri": "A String", # Required. The CPE URI in [cpe format](https://cpe.mitre.org/specification/)

1049

# format. Examples include distro or storage location for vulnerable jar.

1050

},

1051

"cpeUri": "A String", # Required. The CPE URI in

1052

# [cpe format](https://cpe.mitre.org/specification/) in which the

1053

# vulnerability manifests. Examples include distro or storage location for

1054

# vulnerable jar.

1055

"description": "A String", # A vendor-specific description of this note.

1056

"severityName": "A String", # The severity (eg: distro assigned severity) for this vulnerability.

1057

"minAffectedVersion": { # Version contains structured information about the version of a package. # The min version of the package in which the vulnerability exists.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame^]

1058

"revision": "A String", # The iteration of the package build from the above version.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1059

"name": "A String", # Required only when version kind is NORMAL. The main part of the version

1060

# name.

1061

"kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal

1062

# versions.

1063

"epoch": 42, # Used to correct mistakes in the version numbering scheme.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1064

},

1065

"maxAffectedVersion": { # Version contains structured information about the version of a package. # The max version of the package in which the vulnerability exists.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame^]

1066

"revision": "A String", # The iteration of the package build from the above version.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1067

"name": "A String", # Required only when version kind is NORMAL. The main part of the version

1068

# name.

1069

"kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal

1070

# versions.

1071

"epoch": 42, # Used to correct mistakes in the version numbering scheme.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1072

},

1073

"package": "A String", # Required. The name of the package where the vulnerability was found.

1074

},

1075

],

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame^]

1076

"severity": "A String", # Note provider assigned impact of the vulnerability.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1077

"cvssScore": 3.14, # The CVSS score for this vulnerability.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1078

},

1079

"relatedNoteNames": [ # Other notes related to this note.

1080

"A String",

1081

],

1082

"build": { # Note holding the version of the provider's builder and the signature of the # A note describing build provenance for a verifiable build.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1083

# provenance message in the build details occurrence.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1084

"signature": { # Message encapsulating the signature of the verified build. # Signature of the build in occurrences pointing to this build note

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1085

# containing build details.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1086

"keyType": "A String", # The type of the key, either stored in `public_key` or referenced in

1087

# `key_id`.

1088

"signature": "A String", # Required. Signature of the related `BuildProvenance`. In JSON, this is

1089

# base-64 encoded.

1090

"publicKey": "A String", # Public key of the builder which can be used to verify that the related

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1091

# findings are valid and unchanged. If `key_type` is empty, this defaults

1092

# to PEM encoded public keys.

1093

#

1094

# This field may be empty if `key_id` references an external key.

1095

#

1096

# For Cloud Build based signatures, this is a PEM encoded public

1097

# key. To verify the Cloud Build signature, place the contents of

1098

# this field into a file (public.pem). The signature field is base64-decoded

1099

# into its binary representation in signature.bin, and the provenance bytes

1100

# from `BuildDetails` are base64-decoded into a binary representation in

1101

# signed.bin. OpenSSL can then verify the signature:

1102

# `openssl sha256 -verify public.pem -signature signature.bin signed.bin`

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1103

"keyId": "A String", # An ID for the key used to sign. This could be either an ID for the key

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1104

# stored in `public_key` (such as the ID or fingerprint for a PGP key, or the

1105

# CN for a cert), or a reference to an external key (such as a reference to a

1106

# key in Cloud Key Management Service).

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1107

},

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame^]

1108

"builderVersion": "A String", # Required. Immutable. Version of the builder which produced this build.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1109

},

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame^]

1110

"package": { # This represents a particular package that is distributed over various # A note describing a package hosted by various package managers.

1111

# channels. E.g., glibc (aka libc6) is distributed by many, at various

1112

# versions.

1113

"name": "A String", # Required. Immutable. The name of the package.

1114

"distribution": [ # The various channels by which a package is distributed.

1115

{ # This represents a particular channel of distribution for a given package.

1116

# E.g., Debian's jessie-backports dpkg mirror.

1117

"maintainer": "A String", # A freeform string denoting the maintainer of this package.

1118

"latestVersion": { # Version contains structured information about the version of a package. # The latest available version of this package in this distribution channel.

1119

"revision": "A String", # The iteration of the package build from the above version.

1120

"name": "A String", # Required only when version kind is NORMAL. The main part of the version

1121

# name.

1122

"kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal

1123

# versions.

1124

"epoch": 42, # Used to correct mistakes in the version numbering scheme.

1125

},

1126

"description": "A String", # The distribution channel-specific description of this package.

1127

"cpeUri": "A String", # Required. The cpe_uri in [CPE format](https://cpe.mitre.org/specification/)

1128

# denoting the package manager version distributing a package.

1129

"url": "A String", # The distribution channel-specific homepage for this package.

1130

"architecture": "A String", # The CPU architecture for which packages in this distribution channel were

# built.

},

],

},

"createTime": "A String", # Output only. The time this note was created. This field can be used as a

1136

# filter in list requests.

1137

"discovery": { # A note that indicates a type of analysis a provider would perform. This note # A note describing the initial analysis of a resource.

1138

# exists in a provider's project. A `Discovery` occurrence is created in a

1139

# consumer's project at the start of analysis.

1140

"analysisKind": "A String", # Required. Immutable. The kind of analysis that is handled by this

1141

# discovery.

1142

},

1143

"updateTime": "A String", # Output only. The time this note was last updated. This field can be used as

1144

# a filter in list requests.

1145

"intoto": { # This contains the fields corresponding to the definition of a software supply # A note describing an in-toto link.

1146

# chain step in an in-toto layout. This information goes into a Grafeas note.

1147

"expectedProducts": [

1148

{ # Defines an object to declare an in-toto artifact rule

"artifactRule": [

"A String",

],

},

],

"stepName": "A String", # This field identifies the name of the step in the supply chain.

1155

"signingKeys": [ # This field contains the public keys that can be used to verify the

1156

# signatures on the step metadata.

1157

{ # This defines the format used to record keys used in the software supply

1158

# chain. An in-toto link is attested using one or more keys defined in the

1159

# in-toto layout. An example of this is:

1160

# {

1161

# "key_id": "776a00e29f3559e0141b3b096f696abc6cfb0c657ab40f441132b345b0...",

1162

# "key_type": "rsa",

1163

# "public_key_value": "-----BEGIN PUBLIC KEY-----\nMIIBojANBgkqhkiG9w0B...",

1164

# "key_scheme": "rsassa-pss-sha256"

1165

# }

1166

# The format for in-toto's key definition can be found in section 4.2 of the

1167

# in-toto specification.

1168

"keyId": "A String", # key_id is an identifier for the signing key.

1169

"publicKeyValue": "A String", # This field contains the actual public key.

1170

"keyType": "A String", # This field identifies the specific signing method. Eg: "rsa", "ed25519",

1171

# and "ecdsa".

1172

"keyScheme": "A String", # This field contains the corresponding signature scheme.

1173

# Eg: "rsassa-pss-sha256".

1174

},

1175

],

1176

"threshold": "A String", # This field contains a value that indicates the minimum number of keys that

1177

# need to be used to sign the step's in-toto link.

1178

"expectedMaterials": [ # The following fields contain in-toto artifact rules identifying the

1179

# artifacts that enter this supply chain step, and exit the supply chain

1180

# step, i.e. materials and products of the step.

1181

{ # Defines an object to declare an in-toto artifact rule

"artifactRule": [

"A String",

],

},

],

"expectedCommand": [ # This field contains the expected command used to perform the step.

"A String",

],

},

"relatedUrl": [ # URLs associated with this note.

1192

{ # Metadata for any related URL information.

1193

"url": "A String", # Specific URL associated with the resource.

1194

"label": "A String", # Label to describe usage of the URL.

1195

},

1196

],

1197

"expirationTime": "A String", # Time of expiration for this note. Empty if note does not expire.

1198

"baseImage": { # Basis describes the base image portion (Note) of the DockerImage # A note describing a base image.

1199

# relationship. Linked occurrences are derived from this or an

1200

# equivalent image via:

1201

# FROM <Basis.resource_url>

1202

# Or an equivalent reference, e.g. a tag of the resource_url.

1203

"fingerprint": { # A set of properties that uniquely identify a given Docker image. # Required. Immutable. The fingerprint of the base image.

1204

"v2Blob": [ # Required. The ordered list of v2 blobs that represent a given image.

1205

"A String",

1206

],

1207

"v1Name": "A String", # Required. The layer ID of the final layer in the Docker image's v1

1208

# representation.

1209

"v2Name": "A String", # Output only. The name of the image's v2 blobs computed via:

1210

# [bottom] := v2_blobbottom := sha256(v2_blob[N] + " " + v2_name[N+1])

1211

# Only the name of the final blob is kept.

1212

},

1213

"resourceUrl": "A String", # Required. Immutable. The resource_url for the resource representing the

1214

# basis of associated occurrence images.

1215

},

1216

"kind": "A String", # Output only. The type of analysis. This field can be used as a filter in

1217

# list requests.

1218

"longDescription": "A String", # A detailed description of this note.

1219

"deployable": { # An artifact that can be deployed in some runtime. # A note describing something that can be deployed.

1220

"resourceUri": [ # Required. Resource URI for the artifact being deployed.

"A String",

],

},

"shortDescription": "A String", # A one sentence description of this note.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

}</pre>

</div>

<code class="details" id="delete">delete(name, x__xgafv=None)</code>

1230

<pre>Deletes the specified note.

1231

1232

Args:

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

1233

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1234

`projects/[PROVIDER_ID]/notes/[NOTE_ID]`. (required)

1235

x__xgafv: string, V1 error format.

Allowed values

1 - v1 error format

2 - v2 error format

Returns:

An object of the form:

1242

1243

{ # A generic empty message that you can re-use to avoid defining duplicated

1244

# empty messages in your APIs. A typical example is to use it as the request

1245

# or the response type of an API method. For instance:

1246

#

1247

# service Foo {

1248

# rpc Bar(google.protobuf.Empty) returns (google.protobuf.Empty);

1249

# }

1250

#

1251

# The JSON representation for `Empty` is empty JSON object `{}`.

}</pre>

</div>

<code class="details" id="get">get(name, x__xgafv=None)</code>

1257

<pre>Gets the specified note.

1258

1259

Args:

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

1260

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1261

`projects/[PROVIDER_ID]/notes/[NOTE_ID]`. (required)

1262

x__xgafv: string, V1 error format.

Allowed values

1 - v1 error format

2 - v2 error format

Returns:

An object of the form:

1269

1270

{ # A type of analysis that can be done for a resource.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1271

"attestationAuthority": { # Note kind that represents a logical attestation "role" or "authority". For # A note describing an attestation role.

1272

# example, an organization might have one `Authority` for "QA" and one for

1273

# "build". This note is intended to act strictly as a grouping mechanism for

1274

# the attached occurrences (Attestations). This grouping mechanism also

1275

# provides a security boundary, since IAM ACLs gate the ability for a principle

1276

# to attach an occurrence to a given note. It also provides a single point of

1277

# lookup to find all attached attestation occurrences, even if they don't all

1278

# live in the same project.

1279

"hint": { # This submessage provides human-readable hints about the purpose of the # Hint hints at the purpose of the attestation authority.

1280

# authority. Because the name of a note acts as its resource reference, it is

1281

# important to disambiguate the canonical name of the Note (which might be a

1282

# UUID for security purposes) from "readable" names more suitable for debug

1283

# output. Note that these hints should not be used to look up authorities in

1284

# security sensitive contexts, such as when looking up attestations to

1285

# verify.

1286

"humanReadableName": "A String", # Required. The human readable name of this attestation authority, for

# example "qa".

},

},

"name": "A String", # Output only. The name of the note in the form of

1291

# `projects/[PROVIDER_ID]/notes/[NOTE_ID]`.

1292

"vulnerability": { # Vulnerability provides metadata about a security vulnerability in a Note. # A note describing a package vulnerability.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame^]

1293

"cvssV3": { # Common Vulnerability Scoring System version 3. # The full description of the CVSSv3.

1294

# For details, see https://www.first.org/cvss/specification-document

1295

"baseScore": 3.14, # The base score is a function of the base metric scores.

1296

"scope": "A String",

1297

"integrityImpact": "A String",

1298

"exploitabilityScore": 3.14,

1299

"impactScore": 3.14,

1300

"attackComplexity": "A String",

1301

"availabilityImpact": "A String",

1302

"privilegesRequired": "A String",

1303

"userInteraction": "A String",

1304

"attackVector": "A String", # Base Metrics

1305

# Represents the intrinsic characteristics of a vulnerability that are

1306

# constant over time and across user environments.

1307

"confidentialityImpact": "A String",

1308

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1309

"sourceUpdateTime": "A String", # The time this information was last changed at the source. This is an

1310

# upstream timestamp from the underlying information source - e.g. Ubuntu

1311

# security tracker.

1312

"windowsDetails": [ # Windows details get their own format because the information format and

1313

# model don't match a normal detail. Specifically Windows updates are done as

1314

# patches, thus Windows vulnerabilities really are a missing package, rather

1315

# than a package being at an incorrect version.

1316

{

1317

"name": "A String", # Required. The name of the vulnerability.

1318

"cpeUri": "A String", # Required. The CPE URI in

1319

# [cpe format](https://cpe.mitre.org/specification/) in which the

1320

# vulnerability manifests. Examples include distro or storage location for

1321

# vulnerable jar.

1322

"description": "A String", # The description of the vulnerability.

1323

"fixingKbs": [ # Required. The names of the KBs which have hotfixes to mitigate this

1324

# vulnerability. Note that there may be multiple hotfixes (and thus

1325

# multiple KBs) that mitigate a given vulnerability. Currently any listed

1326

# kb's presence is considered a fix.

1327

{

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame^]

1328

"name": "A String", # The KB name (generally of the form KB[0-9]+ i.e. KB123456).

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1329

"url": "A String", # A link to the KB in the Windows update catalog -

1330

# https://www.catalog.update.microsoft.com/

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

},

],

},

],

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1335

"details": [ # All information about the package to specifically identify this

1336

# vulnerability. One entry per (version range and cpe_uri) the package

1337

# vulnerability has manifested in.

1338

{ # Identifies all appearances of this vulnerability in the package for a

1339

# specific distro/location. For example: glibc in

1340

# cpe:/o:debian:debian_linux:8 for versions 2.1 - 2.2

1341

"isObsolete": True or False, # Whether this detail is obsolete. Occurrences are expected not to point to

1342

# obsolete details.

1343

"sourceUpdateTime": "A String", # The time this information was last changed at the source. This is an

1344

# upstream timestamp from the underlying information source - e.g. Ubuntu

1345

# security tracker.

1346

"packageType": "A String", # The type of package; whether native or non native(ruby gems, node.js

1347

# packages etc).

1348

"fixedLocation": { # The location of the vulnerability. # The fix for this specific package version.

1349

"package": "A String", # Required. The package being described.

1350

"version": { # Version contains structured information about the version of a package. # Required. The version of the package being described.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame^]

1351

"revision": "A String", # The iteration of the package build from the above version.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1352

"name": "A String", # Required only when version kind is NORMAL. The main part of the version

1353

# name.

1354

"kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal

1355

# versions.

1356

"epoch": 42, # Used to correct mistakes in the version numbering scheme.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1357

},

1358

"cpeUri": "A String", # Required. The CPE URI in [cpe format](https://cpe.mitre.org/specification/)

1359

# format. Examples include distro or storage location for vulnerable jar.

1360

},

1361

"cpeUri": "A String", # Required. The CPE URI in

1362

# [cpe format](https://cpe.mitre.org/specification/) in which the

1363

# vulnerability manifests. Examples include distro or storage location for

1364

# vulnerable jar.

1365

"description": "A String", # A vendor-specific description of this note.

1366

"severityName": "A String", # The severity (eg: distro assigned severity) for this vulnerability.

1367

"minAffectedVersion": { # Version contains structured information about the version of a package. # The min version of the package in which the vulnerability exists.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame^]

1368

"revision": "A String", # The iteration of the package build from the above version.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1369

"name": "A String", # Required only when version kind is NORMAL. The main part of the version

1370

# name.

1371

"kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal

1372

# versions.

1373

"epoch": 42, # Used to correct mistakes in the version numbering scheme.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1374

},

1375

"maxAffectedVersion": { # Version contains structured information about the version of a package. # The max version of the package in which the vulnerability exists.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame^]

1376

"revision": "A String", # The iteration of the package build from the above version.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1377

"name": "A String", # Required only when version kind is NORMAL. The main part of the version

1378

# name.

1379

"kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal

1380

# versions.

1381

"epoch": 42, # Used to correct mistakes in the version numbering scheme.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1382

},

1383

"package": "A String", # Required. The name of the package where the vulnerability was found.

1384

},

1385

],

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame^]

1386

"severity": "A String", # Note provider assigned impact of the vulnerability.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1387

"cvssScore": 3.14, # The CVSS score for this vulnerability.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1388

},

1389

"relatedNoteNames": [ # Other notes related to this note.

1390

"A String",

1391

],

1392

"build": { # Note holding the version of the provider's builder and the signature of the # A note describing build provenance for a verifiable build.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1393

# provenance message in the build details occurrence.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1394

"signature": { # Message encapsulating the signature of the verified build. # Signature of the build in occurrences pointing to this build note

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1395

# containing build details.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1396

"keyType": "A String", # The type of the key, either stored in `public_key` or referenced in

1397

# `key_id`.

1398

"signature": "A String", # Required. Signature of the related `BuildProvenance`. In JSON, this is

1399

# base-64 encoded.

1400

"publicKey": "A String", # Public key of the builder which can be used to verify that the related

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1401

# findings are valid and unchanged. If `key_type` is empty, this defaults

1402

# to PEM encoded public keys.

1403

#

1404

# This field may be empty if `key_id` references an external key.

1405

#

1406

# For Cloud Build based signatures, this is a PEM encoded public

1407

# key. To verify the Cloud Build signature, place the contents of

1408

# this field into a file (public.pem). The signature field is base64-decoded

1409

# into its binary representation in signature.bin, and the provenance bytes

1410

# from `BuildDetails` are base64-decoded into a binary representation in

1411

# signed.bin. OpenSSL can then verify the signature:

1412

# `openssl sha256 -verify public.pem -signature signature.bin signed.bin`

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1413

"keyId": "A String", # An ID for the key used to sign. This could be either an ID for the key

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1414

# stored in `public_key` (such as the ID or fingerprint for a PGP key, or the

1415

# CN for a cert), or a reference to an external key (such as a reference to a

1416

# key in Cloud Key Management Service).

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1417

},

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame^]

1418

"builderVersion": "A String", # Required. Immutable. Version of the builder which produced this build.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1419

},

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame^]

1420

"package": { # This represents a particular package that is distributed over various # A note describing a package hosted by various package managers.

1421

# channels. E.g., glibc (aka libc6) is distributed by many, at various

1422

# versions.

1423

"name": "A String", # Required. Immutable. The name of the package.

1424

"distribution": [ # The various channels by which a package is distributed.

1425

{ # This represents a particular channel of distribution for a given package.

1426

# E.g., Debian's jessie-backports dpkg mirror.

1427

"maintainer": "A String", # A freeform string denoting the maintainer of this package.

1428

"latestVersion": { # Version contains structured information about the version of a package. # The latest available version of this package in this distribution channel.

1429

"revision": "A String", # The iteration of the package build from the above version.

1430

"name": "A String", # Required only when version kind is NORMAL. The main part of the version

1431

# name.

1432

"kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal

1433

# versions.

1434

"epoch": 42, # Used to correct mistakes in the version numbering scheme.

1435

},

1436

"description": "A String", # The distribution channel-specific description of this package.

1437

"cpeUri": "A String", # Required. The cpe_uri in [CPE format](https://cpe.mitre.org/specification/)

1438

# denoting the package manager version distributing a package.

1439

"url": "A String", # The distribution channel-specific homepage for this package.

1440

"architecture": "A String", # The CPU architecture for which packages in this distribution channel were

# built.

},

],

},

"createTime": "A String", # Output only. The time this note was created. This field can be used as a

1446

# filter in list requests.

1447

"discovery": { # A note that indicates a type of analysis a provider would perform. This note # A note describing the initial analysis of a resource.

1448

# exists in a provider's project. A `Discovery` occurrence is created in a

1449

# consumer's project at the start of analysis.

1450

"analysisKind": "A String", # Required. Immutable. The kind of analysis that is handled by this

1451

# discovery.

1452

},

1453

"updateTime": "A String", # Output only. The time this note was last updated. This field can be used as

1454

# a filter in list requests.

1455

"intoto": { # This contains the fields corresponding to the definition of a software supply # A note describing an in-toto link.

1456

# chain step in an in-toto layout. This information goes into a Grafeas note.

1457

"expectedProducts": [

1458

{ # Defines an object to declare an in-toto artifact rule

"artifactRule": [

"A String",

],

},

],

"stepName": "A String", # This field identifies the name of the step in the supply chain.

1465

"signingKeys": [ # This field contains the public keys that can be used to verify the

1466

# signatures on the step metadata.

1467

{ # This defines the format used to record keys used in the software supply

1468

# chain. An in-toto link is attested using one or more keys defined in the

1469

# in-toto layout. An example of this is:

1470

# {

1471

# "key_id": "776a00e29f3559e0141b3b096f696abc6cfb0c657ab40f441132b345b0...",

1472

# "key_type": "rsa",

1473

# "public_key_value": "-----BEGIN PUBLIC KEY-----\nMIIBojANBgkqhkiG9w0B...",

1474

# "key_scheme": "rsassa-pss-sha256"

1475

# }

1476

# The format for in-toto's key definition can be found in section 4.2 of the

1477

# in-toto specification.

1478

"keyId": "A String", # key_id is an identifier for the signing key.

1479

"publicKeyValue": "A String", # This field contains the actual public key.

1480

"keyType": "A String", # This field identifies the specific signing method. Eg: "rsa", "ed25519",

1481

# and "ecdsa".

1482

"keyScheme": "A String", # This field contains the corresponding signature scheme.

1483

# Eg: "rsassa-pss-sha256".

1484

},

1485

],

1486

"threshold": "A String", # This field contains a value that indicates the minimum number of keys that

1487

# need to be used to sign the step's in-toto link.

1488

"expectedMaterials": [ # The following fields contain in-toto artifact rules identifying the

1489

# artifacts that enter this supply chain step, and exit the supply chain

1490

# step, i.e. materials and products of the step.

1491

{ # Defines an object to declare an in-toto artifact rule

"artifactRule": [

"A String",

],

},

],

"expectedCommand": [ # This field contains the expected command used to perform the step.

"A String",

],

},

"relatedUrl": [ # URLs associated with this note.

1502

{ # Metadata for any related URL information.

1503

"url": "A String", # Specific URL associated with the resource.

1504

"label": "A String", # Label to describe usage of the URL.

1505

},

1506

],

1507

"expirationTime": "A String", # Time of expiration for this note. Empty if note does not expire.

1508

"baseImage": { # Basis describes the base image portion (Note) of the DockerImage # A note describing a base image.

1509

# relationship. Linked occurrences are derived from this or an

1510

# equivalent image via:

1511

# FROM <Basis.resource_url>

1512

# Or an equivalent reference, e.g. a tag of the resource_url.

1513

"fingerprint": { # A set of properties that uniquely identify a given Docker image. # Required. Immutable. The fingerprint of the base image.

1514

"v2Blob": [ # Required. The ordered list of v2 blobs that represent a given image.

1515

"A String",

1516

],

1517

"v1Name": "A String", # Required. The layer ID of the final layer in the Docker image's v1

1518

# representation.

1519

"v2Name": "A String", # Output only. The name of the image's v2 blobs computed via:

1520

# [bottom] := v2_blobbottom := sha256(v2_blob[N] + " " + v2_name[N+1])

1521

# Only the name of the final blob is kept.

1522

},

1523

"resourceUrl": "A String", # Required. Immutable. The resource_url for the resource representing the

1524

# basis of associated occurrence images.

1525

},

1526

"kind": "A String", # Output only. The type of analysis. This field can be used as a filter in

1527

# list requests.

1528

"longDescription": "A String", # A detailed description of this note.

1529

"deployable": { # An artifact that can be deployed in some runtime. # A note describing something that can be deployed.

1530

"resourceUri": [ # Required. Resource URI for the artifact being deployed.

"A String",

],

},

"shortDescription": "A String", # A one sentence description of this note.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

}</pre>

</div>

<code class="details" id="getIamPolicy">getIamPolicy(resource, body=None, x__xgafv=None)</code>

1540

<pre>Gets the access control policy for a note or an occurrence resource.

1541

Requires `containeranalysis.notes.setIamPolicy` or

1542

`containeranalysis.occurrences.setIamPolicy` permission if the resource is

1543

a note or occurrence, respectively.

1544

1545

The resource takes the format `projects/[PROJECT_ID]/notes/[NOTE_ID]` for

1546

notes and `projects/[PROJECT_ID]/occurrences/[OCCURRENCE_ID]` for

occurrences.

Args:

resource: string, REQUIRED: The resource for which the policy is being requested.

1551

See the operation documentation for the appropriate value for this field. (required)

1552

body: object, The request body.

1553

The object takes the form of:

1554

1555

{ # Request message for `GetIamPolicy` method.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1556

"options": { # Encapsulates settings provided to GetIamPolicy. # OPTIONAL: A `GetPolicyOptions` object for specifying options to

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

1557

# `GetIamPolicy`.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1558

"requestedPolicyVersion": 42, # Optional. The policy format version to be returned.

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

1559

#

1560

# Valid values are 0, 1, and 3. Requests specifying an invalid value will be

1561

# rejected.

1562

#

1563

# Requests for policies with any conditional bindings must specify version 3.

1564

# Policies without any conditional bindings may specify any valid value or

1565

# leave the field unset.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1566

#

1567

# To learn which resources support conditions in their IAM policies, see the

1568

# [IAM

1569

# documentation](https://cloud.google.com/iam/help/conditions/resource-policies).

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

1570

},

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1571

}

1572

1573

x__xgafv: string, V1 error format.

Allowed values

1 - v1 error format

2 - v2 error format

Returns:

An object of the form:

1580

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

1581

{ # An Identity and Access Management (IAM) policy, which specifies access

1582

# controls for Google Cloud resources.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1583

#

1584

#

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

1585

# A `Policy` is a collection of `bindings`. A `binding` binds one or more

1586

# `members` to a single `role`. Members can be user accounts, service accounts,

1587

# Google groups, and domains (such as G Suite). A `role` is a named list of

1588

# permissions; each `role` can be an IAM predefined role or a user-created

1589

# custom role.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1590

#

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1591

# For some types of Google Cloud resources, a `binding` can also specify a

1592

# `condition`, which is a logical expression that allows access to a resource

1593

# only if the expression evaluates to `true`. A condition can add constraints

1594

# based on attributes of the request, the resource, or both. To learn which

1595

# resources support conditions in their IAM policies, see the

1596

# [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies).

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

1597

#

1598

# **JSON example:**

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1599

#

1600

# {

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1601

# "bindings": [

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1602

# {

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1603

# "role": "roles/resourcemanager.organizationAdmin",

1604

# "members": [

1605

# "user:mike@example.com",

1606

# "group:admins@example.com",

1607

# "domain:google.com",

1608

# "serviceAccount:my-project-id@appspot.gserviceaccount.com"

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1609

# ]

1610

# },

1611

# {

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1612

# "role": "roles/resourcemanager.organizationViewer",

1613

# "members": [

1614

# "user:eve@example.com"

1615

# ],

1616

# "condition": {

1617

# "title": "expirable access",

1618

# "description": "Does not grant access after Sep 2020",

1619

# "expression": "request.time < timestamp('2020-10-01T00:00:00.000Z')",

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

1620

# }

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1621

# }

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

1622

# ],

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1623

# "etag": "BwWWja0YfJA=",

1624

# "version": 3

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1625

# }

1626

#

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

1627

# **YAML example:**

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

#

# bindings:

# - members:

# - user:mike@example.com

1632

# - group:admins@example.com

1633

# - domain:google.com

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

1634

# - serviceAccount:my-project-id@appspot.gserviceaccount.com

1635

# role: roles/resourcemanager.organizationAdmin

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1636

# - members:

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

1637

# - user:eve@example.com

1638

# role: roles/resourcemanager.organizationViewer

1639

# condition:

1640

# title: expirable access

1641

# description: Does not grant access after Sep 2020

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1642

# expression: request.time < timestamp('2020-10-01T00:00:00.000Z')

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

1643

# - etag: BwWWja0YfJA=

1644

# - version: 3

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1645

#

1646

# For a description of IAM and its features, see the

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

1647

# [IAM documentation](https://cloud.google.com/iam/docs/).

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame^]

1648

"etag": "A String", # `etag` is used for optimistic concurrency control as a way to help

1649

# prevent simultaneous updates of a policy from overwriting each other.

1650

# It is strongly suggested that systems make use of the `etag` in the

1651

# read-modify-write cycle to perform policy updates in order to avoid race

1652

# conditions: An `etag` is returned in the response to `getIamPolicy`, and

1653

# systems are expected to put that etag in the request to `setIamPolicy` to

1654

# ensure that their change will be applied to the same version of the policy.

1655

#

1656

# **Important:** If you use IAM Conditions, you must include the `etag` field

1657

# whenever you call `setIamPolicy`. If you omit this field, then IAM allows

1658

# you to overwrite a version `3` policy with a version `1` policy, and all of

1659

# the conditions in the version `3` policy are lost.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1660

"version": 42, # Specifies the format of the policy.

1661

#

1662

# Valid values are `0`, `1`, and `3`. Requests that specify an invalid value

1663

# are rejected.

1664

#

1665

# Any operation that affects conditional role bindings must specify version

1666

# `3`. This requirement applies to the following operations:

1667

#

1668

# * Getting a policy that includes a conditional role binding

1669

# * Adding a conditional role binding to a policy

1670

# * Changing a conditional role binding in a policy

1671

# * Removing any role binding, with or without a condition, from a policy

1672

# that includes conditions

1673

#

1674

# **Important:** If you use IAM Conditions, you must include the `etag` field

1675

# whenever you call `setIamPolicy`. If you omit this field, then IAM allows

1676

# you to overwrite a version `3` policy with a version `1` policy, and all of

1677

# the conditions in the version `3` policy are lost.

1678

#

1679

# If a policy does not include any conditions, operations on that policy may

1680

# specify any valid version or leave the field unset.

1681

#

1682

# To learn which resources support conditions in their IAM policies, see the

1683

# [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies).

1684

"bindings": [ # Associates a list of `members` to a `role`. Optionally, may specify a

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

1685

# `condition` that determines how and when the `bindings` are applied. Each

1686

# of the `bindings` must contain at least one member.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1687

{ # Associates `members` with a `role`.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame^]

1688

"condition": { # Represents a textual expression in the Common Expression Language (CEL) # The condition that is associated with this binding.

1689

#

1690

# If the condition evaluates to `true`, then this binding applies to the

1691

# current request.

1692

#

1693

# If the condition evaluates to `false`, then this binding does not apply to

1694

# the current request. However, a different role binding might grant the same

1695

# role to one or more of the members in this binding.

1696

#

1697

# To learn which resources support conditions in their IAM policies, see the

1698

# [IAM

1699

# documentation](https://cloud.google.com/iam/help/conditions/resource-policies).

1700

# syntax. CEL is a C-like expression language. The syntax and semantics of CEL

1701

# are documented at https://github.com/google/cel-spec.

1702

#

1703

# Example (Comparison):

1704

#

1705

# title: "Summary size limit"

1706

# description: "Determines if a summary is less than 100 chars"

1707

# expression: "document.summary.size() < 100"

1708

#

1709

# Example (Equality):

1710

#

1711

# title: "Requestor is owner"

1712

# description: "Determines if requestor is the document owner"

1713

# expression: "document.owner == request.auth.claims.email"

#

# Example (Logic):

#

# title: "Public documents"

1718

# description: "Determine whether the document should be publicly visible"

1719

# expression: "document.type != 'private' && document.type != 'internal'"

1720

#

1721

# Example (Data Manipulation):

1722

#

1723

# title: "Notification string"

1724

# description: "Create a notification string with a timestamp."

1725

# expression: "'New message received at ' + string(document.create_time)"

1726

#

1727

# The exact variables and functions that may be referenced within an expression

1728

# are determined by the service that evaluates it. See the service

1729

# documentation for additional information.

1730

"description": "A String", # Optional. Description of the expression. This is a longer text which

1731

# describes the expression, e.g. when hovered over it in a UI.

1732

"expression": "A String", # Textual representation of an expression in Common Expression Language

1733

# syntax.

1734

"title": "A String", # Optional. Title for the expression, i.e. a short string describing

1735

# its purpose. This can be used e.g. in UIs which allow to enter the

1736

# expression.

1737

"location": "A String", # Optional. String indicating the location of the expression for error

1738

# reporting, e.g. a file name and a position in the file.

1739

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1740

"members": [ # Specifies the identities requesting access for a Cloud Platform resource.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1741

# `members` can have the following values:

1742

#

1743

# * `allUsers`: A special identifier that represents anyone who is

1744

# on the internet; with or without a Google account.

1745

#

1746

# * `allAuthenticatedUsers`: A special identifier that represents anyone

1747

# who is authenticated with a Google account or a service account.

1748

#

1749

# * `user:{emailid}`: An email address that represents a specific Google

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

1750

# account. For example, `alice@example.com` .

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1751

#

1752

#

1753

# * `serviceAccount:{emailid}`: An email address that represents a service

1754

# account. For example, `my-other-app@appspot.gserviceaccount.com`.

1755

#

1756

# * `group:{emailid}`: An email address that represents a Google group.

1757

# For example, `admins@example.com`.

1758

#

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

1759

# * `deleted:user:{emailid}?uid={uniqueid}`: An email address (plus unique

1760

# identifier) representing a user that has been recently deleted. For

1761

# example, `alice@example.com?uid=123456789012345678901`. If the user is

1762

# recovered, this value reverts to `user:{emailid}` and the recovered user

1763

# retains the role in the binding.

1764

#

1765

# * `deleted:serviceAccount:{emailid}?uid={uniqueid}`: An email address (plus

1766

# unique identifier) representing a service account that has been recently

1767

# deleted. For example,

1768

# `my-other-app@appspot.gserviceaccount.com?uid=123456789012345678901`.

1769

# If the service account is undeleted, this value reverts to

1770

# `serviceAccount:{emailid}` and the undeleted service account retains the

1771

# role in the binding.

1772

#

1773

# * `deleted:group:{emailid}?uid={uniqueid}`: An email address (plus unique

1774

# identifier) representing a Google group that has been recently

1775

# deleted. For example, `admins@example.com?uid=123456789012345678901`. If

1776

# the group is recovered, this value reverts to `group:{emailid}` and the

1777

# recovered group retains the role in the binding.

1778

#

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1779

#

1780

# * `domain:{domain}`: The G Suite domain (primary) that represents all the

1781

# users of that domain. For example, `google.com` or `example.com`.

1782

#

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1783

"A String",

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1784

],

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1785

"role": "A String", # Role that is assigned to `members`.

1786

# For example, `roles/viewer`, `roles/editor`, or `roles/owner`.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1787

},

1788

],

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

}</pre>

</div>

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1793

<code class="details" id="list">list(parent, pageToken=None, pageSize=None, filter=None, x__xgafv=None)</code>

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1794

<pre>Lists notes for the specified project.

1795

1796

Args:

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

1797

parent: string, Required. The name of the project to list notes for in the form of

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1798

`projects/[PROJECT_ID]`. (required)

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1799

pageToken: string, Token to provide to skip to a particular spot in the list.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1800

pageSize: integer, Number of notes to return in the list. Must be positive. Max allowed page

1801

size is 1000. If not specified, page size defaults to 20.

1802

filter: string, The filter expression.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1803

x__xgafv: string, V1 error format.

1804

Allowed values

1805

1 - v1 error format

1806

2 - v2 error format

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1807

1808

Returns:

1809

An object of the form:

1810

1811

{ # Response for listing notes.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1812

"notes": [ # The notes requested.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1813

{ # A type of analysis that can be done for a resource.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1814

"attestationAuthority": { # Note kind that represents a logical attestation "role" or "authority". For # A note describing an attestation role.

1815

# example, an organization might have one `Authority` for "QA" and one for

1816

# "build". This note is intended to act strictly as a grouping mechanism for

1817

# the attached occurrences (Attestations). This grouping mechanism also

1818

# provides a security boundary, since IAM ACLs gate the ability for a principle

1819

# to attach an occurrence to a given note. It also provides a single point of

1820

# lookup to find all attached attestation occurrences, even if they don't all

1821

# live in the same project.

1822

"hint": { # This submessage provides human-readable hints about the purpose of the # Hint hints at the purpose of the attestation authority.

1823

# authority. Because the name of a note acts as its resource reference, it is

1824

# important to disambiguate the canonical name of the Note (which might be a

1825

# UUID for security purposes) from "readable" names more suitable for debug

1826

# output. Note that these hints should not be used to look up authorities in

1827

# security sensitive contexts, such as when looking up attestations to

1828

# verify.

1829

"humanReadableName": "A String", # Required. The human readable name of this attestation authority, for

# example "qa".

},

},

"name": "A String", # Output only. The name of the note in the form of

1834

# `projects/[PROVIDER_ID]/notes/[NOTE_ID]`.

1835

"vulnerability": { # Vulnerability provides metadata about a security vulnerability in a Note. # A note describing a package vulnerability.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame^]

1836

"cvssV3": { # Common Vulnerability Scoring System version 3. # The full description of the CVSSv3.

1837

# For details, see https://www.first.org/cvss/specification-document

1838

"baseScore": 3.14, # The base score is a function of the base metric scores.

1839

"scope": "A String",

1840

"integrityImpact": "A String",

1841

"exploitabilityScore": 3.14,

1842

"impactScore": 3.14,

1843

"attackComplexity": "A String",

1844

"availabilityImpact": "A String",

1845

"privilegesRequired": "A String",

1846

"userInteraction": "A String",

1847

"attackVector": "A String", # Base Metrics

1848

# Represents the intrinsic characteristics of a vulnerability that are

1849

# constant over time and across user environments.

1850

"confidentialityImpact": "A String",

1851

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1852

"sourceUpdateTime": "A String", # The time this information was last changed at the source. This is an

1853

# upstream timestamp from the underlying information source - e.g. Ubuntu

1854

# security tracker.

1855

"windowsDetails": [ # Windows details get their own format because the information format and

1856

# model don't match a normal detail. Specifically Windows updates are done as

1857

# patches, thus Windows vulnerabilities really are a missing package, rather

1858

# than a package being at an incorrect version.

1859

{

1860

"name": "A String", # Required. The name of the vulnerability.

1861

"cpeUri": "A String", # Required. The CPE URI in

1862

# [cpe format](https://cpe.mitre.org/specification/) in which the

1863

# vulnerability manifests. Examples include distro or storage location for

1864

# vulnerable jar.

1865

"description": "A String", # The description of the vulnerability.

1866

"fixingKbs": [ # Required. The names of the KBs which have hotfixes to mitigate this

1867

# vulnerability. Note that there may be multiple hotfixes (and thus

1868

# multiple KBs) that mitigate a given vulnerability. Currently any listed

1869

# kb's presence is considered a fix.

1870

{

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame^]

1871

"name": "A String", # The KB name (generally of the form KB[0-9]+ i.e. KB123456).

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1872

"url": "A String", # A link to the KB in the Windows update catalog -

1873

# https://www.catalog.update.microsoft.com/

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

},

],

},

],

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1878

"details": [ # All information about the package to specifically identify this

1879

# vulnerability. One entry per (version range and cpe_uri) the package

1880

# vulnerability has manifested in.

1881

{ # Identifies all appearances of this vulnerability in the package for a

1882

# specific distro/location. For example: glibc in

1883

# cpe:/o:debian:debian_linux:8 for versions 2.1 - 2.2

1884

"isObsolete": True or False, # Whether this detail is obsolete. Occurrences are expected not to point to

1885

# obsolete details.

1886

"sourceUpdateTime": "A String", # The time this information was last changed at the source. This is an

1887

# upstream timestamp from the underlying information source - e.g. Ubuntu

1888

# security tracker.

1889

"packageType": "A String", # The type of package; whether native or non native(ruby gems, node.js

1890

# packages etc).

1891

"fixedLocation": { # The location of the vulnerability. # The fix for this specific package version.

1892

"package": "A String", # Required. The package being described.

1893

"version": { # Version contains structured information about the version of a package. # Required. The version of the package being described.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame^]

1894

"revision": "A String", # The iteration of the package build from the above version.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1895

"name": "A String", # Required only when version kind is NORMAL. The main part of the version

1896

# name.

1897

"kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal

1898

# versions.

1899

"epoch": 42, # Used to correct mistakes in the version numbering scheme.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1900

},

1901

"cpeUri": "A String", # Required. The CPE URI in [cpe format](https://cpe.mitre.org/specification/)

1902

# format. Examples include distro or storage location for vulnerable jar.

1903

},

1904

"cpeUri": "A String", # Required. The CPE URI in

1905

# [cpe format](https://cpe.mitre.org/specification/) in which the

1906

# vulnerability manifests. Examples include distro or storage location for

1907

# vulnerable jar.

1908

"description": "A String", # A vendor-specific description of this note.

1909

"severityName": "A String", # The severity (eg: distro assigned severity) for this vulnerability.

1910

"minAffectedVersion": { # Version contains structured information about the version of a package. # The min version of the package in which the vulnerability exists.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame^]

1911

"revision": "A String", # The iteration of the package build from the above version.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1912

"name": "A String", # Required only when version kind is NORMAL. The main part of the version

1913

# name.

1914

"kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal

1915

# versions.

1916

"epoch": 42, # Used to correct mistakes in the version numbering scheme.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1917

},

1918

"maxAffectedVersion": { # Version contains structured information about the version of a package. # The max version of the package in which the vulnerability exists.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame^]

1919

"revision": "A String", # The iteration of the package build from the above version.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1920

"name": "A String", # Required only when version kind is NORMAL. The main part of the version

1921

# name.

1922

"kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal

1923

# versions.

1924

"epoch": 42, # Used to correct mistakes in the version numbering scheme.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1925

},

1926

"package": "A String", # Required. The name of the package where the vulnerability was found.

1927

},

1928

],

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame^]

1929

"severity": "A String", # Note provider assigned impact of the vulnerability.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1930

"cvssScore": 3.14, # The CVSS score for this vulnerability.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1931

},

1932

"relatedNoteNames": [ # Other notes related to this note.

1933

"A String",

1934

],

1935

"build": { # Note holding the version of the provider's builder and the signature of the # A note describing build provenance for a verifiable build.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1936

# provenance message in the build details occurrence.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1937

"signature": { # Message encapsulating the signature of the verified build. # Signature of the build in occurrences pointing to this build note

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1938

# containing build details.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1939

"keyType": "A String", # The type of the key, either stored in `public_key` or referenced in

1940

# `key_id`.

1941

"signature": "A String", # Required. Signature of the related `BuildProvenance`. In JSON, this is

1942

# base-64 encoded.

1943

"publicKey": "A String", # Public key of the builder which can be used to verify that the related

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1944

# findings are valid and unchanged. If `key_type` is empty, this defaults

1945

# to PEM encoded public keys.

1946

#

1947

# This field may be empty if `key_id` references an external key.

1948

#

1949

# For Cloud Build based signatures, this is a PEM encoded public

1950

# key. To verify the Cloud Build signature, place the contents of

1951

# this field into a file (public.pem). The signature field is base64-decoded

1952

# into its binary representation in signature.bin, and the provenance bytes

1953

# from `BuildDetails` are base64-decoded into a binary representation in

1954

# signed.bin. OpenSSL can then verify the signature:

1955

# `openssl sha256 -verify public.pem -signature signature.bin signed.bin`

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1956

"keyId": "A String", # An ID for the key used to sign. This could be either an ID for the key

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1957

# stored in `public_key` (such as the ID or fingerprint for a PGP key, or the

1958

# CN for a cert), or a reference to an external key (such as a reference to a

1959

# key in Cloud Key Management Service).

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1960

},

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame^]

1961

"builderVersion": "A String", # Required. Immutable. Version of the builder which produced this build.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1962

},

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame^]

1963

"package": { # This represents a particular package that is distributed over various # A note describing a package hosted by various package managers.

1964

# channels. E.g., glibc (aka libc6) is distributed by many, at various

1965

# versions.

1966

"name": "A String", # Required. Immutable. The name of the package.

1967

"distribution": [ # The various channels by which a package is distributed.

1968

{ # This represents a particular channel of distribution for a given package.

1969

# E.g., Debian's jessie-backports dpkg mirror.

1970

"maintainer": "A String", # A freeform string denoting the maintainer of this package.

1971

"latestVersion": { # Version contains structured information about the version of a package. # The latest available version of this package in this distribution channel.

1972

"revision": "A String", # The iteration of the package build from the above version.

1973

"name": "A String", # Required only when version kind is NORMAL. The main part of the version

1974

# name.

1975

"kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal

1976

# versions.

1977

"epoch": 42, # Used to correct mistakes in the version numbering scheme.

1978

},

1979

"description": "A String", # The distribution channel-specific description of this package.

1980

"cpeUri": "A String", # Required. The cpe_uri in [CPE format](https://cpe.mitre.org/specification/)

1981

# denoting the package manager version distributing a package.

1982

"url": "A String", # The distribution channel-specific homepage for this package.

1983

"architecture": "A String", # The CPU architecture for which packages in this distribution channel were

# built.

},

],

},

"createTime": "A String", # Output only. The time this note was created. This field can be used as a

1989

# filter in list requests.

1990

"discovery": { # A note that indicates a type of analysis a provider would perform. This note # A note describing the initial analysis of a resource.

1991

# exists in a provider's project. A `Discovery` occurrence is created in a

1992

# consumer's project at the start of analysis.

1993

"analysisKind": "A String", # Required. Immutable. The kind of analysis that is handled by this

1994

# discovery.

1995

},

1996

"updateTime": "A String", # Output only. The time this note was last updated. This field can be used as

1997

# a filter in list requests.

1998

"intoto": { # This contains the fields corresponding to the definition of a software supply # A note describing an in-toto link.

1999

# chain step in an in-toto layout. This information goes into a Grafeas note.

2000

"expectedProducts": [

2001

{ # Defines an object to declare an in-toto artifact rule

"artifactRule": [

"A String",

],

},

],

"stepName": "A String", # This field identifies the name of the step in the supply chain.

2008

"signingKeys": [ # This field contains the public keys that can be used to verify the

2009

# signatures on the step metadata.

2010

{ # This defines the format used to record keys used in the software supply

2011

# chain. An in-toto link is attested using one or more keys defined in the

2012

# in-toto layout. An example of this is:

2013

# {

2014

# "key_id": "776a00e29f3559e0141b3b096f696abc6cfb0c657ab40f441132b345b0...",

2015

# "key_type": "rsa",

2016

# "public_key_value": "-----BEGIN PUBLIC KEY-----\nMIIBojANBgkqhkiG9w0B...",

2017

# "key_scheme": "rsassa-pss-sha256"

2018

# }

2019

# The format for in-toto's key definition can be found in section 4.2 of the

2020

# in-toto specification.

2021

"keyId": "A String", # key_id is an identifier for the signing key.

2022

"publicKeyValue": "A String", # This field contains the actual public key.

2023

"keyType": "A String", # This field identifies the specific signing method. Eg: "rsa", "ed25519",

2024

# and "ecdsa".

2025

"keyScheme": "A String", # This field contains the corresponding signature scheme.

2026

# Eg: "rsassa-pss-sha256".

2027

},

2028

],

2029

"threshold": "A String", # This field contains a value that indicates the minimum number of keys that

2030

# need to be used to sign the step's in-toto link.

2031

"expectedMaterials": [ # The following fields contain in-toto artifact rules identifying the

2032

# artifacts that enter this supply chain step, and exit the supply chain

2033

# step, i.e. materials and products of the step.

2034

{ # Defines an object to declare an in-toto artifact rule

"artifactRule": [

"A String",

],

},

],

"expectedCommand": [ # This field contains the expected command used to perform the step.

"A String",

],

},

"relatedUrl": [ # URLs associated with this note.

2045

{ # Metadata for any related URL information.

2046

"url": "A String", # Specific URL associated with the resource.

2047

"label": "A String", # Label to describe usage of the URL.

2048

},

2049

],

2050

"expirationTime": "A String", # Time of expiration for this note. Empty if note does not expire.

2051

"baseImage": { # Basis describes the base image portion (Note) of the DockerImage # A note describing a base image.

2052

# relationship. Linked occurrences are derived from this or an

2053

# equivalent image via:

2054

# FROM <Basis.resource_url>

2055

# Or an equivalent reference, e.g. a tag of the resource_url.

2056

"fingerprint": { # A set of properties that uniquely identify a given Docker image. # Required. Immutable. The fingerprint of the base image.

2057

"v2Blob": [ # Required. The ordered list of v2 blobs that represent a given image.

2058

"A String",

2059

],

2060

"v1Name": "A String", # Required. The layer ID of the final layer in the Docker image's v1

2061

# representation.

2062

"v2Name": "A String", # Output only. The name of the image's v2 blobs computed via:

2063

# [bottom] := v2_blobbottom := sha256(v2_blob[N] + " " + v2_name[N+1])

2064

# Only the name of the final blob is kept.

2065

},

2066

"resourceUrl": "A String", # Required. Immutable. The resource_url for the resource representing the

2067

# basis of associated occurrence images.

2068

},

2069

"kind": "A String", # Output only. The type of analysis. This field can be used as a filter in

2070

# list requests.

2071

"longDescription": "A String", # A detailed description of this note.

2072

"deployable": { # An artifact that can be deployed in some runtime. # A note describing something that can be deployed.

2073

"resourceUri": [ # Required. Resource URI for the artifact being deployed.

"A String",

],

},

"shortDescription": "A String", # A one sentence description of this note.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2078

},

2079

],

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame^]

2080

"nextPageToken": "A String", # The next pagination token in the list response. It should be used as

2081

# `page_token` for the following request. An empty value means no more

2082

# results.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

}</pre>

</div>

<code class="details" id="list_next">list_next(previous_request, previous_response)</code>

2088

<pre>Retrieves the next page of results.

2089

2090

Args:

2091

previous_request: The request for the previous page. (required)

2092

previous_response: The response from the request for the previous page. (required)

2093

2094

Returns:

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2095

A request object that you can call 'execute()' on to request the next

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2096

page. Returns None if there are no more items in the collection.

</pre>

</div>

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

2101

<code class="details" id="patch">patch(name, body=None, updateMask=None, x__xgafv=None)</code>

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2102

<pre>Updates the specified note.

2103

2104

Args:

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

2105

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2106

`projects/[PROVIDER_ID]/notes/[NOTE_ID]`. (required)

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

2107

body: object, The request body.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2108

The object takes the form of:

2109

2110

{ # A type of analysis that can be done for a resource.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2111

"attestationAuthority": { # Note kind that represents a logical attestation "role" or "authority". For # A note describing an attestation role.

2112

# example, an organization might have one `Authority` for "QA" and one for

2113

# "build". This note is intended to act strictly as a grouping mechanism for

2114

# the attached occurrences (Attestations). This grouping mechanism also

2115

# provides a security boundary, since IAM ACLs gate the ability for a principle

2116

# to attach an occurrence to a given note. It also provides a single point of

2117

# lookup to find all attached attestation occurrences, even if they don't all

2118

# live in the same project.

2119

"hint": { # This submessage provides human-readable hints about the purpose of the # Hint hints at the purpose of the attestation authority.

2120

# authority. Because the name of a note acts as its resource reference, it is

2121

# important to disambiguate the canonical name of the Note (which might be a

2122

# UUID for security purposes) from "readable" names more suitable for debug

2123

# output. Note that these hints should not be used to look up authorities in

2124

# security sensitive contexts, such as when looking up attestations to

2125

# verify.

2126

"humanReadableName": "A String", # Required. The human readable name of this attestation authority, for

# example "qa".

},

},

"name": "A String", # Output only. The name of the note in the form of

2131

# `projects/[PROVIDER_ID]/notes/[NOTE_ID]`.

2132

"vulnerability": { # Vulnerability provides metadata about a security vulnerability in a Note. # A note describing a package vulnerability.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame^]

2133

"cvssV3": { # Common Vulnerability Scoring System version 3. # The full description of the CVSSv3.

2134

# For details, see https://www.first.org/cvss/specification-document

2135

"baseScore": 3.14, # The base score is a function of the base metric scores.

2136

"scope": "A String",

2137

"integrityImpact": "A String",

2138

"exploitabilityScore": 3.14,

2139

"impactScore": 3.14,

2140

"attackComplexity": "A String",

2141

"availabilityImpact": "A String",

2142

"privilegesRequired": "A String",

2143

"userInteraction": "A String",

2144

"attackVector": "A String", # Base Metrics

2145

# Represents the intrinsic characteristics of a vulnerability that are

2146

# constant over time and across user environments.

2147

"confidentialityImpact": "A String",

2148

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2149

"sourceUpdateTime": "A String", # The time this information was last changed at the source. This is an

2150

# upstream timestamp from the underlying information source - e.g. Ubuntu

2151

# security tracker.

2152

"windowsDetails": [ # Windows details get their own format because the information format and

2153

# model don't match a normal detail. Specifically Windows updates are done as

2154

# patches, thus Windows vulnerabilities really are a missing package, rather

2155

# than a package being at an incorrect version.

2156

{

2157

"name": "A String", # Required. The name of the vulnerability.

2158

"cpeUri": "A String", # Required. The CPE URI in

2159

# [cpe format](https://cpe.mitre.org/specification/) in which the

2160

# vulnerability manifests. Examples include distro or storage location for

2161

# vulnerable jar.

2162

"description": "A String", # The description of the vulnerability.

2163

"fixingKbs": [ # Required. The names of the KBs which have hotfixes to mitigate this

2164

# vulnerability. Note that there may be multiple hotfixes (and thus

2165

# multiple KBs) that mitigate a given vulnerability. Currently any listed

2166

# kb's presence is considered a fix.

2167

{

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame^]

2168

"name": "A String", # The KB name (generally of the form KB[0-9]+ i.e. KB123456).

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2169

"url": "A String", # A link to the KB in the Windows update catalog -

2170

# https://www.catalog.update.microsoft.com/

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

},

],

},

],

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2175

"details": [ # All information about the package to specifically identify this

2176

# vulnerability. One entry per (version range and cpe_uri) the package

2177

# vulnerability has manifested in.

2178

{ # Identifies all appearances of this vulnerability in the package for a

2179

# specific distro/location. For example: glibc in

2180

# cpe:/o:debian:debian_linux:8 for versions 2.1 - 2.2

2181

"isObsolete": True or False, # Whether this detail is obsolete. Occurrences are expected not to point to

2182

# obsolete details.

2183

"sourceUpdateTime": "A String", # The time this information was last changed at the source. This is an

2184

# upstream timestamp from the underlying information source - e.g. Ubuntu

2185

# security tracker.

2186

"packageType": "A String", # The type of package; whether native or non native(ruby gems, node.js

2187

# packages etc).

2188

"fixedLocation": { # The location of the vulnerability. # The fix for this specific package version.

2189

"package": "A String", # Required. The package being described.

2190

"version": { # Version contains structured information about the version of a package. # Required. The version of the package being described.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame^]

2191

"revision": "A String", # The iteration of the package build from the above version.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2192

"name": "A String", # Required only when version kind is NORMAL. The main part of the version

2193

# name.

2194

"kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal

2195

# versions.

2196

"epoch": 42, # Used to correct mistakes in the version numbering scheme.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2197

},

2198

"cpeUri": "A String", # Required. The CPE URI in [cpe format](https://cpe.mitre.org/specification/)

2199

# format. Examples include distro or storage location for vulnerable jar.

2200

},

2201

"cpeUri": "A String", # Required. The CPE URI in

2202

# [cpe format](https://cpe.mitre.org/specification/) in which the

2203

# vulnerability manifests. Examples include distro or storage location for

2204

# vulnerable jar.

2205

"description": "A String", # A vendor-specific description of this note.

2206

"severityName": "A String", # The severity (eg: distro assigned severity) for this vulnerability.

2207

"minAffectedVersion": { # Version contains structured information about the version of a package. # The min version of the package in which the vulnerability exists.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame^]

2208

"revision": "A String", # The iteration of the package build from the above version.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2209

"name": "A String", # Required only when version kind is NORMAL. The main part of the version

2210

# name.

2211

"kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal

2212

# versions.

2213

"epoch": 42, # Used to correct mistakes in the version numbering scheme.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2214

},

2215

"maxAffectedVersion": { # Version contains structured information about the version of a package. # The max version of the package in which the vulnerability exists.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame^]

2216

"revision": "A String", # The iteration of the package build from the above version.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2217

"name": "A String", # Required only when version kind is NORMAL. The main part of the version

2218

# name.

2219

"kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal

2220

# versions.

2221

"epoch": 42, # Used to correct mistakes in the version numbering scheme.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2222

},

2223

"package": "A String", # Required. The name of the package where the vulnerability was found.

2224

},

2225

],

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame^]

2226

"severity": "A String", # Note provider assigned impact of the vulnerability.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2227

"cvssScore": 3.14, # The CVSS score for this vulnerability.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2228

},

2229

"relatedNoteNames": [ # Other notes related to this note.

2230

"A String",

2231

],

2232

"build": { # Note holding the version of the provider's builder and the signature of the # A note describing build provenance for a verifiable build.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2233

# provenance message in the build details occurrence.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2234

"signature": { # Message encapsulating the signature of the verified build. # Signature of the build in occurrences pointing to this build note

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2235

# containing build details.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2236

"keyType": "A String", # The type of the key, either stored in `public_key` or referenced in

2237

# `key_id`.

2238

"signature": "A String", # Required. Signature of the related `BuildProvenance`. In JSON, this is

2239

# base-64 encoded.

2240

"publicKey": "A String", # Public key of the builder which can be used to verify that the related

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2241

# findings are valid and unchanged. If `key_type` is empty, this defaults

2242

# to PEM encoded public keys.

2243

#

2244

# This field may be empty if `key_id` references an external key.

2245

#

2246

# For Cloud Build based signatures, this is a PEM encoded public

2247

# key. To verify the Cloud Build signature, place the contents of

2248

# this field into a file (public.pem). The signature field is base64-decoded

2249

# into its binary representation in signature.bin, and the provenance bytes

2250

# from `BuildDetails` are base64-decoded into a binary representation in

2251

# signed.bin. OpenSSL can then verify the signature:

2252

# `openssl sha256 -verify public.pem -signature signature.bin signed.bin`

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2253

"keyId": "A String", # An ID for the key used to sign. This could be either an ID for the key

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2254

# stored in `public_key` (such as the ID or fingerprint for a PGP key, or the

2255

# CN for a cert), or a reference to an external key (such as a reference to a

2256

# key in Cloud Key Management Service).

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2257

},

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame^]

2258

"builderVersion": "A String", # Required. Immutable. Version of the builder which produced this build.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2259

},

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame^]

2260

"package": { # This represents a particular package that is distributed over various # A note describing a package hosted by various package managers.

2261

# channels. E.g., glibc (aka libc6) is distributed by many, at various

2262

# versions.

2263

"name": "A String", # Required. Immutable. The name of the package.

2264

"distribution": [ # The various channels by which a package is distributed.

2265

{ # This represents a particular channel of distribution for a given package.

2266

# E.g., Debian's jessie-backports dpkg mirror.

2267

"maintainer": "A String", # A freeform string denoting the maintainer of this package.

2268

"latestVersion": { # Version contains structured information about the version of a package. # The latest available version of this package in this distribution channel.

2269

"revision": "A String", # The iteration of the package build from the above version.

2270

"name": "A String", # Required only when version kind is NORMAL. The main part of the version

2271

# name.

2272

"kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal

2273

# versions.

2274

"epoch": 42, # Used to correct mistakes in the version numbering scheme.

2275

},

2276

"description": "A String", # The distribution channel-specific description of this package.

2277

"cpeUri": "A String", # Required. The cpe_uri in [CPE format](https://cpe.mitre.org/specification/)

2278

# denoting the package manager version distributing a package.

2279

"url": "A String", # The distribution channel-specific homepage for this package.

2280

"architecture": "A String", # The CPU architecture for which packages in this distribution channel were

# built.

},

],

},

"createTime": "A String", # Output only. The time this note was created. This field can be used as a

2286

# filter in list requests.

2287

"discovery": { # A note that indicates a type of analysis a provider would perform. This note # A note describing the initial analysis of a resource.

2288

# exists in a provider's project. A `Discovery` occurrence is created in a

2289

# consumer's project at the start of analysis.

2290

"analysisKind": "A String", # Required. Immutable. The kind of analysis that is handled by this

2291

# discovery.

2292

},

2293

"updateTime": "A String", # Output only. The time this note was last updated. This field can be used as

2294

# a filter in list requests.

2295

"intoto": { # This contains the fields corresponding to the definition of a software supply # A note describing an in-toto link.

2296

# chain step in an in-toto layout. This information goes into a Grafeas note.

2297

"expectedProducts": [

2298

{ # Defines an object to declare an in-toto artifact rule

"artifactRule": [

"A String",

],

},

],

"stepName": "A String", # This field identifies the name of the step in the supply chain.

2305

"signingKeys": [ # This field contains the public keys that can be used to verify the

2306

# signatures on the step metadata.

2307

{ # This defines the format used to record keys used in the software supply

2308

# chain. An in-toto link is attested using one or more keys defined in the

2309

# in-toto layout. An example of this is:

2310

# {

2311

# "key_id": "776a00e29f3559e0141b3b096f696abc6cfb0c657ab40f441132b345b0...",

2312

# "key_type": "rsa",

2313

# "public_key_value": "-----BEGIN PUBLIC KEY-----\nMIIBojANBgkqhkiG9w0B...",

2314

# "key_scheme": "rsassa-pss-sha256"

2315

# }

2316

# The format for in-toto's key definition can be found in section 4.2 of the

2317

# in-toto specification.

2318

"keyId": "A String", # key_id is an identifier for the signing key.

2319

"publicKeyValue": "A String", # This field contains the actual public key.

2320

"keyType": "A String", # This field identifies the specific signing method. Eg: "rsa", "ed25519",

2321

# and "ecdsa".

2322

"keyScheme": "A String", # This field contains the corresponding signature scheme.

2323

# Eg: "rsassa-pss-sha256".

2324

},

2325

],

2326

"threshold": "A String", # This field contains a value that indicates the minimum number of keys that

2327

# need to be used to sign the step's in-toto link.

2328

"expectedMaterials": [ # The following fields contain in-toto artifact rules identifying the

2329

# artifacts that enter this supply chain step, and exit the supply chain

2330

# step, i.e. materials and products of the step.

2331

{ # Defines an object to declare an in-toto artifact rule

"artifactRule": [

"A String",

],

},

],

"expectedCommand": [ # This field contains the expected command used to perform the step.

"A String",

],

},

"relatedUrl": [ # URLs associated with this note.

2342

{ # Metadata for any related URL information.

2343

"url": "A String", # Specific URL associated with the resource.

2344

"label": "A String", # Label to describe usage of the URL.

2345

},

2346

],

2347

"expirationTime": "A String", # Time of expiration for this note. Empty if note does not expire.

2348

"baseImage": { # Basis describes the base image portion (Note) of the DockerImage # A note describing a base image.

2349

# relationship. Linked occurrences are derived from this or an

2350

# equivalent image via:

2351

# FROM <Basis.resource_url>

2352

# Or an equivalent reference, e.g. a tag of the resource_url.

2353

"fingerprint": { # A set of properties that uniquely identify a given Docker image. # Required. Immutable. The fingerprint of the base image.

2354

"v2Blob": [ # Required. The ordered list of v2 blobs that represent a given image.

2355

"A String",

2356

],

2357

"v1Name": "A String", # Required. The layer ID of the final layer in the Docker image's v1

2358

# representation.

2359

"v2Name": "A String", # Output only. The name of the image's v2 blobs computed via:

2360

# [bottom] := v2_blobbottom := sha256(v2_blob[N] + " " + v2_name[N+1])

2361

# Only the name of the final blob is kept.

2362

},

2363

"resourceUrl": "A String", # Required. Immutable. The resource_url for the resource representing the

2364

# basis of associated occurrence images.

2365

},

2366

"kind": "A String", # Output only. The type of analysis. This field can be used as a filter in

2367

# list requests.

2368

"longDescription": "A String", # A detailed description of this note.

2369

"deployable": { # An artifact that can be deployed in some runtime. # A note describing something that can be deployed.

2370

"resourceUri": [ # Required. Resource URI for the artifact being deployed.

"A String",

],

},

"shortDescription": "A String", # A one sentence description of this note.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2375

}

2376

2377

updateMask: string, The fields to update.

2378

x__xgafv: string, V1 error format.

Allowed values

1 - v1 error format

2 - v2 error format

Returns:

An object of the form:

2385

2386

{ # A type of analysis that can be done for a resource.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2387

"attestationAuthority": { # Note kind that represents a logical attestation "role" or "authority". For # A note describing an attestation role.

2388

# example, an organization might have one `Authority` for "QA" and one for

2389

# "build". This note is intended to act strictly as a grouping mechanism for

2390

# the attached occurrences (Attestations). This grouping mechanism also

2391

# provides a security boundary, since IAM ACLs gate the ability for a principle

2392

# to attach an occurrence to a given note. It also provides a single point of

2393

# lookup to find all attached attestation occurrences, even if they don't all

2394

# live in the same project.

2395

"hint": { # This submessage provides human-readable hints about the purpose of the # Hint hints at the purpose of the attestation authority.

2396

# authority. Because the name of a note acts as its resource reference, it is

2397

# important to disambiguate the canonical name of the Note (which might be a

2398

# UUID for security purposes) from "readable" names more suitable for debug

2399

# output. Note that these hints should not be used to look up authorities in

2400

# security sensitive contexts, such as when looking up attestations to

2401

# verify.

2402

"humanReadableName": "A String", # Required. The human readable name of this attestation authority, for

# example "qa".

},

},

"name": "A String", # Output only. The name of the note in the form of

2407

# `projects/[PROVIDER_ID]/notes/[NOTE_ID]`.

2408

"vulnerability": { # Vulnerability provides metadata about a security vulnerability in a Note. # A note describing a package vulnerability.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame^]

2409

"cvssV3": { # Common Vulnerability Scoring System version 3. # The full description of the CVSSv3.

2410

# For details, see https://www.first.org/cvss/specification-document

2411

"baseScore": 3.14, # The base score is a function of the base metric scores.

2412

"scope": "A String",

2413

"integrityImpact": "A String",

2414

"exploitabilityScore": 3.14,

2415

"impactScore": 3.14,

2416

"attackComplexity": "A String",

2417

"availabilityImpact": "A String",

2418

"privilegesRequired": "A String",

2419

"userInteraction": "A String",

2420

"attackVector": "A String", # Base Metrics

2421

# Represents the intrinsic characteristics of a vulnerability that are

2422

# constant over time and across user environments.

2423

"confidentialityImpact": "A String",

2424

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2425

"sourceUpdateTime": "A String", # The time this information was last changed at the source. This is an

2426

# upstream timestamp from the underlying information source - e.g. Ubuntu

2427

# security tracker.

2428

"windowsDetails": [ # Windows details get their own format because the information format and

2429

# model don't match a normal detail. Specifically Windows updates are done as

2430

# patches, thus Windows vulnerabilities really are a missing package, rather

2431

# than a package being at an incorrect version.

2432

{

2433

"name": "A String", # Required. The name of the vulnerability.

2434

"cpeUri": "A String", # Required. The CPE URI in

2435

# [cpe format](https://cpe.mitre.org/specification/) in which the

2436

# vulnerability manifests. Examples include distro or storage location for

2437

# vulnerable jar.

2438

"description": "A String", # The description of the vulnerability.

2439

"fixingKbs": [ # Required. The names of the KBs which have hotfixes to mitigate this

2440

# vulnerability. Note that there may be multiple hotfixes (and thus

2441

# multiple KBs) that mitigate a given vulnerability. Currently any listed

2442

# kb's presence is considered a fix.

2443

{

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame^]

2444

"name": "A String", # The KB name (generally of the form KB[0-9]+ i.e. KB123456).

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2445

"url": "A String", # A link to the KB in the Windows update catalog -

2446

# https://www.catalog.update.microsoft.com/

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

},

],

},

],

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2451

"details": [ # All information about the package to specifically identify this

2452

# vulnerability. One entry per (version range and cpe_uri) the package

2453

# vulnerability has manifested in.

2454

{ # Identifies all appearances of this vulnerability in the package for a

2455

# specific distro/location. For example: glibc in

2456

# cpe:/o:debian:debian_linux:8 for versions 2.1 - 2.2

2457

"isObsolete": True or False, # Whether this detail is obsolete. Occurrences are expected not to point to

2458

# obsolete details.

2459

"sourceUpdateTime": "A String", # The time this information was last changed at the source. This is an

2460

# upstream timestamp from the underlying information source - e.g. Ubuntu

2461

# security tracker.

2462

"packageType": "A String", # The type of package; whether native or non native(ruby gems, node.js

2463

# packages etc).

2464

"fixedLocation": { # The location of the vulnerability. # The fix for this specific package version.

2465

"package": "A String", # Required. The package being described.

2466

"version": { # Version contains structured information about the version of a package. # Required. The version of the package being described.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame^]

2467

"revision": "A String", # The iteration of the package build from the above version.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2468

"name": "A String", # Required only when version kind is NORMAL. The main part of the version

2469

# name.

2470

"kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal

2471

# versions.

2472

"epoch": 42, # Used to correct mistakes in the version numbering scheme.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2473

},

2474

"cpeUri": "A String", # Required. The CPE URI in [cpe format](https://cpe.mitre.org/specification/)

2475

# format. Examples include distro or storage location for vulnerable jar.

2476

},

2477

"cpeUri": "A String", # Required. The CPE URI in

2478

# [cpe format](https://cpe.mitre.org/specification/) in which the

2479

# vulnerability manifests. Examples include distro or storage location for

2480

# vulnerable jar.

2481

"description": "A String", # A vendor-specific description of this note.

2482

"severityName": "A String", # The severity (eg: distro assigned severity) for this vulnerability.

2483

"minAffectedVersion": { # Version contains structured information about the version of a package. # The min version of the package in which the vulnerability exists.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame^]

2484

"revision": "A String", # The iteration of the package build from the above version.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2485

"name": "A String", # Required only when version kind is NORMAL. The main part of the version

2486

# name.

2487

"kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal

2488

# versions.

2489

"epoch": 42, # Used to correct mistakes in the version numbering scheme.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2490

},

2491

"maxAffectedVersion": { # Version contains structured information about the version of a package. # The max version of the package in which the vulnerability exists.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame^]

2492

"revision": "A String", # The iteration of the package build from the above version.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2493

"name": "A String", # Required only when version kind is NORMAL. The main part of the version

2494

# name.

2495

"kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal

2496

# versions.

2497

"epoch": 42, # Used to correct mistakes in the version numbering scheme.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2498

},

2499

"package": "A String", # Required. The name of the package where the vulnerability was found.

2500

},

2501

],

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame^]

2502

"severity": "A String", # Note provider assigned impact of the vulnerability.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2503

"cvssScore": 3.14, # The CVSS score for this vulnerability.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2504

},

2505

"relatedNoteNames": [ # Other notes related to this note.

2506

"A String",

2507

],

2508

"build": { # Note holding the version of the provider's builder and the signature of the # A note describing build provenance for a verifiable build.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2509

# provenance message in the build details occurrence.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2510

"signature": { # Message encapsulating the signature of the verified build. # Signature of the build in occurrences pointing to this build note

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2511

# containing build details.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2512

"keyType": "A String", # The type of the key, either stored in `public_key` or referenced in

2513

# `key_id`.

2514

"signature": "A String", # Required. Signature of the related `BuildProvenance`. In JSON, this is

2515

# base-64 encoded.

2516

"publicKey": "A String", # Public key of the builder which can be used to verify that the related

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2517

# findings are valid and unchanged. If `key_type` is empty, this defaults

2518

# to PEM encoded public keys.

2519

#

2520

# This field may be empty if `key_id` references an external key.

2521

#

2522

# For Cloud Build based signatures, this is a PEM encoded public

2523

# key. To verify the Cloud Build signature, place the contents of

2524

# this field into a file (public.pem). The signature field is base64-decoded

2525

# into its binary representation in signature.bin, and the provenance bytes

2526

# from `BuildDetails` are base64-decoded into a binary representation in

2527

# signed.bin. OpenSSL can then verify the signature:

2528

# `openssl sha256 -verify public.pem -signature signature.bin signed.bin`

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2529

"keyId": "A String", # An ID for the key used to sign. This could be either an ID for the key

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2530

# stored in `public_key` (such as the ID or fingerprint for a PGP key, or the

2531

# CN for a cert), or a reference to an external key (such as a reference to a

2532

# key in Cloud Key Management Service).

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2533

},

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame^]

2534

"builderVersion": "A String", # Required. Immutable. Version of the builder which produced this build.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2535

},

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame^]

2536

"package": { # This represents a particular package that is distributed over various # A note describing a package hosted by various package managers.

2537

# channels. E.g., glibc (aka libc6) is distributed by many, at various

2538

# versions.

2539

"name": "A String", # Required. Immutable. The name of the package.

2540

"distribution": [ # The various channels by which a package is distributed.

2541

{ # This represents a particular channel of distribution for a given package.

2542

# E.g., Debian's jessie-backports dpkg mirror.

2543

"maintainer": "A String", # A freeform string denoting the maintainer of this package.

2544

"latestVersion": { # Version contains structured information about the version of a package. # The latest available version of this package in this distribution channel.

2545

"revision": "A String", # The iteration of the package build from the above version.

2546

"name": "A String", # Required only when version kind is NORMAL. The main part of the version

2547

# name.

2548

"kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal

2549

# versions.

2550

"epoch": 42, # Used to correct mistakes in the version numbering scheme.

2551

},

2552

"description": "A String", # The distribution channel-specific description of this package.

2553

"cpeUri": "A String", # Required. The cpe_uri in [CPE format](https://cpe.mitre.org/specification/)

2554

# denoting the package manager version distributing a package.

2555

"url": "A String", # The distribution channel-specific homepage for this package.

2556

"architecture": "A String", # The CPU architecture for which packages in this distribution channel were

# built.

},

],

},

"createTime": "A String", # Output only. The time this note was created. This field can be used as a

2562

# filter in list requests.

2563

"discovery": { # A note that indicates a type of analysis a provider would perform. This note # A note describing the initial analysis of a resource.

2564

# exists in a provider's project. A `Discovery` occurrence is created in a

2565

# consumer's project at the start of analysis.

2566

"analysisKind": "A String", # Required. Immutable. The kind of analysis that is handled by this

2567

# discovery.

2568

},

2569

"updateTime": "A String", # Output only. The time this note was last updated. This field can be used as

2570

# a filter in list requests.

2571

"intoto": { # This contains the fields corresponding to the definition of a software supply # A note describing an in-toto link.

2572

# chain step in an in-toto layout. This information goes into a Grafeas note.

2573

"expectedProducts": [

2574

{ # Defines an object to declare an in-toto artifact rule

"artifactRule": [

"A String",

],

},

],

"stepName": "A String", # This field identifies the name of the step in the supply chain.

2581

"signingKeys": [ # This field contains the public keys that can be used to verify the

2582

# signatures on the step metadata.

2583

{ # This defines the format used to record keys used in the software supply

2584

# chain. An in-toto link is attested using one or more keys defined in the

2585

# in-toto layout. An example of this is:

2586

# {

2587

# "key_id": "776a00e29f3559e0141b3b096f696abc6cfb0c657ab40f441132b345b0...",

2588

# "key_type": "rsa",

2589

# "public_key_value": "-----BEGIN PUBLIC KEY-----\nMIIBojANBgkqhkiG9w0B...",

2590

# "key_scheme": "rsassa-pss-sha256"

2591

# }

2592

# The format for in-toto's key definition can be found in section 4.2 of the

2593

# in-toto specification.

2594

"keyId": "A String", # key_id is an identifier for the signing key.

2595

"publicKeyValue": "A String", # This field contains the actual public key.

2596

"keyType": "A String", # This field identifies the specific signing method. Eg: "rsa", "ed25519",

2597

# and "ecdsa".

2598

"keyScheme": "A String", # This field contains the corresponding signature scheme.

2599

# Eg: "rsassa-pss-sha256".

2600

},

2601

],

2602

"threshold": "A String", # This field contains a value that indicates the minimum number of keys that

2603

# need to be used to sign the step's in-toto link.

2604

"expectedMaterials": [ # The following fields contain in-toto artifact rules identifying the

2605

# artifacts that enter this supply chain step, and exit the supply chain

2606

# step, i.e. materials and products of the step.

2607

{ # Defines an object to declare an in-toto artifact rule

"artifactRule": [

"A String",

],

},

],

"expectedCommand": [ # This field contains the expected command used to perform the step.

"A String",

],

},

"relatedUrl": [ # URLs associated with this note.

2618

{ # Metadata for any related URL information.

2619

"url": "A String", # Specific URL associated with the resource.

2620

"label": "A String", # Label to describe usage of the URL.

2621

},

2622

],

2623

"expirationTime": "A String", # Time of expiration for this note. Empty if note does not expire.

2624

"baseImage": { # Basis describes the base image portion (Note) of the DockerImage # A note describing a base image.

2625

# relationship. Linked occurrences are derived from this or an

2626

# equivalent image via:

2627

# FROM <Basis.resource_url>

2628

# Or an equivalent reference, e.g. a tag of the resource_url.

2629

"fingerprint": { # A set of properties that uniquely identify a given Docker image. # Required. Immutable. The fingerprint of the base image.

2630

"v2Blob": [ # Required. The ordered list of v2 blobs that represent a given image.

2631

"A String",

2632

],

2633

"v1Name": "A String", # Required. The layer ID of the final layer in the Docker image's v1

2634

# representation.

2635

"v2Name": "A String", # Output only. The name of the image's v2 blobs computed via:

2636

# [bottom] := v2_blobbottom := sha256(v2_blob[N] + " " + v2_name[N+1])

2637

# Only the name of the final blob is kept.

2638

},

2639

"resourceUrl": "A String", # Required. Immutable. The resource_url for the resource representing the

2640

# basis of associated occurrence images.

2641

},

2642

"kind": "A String", # Output only. The type of analysis. This field can be used as a filter in

2643

# list requests.

2644

"longDescription": "A String", # A detailed description of this note.

2645

"deployable": { # An artifact that can be deployed in some runtime. # A note describing something that can be deployed.

2646

"resourceUri": [ # Required. Resource URI for the artifact being deployed.

"A String",

],

},

"shortDescription": "A String", # A one sentence description of this note.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

}</pre>

</div>

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

2655

<code class="details" id="setIamPolicy">setIamPolicy(resource, body=None, x__xgafv=None)</code>

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2656

<pre>Sets the access control policy on the specified note or occurrence.

2657

Requires `containeranalysis.notes.setIamPolicy` or

2658

`containeranalysis.occurrences.setIamPolicy` permission if the resource is

2659

a note or an occurrence, respectively.

2660

2661

The resource takes the format `projects/[PROJECT_ID]/notes/[NOTE_ID]` for

2662

notes and `projects/[PROJECT_ID]/occurrences/[OCCURRENCE_ID]` for

occurrences.

Args:

resource: string, REQUIRED: The resource for which the policy is being specified.

2667

See the operation documentation for the appropriate value for this field. (required)

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

2668

body: object, The request body.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2669

The object takes the form of:

2670

2671

{ # Request message for `SetIamPolicy` method.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2672

"policy": { # An Identity and Access Management (IAM) policy, which specifies access # REQUIRED: The complete policy to be applied to the `resource`. The size of

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2673

# the policy is limited to a few 10s of KB. An empty policy is a

2674

# valid policy but certain Cloud Platform services (such as Projects)

2675

# might reject them.

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

2676

# controls for Google Cloud resources.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2677

#

2678

#

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

2679

# A `Policy` is a collection of `bindings`. A `binding` binds one or more

2680

# `members` to a single `role`. Members can be user accounts, service accounts,

2681

# Google groups, and domains (such as G Suite). A `role` is a named list of

2682

# permissions; each `role` can be an IAM predefined role or a user-created

2683

# custom role.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2684

#

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2685

# For some types of Google Cloud resources, a `binding` can also specify a

2686

# `condition`, which is a logical expression that allows access to a resource

2687

# only if the expression evaluates to `true`. A condition can add constraints

2688

# based on attributes of the request, the resource, or both. To learn which

2689

# resources support conditions in their IAM policies, see the

2690

# [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies).

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

2691

#

2692

# **JSON example:**

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2693

#

2694

# {

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2695

# "bindings": [

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2696

# {

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2697

# "role": "roles/resourcemanager.organizationAdmin",

2698

# "members": [

2699

# "user:mike@example.com",

2700

# "group:admins@example.com",

2701

# "domain:google.com",

2702

# "serviceAccount:my-project-id@appspot.gserviceaccount.com"

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2703

# ]

2704

# },

2705

# {

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2706

# "role": "roles/resourcemanager.organizationViewer",

2707

# "members": [

2708

# "user:eve@example.com"

2709

# ],

2710

# "condition": {

2711

# "title": "expirable access",

2712

# "description": "Does not grant access after Sep 2020",

2713

# "expression": "request.time < timestamp('2020-10-01T00:00:00.000Z')",

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

2714

# }

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2715

# }

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

2716

# ],

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2717

# "etag": "BwWWja0YfJA=",

2718

# "version": 3

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2719

# }

2720

#

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

2721

# **YAML example:**

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

#

# bindings:

# - members:

# - user:mike@example.com

2726

# - group:admins@example.com

2727

# - domain:google.com

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

2728

# - serviceAccount:my-project-id@appspot.gserviceaccount.com

2729

# role: roles/resourcemanager.organizationAdmin

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2730

# - members:

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

2731

# - user:eve@example.com

2732

# role: roles/resourcemanager.organizationViewer

2733

# condition:

2734

# title: expirable access

2735

# description: Does not grant access after Sep 2020

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2736

# expression: request.time < timestamp('2020-10-01T00:00:00.000Z')

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

2737

# - etag: BwWWja0YfJA=

2738

# - version: 3

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2739

#

2740

# For a description of IAM and its features, see the

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

2741

# [IAM documentation](https://cloud.google.com/iam/docs/).

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame^]

2742

"etag": "A String", # `etag` is used for optimistic concurrency control as a way to help

2743

# prevent simultaneous updates of a policy from overwriting each other.

2744

# It is strongly suggested that systems make use of the `etag` in the

2745

# read-modify-write cycle to perform policy updates in order to avoid race

2746

# conditions: An `etag` is returned in the response to `getIamPolicy`, and

2747

# systems are expected to put that etag in the request to `setIamPolicy` to

2748

# ensure that their change will be applied to the same version of the policy.

2749

#

2750

# **Important:** If you use IAM Conditions, you must include the `etag` field

2751

# whenever you call `setIamPolicy`. If you omit this field, then IAM allows

2752

# you to overwrite a version `3` policy with a version `1` policy, and all of

2753

# the conditions in the version `3` policy are lost.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2754

"version": 42, # Specifies the format of the policy.

2755

#

2756

# Valid values are `0`, `1`, and `3`. Requests that specify an invalid value

2757

# are rejected.

2758

#

2759

# Any operation that affects conditional role bindings must specify version

2760

# `3`. This requirement applies to the following operations:

2761

#

2762

# * Getting a policy that includes a conditional role binding

2763

# * Adding a conditional role binding to a policy

2764

# * Changing a conditional role binding in a policy

2765

# * Removing any role binding, with or without a condition, from a policy

2766

# that includes conditions

2767

#

2768

# **Important:** If you use IAM Conditions, you must include the `etag` field

2769

# whenever you call `setIamPolicy`. If you omit this field, then IAM allows

2770

# you to overwrite a version `3` policy with a version `1` policy, and all of

2771

# the conditions in the version `3` policy are lost.

2772

#

2773

# If a policy does not include any conditions, operations on that policy may

2774

# specify any valid version or leave the field unset.

2775

#

2776

# To learn which resources support conditions in their IAM policies, see the

2777

# [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies).

2778

"bindings": [ # Associates a list of `members` to a `role`. Optionally, may specify a

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

2779

# `condition` that determines how and when the `bindings` are applied. Each

2780

# of the `bindings` must contain at least one member.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2781

{ # Associates `members` with a `role`.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame^]

2782

"condition": { # Represents a textual expression in the Common Expression Language (CEL) # The condition that is associated with this binding.

2783

#

2784

# If the condition evaluates to `true`, then this binding applies to the

2785

# current request.

2786

#

2787

# If the condition evaluates to `false`, then this binding does not apply to

2788

# the current request. However, a different role binding might grant the same

2789

# role to one or more of the members in this binding.

2790

#

2791

# To learn which resources support conditions in their IAM policies, see the

2792

# [IAM

2793

# documentation](https://cloud.google.com/iam/help/conditions/resource-policies).

2794

# syntax. CEL is a C-like expression language. The syntax and semantics of CEL

2795

# are documented at https://github.com/google/cel-spec.

2796

#

2797

# Example (Comparison):

2798

#

2799

# title: "Summary size limit"

2800

# description: "Determines if a summary is less than 100 chars"

2801

# expression: "document.summary.size() < 100"

2802

#

2803

# Example (Equality):

2804

#

2805

# title: "Requestor is owner"

2806

# description: "Determines if requestor is the document owner"

2807

# expression: "document.owner == request.auth.claims.email"

#

# Example (Logic):

#

# title: "Public documents"

2812

# description: "Determine whether the document should be publicly visible"

2813

# expression: "document.type != 'private' && document.type != 'internal'"

2814

#

2815

# Example (Data Manipulation):

2816

#

2817

# title: "Notification string"

2818

# description: "Create a notification string with a timestamp."

2819

# expression: "'New message received at ' + string(document.create_time)"

2820

#

2821

# The exact variables and functions that may be referenced within an expression

2822

# are determined by the service that evaluates it. See the service

2823

# documentation for additional information.

2824

"description": "A String", # Optional. Description of the expression. This is a longer text which

2825

# describes the expression, e.g. when hovered over it in a UI.

2826

"expression": "A String", # Textual representation of an expression in Common Expression Language

2827

# syntax.

2828

"title": "A String", # Optional. Title for the expression, i.e. a short string describing

2829

# its purpose. This can be used e.g. in UIs which allow to enter the

2830

# expression.

2831

"location": "A String", # Optional. String indicating the location of the expression for error

2832

# reporting, e.g. a file name and a position in the file.

2833

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2834

"members": [ # Specifies the identities requesting access for a Cloud Platform resource.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2835

# `members` can have the following values:

2836

#

2837

# * `allUsers`: A special identifier that represents anyone who is

2838

# on the internet; with or without a Google account.

2839

#

2840

# * `allAuthenticatedUsers`: A special identifier that represents anyone

2841

# who is authenticated with a Google account or a service account.

2842

#

2843

# * `user:{emailid}`: An email address that represents a specific Google

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

2844

# account. For example, `alice@example.com` .

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2845

#

2846

#

2847

# * `serviceAccount:{emailid}`: An email address that represents a service

2848

# account. For example, `my-other-app@appspot.gserviceaccount.com`.

2849

#

2850

# * `group:{emailid}`: An email address that represents a Google group.

2851

# For example, `admins@example.com`.

2852

#

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

2853

# * `deleted:user:{emailid}?uid={uniqueid}`: An email address (plus unique

2854

# identifier) representing a user that has been recently deleted. For

2855

# example, `alice@example.com?uid=123456789012345678901`. If the user is

2856

# recovered, this value reverts to `user:{emailid}` and the recovered user

2857

# retains the role in the binding.

2858

#

2859

# * `deleted:serviceAccount:{emailid}?uid={uniqueid}`: An email address (plus

2860

# unique identifier) representing a service account that has been recently

2861

# deleted. For example,

2862

# `my-other-app@appspot.gserviceaccount.com?uid=123456789012345678901`.

2863

# If the service account is undeleted, this value reverts to

2864

# `serviceAccount:{emailid}` and the undeleted service account retains the

2865

# role in the binding.

2866

#

2867

# * `deleted:group:{emailid}?uid={uniqueid}`: An email address (plus unique

2868

# identifier) representing a Google group that has been recently

2869

# deleted. For example, `admins@example.com?uid=123456789012345678901`. If

2870

# the group is recovered, this value reverts to `group:{emailid}` and the

2871

# recovered group retains the role in the binding.

2872

#

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2873

#

2874

# * `domain:{domain}`: The G Suite domain (primary) that represents all the

2875

# users of that domain. For example, `google.com` or `example.com`.

2876

#

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2877

"A String",

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2878

],

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2879

"role": "A String", # Role that is assigned to `members`.

2880

# For example, `roles/viewer`, `roles/editor`, or `roles/owner`.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2881

},

2882

],

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2883

},

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2884

}

2885

2886

x__xgafv: string, V1 error format.

Allowed values

1 - v1 error format

2 - v2 error format

Returns:

An object of the form:

2893

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

2894

{ # An Identity and Access Management (IAM) policy, which specifies access

2895

# controls for Google Cloud resources.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2896

#

2897

#

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

2898

# A `Policy` is a collection of `bindings`. A `binding` binds one or more

2899

# `members` to a single `role`. Members can be user accounts, service accounts,

2900

# Google groups, and domains (such as G Suite). A `role` is a named list of

2901

# permissions; each `role` can be an IAM predefined role or a user-created

2902

# custom role.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2903

#

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2904

# For some types of Google Cloud resources, a `binding` can also specify a

2905

# `condition`, which is a logical expression that allows access to a resource

2906

# only if the expression evaluates to `true`. A condition can add constraints

2907

# based on attributes of the request, the resource, or both. To learn which

2908

# resources support conditions in their IAM policies, see the

2909

# [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies).

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

2910

#

2911

# **JSON example:**

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2912

#

2913

# {

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2914

# "bindings": [

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2915

# {

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2916

# "role": "roles/resourcemanager.organizationAdmin",

2917

# "members": [

2918

# "user:mike@example.com",

2919

# "group:admins@example.com",

2920

# "domain:google.com",

2921

# "serviceAccount:my-project-id@appspot.gserviceaccount.com"

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2922

# ]

2923

# },

2924

# {

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2925

# "role": "roles/resourcemanager.organizationViewer",

2926

# "members": [

2927

# "user:eve@example.com"

2928

# ],

2929

# "condition": {

2930

# "title": "expirable access",

2931

# "description": "Does not grant access after Sep 2020",

2932

# "expression": "request.time < timestamp('2020-10-01T00:00:00.000Z')",

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

2933

# }

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2934

# }

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

2935

# ],

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2936

# "etag": "BwWWja0YfJA=",

2937

# "version": 3

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2938

# }

2939

#

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

2940

# **YAML example:**

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

#

# bindings:

# - members:

# - user:mike@example.com

2945

# - group:admins@example.com

2946

# - domain:google.com

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

2947

# - serviceAccount:my-project-id@appspot.gserviceaccount.com

2948

# role: roles/resourcemanager.organizationAdmin

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2949

# - members:

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

2950

# - user:eve@example.com

2951

# role: roles/resourcemanager.organizationViewer

2952

# condition:

2953

# title: expirable access

2954

# description: Does not grant access after Sep 2020

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2955

# expression: request.time < timestamp('2020-10-01T00:00:00.000Z')

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

2956

# - etag: BwWWja0YfJA=

2957

# - version: 3

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2958

#

2959

# For a description of IAM and its features, see the

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

2960

# [IAM documentation](https://cloud.google.com/iam/docs/).

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame^]

2961

"etag": "A String", # `etag` is used for optimistic concurrency control as a way to help

2962

# prevent simultaneous updates of a policy from overwriting each other.

2963

# It is strongly suggested that systems make use of the `etag` in the

2964

# read-modify-write cycle to perform policy updates in order to avoid race

2965

# conditions: An `etag` is returned in the response to `getIamPolicy`, and

2966

# systems are expected to put that etag in the request to `setIamPolicy` to

2967

# ensure that their change will be applied to the same version of the policy.

2968

#

2969

# **Important:** If you use IAM Conditions, you must include the `etag` field

2970

# whenever you call `setIamPolicy`. If you omit this field, then IAM allows

2971

# you to overwrite a version `3` policy with a version `1` policy, and all of

2972

# the conditions in the version `3` policy are lost.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2973

"version": 42, # Specifies the format of the policy.

2974

#

2975

# Valid values are `0`, `1`, and `3`. Requests that specify an invalid value

2976

# are rejected.

2977

#

2978

# Any operation that affects conditional role bindings must specify version

2979

# `3`. This requirement applies to the following operations:

2980

#

2981

# * Getting a policy that includes a conditional role binding

2982

# * Adding a conditional role binding to a policy

2983

# * Changing a conditional role binding in a policy

2984

# * Removing any role binding, with or without a condition, from a policy

2985

# that includes conditions

2986

#

2987

# **Important:** If you use IAM Conditions, you must include the `etag` field

2988

# whenever you call `setIamPolicy`. If you omit this field, then IAM allows

2989

# you to overwrite a version `3` policy with a version `1` policy, and all of

2990

# the conditions in the version `3` policy are lost.

2991

#

2992

# If a policy does not include any conditions, operations on that policy may

2993

# specify any valid version or leave the field unset.

2994

#

2995

# To learn which resources support conditions in their IAM policies, see the

2996

# [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies).

2997

"bindings": [ # Associates a list of `members` to a `role`. Optionally, may specify a

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

2998

# `condition` that determines how and when the `bindings` are applied. Each

2999

# of the `bindings` must contain at least one member.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

3000

{ # Associates `members` with a `role`.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame^]

3001

"condition": { # Represents a textual expression in the Common Expression Language (CEL) # The condition that is associated with this binding.

3002

#

3003

# If the condition evaluates to `true`, then this binding applies to the

3004

# current request.

3005

#

3006

# If the condition evaluates to `false`, then this binding does not apply to

3007

# the current request. However, a different role binding might grant the same

3008

# role to one or more of the members in this binding.

3009

#

3010

# To learn which resources support conditions in their IAM policies, see the

3011

# [IAM

3012

# documentation](https://cloud.google.com/iam/help/conditions/resource-policies).

3013

# syntax. CEL is a C-like expression language. The syntax and semantics of CEL

3014

# are documented at https://github.com/google/cel-spec.

3015

#

3016

# Example (Comparison):

3017

#

3018

# title: "Summary size limit"

3019

# description: "Determines if a summary is less than 100 chars"

3020

# expression: "document.summary.size() < 100"

3021

#

3022

# Example (Equality):

3023

#

3024

# title: "Requestor is owner"

3025

# description: "Determines if requestor is the document owner"

3026

# expression: "document.owner == request.auth.claims.email"

#

# Example (Logic):

#

# title: "Public documents"

3031

# description: "Determine whether the document should be publicly visible"

3032

# expression: "document.type != 'private' && document.type != 'internal'"

3033

#

3034

# Example (Data Manipulation):

3035

#

3036

# title: "Notification string"

3037

# description: "Create a notification string with a timestamp."

3038

# expression: "'New message received at ' + string(document.create_time)"

3039

#

3040

# The exact variables and functions that may be referenced within an expression

3041

# are determined by the service that evaluates it. See the service

3042

# documentation for additional information.

3043

"description": "A String", # Optional. Description of the expression. This is a longer text which

3044

# describes the expression, e.g. when hovered over it in a UI.

3045

"expression": "A String", # Textual representation of an expression in Common Expression Language

3046

# syntax.

3047

"title": "A String", # Optional. Title for the expression, i.e. a short string describing

3048

# its purpose. This can be used e.g. in UIs which allow to enter the

3049

# expression.

3050

"location": "A String", # Optional. String indicating the location of the expression for error

3051

# reporting, e.g. a file name and a position in the file.

3052

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

3053

"members": [ # Specifies the identities requesting access for a Cloud Platform resource.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

3054

# `members` can have the following values:

3055

#

3056

# * `allUsers`: A special identifier that represents anyone who is

3057

# on the internet; with or without a Google account.

3058

#

3059

# * `allAuthenticatedUsers`: A special identifier that represents anyone

3060

# who is authenticated with a Google account or a service account.

3061

#

3062

# * `user:{emailid}`: An email address that represents a specific Google

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

3063

# account. For example, `alice@example.com` .

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

3064

#

3065

#

3066

# * `serviceAccount:{emailid}`: An email address that represents a service

3067

# account. For example, `my-other-app@appspot.gserviceaccount.com`.

3068

#

3069

# * `group:{emailid}`: An email address that represents a Google group.

3070

# For example, `admins@example.com`.

3071

#

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

3072

# * `deleted:user:{emailid}?uid={uniqueid}`: An email address (plus unique

3073

# identifier) representing a user that has been recently deleted. For

3074

# example, `alice@example.com?uid=123456789012345678901`. If the user is

3075

# recovered, this value reverts to `user:{emailid}` and the recovered user

3076

# retains the role in the binding.

3077

#

3078

# * `deleted:serviceAccount:{emailid}?uid={uniqueid}`: An email address (plus

3079

# unique identifier) representing a service account that has been recently

3080

# deleted. For example,

3081

# `my-other-app@appspot.gserviceaccount.com?uid=123456789012345678901`.

3082

# If the service account is undeleted, this value reverts to

3083

# `serviceAccount:{emailid}` and the undeleted service account retains the

3084

# role in the binding.

3085

#

3086

# * `deleted:group:{emailid}?uid={uniqueid}`: An email address (plus unique

3087

# identifier) representing a Google group that has been recently

3088

# deleted. For example, `admins@example.com?uid=123456789012345678901`. If

3089

# the group is recovered, this value reverts to `group:{emailid}` and the

3090

# recovered group retains the role in the binding.

3091

#

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

3092

#

3093

# * `domain:{domain}`: The G Suite domain (primary) that represents all the

3094

# users of that domain. For example, `google.com` or `example.com`.

3095

#

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

3096

"A String",

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

3097

],

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

3098

"role": "A String", # Role that is assigned to `members`.

3099

# For example, `roles/viewer`, `roles/editor`, or `roles/owner`.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

3100

},

3101

],

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

}</pre>

</div>

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

3106

<code class="details" id="testIamPermissions">testIamPermissions(resource, body=None, x__xgafv=None)</code>

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

3107

<pre>Returns the permissions that a caller has on the specified note or

3108

occurrence. Requires list permission on the project (for example,

3109

`containeranalysis.notes.list`).

3110

3111

The resource takes the format `projects/[PROJECT_ID]/notes/[NOTE_ID]` for

3112

notes and `projects/[PROJECT_ID]/occurrences/[OCCURRENCE_ID]` for

occurrences.

Args:

resource: string, REQUIRED: The resource for which the policy detail is being requested.

3117

See the operation documentation for the appropriate value for this field. (required)

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

3118

body: object, The request body.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

3119

The object takes the form of:

3120

3121

{ # Request message for `TestIamPermissions` method.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

3122

"permissions": [ # The set of permissions to check for the `resource`. Permissions with

3123

# wildcards (such as '*' or 'storage.*') are not allowed. For more

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

3124

# information see

3125

# [IAM Overview](https://cloud.google.com/iam/docs/overview#permissions).

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

3126

"A String",

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

],

}

x__xgafv: string, V1 error format.

Allowed values

1 - v1 error format

2 - v2 error format

Returns:

An object of the form:

3137

3138

{ # Response message for `TestIamPermissions` method.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

3139

"permissions": [ # A subset of `TestPermissionsRequest.permissions` that the caller is

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

3140

# allowed.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

3141

"A String",

Bu Sun Kim