Blame - docs/dyn/containeranalysis_v1beta1.projects.notes.html - platform/external/python/google-api-python-client

2020-05-01 07:42:23 -0700

[diff] [blame]

83

<code><a href="#batchCreate">batchCreate(parent, body=None, x__xgafv=None)</a></code></p>

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

84

<p class="firstline">Creates new notes in batch.</p>

85

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

86

<code><a href="#create">create(parent, body=None, noteId=None, x__xgafv=None)</a></code></p>

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

87

<p class="firstline">Creates a new note.</p>

88

89

<code><a href="#delete">delete(name, x__xgafv=None)</a></code></p>

90

<p class="firstline">Deletes the specified note.</p>

91

92

<code><a href="#get">get(name, x__xgafv=None)</a></code></p>

93

<p class="firstline">Gets the specified note.</p>

94

95

<code><a href="#getIamPolicy">getIamPolicy(resource, body=None, x__xgafv=None)</a></code></p>

96

<p class="firstline">Gets the access control policy for a note or an occurrence resource.</p>

97

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

98

<code><a href="#list">list(parent, pageToken=None, pageSize=None, filter=None, x__xgafv=None)</a></code></p>

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

99

<p class="firstline">Lists notes for the specified project.</p>

100

101

<code><a href="#list_next">list_next(previous_request, previous_response)</a></code></p>

102

<p class="firstline">Retrieves the next page of results.</p>

103

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

104

<code><a href="#patch">patch(name, body=None, updateMask=None, x__xgafv=None)</a></code></p>

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

105

<p class="firstline">Updates the specified note.</p>

106

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

107

<code><a href="#setIamPolicy">setIamPolicy(resource, body=None, x__xgafv=None)</a></code></p>

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

108

<p class="firstline">Sets the access control policy on the specified note or occurrence.</p>

109

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

110

<code><a href="#testIamPermissions">testIamPermissions(resource, body=None, x__xgafv=None)</a></code></p>

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

111

<p class="firstline">Returns the permissions that a caller has on the specified note or</p>

112

<h3>Method Details</h3>

113

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

114

<code class="details" id="batchCreate">batchCreate(parent, body=None, x__xgafv=None)</code>

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

115

<pre>Creates new notes in batch.

116

117

Args:

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

118

parent: string, Required. The name of the project in the form of `projects/[PROJECT_ID]`, under which

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

119

the notes are to be created. (required)

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

120

body: object, The request body.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

121

The object takes the form of:

122

123

{ # Request to create notes in batch.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

124

"notes": { # Required. The notes to create. Max allowed length is 1000.

125

"a_key": { # A type of analysis that can be done for a resource.

126

"package": { # This represents a particular package that is distributed over various # A note describing a package hosted by various package managers.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

127

# channels. E.g., glibc (aka libc6) is distributed by many, at various

128

# versions.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

129

"name": "A String", # Required. Immutable. The name of the package.

130

"distribution": [ # The various channels by which a package is distributed.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

131

{ # This represents a particular channel of distribution for a given package.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

132

# E.g., Debian's jessie-backports dpkg mirror.

133

"latestVersion": { # Version contains structured information about the version of a package. # The latest available version of this package in this distribution channel.

134

"name": "A String", # Required only when version kind is NORMAL. The main part of the version

135

# name.

136

"kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal

137

# versions.

138

"epoch": 42, # Used to correct mistakes in the version numbering scheme.

139

"revision": "A String", # The iteration of the package build from the above version.

140

},

141

"description": "A String", # The distribution channel-specific description of this package.

142

"cpeUri": "A String", # Required. The cpe_uri in [CPE format](https://cpe.mitre.org/specification/)

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

143

# denoting the package manager version distributing a package.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

144

"url": "A String", # The distribution channel-specific homepage for this package.

145

"architecture": "A String", # The CPU architecture for which packages in this distribution channel were

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

146

# built.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

147

"maintainer": "A String", # A freeform string denoting the maintainer of this package.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

148

},

149

],

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

150

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

151

"createTime": "A String", # Output only. The time this note was created. This field can be used as a

152

# filter in list requests.

153

"updateTime": "A String", # Output only. The time this note was last updated. This field can be used as

154

# a filter in list requests.

155

"discovery": { # A note that indicates a type of analysis a provider would perform. This note # A note describing the initial analysis of a resource.

156

# exists in a provider's project. A `Discovery` occurrence is created in a

157

# consumer's project at the start of analysis.

158

"analysisKind": "A String", # Required. Immutable. The kind of analysis that is handled by this

159

# discovery.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

160

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

161

"relatedUrl": [ # URLs associated with this note.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

162

{ # Metadata for any related URL information.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

163

"url": "A String", # Specific URL associated with the resource.

164

"label": "A String", # Label to describe usage of the URL.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

165

},

166

],

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

167

"intoto": { # This contains the fields corresponding to the definition of a software supply # A note describing an in-toto link.

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

168

# chain step in an in-toto layout. This information goes into a Grafeas note.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

169

"expectedMaterials": [ # The following fields contain in-toto artifact rules identifying the

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

170

# artifacts that enter this supply chain step, and exit the supply chain

171

# step, i.e. materials and products of the step.

172

{ # Defines an object to declare an in-toto artifact rule

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

173

"artifactRule": [

174

"A String",

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

175

],

176

},

177

],

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

178

"expectedCommand": [ # This field contains the expected command used to perform the step.

179

"A String",

180

],

181

"expectedProducts": [

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

182

{ # Defines an object to declare an in-toto artifact rule

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

183

"artifactRule": [

184

"A String",

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

185

],

186

},

187

],

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

188

"stepName": "A String", # This field identifies the name of the step in the supply chain.

189

"signingKeys": [ # This field contains the public keys that can be used to verify the

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

190

# signatures on the step metadata.

191

{ # This defines the format used to record keys used in the software supply

192

# chain. An in-toto link is attested using one or more keys defined in the

193

# in-toto layout. An example of this is:

194

# {

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

195

# "key_id": "776a00e29f3559e0141b3b096f696abc6cfb0c657ab40f441132b345b0...",

196

# "key_type": "rsa",

197

# "public_key_value": "-----BEGIN PUBLIC KEY-----\nMIIBojANBgkqhkiG9w0B...",

198

# "key_scheme": "rsassa-pss-sha256"

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

199

# }

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

200

# The format for in-toto's key definition can be found in section 4.2 of the

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

201

# in-toto specification.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

202

"keyType": "A String", # This field identifies the specific signing method. Eg: "rsa", "ed25519",

203

# and "ecdsa".

204

"keyScheme": "A String", # This field contains the corresponding signature scheme.

205

# Eg: "rsassa-pss-sha256".

206

"keyId": "A String", # key_id is an identifier for the signing key.

207

"publicKeyValue": "A String", # This field contains the actual public key.

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

208

},

209

],

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

210

"threshold": "A String", # This field contains a value that indicates the minimum number of keys that

211

# need to be used to sign the step's in-toto link.

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

212

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

213

"expirationTime": "A String", # Time of expiration for this note. Empty if note does not expire.

214

"baseImage": { # Basis describes the base image portion (Note) of the DockerImage # A note describing a base image.

215

# relationship. Linked occurrences are derived from this or an

216

# equivalent image via:

217

# FROM <Basis.resource_url>

218

# Or an equivalent reference, e.g. a tag of the resource_url.

219

"fingerprint": { # A set of properties that uniquely identify a given Docker image. # Required. Immutable. The fingerprint of the base image.

220

"v1Name": "A String", # Required. The layer ID of the final layer in the Docker image's v1

221

# representation.

222

"v2Name": "A String", # Output only. The name of the image's v2 blobs computed via:

223

# [bottom] := v2_blobbottom := sha256(v2_blob[N] + " " + v2_name[N+1])

224

# Only the name of the final blob is kept.

225

"v2Blob": [ # Required. The ordered list of v2 blobs that represent a given image.

"A String",

],

},

"resourceUrl": "A String", # Required. Immutable. The resource_url for the resource representing the

230

# basis of associated occurrence images.

231

},

232

"kind": "A String", # Output only. The type of analysis. This field can be used as a filter in

233

# list requests.

234

"deployable": { # An artifact that can be deployed in some runtime. # A note describing something that can be deployed.

235

"resourceUri": [ # Required. Resource URI for the artifact being deployed.

"A String",

],

},

"longDescription": "A String", # A detailed description of this note.

240

"shortDescription": "A String", # A one sentence description of this note.

241

"attestationAuthority": { # Note kind that represents a logical attestation "role" or "authority". For # A note describing an attestation role.

242

# example, an organization might have one `Authority` for "QA" and one for

243

# "build". This note is intended to act strictly as a grouping mechanism for

244

# the attached occurrences (Attestations). This grouping mechanism also

245

# provides a security boundary, since IAM ACLs gate the ability for a principle

246

# to attach an occurrence to a given note. It also provides a single point of

247

# lookup to find all attached attestation occurrences, even if they don't all

248

# live in the same project.

249

"hint": { # This submessage provides human-readable hints about the purpose of the # Hint hints at the purpose of the attestation authority.

250

# authority. Because the name of a note acts as its resource reference, it is

251

# important to disambiguate the canonical name of the Note (which might be a

252

# UUID for security purposes) from "readable" names more suitable for debug

253

# output. Note that these hints should not be used to look up authorities in

254

# security sensitive contexts, such as when looking up attestations to

255

# verify.

256

"humanReadableName": "A String", # Required. The human readable name of this attestation authority, for

# example "qa".

},

},

"name": "A String", # Output only. The name of the note in the form of

261

# `projects/[PROVIDER_ID]/notes/[NOTE_ID]`.

262

"vulnerability": { # Vulnerability provides metadata about a security vulnerability in a Note. # A note describing a package vulnerability.

263

"sourceUpdateTime": "A String", # The time this information was last changed at the source. This is an

264

# upstream timestamp from the underlying information source - e.g. Ubuntu

265

# security tracker.

266

"windowsDetails": [ # Windows details get their own format because the information format and

267

# model don't match a normal detail. Specifically Windows updates are done as

268

# patches, thus Windows vulnerabilities really are a missing package, rather

269

# than a package being at an incorrect version.

270

{

271

"name": "A String", # Required. The name of the vulnerability.

272

"cpeUri": "A String", # Required. The CPE URI in

273

# [cpe format](https://cpe.mitre.org/specification/) in which the

274

# vulnerability manifests. Examples include distro or storage location for

275

# vulnerable jar.

276

"description": "A String", # The description of the vulnerability.

277

"fixingKbs": [ # Required. The names of the KBs which have hotfixes to mitigate this

278

# vulnerability. Note that there may be multiple hotfixes (and thus

279

# multiple KBs) that mitigate a given vulnerability. Currently any listed

280

# kb's presence is considered a fix.

281

{

282

"url": "A String", # A link to the KB in the Windows update catalog -

283

# https://www.catalog.update.microsoft.com/

284

"name": "A String", # The KB name (generally of the form KB[0-9]+ i.e. KB123456).

},

],

},

],

"severity": "A String", # Note provider assigned impact of the vulnerability.

290

"details": [ # All information about the package to specifically identify this

291

# vulnerability. One entry per (version range and cpe_uri) the package

292

# vulnerability has manifested in.

293

{ # Identifies all appearances of this vulnerability in the package for a

294

# specific distro/location. For example: glibc in

295

# cpe:/o:debian:debian_linux:8 for versions 2.1 - 2.2

296

"isObsolete": True or False, # Whether this detail is obsolete. Occurrences are expected not to point to

297

# obsolete details.

298

"sourceUpdateTime": "A String", # The time this information was last changed at the source. This is an

299

# upstream timestamp from the underlying information source - e.g. Ubuntu

300

# security tracker.

301

"packageType": "A String", # The type of package; whether native or non native(ruby gems, node.js

302

# packages etc).

303

"fixedLocation": { # The location of the vulnerability. # The fix for this specific package version.

304

"package": "A String", # Required. The package being described.

305

"version": { # Version contains structured information about the version of a package. # Required. The version of the package being described.

306

"name": "A String", # Required only when version kind is NORMAL. The main part of the version

307

# name.

308

"kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal

309

# versions.

310

"epoch": 42, # Used to correct mistakes in the version numbering scheme.

311

"revision": "A String", # The iteration of the package build from the above version.

312

},

313

"cpeUri": "A String", # Required. The CPE URI in [cpe format](https://cpe.mitre.org/specification/)

314

# format. Examples include distro or storage location for vulnerable jar.

315

},

316

"cpeUri": "A String", # Required. The CPE URI in

317

# [cpe format](https://cpe.mitre.org/specification/) in which the

318

# vulnerability manifests. Examples include distro or storage location for

319

# vulnerable jar.

320

"description": "A String", # A vendor-specific description of this note.

321

"severityName": "A String", # The severity (eg: distro assigned severity) for this vulnerability.

322

"minAffectedVersion": { # Version contains structured information about the version of a package. # The min version of the package in which the vulnerability exists.

323

"name": "A String", # Required only when version kind is NORMAL. The main part of the version

324

# name.

325

"kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal

326

# versions.

327

"epoch": 42, # Used to correct mistakes in the version numbering scheme.

328

"revision": "A String", # The iteration of the package build from the above version.

329

},

330

"maxAffectedVersion": { # Version contains structured information about the version of a package. # The max version of the package in which the vulnerability exists.

331

"name": "A String", # Required only when version kind is NORMAL. The main part of the version

332

# name.

333

"kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal

334

# versions.

335

"epoch": 42, # Used to correct mistakes in the version numbering scheme.

336

"revision": "A String", # The iteration of the package build from the above version.

337

},

338

"package": "A String", # Required. The name of the package where the vulnerability was found.

339

},

340

],

341

"cvssScore": 3.14, # The CVSS score for this vulnerability.

342

"cvssV3": { # Common Vulnerability Scoring System version 3. # The full description of the CVSSv3.

343

# For details, see https://www.first.org/cvss/specification-document

344

"scope": "A String",

345

"integrityImpact": "A String",

346

"exploitabilityScore": 3.14,

347

"impactScore": 3.14,

348

"attackComplexity": "A String",

349

"availabilityImpact": "A String",

350

"privilegesRequired": "A String",

351

"userInteraction": "A String",

352

"attackVector": "A String", # Base Metrics

353

# Represents the intrinsic characteristics of a vulnerability that are

354

# constant over time and across user environments.

355

"confidentialityImpact": "A String",

356

"baseScore": 3.14, # The base score is a function of the base metric scores.

357

},

358

},

359

"relatedNoteNames": [ # Other notes related to this note.

360

"A String",

361

],

362

"build": { # Note holding the version of the provider's builder and the signature of the # A note describing build provenance for a verifiable build.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

363

# provenance message in the build details occurrence.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

364

"builderVersion": "A String", # Required. Immutable. Version of the builder which produced this build.

365

"signature": { # Message encapsulating the signature of the verified build. # Signature of the build in occurrences pointing to this build note

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

366

# containing build details.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

367

"keyType": "A String", # The type of the key, either stored in `public_key` or referenced in

368

# `key_id`.

369

"signature": "A String", # Required. Signature of the related `BuildProvenance`. In JSON, this is

370

# base-64 encoded.

371

"publicKey": "A String", # Public key of the builder which can be used to verify that the related

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

372

# findings are valid and unchanged. If `key_type` is empty, this defaults

373

# to PEM encoded public keys.

374

#

375

# This field may be empty if `key_id` references an external key.

376

#

377

# For Cloud Build based signatures, this is a PEM encoded public

378

# key. To verify the Cloud Build signature, place the contents of

379

# this field into a file (public.pem). The signature field is base64-decoded

380

# into its binary representation in signature.bin, and the provenance bytes

381

# from `BuildDetails` are base64-decoded into a binary representation in

382

# signed.bin. OpenSSL can then verify the signature:

383

# `openssl sha256 -verify public.pem -signature signature.bin signed.bin`

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

384

"keyId": "A String", # An ID for the key used to sign. This could be either an ID for the key

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

385

# stored in `public_key` (such as the ID or fingerprint for a PGP key, or the

386

# CN for a cert), or a reference to an external key (such as a reference to a

387

# key in Cloud Key Management Service).

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

388

},

389

},

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

},

},

}

x__xgafv: string, V1 error format.

Allowed values

1 - v1 error format

2 - v2 error format

Returns:

An object of the form:

401

402

{ # Response for creating notes in batch.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

403

"notes": [ # The notes that were created.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

404

{ # A type of analysis that can be done for a resource.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

405

"package": { # This represents a particular package that is distributed over various # A note describing a package hosted by various package managers.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

406

# channels. E.g., glibc (aka libc6) is distributed by many, at various

407

# versions.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

408

"name": "A String", # Required. Immutable. The name of the package.

409

"distribution": [ # The various channels by which a package is distributed.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

410

{ # This represents a particular channel of distribution for a given package.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

411

# E.g., Debian's jessie-backports dpkg mirror.

412

"latestVersion": { # Version contains structured information about the version of a package. # The latest available version of this package in this distribution channel.

413

"name": "A String", # Required only when version kind is NORMAL. The main part of the version

414

# name.

415

"kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal

416

# versions.

417

"epoch": 42, # Used to correct mistakes in the version numbering scheme.

418

"revision": "A String", # The iteration of the package build from the above version.

419

},

420

"description": "A String", # The distribution channel-specific description of this package.

421

"cpeUri": "A String", # Required. The cpe_uri in [CPE format](https://cpe.mitre.org/specification/)

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

422

# denoting the package manager version distributing a package.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

423

"url": "A String", # The distribution channel-specific homepage for this package.

424

"architecture": "A String", # The CPU architecture for which packages in this distribution channel were

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

425

# built.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

426

"maintainer": "A String", # A freeform string denoting the maintainer of this package.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

427

},

428

],

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

429

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

430

"createTime": "A String", # Output only. The time this note was created. This field can be used as a

431

# filter in list requests.

432

"updateTime": "A String", # Output only. The time this note was last updated. This field can be used as

433

# a filter in list requests.

434

"discovery": { # A note that indicates a type of analysis a provider would perform. This note # A note describing the initial analysis of a resource.

435

# exists in a provider's project. A `Discovery` occurrence is created in a

436

# consumer's project at the start of analysis.

437

"analysisKind": "A String", # Required. Immutable. The kind of analysis that is handled by this

438

# discovery.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

439

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

440

"relatedUrl": [ # URLs associated with this note.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

441

{ # Metadata for any related URL information.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

442

"url": "A String", # Specific URL associated with the resource.

443

"label": "A String", # Label to describe usage of the URL.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

444

},

445

],

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

446

"intoto": { # This contains the fields corresponding to the definition of a software supply # A note describing an in-toto link.

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

447

# chain step in an in-toto layout. This information goes into a Grafeas note.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

448

"expectedMaterials": [ # The following fields contain in-toto artifact rules identifying the

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

449

# artifacts that enter this supply chain step, and exit the supply chain

450

# step, i.e. materials and products of the step.

451

{ # Defines an object to declare an in-toto artifact rule

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

452

"artifactRule": [

453

"A String",

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

454

],

455

},

456

],

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

457

"expectedCommand": [ # This field contains the expected command used to perform the step.

458

"A String",

459

],

460

"expectedProducts": [

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

461

{ # Defines an object to declare an in-toto artifact rule

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

462

"artifactRule": [

463

"A String",

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

464

],

465

},

466

],

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

467

"stepName": "A String", # This field identifies the name of the step in the supply chain.

468

"signingKeys": [ # This field contains the public keys that can be used to verify the

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

469

# signatures on the step metadata.

470

{ # This defines the format used to record keys used in the software supply

471

# chain. An in-toto link is attested using one or more keys defined in the

472

# in-toto layout. An example of this is:

473

# {

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

474

# "key_id": "776a00e29f3559e0141b3b096f696abc6cfb0c657ab40f441132b345b0...",

475

# "key_type": "rsa",

476

# "public_key_value": "-----BEGIN PUBLIC KEY-----\nMIIBojANBgkqhkiG9w0B...",

477

# "key_scheme": "rsassa-pss-sha256"

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

478

# }

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

479

# The format for in-toto's key definition can be found in section 4.2 of the

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

480

# in-toto specification.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

481

"keyType": "A String", # This field identifies the specific signing method. Eg: "rsa", "ed25519",

482

# and "ecdsa".

483

"keyScheme": "A String", # This field contains the corresponding signature scheme.

484

# Eg: "rsassa-pss-sha256".

485

"keyId": "A String", # key_id is an identifier for the signing key.

486

"publicKeyValue": "A String", # This field contains the actual public key.

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

487

},

488

],

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

489

"threshold": "A String", # This field contains a value that indicates the minimum number of keys that

490

# need to be used to sign the step's in-toto link.

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

491

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

492

"expirationTime": "A String", # Time of expiration for this note. Empty if note does not expire.

493

"baseImage": { # Basis describes the base image portion (Note) of the DockerImage # A note describing a base image.

494

# relationship. Linked occurrences are derived from this or an

495

# equivalent image via:

496

# FROM <Basis.resource_url>

497

# Or an equivalent reference, e.g. a tag of the resource_url.

498

"fingerprint": { # A set of properties that uniquely identify a given Docker image. # Required. Immutable. The fingerprint of the base image.

499

"v1Name": "A String", # Required. The layer ID of the final layer in the Docker image's v1

500

# representation.

501

"v2Name": "A String", # Output only. The name of the image's v2 blobs computed via:

502

# [bottom] := v2_blobbottom := sha256(v2_blob[N] + " " + v2_name[N+1])

503

# Only the name of the final blob is kept.

504

"v2Blob": [ # Required. The ordered list of v2 blobs that represent a given image.

"A String",

],

},

"resourceUrl": "A String", # Required. Immutable. The resource_url for the resource representing the

509

# basis of associated occurrence images.

510

},

511

"kind": "A String", # Output only. The type of analysis. This field can be used as a filter in

512

# list requests.

513

"deployable": { # An artifact that can be deployed in some runtime. # A note describing something that can be deployed.

514

"resourceUri": [ # Required. Resource URI for the artifact being deployed.

"A String",

],

},

"longDescription": "A String", # A detailed description of this note.

519

"shortDescription": "A String", # A one sentence description of this note.

520

"attestationAuthority": { # Note kind that represents a logical attestation "role" or "authority". For # A note describing an attestation role.

521

# example, an organization might have one `Authority` for "QA" and one for

522

# "build". This note is intended to act strictly as a grouping mechanism for

523

# the attached occurrences (Attestations). This grouping mechanism also

524

# provides a security boundary, since IAM ACLs gate the ability for a principle

525

# to attach an occurrence to a given note. It also provides a single point of

526

# lookup to find all attached attestation occurrences, even if they don't all

527

# live in the same project.

528

"hint": { # This submessage provides human-readable hints about the purpose of the # Hint hints at the purpose of the attestation authority.

529

# authority. Because the name of a note acts as its resource reference, it is

530

# important to disambiguate the canonical name of the Note (which might be a

531

# UUID for security purposes) from "readable" names more suitable for debug

532

# output. Note that these hints should not be used to look up authorities in

533

# security sensitive contexts, such as when looking up attestations to

534

# verify.

535

"humanReadableName": "A String", # Required. The human readable name of this attestation authority, for

# example "qa".

},

},

"name": "A String", # Output only. The name of the note in the form of

540

# `projects/[PROVIDER_ID]/notes/[NOTE_ID]`.

541

"vulnerability": { # Vulnerability provides metadata about a security vulnerability in a Note. # A note describing a package vulnerability.

542

"sourceUpdateTime": "A String", # The time this information was last changed at the source. This is an

543

# upstream timestamp from the underlying information source - e.g. Ubuntu

544

# security tracker.

545

"windowsDetails": [ # Windows details get their own format because the information format and

546

# model don't match a normal detail. Specifically Windows updates are done as

547

# patches, thus Windows vulnerabilities really are a missing package, rather

548

# than a package being at an incorrect version.

549

{

550

"name": "A String", # Required. The name of the vulnerability.

551

"cpeUri": "A String", # Required. The CPE URI in

552

# [cpe format](https://cpe.mitre.org/specification/) in which the

553

# vulnerability manifests. Examples include distro or storage location for

554

# vulnerable jar.

555

"description": "A String", # The description of the vulnerability.

556

"fixingKbs": [ # Required. The names of the KBs which have hotfixes to mitigate this

557

# vulnerability. Note that there may be multiple hotfixes (and thus

558

# multiple KBs) that mitigate a given vulnerability. Currently any listed

559

# kb's presence is considered a fix.

560

{

561

"url": "A String", # A link to the KB in the Windows update catalog -

562

# https://www.catalog.update.microsoft.com/

563

"name": "A String", # The KB name (generally of the form KB[0-9]+ i.e. KB123456).

},

],

},

],

"severity": "A String", # Note provider assigned impact of the vulnerability.

569

"details": [ # All information about the package to specifically identify this

570

# vulnerability. One entry per (version range and cpe_uri) the package

571

# vulnerability has manifested in.

572

{ # Identifies all appearances of this vulnerability in the package for a

573

# specific distro/location. For example: glibc in

574

# cpe:/o:debian:debian_linux:8 for versions 2.1 - 2.2

575

"isObsolete": True or False, # Whether this detail is obsolete. Occurrences are expected not to point to

576

# obsolete details.

577

"sourceUpdateTime": "A String", # The time this information was last changed at the source. This is an

578

# upstream timestamp from the underlying information source - e.g. Ubuntu

579

# security tracker.

580

"packageType": "A String", # The type of package; whether native or non native(ruby gems, node.js

581

# packages etc).

582

"fixedLocation": { # The location of the vulnerability. # The fix for this specific package version.

583

"package": "A String", # Required. The package being described.

584

"version": { # Version contains structured information about the version of a package. # Required. The version of the package being described.

585

"name": "A String", # Required only when version kind is NORMAL. The main part of the version

586

# name.

587

"kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal

588

# versions.

589

"epoch": 42, # Used to correct mistakes in the version numbering scheme.

590

"revision": "A String", # The iteration of the package build from the above version.

591

},

592

"cpeUri": "A String", # Required. The CPE URI in [cpe format](https://cpe.mitre.org/specification/)

593

# format. Examples include distro or storage location for vulnerable jar.

594

},

595

"cpeUri": "A String", # Required. The CPE URI in

596

# [cpe format](https://cpe.mitre.org/specification/) in which the

597

# vulnerability manifests. Examples include distro or storage location for

598

# vulnerable jar.

599

"description": "A String", # A vendor-specific description of this note.

600

"severityName": "A String", # The severity (eg: distro assigned severity) for this vulnerability.

601

"minAffectedVersion": { # Version contains structured information about the version of a package. # The min version of the package in which the vulnerability exists.

602

"name": "A String", # Required only when version kind is NORMAL. The main part of the version

603

# name.

604

"kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal

605

# versions.

606

"epoch": 42, # Used to correct mistakes in the version numbering scheme.

607

"revision": "A String", # The iteration of the package build from the above version.

608

},

609

"maxAffectedVersion": { # Version contains structured information about the version of a package. # The max version of the package in which the vulnerability exists.

610

"name": "A String", # Required only when version kind is NORMAL. The main part of the version

611

# name.

612

"kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal

613

# versions.

614

"epoch": 42, # Used to correct mistakes in the version numbering scheme.

615

"revision": "A String", # The iteration of the package build from the above version.

616

},

617

"package": "A String", # Required. The name of the package where the vulnerability was found.

618

},

619

],

620

"cvssScore": 3.14, # The CVSS score for this vulnerability.

621

"cvssV3": { # Common Vulnerability Scoring System version 3. # The full description of the CVSSv3.

622

# For details, see https://www.first.org/cvss/specification-document

623

"scope": "A String",

624

"integrityImpact": "A String",

625

"exploitabilityScore": 3.14,

626

"impactScore": 3.14,

627

"attackComplexity": "A String",

628

"availabilityImpact": "A String",

629

"privilegesRequired": "A String",

630

"userInteraction": "A String",

631

"attackVector": "A String", # Base Metrics

632

# Represents the intrinsic characteristics of a vulnerability that are

633

# constant over time and across user environments.

634

"confidentialityImpact": "A String",

635

"baseScore": 3.14, # The base score is a function of the base metric scores.

636

},

637

},

638

"relatedNoteNames": [ # Other notes related to this note.

639

"A String",

640

],

641

"build": { # Note holding the version of the provider's builder and the signature of the # A note describing build provenance for a verifiable build.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

642

# provenance message in the build details occurrence.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

643

"builderVersion": "A String", # Required. Immutable. Version of the builder which produced this build.

644

"signature": { # Message encapsulating the signature of the verified build. # Signature of the build in occurrences pointing to this build note

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

645

# containing build details.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

646

"keyType": "A String", # The type of the key, either stored in `public_key` or referenced in

647

# `key_id`.

648

"signature": "A String", # Required. Signature of the related `BuildProvenance`. In JSON, this is

649

# base-64 encoded.

650

"publicKey": "A String", # Public key of the builder which can be used to verify that the related

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

651

# findings are valid and unchanged. If `key_type` is empty, this defaults

652

# to PEM encoded public keys.

653

#

654

# This field may be empty if `key_id` references an external key.

655

#

656

# For Cloud Build based signatures, this is a PEM encoded public

657

# key. To verify the Cloud Build signature, place the contents of

658

# this field into a file (public.pem). The signature field is base64-decoded

659

# into its binary representation in signature.bin, and the provenance bytes

660

# from `BuildDetails` are base64-decoded into a binary representation in

661

# signed.bin. OpenSSL can then verify the signature:

662

# `openssl sha256 -verify public.pem -signature signature.bin signed.bin`

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

663

"keyId": "A String", # An ID for the key used to sign. This could be either an ID for the key

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

664

# stored in `public_key` (such as the ID or fingerprint for a PGP key, or the

665

# CN for a cert), or a reference to an external key (such as a reference to a

666

# key in Cloud Key Management Service).

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

667

},

668

},

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

},

],

}</pre>

</div>

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

675

<code class="details" id="create">create(parent, body=None, noteId=None, x__xgafv=None)</code>

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

676

<pre>Creates a new note.

677

678

Args:

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

679

parent: string, Required. The name of the project in the form of `projects/[PROJECT_ID]`, under which

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

680

the note is to be created. (required)

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

681

body: object, The request body.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

682

The object takes the form of:

683

684

{ # A type of analysis that can be done for a resource.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

685

"package": { # This represents a particular package that is distributed over various # A note describing a package hosted by various package managers.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

686

# channels. E.g., glibc (aka libc6) is distributed by many, at various

687

# versions.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

688

"name": "A String", # Required. Immutable. The name of the package.

689

"distribution": [ # The various channels by which a package is distributed.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

690

{ # This represents a particular channel of distribution for a given package.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

691

# E.g., Debian's jessie-backports dpkg mirror.

692

"latestVersion": { # Version contains structured information about the version of a package. # The latest available version of this package in this distribution channel.

693

"name": "A String", # Required only when version kind is NORMAL. The main part of the version

694

# name.

695

"kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal

696

# versions.

697

"epoch": 42, # Used to correct mistakes in the version numbering scheme.

698

"revision": "A String", # The iteration of the package build from the above version.

699

},

700

"description": "A String", # The distribution channel-specific description of this package.

701

"cpeUri": "A String", # Required. The cpe_uri in [CPE format](https://cpe.mitre.org/specification/)

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

702

# denoting the package manager version distributing a package.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

703

"url": "A String", # The distribution channel-specific homepage for this package.

704

"architecture": "A String", # The CPU architecture for which packages in this distribution channel were

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

705

# built.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

706

"maintainer": "A String", # A freeform string denoting the maintainer of this package.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

707

},

708

],

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

709

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

710

"createTime": "A String", # Output only. The time this note was created. This field can be used as a

711

# filter in list requests.

712

"updateTime": "A String", # Output only. The time this note was last updated. This field can be used as

713

# a filter in list requests.

714

"discovery": { # A note that indicates a type of analysis a provider would perform. This note # A note describing the initial analysis of a resource.

715

# exists in a provider's project. A `Discovery` occurrence is created in a

716

# consumer's project at the start of analysis.

717

"analysisKind": "A String", # Required. Immutable. The kind of analysis that is handled by this

718

# discovery.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

719

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

720

"relatedUrl": [ # URLs associated with this note.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

721

{ # Metadata for any related URL information.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

722

"url": "A String", # Specific URL associated with the resource.

723

"label": "A String", # Label to describe usage of the URL.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

724

},

725

],

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

726

"intoto": { # This contains the fields corresponding to the definition of a software supply # A note describing an in-toto link.

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

727

# chain step in an in-toto layout. This information goes into a Grafeas note.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

728

"expectedMaterials": [ # The following fields contain in-toto artifact rules identifying the

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

729

# artifacts that enter this supply chain step, and exit the supply chain

730

# step, i.e. materials and products of the step.

731

{ # Defines an object to declare an in-toto artifact rule

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

732

"artifactRule": [

733

"A String",

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

734

],

735

},

736

],

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

737

"expectedCommand": [ # This field contains the expected command used to perform the step.

738

"A String",

739

],

740

"expectedProducts": [

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

741

{ # Defines an object to declare an in-toto artifact rule

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

742

"artifactRule": [

743

"A String",

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

744

],

745

},

746

],

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

747

"stepName": "A String", # This field identifies the name of the step in the supply chain.

748

"signingKeys": [ # This field contains the public keys that can be used to verify the

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

749

# signatures on the step metadata.

750

{ # This defines the format used to record keys used in the software supply

751

# chain. An in-toto link is attested using one or more keys defined in the

752

# in-toto layout. An example of this is:

753

# {

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

754

# "key_id": "776a00e29f3559e0141b3b096f696abc6cfb0c657ab40f441132b345b0...",

755

# "key_type": "rsa",

756

# "public_key_value": "-----BEGIN PUBLIC KEY-----\nMIIBojANBgkqhkiG9w0B...",

757

# "key_scheme": "rsassa-pss-sha256"

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

758

# }

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

759

# The format for in-toto's key definition can be found in section 4.2 of the

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

760

# in-toto specification.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

761

"keyType": "A String", # This field identifies the specific signing method. Eg: "rsa", "ed25519",

762

# and "ecdsa".

763

"keyScheme": "A String", # This field contains the corresponding signature scheme.

764

# Eg: "rsassa-pss-sha256".

765

"keyId": "A String", # key_id is an identifier for the signing key.

766

"publicKeyValue": "A String", # This field contains the actual public key.

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

767

},

768

],

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

769

"threshold": "A String", # This field contains a value that indicates the minimum number of keys that

770

# need to be used to sign the step's in-toto link.

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

771

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

772

"expirationTime": "A String", # Time of expiration for this note. Empty if note does not expire.

773

"baseImage": { # Basis describes the base image portion (Note) of the DockerImage # A note describing a base image.

774

# relationship. Linked occurrences are derived from this or an

775

# equivalent image via:

776

# FROM <Basis.resource_url>

777

# Or an equivalent reference, e.g. a tag of the resource_url.

778

"fingerprint": { # A set of properties that uniquely identify a given Docker image. # Required. Immutable. The fingerprint of the base image.

779

"v1Name": "A String", # Required. The layer ID of the final layer in the Docker image's v1

780

# representation.

781

"v2Name": "A String", # Output only. The name of the image's v2 blobs computed via:

782

# [bottom] := v2_blobbottom := sha256(v2_blob[N] + " " + v2_name[N+1])

783

# Only the name of the final blob is kept.

784

"v2Blob": [ # Required. The ordered list of v2 blobs that represent a given image.

"A String",

],

},

"resourceUrl": "A String", # Required. Immutable. The resource_url for the resource representing the

789

# basis of associated occurrence images.

790

},

791

"kind": "A String", # Output only. The type of analysis. This field can be used as a filter in

792

# list requests.

793

"deployable": { # An artifact that can be deployed in some runtime. # A note describing something that can be deployed.

794

"resourceUri": [ # Required. Resource URI for the artifact being deployed.

"A String",

],

},

"longDescription": "A String", # A detailed description of this note.

799

"shortDescription": "A String", # A one sentence description of this note.

800

"attestationAuthority": { # Note kind that represents a logical attestation "role" or "authority". For # A note describing an attestation role.

801

# example, an organization might have one `Authority` for "QA" and one for

802

# "build". This note is intended to act strictly as a grouping mechanism for

803

# the attached occurrences (Attestations). This grouping mechanism also

804

# provides a security boundary, since IAM ACLs gate the ability for a principle

805

# to attach an occurrence to a given note. It also provides a single point of

806

# lookup to find all attached attestation occurrences, even if they don't all

807

# live in the same project.

808

"hint": { # This submessage provides human-readable hints about the purpose of the # Hint hints at the purpose of the attestation authority.

809

# authority. Because the name of a note acts as its resource reference, it is

810

# important to disambiguate the canonical name of the Note (which might be a

811

# UUID for security purposes) from "readable" names more suitable for debug

812

# output. Note that these hints should not be used to look up authorities in

813

# security sensitive contexts, such as when looking up attestations to

814

# verify.

815

"humanReadableName": "A String", # Required. The human readable name of this attestation authority, for

# example "qa".

},

},

"name": "A String", # Output only. The name of the note in the form of

820

# `projects/[PROVIDER_ID]/notes/[NOTE_ID]`.

821

"vulnerability": { # Vulnerability provides metadata about a security vulnerability in a Note. # A note describing a package vulnerability.

822

"sourceUpdateTime": "A String", # The time this information was last changed at the source. This is an

823

# upstream timestamp from the underlying information source - e.g. Ubuntu

824

# security tracker.

825

"windowsDetails": [ # Windows details get their own format because the information format and

826

# model don't match a normal detail. Specifically Windows updates are done as

827

# patches, thus Windows vulnerabilities really are a missing package, rather

828

# than a package being at an incorrect version.

829

{

830

"name": "A String", # Required. The name of the vulnerability.

831

"cpeUri": "A String", # Required. The CPE URI in

832

# [cpe format](https://cpe.mitre.org/specification/) in which the

833

# vulnerability manifests. Examples include distro or storage location for

834

# vulnerable jar.

835

"description": "A String", # The description of the vulnerability.

836

"fixingKbs": [ # Required. The names of the KBs which have hotfixes to mitigate this

837

# vulnerability. Note that there may be multiple hotfixes (and thus

838

# multiple KBs) that mitigate a given vulnerability. Currently any listed

839

# kb's presence is considered a fix.

840

{

841

"url": "A String", # A link to the KB in the Windows update catalog -

842

# https://www.catalog.update.microsoft.com/

843

"name": "A String", # The KB name (generally of the form KB[0-9]+ i.e. KB123456).

},

],

},

],

"severity": "A String", # Note provider assigned impact of the vulnerability.

849

"details": [ # All information about the package to specifically identify this

850

# vulnerability. One entry per (version range and cpe_uri) the package

851

# vulnerability has manifested in.

852

{ # Identifies all appearances of this vulnerability in the package for a

853

# specific distro/location. For example: glibc in

854

# cpe:/o:debian:debian_linux:8 for versions 2.1 - 2.2

855

"isObsolete": True or False, # Whether this detail is obsolete. Occurrences are expected not to point to

856

# obsolete details.

857

"sourceUpdateTime": "A String", # The time this information was last changed at the source. This is an

858

# upstream timestamp from the underlying information source - e.g. Ubuntu

859

# security tracker.

860

"packageType": "A String", # The type of package; whether native or non native(ruby gems, node.js

861

# packages etc).

862

"fixedLocation": { # The location of the vulnerability. # The fix for this specific package version.

863

"package": "A String", # Required. The package being described.

864

"version": { # Version contains structured information about the version of a package. # Required. The version of the package being described.

865

"name": "A String", # Required only when version kind is NORMAL. The main part of the version

866

# name.

867

"kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal

868

# versions.

869

"epoch": 42, # Used to correct mistakes in the version numbering scheme.

870

"revision": "A String", # The iteration of the package build from the above version.

871

},

872

"cpeUri": "A String", # Required. The CPE URI in [cpe format](https://cpe.mitre.org/specification/)

873

# format. Examples include distro or storage location for vulnerable jar.

874

},

875

"cpeUri": "A String", # Required. The CPE URI in

876

# [cpe format](https://cpe.mitre.org/specification/) in which the

877

# vulnerability manifests. Examples include distro or storage location for

878

# vulnerable jar.

879

"description": "A String", # A vendor-specific description of this note.

880

"severityName": "A String", # The severity (eg: distro assigned severity) for this vulnerability.

881

"minAffectedVersion": { # Version contains structured information about the version of a package. # The min version of the package in which the vulnerability exists.

882

"name": "A String", # Required only when version kind is NORMAL. The main part of the version

883

# name.

884

"kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal

885

# versions.

886

"epoch": 42, # Used to correct mistakes in the version numbering scheme.

887

"revision": "A String", # The iteration of the package build from the above version.

888

},

889

"maxAffectedVersion": { # Version contains structured information about the version of a package. # The max version of the package in which the vulnerability exists.

890

"name": "A String", # Required only when version kind is NORMAL. The main part of the version

891

# name.

892

"kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal

893

# versions.

894

"epoch": 42, # Used to correct mistakes in the version numbering scheme.

895

"revision": "A String", # The iteration of the package build from the above version.

896

},

897

"package": "A String", # Required. The name of the package where the vulnerability was found.

898

},

899

],

900

"cvssScore": 3.14, # The CVSS score for this vulnerability.

901

"cvssV3": { # Common Vulnerability Scoring System version 3. # The full description of the CVSSv3.

902

# For details, see https://www.first.org/cvss/specification-document

903

"scope": "A String",

904

"integrityImpact": "A String",

905

"exploitabilityScore": 3.14,

906

"impactScore": 3.14,

907

"attackComplexity": "A String",

908

"availabilityImpact": "A String",

909

"privilegesRequired": "A String",

910

"userInteraction": "A String",

911

"attackVector": "A String", # Base Metrics

912

# Represents the intrinsic characteristics of a vulnerability that are

913

# constant over time and across user environments.

914

"confidentialityImpact": "A String",

915

"baseScore": 3.14, # The base score is a function of the base metric scores.

916

},

917

},

918

"relatedNoteNames": [ # Other notes related to this note.

919

"A String",

920

],

921

"build": { # Note holding the version of the provider's builder and the signature of the # A note describing build provenance for a verifiable build.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

922

# provenance message in the build details occurrence.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

923

"builderVersion": "A String", # Required. Immutable. Version of the builder which produced this build.

924

"signature": { # Message encapsulating the signature of the verified build. # Signature of the build in occurrences pointing to this build note

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

925

# containing build details.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

926

"keyType": "A String", # The type of the key, either stored in `public_key` or referenced in

927

# `key_id`.

928

"signature": "A String", # Required. Signature of the related `BuildProvenance`. In JSON, this is

929

# base-64 encoded.

930

"publicKey": "A String", # Public key of the builder which can be used to verify that the related

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

931

# findings are valid and unchanged. If `key_type` is empty, this defaults

932

# to PEM encoded public keys.

933

#

934

# This field may be empty if `key_id` references an external key.

935

#

936

# For Cloud Build based signatures, this is a PEM encoded public

937

# key. To verify the Cloud Build signature, place the contents of

938

# this field into a file (public.pem). The signature field is base64-decoded

939

# into its binary representation in signature.bin, and the provenance bytes

940

# from `BuildDetails` are base64-decoded into a binary representation in

941

# signed.bin. OpenSSL can then verify the signature:

942

# `openssl sha256 -verify public.pem -signature signature.bin signed.bin`

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

943

"keyId": "A String", # An ID for the key used to sign. This could be either an ID for the key

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

944

# stored in `public_key` (such as the ID or fingerprint for a PGP key, or the

945

# CN for a cert), or a reference to an external key (such as a reference to a

946

# key in Cloud Key Management Service).

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

947

},

948

},

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

949

}

950

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

951

noteId: string, Required. The ID to use for this note.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

952

x__xgafv: string, V1 error format.

Allowed values

1 - v1 error format

2 - v2 error format

Returns:

An object of the form:

959

960

{ # A type of analysis that can be done for a resource.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

961

"package": { # This represents a particular package that is distributed over various # A note describing a package hosted by various package managers.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

962

# channels. E.g., glibc (aka libc6) is distributed by many, at various

963

# versions.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

964

"name": "A String", # Required. Immutable. The name of the package.

965

"distribution": [ # The various channels by which a package is distributed.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

966

{ # This represents a particular channel of distribution for a given package.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

967

# E.g., Debian's jessie-backports dpkg mirror.

968

"latestVersion": { # Version contains structured information about the version of a package. # The latest available version of this package in this distribution channel.

969

"name": "A String", # Required only when version kind is NORMAL. The main part of the version

970

# name.

971

"kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal

972

# versions.

973

"epoch": 42, # Used to correct mistakes in the version numbering scheme.

974

"revision": "A String", # The iteration of the package build from the above version.

975

},

976

"description": "A String", # The distribution channel-specific description of this package.

977

"cpeUri": "A String", # Required. The cpe_uri in [CPE format](https://cpe.mitre.org/specification/)

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

978

# denoting the package manager version distributing a package.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

979

"url": "A String", # The distribution channel-specific homepage for this package.

980

"architecture": "A String", # The CPU architecture for which packages in this distribution channel were

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

981

# built.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

982

"maintainer": "A String", # A freeform string denoting the maintainer of this package.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

983

},

984

],

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

985

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

986

"createTime": "A String", # Output only. The time this note was created. This field can be used as a

987

# filter in list requests.

988

"updateTime": "A String", # Output only. The time this note was last updated. This field can be used as

989

# a filter in list requests.

990

"discovery": { # A note that indicates a type of analysis a provider would perform. This note # A note describing the initial analysis of a resource.

991

# exists in a provider's project. A `Discovery` occurrence is created in a

992

# consumer's project at the start of analysis.

993

"analysisKind": "A String", # Required. Immutable. The kind of analysis that is handled by this

994

# discovery.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

995

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

996

"relatedUrl": [ # URLs associated with this note.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

997

{ # Metadata for any related URL information.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

998

"url": "A String", # Specific URL associated with the resource.

999

"label": "A String", # Label to describe usage of the URL.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1000

},

1001

],

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

1002

"intoto": { # This contains the fields corresponding to the definition of a software supply # A note describing an in-toto link.

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

1003

# chain step in an in-toto layout. This information goes into a Grafeas note.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

1004

"expectedMaterials": [ # The following fields contain in-toto artifact rules identifying the

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

1005

# artifacts that enter this supply chain step, and exit the supply chain

1006

# step, i.e. materials and products of the step.

1007

{ # Defines an object to declare an in-toto artifact rule

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

1008

"artifactRule": [

1009

"A String",

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

1010

],

1011

},

1012

],

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

1013

"expectedCommand": [ # This field contains the expected command used to perform the step.

1014

"A String",

1015

],

1016

"expectedProducts": [

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

1017

{ # Defines an object to declare an in-toto artifact rule

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

1018

"artifactRule": [

1019

"A String",

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

1020

],

1021

},

1022

],

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

1023

"stepName": "A String", # This field identifies the name of the step in the supply chain.

1024

"signingKeys": [ # This field contains the public keys that can be used to verify the

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

1025

# signatures on the step metadata.

1026

{ # This defines the format used to record keys used in the software supply

1027

# chain. An in-toto link is attested using one or more keys defined in the

1028

# in-toto layout. An example of this is:

1029

# {

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

1030

# "key_id": "776a00e29f3559e0141b3b096f696abc6cfb0c657ab40f441132b345b0...",

1031

# "key_type": "rsa",

1032

# "public_key_value": "-----BEGIN PUBLIC KEY-----\nMIIBojANBgkqhkiG9w0B...",

1033

# "key_scheme": "rsassa-pss-sha256"

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

1034

# }

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

1035

# The format for in-toto's key definition can be found in section 4.2 of the

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

1036

# in-toto specification.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

1037

"keyType": "A String", # This field identifies the specific signing method. Eg: "rsa", "ed25519",

1038

# and "ecdsa".

1039

"keyScheme": "A String", # This field contains the corresponding signature scheme.

1040

# Eg: "rsassa-pss-sha256".

1041

"keyId": "A String", # key_id is an identifier for the signing key.

1042

"publicKeyValue": "A String", # This field contains the actual public key.

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

1043

},

1044

],

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

1045

"threshold": "A String", # This field contains a value that indicates the minimum number of keys that

1046

# need to be used to sign the step's in-toto link.

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

1047

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

1048

"expirationTime": "A String", # Time of expiration for this note. Empty if note does not expire.

1049

"baseImage": { # Basis describes the base image portion (Note) of the DockerImage # A note describing a base image.

1050

# relationship. Linked occurrences are derived from this or an

1051

# equivalent image via:

1052

# FROM <Basis.resource_url>

1053

# Or an equivalent reference, e.g. a tag of the resource_url.

1054

"fingerprint": { # A set of properties that uniquely identify a given Docker image. # Required. Immutable. The fingerprint of the base image.

1055

"v1Name": "A String", # Required. The layer ID of the final layer in the Docker image's v1

1056

# representation.

1057

"v2Name": "A String", # Output only. The name of the image's v2 blobs computed via:

1058

# [bottom] := v2_blobbottom := sha256(v2_blob[N] + " " + v2_name[N+1])

1059

# Only the name of the final blob is kept.

1060

"v2Blob": [ # Required. The ordered list of v2 blobs that represent a given image.

"A String",

],

},

"resourceUrl": "A String", # Required. Immutable. The resource_url for the resource representing the

1065

# basis of associated occurrence images.

1066

},

1067

"kind": "A String", # Output only. The type of analysis. This field can be used as a filter in

1068

# list requests.

1069

"deployable": { # An artifact that can be deployed in some runtime. # A note describing something that can be deployed.

1070

"resourceUri": [ # Required. Resource URI for the artifact being deployed.

"A String",

],

},

"longDescription": "A String", # A detailed description of this note.

1075

"shortDescription": "A String", # A one sentence description of this note.

1076

"attestationAuthority": { # Note kind that represents a logical attestation "role" or "authority". For # A note describing an attestation role.

1077

# example, an organization might have one `Authority` for "QA" and one for

1078

# "build". This note is intended to act strictly as a grouping mechanism for

1079

# the attached occurrences (Attestations). This grouping mechanism also

1080

# provides a security boundary, since IAM ACLs gate the ability for a principle

1081

# to attach an occurrence to a given note. It also provides a single point of

1082

# lookup to find all attached attestation occurrences, even if they don't all

1083

# live in the same project.

1084

"hint": { # This submessage provides human-readable hints about the purpose of the # Hint hints at the purpose of the attestation authority.

1085

# authority. Because the name of a note acts as its resource reference, it is

1086

# important to disambiguate the canonical name of the Note (which might be a

1087

# UUID for security purposes) from "readable" names more suitable for debug

1088

# output. Note that these hints should not be used to look up authorities in

1089

# security sensitive contexts, such as when looking up attestations to

1090

# verify.

1091

"humanReadableName": "A String", # Required. The human readable name of this attestation authority, for

# example "qa".

},

},

"name": "A String", # Output only. The name of the note in the form of

1096

# `projects/[PROVIDER_ID]/notes/[NOTE_ID]`.

1097

"vulnerability": { # Vulnerability provides metadata about a security vulnerability in a Note. # A note describing a package vulnerability.

1098

"sourceUpdateTime": "A String", # The time this information was last changed at the source. This is an

1099

# upstream timestamp from the underlying information source - e.g. Ubuntu

1100

# security tracker.

1101

"windowsDetails": [ # Windows details get their own format because the information format and

1102

# model don't match a normal detail. Specifically Windows updates are done as

1103

# patches, thus Windows vulnerabilities really are a missing package, rather

1104

# than a package being at an incorrect version.

1105

{

1106

"name": "A String", # Required. The name of the vulnerability.

1107

"cpeUri": "A String", # Required. The CPE URI in

1108

# [cpe format](https://cpe.mitre.org/specification/) in which the

1109

# vulnerability manifests. Examples include distro or storage location for

1110

# vulnerable jar.

1111

"description": "A String", # The description of the vulnerability.

1112

"fixingKbs": [ # Required. The names of the KBs which have hotfixes to mitigate this

1113

# vulnerability. Note that there may be multiple hotfixes (and thus

1114

# multiple KBs) that mitigate a given vulnerability. Currently any listed

1115

# kb's presence is considered a fix.

1116

{

1117

"url": "A String", # A link to the KB in the Windows update catalog -

1118

# https://www.catalog.update.microsoft.com/

1119

"name": "A String", # The KB name (generally of the form KB[0-9]+ i.e. KB123456).

},

],

},

],

"severity": "A String", # Note provider assigned impact of the vulnerability.

1125

"details": [ # All information about the package to specifically identify this

1126

# vulnerability. One entry per (version range and cpe_uri) the package

1127

# vulnerability has manifested in.

1128

{ # Identifies all appearances of this vulnerability in the package for a

1129

# specific distro/location. For example: glibc in

1130

# cpe:/o:debian:debian_linux:8 for versions 2.1 - 2.2

1131

"isObsolete": True or False, # Whether this detail is obsolete. Occurrences are expected not to point to

1132

# obsolete details.

1133

"sourceUpdateTime": "A String", # The time this information was last changed at the source. This is an

1134

# upstream timestamp from the underlying information source - e.g. Ubuntu

1135

# security tracker.

1136

"packageType": "A String", # The type of package; whether native or non native(ruby gems, node.js

1137

# packages etc).

1138

"fixedLocation": { # The location of the vulnerability. # The fix for this specific package version.

1139

"package": "A String", # Required. The package being described.

1140

"version": { # Version contains structured information about the version of a package. # Required. The version of the package being described.

1141

"name": "A String", # Required only when version kind is NORMAL. The main part of the version

1142

# name.

1143

"kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal

1144

# versions.

1145

"epoch": 42, # Used to correct mistakes in the version numbering scheme.

1146

"revision": "A String", # The iteration of the package build from the above version.

1147

},

1148

"cpeUri": "A String", # Required. The CPE URI in [cpe format](https://cpe.mitre.org/specification/)

1149

# format. Examples include distro or storage location for vulnerable jar.

1150

},

1151

"cpeUri": "A String", # Required. The CPE URI in

1152

# [cpe format](https://cpe.mitre.org/specification/) in which the

1153

# vulnerability manifests. Examples include distro or storage location for

1154

# vulnerable jar.

1155

"description": "A String", # A vendor-specific description of this note.

1156

"severityName": "A String", # The severity (eg: distro assigned severity) for this vulnerability.

1157

"minAffectedVersion": { # Version contains structured information about the version of a package. # The min version of the package in which the vulnerability exists.

1158

"name": "A String", # Required only when version kind is NORMAL. The main part of the version

1159

# name.

1160

"kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal

1161

# versions.

1162

"epoch": 42, # Used to correct mistakes in the version numbering scheme.

1163

"revision": "A String", # The iteration of the package build from the above version.

1164

},

1165

"maxAffectedVersion": { # Version contains structured information about the version of a package. # The max version of the package in which the vulnerability exists.

1166

"name": "A String", # Required only when version kind is NORMAL. The main part of the version

1167

# name.

1168

"kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal

1169

# versions.

1170

"epoch": 42, # Used to correct mistakes in the version numbering scheme.

1171

"revision": "A String", # The iteration of the package build from the above version.

1172

},

1173

"package": "A String", # Required. The name of the package where the vulnerability was found.

1174

},

1175

],

1176

"cvssScore": 3.14, # The CVSS score for this vulnerability.

1177

"cvssV3": { # Common Vulnerability Scoring System version 3. # The full description of the CVSSv3.

1178

# For details, see https://www.first.org/cvss/specification-document

1179

"scope": "A String",

1180

"integrityImpact": "A String",

1181

"exploitabilityScore": 3.14,

1182

"impactScore": 3.14,

1183

"attackComplexity": "A String",

1184

"availabilityImpact": "A String",

1185

"privilegesRequired": "A String",

1186

"userInteraction": "A String",

1187

"attackVector": "A String", # Base Metrics

1188

# Represents the intrinsic characteristics of a vulnerability that are

1189

# constant over time and across user environments.

1190

"confidentialityImpact": "A String",

1191

"baseScore": 3.14, # The base score is a function of the base metric scores.

1192

},

1193

},

1194

"relatedNoteNames": [ # Other notes related to this note.

1195

"A String",

1196

],

1197

"build": { # Note holding the version of the provider's builder and the signature of the # A note describing build provenance for a verifiable build.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1198

# provenance message in the build details occurrence.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

1199

"builderVersion": "A String", # Required. Immutable. Version of the builder which produced this build.

1200

"signature": { # Message encapsulating the signature of the verified build. # Signature of the build in occurrences pointing to this build note

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1201

# containing build details.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

1202

"keyType": "A String", # The type of the key, either stored in `public_key` or referenced in

1203

# `key_id`.

1204

"signature": "A String", # Required. Signature of the related `BuildProvenance`. In JSON, this is

1205

# base-64 encoded.

1206

"publicKey": "A String", # Public key of the builder which can be used to verify that the related

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1207

# findings are valid and unchanged. If `key_type` is empty, this defaults

1208

# to PEM encoded public keys.

1209

#

1210

# This field may be empty if `key_id` references an external key.

1211

#

1212

# For Cloud Build based signatures, this is a PEM encoded public

1213

# key. To verify the Cloud Build signature, place the contents of

1214

# this field into a file (public.pem). The signature field is base64-decoded

1215

# into its binary representation in signature.bin, and the provenance bytes

1216

# from `BuildDetails` are base64-decoded into a binary representation in

1217

# signed.bin. OpenSSL can then verify the signature:

1218

# `openssl sha256 -verify public.pem -signature signature.bin signed.bin`

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

1219

"keyId": "A String", # An ID for the key used to sign. This could be either an ID for the key

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1220

# stored in `public_key` (such as the ID or fingerprint for a PGP key, or the

1221

# CN for a cert), or a reference to an external key (such as a reference to a

1222

# key in Cloud Key Management Service).

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1223

},

1224

},

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

}</pre>

</div>

<code class="details" id="delete">delete(name, x__xgafv=None)</code>

1230

<pre>Deletes the specified note.

1231

1232

Args:

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

1233

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1234

`projects/[PROVIDER_ID]/notes/[NOTE_ID]`. (required)

1235

x__xgafv: string, V1 error format.

Allowed values

1 - v1 error format

2 - v2 error format

Returns:

An object of the form:

1242

1243

{ # A generic empty message that you can re-use to avoid defining duplicated

1244

# empty messages in your APIs. A typical example is to use it as the request

1245

# or the response type of an API method. For instance:

1246

#

1247

# service Foo {

1248

# rpc Bar(google.protobuf.Empty) returns (google.protobuf.Empty);

1249

# }

1250

#

1251

# The JSON representation for `Empty` is empty JSON object `{}`.

}</pre>

</div>

<code class="details" id="get">get(name, x__xgafv=None)</code>

1257

<pre>Gets the specified note.

1258

1259

Args:

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

1260

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1261

`projects/[PROVIDER_ID]/notes/[NOTE_ID]`. (required)

1262

x__xgafv: string, V1 error format.

Allowed values

1 - v1 error format

2 - v2 error format

Returns:

An object of the form:

1269

1270

{ # A type of analysis that can be done for a resource.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

1271

"package": { # This represents a particular package that is distributed over various # A note describing a package hosted by various package managers.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1272

# channels. E.g., glibc (aka libc6) is distributed by many, at various

1273

# versions.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

1274

"name": "A String", # Required. Immutable. The name of the package.

1275

"distribution": [ # The various channels by which a package is distributed.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1276

{ # This represents a particular channel of distribution for a given package.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

1277

# E.g., Debian's jessie-backports dpkg mirror.

1278

"latestVersion": { # Version contains structured information about the version of a package. # The latest available version of this package in this distribution channel.

1279

"name": "A String", # Required only when version kind is NORMAL. The main part of the version

1280

# name.

1281

"kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal

1282

# versions.

1283

"epoch": 42, # Used to correct mistakes in the version numbering scheme.

1284

"revision": "A String", # The iteration of the package build from the above version.

1285

},

1286

"description": "A String", # The distribution channel-specific description of this package.

1287

"cpeUri": "A String", # Required. The cpe_uri in [CPE format](https://cpe.mitre.org/specification/)

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1288

# denoting the package manager version distributing a package.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

1289

"url": "A String", # The distribution channel-specific homepage for this package.

1290

"architecture": "A String", # The CPU architecture for which packages in this distribution channel were

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1291

# built.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

1292

"maintainer": "A String", # A freeform string denoting the maintainer of this package.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1293

},

1294

],

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1295

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

1296

"createTime": "A String", # Output only. The time this note was created. This field can be used as a

1297

# filter in list requests.

1298

"updateTime": "A String", # Output only. The time this note was last updated. This field can be used as

1299

# a filter in list requests.

1300

"discovery": { # A note that indicates a type of analysis a provider would perform. This note # A note describing the initial analysis of a resource.

1301

# exists in a provider's project. A `Discovery` occurrence is created in a

1302

# consumer's project at the start of analysis.

1303

"analysisKind": "A String", # Required. Immutable. The kind of analysis that is handled by this

1304

# discovery.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1305

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

1306

"relatedUrl": [ # URLs associated with this note.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1307

{ # Metadata for any related URL information.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

1308

"url": "A String", # Specific URL associated with the resource.

1309

"label": "A String", # Label to describe usage of the URL.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1310

},

1311

],

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

1312

"intoto": { # This contains the fields corresponding to the definition of a software supply # A note describing an in-toto link.

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

1313

# chain step in an in-toto layout. This information goes into a Grafeas note.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

1314

"expectedMaterials": [ # The following fields contain in-toto artifact rules identifying the

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

1315

# artifacts that enter this supply chain step, and exit the supply chain

1316

# step, i.e. materials and products of the step.

1317

{ # Defines an object to declare an in-toto artifact rule

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

1318

"artifactRule": [

1319

"A String",

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

1320

],

1321

},

1322

],

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

1323

"expectedCommand": [ # This field contains the expected command used to perform the step.

1324

"A String",

1325

],

1326

"expectedProducts": [

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

1327

{ # Defines an object to declare an in-toto artifact rule

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

1328

"artifactRule": [

1329

"A String",

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

1330

],

1331

},

1332

],

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

1333

"stepName": "A String", # This field identifies the name of the step in the supply chain.

1334

"signingKeys": [ # This field contains the public keys that can be used to verify the

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

1335

# signatures on the step metadata.

1336

{ # This defines the format used to record keys used in the software supply

1337

# chain. An in-toto link is attested using one or more keys defined in the

1338

# in-toto layout. An example of this is:

1339

# {

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

1340

# "key_id": "776a00e29f3559e0141b3b096f696abc6cfb0c657ab40f441132b345b0...",

1341

# "key_type": "rsa",

1342

# "public_key_value": "-----BEGIN PUBLIC KEY-----\nMIIBojANBgkqhkiG9w0B...",

1343

# "key_scheme": "rsassa-pss-sha256"

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

1344

# }

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

1345

# The format for in-toto's key definition can be found in section 4.2 of the

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

1346

# in-toto specification.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

1347

"keyType": "A String", # This field identifies the specific signing method. Eg: "rsa", "ed25519",

1348

# and "ecdsa".

1349

"keyScheme": "A String", # This field contains the corresponding signature scheme.

1350

# Eg: "rsassa-pss-sha256".

1351

"keyId": "A String", # key_id is an identifier for the signing key.

1352

"publicKeyValue": "A String", # This field contains the actual public key.

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

1353

},

1354

],

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

1355

"threshold": "A String", # This field contains a value that indicates the minimum number of keys that

1356

# need to be used to sign the step's in-toto link.

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

1357

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

1358

"expirationTime": "A String", # Time of expiration for this note. Empty if note does not expire.

1359

"baseImage": { # Basis describes the base image portion (Note) of the DockerImage # A note describing a base image.

1360

# relationship. Linked occurrences are derived from this or an

1361

# equivalent image via:

1362

# FROM <Basis.resource_url>

1363

# Or an equivalent reference, e.g. a tag of the resource_url.

1364

"fingerprint": { # A set of properties that uniquely identify a given Docker image. # Required. Immutable. The fingerprint of the base image.

1365

"v1Name": "A String", # Required. The layer ID of the final layer in the Docker image's v1

1366

# representation.

1367

"v2Name": "A String", # Output only. The name of the image's v2 blobs computed via:

1368

# [bottom] := v2_blobbottom := sha256(v2_blob[N] + " " + v2_name[N+1])

1369

# Only the name of the final blob is kept.

1370

"v2Blob": [ # Required. The ordered list of v2 blobs that represent a given image.

"A String",

],

},

"resourceUrl": "A String", # Required. Immutable. The resource_url for the resource representing the

1375

# basis of associated occurrence images.

1376

},

1377

"kind": "A String", # Output only. The type of analysis. This field can be used as a filter in

1378

# list requests.

1379

"deployable": { # An artifact that can be deployed in some runtime. # A note describing something that can be deployed.

1380

"resourceUri": [ # Required. Resource URI for the artifact being deployed.

"A String",

],

},

"longDescription": "A String", # A detailed description of this note.

1385

"shortDescription": "A String", # A one sentence description of this note.

1386

"attestationAuthority": { # Note kind that represents a logical attestation "role" or "authority". For # A note describing an attestation role.

1387

# example, an organization might have one `Authority` for "QA" and one for

1388

# "build". This note is intended to act strictly as a grouping mechanism for

1389

# the attached occurrences (Attestations). This grouping mechanism also

1390

# provides a security boundary, since IAM ACLs gate the ability for a principle

1391

# to attach an occurrence to a given note. It also provides a single point of

1392

# lookup to find all attached attestation occurrences, even if they don't all

1393

# live in the same project.

1394

"hint": { # This submessage provides human-readable hints about the purpose of the # Hint hints at the purpose of the attestation authority.

1395

# authority. Because the name of a note acts as its resource reference, it is

1396

# important to disambiguate the canonical name of the Note (which might be a

1397

# UUID for security purposes) from "readable" names more suitable for debug

1398

# output. Note that these hints should not be used to look up authorities in

1399

# security sensitive contexts, such as when looking up attestations to

1400

# verify.

1401

"humanReadableName": "A String", # Required. The human readable name of this attestation authority, for

# example "qa".

},

},

"name": "A String", # Output only. The name of the note in the form of

1406

# `projects/[PROVIDER_ID]/notes/[NOTE_ID]`.

1407

"vulnerability": { # Vulnerability provides metadata about a security vulnerability in a Note. # A note describing a package vulnerability.

1408

"sourceUpdateTime": "A String", # The time this information was last changed at the source. This is an

1409

# upstream timestamp from the underlying information source - e.g. Ubuntu

1410

# security tracker.

1411

"windowsDetails": [ # Windows details get their own format because the information format and

1412

# model don't match a normal detail. Specifically Windows updates are done as

1413

# patches, thus Windows vulnerabilities really are a missing package, rather

1414

# than a package being at an incorrect version.

1415

{

1416

"name": "A String", # Required. The name of the vulnerability.

1417

"cpeUri": "A String", # Required. The CPE URI in

1418

# [cpe format](https://cpe.mitre.org/specification/) in which the

1419

# vulnerability manifests. Examples include distro or storage location for

1420

# vulnerable jar.

1421

"description": "A String", # The description of the vulnerability.

1422

"fixingKbs": [ # Required. The names of the KBs which have hotfixes to mitigate this

1423

# vulnerability. Note that there may be multiple hotfixes (and thus

1424

# multiple KBs) that mitigate a given vulnerability. Currently any listed

1425

# kb's presence is considered a fix.

1426

{

1427

"url": "A String", # A link to the KB in the Windows update catalog -

1428

# https://www.catalog.update.microsoft.com/

1429

"name": "A String", # The KB name (generally of the form KB[0-9]+ i.e. KB123456).

},

],

},

],

"severity": "A String", # Note provider assigned impact of the vulnerability.

1435

"details": [ # All information about the package to specifically identify this

1436

# vulnerability. One entry per (version range and cpe_uri) the package

1437

# vulnerability has manifested in.

1438

{ # Identifies all appearances of this vulnerability in the package for a

1439

# specific distro/location. For example: glibc in

1440

# cpe:/o:debian:debian_linux:8 for versions 2.1 - 2.2

1441

"isObsolete": True or False, # Whether this detail is obsolete. Occurrences are expected not to point to

1442

# obsolete details.

1443

"sourceUpdateTime": "A String", # The time this information was last changed at the source. This is an

1444

# upstream timestamp from the underlying information source - e.g. Ubuntu

1445

# security tracker.

1446

"packageType": "A String", # The type of package; whether native or non native(ruby gems, node.js

1447

# packages etc).

1448

"fixedLocation": { # The location of the vulnerability. # The fix for this specific package version.

1449

"package": "A String", # Required. The package being described.

1450

"version": { # Version contains structured information about the version of a package. # Required. The version of the package being described.

1451

"name": "A String", # Required only when version kind is NORMAL. The main part of the version

1452

# name.

1453

"kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal

1454

# versions.

1455

"epoch": 42, # Used to correct mistakes in the version numbering scheme.

1456

"revision": "A String", # The iteration of the package build from the above version.

1457

},

1458

"cpeUri": "A String", # Required. The CPE URI in [cpe format](https://cpe.mitre.org/specification/)

1459

# format. Examples include distro or storage location for vulnerable jar.

1460

},

1461

"cpeUri": "A String", # Required. The CPE URI in

1462

# [cpe format](https://cpe.mitre.org/specification/) in which the

1463

# vulnerability manifests. Examples include distro or storage location for

1464

# vulnerable jar.

1465

"description": "A String", # A vendor-specific description of this note.

1466

"severityName": "A String", # The severity (eg: distro assigned severity) for this vulnerability.

1467

"minAffectedVersion": { # Version contains structured information about the version of a package. # The min version of the package in which the vulnerability exists.

1468

"name": "A String", # Required only when version kind is NORMAL. The main part of the version

1469

# name.

1470

"kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal

1471

# versions.

1472

"epoch": 42, # Used to correct mistakes in the version numbering scheme.

1473

"revision": "A String", # The iteration of the package build from the above version.

1474

},

1475

"maxAffectedVersion": { # Version contains structured information about the version of a package. # The max version of the package in which the vulnerability exists.

1476

"name": "A String", # Required only when version kind is NORMAL. The main part of the version

1477

# name.

1478

"kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal

1479

# versions.

1480

"epoch": 42, # Used to correct mistakes in the version numbering scheme.

1481

"revision": "A String", # The iteration of the package build from the above version.

1482

},

1483

"package": "A String", # Required. The name of the package where the vulnerability was found.

1484

},

1485

],

1486

"cvssScore": 3.14, # The CVSS score for this vulnerability.

1487

"cvssV3": { # Common Vulnerability Scoring System version 3. # The full description of the CVSSv3.

1488

# For details, see https://www.first.org/cvss/specification-document

1489

"scope": "A String",

1490

"integrityImpact": "A String",

1491

"exploitabilityScore": 3.14,

1492

"impactScore": 3.14,

1493

"attackComplexity": "A String",

1494

"availabilityImpact": "A String",

1495

"privilegesRequired": "A String",

1496

"userInteraction": "A String",

1497

"attackVector": "A String", # Base Metrics

1498

# Represents the intrinsic characteristics of a vulnerability that are

1499

# constant over time and across user environments.

1500

"confidentialityImpact": "A String",

1501

"baseScore": 3.14, # The base score is a function of the base metric scores.

1502

},

1503

},

1504

"relatedNoteNames": [ # Other notes related to this note.

1505

"A String",

1506

],

1507

"build": { # Note holding the version of the provider's builder and the signature of the # A note describing build provenance for a verifiable build.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1508

# provenance message in the build details occurrence.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

1509

"builderVersion": "A String", # Required. Immutable. Version of the builder which produced this build.

1510

"signature": { # Message encapsulating the signature of the verified build. # Signature of the build in occurrences pointing to this build note

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1511

# containing build details.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

1512

"keyType": "A String", # The type of the key, either stored in `public_key` or referenced in

1513

# `key_id`.

1514

"signature": "A String", # Required. Signature of the related `BuildProvenance`. In JSON, this is

1515

# base-64 encoded.

1516

"publicKey": "A String", # Public key of the builder which can be used to verify that the related

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1517

# findings are valid and unchanged. If `key_type` is empty, this defaults

1518

# to PEM encoded public keys.

1519

#

1520

# This field may be empty if `key_id` references an external key.

1521

#

1522

# For Cloud Build based signatures, this is a PEM encoded public

1523

# key. To verify the Cloud Build signature, place the contents of

1524

# this field into a file (public.pem). The signature field is base64-decoded

1525

# into its binary representation in signature.bin, and the provenance bytes

1526

# from `BuildDetails` are base64-decoded into a binary representation in

1527

# signed.bin. OpenSSL can then verify the signature:

1528

# `openssl sha256 -verify public.pem -signature signature.bin signed.bin`

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

1529

"keyId": "A String", # An ID for the key used to sign. This could be either an ID for the key

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1530

# stored in `public_key` (such as the ID or fingerprint for a PGP key, or the

1531

# CN for a cert), or a reference to an external key (such as a reference to a

1532

# key in Cloud Key Management Service).

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1533

},

1534

},

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

}</pre>

</div>

<code class="details" id="getIamPolicy">getIamPolicy(resource, body=None, x__xgafv=None)</code>

1540

<pre>Gets the access control policy for a note or an occurrence resource.

1541

Requires `containeranalysis.notes.setIamPolicy` or

1542

`containeranalysis.occurrences.setIamPolicy` permission if the resource is

1543

a note or occurrence, respectively.

1544

1545

The resource takes the format `projects/[PROJECT_ID]/notes/[NOTE_ID]` for

1546

notes and `projects/[PROJECT_ID]/occurrences/[OCCURRENCE_ID]` for

occurrences.

Args:

resource: string, REQUIRED: The resource for which the policy is being requested.

1551

See the operation documentation for the appropriate value for this field. (required)

1552

body: object, The request body.

1553

The object takes the form of:

1554

1555

{ # Request message for `GetIamPolicy` method.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

1556

"options": { # Encapsulates settings provided to GetIamPolicy. # OPTIONAL: A `GetPolicyOptions` object for specifying options to

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

1557

# `GetIamPolicy`.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

1558

"requestedPolicyVersion": 42, # Optional. The policy format version to be returned.

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

1559

#

1560

# Valid values are 0, 1, and 3. Requests specifying an invalid value will be

1561

# rejected.

1562

#

1563

# Requests for policies with any conditional bindings must specify version 3.

1564

# Policies without any conditional bindings may specify any valid value or

1565

# leave the field unset.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

1566

#

1567

# To learn which resources support conditions in their IAM policies, see the

1568

# [IAM

1569

# documentation](https://cloud.google.com/iam/help/conditions/resource-policies).

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

1570

},

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1571

}

1572

1573

x__xgafv: string, V1 error format.

Allowed values

1 - v1 error format

2 - v2 error format

Returns:

An object of the form:

1580

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

1581

{ # An Identity and Access Management (IAM) policy, which specifies access

1582

# controls for Google Cloud resources.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1583

#

1584

#

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

1585

# A `Policy` is a collection of `bindings`. A `binding` binds one or more

1586

# `members` to a single `role`. Members can be user accounts, service accounts,

1587

# Google groups, and domains (such as G Suite). A `role` is a named list of

1588

# permissions; each `role` can be an IAM predefined role or a user-created

1589

# custom role.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1590

#

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

1591

# For some types of Google Cloud resources, a `binding` can also specify a

1592

# `condition`, which is a logical expression that allows access to a resource

1593

# only if the expression evaluates to `true`. A condition can add constraints

1594

# based on attributes of the request, the resource, or both. To learn which

1595

# resources support conditions in their IAM policies, see the

1596

# [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies).

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

1597

#

1598

# **JSON example:**

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1599

#

1600

# {

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

1601

# "bindings": [

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1602

# {

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

1603

# "role": "roles/resourcemanager.organizationAdmin",

1604

# "members": [

1605

# "user:mike@example.com",

1606

# "group:admins@example.com",

1607

# "domain:google.com",

1608

# "serviceAccount:my-project-id@appspot.gserviceaccount.com"

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1609

# ]

1610

# },

1611

# {

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

1612

# "role": "roles/resourcemanager.organizationViewer",

1613

# "members": [

1614

# "user:eve@example.com"

1615

# ],

1616

# "condition": {

1617

# "title": "expirable access",

1618

# "description": "Does not grant access after Sep 2020",

1619

# "expression": "request.time < timestamp('2020-10-01T00:00:00.000Z')",

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

1620

# }

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1621

# }

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

1622

# ],

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

1623

# "etag": "BwWWja0YfJA=",

1624

# "version": 3

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1625

# }

1626

#

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

1627

# **YAML example:**

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

#

# bindings:

# - members:

# - user:mike@example.com

1632

# - group:admins@example.com

1633

# - domain:google.com

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

1634

# - serviceAccount:my-project-id@appspot.gserviceaccount.com

1635

# role: roles/resourcemanager.organizationAdmin

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1636

# - members:

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

1637

# - user:eve@example.com

1638

# role: roles/resourcemanager.organizationViewer

1639

# condition:

1640

# title: expirable access

1641

# description: Does not grant access after Sep 2020

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

1642

# expression: request.time < timestamp('2020-10-01T00:00:00.000Z')

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

1643

# - etag: BwWWja0YfJA=

1644

# - version: 3

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1645

#

1646

# For a description of IAM and its features, see the

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

1647

# [IAM documentation](https://cloud.google.com/iam/docs/).

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

1648

"version": 42, # Specifies the format of the policy.

1649

#

1650

# Valid values are `0`, `1`, and `3`. Requests that specify an invalid value

1651

# are rejected.

1652

#

1653

# Any operation that affects conditional role bindings must specify version

1654

# `3`. This requirement applies to the following operations:

1655

#

1656

# * Getting a policy that includes a conditional role binding

1657

# * Adding a conditional role binding to a policy

1658

# * Changing a conditional role binding in a policy

1659

# * Removing any role binding, with or without a condition, from a policy

1660

# that includes conditions

1661

#

1662

# **Important:** If you use IAM Conditions, you must include the `etag` field

1663

# whenever you call `setIamPolicy`. If you omit this field, then IAM allows

1664

# you to overwrite a version `3` policy with a version `1` policy, and all of

1665

# the conditions in the version `3` policy are lost.

1666

#

1667

# If a policy does not include any conditions, operations on that policy may

1668

# specify any valid version or leave the field unset.

1669

#

1670

# To learn which resources support conditions in their IAM policies, see the

1671

# [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies).

1672

"bindings": [ # Associates a list of `members` to a `role`. Optionally, may specify a

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

1673

# `condition` that determines how and when the `bindings` are applied. Each

1674

# of the `bindings` must contain at least one member.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1675

{ # Associates `members` with a `role`.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

1676

"members": [ # Specifies the identities requesting access for a Cloud Platform resource.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1677

# `members` can have the following values:

1678

#

1679

# * `allUsers`: A special identifier that represents anyone who is

1680

# on the internet; with or without a Google account.

1681

#

1682

# * `allAuthenticatedUsers`: A special identifier that represents anyone

1683

# who is authenticated with a Google account or a service account.

1684

#

1685

# * `user:{emailid}`: An email address that represents a specific Google

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

1686

# account. For example, `alice@example.com` .

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1687

#

1688

#

1689

# * `serviceAccount:{emailid}`: An email address that represents a service

1690

# account. For example, `my-other-app@appspot.gserviceaccount.com`.

1691

#

1692

# * `group:{emailid}`: An email address that represents a Google group.

1693

# For example, `admins@example.com`.

1694

#

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

1695

# * `deleted:user:{emailid}?uid={uniqueid}`: An email address (plus unique

1696

# identifier) representing a user that has been recently deleted. For

1697

# example, `alice@example.com?uid=123456789012345678901`. If the user is

1698

# recovered, this value reverts to `user:{emailid}` and the recovered user

1699

# retains the role in the binding.

1700

#

1701

# * `deleted:serviceAccount:{emailid}?uid={uniqueid}`: An email address (plus

1702

# unique identifier) representing a service account that has been recently

1703

# deleted. For example,

1704

# `my-other-app@appspot.gserviceaccount.com?uid=123456789012345678901`.

1705

# If the service account is undeleted, this value reverts to

1706

# `serviceAccount:{emailid}` and the undeleted service account retains the

1707

# role in the binding.

1708

#

1709

# * `deleted:group:{emailid}?uid={uniqueid}`: An email address (plus unique

1710

# identifier) representing a Google group that has been recently

1711

# deleted. For example, `admins@example.com?uid=123456789012345678901`. If

1712

# the group is recovered, this value reverts to `group:{emailid}` and the

1713

# recovered group retains the role in the binding.

1714

#

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1715

#

1716

# * `domain:{domain}`: The G Suite domain (primary) that represents all the

1717

# users of that domain. For example, `google.com` or `example.com`.

1718

#

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

1719

"A String",

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1720

],

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

1721

"role": "A String", # Role that is assigned to `members`.

1722

# For example, `roles/viewer`, `roles/editor`, or `roles/owner`.

1723

"condition": { # Represents a textual expression in the Common Expression Language (CEL) # The condition that is associated with this binding.

1724

#

1725

# If the condition evaluates to `true`, then this binding applies to the

1726

# current request.

1727

#

1728

# If the condition evaluates to `false`, then this binding does not apply to

1729

# the current request. However, a different role binding might grant the same

1730

# role to one or more of the members in this binding.

1731

#

1732

# To learn which resources support conditions in their IAM policies, see the

1733

# [IAM

1734

# documentation](https://cloud.google.com/iam/help/conditions/resource-policies).

1735

# syntax. CEL is a C-like expression language. The syntax and semantics of CEL

1736

# are documented at https://github.com/google/cel-spec.

1737

#

1738

# Example (Comparison):

1739

#

1740

# title: "Summary size limit"

1741

# description: "Determines if a summary is less than 100 chars"

1742

# expression: "document.summary.size() < 100"

1743

#

1744

# Example (Equality):

1745

#

1746

# title: "Requestor is owner"

1747

# description: "Determines if requestor is the document owner"

1748

# expression: "document.owner == request.auth.claims.email"

#

# Example (Logic):

#

# title: "Public documents"

1753

# description: "Determine whether the document should be publicly visible"

1754

# expression: "document.type != 'private' && document.type != 'internal'"

1755

#

1756

# Example (Data Manipulation):

1757

#

1758

# title: "Notification string"

1759

# description: "Create a notification string with a timestamp."

1760

# expression: "'New message received at ' + string(document.create_time)"

1761

#

1762

# The exact variables and functions that may be referenced within an expression

1763

# are determined by the service that evaluates it. See the service

1764

# documentation for additional information.

1765

"title": "A String", # Optional. Title for the expression, i.e. a short string describing

1766

# its purpose. This can be used e.g. in UIs which allow to enter the

1767

# expression.

1768

"location": "A String", # Optional. String indicating the location of the expression for error

1769

# reporting, e.g. a file name and a position in the file.

1770

"description": "A String", # Optional. Description of the expression. This is a longer text which

1771

# describes the expression, e.g. when hovered over it in a UI.

1772

"expression": "A String", # Textual representation of an expression in Common Expression Language

1773

# syntax.

1774

},

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1775

},

1776

],

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

1777

"etag": "A String", # `etag` is used for optimistic concurrency control as a way to help

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1778

# prevent simultaneous updates of a policy from overwriting each other.

1779

# It is strongly suggested that systems make use of the `etag` in the

1780

# read-modify-write cycle to perform policy updates in order to avoid race

1781

# conditions: An `etag` is returned in the response to `getIamPolicy`, and

1782

# systems are expected to put that etag in the request to `setIamPolicy` to

1783

# ensure that their change will be applied to the same version of the policy.

1784

#

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

1785

# **Important:** If you use IAM Conditions, you must include the `etag` field

1786

# whenever you call `setIamPolicy`. If you omit this field, then IAM allows

1787

# you to overwrite a version `3` policy with a version `1` policy, and all of

1788

# the conditions in the version `3` policy are lost.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

}</pre>

</div>

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

1793

<code class="details" id="list">list(parent, pageToken=None, pageSize=None, filter=None, x__xgafv=None)</code>

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1794

<pre>Lists notes for the specified project.

1795

1796

Args:

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

1797

parent: string, Required. The name of the project to list notes for in the form of

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1798

`projects/[PROJECT_ID]`. (required)

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1799

pageToken: string, Token to provide to skip to a particular spot in the list.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

1800

pageSize: integer, Number of notes to return in the list. Must be positive. Max allowed page

1801

size is 1000. If not specified, page size defaults to 20.

1802

filter: string, The filter expression.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1803

x__xgafv: string, V1 error format.

1804

Allowed values

1805

1 - v1 error format

1806

2 - v2 error format

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1807

1808

Returns:

1809

An object of the form:

1810

1811

{ # Response for listing notes.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

1812

"nextPageToken": "A String", # The next pagination token in the list response. It should be used as

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1813

# `page_token` for the following request. An empty value means no more

1814

# results.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

1815

"notes": [ # The notes requested.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1816

{ # A type of analysis that can be done for a resource.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

1817

"package": { # This represents a particular package that is distributed over various # A note describing a package hosted by various package managers.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1818

# channels. E.g., glibc (aka libc6) is distributed by many, at various

1819

# versions.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

1820

"name": "A String", # Required. Immutable. The name of the package.

1821

"distribution": [ # The various channels by which a package is distributed.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1822

{ # This represents a particular channel of distribution for a given package.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

1823

# E.g., Debian's jessie-backports dpkg mirror.

1824

"latestVersion": { # Version contains structured information about the version of a package. # The latest available version of this package in this distribution channel.

1825

"name": "A String", # Required only when version kind is NORMAL. The main part of the version

1826

# name.

1827

"kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal

1828

# versions.

1829

"epoch": 42, # Used to correct mistakes in the version numbering scheme.

1830

"revision": "A String", # The iteration of the package build from the above version.

1831

},

1832

"description": "A String", # The distribution channel-specific description of this package.

1833

"cpeUri": "A String", # Required. The cpe_uri in [CPE format](https://cpe.mitre.org/specification/)

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1834

# denoting the package manager version distributing a package.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

1835

"url": "A String", # The distribution channel-specific homepage for this package.

1836

"architecture": "A String", # The CPU architecture for which packages in this distribution channel were

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1837

# built.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

1838

"maintainer": "A String", # A freeform string denoting the maintainer of this package.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1839

},

1840

],

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1841

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

1842

"createTime": "A String", # Output only. The time this note was created. This field can be used as a

1843

# filter in list requests.

1844

"updateTime": "A String", # Output only. The time this note was last updated. This field can be used as

1845

# a filter in list requests.

1846

"discovery": { # A note that indicates a type of analysis a provider would perform. This note # A note describing the initial analysis of a resource.

1847

# exists in a provider's project. A `Discovery` occurrence is created in a

1848

# consumer's project at the start of analysis.

1849

"analysisKind": "A String", # Required. Immutable. The kind of analysis that is handled by this

1850

# discovery.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1851

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

1852

"relatedUrl": [ # URLs associated with this note.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1853

{ # Metadata for any related URL information.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

1854

"url": "A String", # Specific URL associated with the resource.

1855

"label": "A String", # Label to describe usage of the URL.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1856

},

1857

],

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

1858

"intoto": { # This contains the fields corresponding to the definition of a software supply # A note describing an in-toto link.

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

1859

# chain step in an in-toto layout. This information goes into a Grafeas note.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

1860

"expectedMaterials": [ # The following fields contain in-toto artifact rules identifying the

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

1861

# artifacts that enter this supply chain step, and exit the supply chain

1862

# step, i.e. materials and products of the step.

1863

{ # Defines an object to declare an in-toto artifact rule

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

1864

"artifactRule": [

1865

"A String",

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

1866

],

1867

},

1868

],

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

1869

"expectedCommand": [ # This field contains the expected command used to perform the step.

1870

"A String",

1871

],

1872

"expectedProducts": [

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

1873

{ # Defines an object to declare an in-toto artifact rule

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

1874

"artifactRule": [

1875

"A String",

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

1876

],

1877

},

1878

],

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

1879

"stepName": "A String", # This field identifies the name of the step in the supply chain.

1880

"signingKeys": [ # This field contains the public keys that can be used to verify the

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

1881

# signatures on the step metadata.

1882

{ # This defines the format used to record keys used in the software supply

1883

# chain. An in-toto link is attested using one or more keys defined in the

1884

# in-toto layout. An example of this is:

1885

# {

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

1886

# "key_id": "776a00e29f3559e0141b3b096f696abc6cfb0c657ab40f441132b345b0...",

1887

# "key_type": "rsa",

1888

# "public_key_value": "-----BEGIN PUBLIC KEY-----\nMIIBojANBgkqhkiG9w0B...",

1889

# "key_scheme": "rsassa-pss-sha256"

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

1890

# }

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

1891

# The format for in-toto's key definition can be found in section 4.2 of the

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

1892

# in-toto specification.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

1893

"keyType": "A String", # This field identifies the specific signing method. Eg: "rsa", "ed25519",

1894

# and "ecdsa".

1895

"keyScheme": "A String", # This field contains the corresponding signature scheme.

1896

# Eg: "rsassa-pss-sha256".

1897

"keyId": "A String", # key_id is an identifier for the signing key.

1898

"publicKeyValue": "A String", # This field contains the actual public key.

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

1899

},

1900

],

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

1901

"threshold": "A String", # This field contains a value that indicates the minimum number of keys that

1902

# need to be used to sign the step's in-toto link.

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

1903

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

1904

"expirationTime": "A String", # Time of expiration for this note. Empty if note does not expire.

1905

"baseImage": { # Basis describes the base image portion (Note) of the DockerImage # A note describing a base image.

1906

# relationship. Linked occurrences are derived from this or an

1907

# equivalent image via:

1908

# FROM <Basis.resource_url>

1909

# Or an equivalent reference, e.g. a tag of the resource_url.

1910

"fingerprint": { # A set of properties that uniquely identify a given Docker image. # Required. Immutable. The fingerprint of the base image.

1911

"v1Name": "A String", # Required. The layer ID of the final layer in the Docker image's v1

1912

# representation.

1913

"v2Name": "A String", # Output only. The name of the image's v2 blobs computed via:

1914

# [bottom] := v2_blobbottom := sha256(v2_blob[N] + " " + v2_name[N+1])

1915

# Only the name of the final blob is kept.

1916

"v2Blob": [ # Required. The ordered list of v2 blobs that represent a given image.

"A String",

],

},

"resourceUrl": "A String", # Required. Immutable. The resource_url for the resource representing the

1921

# basis of associated occurrence images.

1922

},

1923

"kind": "A String", # Output only. The type of analysis. This field can be used as a filter in

1924

# list requests.

1925

"deployable": { # An artifact that can be deployed in some runtime. # A note describing something that can be deployed.

1926

"resourceUri": [ # Required. Resource URI for the artifact being deployed.

"A String",

],

},

"longDescription": "A String", # A detailed description of this note.

1931

"shortDescription": "A String", # A one sentence description of this note.

1932

"attestationAuthority": { # Note kind that represents a logical attestation "role" or "authority". For # A note describing an attestation role.

1933

# example, an organization might have one `Authority` for "QA" and one for

1934

# "build". This note is intended to act strictly as a grouping mechanism for

1935

# the attached occurrences (Attestations). This grouping mechanism also

1936

# provides a security boundary, since IAM ACLs gate the ability for a principle

1937

# to attach an occurrence to a given note. It also provides a single point of

1938

# lookup to find all attached attestation occurrences, even if they don't all

1939

# live in the same project.

1940

"hint": { # This submessage provides human-readable hints about the purpose of the # Hint hints at the purpose of the attestation authority.

1941

# authority. Because the name of a note acts as its resource reference, it is

1942

# important to disambiguate the canonical name of the Note (which might be a

1943

# UUID for security purposes) from "readable" names more suitable for debug

1944

# output. Note that these hints should not be used to look up authorities in

1945

# security sensitive contexts, such as when looking up attestations to

1946

# verify.

1947

"humanReadableName": "A String", # Required. The human readable name of this attestation authority, for

# example "qa".

},

},

"name": "A String", # Output only. The name of the note in the form of

1952

# `projects/[PROVIDER_ID]/notes/[NOTE_ID]`.

1953

"vulnerability": { # Vulnerability provides metadata about a security vulnerability in a Note. # A note describing a package vulnerability.

1954

"sourceUpdateTime": "A String", # The time this information was last changed at the source. This is an

1955

# upstream timestamp from the underlying information source - e.g. Ubuntu

1956

# security tracker.

1957

"windowsDetails": [ # Windows details get their own format because the information format and

1958

# model don't match a normal detail. Specifically Windows updates are done as

1959

# patches, thus Windows vulnerabilities really are a missing package, rather

1960

# than a package being at an incorrect version.

1961

{

1962

"name": "A String", # Required. The name of the vulnerability.

1963

"cpeUri": "A String", # Required. The CPE URI in

1964

# [cpe format](https://cpe.mitre.org/specification/) in which the

1965

# vulnerability manifests. Examples include distro or storage location for

1966

# vulnerable jar.

1967

"description": "A String", # The description of the vulnerability.

1968

"fixingKbs": [ # Required. The names of the KBs which have hotfixes to mitigate this

1969

# vulnerability. Note that there may be multiple hotfixes (and thus

1970

# multiple KBs) that mitigate a given vulnerability. Currently any listed

1971

# kb's presence is considered a fix.

1972

{

1973

"url": "A String", # A link to the KB in the Windows update catalog -

1974

# https://www.catalog.update.microsoft.com/

1975

"name": "A String", # The KB name (generally of the form KB[0-9]+ i.e. KB123456).

},

],

},

],

"severity": "A String", # Note provider assigned impact of the vulnerability.

1981

"details": [ # All information about the package to specifically identify this

1982

# vulnerability. One entry per (version range and cpe_uri) the package

1983

# vulnerability has manifested in.

1984

{ # Identifies all appearances of this vulnerability in the package for a

1985

# specific distro/location. For example: glibc in

1986

# cpe:/o:debian:debian_linux:8 for versions 2.1 - 2.2

1987

"isObsolete": True or False, # Whether this detail is obsolete. Occurrences are expected not to point to

1988

# obsolete details.

1989

"sourceUpdateTime": "A String", # The time this information was last changed at the source. This is an

1990

# upstream timestamp from the underlying information source - e.g. Ubuntu

1991

# security tracker.

1992

"packageType": "A String", # The type of package; whether native or non native(ruby gems, node.js

1993

# packages etc).

1994

"fixedLocation": { # The location of the vulnerability. # The fix for this specific package version.

1995

"package": "A String", # Required. The package being described.

1996

"version": { # Version contains structured information about the version of a package. # Required. The version of the package being described.

1997

"name": "A String", # Required only when version kind is NORMAL. The main part of the version

1998

# name.

1999

"kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal

2000

# versions.

2001

"epoch": 42, # Used to correct mistakes in the version numbering scheme.

2002

"revision": "A String", # The iteration of the package build from the above version.

2003

},

2004

"cpeUri": "A String", # Required. The CPE URI in [cpe format](https://cpe.mitre.org/specification/)

2005

# format. Examples include distro or storage location for vulnerable jar.

2006

},

2007

"cpeUri": "A String", # Required. The CPE URI in

2008

# [cpe format](https://cpe.mitre.org/specification/) in which the

2009

# vulnerability manifests. Examples include distro or storage location for

2010

# vulnerable jar.

2011

"description": "A String", # A vendor-specific description of this note.

2012

"severityName": "A String", # The severity (eg: distro assigned severity) for this vulnerability.

2013

"minAffectedVersion": { # Version contains structured information about the version of a package. # The min version of the package in which the vulnerability exists.

2014

"name": "A String", # Required only when version kind is NORMAL. The main part of the version

2015

# name.

2016

"kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal

2017

# versions.

2018

"epoch": 42, # Used to correct mistakes in the version numbering scheme.

2019

"revision": "A String", # The iteration of the package build from the above version.

2020

},

2021

"maxAffectedVersion": { # Version contains structured information about the version of a package. # The max version of the package in which the vulnerability exists.

2022

"name": "A String", # Required only when version kind is NORMAL. The main part of the version

2023

# name.

2024

"kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal

2025

# versions.

2026

"epoch": 42, # Used to correct mistakes in the version numbering scheme.

2027

"revision": "A String", # The iteration of the package build from the above version.

2028

},

2029

"package": "A String", # Required. The name of the package where the vulnerability was found.

2030

},

2031

],

2032

"cvssScore": 3.14, # The CVSS score for this vulnerability.

2033

"cvssV3": { # Common Vulnerability Scoring System version 3. # The full description of the CVSSv3.

2034

# For details, see https://www.first.org/cvss/specification-document

2035

"scope": "A String",

2036

"integrityImpact": "A String",

2037

"exploitabilityScore": 3.14,

2038

"impactScore": 3.14,

2039

"attackComplexity": "A String",

2040

"availabilityImpact": "A String",

2041

"privilegesRequired": "A String",

2042

"userInteraction": "A String",

2043

"attackVector": "A String", # Base Metrics

2044

# Represents the intrinsic characteristics of a vulnerability that are

2045

# constant over time and across user environments.

2046

"confidentialityImpact": "A String",

2047

"baseScore": 3.14, # The base score is a function of the base metric scores.

2048

},

2049

},

2050

"relatedNoteNames": [ # Other notes related to this note.

2051

"A String",

2052

],

2053

"build": { # Note holding the version of the provider's builder and the signature of the # A note describing build provenance for a verifiable build.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2054

# provenance message in the build details occurrence.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

2055

"builderVersion": "A String", # Required. Immutable. Version of the builder which produced this build.

2056

"signature": { # Message encapsulating the signature of the verified build. # Signature of the build in occurrences pointing to this build note

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2057

# containing build details.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

2058

"keyType": "A String", # The type of the key, either stored in `public_key` or referenced in

2059

# `key_id`.

2060

"signature": "A String", # Required. Signature of the related `BuildProvenance`. In JSON, this is

2061

# base-64 encoded.

2062

"publicKey": "A String", # Public key of the builder which can be used to verify that the related

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2063

# findings are valid and unchanged. If `key_type` is empty, this defaults

2064

# to PEM encoded public keys.

2065

#

2066

# This field may be empty if `key_id` references an external key.

2067

#

2068

# For Cloud Build based signatures, this is a PEM encoded public

2069

# key. To verify the Cloud Build signature, place the contents of

2070

# this field into a file (public.pem). The signature field is base64-decoded

2071

# into its binary representation in signature.bin, and the provenance bytes

2072

# from `BuildDetails` are base64-decoded into a binary representation in

2073

# signed.bin. OpenSSL can then verify the signature:

2074

# `openssl sha256 -verify public.pem -signature signature.bin signed.bin`

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

2075

"keyId": "A String", # An ID for the key used to sign. This could be either an ID for the key

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2076

# stored in `public_key` (such as the ID or fingerprint for a PGP key, or the

2077

# CN for a cert), or a reference to an external key (such as a reference to a

2078

# key in Cloud Key Management Service).

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2079

},

2080

},

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

},

],

}</pre>

</div>

<code class="details" id="list_next">list_next(previous_request, previous_response)</code>

2088

<pre>Retrieves the next page of results.

2089

2090

Args:

2091

previous_request: The request for the previous page. (required)

2092

previous_response: The response from the request for the previous page. (required)

2093

2094

Returns:

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

2095

A request object that you can call 'execute()' on to request the next

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2096

page. Returns None if there are no more items in the collection.

</pre>

</div>

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

2101

<code class="details" id="patch">patch(name, body=None, updateMask=None, x__xgafv=None)</code>

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2102

<pre>Updates the specified note.

2103

2104

Args:

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

2105

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2106

`projects/[PROVIDER_ID]/notes/[NOTE_ID]`. (required)

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

2107

body: object, The request body.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2108

The object takes the form of:

2109

2110

{ # A type of analysis that can be done for a resource.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

2111

"package": { # This represents a particular package that is distributed over various # A note describing a package hosted by various package managers.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2112

# channels. E.g., glibc (aka libc6) is distributed by many, at various

2113

# versions.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

2114

"name": "A String", # Required. Immutable. The name of the package.

2115

"distribution": [ # The various channels by which a package is distributed.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2116

{ # This represents a particular channel of distribution for a given package.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

2117

# E.g., Debian's jessie-backports dpkg mirror.

2118

"latestVersion": { # Version contains structured information about the version of a package. # The latest available version of this package in this distribution channel.

2119

"name": "A String", # Required only when version kind is NORMAL. The main part of the version

2120

# name.

2121

"kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal

2122

# versions.

2123

"epoch": 42, # Used to correct mistakes in the version numbering scheme.

2124

"revision": "A String", # The iteration of the package build from the above version.

2125

},

2126

"description": "A String", # The distribution channel-specific description of this package.

2127

"cpeUri": "A String", # Required. The cpe_uri in [CPE format](https://cpe.mitre.org/specification/)

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2128

# denoting the package manager version distributing a package.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

2129

"url": "A String", # The distribution channel-specific homepage for this package.

2130

"architecture": "A String", # The CPU architecture for which packages in this distribution channel were

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2131

# built.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

2132

"maintainer": "A String", # A freeform string denoting the maintainer of this package.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2133

},

2134

],

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2135

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

2136

"createTime": "A String", # Output only. The time this note was created. This field can be used as a

2137

# filter in list requests.

2138

"updateTime": "A String", # Output only. The time this note was last updated. This field can be used as

2139

# a filter in list requests.

2140

"discovery": { # A note that indicates a type of analysis a provider would perform. This note # A note describing the initial analysis of a resource.

2141

# exists in a provider's project. A `Discovery` occurrence is created in a

2142

# consumer's project at the start of analysis.

2143

"analysisKind": "A String", # Required. Immutable. The kind of analysis that is handled by this

2144

# discovery.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2145

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

2146

"relatedUrl": [ # URLs associated with this note.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2147

{ # Metadata for any related URL information.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

2148

"url": "A String", # Specific URL associated with the resource.

2149

"label": "A String", # Label to describe usage of the URL.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2150

},

2151

],

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

2152

"intoto": { # This contains the fields corresponding to the definition of a software supply # A note describing an in-toto link.

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

2153

# chain step in an in-toto layout. This information goes into a Grafeas note.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

2154

"expectedMaterials": [ # The following fields contain in-toto artifact rules identifying the

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

2155

# artifacts that enter this supply chain step, and exit the supply chain

2156

# step, i.e. materials and products of the step.

2157

{ # Defines an object to declare an in-toto artifact rule

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

2158

"artifactRule": [

2159

"A String",

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

2160

],

2161

},

2162

],

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

2163

"expectedCommand": [ # This field contains the expected command used to perform the step.

2164

"A String",

2165

],

2166

"expectedProducts": [

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

2167

{ # Defines an object to declare an in-toto artifact rule

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

2168

"artifactRule": [

2169

"A String",

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

2170

],

2171

},

2172

],

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

2173

"stepName": "A String", # This field identifies the name of the step in the supply chain.

2174

"signingKeys": [ # This field contains the public keys that can be used to verify the

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

2175

# signatures on the step metadata.

2176

{ # This defines the format used to record keys used in the software supply

2177

# chain. An in-toto link is attested using one or more keys defined in the

2178

# in-toto layout. An example of this is:

2179

# {

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

2180

# "key_id": "776a00e29f3559e0141b3b096f696abc6cfb0c657ab40f441132b345b0...",

2181

# "key_type": "rsa",

2182

# "public_key_value": "-----BEGIN PUBLIC KEY-----\nMIIBojANBgkqhkiG9w0B...",

2183

# "key_scheme": "rsassa-pss-sha256"

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

2184

# }

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

2185

# The format for in-toto's key definition can be found in section 4.2 of the

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

2186

# in-toto specification.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

2187

"keyType": "A String", # This field identifies the specific signing method. Eg: "rsa", "ed25519",

2188

# and "ecdsa".

2189

"keyScheme": "A String", # This field contains the corresponding signature scheme.

2190

# Eg: "rsassa-pss-sha256".

2191

"keyId": "A String", # key_id is an identifier for the signing key.

2192

"publicKeyValue": "A String", # This field contains the actual public key.

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

2193

},

2194

],

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

2195

"threshold": "A String", # This field contains a value that indicates the minimum number of keys that

2196

# need to be used to sign the step's in-toto link.

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

2197

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

2198

"expirationTime": "A String", # Time of expiration for this note. Empty if note does not expire.

2199

"baseImage": { # Basis describes the base image portion (Note) of the DockerImage # A note describing a base image.

2200

# relationship. Linked occurrences are derived from this or an

2201

# equivalent image via:

2202

# FROM <Basis.resource_url>

2203

# Or an equivalent reference, e.g. a tag of the resource_url.

2204

"fingerprint": { # A set of properties that uniquely identify a given Docker image. # Required. Immutable. The fingerprint of the base image.

2205

"v1Name": "A String", # Required. The layer ID of the final layer in the Docker image's v1

2206

# representation.

2207

"v2Name": "A String", # Output only. The name of the image's v2 blobs computed via:

2208

# [bottom] := v2_blobbottom := sha256(v2_blob[N] + " " + v2_name[N+1])

2209

# Only the name of the final blob is kept.

2210

"v2Blob": [ # Required. The ordered list of v2 blobs that represent a given image.

"A String",

],

},

"resourceUrl": "A String", # Required. Immutable. The resource_url for the resource representing the

2215

# basis of associated occurrence images.

2216

},

2217

"kind": "A String", # Output only. The type of analysis. This field can be used as a filter in

2218

# list requests.

2219

"deployable": { # An artifact that can be deployed in some runtime. # A note describing something that can be deployed.

2220

"resourceUri": [ # Required. Resource URI for the artifact being deployed.

"A String",

],

},

"longDescription": "A String", # A detailed description of this note.

2225

"shortDescription": "A String", # A one sentence description of this note.

2226

"attestationAuthority": { # Note kind that represents a logical attestation "role" or "authority". For # A note describing an attestation role.

2227

# example, an organization might have one `Authority` for "QA" and one for

2228

# "build". This note is intended to act strictly as a grouping mechanism for

2229

# the attached occurrences (Attestations). This grouping mechanism also

2230

# provides a security boundary, since IAM ACLs gate the ability for a principle

2231

# to attach an occurrence to a given note. It also provides a single point of

2232

# lookup to find all attached attestation occurrences, even if they don't all

2233

# live in the same project.

2234

"hint": { # This submessage provides human-readable hints about the purpose of the # Hint hints at the purpose of the attestation authority.

2235

# authority. Because the name of a note acts as its resource reference, it is

2236

# important to disambiguate the canonical name of the Note (which might be a

2237

# UUID for security purposes) from "readable" names more suitable for debug

2238

# output. Note that these hints should not be used to look up authorities in

2239

# security sensitive contexts, such as when looking up attestations to

2240

# verify.

2241

"humanReadableName": "A String", # Required. The human readable name of this attestation authority, for

# example "qa".

},

},

"name": "A String", # Output only. The name of the note in the form of

2246

# `projects/[PROVIDER_ID]/notes/[NOTE_ID]`.

2247

"vulnerability": { # Vulnerability provides metadata about a security vulnerability in a Note. # A note describing a package vulnerability.

2248

"sourceUpdateTime": "A String", # The time this information was last changed at the source. This is an

2249

# upstream timestamp from the underlying information source - e.g. Ubuntu

2250

# security tracker.

2251

"windowsDetails": [ # Windows details get their own format because the information format and

2252

# model don't match a normal detail. Specifically Windows updates are done as

2253

# patches, thus Windows vulnerabilities really are a missing package, rather

2254

# than a package being at an incorrect version.

2255

{

2256

"name": "A String", # Required. The name of the vulnerability.

2257

"cpeUri": "A String", # Required. The CPE URI in

2258

# [cpe format](https://cpe.mitre.org/specification/) in which the

2259

# vulnerability manifests. Examples include distro or storage location for

2260

# vulnerable jar.

2261

"description": "A String", # The description of the vulnerability.

2262

"fixingKbs": [ # Required. The names of the KBs which have hotfixes to mitigate this

2263

# vulnerability. Note that there may be multiple hotfixes (and thus

2264

# multiple KBs) that mitigate a given vulnerability. Currently any listed

2265

# kb's presence is considered a fix.

2266

{

2267

"url": "A String", # A link to the KB in the Windows update catalog -

2268

# https://www.catalog.update.microsoft.com/

2269

"name": "A String", # The KB name (generally of the form KB[0-9]+ i.e. KB123456).

},

],

},

],

"severity": "A String", # Note provider assigned impact of the vulnerability.

2275

"details": [ # All information about the package to specifically identify this

2276

# vulnerability. One entry per (version range and cpe_uri) the package

2277

# vulnerability has manifested in.

2278

{ # Identifies all appearances of this vulnerability in the package for a

2279

# specific distro/location. For example: glibc in

2280

# cpe:/o:debian:debian_linux:8 for versions 2.1 - 2.2

2281

"isObsolete": True or False, # Whether this detail is obsolete. Occurrences are expected not to point to

2282

# obsolete details.

2283

"sourceUpdateTime": "A String", # The time this information was last changed at the source. This is an

2284

# upstream timestamp from the underlying information source - e.g. Ubuntu

2285

# security tracker.

2286

"packageType": "A String", # The type of package; whether native or non native(ruby gems, node.js

2287

# packages etc).

2288

"fixedLocation": { # The location of the vulnerability. # The fix for this specific package version.

2289

"package": "A String", # Required. The package being described.

2290

"version": { # Version contains structured information about the version of a package. # Required. The version of the package being described.

2291

"name": "A String", # Required only when version kind is NORMAL. The main part of the version

2292

# name.

2293

"kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal

2294

# versions.

2295

"epoch": 42, # Used to correct mistakes in the version numbering scheme.

2296

"revision": "A String", # The iteration of the package build from the above version.

2297

},

2298

"cpeUri": "A String", # Required. The CPE URI in [cpe format](https://cpe.mitre.org/specification/)

2299

# format. Examples include distro or storage location for vulnerable jar.

2300

},

2301

"cpeUri": "A String", # Required. The CPE URI in

2302

# [cpe format](https://cpe.mitre.org/specification/) in which the

2303

# vulnerability manifests. Examples include distro or storage location for

2304

# vulnerable jar.

2305

"description": "A String", # A vendor-specific description of this note.

2306

"severityName": "A String", # The severity (eg: distro assigned severity) for this vulnerability.

2307

"minAffectedVersion": { # Version contains structured information about the version of a package. # The min version of the package in which the vulnerability exists.

2308

"name": "A String", # Required only when version kind is NORMAL. The main part of the version

2309

# name.

2310

"kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal

2311

# versions.

2312

"epoch": 42, # Used to correct mistakes in the version numbering scheme.

2313

"revision": "A String", # The iteration of the package build from the above version.

2314

},

2315

"maxAffectedVersion": { # Version contains structured information about the version of a package. # The max version of the package in which the vulnerability exists.

2316

"name": "A String", # Required only when version kind is NORMAL. The main part of the version

2317

# name.

2318

"kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal

2319

# versions.

2320

"epoch": 42, # Used to correct mistakes in the version numbering scheme.

2321

"revision": "A String", # The iteration of the package build from the above version.

2322

},

2323

"package": "A String", # Required. The name of the package where the vulnerability was found.

2324

},

2325

],

2326

"cvssScore": 3.14, # The CVSS score for this vulnerability.

2327

"cvssV3": { # Common Vulnerability Scoring System version 3. # The full description of the CVSSv3.

2328

# For details, see https://www.first.org/cvss/specification-document

2329

"scope": "A String",

2330

"integrityImpact": "A String",

2331

"exploitabilityScore": 3.14,

2332

"impactScore": 3.14,

2333

"attackComplexity": "A String",

2334

"availabilityImpact": "A String",

2335

"privilegesRequired": "A String",

2336

"userInteraction": "A String",

2337

"attackVector": "A String", # Base Metrics

2338

# Represents the intrinsic characteristics of a vulnerability that are

2339

# constant over time and across user environments.

2340

"confidentialityImpact": "A String",

2341

"baseScore": 3.14, # The base score is a function of the base metric scores.

2342

},

2343

},

2344

"relatedNoteNames": [ # Other notes related to this note.

2345

"A String",

2346

],

2347

"build": { # Note holding the version of the provider's builder and the signature of the # A note describing build provenance for a verifiable build.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2348

# provenance message in the build details occurrence.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

2349

"builderVersion": "A String", # Required. Immutable. Version of the builder which produced this build.

2350

"signature": { # Message encapsulating the signature of the verified build. # Signature of the build in occurrences pointing to this build note

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2351

# containing build details.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

2352

"keyType": "A String", # The type of the key, either stored in `public_key` or referenced in

2353

# `key_id`.

2354

"signature": "A String", # Required. Signature of the related `BuildProvenance`. In JSON, this is

2355

# base-64 encoded.

2356

"publicKey": "A String", # Public key of the builder which can be used to verify that the related

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2357

# findings are valid and unchanged. If `key_type` is empty, this defaults

2358

# to PEM encoded public keys.

2359

#

2360

# This field may be empty if `key_id` references an external key.

2361

#

2362

# For Cloud Build based signatures, this is a PEM encoded public

2363

# key. To verify the Cloud Build signature, place the contents of

2364

# this field into a file (public.pem). The signature field is base64-decoded

2365

# into its binary representation in signature.bin, and the provenance bytes

2366

# from `BuildDetails` are base64-decoded into a binary representation in

2367

# signed.bin. OpenSSL can then verify the signature:

2368

# `openssl sha256 -verify public.pem -signature signature.bin signed.bin`

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

2369

"keyId": "A String", # An ID for the key used to sign. This could be either an ID for the key

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2370

# stored in `public_key` (such as the ID or fingerprint for a PGP key, or the

2371

# CN for a cert), or a reference to an external key (such as a reference to a

2372

# key in Cloud Key Management Service).

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2373

},

2374

},

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2375

}

2376

2377

updateMask: string, The fields to update.

2378

x__xgafv: string, V1 error format.

Allowed values

1 - v1 error format

2 - v2 error format

Returns:

An object of the form:

2385

2386

{ # A type of analysis that can be done for a resource.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

2387

"package": { # This represents a particular package that is distributed over various # A note describing a package hosted by various package managers.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2388

# channels. E.g., glibc (aka libc6) is distributed by many, at various

2389

# versions.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

2390

"name": "A String", # Required. Immutable. The name of the package.

2391

"distribution": [ # The various channels by which a package is distributed.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2392

{ # This represents a particular channel of distribution for a given package.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

2393

# E.g., Debian's jessie-backports dpkg mirror.

2394

"latestVersion": { # Version contains structured information about the version of a package. # The latest available version of this package in this distribution channel.

2395

"name": "A String", # Required only when version kind is NORMAL. The main part of the version

2396

# name.

2397

"kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal

2398

# versions.

2399

"epoch": 42, # Used to correct mistakes in the version numbering scheme.

2400

"revision": "A String", # The iteration of the package build from the above version.

2401

},

2402

"description": "A String", # The distribution channel-specific description of this package.

2403

"cpeUri": "A String", # Required. The cpe_uri in [CPE format](https://cpe.mitre.org/specification/)

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2404

# denoting the package manager version distributing a package.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

2405

"url": "A String", # The distribution channel-specific homepage for this package.

2406

"architecture": "A String", # The CPU architecture for which packages in this distribution channel were

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2407

# built.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

2408

"maintainer": "A String", # A freeform string denoting the maintainer of this package.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2409

},

2410

],

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2411

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

2412

"createTime": "A String", # Output only. The time this note was created. This field can be used as a

2413

# filter in list requests.

2414

"updateTime": "A String", # Output only. The time this note was last updated. This field can be used as

2415

# a filter in list requests.

2416

"discovery": { # A note that indicates a type of analysis a provider would perform. This note # A note describing the initial analysis of a resource.

2417

# exists in a provider's project. A `Discovery` occurrence is created in a

2418

# consumer's project at the start of analysis.

2419

"analysisKind": "A String", # Required. Immutable. The kind of analysis that is handled by this

2420

# discovery.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2421

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

2422

"relatedUrl": [ # URLs associated with this note.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2423

{ # Metadata for any related URL information.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

2424

"url": "A String", # Specific URL associated with the resource.

2425

"label": "A String", # Label to describe usage of the URL.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2426

},

2427

],

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

2428

"intoto": { # This contains the fields corresponding to the definition of a software supply # A note describing an in-toto link.

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

2429

# chain step in an in-toto layout. This information goes into a Grafeas note.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

2430

"expectedMaterials": [ # The following fields contain in-toto artifact rules identifying the

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

2431

# artifacts that enter this supply chain step, and exit the supply chain

2432

# step, i.e. materials and products of the step.

2433

{ # Defines an object to declare an in-toto artifact rule

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

2434

"artifactRule": [

2435

"A String",

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

2436

],

2437

},

2438

],

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

2439

"expectedCommand": [ # This field contains the expected command used to perform the step.

2440

"A String",

2441

],

2442

"expectedProducts": [

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

2443

{ # Defines an object to declare an in-toto artifact rule

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

2444

"artifactRule": [

2445

"A String",

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

2446

],

2447

},

2448

],

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

2449

"stepName": "A String", # This field identifies the name of the step in the supply chain.

2450

"signingKeys": [ # This field contains the public keys that can be used to verify the

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

2451

# signatures on the step metadata.

2452

{ # This defines the format used to record keys used in the software supply

2453

# chain. An in-toto link is attested using one or more keys defined in the

2454

# in-toto layout. An example of this is:

2455

# {

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

2456

# "key_id": "776a00e29f3559e0141b3b096f696abc6cfb0c657ab40f441132b345b0...",

2457

# "key_type": "rsa",

2458

# "public_key_value": "-----BEGIN PUBLIC KEY-----\nMIIBojANBgkqhkiG9w0B...",

2459

# "key_scheme": "rsassa-pss-sha256"

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

2460

# }

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

2461

# The format for in-toto's key definition can be found in section 4.2 of the

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

2462

# in-toto specification.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

2463

"keyType": "A String", # This field identifies the specific signing method. Eg: "rsa", "ed25519",

2464

# and "ecdsa".

2465

"keyScheme": "A String", # This field contains the corresponding signature scheme.

2466

# Eg: "rsassa-pss-sha256".

2467

"keyId": "A String", # key_id is an identifier for the signing key.

2468

"publicKeyValue": "A String", # This field contains the actual public key.

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

2469

},

2470

],

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

2471

"threshold": "A String", # This field contains a value that indicates the minimum number of keys that

2472

# need to be used to sign the step's in-toto link.

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

2473

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

2474

"expirationTime": "A String", # Time of expiration for this note. Empty if note does not expire.

2475

"baseImage": { # Basis describes the base image portion (Note) of the DockerImage # A note describing a base image.

2476

# relationship. Linked occurrences are derived from this or an

2477

# equivalent image via:

2478

# FROM <Basis.resource_url>

2479

# Or an equivalent reference, e.g. a tag of the resource_url.

2480

"fingerprint": { # A set of properties that uniquely identify a given Docker image. # Required. Immutable. The fingerprint of the base image.

2481

"v1Name": "A String", # Required. The layer ID of the final layer in the Docker image's v1

2482

# representation.

2483

"v2Name": "A String", # Output only. The name of the image's v2 blobs computed via:

2484

# [bottom] := v2_blobbottom := sha256(v2_blob[N] + " " + v2_name[N+1])

2485

# Only the name of the final blob is kept.

2486

"v2Blob": [ # Required. The ordered list of v2 blobs that represent a given image.

"A String",

],

},

"resourceUrl": "A String", # Required. Immutable. The resource_url for the resource representing the

2491

# basis of associated occurrence images.

2492

},

2493

"kind": "A String", # Output only. The type of analysis. This field can be used as a filter in

2494

# list requests.

2495

"deployable": { # An artifact that can be deployed in some runtime. # A note describing something that can be deployed.

2496

"resourceUri": [ # Required. Resource URI for the artifact being deployed.

"A String",

],

},

"longDescription": "A String", # A detailed description of this note.

2501

"shortDescription": "A String", # A one sentence description of this note.

2502

"attestationAuthority": { # Note kind that represents a logical attestation "role" or "authority". For # A note describing an attestation role.

2503

# example, an organization might have one `Authority` for "QA" and one for

2504

# "build". This note is intended to act strictly as a grouping mechanism for

2505

# the attached occurrences (Attestations). This grouping mechanism also

2506

# provides a security boundary, since IAM ACLs gate the ability for a principle

2507

# to attach an occurrence to a given note. It also provides a single point of

2508

# lookup to find all attached attestation occurrences, even if they don't all

2509

# live in the same project.

2510

"hint": { # This submessage provides human-readable hints about the purpose of the # Hint hints at the purpose of the attestation authority.

2511

# authority. Because the name of a note acts as its resource reference, it is

2512

# important to disambiguate the canonical name of the Note (which might be a

2513

# UUID for security purposes) from "readable" names more suitable for debug

2514

# output. Note that these hints should not be used to look up authorities in

2515

# security sensitive contexts, such as when looking up attestations to

2516

# verify.

2517

"humanReadableName": "A String", # Required. The human readable name of this attestation authority, for

# example "qa".

},

},

"name": "A String", # Output only. The name of the note in the form of

2522

# `projects/[PROVIDER_ID]/notes/[NOTE_ID]`.

2523

"vulnerability": { # Vulnerability provides metadata about a security vulnerability in a Note. # A note describing a package vulnerability.

2524

"sourceUpdateTime": "A String", # The time this information was last changed at the source. This is an

2525

# upstream timestamp from the underlying information source - e.g. Ubuntu

2526

# security tracker.

2527

"windowsDetails": [ # Windows details get their own format because the information format and

2528

# model don't match a normal detail. Specifically Windows updates are done as

2529

# patches, thus Windows vulnerabilities really are a missing package, rather

2530

# than a package being at an incorrect version.

2531

{

2532

"name": "A String", # Required. The name of the vulnerability.

2533

"cpeUri": "A String", # Required. The CPE URI in

2534

# [cpe format](https://cpe.mitre.org/specification/) in which the

2535

# vulnerability manifests. Examples include distro or storage location for

2536

# vulnerable jar.

2537

"description": "A String", # The description of the vulnerability.

2538

"fixingKbs": [ # Required. The names of the KBs which have hotfixes to mitigate this

2539

# vulnerability. Note that there may be multiple hotfixes (and thus

2540

# multiple KBs) that mitigate a given vulnerability. Currently any listed

2541

# kb's presence is considered a fix.

2542

{

2543

"url": "A String", # A link to the KB in the Windows update catalog -

2544

# https://www.catalog.update.microsoft.com/

2545

"name": "A String", # The KB name (generally of the form KB[0-9]+ i.e. KB123456).

},

],

},

],

"severity": "A String", # Note provider assigned impact of the vulnerability.

2551

"details": [ # All information about the package to specifically identify this

2552

# vulnerability. One entry per (version range and cpe_uri) the package

2553

# vulnerability has manifested in.

2554

{ # Identifies all appearances of this vulnerability in the package for a

2555

# specific distro/location. For example: glibc in

2556

# cpe:/o:debian:debian_linux:8 for versions 2.1 - 2.2

2557

"isObsolete": True or False, # Whether this detail is obsolete. Occurrences are expected not to point to

2558

# obsolete details.

2559

"sourceUpdateTime": "A String", # The time this information was last changed at the source. This is an

2560

# upstream timestamp from the underlying information source - e.g. Ubuntu

2561

# security tracker.

2562

"packageType": "A String", # The type of package; whether native or non native(ruby gems, node.js

2563

# packages etc).

2564

"fixedLocation": { # The location of the vulnerability. # The fix for this specific package version.

2565

"package": "A String", # Required. The package being described.

2566

"version": { # Version contains structured information about the version of a package. # Required. The version of the package being described.

2567

"name": "A String", # Required only when version kind is NORMAL. The main part of the version

2568

# name.

2569

"kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal

2570

# versions.

2571

"epoch": 42, # Used to correct mistakes in the version numbering scheme.

2572

"revision": "A String", # The iteration of the package build from the above version.

2573

},

2574

"cpeUri": "A String", # Required. The CPE URI in [cpe format](https://cpe.mitre.org/specification/)

2575

# format. Examples include distro or storage location for vulnerable jar.

2576

},

2577

"cpeUri": "A String", # Required. The CPE URI in

2578

# [cpe format](https://cpe.mitre.org/specification/) in which the

2579

# vulnerability manifests. Examples include distro or storage location for

2580

# vulnerable jar.

2581

"description": "A String", # A vendor-specific description of this note.

2582

"severityName": "A String", # The severity (eg: distro assigned severity) for this vulnerability.

2583

"minAffectedVersion": { # Version contains structured information about the version of a package. # The min version of the package in which the vulnerability exists.

2584

"name": "A String", # Required only when version kind is NORMAL. The main part of the version

2585

# name.

2586

"kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal

2587

# versions.

2588

"epoch": 42, # Used to correct mistakes in the version numbering scheme.

2589

"revision": "A String", # The iteration of the package build from the above version.

2590

},

2591

"maxAffectedVersion": { # Version contains structured information about the version of a package. # The max version of the package in which the vulnerability exists.

2592

"name": "A String", # Required only when version kind is NORMAL. The main part of the version

2593

# name.

2594

"kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal

2595

# versions.

2596

"epoch": 42, # Used to correct mistakes in the version numbering scheme.

2597

"revision": "A String", # The iteration of the package build from the above version.

2598

},

2599

"package": "A String", # Required. The name of the package where the vulnerability was found.

2600

},

2601

],

2602

"cvssScore": 3.14, # The CVSS score for this vulnerability.

2603

"cvssV3": { # Common Vulnerability Scoring System version 3. # The full description of the CVSSv3.

2604

# For details, see https://www.first.org/cvss/specification-document

2605

"scope": "A String",

2606

"integrityImpact": "A String",

2607

"exploitabilityScore": 3.14,

2608

"impactScore": 3.14,

2609

"attackComplexity": "A String",

2610

"availabilityImpact": "A String",

2611

"privilegesRequired": "A String",

2612

"userInteraction": "A String",

2613

"attackVector": "A String", # Base Metrics

2614

# Represents the intrinsic characteristics of a vulnerability that are

2615

# constant over time and across user environments.

2616

"confidentialityImpact": "A String",

2617

"baseScore": 3.14, # The base score is a function of the base metric scores.

2618

},

2619

},

2620

"relatedNoteNames": [ # Other notes related to this note.

2621

"A String",

2622

],

2623

"build": { # Note holding the version of the provider's builder and the signature of the # A note describing build provenance for a verifiable build.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2624

# provenance message in the build details occurrence.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

2625

"builderVersion": "A String", # Required. Immutable. Version of the builder which produced this build.

2626

"signature": { # Message encapsulating the signature of the verified build. # Signature of the build in occurrences pointing to this build note

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2627

# containing build details.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

2628

"keyType": "A String", # The type of the key, either stored in `public_key` or referenced in

2629

# `key_id`.

2630

"signature": "A String", # Required. Signature of the related `BuildProvenance`. In JSON, this is

2631

# base-64 encoded.

2632

"publicKey": "A String", # Public key of the builder which can be used to verify that the related

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2633

# findings are valid and unchanged. If `key_type` is empty, this defaults

2634

# to PEM encoded public keys.

2635

#

2636

# This field may be empty if `key_id` references an external key.

2637

#

2638

# For Cloud Build based signatures, this is a PEM encoded public

2639

# key. To verify the Cloud Build signature, place the contents of

2640

# this field into a file (public.pem). The signature field is base64-decoded

2641

# into its binary representation in signature.bin, and the provenance bytes

2642

# from `BuildDetails` are base64-decoded into a binary representation in

2643

# signed.bin. OpenSSL can then verify the signature:

2644

# `openssl sha256 -verify public.pem -signature signature.bin signed.bin`

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

2645

"keyId": "A String", # An ID for the key used to sign. This could be either an ID for the key

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2646

# stored in `public_key` (such as the ID or fingerprint for a PGP key, or the

2647

# CN for a cert), or a reference to an external key (such as a reference to a

2648

# key in Cloud Key Management Service).

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2649

},

2650

},

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

}</pre>

</div>

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

2655

<code class="details" id="setIamPolicy">setIamPolicy(resource, body=None, x__xgafv=None)</code>

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2656

<pre>Sets the access control policy on the specified note or occurrence.

2657

Requires `containeranalysis.notes.setIamPolicy` or

2658

`containeranalysis.occurrences.setIamPolicy` permission if the resource is

2659

a note or an occurrence, respectively.

2660

2661

The resource takes the format `projects/[PROJECT_ID]/notes/[NOTE_ID]` for

2662

notes and `projects/[PROJECT_ID]/occurrences/[OCCURRENCE_ID]` for

occurrences.

Args:

resource: string, REQUIRED: The resource for which the policy is being specified.

2667

See the operation documentation for the appropriate value for this field. (required)

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

2668

body: object, The request body.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2669

The object takes the form of:

2670

2671

{ # Request message for `SetIamPolicy` method.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

2672

"policy": { # An Identity and Access Management (IAM) policy, which specifies access # REQUIRED: The complete policy to be applied to the `resource`. The size of

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2673

# the policy is limited to a few 10s of KB. An empty policy is a

2674

# valid policy but certain Cloud Platform services (such as Projects)

2675

# might reject them.

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

2676

# controls for Google Cloud resources.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2677

#

2678

#

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

2679

# A `Policy` is a collection of `bindings`. A `binding` binds one or more

2680

# `members` to a single `role`. Members can be user accounts, service accounts,

2681

# Google groups, and domains (such as G Suite). A `role` is a named list of

2682

# permissions; each `role` can be an IAM predefined role or a user-created

2683

# custom role.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2684

#

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

2685

# For some types of Google Cloud resources, a `binding` can also specify a

2686

# `condition`, which is a logical expression that allows access to a resource

2687

# only if the expression evaluates to `true`. A condition can add constraints

2688

# based on attributes of the request, the resource, or both. To learn which

2689

# resources support conditions in their IAM policies, see the

2690

# [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies).

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

2691

#

2692

# **JSON example:**

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2693

#

2694

# {

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

2695

# "bindings": [

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2696

# {

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

2697

# "role": "roles/resourcemanager.organizationAdmin",

2698

# "members": [

2699

# "user:mike@example.com",

2700

# "group:admins@example.com",

2701

# "domain:google.com",

2702

# "serviceAccount:my-project-id@appspot.gserviceaccount.com"

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2703

# ]

2704

# },

2705

# {

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

2706

# "role": "roles/resourcemanager.organizationViewer",

2707

# "members": [

2708

# "user:eve@example.com"

2709

# ],

2710

# "condition": {

2711

# "title": "expirable access",

2712

# "description": "Does not grant access after Sep 2020",

2713

# "expression": "request.time < timestamp('2020-10-01T00:00:00.000Z')",

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

2714

# }

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2715

# }

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

2716

# ],

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

2717

# "etag": "BwWWja0YfJA=",

2718

# "version": 3

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2719

# }

2720

#

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

2721

# **YAML example:**

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

#

# bindings:

# - members:

# - user:mike@example.com

2726

# - group:admins@example.com

2727

# - domain:google.com

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

2728

# - serviceAccount:my-project-id@appspot.gserviceaccount.com

2729

# role: roles/resourcemanager.organizationAdmin

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2730

# - members:

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

2731

# - user:eve@example.com

2732

# role: roles/resourcemanager.organizationViewer

2733

# condition:

2734

# title: expirable access

2735

# description: Does not grant access after Sep 2020

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

2736

# expression: request.time < timestamp('2020-10-01T00:00:00.000Z')

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

2737

# - etag: BwWWja0YfJA=

2738

# - version: 3

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2739

#

2740

# For a description of IAM and its features, see the

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

2741

# [IAM documentation](https://cloud.google.com/iam/docs/).

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

2742

"version": 42, # Specifies the format of the policy.

2743

#

2744

# Valid values are `0`, `1`, and `3`. Requests that specify an invalid value

2745

# are rejected.

2746

#

2747

# Any operation that affects conditional role bindings must specify version

2748

# `3`. This requirement applies to the following operations:

2749

#

2750

# * Getting a policy that includes a conditional role binding

2751

# * Adding a conditional role binding to a policy

2752

# * Changing a conditional role binding in a policy

2753

# * Removing any role binding, with or without a condition, from a policy

2754

# that includes conditions

2755

#

2756

# **Important:** If you use IAM Conditions, you must include the `etag` field

2757

# whenever you call `setIamPolicy`. If you omit this field, then IAM allows

2758

# you to overwrite a version `3` policy with a version `1` policy, and all of

2759

# the conditions in the version `3` policy are lost.

2760

#

2761

# If a policy does not include any conditions, operations on that policy may

2762

# specify any valid version or leave the field unset.

2763

#

2764

# To learn which resources support conditions in their IAM policies, see the

2765

# [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies).

2766

"bindings": [ # Associates a list of `members` to a `role`. Optionally, may specify a

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

2767

# `condition` that determines how and when the `bindings` are applied. Each

2768

# of the `bindings` must contain at least one member.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2769

{ # Associates `members` with a `role`.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

2770

"members": [ # Specifies the identities requesting access for a Cloud Platform resource.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2771

# `members` can have the following values:

2772

#

2773

# * `allUsers`: A special identifier that represents anyone who is

2774

# on the internet; with or without a Google account.

2775

#

2776

# * `allAuthenticatedUsers`: A special identifier that represents anyone

2777

# who is authenticated with a Google account or a service account.

2778

#

2779

# * `user:{emailid}`: An email address that represents a specific Google

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

2780

# account. For example, `alice@example.com` .

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2781

#

2782

#

2783

# * `serviceAccount:{emailid}`: An email address that represents a service

2784

# account. For example, `my-other-app@appspot.gserviceaccount.com`.

2785

#

2786

# * `group:{emailid}`: An email address that represents a Google group.

2787

# For example, `admins@example.com`.

2788

#

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

2789

# * `deleted:user:{emailid}?uid={uniqueid}`: An email address (plus unique

2790

# identifier) representing a user that has been recently deleted. For

2791

# example, `alice@example.com?uid=123456789012345678901`. If the user is

2792

# recovered, this value reverts to `user:{emailid}` and the recovered user

2793

# retains the role in the binding.

2794

#

2795

# * `deleted:serviceAccount:{emailid}?uid={uniqueid}`: An email address (plus

2796

# unique identifier) representing a service account that has been recently

2797

# deleted. For example,

2798

# `my-other-app@appspot.gserviceaccount.com?uid=123456789012345678901`.

2799

# If the service account is undeleted, this value reverts to

2800

# `serviceAccount:{emailid}` and the undeleted service account retains the

2801

# role in the binding.

2802

#

2803

# * `deleted:group:{emailid}?uid={uniqueid}`: An email address (plus unique

2804

# identifier) representing a Google group that has been recently

2805

# deleted. For example, `admins@example.com?uid=123456789012345678901`. If

2806

# the group is recovered, this value reverts to `group:{emailid}` and the

2807

# recovered group retains the role in the binding.

2808

#

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2809

#

2810

# * `domain:{domain}`: The G Suite domain (primary) that represents all the

2811

# users of that domain. For example, `google.com` or `example.com`.

2812

#

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

2813

"A String",

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2814

],

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

2815

"role": "A String", # Role that is assigned to `members`.

2816

# For example, `roles/viewer`, `roles/editor`, or `roles/owner`.

2817

"condition": { # Represents a textual expression in the Common Expression Language (CEL) # The condition that is associated with this binding.

2818

#

2819

# If the condition evaluates to `true`, then this binding applies to the

2820

# current request.

2821

#

2822

# If the condition evaluates to `false`, then this binding does not apply to

2823

# the current request. However, a different role binding might grant the same

2824

# role to one or more of the members in this binding.

2825

#

2826

# To learn which resources support conditions in their IAM policies, see the

2827

# [IAM

2828

# documentation](https://cloud.google.com/iam/help/conditions/resource-policies).

2829

# syntax. CEL is a C-like expression language. The syntax and semantics of CEL

2830

# are documented at https://github.com/google/cel-spec.

2831

#

2832

# Example (Comparison):

2833

#

2834

# title: "Summary size limit"

2835

# description: "Determines if a summary is less than 100 chars"

2836

# expression: "document.summary.size() < 100"

2837

#

2838

# Example (Equality):

2839

#

2840

# title: "Requestor is owner"

2841

# description: "Determines if requestor is the document owner"

2842

# expression: "document.owner == request.auth.claims.email"

#

# Example (Logic):

#

# title: "Public documents"

2847

# description: "Determine whether the document should be publicly visible"

2848

# expression: "document.type != 'private' && document.type != 'internal'"

2849

#

2850

# Example (Data Manipulation):

2851

#

2852

# title: "Notification string"

2853

# description: "Create a notification string with a timestamp."

2854

# expression: "'New message received at ' + string(document.create_time)"

2855

#

2856

# The exact variables and functions that may be referenced within an expression

2857

# are determined by the service that evaluates it. See the service

2858

# documentation for additional information.

2859

"title": "A String", # Optional. Title for the expression, i.e. a short string describing

2860

# its purpose. This can be used e.g. in UIs which allow to enter the

2861

# expression.

2862

"location": "A String", # Optional. String indicating the location of the expression for error

2863

# reporting, e.g. a file name and a position in the file.

2864

"description": "A String", # Optional. Description of the expression. This is a longer text which

2865

# describes the expression, e.g. when hovered over it in a UI.

2866

"expression": "A String", # Textual representation of an expression in Common Expression Language

2867

# syntax.

2868

},

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2869

},

2870

],

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

2871

"etag": "A String", # `etag` is used for optimistic concurrency control as a way to help

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2872

# prevent simultaneous updates of a policy from overwriting each other.

2873

# It is strongly suggested that systems make use of the `etag` in the

2874

# read-modify-write cycle to perform policy updates in order to avoid race

2875

# conditions: An `etag` is returned in the response to `getIamPolicy`, and

2876

# systems are expected to put that etag in the request to `setIamPolicy` to

2877

# ensure that their change will be applied to the same version of the policy.

2878

#

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

2879

# **Important:** If you use IAM Conditions, you must include the `etag` field

2880

# whenever you call `setIamPolicy`. If you omit this field, then IAM allows

2881

# you to overwrite a version `3` policy with a version `1` policy, and all of

2882

# the conditions in the version `3` policy are lost.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2883

},

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2884

}

2885

2886

x__xgafv: string, V1 error format.

Allowed values

1 - v1 error format

2 - v2 error format

Returns:

An object of the form:

2893

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

2894

{ # An Identity and Access Management (IAM) policy, which specifies access

2895

# controls for Google Cloud resources.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2896

#

2897

#

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

2898

# A `Policy` is a collection of `bindings`. A `binding` binds one or more

2899

# `members` to a single `role`. Members can be user accounts, service accounts,

2900

# Google groups, and domains (such as G Suite). A `role` is a named list of

2901

# permissions; each `role` can be an IAM predefined role or a user-created

2902

# custom role.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2903

#

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

2904

# For some types of Google Cloud resources, a `binding` can also specify a

2905

# `condition`, which is a logical expression that allows access to a resource

2906

# only if the expression evaluates to `true`. A condition can add constraints

2907

# based on attributes of the request, the resource, or both. To learn which

2908

# resources support conditions in their IAM policies, see the

2909

# [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies).

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

2910

#

2911

# **JSON example:**

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2912

#

2913

# {

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

2914

# "bindings": [

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2915

# {

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

2916

# "role": "roles/resourcemanager.organizationAdmin",

2917

# "members": [

2918

# "user:mike@example.com",

2919

# "group:admins@example.com",

2920

# "domain:google.com",

2921

# "serviceAccount:my-project-id@appspot.gserviceaccount.com"

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2922

# ]

2923

# },

2924

# {

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

2925

# "role": "roles/resourcemanager.organizationViewer",

2926

# "members": [

2927

# "user:eve@example.com"

2928

# ],

2929

# "condition": {

2930

# "title": "expirable access",

2931

# "description": "Does not grant access after Sep 2020",

2932

# "expression": "request.time < timestamp('2020-10-01T00:00:00.000Z')",

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

2933

# }

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2934

# }

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

2935

# ],

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

2936

# "etag": "BwWWja0YfJA=",

2937

# "version": 3

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2938

# }

2939

#

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

2940

# **YAML example:**

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

#

# bindings:

# - members:

# - user:mike@example.com

2945

# - group:admins@example.com

2946

# - domain:google.com

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

2947

# - serviceAccount:my-project-id@appspot.gserviceaccount.com

2948

# role: roles/resourcemanager.organizationAdmin

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2949

# - members:

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

2950

# - user:eve@example.com

2951

# role: roles/resourcemanager.organizationViewer

2952

# condition:

2953

# title: expirable access

2954

# description: Does not grant access after Sep 2020

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

2955

# expression: request.time < timestamp('2020-10-01T00:00:00.000Z')

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

2956

# - etag: BwWWja0YfJA=

2957

# - version: 3

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2958

#

2959

# For a description of IAM and its features, see the

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

2960

# [IAM documentation](https://cloud.google.com/iam/docs/).

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

2961

"version": 42, # Specifies the format of the policy.

2962

#

2963

# Valid values are `0`, `1`, and `3`. Requests that specify an invalid value

2964

# are rejected.

2965

#

2966

# Any operation that affects conditional role bindings must specify version

2967

# `3`. This requirement applies to the following operations:

2968

#

2969

# * Getting a policy that includes a conditional role binding

2970

# * Adding a conditional role binding to a policy

2971

# * Changing a conditional role binding in a policy

2972

# * Removing any role binding, with or without a condition, from a policy

2973

# that includes conditions

2974

#

2975

# **Important:** If you use IAM Conditions, you must include the `etag` field

2976

# whenever you call `setIamPolicy`. If you omit this field, then IAM allows

2977

# you to overwrite a version `3` policy with a version `1` policy, and all of

2978

# the conditions in the version `3` policy are lost.

2979

#

2980

# If a policy does not include any conditions, operations on that policy may

2981

# specify any valid version or leave the field unset.

2982

#

2983

# To learn which resources support conditions in their IAM policies, see the

2984

# [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies).

2985

"bindings": [ # Associates a list of `members` to a `role`. Optionally, may specify a

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

2986

# `condition` that determines how and when the `bindings` are applied. Each

2987

# of the `bindings` must contain at least one member.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2988

{ # Associates `members` with a `role`.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

2989

"members": [ # Specifies the identities requesting access for a Cloud Platform resource.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2990

# `members` can have the following values:

2991

#

2992

# * `allUsers`: A special identifier that represents anyone who is

2993

# on the internet; with or without a Google account.

2994

#

2995

# * `allAuthenticatedUsers`: A special identifier that represents anyone

2996

# who is authenticated with a Google account or a service account.

2997

#

2998

# * `user:{emailid}`: An email address that represents a specific Google

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

2999

# account. For example, `alice@example.com` .

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

3000

#

3001

#

3002

# * `serviceAccount:{emailid}`: An email address that represents a service

3003

# account. For example, `my-other-app@appspot.gserviceaccount.com`.

3004

#

3005

# * `group:{emailid}`: An email address that represents a Google group.

3006

# For example, `admins@example.com`.

3007

#

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

3008

# * `deleted:user:{emailid}?uid={uniqueid}`: An email address (plus unique

3009

# identifier) representing a user that has been recently deleted. For

3010

# example, `alice@example.com?uid=123456789012345678901`. If the user is

3011

# recovered, this value reverts to `user:{emailid}` and the recovered user

3012

# retains the role in the binding.

3013

#

3014

# * `deleted:serviceAccount:{emailid}?uid={uniqueid}`: An email address (plus

3015

# unique identifier) representing a service account that has been recently

3016

# deleted. For example,

3017

# `my-other-app@appspot.gserviceaccount.com?uid=123456789012345678901`.

3018

# If the service account is undeleted, this value reverts to

3019

# `serviceAccount:{emailid}` and the undeleted service account retains the

3020

# role in the binding.

3021

#

3022

# * `deleted:group:{emailid}?uid={uniqueid}`: An email address (plus unique

3023

# identifier) representing a Google group that has been recently

3024

# deleted. For example, `admins@example.com?uid=123456789012345678901`. If

3025

# the group is recovered, this value reverts to `group:{emailid}` and the

3026

# recovered group retains the role in the binding.

3027

#

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

3028

#

3029

# * `domain:{domain}`: The G Suite domain (primary) that represents all the

3030

# users of that domain. For example, `google.com` or `example.com`.

3031

#

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

3032

"A String",

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

3033

],

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

3034

"role": "A String", # Role that is assigned to `members`.

3035

# For example, `roles/viewer`, `roles/editor`, or `roles/owner`.

3036

"condition": { # Represents a textual expression in the Common Expression Language (CEL) # The condition that is associated with this binding.

3037

#

3038

# If the condition evaluates to `true`, then this binding applies to the

3039

# current request.

3040

#

3041

# If the condition evaluates to `false`, then this binding does not apply to

3042

# the current request. However, a different role binding might grant the same

3043

# role to one or more of the members in this binding.

3044

#

3045

# To learn which resources support conditions in their IAM policies, see the

3046

# [IAM

3047

# documentation](https://cloud.google.com/iam/help/conditions/resource-policies).

3048

# syntax. CEL is a C-like expression language. The syntax and semantics of CEL

3049

# are documented at https://github.com/google/cel-spec.

3050

#

3051

# Example (Comparison):

3052

#

3053

# title: "Summary size limit"

3054

# description: "Determines if a summary is less than 100 chars"

3055

# expression: "document.summary.size() < 100"

3056

#

3057

# Example (Equality):

3058

#

3059

# title: "Requestor is owner"

3060

# description: "Determines if requestor is the document owner"

3061

# expression: "document.owner == request.auth.claims.email"

#

# Example (Logic):

#

# title: "Public documents"

3066

# description: "Determine whether the document should be publicly visible"

3067

# expression: "document.type != 'private' && document.type != 'internal'"

3068

#

3069

# Example (Data Manipulation):

3070

#

3071

# title: "Notification string"

3072

# description: "Create a notification string with a timestamp."

3073

# expression: "'New message received at ' + string(document.create_time)"

3074

#

3075

# The exact variables and functions that may be referenced within an expression

3076

# are determined by the service that evaluates it. See the service

3077

# documentation for additional information.

3078

"title": "A String", # Optional. Title for the expression, i.e. a short string describing

3079

# its purpose. This can be used e.g. in UIs which allow to enter the

3080

# expression.

3081

"location": "A String", # Optional. String indicating the location of the expression for error

3082

# reporting, e.g. a file name and a position in the file.

3083

"description": "A String", # Optional. Description of the expression. This is a longer text which

3084

# describes the expression, e.g. when hovered over it in a UI.

3085

"expression": "A String", # Textual representation of an expression in Common Expression Language

3086

# syntax.

3087

},

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

3088

},

3089

],

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

3090

"etag": "A String", # `etag` is used for optimistic concurrency control as a way to help

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

3091

# prevent simultaneous updates of a policy from overwriting each other.

3092

# It is strongly suggested that systems make use of the `etag` in the

3093

# read-modify-write cycle to perform policy updates in order to avoid race

3094

# conditions: An `etag` is returned in the response to `getIamPolicy`, and

3095

# systems are expected to put that etag in the request to `setIamPolicy` to

3096

# ensure that their change will be applied to the same version of the policy.

3097

#

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

3098

# **Important:** If you use IAM Conditions, you must include the `etag` field

3099

# whenever you call `setIamPolicy`. If you omit this field, then IAM allows

3100

# you to overwrite a version `3` policy with a version `1` policy, and all of

3101

# the conditions in the version `3` policy are lost.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

}</pre>

</div>

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

3106

<code class="details" id="testIamPermissions">testIamPermissions(resource, body=None, x__xgafv=None)</code>

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

3107

<pre>Returns the permissions that a caller has on the specified note or

3108

occurrence. Requires list permission on the project (for example,

3109

`containeranalysis.notes.list`).

3110

3111

The resource takes the format `projects/[PROJECT_ID]/notes/[NOTE_ID]` for

3112

notes and `projects/[PROJECT_ID]/occurrences/[OCCURRENCE_ID]` for

occurrences.

Args:

resource: string, REQUIRED: The resource for which the policy detail is being requested.

3117

See the operation documentation for the appropriate value for this field. (required)

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

3118

body: object, The request body.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

3119

The object takes the form of:

3120

3121

{ # Request message for `TestIamPermissions` method.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

3122

"permissions": [ # The set of permissions to check for the `resource`. Permissions with

3123

# wildcards (such as '*' or 'storage.*') are not allowed. For more

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

3124

# information see

3125

# [IAM Overview](https://cloud.google.com/iam/docs/overview#permissions).

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

3126

"A String",

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

],

}

x__xgafv: string, V1 error format.

Allowed values

1 - v1 error format

2 - v2 error format

Returns:

An object of the form:

3137

3138

{ # Response message for `TestIamPermissions` method.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

3139

"permissions": [ # A subset of `TestPermissionsRequest.permissions` that the caller is

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

3140

# allowed.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

3141

"A String",

Bu Sun Kim