Blame - docs/dyn/containeranalysis_v1beta1.projects.occurrences.html - platform/external/python/google-api-python-client

2020-05-01 07:42:23 -0700

[diff] [blame]

78

<code><a href="#batchCreate">batchCreate(parent, body=None, x__xgafv=None)</a></code></p>

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

79

<p class="firstline">Creates new occurrences in batch.</p>

80

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

81

<code><a href="#create">create(parent, body=None, x__xgafv=None)</a></code></p>

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

82

<p class="firstline">Creates a new occurrence.</p>

83

84

<code><a href="#delete">delete(name, x__xgafv=None)</a></code></p>

85

<p class="firstline">Deletes the specified occurrence. For example, use this method to delete an</p>

86

87

<code><a href="#get">get(name, x__xgafv=None)</a></code></p>

88

<p class="firstline">Gets the specified occurrence.</p>

89

90

<code><a href="#getIamPolicy">getIamPolicy(resource, body=None, x__xgafv=None)</a></code></p>

91

<p class="firstline">Gets the access control policy for a note or an occurrence resource.</p>

92

93

<code><a href="#getNotes">getNotes(name, x__xgafv=None)</a></code></p>

94

<p class="firstline">Gets the note attached to the specified occurrence. Consumer projects can</p>

95

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

96

<code><a href="#getVulnerabilitySummary">getVulnerabilitySummary(parent, filter=None, x__xgafv=None)</a></code></p>

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

97

<p class="firstline">Gets a summary of the number and severity of occurrences.</p>

98

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

99

<code><a href="#list">list(parent, filter=None, pageToken=None, pageSize=None, x__xgafv=None)</a></code></p>

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

100

<p class="firstline">Lists occurrences for the specified project.</p>

101

102

<code><a href="#list_next">list_next(previous_request, previous_response)</a></code></p>

103

<p class="firstline">Retrieves the next page of results.</p>

104

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

105

<code><a href="#patch">patch(name, body=None, updateMask=None, x__xgafv=None)</a></code></p>

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

106

<p class="firstline">Updates the specified occurrence.</p>

107

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

108

<code><a href="#setIamPolicy">setIamPolicy(resource, body=None, x__xgafv=None)</a></code></p>

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

109

<p class="firstline">Sets the access control policy on the specified note or occurrence.</p>

110

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

111

<code><a href="#testIamPermissions">testIamPermissions(resource, body=None, x__xgafv=None)</a></code></p>

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

112

<p class="firstline">Returns the permissions that a caller has on the specified note or</p>

113

<h3>Method Details</h3>

114

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

115

<code class="details" id="batchCreate">batchCreate(parent, body=None, x__xgafv=None)</code>

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

116

<pre>Creates new occurrences in batch.

117

118

Args:

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

119

parent: string, Required. The name of the project in the form of `projects/[PROJECT_ID]`, under which

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

120

the occurrences are to be created. (required)

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

121

body: object, The request body.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

122

The object takes the form of:

123

124

{ # Request to create occurrences in batch.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

125

"occurrences": [ # Required. The occurrences to create. Max allowed length is 1000.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

126

{ # An instance of an analysis type that has been found on a resource.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

127

"updateTime": "A String", # Output only. The time this occurrence was last updated.

128

"remediation": "A String", # A description of actions that can be taken to remedy the note.

129

"intoto": { # This corresponds to a signed in-toto link - it is made up of one or more # Describes a specific in-toto link.

130

# signatures and the in-toto link itself. This is used for occurrences of a

131

# Grafeas in-toto note.

132

"signed": { # This corresponds to an in-toto link.

133

"command": [ # This field contains the full command executed for the step. This can also

134

# be empty if links are generated for operations that aren't directly mapped

135

# to a specific command. Each term in the command is an independent string

136

# in the list. An example of a command in the in-toto metadata field is:

137

# "command": ["git", "clone", "https://github.com/in-toto/demo-project.git"]

138

"A String",

139

],

140

"byproducts": { # Defines an object for the byproducts field in in-toto links. The suggested # ByProducts are data generated as part of a software supply chain step, but

141

# are not the actual result of the step.

142

# fields are "stderr", "stdout", and "return-value".

"customValues": {

"a_key": "A String",

},

},

"environment": { # Defines an object for the environment field in in-toto links. The suggested # This is a field that can be used to capture information about the

148

# environment. It is suggested for this field to contain information that

149

# details environment variables, filesystem information, and the present

150

# working directory. The recommended structure of this field is:

151

# "environment": {

152

# "custom_values": {

153

# "variables": "<ENV>",

154

# "filesystem": "<FS>",

155

# "workdir": "<CWD>",

156

# "<ANY OTHER RELEVANT FIELDS>": "..."

157

# }

158

# }

159

# fields are "variables", "filesystem", and "workdir".

"customValues": {

"a_key": "A String",

},

},

"materials": [ # Materials are the supply chain artifacts that go into the step and are used

165

# for the operation performed. The key of the map is the path of the artifact

166

# and the structure contains the recorded hash information. An example is:

167

# "materials": [

168

# {

169

# "resource_uri": "foo/bar",

170

# "hashes": {

171

# "sha256": "ebebf...",

172

# <OTHER HASH ALGORITHMS>: <HASH VALUE>

# }

# }

# ]

{

"hashes": { # Defines a hash object for use in Materials and Products.

178

"sha256": "A String",

179

},

180

"resourceUri": "A String",

181

},

182

],

183

"products": [ # Products are the supply chain artifacts generated as a result of the step.

184

# The structure is identical to that of materials.

185

{

186

"hashes": { # Defines a hash object for use in Materials and Products.

187

"sha256": "A String",

188

},

189

"resourceUri": "A String",

190

},

191

],

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

192

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

193

"signatures": [

194

{ # A signature object consists of the KeyID used and the signature itself.

195

"sig": "A String",

196

"keyid": "A String",

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

197

},

198

],

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

199

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

200

"derivedImage": { # Details of an image occurrence. # Describes how this resource derives from the basis in the associated

201

# note.

202

"derivedImage": { # Derived describes the derived image portion (Occurrence) of the DockerImage # Required. Immutable. The child image derived from the base image.

203

# relationship. This image would be produced from a Dockerfile with FROM

204

# <DockerImage.Basis in attached Note>.

205

"fingerprint": { # A set of properties that uniquely identify a given Docker image. # Required. The fingerprint of the derived image.

206

"v1Name": "A String", # Required. The layer ID of the final layer in the Docker image's v1

207

# representation.

208

"v2Name": "A String", # Output only. The name of the image's v2 blobs computed via:

209

# [bottom] := v2_blobbottom := sha256(v2_blob[N] + " " + v2_name[N+1])

210

# Only the name of the final blob is kept.

211

"v2Blob": [ # Required. The ordered list of v2 blobs that represent a given image.

212

"A String",

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

213

],

214

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

215

"layerInfo": [ # This contains layer-specific metadata, if populated it has length

216

# "distance" and is ordered with [distance] being the layer immediately

217

# following the base image and [1] being the final layer.

218

{ # Layer holds metadata specific to a layer of a Docker image.

219

"directive": "A String", # Required. The recovered Dockerfile directive used to construct this layer.

220

"arguments": "A String", # The recovered arguments to the Dockerfile directive.

221

},

222

],

223

"distance": 42, # Output only. The number of layers by which this image differs from the

224

# associated image basis.

225

"baseResourceUrl": "A String", # Output only. This contains the base image URL for the derived image

226

# occurrence.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

227

},

228

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

229

"kind": "A String", # Output only. This explicitly denotes which of the occurrence details are

230

# specified. This field can be used as a filter in list requests.

231

"resource": { # An entity that can have metadata. For example, a Docker image. # Required. Immutable. The resource for which the occurrence applies.

232

"name": "A String", # Deprecated, do not use. Use uri instead.

233

#

234

# The name of the resource. For example, the name of a Docker image -

235

# "Debian".

236

"contentHash": { # Container message for hash values. # Deprecated, do not use. Use uri instead.

237

#

238

# The hash of the resource content. For example, the Docker digest.

239

"type": "A String", # Required. The type of hash that was performed.

240

"value": "A String", # Required. The hash value.

241

},

242

"uri": "A String", # Required. The unique URI of the resource. For example,

243

# `https://gcr.io/project/image@sha256:foo` for a Docker image.

244

},

245

"name": "A String", # Output only. The name of the occurrence in the form of

246

# `projects/[PROJECT_ID]/occurrences/[OCCURRENCE_ID]`.

247

"attestation": { # Details of an attestation occurrence. # Describes an attestation of an artifact.

248

"attestation": { # Occurrence that represents a single "attestation". The authenticity of an # Required. Attestation for the resource.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

249

# attestation can be verified using the attached signature. If the verifier

250

# trusts the public key of the signer, then verifying the signature is

251

# sufficient to establish trust. In this circumstance, the authority to which

252

# this attestation is attached is primarily useful for look-up (how to find

253

# this attestation if you already know the authority and artifact to be

254

# verified) and intent (which authority was this attestation intended to sign

255

# for).

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

256

"pgpSignedAttestation": { # An attestation wrapper with a PGP-compatible signature. This message only # A PGP signed attestation.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

257

# supports `ATTACHED` signatures, where the payload that is signed is included

258

# alongside the signature itself in the same file.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

259

"contentType": "A String", # Type (for example schema) of the attestation payload that was signed.

260

# The verifier must ensure that the provided type is one that the verifier

261

# supports, and that the attestation payload is a valid instantiation of that

262

# type (for example by validating a JSON schema).

263

"signature": "A String", # Required. The raw content of the signature, as output by GNU Privacy Guard

264

# (GPG) or equivalent. Since this message only supports attached signatures,

265

# the payload that was signed must be attached. While the signature format

266

# supported is dependent on the verification implementation, currently only

267

# ASCII-armored (`--armor` to gpg), non-clearsigned (`--sign` rather than

268

# `--clearsign` to gpg) are supported. Concretely, `gpg --sign --armor

269

# --output=signature.gpg payload.json` will create the signature content

270

# expected in this field in `signature.gpg` for the `payload.json`

271

# attestation payload.

272

"pgpKeyId": "A String", # The cryptographic fingerprint of the key used to generate the signature,

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

273

# as output by, e.g. `gpg --list-keys`. This should be the version 4, full

274

# 160-bit fingerprint, expressed as a 40 character hexidecimal string. See

275

# https://tools.ietf.org/html/rfc4880#section-12.2 for details.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

276

# Implementations may choose to acknowledge "LONG", "SHORT", or other

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

277

# abbreviated key IDs, but only the full fingerprint is guaranteed to work.

278

# In gpg, the full fingerprint can be retrieved from the `fpr` field

279

# returned when calling --list-keys with --with-colons. For example:

280

# ```

281

# gpg --with-colons --with-fingerprint --force-v4-certs \

282

# --list-keys attester@example.com

283

# tru::1:1513631572:0:3:1:5

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

284

# pub:...<SNIP>...

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

285

# fpr:::::::::24FF6481B76AC91E66A00AC657A93A81EF3AE6FB:

286

# ```

287

# Above, the fingerprint is `24FF6481B76AC91E66A00AC657A93A81EF3AE6FB`.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

288

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

289

"genericSignedAttestation": { # An attestation wrapper that uses the Grafeas `Signature` message.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

290

# This attestation must define the `serialized_payload` that the `signatures`

291

# verify and any metadata necessary to interpret that plaintext. The

292

# signatures should always be over the `serialized_payload` bytestring.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

293

"signatures": [ # One or more signatures over `serialized_payload`. Verifier implementations

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

294

# should consider this attestation message verified if at least one

295

# `signature` verifies `serialized_payload`. See `Signature` in common.proto

296

# for more details on signature structure and verification.

297

{ # Verifiers (e.g. Kritis implementations) MUST verify signatures

298

# with respect to the trust anchors defined in policy (e.g. a Kritis policy).

299

# Typically this means that the verifier has been configured with a map from

300

# `public_key_id` to public key material (and any required parameters, e.g.

301

# signing algorithm).

302

#

303

# In particular, verification implementations MUST NOT treat the signature

304

# `public_key_id` as anything more than a key lookup hint. The `public_key_id`

305

# DOES NOT validate or authenticate a public key; it only provides a mechanism

306

# for quickly selecting a public key ALREADY CONFIGURED on the verifier through

307

# a trusted channel. Verification implementations MUST reject signatures in any

308

# of the following circumstances:

309

# * The `public_key_id` is not recognized by the verifier.

310

# * The public key that `public_key_id` refers to does not verify the

311

# signature with respect to the payload.

312

#

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

313

# The `signature` contents SHOULD NOT be "attached" (where the payload is

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

314

# included with the serialized `signature` bytes). Verifiers MUST ignore any

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

315

# "attached" payload and only verify signatures with respect to explicitly

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

316

# provided payload (e.g. a `payload` field on the proto message that holds

317

# this Signature, or the canonical serialization of the proto message that

318

# holds this signature).

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

319

"publicKeyId": "A String", # The identifier for the public key that verifies this signature.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

320

# * The `public_key_id` is required.

321

# * The `public_key_id` MUST be an RFC3986 conformant URI.

322

# * When possible, the `public_key_id` SHOULD be an immutable reference,

323

# such as a cryptographic digest.

324

#

325

# Examples of valid `public_key_id`s:

326

#

327

# OpenPGP V4 public key fingerprint:

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

328

# * "openpgp4fpr:74FAF3B861BDA0870C7B6DEF607E48D2A663AEEA"

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

329

# See https://www.iana.org/assignments/uri-schemes/prov/openpgp4fpr for more

330

# details on this scheme.

331

#

332

# RFC6920 digest-named SubjectPublicKeyInfo (digest of the DER

333

# serialization):

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

334

# * "ni:///sha-256;cD9o9Cq6LG3jD0iKXqEi_vdjJGecm_iXkbqVoScViaU"

335

# * "nih:///sha-256;703f68f42aba2c6de30f488a5ea122fef76324679c9bf89791ba95a1271589a5"

336

"signature": "A String", # The content of the signature, an opaque bytestring.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

337

# The payload that this signature verifies MUST be unambiguously provided

338

# with the Signature during verification. A wrapper message might provide

339

# the payload explicitly. Alternatively, a message might have a canonical

340

# serialization that can always be unambiguously computed to derive the

341

# payload.

342

},

343

],

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

344

"serializedPayload": "A String", # The serialized payload that is verified by one or more `signatures`.

345

# The encoding and semantic meaning of this payload must match what is set in

346

# `content_type`.

347

"contentType": "A String", # Type (for example schema) of the attestation payload that was signed.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

348

# The verifier must ensure that the provided type is one that the verifier

349

# supports, and that the attestation payload is a valid instantiation of that

350

# type (for example by validating a JSON schema).

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

351

},

352

},

353

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

354

"vulnerability": { # Details of a vulnerability Occurrence. # Describes a security vulnerability.

355

"longDescription": "A String", # Output only. A detailed description of this vulnerability.

356

"shortDescription": "A String", # Output only. A one sentence description of this vulnerability.

357

"effectiveSeverity": "A String", # The distro assigned severity for this vulnerability when it is

358

# available, and note provider assigned severity when distro has not yet

359

# assigned a severity for this vulnerability.

360

"severity": "A String", # Output only. The note provider assigned Severity of the vulnerability.

361

"cvssScore": 3.14, # Output only. The CVSS score of this vulnerability. CVSS score is on a

362

# scale of 0-10 where 0 indicates low severity and 10 indicates high

363

# severity.

364

"relatedUrls": [ # Output only. URLs related to this vulnerability.

365

{ # Metadata for any related URL information.

366

"url": "A String", # Specific URL associated with the resource.

367

"label": "A String", # Label to describe usage of the URL.

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

368

},

369

],

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

370

"type": "A String", # The type of package; whether native or non native(ruby gems, node.js

371

# packages etc)

372

"packageIssue": [ # Required. The set of affected locations and their fixes (if available)

373

# within the associated resource.

374

{ # This message wraps a location affected by a vulnerability and its

375

# associated fix (if one is available).

376

"fixedLocation": { # The location of the vulnerability. # The location of the available fix for vulnerability.

377

"package": "A String", # Required. The package being described.

378

"version": { # Version contains structured information about the version of a package. # Required. The version of the package being described.

379

"name": "A String", # Required only when version kind is NORMAL. The main part of the version

380

# name.

381

"kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal

382

# versions.

383

"epoch": 42, # Used to correct mistakes in the version numbering scheme.

384

"revision": "A String", # The iteration of the package build from the above version.

385

},

386

"cpeUri": "A String", # Required. The CPE URI in [cpe format](https://cpe.mitre.org/specification/)

387

# format. Examples include distro or storage location for vulnerable jar.

388

},

389

"severityName": "A String", # Deprecated, use Details.effective_severity instead

390

# The severity (e.g., distro assigned severity) for this vulnerability.

391

"affectedLocation": { # The location of the vulnerability. # Required. The location of the vulnerability.

392

"package": "A String", # Required. The package being described.

393

"version": { # Version contains structured information about the version of a package. # Required. The version of the package being described.

394

"name": "A String", # Required only when version kind is NORMAL. The main part of the version

395

# name.

396

"kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal

397

# versions.

398

"epoch": 42, # Used to correct mistakes in the version numbering scheme.

399

"revision": "A String", # The iteration of the package build from the above version.

400

},

401

"cpeUri": "A String", # Required. The CPE URI in [cpe format](https://cpe.mitre.org/specification/)

402

# format. Examples include distro or storage location for vulnerable jar.

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

403

},

404

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

405

],

406

},

407

"installation": { # Details of a package occurrence. # Describes the installation of a package on the linked resource.

408

"installation": { # This represents how a particular software package may be installed on a # Required. Where the package was installed.

409

# system.

410

"location": [ # Required. All of the places within the filesystem versions of this package

411

# have been found.

412

{ # An occurrence of a particular package installation found within a system's

413

# filesystem. E.g., glibc was found in `/var/lib/dpkg/status`.

414

"version": { # Version contains structured information about the version of a package. # The version installed at this location.

415

"name": "A String", # Required only when version kind is NORMAL. The main part of the version

416

# name.

417

"kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal

418

# versions.

419

"epoch": 42, # Used to correct mistakes in the version numbering scheme.

420

"revision": "A String", # The iteration of the package build from the above version.

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

421

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

422

"path": "A String", # The path from which we gathered that this package/version is installed.

423

"cpeUri": "A String", # Required. The CPE URI in [CPE format](https://cpe.mitre.org/specification/)

424

# denoting the package manager version distributing a package.

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

425

},

426

],

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

427

"name": "A String", # Output only. The name of the installed package.

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

428

},

429

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

430

"build": { # Details of a build occurrence. # Describes a verifiable build.

431

"provenanceBytes": "A String", # Serialized JSON representation of the provenance, used in generating the

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

432

# build signature in the corresponding build note. After verifying the

433

# signature, `provenance_bytes` can be unmarshalled and compared to the

434

# provenance to confirm that it is unchanged. A base64-encoded string

435

# representation of the provenance bytes is used for the signature in order

436

# to interoperate with openssl which expects this format for signature

437

# verification.

438

#

439

# The serialized form is captured both to avoid ambiguity in how the

440

# provenance is marshalled to json as well to prevent incompatibilities with

441

# future changes.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

442

"provenance": { # Provenance of a build. Contains all information needed to verify the full # Required. The actual provenance for the build.

443

# details about the build from source to completion.

444

"logsUri": "A String", # URI where any logs for this provenance were written.

445

"creator": "A String", # E-mail address of the user who initiated this build. Note that this was the

446

# user's e-mail address at the time the build was initiated; this address may

447

# not represent the same end-user for all time.

448

"builderVersion": "A String", # Version string of the builder at the time this build was executed.

449

"commands": [ # Commands requested by the build.

450

{ # Command describes a step performed as part of the build pipeline.

451

"name": "A String", # Required. Name of the command, as presented on the command line, or if the

452

# command is packaged as a Docker container, as presented to `docker pull`.

453

"id": "A String", # Optional unique identifier for this command, used in wait_for to reference

454

# this command as a dependency.

455

"dir": "A String", # Working directory (relative to project source root) used when running this

456

# command.

457

"waitFor": [ # The ID(s) of the command(s) that this command depends on.

458

"A String",

459

],

460

"env": [ # Environment variables set before running this command.

461

"A String",

462

],

463

"args": [ # Command-line arguments used when executing this command.

464

"A String",

465

],

466

},

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

467

],

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

468

"builtArtifacts": [ # Output of the build.

469

{ # Artifact describes a build product.

470

"id": "A String", # Artifact ID, if any; for container images, this will be a URL by digest

471

# like `gcr.io/projectID/imagename@sha256:123456`.

472

"names": [ # Related artifact names. This may be the path to a binary or jar file, or in

473

# the case of a container build, the name used to push the container image to

474

# Google Container Registry, as presented to `docker push`. Note that a

475

# single Artifact ID can have multiple names, for example if two tags are

476

# applied to one image.

477

"A String",

478

],

479

"checksum": "A String", # Hash or checksum value of a binary, or Docker Registry 2.0 digest of a

# container.

},

],

"id": "A String", # Required. Unique identifier of the build.

484

"buildOptions": { # Special options applied to this build. This is a catch-all field where

485

# build providers can enter any desired additional details.

486

"a_key": "A String",

487

},

488

"endTime": "A String", # Time at which execution of the build was finished.

489

"startTime": "A String", # Time at which execution of the build was started.

490

"triggerId": "A String", # Trigger identifier if the build was triggered automatically; empty if not.

491

"sourceProvenance": { # Source describes the location of the source used for the build. # Details of the Source input to the build.

492

"artifactStorageSourceUri": "A String", # If provided, the input binary artifacts for the build came from this

493

# location.

494

"additionalContexts": [ # If provided, some of the source code used for the build may be found in

495

# these locations, in the case where the source repository had multiple

496

# remotes or submodules. This list will not include the context specified in

497

# the context field.

498

{ # A SourceContext is a reference to a tree of files. A SourceContext together

499

# with a path point to a unique revision of a single file or directory.

500

"cloudRepo": { # A CloudRepoSourceContext denotes a particular revision in a Google Cloud # A SourceContext referring to a revision in a Google Cloud Source Repo.

501

# Source Repo.

502

"revisionId": "A String", # A revision ID.

503

"repoId": { # A unique identifier for a Cloud Repo. # The ID of the repo.

504

"uid": "A String", # A server-assigned, globally unique identifier.

505

"projectRepoId": { # Selects a repo using a Google Cloud Platform project ID (e.g., # A combination of a project ID and a repo name.

506

# winged-cargo-31) and a repo name within that project.

507

"projectId": "A String", # The ID of the project.

508

"repoName": "A String", # The name of the repo. Leave empty for the default repo.

509

},

510

},

511

"aliasContext": { # An alias to a repo revision. # An alias, which may be a branch or tag.

512

"name": "A String", # The alias name.

513

"kind": "A String", # The alias kind.

514

},

515

},

516

"labels": { # Labels with user defined metadata.

517

"a_key": "A String",

518

},

519

"git": { # A GitSourceContext denotes a particular revision in a third party Git # A SourceContext referring to any third party Git repo (e.g., GitHub).

520

# repository (e.g., GitHub).

521

"revisionId": "A String", # Git commit hash.

522

"url": "A String", # Git repository URL.

523

},

524

"gerrit": { # A SourceContext referring to a Gerrit project. # A SourceContext referring to a Gerrit project.

525

"gerritProject": "A String", # The full project name within the host. Projects may be nested, so

526

# "project/subproject" is a valid project name. The "repo name" is the

527

# hostURI/project.

528

"aliasContext": { # An alias to a repo revision. # An alias, which may be a branch or tag.

529

"name": "A String", # The alias name.

530

"kind": "A String", # The alias kind.

531

},

532

"hostUri": "A String", # The URI of a running Gerrit instance.

533

"revisionId": "A String", # A revision (commit) ID.

},

},

],

"fileHashes": { # Hash(es) of the build source, which can be used to verify that the original

538

# source integrity was maintained in the build.

539

#

540

# The keys to this map are file paths used as build source and the values

541

# contain the hash values for those files.

542

#

543

# If the build source came in a single package such as a gzipped tarfile

544

# (.tar.gz), the FileHash will be for the single path to that file.

545

"a_key": { # Container message for hashes of byte content of files, used in source

546

# messages to verify integrity of source input to the build.

547

"fileHash": [ # Required. Collection of file hashes.

548

{ # Container message for hash values.

549

"type": "A String", # Required. The type of hash that was performed.

550

"value": "A String", # Required. The hash value.

551

},

552

],

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

553

},

554

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

555

"context": { # A SourceContext is a reference to a tree of files. A SourceContext together # If provided, the source code used for the build came from this location.

556

# with a path point to a unique revision of a single file or directory.

557

"cloudRepo": { # A CloudRepoSourceContext denotes a particular revision in a Google Cloud # A SourceContext referring to a revision in a Google Cloud Source Repo.

558

# Source Repo.

559

"revisionId": "A String", # A revision ID.

560

"repoId": { # A unique identifier for a Cloud Repo. # The ID of the repo.

561

"uid": "A String", # A server-assigned, globally unique identifier.

562

"projectRepoId": { # Selects a repo using a Google Cloud Platform project ID (e.g., # A combination of a project ID and a repo name.

563

# winged-cargo-31) and a repo name within that project.

564

"projectId": "A String", # The ID of the project.

565

"repoName": "A String", # The name of the repo. Leave empty for the default repo.

566

},

567

},

568

"aliasContext": { # An alias to a repo revision. # An alias, which may be a branch or tag.

569

"name": "A String", # The alias name.

570

"kind": "A String", # The alias kind.

571

},

572

},

573

"labels": { # Labels with user defined metadata.

574

"a_key": "A String",

575

},

576

"git": { # A GitSourceContext denotes a particular revision in a third party Git # A SourceContext referring to any third party Git repo (e.g., GitHub).

577

# repository (e.g., GitHub).

578

"revisionId": "A String", # Git commit hash.

579

"url": "A String", # Git repository URL.

580

},

581

"gerrit": { # A SourceContext referring to a Gerrit project. # A SourceContext referring to a Gerrit project.

582

"gerritProject": "A String", # The full project name within the host. Projects may be nested, so

583

# "project/subproject" is a valid project name. The "repo name" is the

584

# hostURI/project.

585

"aliasContext": { # An alias to a repo revision. # An alias, which may be a branch or tag.

586

"name": "A String", # The alias name.

587

"kind": "A String", # The alias kind.

588

},

589

"hostUri": "A String", # The URI of a running Gerrit instance.

590

"revisionId": "A String", # A revision (commit) ID.

591

},

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

592

},

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

593

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

594

"createTime": "A String", # Time at which the build was created.

595

"projectId": "A String", # ID of the project.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

596

},

597

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

598

"discovered": { # Details of a discovery occurrence. # Describes when a resource was discovered.

599

"discovered": { # Provides information about the analysis status of a discovered resource. # Required. Analysis status for the discovered resource.

600

"analysisStatusError": { # The `Status` type defines a logical error model that is suitable for # When an error is encountered this will contain a LocalizedMessage under

601

# details to show to the user. The LocalizedMessage is output only and

602

# populated by the API.

603

# different programming environments, including REST APIs and RPC APIs. It is

604

# used by [gRPC](https://github.com/grpc). Each `Status` message contains

605

# three pieces of data: error code, error message, and error details.

606

#

607

# You can find out more about this error model and how to work with it in the

608

# [API Design Guide](https://cloud.google.com/apis/design/errors).

609

"code": 42, # The status code, which should be an enum value of google.rpc.Code.

610

"message": "A String", # A developer-facing error message, which should be in English. Any

611

# user-facing error message should be localized and sent in the

612

# google.rpc.Status.details field, or localized by the client.

613

"details": [ # A list of messages that carry the error details. There is a common set of

614

# message types for APIs to use.

615

{

616

"a_key": "", # Properties of the object. Contains field @type with type URL.

},

],

},

"analysisStatus": "A String", # The status of discovery for the resource.

621

"continuousAnalysis": "A String", # Whether the resource is continuously analyzed.

622

"lastAnalysisTime": "A String", # The last time continuous analysis was done for this resource.

623

# Deprecated, do not use.

624

},

625

},

626

"noteName": "A String", # Required. Immutable. The analysis note associated with this occurrence, in

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

627

# the form of `projects/[PROVIDER_ID]/notes/[NOTE_ID]`. This field can be

628

# used as a filter in list requests.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

629

"deployment": { # Details of a deployment occurrence. # Describes the deployment of an artifact on a runtime.

630

"deployment": { # The period during which some deployable was active in a runtime. # Required. Deployment history for the resource.

631

"undeployTime": "A String", # End of the lifetime of this deployment.

632

"platform": "A String", # Platform hosting this deployment.

633

"deployTime": "A String", # Required. Beginning of the lifetime of this deployment.

634

"address": "A String", # Address of the runtime element hosting this deployment.

635

"resourceUri": [ # Output only. Resource URI for the artifact being deployed taken from

636

# the deployable field with the same name.

637

"A String",

638

],

639

"userEmail": "A String", # Identity of the user that triggered this deployment.

640

"config": "A String", # Configuration used to create this deployment.

641

},

642

},

643

"createTime": "A String", # Output only. The time this occurrence was created.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

},

],

}

x__xgafv: string, V1 error format.

Allowed values

1 - v1 error format

2 - v2 error format

Returns:

An object of the form:

655

656

{ # Response for creating occurrences in batch.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

657

"occurrences": [ # The occurrences that were created.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

658

{ # An instance of an analysis type that has been found on a resource.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

659

"updateTime": "A String", # Output only. The time this occurrence was last updated.

660

"remediation": "A String", # A description of actions that can be taken to remedy the note.

661

"intoto": { # This corresponds to a signed in-toto link - it is made up of one or more # Describes a specific in-toto link.

662

# signatures and the in-toto link itself. This is used for occurrences of a

663

# Grafeas in-toto note.

664

"signed": { # This corresponds to an in-toto link.

665

"command": [ # This field contains the full command executed for the step. This can also

666

# be empty if links are generated for operations that aren't directly mapped

667

# to a specific command. Each term in the command is an independent string

668

# in the list. An example of a command in the in-toto metadata field is:

669

# "command": ["git", "clone", "https://github.com/in-toto/demo-project.git"]

670

"A String",

671

],

672

"byproducts": { # Defines an object for the byproducts field in in-toto links. The suggested # ByProducts are data generated as part of a software supply chain step, but

673

# are not the actual result of the step.

674

# fields are "stderr", "stdout", and "return-value".

"customValues": {

"a_key": "A String",

},

},

"environment": { # Defines an object for the environment field in in-toto links. The suggested # This is a field that can be used to capture information about the

680

# environment. It is suggested for this field to contain information that

681

# details environment variables, filesystem information, and the present

682

# working directory. The recommended structure of this field is:

683

# "environment": {

684

# "custom_values": {

685

# "variables": "<ENV>",

686

# "filesystem": "<FS>",

687

# "workdir": "<CWD>",

688

# "<ANY OTHER RELEVANT FIELDS>": "..."

689

# }

690

# }

691

# fields are "variables", "filesystem", and "workdir".

"customValues": {

"a_key": "A String",

},

},

"materials": [ # Materials are the supply chain artifacts that go into the step and are used

697

# for the operation performed. The key of the map is the path of the artifact

698

# and the structure contains the recorded hash information. An example is:

699

# "materials": [

700

# {

701

# "resource_uri": "foo/bar",

702

# "hashes": {

703

# "sha256": "ebebf...",

704

# <OTHER HASH ALGORITHMS>: <HASH VALUE>

# }

# }

# ]

{

"hashes": { # Defines a hash object for use in Materials and Products.

710

"sha256": "A String",

711

},

712

"resourceUri": "A String",

713

},

714

],

715

"products": [ # Products are the supply chain artifacts generated as a result of the step.

716

# The structure is identical to that of materials.

717

{

718

"hashes": { # Defines a hash object for use in Materials and Products.

719

"sha256": "A String",

720

},

721

"resourceUri": "A String",

722

},

723

],

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

724

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

725

"signatures": [

726

{ # A signature object consists of the KeyID used and the signature itself.

727

"sig": "A String",

728

"keyid": "A String",

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

729

},

730

],

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

731

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

732

"derivedImage": { # Details of an image occurrence. # Describes how this resource derives from the basis in the associated

733

# note.

734

"derivedImage": { # Derived describes the derived image portion (Occurrence) of the DockerImage # Required. Immutable. The child image derived from the base image.

735

# relationship. This image would be produced from a Dockerfile with FROM

736

# <DockerImage.Basis in attached Note>.

737

"fingerprint": { # A set of properties that uniquely identify a given Docker image. # Required. The fingerprint of the derived image.

738

"v1Name": "A String", # Required. The layer ID of the final layer in the Docker image's v1

739

# representation.

740

"v2Name": "A String", # Output only. The name of the image's v2 blobs computed via:

741

# [bottom] := v2_blobbottom := sha256(v2_blob[N] + " " + v2_name[N+1])

742

# Only the name of the final blob is kept.

743

"v2Blob": [ # Required. The ordered list of v2 blobs that represent a given image.

744

"A String",

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

745

],

746

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

747

"layerInfo": [ # This contains layer-specific metadata, if populated it has length

748

# "distance" and is ordered with [distance] being the layer immediately

749

# following the base image and [1] being the final layer.

750

{ # Layer holds metadata specific to a layer of a Docker image.

751

"directive": "A String", # Required. The recovered Dockerfile directive used to construct this layer.

752

"arguments": "A String", # The recovered arguments to the Dockerfile directive.

753

},

754

],

755

"distance": 42, # Output only. The number of layers by which this image differs from the

756

# associated image basis.

757

"baseResourceUrl": "A String", # Output only. This contains the base image URL for the derived image

758

# occurrence.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

759

},

760

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

761

"kind": "A String", # Output only. This explicitly denotes which of the occurrence details are

762

# specified. This field can be used as a filter in list requests.

763

"resource": { # An entity that can have metadata. For example, a Docker image. # Required. Immutable. The resource for which the occurrence applies.

764

"name": "A String", # Deprecated, do not use. Use uri instead.

765

#

766

# The name of the resource. For example, the name of a Docker image -

767

# "Debian".

768

"contentHash": { # Container message for hash values. # Deprecated, do not use. Use uri instead.

769

#

770

# The hash of the resource content. For example, the Docker digest.

771

"type": "A String", # Required. The type of hash that was performed.

772

"value": "A String", # Required. The hash value.

773

},

774

"uri": "A String", # Required. The unique URI of the resource. For example,

775

# `https://gcr.io/project/image@sha256:foo` for a Docker image.

776

},

777

"name": "A String", # Output only. The name of the occurrence in the form of

778

# `projects/[PROJECT_ID]/occurrences/[OCCURRENCE_ID]`.

779

"attestation": { # Details of an attestation occurrence. # Describes an attestation of an artifact.

780

"attestation": { # Occurrence that represents a single "attestation". The authenticity of an # Required. Attestation for the resource.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

781

# attestation can be verified using the attached signature. If the verifier

782

# trusts the public key of the signer, then verifying the signature is

783

# sufficient to establish trust. In this circumstance, the authority to which

784

# this attestation is attached is primarily useful for look-up (how to find

785

# this attestation if you already know the authority and artifact to be

786

# verified) and intent (which authority was this attestation intended to sign

787

# for).

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

788

"pgpSignedAttestation": { # An attestation wrapper with a PGP-compatible signature. This message only # A PGP signed attestation.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

789

# supports `ATTACHED` signatures, where the payload that is signed is included

790

# alongside the signature itself in the same file.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

791

"contentType": "A String", # Type (for example schema) of the attestation payload that was signed.

792

# The verifier must ensure that the provided type is one that the verifier

793

# supports, and that the attestation payload is a valid instantiation of that

794

# type (for example by validating a JSON schema).

795

"signature": "A String", # Required. The raw content of the signature, as output by GNU Privacy Guard

796

# (GPG) or equivalent. Since this message only supports attached signatures,

797

# the payload that was signed must be attached. While the signature format

798

# supported is dependent on the verification implementation, currently only

799

# ASCII-armored (`--armor` to gpg), non-clearsigned (`--sign` rather than

800

# `--clearsign` to gpg) are supported. Concretely, `gpg --sign --armor

801

# --output=signature.gpg payload.json` will create the signature content

802

# expected in this field in `signature.gpg` for the `payload.json`

803

# attestation payload.

804

"pgpKeyId": "A String", # The cryptographic fingerprint of the key used to generate the signature,

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

805

# as output by, e.g. `gpg --list-keys`. This should be the version 4, full

806

# 160-bit fingerprint, expressed as a 40 character hexidecimal string. See

807

# https://tools.ietf.org/html/rfc4880#section-12.2 for details.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

808

# Implementations may choose to acknowledge "LONG", "SHORT", or other

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

809

# abbreviated key IDs, but only the full fingerprint is guaranteed to work.

810

# In gpg, the full fingerprint can be retrieved from the `fpr` field

811

# returned when calling --list-keys with --with-colons. For example:

812

# ```

813

# gpg --with-colons --with-fingerprint --force-v4-certs \

814

# --list-keys attester@example.com

815

# tru::1:1513631572:0:3:1:5

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

816

# pub:...<SNIP>...

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

817

# fpr:::::::::24FF6481B76AC91E66A00AC657A93A81EF3AE6FB:

818

# ```

819

# Above, the fingerprint is `24FF6481B76AC91E66A00AC657A93A81EF3AE6FB`.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

820

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

821

"genericSignedAttestation": { # An attestation wrapper that uses the Grafeas `Signature` message.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

822

# This attestation must define the `serialized_payload` that the `signatures`

823

# verify and any metadata necessary to interpret that plaintext. The

824

# signatures should always be over the `serialized_payload` bytestring.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

825

"signatures": [ # One or more signatures over `serialized_payload`. Verifier implementations

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

826

# should consider this attestation message verified if at least one

827

# `signature` verifies `serialized_payload`. See `Signature` in common.proto

828

# for more details on signature structure and verification.

829

{ # Verifiers (e.g. Kritis implementations) MUST verify signatures

830

# with respect to the trust anchors defined in policy (e.g. a Kritis policy).

831

# Typically this means that the verifier has been configured with a map from

832

# `public_key_id` to public key material (and any required parameters, e.g.

833

# signing algorithm).

834

#

835

# In particular, verification implementations MUST NOT treat the signature

836

# `public_key_id` as anything more than a key lookup hint. The `public_key_id`

837

# DOES NOT validate or authenticate a public key; it only provides a mechanism

838

# for quickly selecting a public key ALREADY CONFIGURED on the verifier through

839

# a trusted channel. Verification implementations MUST reject signatures in any

840

# of the following circumstances:

841

# * The `public_key_id` is not recognized by the verifier.

842

# * The public key that `public_key_id` refers to does not verify the

843

# signature with respect to the payload.

844

#

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

845

# The `signature` contents SHOULD NOT be "attached" (where the payload is

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

846

# included with the serialized `signature` bytes). Verifiers MUST ignore any

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

847

# "attached" payload and only verify signatures with respect to explicitly

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

848

# provided payload (e.g. a `payload` field on the proto message that holds

849

# this Signature, or the canonical serialization of the proto message that

850

# holds this signature).

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

851

"publicKeyId": "A String", # The identifier for the public key that verifies this signature.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

852

# * The `public_key_id` is required.

853

# * The `public_key_id` MUST be an RFC3986 conformant URI.

854

# * When possible, the `public_key_id` SHOULD be an immutable reference,

855

# such as a cryptographic digest.

856

#

857

# Examples of valid `public_key_id`s:

858

#

859

# OpenPGP V4 public key fingerprint:

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

860

# * "openpgp4fpr:74FAF3B861BDA0870C7B6DEF607E48D2A663AEEA"

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

861

# See https://www.iana.org/assignments/uri-schemes/prov/openpgp4fpr for more

862

# details on this scheme.

863

#

864

# RFC6920 digest-named SubjectPublicKeyInfo (digest of the DER

865

# serialization):

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

866

# * "ni:///sha-256;cD9o9Cq6LG3jD0iKXqEi_vdjJGecm_iXkbqVoScViaU"

867

# * "nih:///sha-256;703f68f42aba2c6de30f488a5ea122fef76324679c9bf89791ba95a1271589a5"

868

"signature": "A String", # The content of the signature, an opaque bytestring.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

869

# The payload that this signature verifies MUST be unambiguously provided

870

# with the Signature during verification. A wrapper message might provide

871

# the payload explicitly. Alternatively, a message might have a canonical

872

# serialization that can always be unambiguously computed to derive the

873

# payload.

874

},

875

],

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

876

"serializedPayload": "A String", # The serialized payload that is verified by one or more `signatures`.

877

# The encoding and semantic meaning of this payload must match what is set in

878

# `content_type`.

879

"contentType": "A String", # Type (for example schema) of the attestation payload that was signed.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

880

# The verifier must ensure that the provided type is one that the verifier

881

# supports, and that the attestation payload is a valid instantiation of that

882

# type (for example by validating a JSON schema).

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

883

},

884

},

885

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

886

"vulnerability": { # Details of a vulnerability Occurrence. # Describes a security vulnerability.

887

"longDescription": "A String", # Output only. A detailed description of this vulnerability.

888

"shortDescription": "A String", # Output only. A one sentence description of this vulnerability.

889

"effectiveSeverity": "A String", # The distro assigned severity for this vulnerability when it is

890

# available, and note provider assigned severity when distro has not yet

891

# assigned a severity for this vulnerability.

892

"severity": "A String", # Output only. The note provider assigned Severity of the vulnerability.

893

"cvssScore": 3.14, # Output only. The CVSS score of this vulnerability. CVSS score is on a

894

# scale of 0-10 where 0 indicates low severity and 10 indicates high

895

# severity.

896

"relatedUrls": [ # Output only. URLs related to this vulnerability.

897

{ # Metadata for any related URL information.

898

"url": "A String", # Specific URL associated with the resource.

899

"label": "A String", # Label to describe usage of the URL.

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

900

},

901

],

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

902

"type": "A String", # The type of package; whether native or non native(ruby gems, node.js

903

# packages etc)

904

"packageIssue": [ # Required. The set of affected locations and their fixes (if available)

905

# within the associated resource.

906

{ # This message wraps a location affected by a vulnerability and its

907

# associated fix (if one is available).

908

"fixedLocation": { # The location of the vulnerability. # The location of the available fix for vulnerability.

909

"package": "A String", # Required. The package being described.

910

"version": { # Version contains structured information about the version of a package. # Required. The version of the package being described.

911

"name": "A String", # Required only when version kind is NORMAL. The main part of the version

912

# name.

913

"kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal

914

# versions.

915

"epoch": 42, # Used to correct mistakes in the version numbering scheme.

916

"revision": "A String", # The iteration of the package build from the above version.

917

},

918

"cpeUri": "A String", # Required. The CPE URI in [cpe format](https://cpe.mitre.org/specification/)

919

# format. Examples include distro or storage location for vulnerable jar.

920

},

921

"severityName": "A String", # Deprecated, use Details.effective_severity instead

922

# The severity (e.g., distro assigned severity) for this vulnerability.

923

"affectedLocation": { # The location of the vulnerability. # Required. The location of the vulnerability.

924

"package": "A String", # Required. The package being described.

925

"version": { # Version contains structured information about the version of a package. # Required. The version of the package being described.

926

"name": "A String", # Required only when version kind is NORMAL. The main part of the version

927

# name.

928

"kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal

929

# versions.

930

"epoch": 42, # Used to correct mistakes in the version numbering scheme.

931

"revision": "A String", # The iteration of the package build from the above version.

932

},

933

"cpeUri": "A String", # Required. The CPE URI in [cpe format](https://cpe.mitre.org/specification/)

934

# format. Examples include distro or storage location for vulnerable jar.

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

935

},

936

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

937

],

938

},

939

"installation": { # Details of a package occurrence. # Describes the installation of a package on the linked resource.

940

"installation": { # This represents how a particular software package may be installed on a # Required. Where the package was installed.

941

# system.

942

"location": [ # Required. All of the places within the filesystem versions of this package

943

# have been found.

944

{ # An occurrence of a particular package installation found within a system's

945

# filesystem. E.g., glibc was found in `/var/lib/dpkg/status`.

946

"version": { # Version contains structured information about the version of a package. # The version installed at this location.

947

"name": "A String", # Required only when version kind is NORMAL. The main part of the version

948

# name.

949

"kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal

950

# versions.

951

"epoch": 42, # Used to correct mistakes in the version numbering scheme.

952

"revision": "A String", # The iteration of the package build from the above version.

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

953

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

954

"path": "A String", # The path from which we gathered that this package/version is installed.

955

"cpeUri": "A String", # Required. The CPE URI in [CPE format](https://cpe.mitre.org/specification/)

956

# denoting the package manager version distributing a package.

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

957

},

958

],

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

959

"name": "A String", # Output only. The name of the installed package.

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

960

},

961

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

962

"build": { # Details of a build occurrence. # Describes a verifiable build.

963

"provenanceBytes": "A String", # Serialized JSON representation of the provenance, used in generating the

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

964

# build signature in the corresponding build note. After verifying the

965

# signature, `provenance_bytes` can be unmarshalled and compared to the

966

# provenance to confirm that it is unchanged. A base64-encoded string

967

# representation of the provenance bytes is used for the signature in order

968

# to interoperate with openssl which expects this format for signature

969

# verification.

970

#

971

# The serialized form is captured both to avoid ambiguity in how the

972

# provenance is marshalled to json as well to prevent incompatibilities with

973

# future changes.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

974

"provenance": { # Provenance of a build. Contains all information needed to verify the full # Required. The actual provenance for the build.

975

# details about the build from source to completion.

976

"logsUri": "A String", # URI where any logs for this provenance were written.

977

"creator": "A String", # E-mail address of the user who initiated this build. Note that this was the

978

# user's e-mail address at the time the build was initiated; this address may

979

# not represent the same end-user for all time.

980

"builderVersion": "A String", # Version string of the builder at the time this build was executed.

981

"commands": [ # Commands requested by the build.

982

{ # Command describes a step performed as part of the build pipeline.

983

"name": "A String", # Required. Name of the command, as presented on the command line, or if the

984

# command is packaged as a Docker container, as presented to `docker pull`.

985

"id": "A String", # Optional unique identifier for this command, used in wait_for to reference

986

# this command as a dependency.

987

"dir": "A String", # Working directory (relative to project source root) used when running this

988

# command.

989

"waitFor": [ # The ID(s) of the command(s) that this command depends on.

990

"A String",

991

],

992

"env": [ # Environment variables set before running this command.

993

"A String",

994

],

995

"args": [ # Command-line arguments used when executing this command.

996

"A String",

997

],

998

},

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

999

],

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

1000

"builtArtifacts": [ # Output of the build.

1001

{ # Artifact describes a build product.

1002

"id": "A String", # Artifact ID, if any; for container images, this will be a URL by digest

1003

# like `gcr.io/projectID/imagename@sha256:123456`.

1004

"names": [ # Related artifact names. This may be the path to a binary or jar file, or in

1005

# the case of a container build, the name used to push the container image to

1006

# Google Container Registry, as presented to `docker push`. Note that a

1007

# single Artifact ID can have multiple names, for example if two tags are

1008

# applied to one image.

1009

"A String",

1010

],

1011

"checksum": "A String", # Hash or checksum value of a binary, or Docker Registry 2.0 digest of a

# container.

},

],

"id": "A String", # Required. Unique identifier of the build.

1016

"buildOptions": { # Special options applied to this build. This is a catch-all field where

1017

# build providers can enter any desired additional details.

1018

"a_key": "A String",

1019

},

1020

"endTime": "A String", # Time at which execution of the build was finished.

1021

"startTime": "A String", # Time at which execution of the build was started.

1022

"triggerId": "A String", # Trigger identifier if the build was triggered automatically; empty if not.

1023

"sourceProvenance": { # Source describes the location of the source used for the build. # Details of the Source input to the build.

1024

"artifactStorageSourceUri": "A String", # If provided, the input binary artifacts for the build came from this

1025

# location.

1026

"additionalContexts": [ # If provided, some of the source code used for the build may be found in

1027

# these locations, in the case where the source repository had multiple

1028

# remotes or submodules. This list will not include the context specified in

1029

# the context field.

1030

{ # A SourceContext is a reference to a tree of files. A SourceContext together

1031

# with a path point to a unique revision of a single file or directory.

1032

"cloudRepo": { # A CloudRepoSourceContext denotes a particular revision in a Google Cloud # A SourceContext referring to a revision in a Google Cloud Source Repo.

1033

# Source Repo.

1034

"revisionId": "A String", # A revision ID.

1035

"repoId": { # A unique identifier for a Cloud Repo. # The ID of the repo.

1036

"uid": "A String", # A server-assigned, globally unique identifier.

1037

"projectRepoId": { # Selects a repo using a Google Cloud Platform project ID (e.g., # A combination of a project ID and a repo name.

1038

# winged-cargo-31) and a repo name within that project.

1039

"projectId": "A String", # The ID of the project.

1040

"repoName": "A String", # The name of the repo. Leave empty for the default repo.

1041

},

1042

},

1043

"aliasContext": { # An alias to a repo revision. # An alias, which may be a branch or tag.

1044

"name": "A String", # The alias name.

1045

"kind": "A String", # The alias kind.

1046

},

1047

},

1048

"labels": { # Labels with user defined metadata.

1049

"a_key": "A String",

1050

},

1051

"git": { # A GitSourceContext denotes a particular revision in a third party Git # A SourceContext referring to any third party Git repo (e.g., GitHub).

1052

# repository (e.g., GitHub).

1053

"revisionId": "A String", # Git commit hash.

1054

"url": "A String", # Git repository URL.

1055

},

1056

"gerrit": { # A SourceContext referring to a Gerrit project. # A SourceContext referring to a Gerrit project.

1057

"gerritProject": "A String", # The full project name within the host. Projects may be nested, so

1058

# "project/subproject" is a valid project name. The "repo name" is the

1059

# hostURI/project.

1060

"aliasContext": { # An alias to a repo revision. # An alias, which may be a branch or tag.

1061

"name": "A String", # The alias name.

1062

"kind": "A String", # The alias kind.

1063

},

1064

"hostUri": "A String", # The URI of a running Gerrit instance.

1065

"revisionId": "A String", # A revision (commit) ID.

},

},

],

"fileHashes": { # Hash(es) of the build source, which can be used to verify that the original

1070

# source integrity was maintained in the build.

1071

#

1072

# The keys to this map are file paths used as build source and the values

1073

# contain the hash values for those files.

1074

#

1075

# If the build source came in a single package such as a gzipped tarfile

1076

# (.tar.gz), the FileHash will be for the single path to that file.

1077

"a_key": { # Container message for hashes of byte content of files, used in source

1078

# messages to verify integrity of source input to the build.

1079

"fileHash": [ # Required. Collection of file hashes.

1080

{ # Container message for hash values.

1081

"type": "A String", # Required. The type of hash that was performed.

1082

"value": "A String", # Required. The hash value.

1083

},

1084

],

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1085

},

1086

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

1087

"context": { # A SourceContext is a reference to a tree of files. A SourceContext together # If provided, the source code used for the build came from this location.

1088

# with a path point to a unique revision of a single file or directory.

1089

"cloudRepo": { # A CloudRepoSourceContext denotes a particular revision in a Google Cloud # A SourceContext referring to a revision in a Google Cloud Source Repo.

1090

# Source Repo.

1091

"revisionId": "A String", # A revision ID.

1092

"repoId": { # A unique identifier for a Cloud Repo. # The ID of the repo.

1093

"uid": "A String", # A server-assigned, globally unique identifier.

1094

"projectRepoId": { # Selects a repo using a Google Cloud Platform project ID (e.g., # A combination of a project ID and a repo name.

1095

# winged-cargo-31) and a repo name within that project.

1096

"projectId": "A String", # The ID of the project.

1097

"repoName": "A String", # The name of the repo. Leave empty for the default repo.

1098

},

1099

},

1100

"aliasContext": { # An alias to a repo revision. # An alias, which may be a branch or tag.

1101

"name": "A String", # The alias name.

1102

"kind": "A String", # The alias kind.

1103

},

1104

},

1105

"labels": { # Labels with user defined metadata.

1106

"a_key": "A String",

1107

},

1108

"git": { # A GitSourceContext denotes a particular revision in a third party Git # A SourceContext referring to any third party Git repo (e.g., GitHub).

1109

# repository (e.g., GitHub).

1110

"revisionId": "A String", # Git commit hash.

1111

"url": "A String", # Git repository URL.

1112

},

1113

"gerrit": { # A SourceContext referring to a Gerrit project. # A SourceContext referring to a Gerrit project.

1114

"gerritProject": "A String", # The full project name within the host. Projects may be nested, so

1115

# "project/subproject" is a valid project name. The "repo name" is the

1116

# hostURI/project.

1117

"aliasContext": { # An alias to a repo revision. # An alias, which may be a branch or tag.

1118

"name": "A String", # The alias name.

1119

"kind": "A String", # The alias kind.

1120

},

1121

"hostUri": "A String", # The URI of a running Gerrit instance.

1122

"revisionId": "A String", # A revision (commit) ID.

1123

},

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1124

},

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1125

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

1126

"createTime": "A String", # Time at which the build was created.

1127

"projectId": "A String", # ID of the project.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1128

},

1129

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

1130

"discovered": { # Details of a discovery occurrence. # Describes when a resource was discovered.

1131

"discovered": { # Provides information about the analysis status of a discovered resource. # Required. Analysis status for the discovered resource.

1132

"analysisStatusError": { # The `Status` type defines a logical error model that is suitable for # When an error is encountered this will contain a LocalizedMessage under

1133

# details to show to the user. The LocalizedMessage is output only and

1134

# populated by the API.

1135

# different programming environments, including REST APIs and RPC APIs. It is

1136

# used by [gRPC](https://github.com/grpc). Each `Status` message contains

1137

# three pieces of data: error code, error message, and error details.

1138

#

1139

# You can find out more about this error model and how to work with it in the

1140

# [API Design Guide](https://cloud.google.com/apis/design/errors).

1141

"code": 42, # The status code, which should be an enum value of google.rpc.Code.

1142

"message": "A String", # A developer-facing error message, which should be in English. Any

1143

# user-facing error message should be localized and sent in the

1144

# google.rpc.Status.details field, or localized by the client.

1145

"details": [ # A list of messages that carry the error details. There is a common set of

1146

# message types for APIs to use.

1147

{

1148

"a_key": "", # Properties of the object. Contains field @type with type URL.

},

],

},

"analysisStatus": "A String", # The status of discovery for the resource.

1153

"continuousAnalysis": "A String", # Whether the resource is continuously analyzed.

1154

"lastAnalysisTime": "A String", # The last time continuous analysis was done for this resource.

1155

# Deprecated, do not use.

1156

},

1157

},

1158

"noteName": "A String", # Required. Immutable. The analysis note associated with this occurrence, in

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1159

# the form of `projects/[PROVIDER_ID]/notes/[NOTE_ID]`. This field can be

1160

# used as a filter in list requests.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

1161

"deployment": { # Details of a deployment occurrence. # Describes the deployment of an artifact on a runtime.

1162

"deployment": { # The period during which some deployable was active in a runtime. # Required. Deployment history for the resource.

1163

"undeployTime": "A String", # End of the lifetime of this deployment.

1164

"platform": "A String", # Platform hosting this deployment.

1165

"deployTime": "A String", # Required. Beginning of the lifetime of this deployment.

1166

"address": "A String", # Address of the runtime element hosting this deployment.

1167

"resourceUri": [ # Output only. Resource URI for the artifact being deployed taken from

1168

# the deployable field with the same name.

1169

"A String",

1170

],

1171

"userEmail": "A String", # Identity of the user that triggered this deployment.

1172

"config": "A String", # Configuration used to create this deployment.

1173

},

1174

},

1175

"createTime": "A String", # Output only. The time this occurrence was created.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

},

],

}</pre>

</div>

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

1182

<code class="details" id="create">create(parent, body=None, x__xgafv=None)</code>

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1183

<pre>Creates a new occurrence.

1184

1185

Args:

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

1186

parent: string, Required. The name of the project in the form of `projects/[PROJECT_ID]`, under which

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1187

the occurrence is to be created. (required)

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

1188

body: object, The request body.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1189

The object takes the form of:

1190

1191

{ # An instance of an analysis type that has been found on a resource.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

1192

"updateTime": "A String", # Output only. The time this occurrence was last updated.

1193

"remediation": "A String", # A description of actions that can be taken to remedy the note.

1194

"intoto": { # This corresponds to a signed in-toto link - it is made up of one or more # Describes a specific in-toto link.

1195

# signatures and the in-toto link itself. This is used for occurrences of a

1196

# Grafeas in-toto note.

1197

"signed": { # This corresponds to an in-toto link.

1198

"command": [ # This field contains the full command executed for the step. This can also

1199

# be empty if links are generated for operations that aren't directly mapped

1200

# to a specific command. Each term in the command is an independent string

1201

# in the list. An example of a command in the in-toto metadata field is:

1202

# "command": ["git", "clone", "https://github.com/in-toto/demo-project.git"]

1203

"A String",

1204

],

1205

"byproducts": { # Defines an object for the byproducts field in in-toto links. The suggested # ByProducts are data generated as part of a software supply chain step, but

1206

# are not the actual result of the step.

1207

# fields are "stderr", "stdout", and "return-value".

"customValues": {

"a_key": "A String",

},

},

"environment": { # Defines an object for the environment field in in-toto links. The suggested # This is a field that can be used to capture information about the

1213

# environment. It is suggested for this field to contain information that

1214

# details environment variables, filesystem information, and the present

1215

# working directory. The recommended structure of this field is:

1216

# "environment": {

1217

# "custom_values": {

1218

# "variables": "<ENV>",

1219

# "filesystem": "<FS>",

1220

# "workdir": "<CWD>",

1221

# "<ANY OTHER RELEVANT FIELDS>": "..."

1222

# }

1223

# }

1224

# fields are "variables", "filesystem", and "workdir".

"customValues": {

"a_key": "A String",

},

},

"materials": [ # Materials are the supply chain artifacts that go into the step and are used

1230

# for the operation performed. The key of the map is the path of the artifact

1231

# and the structure contains the recorded hash information. An example is:

1232

# "materials": [

1233

# {

1234

# "resource_uri": "foo/bar",

1235

# "hashes": {

1236

# "sha256": "ebebf...",

1237

# <OTHER HASH ALGORITHMS>: <HASH VALUE>

# }

# }

# ]

{

"hashes": { # Defines a hash object for use in Materials and Products.

1243

"sha256": "A String",

1244

},

1245

"resourceUri": "A String",

1246

},

1247

],

1248

"products": [ # Products are the supply chain artifacts generated as a result of the step.

1249

# The structure is identical to that of materials.

1250

{

1251

"hashes": { # Defines a hash object for use in Materials and Products.

1252

"sha256": "A String",

1253

},

1254

"resourceUri": "A String",

1255

},

1256

],

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1257

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

1258

"signatures": [

1259

{ # A signature object consists of the KeyID used and the signature itself.

1260

"sig": "A String",

1261

"keyid": "A String",

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1262

},

1263

],

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1264

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

1265

"derivedImage": { # Details of an image occurrence. # Describes how this resource derives from the basis in the associated

1266

# note.

1267

"derivedImage": { # Derived describes the derived image portion (Occurrence) of the DockerImage # Required. Immutable. The child image derived from the base image.

1268

# relationship. This image would be produced from a Dockerfile with FROM

1269

# <DockerImage.Basis in attached Note>.

1270

"fingerprint": { # A set of properties that uniquely identify a given Docker image. # Required. The fingerprint of the derived image.

1271

"v1Name": "A String", # Required. The layer ID of the final layer in the Docker image's v1

1272

# representation.

1273

"v2Name": "A String", # Output only. The name of the image's v2 blobs computed via:

1274

# [bottom] := v2_blobbottom := sha256(v2_blob[N] + " " + v2_name[N+1])

1275

# Only the name of the final blob is kept.

1276

"v2Blob": [ # Required. The ordered list of v2 blobs that represent a given image.

1277

"A String",

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1278

],

1279

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

1280

"layerInfo": [ # This contains layer-specific metadata, if populated it has length

1281

# "distance" and is ordered with [distance] being the layer immediately

1282

# following the base image and [1] being the final layer.

1283

{ # Layer holds metadata specific to a layer of a Docker image.

1284

"directive": "A String", # Required. The recovered Dockerfile directive used to construct this layer.

1285

"arguments": "A String", # The recovered arguments to the Dockerfile directive.

1286

},

1287

],

1288

"distance": 42, # Output only. The number of layers by which this image differs from the

1289

# associated image basis.

1290

"baseResourceUrl": "A String", # Output only. This contains the base image URL for the derived image

1291

# occurrence.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1292

},

1293

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

1294

"kind": "A String", # Output only. This explicitly denotes which of the occurrence details are

1295

# specified. This field can be used as a filter in list requests.

1296

"resource": { # An entity that can have metadata. For example, a Docker image. # Required. Immutable. The resource for which the occurrence applies.

1297

"name": "A String", # Deprecated, do not use. Use uri instead.

1298

#

1299

# The name of the resource. For example, the name of a Docker image -

1300

# "Debian".

1301

"contentHash": { # Container message for hash values. # Deprecated, do not use. Use uri instead.

1302

#

1303

# The hash of the resource content. For example, the Docker digest.

1304

"type": "A String", # Required. The type of hash that was performed.

1305

"value": "A String", # Required. The hash value.

1306

},

1307

"uri": "A String", # Required. The unique URI of the resource. For example,

1308

# `https://gcr.io/project/image@sha256:foo` for a Docker image.

1309

},

1310

"name": "A String", # Output only. The name of the occurrence in the form of

1311

# `projects/[PROJECT_ID]/occurrences/[OCCURRENCE_ID]`.

1312

"attestation": { # Details of an attestation occurrence. # Describes an attestation of an artifact.

1313

"attestation": { # Occurrence that represents a single "attestation". The authenticity of an # Required. Attestation for the resource.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1314

# attestation can be verified using the attached signature. If the verifier

1315

# trusts the public key of the signer, then verifying the signature is

1316

# sufficient to establish trust. In this circumstance, the authority to which

1317

# this attestation is attached is primarily useful for look-up (how to find

1318

# this attestation if you already know the authority and artifact to be

1319

# verified) and intent (which authority was this attestation intended to sign

1320

# for).

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

1321

"pgpSignedAttestation": { # An attestation wrapper with a PGP-compatible signature. This message only # A PGP signed attestation.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1322

# supports `ATTACHED` signatures, where the payload that is signed is included

1323

# alongside the signature itself in the same file.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

1324

"contentType": "A String", # Type (for example schema) of the attestation payload that was signed.

1325

# The verifier must ensure that the provided type is one that the verifier

1326

# supports, and that the attestation payload is a valid instantiation of that

1327

# type (for example by validating a JSON schema).

1328

"signature": "A String", # Required. The raw content of the signature, as output by GNU Privacy Guard

1329

# (GPG) or equivalent. Since this message only supports attached signatures,

1330

# the payload that was signed must be attached. While the signature format

1331

# supported is dependent on the verification implementation, currently only

1332

# ASCII-armored (`--armor` to gpg), non-clearsigned (`--sign` rather than

1333

# `--clearsign` to gpg) are supported. Concretely, `gpg --sign --armor

1334

# --output=signature.gpg payload.json` will create the signature content

1335

# expected in this field in `signature.gpg` for the `payload.json`

1336

# attestation payload.

1337

"pgpKeyId": "A String", # The cryptographic fingerprint of the key used to generate the signature,

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1338

# as output by, e.g. `gpg --list-keys`. This should be the version 4, full

1339

# 160-bit fingerprint, expressed as a 40 character hexidecimal string. See

1340

# https://tools.ietf.org/html/rfc4880#section-12.2 for details.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

1341

# Implementations may choose to acknowledge "LONG", "SHORT", or other

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1342

# abbreviated key IDs, but only the full fingerprint is guaranteed to work.

1343

# In gpg, the full fingerprint can be retrieved from the `fpr` field

1344

# returned when calling --list-keys with --with-colons. For example:

1345

# ```

1346

# gpg --with-colons --with-fingerprint --force-v4-certs \

1347

# --list-keys attester@example.com

1348

# tru::1:1513631572:0:3:1:5

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

1349

# pub:...<SNIP>...

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1350

# fpr:::::::::24FF6481B76AC91E66A00AC657A93A81EF3AE6FB:

1351

# ```

1352

# Above, the fingerprint is `24FF6481B76AC91E66A00AC657A93A81EF3AE6FB`.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1353

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

1354

"genericSignedAttestation": { # An attestation wrapper that uses the Grafeas `Signature` message.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1355

# This attestation must define the `serialized_payload` that the `signatures`

1356

# verify and any metadata necessary to interpret that plaintext. The

1357

# signatures should always be over the `serialized_payload` bytestring.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

1358

"signatures": [ # One or more signatures over `serialized_payload`. Verifier implementations

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1359

# should consider this attestation message verified if at least one

1360

# `signature` verifies `serialized_payload`. See `Signature` in common.proto

1361

# for more details on signature structure and verification.

1362

{ # Verifiers (e.g. Kritis implementations) MUST verify signatures

1363

# with respect to the trust anchors defined in policy (e.g. a Kritis policy).

1364

# Typically this means that the verifier has been configured with a map from

1365

# `public_key_id` to public key material (and any required parameters, e.g.

1366

# signing algorithm).

1367

#

1368

# In particular, verification implementations MUST NOT treat the signature

1369

# `public_key_id` as anything more than a key lookup hint. The `public_key_id`

1370

# DOES NOT validate or authenticate a public key; it only provides a mechanism

1371

# for quickly selecting a public key ALREADY CONFIGURED on the verifier through

1372

# a trusted channel. Verification implementations MUST reject signatures in any

1373

# of the following circumstances:

1374

# * The `public_key_id` is not recognized by the verifier.

1375

# * The public key that `public_key_id` refers to does not verify the

1376

# signature with respect to the payload.

1377

#

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

1378

# The `signature` contents SHOULD NOT be "attached" (where the payload is

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1379

# included with the serialized `signature` bytes). Verifiers MUST ignore any

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

1380

# "attached" payload and only verify signatures with respect to explicitly

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1381

# provided payload (e.g. a `payload` field on the proto message that holds

1382

# this Signature, or the canonical serialization of the proto message that

1383

# holds this signature).

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

1384

"publicKeyId": "A String", # The identifier for the public key that verifies this signature.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1385

# * The `public_key_id` is required.

1386

# * The `public_key_id` MUST be an RFC3986 conformant URI.

1387

# * When possible, the `public_key_id` SHOULD be an immutable reference,

1388

# such as a cryptographic digest.

1389

#

1390

# Examples of valid `public_key_id`s:

1391

#

1392

# OpenPGP V4 public key fingerprint:

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

1393

# * "openpgp4fpr:74FAF3B861BDA0870C7B6DEF607E48D2A663AEEA"

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1394

# See https://www.iana.org/assignments/uri-schemes/prov/openpgp4fpr for more

1395

# details on this scheme.

1396

#

1397

# RFC6920 digest-named SubjectPublicKeyInfo (digest of the DER

1398

# serialization):

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

1399

# * "ni:///sha-256;cD9o9Cq6LG3jD0iKXqEi_vdjJGecm_iXkbqVoScViaU"

1400

# * "nih:///sha-256;703f68f42aba2c6de30f488a5ea122fef76324679c9bf89791ba95a1271589a5"

1401

"signature": "A String", # The content of the signature, an opaque bytestring.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1402

# The payload that this signature verifies MUST be unambiguously provided

1403

# with the Signature during verification. A wrapper message might provide

1404

# the payload explicitly. Alternatively, a message might have a canonical

1405

# serialization that can always be unambiguously computed to derive the

1406

# payload.

1407

},

1408

],

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

1409

"serializedPayload": "A String", # The serialized payload that is verified by one or more `signatures`.

1410

# The encoding and semantic meaning of this payload must match what is set in

1411

# `content_type`.

1412

"contentType": "A String", # Type (for example schema) of the attestation payload that was signed.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1413

# The verifier must ensure that the provided type is one that the verifier

1414

# supports, and that the attestation payload is a valid instantiation of that

1415

# type (for example by validating a JSON schema).

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1416

},

1417

},

1418

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

1419

"vulnerability": { # Details of a vulnerability Occurrence. # Describes a security vulnerability.

1420

"longDescription": "A String", # Output only. A detailed description of this vulnerability.

1421

"shortDescription": "A String", # Output only. A one sentence description of this vulnerability.

1422

"effectiveSeverity": "A String", # The distro assigned severity for this vulnerability when it is

1423

# available, and note provider assigned severity when distro has not yet

1424

# assigned a severity for this vulnerability.

1425

"severity": "A String", # Output only. The note provider assigned Severity of the vulnerability.

1426

"cvssScore": 3.14, # Output only. The CVSS score of this vulnerability. CVSS score is on a

1427

# scale of 0-10 where 0 indicates low severity and 10 indicates high

1428

# severity.

1429

"relatedUrls": [ # Output only. URLs related to this vulnerability.

1430

{ # Metadata for any related URL information.

1431

"url": "A String", # Specific URL associated with the resource.

1432

"label": "A String", # Label to describe usage of the URL.

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

1433

},

1434

],

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

1435

"type": "A String", # The type of package; whether native or non native(ruby gems, node.js

1436

# packages etc)

1437

"packageIssue": [ # Required. The set of affected locations and their fixes (if available)

1438

# within the associated resource.

1439

{ # This message wraps a location affected by a vulnerability and its

1440

# associated fix (if one is available).

1441

"fixedLocation": { # The location of the vulnerability. # The location of the available fix for vulnerability.

1442

"package": "A String", # Required. The package being described.

1443

"version": { # Version contains structured information about the version of a package. # Required. The version of the package being described.

1444

"name": "A String", # Required only when version kind is NORMAL. The main part of the version

1445

# name.

1446

"kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal

1447

# versions.

1448

"epoch": 42, # Used to correct mistakes in the version numbering scheme.

1449

"revision": "A String", # The iteration of the package build from the above version.

1450

},

1451

"cpeUri": "A String", # Required. The CPE URI in [cpe format](https://cpe.mitre.org/specification/)

1452

# format. Examples include distro or storage location for vulnerable jar.

1453

},

1454

"severityName": "A String", # Deprecated, use Details.effective_severity instead

1455

# The severity (e.g., distro assigned severity) for this vulnerability.

1456

"affectedLocation": { # The location of the vulnerability. # Required. The location of the vulnerability.

1457

"package": "A String", # Required. The package being described.

1458

"version": { # Version contains structured information about the version of a package. # Required. The version of the package being described.

1459

"name": "A String", # Required only when version kind is NORMAL. The main part of the version

1460

# name.

1461

"kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal

1462

# versions.

1463

"epoch": 42, # Used to correct mistakes in the version numbering scheme.

1464

"revision": "A String", # The iteration of the package build from the above version.

1465

},

1466

"cpeUri": "A String", # Required. The CPE URI in [cpe format](https://cpe.mitre.org/specification/)

1467

# format. Examples include distro or storage location for vulnerable jar.

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

1468

},

1469

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

1470

],

1471

},

1472

"installation": { # Details of a package occurrence. # Describes the installation of a package on the linked resource.

1473

"installation": { # This represents how a particular software package may be installed on a # Required. Where the package was installed.

1474

# system.

1475

"location": [ # Required. All of the places within the filesystem versions of this package

1476

# have been found.

1477

{ # An occurrence of a particular package installation found within a system's

1478

# filesystem. E.g., glibc was found in `/var/lib/dpkg/status`.

1479

"version": { # Version contains structured information about the version of a package. # The version installed at this location.

1480

"name": "A String", # Required only when version kind is NORMAL. The main part of the version

1481

# name.

1482

"kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal

1483

# versions.

1484

"epoch": 42, # Used to correct mistakes in the version numbering scheme.

1485

"revision": "A String", # The iteration of the package build from the above version.

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

1486

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

1487

"path": "A String", # The path from which we gathered that this package/version is installed.

1488

"cpeUri": "A String", # Required. The CPE URI in [CPE format](https://cpe.mitre.org/specification/)

1489

# denoting the package manager version distributing a package.

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

1490

},

1491

],

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

1492

"name": "A String", # Output only. The name of the installed package.

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

1493

},

1494

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

1495

"build": { # Details of a build occurrence. # Describes a verifiable build.

1496

"provenanceBytes": "A String", # Serialized JSON representation of the provenance, used in generating the

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1497

# build signature in the corresponding build note. After verifying the

1498

# signature, `provenance_bytes` can be unmarshalled and compared to the

1499

# provenance to confirm that it is unchanged. A base64-encoded string

1500

# representation of the provenance bytes is used for the signature in order

1501

# to interoperate with openssl which expects this format for signature

1502

# verification.

1503

#

1504

# The serialized form is captured both to avoid ambiguity in how the

1505

# provenance is marshalled to json as well to prevent incompatibilities with

1506

# future changes.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

1507

"provenance": { # Provenance of a build. Contains all information needed to verify the full # Required. The actual provenance for the build.

1508

# details about the build from source to completion.

1509

"logsUri": "A String", # URI where any logs for this provenance were written.

1510

"creator": "A String", # E-mail address of the user who initiated this build. Note that this was the

1511

# user's e-mail address at the time the build was initiated; this address may

1512

# not represent the same end-user for all time.

1513

"builderVersion": "A String", # Version string of the builder at the time this build was executed.

1514

"commands": [ # Commands requested by the build.

1515

{ # Command describes a step performed as part of the build pipeline.

1516

"name": "A String", # Required. Name of the command, as presented on the command line, or if the

1517

# command is packaged as a Docker container, as presented to `docker pull`.

1518

"id": "A String", # Optional unique identifier for this command, used in wait_for to reference

1519

# this command as a dependency.

1520

"dir": "A String", # Working directory (relative to project source root) used when running this

1521

# command.

1522

"waitFor": [ # The ID(s) of the command(s) that this command depends on.

1523

"A String",

1524

],

1525

"env": [ # Environment variables set before running this command.

1526

"A String",

1527

],

1528

"args": [ # Command-line arguments used when executing this command.

1529

"A String",

1530

],

1531

},

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1532

],

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

1533

"builtArtifacts": [ # Output of the build.

1534

{ # Artifact describes a build product.

1535

"id": "A String", # Artifact ID, if any; for container images, this will be a URL by digest

1536

# like `gcr.io/projectID/imagename@sha256:123456`.

1537

"names": [ # Related artifact names. This may be the path to a binary or jar file, or in

1538

# the case of a container build, the name used to push the container image to

1539

# Google Container Registry, as presented to `docker push`. Note that a

1540

# single Artifact ID can have multiple names, for example if two tags are

1541

# applied to one image.

1542

"A String",

1543

],

1544

"checksum": "A String", # Hash or checksum value of a binary, or Docker Registry 2.0 digest of a

# container.

},

],

"id": "A String", # Required. Unique identifier of the build.

1549

"buildOptions": { # Special options applied to this build. This is a catch-all field where

1550

# build providers can enter any desired additional details.

1551

"a_key": "A String",

1552

},

1553

"endTime": "A String", # Time at which execution of the build was finished.

1554

"startTime": "A String", # Time at which execution of the build was started.

1555

"triggerId": "A String", # Trigger identifier if the build was triggered automatically; empty if not.

1556

"sourceProvenance": { # Source describes the location of the source used for the build. # Details of the Source input to the build.

1557

"artifactStorageSourceUri": "A String", # If provided, the input binary artifacts for the build came from this

1558

# location.

1559

"additionalContexts": [ # If provided, some of the source code used for the build may be found in

1560

# these locations, in the case where the source repository had multiple

1561

# remotes or submodules. This list will not include the context specified in

1562

# the context field.

1563

{ # A SourceContext is a reference to a tree of files. A SourceContext together

1564

# with a path point to a unique revision of a single file or directory.

1565

"cloudRepo": { # A CloudRepoSourceContext denotes a particular revision in a Google Cloud # A SourceContext referring to a revision in a Google Cloud Source Repo.

1566

# Source Repo.

1567

"revisionId": "A String", # A revision ID.

1568

"repoId": { # A unique identifier for a Cloud Repo. # The ID of the repo.

1569

"uid": "A String", # A server-assigned, globally unique identifier.

1570

"projectRepoId": { # Selects a repo using a Google Cloud Platform project ID (e.g., # A combination of a project ID and a repo name.

1571

# winged-cargo-31) and a repo name within that project.

1572

"projectId": "A String", # The ID of the project.

1573

"repoName": "A String", # The name of the repo. Leave empty for the default repo.

1574

},

1575

},

1576

"aliasContext": { # An alias to a repo revision. # An alias, which may be a branch or tag.

1577

"name": "A String", # The alias name.

1578

"kind": "A String", # The alias kind.

1579

},

1580

},

1581

"labels": { # Labels with user defined metadata.

1582

"a_key": "A String",

1583

},

1584

"git": { # A GitSourceContext denotes a particular revision in a third party Git # A SourceContext referring to any third party Git repo (e.g., GitHub).

1585

# repository (e.g., GitHub).

1586

"revisionId": "A String", # Git commit hash.

1587

"url": "A String", # Git repository URL.

1588

},

1589

"gerrit": { # A SourceContext referring to a Gerrit project. # A SourceContext referring to a Gerrit project.

1590

"gerritProject": "A String", # The full project name within the host. Projects may be nested, so

1591

# "project/subproject" is a valid project name. The "repo name" is the

1592

# hostURI/project.

1593

"aliasContext": { # An alias to a repo revision. # An alias, which may be a branch or tag.

1594

"name": "A String", # The alias name.

1595

"kind": "A String", # The alias kind.

1596

},

1597

"hostUri": "A String", # The URI of a running Gerrit instance.

1598

"revisionId": "A String", # A revision (commit) ID.

},

},

],

"fileHashes": { # Hash(es) of the build source, which can be used to verify that the original

1603

# source integrity was maintained in the build.

1604

#

1605

# The keys to this map are file paths used as build source and the values

1606

# contain the hash values for those files.

1607

#

1608

# If the build source came in a single package such as a gzipped tarfile

1609

# (.tar.gz), the FileHash will be for the single path to that file.

1610

"a_key": { # Container message for hashes of byte content of files, used in source

1611

# messages to verify integrity of source input to the build.

1612

"fileHash": [ # Required. Collection of file hashes.

1613

{ # Container message for hash values.

1614

"type": "A String", # Required. The type of hash that was performed.

1615

"value": "A String", # Required. The hash value.

1616

},

1617

],

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1618

},

1619

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

1620

"context": { # A SourceContext is a reference to a tree of files. A SourceContext together # If provided, the source code used for the build came from this location.

1621

# with a path point to a unique revision of a single file or directory.

1622

"cloudRepo": { # A CloudRepoSourceContext denotes a particular revision in a Google Cloud # A SourceContext referring to a revision in a Google Cloud Source Repo.

1623

# Source Repo.

1624

"revisionId": "A String", # A revision ID.

1625

"repoId": { # A unique identifier for a Cloud Repo. # The ID of the repo.

1626

"uid": "A String", # A server-assigned, globally unique identifier.

1627

"projectRepoId": { # Selects a repo using a Google Cloud Platform project ID (e.g., # A combination of a project ID and a repo name.

1628

# winged-cargo-31) and a repo name within that project.

1629

"projectId": "A String", # The ID of the project.

1630

"repoName": "A String", # The name of the repo. Leave empty for the default repo.

1631

},

1632

},

1633

"aliasContext": { # An alias to a repo revision. # An alias, which may be a branch or tag.

1634

"name": "A String", # The alias name.

1635

"kind": "A String", # The alias kind.

1636

},

1637

},

1638

"labels": { # Labels with user defined metadata.

1639

"a_key": "A String",

1640

},

1641

"git": { # A GitSourceContext denotes a particular revision in a third party Git # A SourceContext referring to any third party Git repo (e.g., GitHub).

1642

# repository (e.g., GitHub).

1643

"revisionId": "A String", # Git commit hash.

1644

"url": "A String", # Git repository URL.

1645

},

1646

"gerrit": { # A SourceContext referring to a Gerrit project. # A SourceContext referring to a Gerrit project.

1647

"gerritProject": "A String", # The full project name within the host. Projects may be nested, so

1648

# "project/subproject" is a valid project name. The "repo name" is the

1649

# hostURI/project.

1650

"aliasContext": { # An alias to a repo revision. # An alias, which may be a branch or tag.

1651

"name": "A String", # The alias name.

1652

"kind": "A String", # The alias kind.

1653

},

1654

"hostUri": "A String", # The URI of a running Gerrit instance.

1655

"revisionId": "A String", # A revision (commit) ID.

1656

},

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1657

},

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1658

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

1659

"createTime": "A String", # Time at which the build was created.

1660

"projectId": "A String", # ID of the project.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1661

},

1662

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

1663

"discovered": { # Details of a discovery occurrence. # Describes when a resource was discovered.

1664

"discovered": { # Provides information about the analysis status of a discovered resource. # Required. Analysis status for the discovered resource.

1665

"analysisStatusError": { # The `Status` type defines a logical error model that is suitable for # When an error is encountered this will contain a LocalizedMessage under

1666

# details to show to the user. The LocalizedMessage is output only and

1667

# populated by the API.

1668

# different programming environments, including REST APIs and RPC APIs. It is

1669

# used by [gRPC](https://github.com/grpc). Each `Status` message contains

1670

# three pieces of data: error code, error message, and error details.

1671

#

1672

# You can find out more about this error model and how to work with it in the

1673

# [API Design Guide](https://cloud.google.com/apis/design/errors).

1674

"code": 42, # The status code, which should be an enum value of google.rpc.Code.

1675

"message": "A String", # A developer-facing error message, which should be in English. Any

1676

# user-facing error message should be localized and sent in the

1677

# google.rpc.Status.details field, or localized by the client.

1678

"details": [ # A list of messages that carry the error details. There is a common set of

1679

# message types for APIs to use.

1680

{

1681

"a_key": "", # Properties of the object. Contains field @type with type URL.

},

],

},

"analysisStatus": "A String", # The status of discovery for the resource.

1686

"continuousAnalysis": "A String", # Whether the resource is continuously analyzed.

1687

"lastAnalysisTime": "A String", # The last time continuous analysis was done for this resource.

1688

# Deprecated, do not use.

1689

},

1690

},

1691

"noteName": "A String", # Required. Immutable. The analysis note associated with this occurrence, in

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1692

# the form of `projects/[PROVIDER_ID]/notes/[NOTE_ID]`. This field can be

1693

# used as a filter in list requests.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

1694

"deployment": { # Details of a deployment occurrence. # Describes the deployment of an artifact on a runtime.

1695

"deployment": { # The period during which some deployable was active in a runtime. # Required. Deployment history for the resource.

1696

"undeployTime": "A String", # End of the lifetime of this deployment.

1697

"platform": "A String", # Platform hosting this deployment.

1698

"deployTime": "A String", # Required. Beginning of the lifetime of this deployment.

1699

"address": "A String", # Address of the runtime element hosting this deployment.

1700

"resourceUri": [ # Output only. Resource URI for the artifact being deployed taken from

1701

# the deployable field with the same name.

1702

"A String",

1703

],

1704

"userEmail": "A String", # Identity of the user that triggered this deployment.

1705

"config": "A String", # Configuration used to create this deployment.

1706

},

1707

},

1708

"createTime": "A String", # Output only. The time this occurrence was created.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1709

}

1710

1711

x__xgafv: string, V1 error format.

Allowed values

1 - v1 error format

2 - v2 error format

Returns:

An object of the form:

1718

1719

{ # An instance of an analysis type that has been found on a resource.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

1720

"updateTime": "A String", # Output only. The time this occurrence was last updated.

1721

"remediation": "A String", # A description of actions that can be taken to remedy the note.

1722

"intoto": { # This corresponds to a signed in-toto link - it is made up of one or more # Describes a specific in-toto link.

1723

# signatures and the in-toto link itself. This is used for occurrences of a

1724

# Grafeas in-toto note.

1725

"signed": { # This corresponds to an in-toto link.

1726

"command": [ # This field contains the full command executed for the step. This can also

1727

# be empty if links are generated for operations that aren't directly mapped

1728

# to a specific command. Each term in the command is an independent string

1729

# in the list. An example of a command in the in-toto metadata field is:

1730

# "command": ["git", "clone", "https://github.com/in-toto/demo-project.git"]

1731

"A String",

1732

],

1733

"byproducts": { # Defines an object for the byproducts field in in-toto links. The suggested # ByProducts are data generated as part of a software supply chain step, but

1734

# are not the actual result of the step.

1735

# fields are "stderr", "stdout", and "return-value".

"customValues": {

"a_key": "A String",

},

},

"environment": { # Defines an object for the environment field in in-toto links. The suggested # This is a field that can be used to capture information about the

1741

# environment. It is suggested for this field to contain information that

1742

# details environment variables, filesystem information, and the present

1743

# working directory. The recommended structure of this field is:

1744

# "environment": {

1745

# "custom_values": {

1746

# "variables": "<ENV>",

1747

# "filesystem": "<FS>",

1748

# "workdir": "<CWD>",

1749

# "<ANY OTHER RELEVANT FIELDS>": "..."

1750

# }

1751

# }

1752

# fields are "variables", "filesystem", and "workdir".

"customValues": {

"a_key": "A String",

},

},

"materials": [ # Materials are the supply chain artifacts that go into the step and are used

1758

# for the operation performed. The key of the map is the path of the artifact

1759

# and the structure contains the recorded hash information. An example is:

1760

# "materials": [

1761

# {

1762

# "resource_uri": "foo/bar",

1763

# "hashes": {

1764

# "sha256": "ebebf...",

1765

# <OTHER HASH ALGORITHMS>: <HASH VALUE>

# }

# }

# ]

{

"hashes": { # Defines a hash object for use in Materials and Products.

1771

"sha256": "A String",

1772

},

1773

"resourceUri": "A String",

1774

},

1775

],

1776

"products": [ # Products are the supply chain artifacts generated as a result of the step.

1777

# The structure is identical to that of materials.

1778

{

1779

"hashes": { # Defines a hash object for use in Materials and Products.

1780

"sha256": "A String",

1781

},

1782

"resourceUri": "A String",

1783

},

1784

],

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1785

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

1786

"signatures": [

1787

{ # A signature object consists of the KeyID used and the signature itself.

1788

"sig": "A String",

1789

"keyid": "A String",

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1790

},

1791

],

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1792

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

1793

"derivedImage": { # Details of an image occurrence. # Describes how this resource derives from the basis in the associated

1794

# note.

1795

"derivedImage": { # Derived describes the derived image portion (Occurrence) of the DockerImage # Required. Immutable. The child image derived from the base image.

1796

# relationship. This image would be produced from a Dockerfile with FROM

1797

# <DockerImage.Basis in attached Note>.

1798

"fingerprint": { # A set of properties that uniquely identify a given Docker image. # Required. The fingerprint of the derived image.

1799

"v1Name": "A String", # Required. The layer ID of the final layer in the Docker image's v1

1800

# representation.

1801

"v2Name": "A String", # Output only. The name of the image's v2 blobs computed via:

1802

# [bottom] := v2_blobbottom := sha256(v2_blob[N] + " " + v2_name[N+1])

1803

# Only the name of the final blob is kept.

1804

"v2Blob": [ # Required. The ordered list of v2 blobs that represent a given image.

1805

"A String",

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1806

],

1807

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

1808

"layerInfo": [ # This contains layer-specific metadata, if populated it has length

1809

# "distance" and is ordered with [distance] being the layer immediately

1810

# following the base image and [1] being the final layer.

1811

{ # Layer holds metadata specific to a layer of a Docker image.

1812

"directive": "A String", # Required. The recovered Dockerfile directive used to construct this layer.

1813

"arguments": "A String", # The recovered arguments to the Dockerfile directive.

1814

},

1815

],

1816

"distance": 42, # Output only. The number of layers by which this image differs from the

1817

# associated image basis.

1818

"baseResourceUrl": "A String", # Output only. This contains the base image URL for the derived image

1819

# occurrence.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1820

},

1821

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

1822

"kind": "A String", # Output only. This explicitly denotes which of the occurrence details are

1823

# specified. This field can be used as a filter in list requests.

1824

"resource": { # An entity that can have metadata. For example, a Docker image. # Required. Immutable. The resource for which the occurrence applies.

1825

"name": "A String", # Deprecated, do not use. Use uri instead.

1826

#

1827

# The name of the resource. For example, the name of a Docker image -

1828

# "Debian".

1829

"contentHash": { # Container message for hash values. # Deprecated, do not use. Use uri instead.

1830

#

1831

# The hash of the resource content. For example, the Docker digest.

1832

"type": "A String", # Required. The type of hash that was performed.

1833

"value": "A String", # Required. The hash value.

1834

},

1835

"uri": "A String", # Required. The unique URI of the resource. For example,

1836

# `https://gcr.io/project/image@sha256:foo` for a Docker image.

1837

},

1838

"name": "A String", # Output only. The name of the occurrence in the form of

1839

# `projects/[PROJECT_ID]/occurrences/[OCCURRENCE_ID]`.

1840

"attestation": { # Details of an attestation occurrence. # Describes an attestation of an artifact.

1841

"attestation": { # Occurrence that represents a single "attestation". The authenticity of an # Required. Attestation for the resource.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1842

# attestation can be verified using the attached signature. If the verifier

1843

# trusts the public key of the signer, then verifying the signature is

1844

# sufficient to establish trust. In this circumstance, the authority to which

1845

# this attestation is attached is primarily useful for look-up (how to find

1846

# this attestation if you already know the authority and artifact to be

1847

# verified) and intent (which authority was this attestation intended to sign

1848

# for).

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

1849

"pgpSignedAttestation": { # An attestation wrapper with a PGP-compatible signature. This message only # A PGP signed attestation.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1850

# supports `ATTACHED` signatures, where the payload that is signed is included

1851

# alongside the signature itself in the same file.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

1852

"contentType": "A String", # Type (for example schema) of the attestation payload that was signed.

1853

# The verifier must ensure that the provided type is one that the verifier

1854

# supports, and that the attestation payload is a valid instantiation of that

1855

# type (for example by validating a JSON schema).

1856

"signature": "A String", # Required. The raw content of the signature, as output by GNU Privacy Guard

1857

# (GPG) or equivalent. Since this message only supports attached signatures,

1858

# the payload that was signed must be attached. While the signature format

1859

# supported is dependent on the verification implementation, currently only

1860

# ASCII-armored (`--armor` to gpg), non-clearsigned (`--sign` rather than

1861

# `--clearsign` to gpg) are supported. Concretely, `gpg --sign --armor

1862

# --output=signature.gpg payload.json` will create the signature content

1863

# expected in this field in `signature.gpg` for the `payload.json`

1864

# attestation payload.

1865

"pgpKeyId": "A String", # The cryptographic fingerprint of the key used to generate the signature,

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1866

# as output by, e.g. `gpg --list-keys`. This should be the version 4, full

1867

# 160-bit fingerprint, expressed as a 40 character hexidecimal string. See

1868

# https://tools.ietf.org/html/rfc4880#section-12.2 for details.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

1869

# Implementations may choose to acknowledge "LONG", "SHORT", or other

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1870

# abbreviated key IDs, but only the full fingerprint is guaranteed to work.

1871

# In gpg, the full fingerprint can be retrieved from the `fpr` field

1872

# returned when calling --list-keys with --with-colons. For example:

1873

# ```

1874

# gpg --with-colons --with-fingerprint --force-v4-certs \

1875

# --list-keys attester@example.com

1876

# tru::1:1513631572:0:3:1:5

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

1877

# pub:...<SNIP>...

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1878

# fpr:::::::::24FF6481B76AC91E66A00AC657A93A81EF3AE6FB:

1879

# ```

1880

# Above, the fingerprint is `24FF6481B76AC91E66A00AC657A93A81EF3AE6FB`.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1881

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

1882

"genericSignedAttestation": { # An attestation wrapper that uses the Grafeas `Signature` message.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1883

# This attestation must define the `serialized_payload` that the `signatures`

1884

# verify and any metadata necessary to interpret that plaintext. The

1885

# signatures should always be over the `serialized_payload` bytestring.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

1886

"signatures": [ # One or more signatures over `serialized_payload`. Verifier implementations

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1887

# should consider this attestation message verified if at least one

1888

# `signature` verifies `serialized_payload`. See `Signature` in common.proto

1889

# for more details on signature structure and verification.

1890

{ # Verifiers (e.g. Kritis implementations) MUST verify signatures

1891

# with respect to the trust anchors defined in policy (e.g. a Kritis policy).

1892

# Typically this means that the verifier has been configured with a map from

1893

# `public_key_id` to public key material (and any required parameters, e.g.

1894

# signing algorithm).

1895

#

1896

# In particular, verification implementations MUST NOT treat the signature

1897

# `public_key_id` as anything more than a key lookup hint. The `public_key_id`

1898

# DOES NOT validate or authenticate a public key; it only provides a mechanism

1899

# for quickly selecting a public key ALREADY CONFIGURED on the verifier through

1900

# a trusted channel. Verification implementations MUST reject signatures in any

1901

# of the following circumstances:

1902

# * The `public_key_id` is not recognized by the verifier.

1903

# * The public key that `public_key_id` refers to does not verify the

1904

# signature with respect to the payload.

1905

#

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

1906

# The `signature` contents SHOULD NOT be "attached" (where the payload is

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1907

# included with the serialized `signature` bytes). Verifiers MUST ignore any

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

1908

# "attached" payload and only verify signatures with respect to explicitly

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1909

# provided payload (e.g. a `payload` field on the proto message that holds

1910

# this Signature, or the canonical serialization of the proto message that

1911

# holds this signature).

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

1912

"publicKeyId": "A String", # The identifier for the public key that verifies this signature.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1913

# * The `public_key_id` is required.

1914

# * The `public_key_id` MUST be an RFC3986 conformant URI.

1915

# * When possible, the `public_key_id` SHOULD be an immutable reference,

1916

# such as a cryptographic digest.

1917

#

1918

# Examples of valid `public_key_id`s:

1919

#

1920

# OpenPGP V4 public key fingerprint:

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

1921

# * "openpgp4fpr:74FAF3B861BDA0870C7B6DEF607E48D2A663AEEA"

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1922

# See https://www.iana.org/assignments/uri-schemes/prov/openpgp4fpr for more

1923

# details on this scheme.

1924

#

1925

# RFC6920 digest-named SubjectPublicKeyInfo (digest of the DER

1926

# serialization):

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

1927

# * "ni:///sha-256;cD9o9Cq6LG3jD0iKXqEi_vdjJGecm_iXkbqVoScViaU"

1928

# * "nih:///sha-256;703f68f42aba2c6de30f488a5ea122fef76324679c9bf89791ba95a1271589a5"

1929

"signature": "A String", # The content of the signature, an opaque bytestring.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1930

# The payload that this signature verifies MUST be unambiguously provided

1931

# with the Signature during verification. A wrapper message might provide

1932

# the payload explicitly. Alternatively, a message might have a canonical

1933

# serialization that can always be unambiguously computed to derive the

1934

# payload.

1935

},

1936

],

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

1937

"serializedPayload": "A String", # The serialized payload that is verified by one or more `signatures`.

1938

# The encoding and semantic meaning of this payload must match what is set in

1939

# `content_type`.

1940

"contentType": "A String", # Type (for example schema) of the attestation payload that was signed.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1941

# The verifier must ensure that the provided type is one that the verifier

1942

# supports, and that the attestation payload is a valid instantiation of that

1943

# type (for example by validating a JSON schema).

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1944

},

1945

},

1946

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

1947

"vulnerability": { # Details of a vulnerability Occurrence. # Describes a security vulnerability.

1948

"longDescription": "A String", # Output only. A detailed description of this vulnerability.

1949

"shortDescription": "A String", # Output only. A one sentence description of this vulnerability.

1950

"effectiveSeverity": "A String", # The distro assigned severity for this vulnerability when it is

1951

# available, and note provider assigned severity when distro has not yet

1952

# assigned a severity for this vulnerability.

1953

"severity": "A String", # Output only. The note provider assigned Severity of the vulnerability.

1954

"cvssScore": 3.14, # Output only. The CVSS score of this vulnerability. CVSS score is on a

1955

# scale of 0-10 where 0 indicates low severity and 10 indicates high

1956

# severity.

1957

"relatedUrls": [ # Output only. URLs related to this vulnerability.

1958

{ # Metadata for any related URL information.

1959

"url": "A String", # Specific URL associated with the resource.

1960

"label": "A String", # Label to describe usage of the URL.

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

1961

},

1962

],

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

1963

"type": "A String", # The type of package; whether native or non native(ruby gems, node.js

1964

# packages etc)

1965

"packageIssue": [ # Required. The set of affected locations and their fixes (if available)

1966

# within the associated resource.

1967

{ # This message wraps a location affected by a vulnerability and its

1968

# associated fix (if one is available).

1969

"fixedLocation": { # The location of the vulnerability. # The location of the available fix for vulnerability.

1970

"package": "A String", # Required. The package being described.

1971

"version": { # Version contains structured information about the version of a package. # Required. The version of the package being described.

1972

"name": "A String", # Required only when version kind is NORMAL. The main part of the version

1973

# name.

1974

"kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal

1975

# versions.

1976

"epoch": 42, # Used to correct mistakes in the version numbering scheme.

1977

"revision": "A String", # The iteration of the package build from the above version.

1978

},

1979

"cpeUri": "A String", # Required. The CPE URI in [cpe format](https://cpe.mitre.org/specification/)

1980

# format. Examples include distro or storage location for vulnerable jar.

1981

},

1982

"severityName": "A String", # Deprecated, use Details.effective_severity instead

1983

# The severity (e.g., distro assigned severity) for this vulnerability.

1984

"affectedLocation": { # The location of the vulnerability. # Required. The location of the vulnerability.

1985

"package": "A String", # Required. The package being described.

1986

"version": { # Version contains structured information about the version of a package. # Required. The version of the package being described.

1987

"name": "A String", # Required only when version kind is NORMAL. The main part of the version

1988

# name.

1989

"kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal

1990

# versions.

1991

"epoch": 42, # Used to correct mistakes in the version numbering scheme.

1992

"revision": "A String", # The iteration of the package build from the above version.

1993

},

1994

"cpeUri": "A String", # Required. The CPE URI in [cpe format](https://cpe.mitre.org/specification/)

1995

# format. Examples include distro or storage location for vulnerable jar.

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

1996

},

1997

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

1998

],

1999

},

2000

"installation": { # Details of a package occurrence. # Describes the installation of a package on the linked resource.

2001

"installation": { # This represents how a particular software package may be installed on a # Required. Where the package was installed.

2002

# system.

2003

"location": [ # Required. All of the places within the filesystem versions of this package

2004

# have been found.

2005

{ # An occurrence of a particular package installation found within a system's

2006

# filesystem. E.g., glibc was found in `/var/lib/dpkg/status`.

2007

"version": { # Version contains structured information about the version of a package. # The version installed at this location.

2008

"name": "A String", # Required only when version kind is NORMAL. The main part of the version

2009

# name.

2010

"kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal

2011

# versions.

2012

"epoch": 42, # Used to correct mistakes in the version numbering scheme.

2013

"revision": "A String", # The iteration of the package build from the above version.

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

2014

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

2015

"path": "A String", # The path from which we gathered that this package/version is installed.

2016

"cpeUri": "A String", # Required. The CPE URI in [CPE format](https://cpe.mitre.org/specification/)

2017

# denoting the package manager version distributing a package.

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

2018

},

2019

],

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

2020

"name": "A String", # Output only. The name of the installed package.

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

2021

},

2022

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

2023

"build": { # Details of a build occurrence. # Describes a verifiable build.

2024

"provenanceBytes": "A String", # Serialized JSON representation of the provenance, used in generating the

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2025

# build signature in the corresponding build note. After verifying the

2026

# signature, `provenance_bytes` can be unmarshalled and compared to the

2027

# provenance to confirm that it is unchanged. A base64-encoded string

2028

# representation of the provenance bytes is used for the signature in order

2029

# to interoperate with openssl which expects this format for signature

2030

# verification.

2031

#

2032

# The serialized form is captured both to avoid ambiguity in how the

2033

# provenance is marshalled to json as well to prevent incompatibilities with

2034

# future changes.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

2035

"provenance": { # Provenance of a build. Contains all information needed to verify the full # Required. The actual provenance for the build.

2036

# details about the build from source to completion.

2037

"logsUri": "A String", # URI where any logs for this provenance were written.

2038

"creator": "A String", # E-mail address of the user who initiated this build. Note that this was the

2039

# user's e-mail address at the time the build was initiated; this address may

2040

# not represent the same end-user for all time.

2041

"builderVersion": "A String", # Version string of the builder at the time this build was executed.

2042

"commands": [ # Commands requested by the build.

2043

{ # Command describes a step performed as part of the build pipeline.

2044

"name": "A String", # Required. Name of the command, as presented on the command line, or if the

2045

# command is packaged as a Docker container, as presented to `docker pull`.

2046

"id": "A String", # Optional unique identifier for this command, used in wait_for to reference

2047

# this command as a dependency.

2048

"dir": "A String", # Working directory (relative to project source root) used when running this

2049

# command.

2050

"waitFor": [ # The ID(s) of the command(s) that this command depends on.

2051

"A String",

2052

],

2053

"env": [ # Environment variables set before running this command.

2054

"A String",

2055

],

2056

"args": [ # Command-line arguments used when executing this command.

2057

"A String",

2058

],

2059

},

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2060

],

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

2061

"builtArtifacts": [ # Output of the build.

2062

{ # Artifact describes a build product.

2063

"id": "A String", # Artifact ID, if any; for container images, this will be a URL by digest

2064

# like `gcr.io/projectID/imagename@sha256:123456`.

2065

"names": [ # Related artifact names. This may be the path to a binary or jar file, or in

2066

# the case of a container build, the name used to push the container image to

2067

# Google Container Registry, as presented to `docker push`. Note that a

2068

# single Artifact ID can have multiple names, for example if two tags are

2069

# applied to one image.

2070

"A String",

2071

],

2072

"checksum": "A String", # Hash or checksum value of a binary, or Docker Registry 2.0 digest of a

# container.

},

],

"id": "A String", # Required. Unique identifier of the build.

2077

"buildOptions": { # Special options applied to this build. This is a catch-all field where

2078

# build providers can enter any desired additional details.

2079

"a_key": "A String",

2080

},

2081

"endTime": "A String", # Time at which execution of the build was finished.

2082

"startTime": "A String", # Time at which execution of the build was started.

2083

"triggerId": "A String", # Trigger identifier if the build was triggered automatically; empty if not.

2084

"sourceProvenance": { # Source describes the location of the source used for the build. # Details of the Source input to the build.

2085

"artifactStorageSourceUri": "A String", # If provided, the input binary artifacts for the build came from this

2086

# location.

2087

"additionalContexts": [ # If provided, some of the source code used for the build may be found in

2088

# these locations, in the case where the source repository had multiple

2089

# remotes or submodules. This list will not include the context specified in

2090

# the context field.

2091

{ # A SourceContext is a reference to a tree of files. A SourceContext together

2092

# with a path point to a unique revision of a single file or directory.

2093

"cloudRepo": { # A CloudRepoSourceContext denotes a particular revision in a Google Cloud # A SourceContext referring to a revision in a Google Cloud Source Repo.

2094

# Source Repo.

2095

"revisionId": "A String", # A revision ID.

2096

"repoId": { # A unique identifier for a Cloud Repo. # The ID of the repo.

2097

"uid": "A String", # A server-assigned, globally unique identifier.

2098

"projectRepoId": { # Selects a repo using a Google Cloud Platform project ID (e.g., # A combination of a project ID and a repo name.

2099

# winged-cargo-31) and a repo name within that project.

2100

"projectId": "A String", # The ID of the project.

2101

"repoName": "A String", # The name of the repo. Leave empty for the default repo.

2102

},

2103

},

2104

"aliasContext": { # An alias to a repo revision. # An alias, which may be a branch or tag.

2105

"name": "A String", # The alias name.

2106

"kind": "A String", # The alias kind.

2107

},

2108

},

2109

"labels": { # Labels with user defined metadata.

2110

"a_key": "A String",

2111

},

2112

"git": { # A GitSourceContext denotes a particular revision in a third party Git # A SourceContext referring to any third party Git repo (e.g., GitHub).

2113

# repository (e.g., GitHub).

2114

"revisionId": "A String", # Git commit hash.

2115

"url": "A String", # Git repository URL.

2116

},

2117

"gerrit": { # A SourceContext referring to a Gerrit project. # A SourceContext referring to a Gerrit project.

2118

"gerritProject": "A String", # The full project name within the host. Projects may be nested, so

2119

# "project/subproject" is a valid project name. The "repo name" is the

2120

# hostURI/project.

2121

"aliasContext": { # An alias to a repo revision. # An alias, which may be a branch or tag.

2122

"name": "A String", # The alias name.

2123

"kind": "A String", # The alias kind.

2124

},

2125

"hostUri": "A String", # The URI of a running Gerrit instance.

2126

"revisionId": "A String", # A revision (commit) ID.

},

},

],

"fileHashes": { # Hash(es) of the build source, which can be used to verify that the original

2131

# source integrity was maintained in the build.

2132

#

2133

# The keys to this map are file paths used as build source and the values

2134

# contain the hash values for those files.

2135

#

2136

# If the build source came in a single package such as a gzipped tarfile

2137

# (.tar.gz), the FileHash will be for the single path to that file.

2138

"a_key": { # Container message for hashes of byte content of files, used in source

2139

# messages to verify integrity of source input to the build.

2140

"fileHash": [ # Required. Collection of file hashes.

2141

{ # Container message for hash values.

2142

"type": "A String", # Required. The type of hash that was performed.

2143

"value": "A String", # Required. The hash value.

2144

},

2145

],

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2146

},

2147

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

2148

"context": { # A SourceContext is a reference to a tree of files. A SourceContext together # If provided, the source code used for the build came from this location.

2149

# with a path point to a unique revision of a single file or directory.

2150

"cloudRepo": { # A CloudRepoSourceContext denotes a particular revision in a Google Cloud # A SourceContext referring to a revision in a Google Cloud Source Repo.

2151

# Source Repo.

2152

"revisionId": "A String", # A revision ID.

2153

"repoId": { # A unique identifier for a Cloud Repo. # The ID of the repo.

2154

"uid": "A String", # A server-assigned, globally unique identifier.

2155

"projectRepoId": { # Selects a repo using a Google Cloud Platform project ID (e.g., # A combination of a project ID and a repo name.

2156

# winged-cargo-31) and a repo name within that project.

2157

"projectId": "A String", # The ID of the project.

2158

"repoName": "A String", # The name of the repo. Leave empty for the default repo.

2159

},

2160

},

2161

"aliasContext": { # An alias to a repo revision. # An alias, which may be a branch or tag.

2162

"name": "A String", # The alias name.

2163

"kind": "A String", # The alias kind.

2164

},

2165

},

2166

"labels": { # Labels with user defined metadata.

2167

"a_key": "A String",

2168

},

2169

"git": { # A GitSourceContext denotes a particular revision in a third party Git # A SourceContext referring to any third party Git repo (e.g., GitHub).

2170

# repository (e.g., GitHub).

2171

"revisionId": "A String", # Git commit hash.

2172

"url": "A String", # Git repository URL.

2173

},

2174

"gerrit": { # A SourceContext referring to a Gerrit project. # A SourceContext referring to a Gerrit project.

2175

"gerritProject": "A String", # The full project name within the host. Projects may be nested, so

2176

# "project/subproject" is a valid project name. The "repo name" is the

2177

# hostURI/project.

2178

"aliasContext": { # An alias to a repo revision. # An alias, which may be a branch or tag.

2179

"name": "A String", # The alias name.

2180

"kind": "A String", # The alias kind.

2181

},

2182

"hostUri": "A String", # The URI of a running Gerrit instance.

2183

"revisionId": "A String", # A revision (commit) ID.

2184

},

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2185

},

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2186

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

2187

"createTime": "A String", # Time at which the build was created.

2188

"projectId": "A String", # ID of the project.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2189

},

2190

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

2191

"discovered": { # Details of a discovery occurrence. # Describes when a resource was discovered.

2192

"discovered": { # Provides information about the analysis status of a discovered resource. # Required. Analysis status for the discovered resource.

2193

"analysisStatusError": { # The `Status` type defines a logical error model that is suitable for # When an error is encountered this will contain a LocalizedMessage under

2194

# details to show to the user. The LocalizedMessage is output only and

2195

# populated by the API.

2196

# different programming environments, including REST APIs and RPC APIs. It is

2197

# used by [gRPC](https://github.com/grpc). Each `Status` message contains

2198

# three pieces of data: error code, error message, and error details.

2199

#

2200

# You can find out more about this error model and how to work with it in the

2201

# [API Design Guide](https://cloud.google.com/apis/design/errors).

2202

"code": 42, # The status code, which should be an enum value of google.rpc.Code.

2203

"message": "A String", # A developer-facing error message, which should be in English. Any

2204

# user-facing error message should be localized and sent in the

2205

# google.rpc.Status.details field, or localized by the client.

2206

"details": [ # A list of messages that carry the error details. There is a common set of

2207

# message types for APIs to use.

2208

{

2209

"a_key": "", # Properties of the object. Contains field @type with type URL.

},

],

},

"analysisStatus": "A String", # The status of discovery for the resource.

2214

"continuousAnalysis": "A String", # Whether the resource is continuously analyzed.

2215

"lastAnalysisTime": "A String", # The last time continuous analysis was done for this resource.

2216

# Deprecated, do not use.

2217

},

2218

},

2219

"noteName": "A String", # Required. Immutable. The analysis note associated with this occurrence, in

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2220

# the form of `projects/[PROVIDER_ID]/notes/[NOTE_ID]`. This field can be

2221

# used as a filter in list requests.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

2222

"deployment": { # Details of a deployment occurrence. # Describes the deployment of an artifact on a runtime.

2223

"deployment": { # The period during which some deployable was active in a runtime. # Required. Deployment history for the resource.

2224

"undeployTime": "A String", # End of the lifetime of this deployment.

2225

"platform": "A String", # Platform hosting this deployment.

2226

"deployTime": "A String", # Required. Beginning of the lifetime of this deployment.

2227

"address": "A String", # Address of the runtime element hosting this deployment.

2228

"resourceUri": [ # Output only. Resource URI for the artifact being deployed taken from

2229

# the deployable field with the same name.

2230

"A String",

2231

],

2232

"userEmail": "A String", # Identity of the user that triggered this deployment.

2233

"config": "A String", # Configuration used to create this deployment.

2234

},

2235

},

2236

"createTime": "A String", # Output only. The time this occurrence was created.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

}</pre>

</div>

<code class="details" id="delete">delete(name, x__xgafv=None)</code>

2242

<pre>Deletes the specified occurrence. For example, use this method to delete an

2243

occurrence when the occurrence is no longer applicable for the given

2244

resource.

2245

2246

Args:

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

2247

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2248

`projects/[PROJECT_ID]/occurrences/[OCCURRENCE_ID]`. (required)

2249

x__xgafv: string, V1 error format.

Allowed values

1 - v1 error format

2 - v2 error format

Returns:

An object of the form:

2256

2257

{ # A generic empty message that you can re-use to avoid defining duplicated

2258

# empty messages in your APIs. A typical example is to use it as the request

2259

# or the response type of an API method. For instance:

2260

#

2261

# service Foo {

2262

# rpc Bar(google.protobuf.Empty) returns (google.protobuf.Empty);

2263

# }

2264

#

2265

# The JSON representation for `Empty` is empty JSON object `{}`.

}</pre>

</div>

<code class="details" id="get">get(name, x__xgafv=None)</code>

2271

<pre>Gets the specified occurrence.

2272

2273

Args:

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

2274

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2275

`projects/[PROJECT_ID]/occurrences/[OCCURRENCE_ID]`. (required)

2276

x__xgafv: string, V1 error format.

Allowed values

1 - v1 error format

2 - v2 error format

Returns:

An object of the form:

2283

2284

{ # An instance of an analysis type that has been found on a resource.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

2285

"updateTime": "A String", # Output only. The time this occurrence was last updated.

2286

"remediation": "A String", # A description of actions that can be taken to remedy the note.

2287

"intoto": { # This corresponds to a signed in-toto link - it is made up of one or more # Describes a specific in-toto link.

2288

# signatures and the in-toto link itself. This is used for occurrences of a

2289

# Grafeas in-toto note.

2290

"signed": { # This corresponds to an in-toto link.

2291

"command": [ # This field contains the full command executed for the step. This can also

2292

# be empty if links are generated for operations that aren't directly mapped

2293

# to a specific command. Each term in the command is an independent string

2294

# in the list. An example of a command in the in-toto metadata field is:

2295

# "command": ["git", "clone", "https://github.com/in-toto/demo-project.git"]

2296

"A String",

2297

],

2298

"byproducts": { # Defines an object for the byproducts field in in-toto links. The suggested # ByProducts are data generated as part of a software supply chain step, but

2299

# are not the actual result of the step.

2300

# fields are "stderr", "stdout", and "return-value".

"customValues": {

"a_key": "A String",

},

},

"environment": { # Defines an object for the environment field in in-toto links. The suggested # This is a field that can be used to capture information about the

2306

# environment. It is suggested for this field to contain information that

2307

# details environment variables, filesystem information, and the present

2308

# working directory. The recommended structure of this field is:

2309

# "environment": {

2310

# "custom_values": {

2311

# "variables": "<ENV>",

2312

# "filesystem": "<FS>",

2313

# "workdir": "<CWD>",

2314

# "<ANY OTHER RELEVANT FIELDS>": "..."

2315

# }

2316

# }

2317

# fields are "variables", "filesystem", and "workdir".

"customValues": {

"a_key": "A String",

},

},

"materials": [ # Materials are the supply chain artifacts that go into the step and are used

2323

# for the operation performed. The key of the map is the path of the artifact

2324

# and the structure contains the recorded hash information. An example is:

2325

# "materials": [

2326

# {

2327

# "resource_uri": "foo/bar",

2328

# "hashes": {

2329

# "sha256": "ebebf...",

2330

# <OTHER HASH ALGORITHMS>: <HASH VALUE>

# }

# }

# ]

{

"hashes": { # Defines a hash object for use in Materials and Products.

2336

"sha256": "A String",

2337

},

2338

"resourceUri": "A String",

2339

},

2340

],

2341

"products": [ # Products are the supply chain artifacts generated as a result of the step.

2342

# The structure is identical to that of materials.

2343

{

2344

"hashes": { # Defines a hash object for use in Materials and Products.

2345

"sha256": "A String",

2346

},

2347

"resourceUri": "A String",

2348

},

2349

],

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2350

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

2351

"signatures": [

2352

{ # A signature object consists of the KeyID used and the signature itself.

2353

"sig": "A String",

2354

"keyid": "A String",

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2355

},

2356

],

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2357

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

2358

"derivedImage": { # Details of an image occurrence. # Describes how this resource derives from the basis in the associated

2359

# note.

2360

"derivedImage": { # Derived describes the derived image portion (Occurrence) of the DockerImage # Required. Immutable. The child image derived from the base image.

2361

# relationship. This image would be produced from a Dockerfile with FROM

2362

# <DockerImage.Basis in attached Note>.

2363

"fingerprint": { # A set of properties that uniquely identify a given Docker image. # Required. The fingerprint of the derived image.

2364

"v1Name": "A String", # Required. The layer ID of the final layer in the Docker image's v1

2365

# representation.

2366

"v2Name": "A String", # Output only. The name of the image's v2 blobs computed via:

2367

# [bottom] := v2_blobbottom := sha256(v2_blob[N] + " " + v2_name[N+1])

2368

# Only the name of the final blob is kept.

2369

"v2Blob": [ # Required. The ordered list of v2 blobs that represent a given image.

2370

"A String",

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2371

],

2372

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

2373

"layerInfo": [ # This contains layer-specific metadata, if populated it has length

2374

# "distance" and is ordered with [distance] being the layer immediately

2375

# following the base image and [1] being the final layer.

2376

{ # Layer holds metadata specific to a layer of a Docker image.

2377

"directive": "A String", # Required. The recovered Dockerfile directive used to construct this layer.

2378

"arguments": "A String", # The recovered arguments to the Dockerfile directive.

2379

},

2380

],

2381

"distance": 42, # Output only. The number of layers by which this image differs from the

2382

# associated image basis.

2383

"baseResourceUrl": "A String", # Output only. This contains the base image URL for the derived image

2384

# occurrence.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2385

},

2386

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

2387

"kind": "A String", # Output only. This explicitly denotes which of the occurrence details are

2388

# specified. This field can be used as a filter in list requests.

2389

"resource": { # An entity that can have metadata. For example, a Docker image. # Required. Immutable. The resource for which the occurrence applies.

2390

"name": "A String", # Deprecated, do not use. Use uri instead.

2391

#

2392

# The name of the resource. For example, the name of a Docker image -

2393

# "Debian".

2394

"contentHash": { # Container message for hash values. # Deprecated, do not use. Use uri instead.

2395

#

2396

# The hash of the resource content. For example, the Docker digest.

2397

"type": "A String", # Required. The type of hash that was performed.

2398

"value": "A String", # Required. The hash value.

2399

},

2400

"uri": "A String", # Required. The unique URI of the resource. For example,

2401

# `https://gcr.io/project/image@sha256:foo` for a Docker image.

2402

},

2403

"name": "A String", # Output only. The name of the occurrence in the form of

2404

# `projects/[PROJECT_ID]/occurrences/[OCCURRENCE_ID]`.

2405

"attestation": { # Details of an attestation occurrence. # Describes an attestation of an artifact.

2406

"attestation": { # Occurrence that represents a single "attestation". The authenticity of an # Required. Attestation for the resource.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2407

# attestation can be verified using the attached signature. If the verifier

2408

# trusts the public key of the signer, then verifying the signature is

2409

# sufficient to establish trust. In this circumstance, the authority to which

2410

# this attestation is attached is primarily useful for look-up (how to find

2411

# this attestation if you already know the authority and artifact to be

2412

# verified) and intent (which authority was this attestation intended to sign

2413

# for).

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

2414

"pgpSignedAttestation": { # An attestation wrapper with a PGP-compatible signature. This message only # A PGP signed attestation.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2415

# supports `ATTACHED` signatures, where the payload that is signed is included

2416

# alongside the signature itself in the same file.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

2417

"contentType": "A String", # Type (for example schema) of the attestation payload that was signed.

2418

# The verifier must ensure that the provided type is one that the verifier

2419

# supports, and that the attestation payload is a valid instantiation of that

2420

# type (for example by validating a JSON schema).

2421

"signature": "A String", # Required. The raw content of the signature, as output by GNU Privacy Guard

2422

# (GPG) or equivalent. Since this message only supports attached signatures,

2423

# the payload that was signed must be attached. While the signature format

2424

# supported is dependent on the verification implementation, currently only

2425

# ASCII-armored (`--armor` to gpg), non-clearsigned (`--sign` rather than

2426

# `--clearsign` to gpg) are supported. Concretely, `gpg --sign --armor

2427

# --output=signature.gpg payload.json` will create the signature content

2428

# expected in this field in `signature.gpg` for the `payload.json`

2429

# attestation payload.

2430

"pgpKeyId": "A String", # The cryptographic fingerprint of the key used to generate the signature,

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2431

# as output by, e.g. `gpg --list-keys`. This should be the version 4, full

2432

# 160-bit fingerprint, expressed as a 40 character hexidecimal string. See

2433

# https://tools.ietf.org/html/rfc4880#section-12.2 for details.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

2434

# Implementations may choose to acknowledge "LONG", "SHORT", or other

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2435

# abbreviated key IDs, but only the full fingerprint is guaranteed to work.

2436

# In gpg, the full fingerprint can be retrieved from the `fpr` field

2437

# returned when calling --list-keys with --with-colons. For example:

2438

# ```

2439

# gpg --with-colons --with-fingerprint --force-v4-certs \

2440

# --list-keys attester@example.com

2441

# tru::1:1513631572:0:3:1:5

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

2442

# pub:...<SNIP>...

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2443

# fpr:::::::::24FF6481B76AC91E66A00AC657A93A81EF3AE6FB:

2444

# ```

2445

# Above, the fingerprint is `24FF6481B76AC91E66A00AC657A93A81EF3AE6FB`.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2446

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

2447

"genericSignedAttestation": { # An attestation wrapper that uses the Grafeas `Signature` message.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2448

# This attestation must define the `serialized_payload` that the `signatures`

2449

# verify and any metadata necessary to interpret that plaintext. The

2450

# signatures should always be over the `serialized_payload` bytestring.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

2451

"signatures": [ # One or more signatures over `serialized_payload`. Verifier implementations

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2452

# should consider this attestation message verified if at least one

2453

# `signature` verifies `serialized_payload`. See `Signature` in common.proto

2454

# for more details on signature structure and verification.

2455

{ # Verifiers (e.g. Kritis implementations) MUST verify signatures

2456

# with respect to the trust anchors defined in policy (e.g. a Kritis policy).

2457

# Typically this means that the verifier has been configured with a map from

2458

# `public_key_id` to public key material (and any required parameters, e.g.

2459

# signing algorithm).

2460

#

2461

# In particular, verification implementations MUST NOT treat the signature

2462

# `public_key_id` as anything more than a key lookup hint. The `public_key_id`

2463

# DOES NOT validate or authenticate a public key; it only provides a mechanism

2464

# for quickly selecting a public key ALREADY CONFIGURED on the verifier through

2465

# a trusted channel. Verification implementations MUST reject signatures in any

2466

# of the following circumstances:

2467

# * The `public_key_id` is not recognized by the verifier.

2468

# * The public key that `public_key_id` refers to does not verify the

2469

# signature with respect to the payload.

2470

#

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

2471

# The `signature` contents SHOULD NOT be "attached" (where the payload is

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2472

# included with the serialized `signature` bytes). Verifiers MUST ignore any

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

2473

# "attached" payload and only verify signatures with respect to explicitly

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2474

# provided payload (e.g. a `payload` field on the proto message that holds

2475

# this Signature, or the canonical serialization of the proto message that

2476

# holds this signature).

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

2477

"publicKeyId": "A String", # The identifier for the public key that verifies this signature.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2478

# * The `public_key_id` is required.

2479

# * The `public_key_id` MUST be an RFC3986 conformant URI.

2480

# * When possible, the `public_key_id` SHOULD be an immutable reference,

2481

# such as a cryptographic digest.

2482

#

2483

# Examples of valid `public_key_id`s:

2484

#

2485

# OpenPGP V4 public key fingerprint:

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

2486

# * "openpgp4fpr:74FAF3B861BDA0870C7B6DEF607E48D2A663AEEA"

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2487

# See https://www.iana.org/assignments/uri-schemes/prov/openpgp4fpr for more

2488

# details on this scheme.

2489

#

2490

# RFC6920 digest-named SubjectPublicKeyInfo (digest of the DER

2491

# serialization):

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

2492

# * "ni:///sha-256;cD9o9Cq6LG3jD0iKXqEi_vdjJGecm_iXkbqVoScViaU"

2493

# * "nih:///sha-256;703f68f42aba2c6de30f488a5ea122fef76324679c9bf89791ba95a1271589a5"

2494

"signature": "A String", # The content of the signature, an opaque bytestring.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2495

# The payload that this signature verifies MUST be unambiguously provided

2496

# with the Signature during verification. A wrapper message might provide

2497

# the payload explicitly. Alternatively, a message might have a canonical

2498

# serialization that can always be unambiguously computed to derive the

2499

# payload.

2500

},

2501

],

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

2502

"serializedPayload": "A String", # The serialized payload that is verified by one or more `signatures`.

2503

# The encoding and semantic meaning of this payload must match what is set in

2504

# `content_type`.

2505

"contentType": "A String", # Type (for example schema) of the attestation payload that was signed.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2506

# The verifier must ensure that the provided type is one that the verifier

2507

# supports, and that the attestation payload is a valid instantiation of that

2508

# type (for example by validating a JSON schema).

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2509

},

2510

},

2511

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

2512

"vulnerability": { # Details of a vulnerability Occurrence. # Describes a security vulnerability.

2513

"longDescription": "A String", # Output only. A detailed description of this vulnerability.

2514

"shortDescription": "A String", # Output only. A one sentence description of this vulnerability.

2515

"effectiveSeverity": "A String", # The distro assigned severity for this vulnerability when it is

2516

# available, and note provider assigned severity when distro has not yet

2517

# assigned a severity for this vulnerability.

2518

"severity": "A String", # Output only. The note provider assigned Severity of the vulnerability.

2519

"cvssScore": 3.14, # Output only. The CVSS score of this vulnerability. CVSS score is on a

2520

# scale of 0-10 where 0 indicates low severity and 10 indicates high

2521

# severity.

2522

"relatedUrls": [ # Output only. URLs related to this vulnerability.

2523

{ # Metadata for any related URL information.

2524

"url": "A String", # Specific URL associated with the resource.

2525

"label": "A String", # Label to describe usage of the URL.

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

2526

},

2527

],

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

2528

"type": "A String", # The type of package; whether native or non native(ruby gems, node.js

2529

# packages etc)

2530

"packageIssue": [ # Required. The set of affected locations and their fixes (if available)

2531

# within the associated resource.

2532

{ # This message wraps a location affected by a vulnerability and its

2533

# associated fix (if one is available).

2534

"fixedLocation": { # The location of the vulnerability. # The location of the available fix for vulnerability.

2535

"package": "A String", # Required. The package being described.

2536

"version": { # Version contains structured information about the version of a package. # Required. The version of the package being described.

2537

"name": "A String", # Required only when version kind is NORMAL. The main part of the version

2538

# name.

2539

"kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal

2540

# versions.

2541

"epoch": 42, # Used to correct mistakes in the version numbering scheme.

2542

"revision": "A String", # The iteration of the package build from the above version.

2543

},

2544

"cpeUri": "A String", # Required. The CPE URI in [cpe format](https://cpe.mitre.org/specification/)

2545

# format. Examples include distro or storage location for vulnerable jar.

2546

},

2547

"severityName": "A String", # Deprecated, use Details.effective_severity instead

2548

# The severity (e.g., distro assigned severity) for this vulnerability.

2549

"affectedLocation": { # The location of the vulnerability. # Required. The location of the vulnerability.

2550

"package": "A String", # Required. The package being described.

2551

"version": { # Version contains structured information about the version of a package. # Required. The version of the package being described.

2552

"name": "A String", # Required only when version kind is NORMAL. The main part of the version

2553

# name.

2554

"kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal

2555

# versions.

2556

"epoch": 42, # Used to correct mistakes in the version numbering scheme.

2557

"revision": "A String", # The iteration of the package build from the above version.

2558

},

2559

"cpeUri": "A String", # Required. The CPE URI in [cpe format](https://cpe.mitre.org/specification/)

2560

# format. Examples include distro or storage location for vulnerable jar.

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

2561

},

2562

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

2563

],

2564

},

2565

"installation": { # Details of a package occurrence. # Describes the installation of a package on the linked resource.

2566

"installation": { # This represents how a particular software package may be installed on a # Required. Where the package was installed.

2567

# system.

2568

"location": [ # Required. All of the places within the filesystem versions of this package

2569

# have been found.

2570

{ # An occurrence of a particular package installation found within a system's

2571

# filesystem. E.g., glibc was found in `/var/lib/dpkg/status`.

2572

"version": { # Version contains structured information about the version of a package. # The version installed at this location.

2573

"name": "A String", # Required only when version kind is NORMAL. The main part of the version

2574

# name.

2575

"kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal

2576

# versions.

2577

"epoch": 42, # Used to correct mistakes in the version numbering scheme.

2578

"revision": "A String", # The iteration of the package build from the above version.

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

2579

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

2580

"path": "A String", # The path from which we gathered that this package/version is installed.

2581

"cpeUri": "A String", # Required. The CPE URI in [CPE format](https://cpe.mitre.org/specification/)

2582

# denoting the package manager version distributing a package.

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

2583

},

2584

],

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

2585

"name": "A String", # Output only. The name of the installed package.

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

2586

},

2587

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

2588

"build": { # Details of a build occurrence. # Describes a verifiable build.

2589

"provenanceBytes": "A String", # Serialized JSON representation of the provenance, used in generating the

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2590

# build signature in the corresponding build note. After verifying the

2591

# signature, `provenance_bytes` can be unmarshalled and compared to the

2592

# provenance to confirm that it is unchanged. A base64-encoded string

2593

# representation of the provenance bytes is used for the signature in order

2594

# to interoperate with openssl which expects this format for signature

2595

# verification.

2596

#

2597

# The serialized form is captured both to avoid ambiguity in how the

2598

# provenance is marshalled to json as well to prevent incompatibilities with

2599

# future changes.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

2600

"provenance": { # Provenance of a build. Contains all information needed to verify the full # Required. The actual provenance for the build.

2601

# details about the build from source to completion.

2602

"logsUri": "A String", # URI where any logs for this provenance were written.

2603

"creator": "A String", # E-mail address of the user who initiated this build. Note that this was the

2604

# user's e-mail address at the time the build was initiated; this address may

2605

# not represent the same end-user for all time.

2606

"builderVersion": "A String", # Version string of the builder at the time this build was executed.

2607

"commands": [ # Commands requested by the build.

2608

{ # Command describes a step performed as part of the build pipeline.

2609

"name": "A String", # Required. Name of the command, as presented on the command line, or if the

2610

# command is packaged as a Docker container, as presented to `docker pull`.

2611

"id": "A String", # Optional unique identifier for this command, used in wait_for to reference

2612

# this command as a dependency.

2613

"dir": "A String", # Working directory (relative to project source root) used when running this

2614

# command.

2615

"waitFor": [ # The ID(s) of the command(s) that this command depends on.

2616

"A String",

2617

],

2618

"env": [ # Environment variables set before running this command.

2619

"A String",

2620

],

2621

"args": [ # Command-line arguments used when executing this command.

2622

"A String",

2623

],

2624

},

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2625

],

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

2626

"builtArtifacts": [ # Output of the build.

2627

{ # Artifact describes a build product.

2628

"id": "A String", # Artifact ID, if any; for container images, this will be a URL by digest

2629

# like `gcr.io/projectID/imagename@sha256:123456`.

2630

"names": [ # Related artifact names. This may be the path to a binary or jar file, or in

2631

# the case of a container build, the name used to push the container image to

2632

# Google Container Registry, as presented to `docker push`. Note that a

2633

# single Artifact ID can have multiple names, for example if two tags are

2634

# applied to one image.

2635

"A String",

2636

],

2637

"checksum": "A String", # Hash or checksum value of a binary, or Docker Registry 2.0 digest of a

# container.

},

],

"id": "A String", # Required. Unique identifier of the build.

2642

"buildOptions": { # Special options applied to this build. This is a catch-all field where

2643

# build providers can enter any desired additional details.

2644

"a_key": "A String",

2645

},

2646

"endTime": "A String", # Time at which execution of the build was finished.

2647

"startTime": "A String", # Time at which execution of the build was started.

2648

"triggerId": "A String", # Trigger identifier if the build was triggered automatically; empty if not.

2649

"sourceProvenance": { # Source describes the location of the source used for the build. # Details of the Source input to the build.

2650

"artifactStorageSourceUri": "A String", # If provided, the input binary artifacts for the build came from this

2651

# location.

2652

"additionalContexts": [ # If provided, some of the source code used for the build may be found in

2653

# these locations, in the case where the source repository had multiple

2654

# remotes or submodules. This list will not include the context specified in

2655

# the context field.

2656

{ # A SourceContext is a reference to a tree of files. A SourceContext together

2657

# with a path point to a unique revision of a single file or directory.

2658

"cloudRepo": { # A CloudRepoSourceContext denotes a particular revision in a Google Cloud # A SourceContext referring to a revision in a Google Cloud Source Repo.

2659

# Source Repo.

2660

"revisionId": "A String", # A revision ID.

2661

"repoId": { # A unique identifier for a Cloud Repo. # The ID of the repo.

2662

"uid": "A String", # A server-assigned, globally unique identifier.

2663

"projectRepoId": { # Selects a repo using a Google Cloud Platform project ID (e.g., # A combination of a project ID and a repo name.

2664

# winged-cargo-31) and a repo name within that project.

2665

"projectId": "A String", # The ID of the project.

2666

"repoName": "A String", # The name of the repo. Leave empty for the default repo.

2667

},

2668

},

2669

"aliasContext": { # An alias to a repo revision. # An alias, which may be a branch or tag.

2670

"name": "A String", # The alias name.

2671

"kind": "A String", # The alias kind.

2672

},

2673

},

2674

"labels": { # Labels with user defined metadata.

2675

"a_key": "A String",

2676

},

2677

"git": { # A GitSourceContext denotes a particular revision in a third party Git # A SourceContext referring to any third party Git repo (e.g., GitHub).

2678

# repository (e.g., GitHub).

2679

"revisionId": "A String", # Git commit hash.

2680

"url": "A String", # Git repository URL.

2681

},

2682

"gerrit": { # A SourceContext referring to a Gerrit project. # A SourceContext referring to a Gerrit project.

2683

"gerritProject": "A String", # The full project name within the host. Projects may be nested, so

2684

# "project/subproject" is a valid project name. The "repo name" is the

2685

# hostURI/project.

2686

"aliasContext": { # An alias to a repo revision. # An alias, which may be a branch or tag.

2687

"name": "A String", # The alias name.

2688

"kind": "A String", # The alias kind.

2689

},

2690

"hostUri": "A String", # The URI of a running Gerrit instance.

2691

"revisionId": "A String", # A revision (commit) ID.

},

},

],

"fileHashes": { # Hash(es) of the build source, which can be used to verify that the original

2696

# source integrity was maintained in the build.

2697

#

2698

# The keys to this map are file paths used as build source and the values

2699

# contain the hash values for those files.

2700

#

2701

# If the build source came in a single package such as a gzipped tarfile

2702

# (.tar.gz), the FileHash will be for the single path to that file.

2703

"a_key": { # Container message for hashes of byte content of files, used in source

2704

# messages to verify integrity of source input to the build.

2705

"fileHash": [ # Required. Collection of file hashes.

2706

{ # Container message for hash values.

2707

"type": "A String", # Required. The type of hash that was performed.

2708

"value": "A String", # Required. The hash value.

2709

},

2710

],

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2711

},

2712

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

2713

"context": { # A SourceContext is a reference to a tree of files. A SourceContext together # If provided, the source code used for the build came from this location.

2714

# with a path point to a unique revision of a single file or directory.

2715

"cloudRepo": { # A CloudRepoSourceContext denotes a particular revision in a Google Cloud # A SourceContext referring to a revision in a Google Cloud Source Repo.

2716

# Source Repo.

2717

"revisionId": "A String", # A revision ID.

2718

"repoId": { # A unique identifier for a Cloud Repo. # The ID of the repo.

2719

"uid": "A String", # A server-assigned, globally unique identifier.

2720

"projectRepoId": { # Selects a repo using a Google Cloud Platform project ID (e.g., # A combination of a project ID and a repo name.

2721

# winged-cargo-31) and a repo name within that project.

2722

"projectId": "A String", # The ID of the project.

2723

"repoName": "A String", # The name of the repo. Leave empty for the default repo.

2724

},

2725

},

2726

"aliasContext": { # An alias to a repo revision. # An alias, which may be a branch or tag.

2727

"name": "A String", # The alias name.

2728

"kind": "A String", # The alias kind.

2729

},

2730

},

2731

"labels": { # Labels with user defined metadata.

2732

"a_key": "A String",

2733

},

2734

"git": { # A GitSourceContext denotes a particular revision in a third party Git # A SourceContext referring to any third party Git repo (e.g., GitHub).

2735

# repository (e.g., GitHub).

2736

"revisionId": "A String", # Git commit hash.

2737

"url": "A String", # Git repository URL.

2738

},

2739

"gerrit": { # A SourceContext referring to a Gerrit project. # A SourceContext referring to a Gerrit project.

2740

"gerritProject": "A String", # The full project name within the host. Projects may be nested, so

2741

# "project/subproject" is a valid project name. The "repo name" is the

2742

# hostURI/project.

2743

"aliasContext": { # An alias to a repo revision. # An alias, which may be a branch or tag.

2744

"name": "A String", # The alias name.

2745

"kind": "A String", # The alias kind.

2746

},

2747

"hostUri": "A String", # The URI of a running Gerrit instance.

2748

"revisionId": "A String", # A revision (commit) ID.

2749

},

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2750

},

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2751

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

2752

"createTime": "A String", # Time at which the build was created.

2753

"projectId": "A String", # ID of the project.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2754

},

2755

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

2756

"discovered": { # Details of a discovery occurrence. # Describes when a resource was discovered.

2757

"discovered": { # Provides information about the analysis status of a discovered resource. # Required. Analysis status for the discovered resource.

2758

"analysisStatusError": { # The `Status` type defines a logical error model that is suitable for # When an error is encountered this will contain a LocalizedMessage under

2759

# details to show to the user. The LocalizedMessage is output only and

2760

# populated by the API.

2761

# different programming environments, including REST APIs and RPC APIs. It is

2762

# used by [gRPC](https://github.com/grpc). Each `Status` message contains

2763

# three pieces of data: error code, error message, and error details.

2764

#

2765

# You can find out more about this error model and how to work with it in the

2766

# [API Design Guide](https://cloud.google.com/apis/design/errors).

2767

"code": 42, # The status code, which should be an enum value of google.rpc.Code.

2768

"message": "A String", # A developer-facing error message, which should be in English. Any

2769

# user-facing error message should be localized and sent in the

2770

# google.rpc.Status.details field, or localized by the client.

2771

"details": [ # A list of messages that carry the error details. There is a common set of

2772

# message types for APIs to use.

2773

{

2774

"a_key": "", # Properties of the object. Contains field @type with type URL.

},

],

},

"analysisStatus": "A String", # The status of discovery for the resource.

2779

"continuousAnalysis": "A String", # Whether the resource is continuously analyzed.

2780

"lastAnalysisTime": "A String", # The last time continuous analysis was done for this resource.

2781

# Deprecated, do not use.

2782

},

2783

},

2784

"noteName": "A String", # Required. Immutable. The analysis note associated with this occurrence, in

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2785

# the form of `projects/[PROVIDER_ID]/notes/[NOTE_ID]`. This field can be

2786

# used as a filter in list requests.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

2787

"deployment": { # Details of a deployment occurrence. # Describes the deployment of an artifact on a runtime.

2788

"deployment": { # The period during which some deployable was active in a runtime. # Required. Deployment history for the resource.

2789

"undeployTime": "A String", # End of the lifetime of this deployment.

2790

"platform": "A String", # Platform hosting this deployment.

2791

"deployTime": "A String", # Required. Beginning of the lifetime of this deployment.

2792

"address": "A String", # Address of the runtime element hosting this deployment.

2793

"resourceUri": [ # Output only. Resource URI for the artifact being deployed taken from

2794

# the deployable field with the same name.

2795

"A String",

2796

],

2797

"userEmail": "A String", # Identity of the user that triggered this deployment.

2798

"config": "A String", # Configuration used to create this deployment.

2799

},

2800

},

2801

"createTime": "A String", # Output only. The time this occurrence was created.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

}</pre>

</div>

<code class="details" id="getIamPolicy">getIamPolicy(resource, body=None, x__xgafv=None)</code>

2807

<pre>Gets the access control policy for a note or an occurrence resource.

2808

Requires `containeranalysis.notes.setIamPolicy` or

2809

`containeranalysis.occurrences.setIamPolicy` permission if the resource is

2810

a note or occurrence, respectively.

2811

2812

The resource takes the format `projects/[PROJECT_ID]/notes/[NOTE_ID]` for

2813

notes and `projects/[PROJECT_ID]/occurrences/[OCCURRENCE_ID]` for

occurrences.

Args:

resource: string, REQUIRED: The resource for which the policy is being requested.

2818

See the operation documentation for the appropriate value for this field. (required)

2819

body: object, The request body.

2820

The object takes the form of:

2821

2822

{ # Request message for `GetIamPolicy` method.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

2823

"options": { # Encapsulates settings provided to GetIamPolicy. # OPTIONAL: A `GetPolicyOptions` object for specifying options to

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

2824

# `GetIamPolicy`.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

2825

"requestedPolicyVersion": 42, # Optional. The policy format version to be returned.

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

2826

#

2827

# Valid values are 0, 1, and 3. Requests specifying an invalid value will be

2828

# rejected.

2829

#

2830

# Requests for policies with any conditional bindings must specify version 3.

2831

# Policies without any conditional bindings may specify any valid value or

2832

# leave the field unset.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

2833

#

2834

# To learn which resources support conditions in their IAM policies, see the

2835

# [IAM

2836

# documentation](https://cloud.google.com/iam/help/conditions/resource-policies).

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

2837

},

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2838

}

2839

2840

x__xgafv: string, V1 error format.

Allowed values

1 - v1 error format

2 - v2 error format

Returns:

An object of the form:

2847

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

2848

{ # An Identity and Access Management (IAM) policy, which specifies access

2849

# controls for Google Cloud resources.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2850

#

2851

#

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

2852

# A `Policy` is a collection of `bindings`. A `binding` binds one or more

2853

# `members` to a single `role`. Members can be user accounts, service accounts,

2854

# Google groups, and domains (such as G Suite). A `role` is a named list of

2855

# permissions; each `role` can be an IAM predefined role or a user-created

2856

# custom role.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2857

#

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

2858

# For some types of Google Cloud resources, a `binding` can also specify a

2859

# `condition`, which is a logical expression that allows access to a resource

2860

# only if the expression evaluates to `true`. A condition can add constraints

2861

# based on attributes of the request, the resource, or both. To learn which

2862

# resources support conditions in their IAM policies, see the

2863

# [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies).

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

2864

#

2865

# **JSON example:**

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2866

#

2867

# {

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

2868

# "bindings": [

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2869

# {

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

2870

# "role": "roles/resourcemanager.organizationAdmin",

2871

# "members": [

2872

# "user:mike@example.com",

2873

# "group:admins@example.com",

2874

# "domain:google.com",

2875

# "serviceAccount:my-project-id@appspot.gserviceaccount.com"

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2876

# ]

2877

# },

2878

# {

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

2879

# "role": "roles/resourcemanager.organizationViewer",

2880

# "members": [

2881

# "user:eve@example.com"

2882

# ],

2883

# "condition": {

2884

# "title": "expirable access",

2885

# "description": "Does not grant access after Sep 2020",

2886

# "expression": "request.time < timestamp('2020-10-01T00:00:00.000Z')",

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

2887

# }

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2888

# }

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

2889

# ],

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

2890

# "etag": "BwWWja0YfJA=",

2891

# "version": 3

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2892

# }

2893

#

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

2894

# **YAML example:**

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

#

# bindings:

# - members:

# - user:mike@example.com

2899

# - group:admins@example.com

2900

# - domain:google.com

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

2901

# - serviceAccount:my-project-id@appspot.gserviceaccount.com

2902

# role: roles/resourcemanager.organizationAdmin

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2903

# - members:

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

2904

# - user:eve@example.com

2905

# role: roles/resourcemanager.organizationViewer

2906

# condition:

2907

# title: expirable access

2908

# description: Does not grant access after Sep 2020

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

2909

# expression: request.time < timestamp('2020-10-01T00:00:00.000Z')

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

2910

# - etag: BwWWja0YfJA=

2911

# - version: 3

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2912

#

2913

# For a description of IAM and its features, see the

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

2914

# [IAM documentation](https://cloud.google.com/iam/docs/).

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

2915

"version": 42, # Specifies the format of the policy.

2916

#

2917

# Valid values are `0`, `1`, and `3`. Requests that specify an invalid value

2918

# are rejected.

2919

#

2920

# Any operation that affects conditional role bindings must specify version

2921

# `3`. This requirement applies to the following operations:

2922

#

2923

# * Getting a policy that includes a conditional role binding

2924

# * Adding a conditional role binding to a policy

2925

# * Changing a conditional role binding in a policy

2926

# * Removing any role binding, with or without a condition, from a policy

2927

# that includes conditions

2928

#

2929

# **Important:** If you use IAM Conditions, you must include the `etag` field

2930

# whenever you call `setIamPolicy`. If you omit this field, then IAM allows

2931

# you to overwrite a version `3` policy with a version `1` policy, and all of

2932

# the conditions in the version `3` policy are lost.

2933

#

2934

# If a policy does not include any conditions, operations on that policy may

2935

# specify any valid version or leave the field unset.

2936

#

2937

# To learn which resources support conditions in their IAM policies, see the

2938

# [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies).

2939

"bindings": [ # Associates a list of `members` to a `role`. Optionally, may specify a

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

2940

# `condition` that determines how and when the `bindings` are applied. Each

2941

# of the `bindings` must contain at least one member.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2942

{ # Associates `members` with a `role`.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

2943

"members": [ # Specifies the identities requesting access for a Cloud Platform resource.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2944

# `members` can have the following values:

2945

#

2946

# * `allUsers`: A special identifier that represents anyone who is

2947

# on the internet; with or without a Google account.

2948

#

2949

# * `allAuthenticatedUsers`: A special identifier that represents anyone

2950

# who is authenticated with a Google account or a service account.

2951

#

2952

# * `user:{emailid}`: An email address that represents a specific Google

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

2953

# account. For example, `alice@example.com` .

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2954

#

2955

#

2956

# * `serviceAccount:{emailid}`: An email address that represents a service

2957

# account. For example, `my-other-app@appspot.gserviceaccount.com`.

2958

#

2959

# * `group:{emailid}`: An email address that represents a Google group.

2960

# For example, `admins@example.com`.

2961

#

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

2962

# * `deleted:user:{emailid}?uid={uniqueid}`: An email address (plus unique

2963

# identifier) representing a user that has been recently deleted. For

2964

# example, `alice@example.com?uid=123456789012345678901`. If the user is

2965

# recovered, this value reverts to `user:{emailid}` and the recovered user

2966

# retains the role in the binding.

2967

#

2968

# * `deleted:serviceAccount:{emailid}?uid={uniqueid}`: An email address (plus

2969

# unique identifier) representing a service account that has been recently

2970

# deleted. For example,

2971

# `my-other-app@appspot.gserviceaccount.com?uid=123456789012345678901`.

2972

# If the service account is undeleted, this value reverts to

2973

# `serviceAccount:{emailid}` and the undeleted service account retains the

2974

# role in the binding.

2975

#

2976

# * `deleted:group:{emailid}?uid={uniqueid}`: An email address (plus unique

2977

# identifier) representing a Google group that has been recently

2978

# deleted. For example, `admins@example.com?uid=123456789012345678901`. If

2979

# the group is recovered, this value reverts to `group:{emailid}` and the

2980

# recovered group retains the role in the binding.

2981

#

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2982

#

2983

# * `domain:{domain}`: The G Suite domain (primary) that represents all the

2984

# users of that domain. For example, `google.com` or `example.com`.

2985

#

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

2986

"A String",

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2987

],

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

2988

"role": "A String", # Role that is assigned to `members`.

2989

# For example, `roles/viewer`, `roles/editor`, or `roles/owner`.

2990

"condition": { # Represents a textual expression in the Common Expression Language (CEL) # The condition that is associated with this binding.

2991

#

2992

# If the condition evaluates to `true`, then this binding applies to the

2993

# current request.

2994

#

2995

# If the condition evaluates to `false`, then this binding does not apply to

2996

# the current request. However, a different role binding might grant the same

2997

# role to one or more of the members in this binding.

2998

#

2999

# To learn which resources support conditions in their IAM policies, see the

3000

# [IAM

3001

# documentation](https://cloud.google.com/iam/help/conditions/resource-policies).

3002

# syntax. CEL is a C-like expression language. The syntax and semantics of CEL

3003

# are documented at https://github.com/google/cel-spec.

3004

#

3005

# Example (Comparison):

3006

#

3007

# title: "Summary size limit"

3008

# description: "Determines if a summary is less than 100 chars"

3009

# expression: "document.summary.size() < 100"

3010

#

3011

# Example (Equality):

3012

#

3013

# title: "Requestor is owner"

3014

# description: "Determines if requestor is the document owner"

3015

# expression: "document.owner == request.auth.claims.email"

#

# Example (Logic):

#

# title: "Public documents"

3020

# description: "Determine whether the document should be publicly visible"

3021

# expression: "document.type != 'private' && document.type != 'internal'"

3022

#

3023

# Example (Data Manipulation):

3024

#

3025

# title: "Notification string"

3026

# description: "Create a notification string with a timestamp."

3027

# expression: "'New message received at ' + string(document.create_time)"

3028

#

3029

# The exact variables and functions that may be referenced within an expression

3030

# are determined by the service that evaluates it. See the service

3031

# documentation for additional information.

3032

"title": "A String", # Optional. Title for the expression, i.e. a short string describing

3033

# its purpose. This can be used e.g. in UIs which allow to enter the

3034

# expression.

3035

"location": "A String", # Optional. String indicating the location of the expression for error

3036

# reporting, e.g. a file name and a position in the file.

3037

"description": "A String", # Optional. Description of the expression. This is a longer text which

3038

# describes the expression, e.g. when hovered over it in a UI.

3039

"expression": "A String", # Textual representation of an expression in Common Expression Language

3040

# syntax.

3041

},

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

3042

},

3043

],

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

3044

"etag": "A String", # `etag` is used for optimistic concurrency control as a way to help

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

3045

# prevent simultaneous updates of a policy from overwriting each other.

3046

# It is strongly suggested that systems make use of the `etag` in the

3047

# read-modify-write cycle to perform policy updates in order to avoid race

3048

# conditions: An `etag` is returned in the response to `getIamPolicy`, and

3049

# systems are expected to put that etag in the request to `setIamPolicy` to

3050

# ensure that their change will be applied to the same version of the policy.

3051

#

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

3052

# **Important:** If you use IAM Conditions, you must include the `etag` field

3053

# whenever you call `setIamPolicy`. If you omit this field, then IAM allows

3054

# you to overwrite a version `3` policy with a version `1` policy, and all of

3055

# the conditions in the version `3` policy are lost.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

}</pre>

</div>

<code class="details" id="getNotes">getNotes(name, x__xgafv=None)</code>

3061

<pre>Gets the note attached to the specified occurrence. Consumer projects can

3062

use this method to get a note that belongs to a provider project.

3063

3064

Args:

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

3065

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

3066

`projects/[PROJECT_ID]/occurrences/[OCCURRENCE_ID]`. (required)

3067

x__xgafv: string, V1 error format.

Allowed values

1 - v1 error format

2 - v2 error format

Returns:

An object of the form:

3074

3075

{ # A type of analysis that can be done for a resource.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

3076

"package": { # This represents a particular package that is distributed over various # A note describing a package hosted by various package managers.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

3077

# channels. E.g., glibc (aka libc6) is distributed by many, at various

3078

# versions.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

3079

"name": "A String", # Required. Immutable. The name of the package.

3080

"distribution": [ # The various channels by which a package is distributed.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

3081

{ # This represents a particular channel of distribution for a given package.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

3082

# E.g., Debian's jessie-backports dpkg mirror.

3083

"latestVersion": { # Version contains structured information about the version of a package. # The latest available version of this package in this distribution channel.

3084

"name": "A String", # Required only when version kind is NORMAL. The main part of the version

3085

# name.

3086

"kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal

3087

# versions.

3088

"epoch": 42, # Used to correct mistakes in the version numbering scheme.

3089

"revision": "A String", # The iteration of the package build from the above version.

3090

},

3091

"description": "A String", # The distribution channel-specific description of this package.

3092

"cpeUri": "A String", # Required. The cpe_uri in [CPE format](https://cpe.mitre.org/specification/)

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

3093

# denoting the package manager version distributing a package.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

3094

"url": "A String", # The distribution channel-specific homepage for this package.

3095

"architecture": "A String", # The CPU architecture for which packages in this distribution channel were

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

3096

# built.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

3097

"maintainer": "A String", # A freeform string denoting the maintainer of this package.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

3098

},

3099

],

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

3100

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

3101

"createTime": "A String", # Output only. The time this note was created. This field can be used as a

3102

# filter in list requests.

3103

"updateTime": "A String", # Output only. The time this note was last updated. This field can be used as

3104

# a filter in list requests.

3105

"discovery": { # A note that indicates a type of analysis a provider would perform. This note # A note describing the initial analysis of a resource.

3106

# exists in a provider's project. A `Discovery` occurrence is created in a

3107

# consumer's project at the start of analysis.

3108

"analysisKind": "A String", # Required. Immutable. The kind of analysis that is handled by this

3109

# discovery.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

3110

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

3111

"relatedUrl": [ # URLs associated with this note.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

3112

{ # Metadata for any related URL information.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

3113

"url": "A String", # Specific URL associated with the resource.

3114

"label": "A String", # Label to describe usage of the URL.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

3115

},

3116

],

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

3117

"intoto": { # This contains the fields corresponding to the definition of a software supply # A note describing an in-toto link.

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

3118

# chain step in an in-toto layout. This information goes into a Grafeas note.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

3119

"expectedMaterials": [ # The following fields contain in-toto artifact rules identifying the

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

3120

# artifacts that enter this supply chain step, and exit the supply chain

3121

# step, i.e. materials and products of the step.

3122

{ # Defines an object to declare an in-toto artifact rule

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

3123

"artifactRule": [

3124

"A String",

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

3125

],

3126

},

3127

],

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

3128

"expectedCommand": [ # This field contains the expected command used to perform the step.

3129

"A String",

3130

],

3131

"expectedProducts": [

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

3132

{ # Defines an object to declare an in-toto artifact rule

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

3133

"artifactRule": [

3134

"A String",

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

3135

],

3136

},

3137

],

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

3138

"stepName": "A String", # This field identifies the name of the step in the supply chain.

3139

"signingKeys": [ # This field contains the public keys that can be used to verify the

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

3140

# signatures on the step metadata.

3141

{ # This defines the format used to record keys used in the software supply

3142

# chain. An in-toto link is attested using one or more keys defined in the

3143

# in-toto layout. An example of this is:

3144

# {

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

3145

# "key_id": "776a00e29f3559e0141b3b096f696abc6cfb0c657ab40f441132b345b0...",

3146

# "key_type": "rsa",

3147

# "public_key_value": "-----BEGIN PUBLIC KEY-----\nMIIBojANBgkqhkiG9w0B...",

3148

# "key_scheme": "rsassa-pss-sha256"

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

3149

# }

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

3150

# The format for in-toto's key definition can be found in section 4.2 of the

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

3151

# in-toto specification.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

3152

"keyType": "A String", # This field identifies the specific signing method. Eg: "rsa", "ed25519",

3153

# and "ecdsa".

3154

"keyScheme": "A String", # This field contains the corresponding signature scheme.

3155

# Eg: "rsassa-pss-sha256".

3156

"keyId": "A String", # key_id is an identifier for the signing key.

3157

"publicKeyValue": "A String", # This field contains the actual public key.

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

3158

},

3159

],

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

3160

"threshold": "A String", # This field contains a value that indicates the minimum number of keys that

3161

# need to be used to sign the step's in-toto link.

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

3162

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

3163

"expirationTime": "A String", # Time of expiration for this note. Empty if note does not expire.

3164

"baseImage": { # Basis describes the base image portion (Note) of the DockerImage # A note describing a base image.

3165

# relationship. Linked occurrences are derived from this or an

3166

# equivalent image via:

3167

# FROM <Basis.resource_url>

3168

# Or an equivalent reference, e.g. a tag of the resource_url.

3169

"fingerprint": { # A set of properties that uniquely identify a given Docker image. # Required. Immutable. The fingerprint of the base image.

3170

"v1Name": "A String", # Required. The layer ID of the final layer in the Docker image's v1

3171

# representation.

3172

"v2Name": "A String", # Output only. The name of the image's v2 blobs computed via:

3173

# [bottom] := v2_blobbottom := sha256(v2_blob[N] + " " + v2_name[N+1])

3174

# Only the name of the final blob is kept.

3175

"v2Blob": [ # Required. The ordered list of v2 blobs that represent a given image.

"A String",

],

},

"resourceUrl": "A String", # Required. Immutable. The resource_url for the resource representing the

3180

# basis of associated occurrence images.

3181

},

3182

"kind": "A String", # Output only. The type of analysis. This field can be used as a filter in

3183

# list requests.

3184

"deployable": { # An artifact that can be deployed in some runtime. # A note describing something that can be deployed.

3185

"resourceUri": [ # Required. Resource URI for the artifact being deployed.

"A String",

],

},

"longDescription": "A String", # A detailed description of this note.

3190

"shortDescription": "A String", # A one sentence description of this note.

3191

"attestationAuthority": { # Note kind that represents a logical attestation "role" or "authority". For # A note describing an attestation role.

3192

# example, an organization might have one `Authority` for "QA" and one for

3193

# "build". This note is intended to act strictly as a grouping mechanism for

3194

# the attached occurrences (Attestations). This grouping mechanism also

3195

# provides a security boundary, since IAM ACLs gate the ability for a principle

3196

# to attach an occurrence to a given note. It also provides a single point of

3197

# lookup to find all attached attestation occurrences, even if they don't all

3198

# live in the same project.

3199

"hint": { # This submessage provides human-readable hints about the purpose of the # Hint hints at the purpose of the attestation authority.

3200

# authority. Because the name of a note acts as its resource reference, it is

3201

# important to disambiguate the canonical name of the Note (which might be a

3202

# UUID for security purposes) from "readable" names more suitable for debug

3203

# output. Note that these hints should not be used to look up authorities in

3204

# security sensitive contexts, such as when looking up attestations to

3205

# verify.

3206

"humanReadableName": "A String", # Required. The human readable name of this attestation authority, for

# example "qa".

},

},

"name": "A String", # Output only. The name of the note in the form of

3211

# `projects/[PROVIDER_ID]/notes/[NOTE_ID]`.

3212

"vulnerability": { # Vulnerability provides metadata about a security vulnerability in a Note. # A note describing a package vulnerability.

3213

"sourceUpdateTime": "A String", # The time this information was last changed at the source. This is an

3214

# upstream timestamp from the underlying information source - e.g. Ubuntu

3215

# security tracker.

3216

"windowsDetails": [ # Windows details get their own format because the information format and

3217

# model don't match a normal detail. Specifically Windows updates are done as

3218

# patches, thus Windows vulnerabilities really are a missing package, rather

3219

# than a package being at an incorrect version.

3220

{

3221

"name": "A String", # Required. The name of the vulnerability.

3222

"cpeUri": "A String", # Required. The CPE URI in

3223

# [cpe format](https://cpe.mitre.org/specification/) in which the

3224

# vulnerability manifests. Examples include distro or storage location for

3225

# vulnerable jar.

3226

"description": "A String", # The description of the vulnerability.

3227

"fixingKbs": [ # Required. The names of the KBs which have hotfixes to mitigate this

3228

# vulnerability. Note that there may be multiple hotfixes (and thus

3229

# multiple KBs) that mitigate a given vulnerability. Currently any listed

3230

# kb's presence is considered a fix.

3231

{

3232

"url": "A String", # A link to the KB in the Windows update catalog -

3233

# https://www.catalog.update.microsoft.com/

3234

"name": "A String", # The KB name (generally of the form KB[0-9]+ i.e. KB123456).

},

],

},

],

"severity": "A String", # Note provider assigned impact of the vulnerability.

3240

"details": [ # All information about the package to specifically identify this

3241

# vulnerability. One entry per (version range and cpe_uri) the package

3242

# vulnerability has manifested in.

3243

{ # Identifies all appearances of this vulnerability in the package for a

3244

# specific distro/location. For example: glibc in

3245

# cpe:/o:debian:debian_linux:8 for versions 2.1 - 2.2

3246

"isObsolete": True or False, # Whether this detail is obsolete. Occurrences are expected not to point to

3247

# obsolete details.

3248

"sourceUpdateTime": "A String", # The time this information was last changed at the source. This is an

3249

# upstream timestamp from the underlying information source - e.g. Ubuntu

3250

# security tracker.

3251

"packageType": "A String", # The type of package; whether native or non native(ruby gems, node.js

3252

# packages etc).

3253

"fixedLocation": { # The location of the vulnerability. # The fix for this specific package version.

3254

"package": "A String", # Required. The package being described.

3255

"version": { # Version contains structured information about the version of a package. # Required. The version of the package being described.

3256

"name": "A String", # Required only when version kind is NORMAL. The main part of the version

3257

# name.

3258

"kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal

3259

# versions.

3260

"epoch": 42, # Used to correct mistakes in the version numbering scheme.

3261

"revision": "A String", # The iteration of the package build from the above version.

3262

},

3263

"cpeUri": "A String", # Required. The CPE URI in [cpe format](https://cpe.mitre.org/specification/)

3264

# format. Examples include distro or storage location for vulnerable jar.

3265

},

3266

"cpeUri": "A String", # Required. The CPE URI in

3267

# [cpe format](https://cpe.mitre.org/specification/) in which the

3268

# vulnerability manifests. Examples include distro or storage location for

3269

# vulnerable jar.

3270

"description": "A String", # A vendor-specific description of this note.

3271

"severityName": "A String", # The severity (eg: distro assigned severity) for this vulnerability.

3272

"minAffectedVersion": { # Version contains structured information about the version of a package. # The min version of the package in which the vulnerability exists.

3273

"name": "A String", # Required only when version kind is NORMAL. The main part of the version

3274

# name.

3275

"kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal

3276

# versions.

3277

"epoch": 42, # Used to correct mistakes in the version numbering scheme.

3278

"revision": "A String", # The iteration of the package build from the above version.

3279

},

3280

"maxAffectedVersion": { # Version contains structured information about the version of a package. # The max version of the package in which the vulnerability exists.

3281

"name": "A String", # Required only when version kind is NORMAL. The main part of the version

3282

# name.

3283

"kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal

3284

# versions.

3285

"epoch": 42, # Used to correct mistakes in the version numbering scheme.

3286

"revision": "A String", # The iteration of the package build from the above version.

3287

},

3288

"package": "A String", # Required. The name of the package where the vulnerability was found.

3289

},

3290

],

3291

"cvssScore": 3.14, # The CVSS score for this vulnerability.

3292

"cvssV3": { # Common Vulnerability Scoring System version 3. # The full description of the CVSSv3.

3293

# For details, see https://www.first.org/cvss/specification-document

3294

"scope": "A String",

3295

"integrityImpact": "A String",

3296

"exploitabilityScore": 3.14,

3297

"impactScore": 3.14,

3298

"attackComplexity": "A String",

3299

"availabilityImpact": "A String",

3300

"privilegesRequired": "A String",

3301

"userInteraction": "A String",

3302

"attackVector": "A String", # Base Metrics

3303

# Represents the intrinsic characteristics of a vulnerability that are

3304

# constant over time and across user environments.

3305

"confidentialityImpact": "A String",

3306

"baseScore": 3.14, # The base score is a function of the base metric scores.

3307

},

3308

},

3309

"relatedNoteNames": [ # Other notes related to this note.

3310

"A String",

3311

],

3312

"build": { # Note holding the version of the provider's builder and the signature of the # A note describing build provenance for a verifiable build.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

3313

# provenance message in the build details occurrence.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

3314

"builderVersion": "A String", # Required. Immutable. Version of the builder which produced this build.

3315

"signature": { # Message encapsulating the signature of the verified build. # Signature of the build in occurrences pointing to this build note

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

3316

# containing build details.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

3317

"keyType": "A String", # The type of the key, either stored in `public_key` or referenced in

3318

# `key_id`.

3319

"signature": "A String", # Required. Signature of the related `BuildProvenance`. In JSON, this is

3320

# base-64 encoded.

3321

"publicKey": "A String", # Public key of the builder which can be used to verify that the related

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

3322

# findings are valid and unchanged. If `key_type` is empty, this defaults

3323

# to PEM encoded public keys.

3324

#

3325

# This field may be empty if `key_id` references an external key.

3326

#

3327

# For Cloud Build based signatures, this is a PEM encoded public

3328

# key. To verify the Cloud Build signature, place the contents of

3329

# this field into a file (public.pem). The signature field is base64-decoded

3330

# into its binary representation in signature.bin, and the provenance bytes

3331

# from `BuildDetails` are base64-decoded into a binary representation in

3332

# signed.bin. OpenSSL can then verify the signature:

3333

# `openssl sha256 -verify public.pem -signature signature.bin signed.bin`

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

3334

"keyId": "A String", # An ID for the key used to sign. This could be either an ID for the key

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

3335

# stored in `public_key` (such as the ID or fingerprint for a PGP key, or the

3336

# CN for a cert), or a reference to an external key (such as a reference to a

3337

# key in Cloud Key Management Service).

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

3338

},

3339

},

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

}</pre>

</div>

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

3344

<code class="details" id="getVulnerabilitySummary">getVulnerabilitySummary(parent, filter=None, x__xgafv=None)</code>

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

3345

<pre>Gets a summary of the number and severity of occurrences.

3346

3347

Args:

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

3348

parent: string, Required. The name of the project to get a vulnerability summary for in the form of

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

3349

`projects/[PROJECT_ID]`. (required)

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

3350

filter: string, The filter expression.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

3351

x__xgafv: string, V1 error format.

3352

Allowed values

3353

1 - v1 error format

3354

2 - v2 error format

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

3355

3356

Returns:

3357

An object of the form:

3358

3359

{ # A summary of how many vulnerability occurrences there are per resource and

3360

# severity type.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

3361

"counts": [ # A listing by resource of the number of fixable and total vulnerabilities.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

3362

{ # Per resource and severity counts of fixable and total vulnerabilities.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

3363

"fixableCount": "A String", # The number of fixable vulnerabilities associated with this resource.

3364

"resource": { # An entity that can have metadata. For example, a Docker image. # The affected resource.

3365

"name": "A String", # Deprecated, do not use. Use uri instead.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

3366

#

3367

# The name of the resource. For example, the name of a Docker image -

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

3368

# "Debian".

3369

"contentHash": { # Container message for hash values. # Deprecated, do not use. Use uri instead.

3370

#

3371

# The hash of the resource content. For example, the Docker digest.

3372

"type": "A String", # Required. The type of hash that was performed.

3373

"value": "A String", # Required. The hash value.

3374

},

3375

"uri": "A String", # Required. The unique URI of the resource. For example,

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

3376

# `https://gcr.io/project/image@sha256:foo` for a Docker image.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

3377

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

3378

"severity": "A String", # The severity for this count. SEVERITY_UNSPECIFIED indicates total across

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

3379

# all severities.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

3380

"totalCount": "A String", # The total number of vulnerabilities associated with this resource.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

},

],

}</pre>

</div>

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

3387

<code class="details" id="list">list(parent, filter=None, pageToken=None, pageSize=None, x__xgafv=None)</code>

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

3388

<pre>Lists occurrences for the specified project.

3389

3390

Args:

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

3391

parent: string, Required. The name of the project to list occurrences for in the form of

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

3392

`projects/[PROJECT_ID]`. (required)

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

3393

filter: string, The filter expression.

3394

pageToken: string, Token to provide to skip to a particular spot in the list.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

3395

pageSize: integer, Number of occurrences to return in the list. Must be positive. Max allowed

3396

page size is 1000. If not specified, page size defaults to 20.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

3397

x__xgafv: string, V1 error format.

3398

Allowed values

3399

1 - v1 error format

3400

2 - v2 error format

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

3401

3402

Returns:

3403

An object of the form:

3404

3405

{ # Response for listing occurrences.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

3406

"nextPageToken": "A String", # The next pagination token in the list response. It should be used as

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

3407

# `page_token` for the following request. An empty value means no more

3408

# results.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

3409

"occurrences": [ # The occurrences requested.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

3410

{ # An instance of an analysis type that has been found on a resource.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

3411

"updateTime": "A String", # Output only. The time this occurrence was last updated.

3412

"remediation": "A String", # A description of actions that can be taken to remedy the note.

3413

"intoto": { # This corresponds to a signed in-toto link - it is made up of one or more # Describes a specific in-toto link.

3414

# signatures and the in-toto link itself. This is used for occurrences of a

3415

# Grafeas in-toto note.

3416

"signed": { # This corresponds to an in-toto link.

3417

"command": [ # This field contains the full command executed for the step. This can also

3418

# be empty if links are generated for operations that aren't directly mapped

3419

# to a specific command. Each term in the command is an independent string

3420

# in the list. An example of a command in the in-toto metadata field is:

3421

# "command": ["git", "clone", "https://github.com/in-toto/demo-project.git"]

3422

"A String",

3423

],

3424

"byproducts": { # Defines an object for the byproducts field in in-toto links. The suggested # ByProducts are data generated as part of a software supply chain step, but

3425

# are not the actual result of the step.

3426

# fields are "stderr", "stdout", and "return-value".

"customValues": {

"a_key": "A String",

},

},

"environment": { # Defines an object for the environment field in in-toto links. The suggested # This is a field that can be used to capture information about the

3432

# environment. It is suggested for this field to contain information that

3433

# details environment variables, filesystem information, and the present

3434

# working directory. The recommended structure of this field is:

3435

# "environment": {

3436

# "custom_values": {

3437

# "variables": "<ENV>",

3438

# "filesystem": "<FS>",

3439

# "workdir": "<CWD>",

3440

# "<ANY OTHER RELEVANT FIELDS>": "..."

3441

# }

3442

# }

3443

# fields are "variables", "filesystem", and "workdir".

"customValues": {

"a_key": "A String",

},

},

"materials": [ # Materials are the supply chain artifacts that go into the step and are used

3449

# for the operation performed. The key of the map is the path of the artifact

3450

# and the structure contains the recorded hash information. An example is:

3451

# "materials": [

3452

# {

3453

# "resource_uri": "foo/bar",

3454

# "hashes": {

3455

# "sha256": "ebebf...",

3456

# <OTHER HASH ALGORITHMS>: <HASH VALUE>

# }

# }

# ]

{

"hashes": { # Defines a hash object for use in Materials and Products.

3462

"sha256": "A String",

3463

},

3464

"resourceUri": "A String",

3465

},

3466

],

3467

"products": [ # Products are the supply chain artifacts generated as a result of the step.

3468

# The structure is identical to that of materials.

3469

{

3470

"hashes": { # Defines a hash object for use in Materials and Products.

3471

"sha256": "A String",

3472

},

3473

"resourceUri": "A String",

3474

},

3475

],

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

3476

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

3477

"signatures": [

3478

{ # A signature object consists of the KeyID used and the signature itself.

3479

"sig": "A String",

3480

"keyid": "A String",

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

3481

},

3482

],

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

3483

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

3484

"derivedImage": { # Details of an image occurrence. # Describes how this resource derives from the basis in the associated

3485

# note.

3486

"derivedImage": { # Derived describes the derived image portion (Occurrence) of the DockerImage # Required. Immutable. The child image derived from the base image.

3487

# relationship. This image would be produced from a Dockerfile with FROM

3488

# <DockerImage.Basis in attached Note>.

3489

"fingerprint": { # A set of properties that uniquely identify a given Docker image. # Required. The fingerprint of the derived image.

3490

"v1Name": "A String", # Required. The layer ID of the final layer in the Docker image's v1

3491

# representation.

3492

"v2Name": "A String", # Output only. The name of the image's v2 blobs computed via:

3493

# [bottom] := v2_blobbottom := sha256(v2_blob[N] + " " + v2_name[N+1])

3494

# Only the name of the final blob is kept.

3495

"v2Blob": [ # Required. The ordered list of v2 blobs that represent a given image.

3496

"A String",

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

3497

],

3498

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

3499

"layerInfo": [ # This contains layer-specific metadata, if populated it has length

3500

# "distance" and is ordered with [distance] being the layer immediately

3501

# following the base image and [1] being the final layer.

3502

{ # Layer holds metadata specific to a layer of a Docker image.

3503

"directive": "A String", # Required. The recovered Dockerfile directive used to construct this layer.

3504

"arguments": "A String", # The recovered arguments to the Dockerfile directive.

3505

},

3506

],

3507

"distance": 42, # Output only. The number of layers by which this image differs from the

3508

# associated image basis.

3509

"baseResourceUrl": "A String", # Output only. This contains the base image URL for the derived image

3510

# occurrence.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

3511

},

3512

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

3513

"kind": "A String", # Output only. This explicitly denotes which of the occurrence details are

3514

# specified. This field can be used as a filter in list requests.

3515

"resource": { # An entity that can have metadata. For example, a Docker image. # Required. Immutable. The resource for which the occurrence applies.

3516

"name": "A String", # Deprecated, do not use. Use uri instead.

3517

#

3518

# The name of the resource. For example, the name of a Docker image -

3519

# "Debian".

3520

"contentHash": { # Container message for hash values. # Deprecated, do not use. Use uri instead.

3521

#

3522

# The hash of the resource content. For example, the Docker digest.

3523

"type": "A String", # Required. The type of hash that was performed.

3524

"value": "A String", # Required. The hash value.

3525

},

3526

"uri": "A String", # Required. The unique URI of the resource. For example,

3527

# `https://gcr.io/project/image@sha256:foo` for a Docker image.

3528

},

3529

"name": "A String", # Output only. The name of the occurrence in the form of

3530

# `projects/[PROJECT_ID]/occurrences/[OCCURRENCE_ID]`.

3531

"attestation": { # Details of an attestation occurrence. # Describes an attestation of an artifact.

3532

"attestation": { # Occurrence that represents a single "attestation". The authenticity of an # Required. Attestation for the resource.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

3533

# attestation can be verified using the attached signature. If the verifier

3534

# trusts the public key of the signer, then verifying the signature is

3535

# sufficient to establish trust. In this circumstance, the authority to which

3536

# this attestation is attached is primarily useful for look-up (how to find

3537

# this attestation if you already know the authority and artifact to be

3538

# verified) and intent (which authority was this attestation intended to sign

3539

# for).

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

3540

"pgpSignedAttestation": { # An attestation wrapper with a PGP-compatible signature. This message only # A PGP signed attestation.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

3541

# supports `ATTACHED` signatures, where the payload that is signed is included

3542

# alongside the signature itself in the same file.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

3543

"contentType": "A String", # Type (for example schema) of the attestation payload that was signed.

3544

# The verifier must ensure that the provided type is one that the verifier

3545

# supports, and that the attestation payload is a valid instantiation of that

3546

# type (for example by validating a JSON schema).

3547

"signature": "A String", # Required. The raw content of the signature, as output by GNU Privacy Guard

3548

# (GPG) or equivalent. Since this message only supports attached signatures,

3549

# the payload that was signed must be attached. While the signature format

3550

# supported is dependent on the verification implementation, currently only

3551

# ASCII-armored (`--armor` to gpg), non-clearsigned (`--sign` rather than

3552

# `--clearsign` to gpg) are supported. Concretely, `gpg --sign --armor

3553

# --output=signature.gpg payload.json` will create the signature content

3554

# expected in this field in `signature.gpg` for the `payload.json`

3555

# attestation payload.

3556

"pgpKeyId": "A String", # The cryptographic fingerprint of the key used to generate the signature,

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

3557

# as output by, e.g. `gpg --list-keys`. This should be the version 4, full

3558

# 160-bit fingerprint, expressed as a 40 character hexidecimal string. See

3559

# https://tools.ietf.org/html/rfc4880#section-12.2 for details.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

3560

# Implementations may choose to acknowledge "LONG", "SHORT", or other

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

3561

# abbreviated key IDs, but only the full fingerprint is guaranteed to work.

3562

# In gpg, the full fingerprint can be retrieved from the `fpr` field

3563

# returned when calling --list-keys with --with-colons. For example:

3564

# ```

3565

# gpg --with-colons --with-fingerprint --force-v4-certs \

3566

# --list-keys attester@example.com

3567

# tru::1:1513631572:0:3:1:5

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

3568

# pub:...<SNIP>...

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

3569

# fpr:::::::::24FF6481B76AC91E66A00AC657A93A81EF3AE6FB:

3570

# ```

3571

# Above, the fingerprint is `24FF6481B76AC91E66A00AC657A93A81EF3AE6FB`.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

3572

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

3573

"genericSignedAttestation": { # An attestation wrapper that uses the Grafeas `Signature` message.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

3574

# This attestation must define the `serialized_payload` that the `signatures`

3575

# verify and any metadata necessary to interpret that plaintext. The

3576

# signatures should always be over the `serialized_payload` bytestring.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

3577

"signatures": [ # One or more signatures over `serialized_payload`. Verifier implementations

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

3578

# should consider this attestation message verified if at least one

3579

# `signature` verifies `serialized_payload`. See `Signature` in common.proto

3580

# for more details on signature structure and verification.

3581

{ # Verifiers (e.g. Kritis implementations) MUST verify signatures

3582

# with respect to the trust anchors defined in policy (e.g. a Kritis policy).

3583

# Typically this means that the verifier has been configured with a map from

3584

# `public_key_id` to public key material (and any required parameters, e.g.

3585

# signing algorithm).

3586

#

3587

# In particular, verification implementations MUST NOT treat the signature

3588

# `public_key_id` as anything more than a key lookup hint. The `public_key_id`

3589

# DOES NOT validate or authenticate a public key; it only provides a mechanism

3590

# for quickly selecting a public key ALREADY CONFIGURED on the verifier through

3591

# a trusted channel. Verification implementations MUST reject signatures in any

3592

# of the following circumstances:

3593

# * The `public_key_id` is not recognized by the verifier.

3594

# * The public key that `public_key_id` refers to does not verify the

3595

# signature with respect to the payload.

3596

#

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

3597

# The `signature` contents SHOULD NOT be "attached" (where the payload is

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

3598

# included with the serialized `signature` bytes). Verifiers MUST ignore any

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

3599

# "attached" payload and only verify signatures with respect to explicitly

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

3600

# provided payload (e.g. a `payload` field on the proto message that holds

3601

# this Signature, or the canonical serialization of the proto message that

3602

# holds this signature).

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

3603

"publicKeyId": "A String", # The identifier for the public key that verifies this signature.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

3604

# * The `public_key_id` is required.

3605

# * The `public_key_id` MUST be an RFC3986 conformant URI.

3606

# * When possible, the `public_key_id` SHOULD be an immutable reference,

3607

# such as a cryptographic digest.

3608

#

3609

# Examples of valid `public_key_id`s:

3610

#

3611

# OpenPGP V4 public key fingerprint:

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

3612

# * "openpgp4fpr:74FAF3B861BDA0870C7B6DEF607E48D2A663AEEA"

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

3613

# See https://www.iana.org/assignments/uri-schemes/prov/openpgp4fpr for more

3614

# details on this scheme.

3615

#

3616

# RFC6920 digest-named SubjectPublicKeyInfo (digest of the DER

3617

# serialization):

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

3618

# * "ni:///sha-256;cD9o9Cq6LG3jD0iKXqEi_vdjJGecm_iXkbqVoScViaU"

3619

# * "nih:///sha-256;703f68f42aba2c6de30f488a5ea122fef76324679c9bf89791ba95a1271589a5"

3620

"signature": "A String", # The content of the signature, an opaque bytestring.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

3621

# The payload that this signature verifies MUST be unambiguously provided

3622

# with the Signature during verification. A wrapper message might provide

3623

# the payload explicitly. Alternatively, a message might have a canonical

3624

# serialization that can always be unambiguously computed to derive the

3625

# payload.

3626

},

3627

],

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

3628

"serializedPayload": "A String", # The serialized payload that is verified by one or more `signatures`.

3629

# The encoding and semantic meaning of this payload must match what is set in

3630

# `content_type`.

3631

"contentType": "A String", # Type (for example schema) of the attestation payload that was signed.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

3632

# The verifier must ensure that the provided type is one that the verifier

3633

# supports, and that the attestation payload is a valid instantiation of that

3634

# type (for example by validating a JSON schema).

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

3635

},

3636

},

3637

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

3638

"vulnerability": { # Details of a vulnerability Occurrence. # Describes a security vulnerability.

3639

"longDescription": "A String", # Output only. A detailed description of this vulnerability.

3640

"shortDescription": "A String", # Output only. A one sentence description of this vulnerability.

3641

"effectiveSeverity": "A String", # The distro assigned severity for this vulnerability when it is

3642

# available, and note provider assigned severity when distro has not yet

3643

# assigned a severity for this vulnerability.

3644

"severity": "A String", # Output only. The note provider assigned Severity of the vulnerability.

3645

"cvssScore": 3.14, # Output only. The CVSS score of this vulnerability. CVSS score is on a

3646

# scale of 0-10 where 0 indicates low severity and 10 indicates high

3647

# severity.

3648

"relatedUrls": [ # Output only. URLs related to this vulnerability.

3649

{ # Metadata for any related URL information.

3650

"url": "A String", # Specific URL associated with the resource.

3651

"label": "A String", # Label to describe usage of the URL.

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

3652

},

3653

],

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

3654

"type": "A String", # The type of package; whether native or non native(ruby gems, node.js

3655

# packages etc)

3656

"packageIssue": [ # Required. The set of affected locations and their fixes (if available)

3657

# within the associated resource.

3658

{ # This message wraps a location affected by a vulnerability and its

3659

# associated fix (if one is available).

3660

"fixedLocation": { # The location of the vulnerability. # The location of the available fix for vulnerability.

3661

"package": "A String", # Required. The package being described.

3662

"version": { # Version contains structured information about the version of a package. # Required. The version of the package being described.

3663

"name": "A String", # Required only when version kind is NORMAL. The main part of the version

3664

# name.

3665

"kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal

3666

# versions.

3667

"epoch": 42, # Used to correct mistakes in the version numbering scheme.

3668

"revision": "A String", # The iteration of the package build from the above version.

3669

},

3670

"cpeUri": "A String", # Required. The CPE URI in [cpe format](https://cpe.mitre.org/specification/)

3671

# format. Examples include distro or storage location for vulnerable jar.

3672

},

3673

"severityName": "A String", # Deprecated, use Details.effective_severity instead

3674

# The severity (e.g., distro assigned severity) for this vulnerability.

3675

"affectedLocation": { # The location of the vulnerability. # Required. The location of the vulnerability.

3676

"package": "A String", # Required. The package being described.

3677

"version": { # Version contains structured information about the version of a package. # Required. The version of the package being described.

3678

"name": "A String", # Required only when version kind is NORMAL. The main part of the version

3679

# name.

3680

"kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal

3681

# versions.

3682

"epoch": 42, # Used to correct mistakes in the version numbering scheme.

3683

"revision": "A String", # The iteration of the package build from the above version.

3684

},

3685

"cpeUri": "A String", # Required. The CPE URI in [cpe format](https://cpe.mitre.org/specification/)

3686

# format. Examples include distro or storage location for vulnerable jar.

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

3687

},

3688

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

3689

],

3690

},

3691

"installation": { # Details of a package occurrence. # Describes the installation of a package on the linked resource.

3692

"installation": { # This represents how a particular software package may be installed on a # Required. Where the package was installed.

3693

# system.

3694

"location": [ # Required. All of the places within the filesystem versions of this package

3695

# have been found.

3696

{ # An occurrence of a particular package installation found within a system's

3697

# filesystem. E.g., glibc was found in `/var/lib/dpkg/status`.

3698

"version": { # Version contains structured information about the version of a package. # The version installed at this location.

3699

"name": "A String", # Required only when version kind is NORMAL. The main part of the version

3700

# name.

3701

"kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal

3702

# versions.

3703

"epoch": 42, # Used to correct mistakes in the version numbering scheme.

3704

"revision": "A String", # The iteration of the package build from the above version.

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

3705

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

3706

"path": "A String", # The path from which we gathered that this package/version is installed.

3707

"cpeUri": "A String", # Required. The CPE URI in [CPE format](https://cpe.mitre.org/specification/)

3708

# denoting the package manager version distributing a package.

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

3709

},

3710

],

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

3711

"name": "A String", # Output only. The name of the installed package.

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

3712

},

3713

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

3714

"build": { # Details of a build occurrence. # Describes a verifiable build.

3715

"provenanceBytes": "A String", # Serialized JSON representation of the provenance, used in generating the

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

3716

# build signature in the corresponding build note. After verifying the

3717

# signature, `provenance_bytes` can be unmarshalled and compared to the

3718

# provenance to confirm that it is unchanged. A base64-encoded string

3719

# representation of the provenance bytes is used for the signature in order

3720

# to interoperate with openssl which expects this format for signature

3721

# verification.

3722

#

3723

# The serialized form is captured both to avoid ambiguity in how the

3724

# provenance is marshalled to json as well to prevent incompatibilities with

3725

# future changes.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

3726

"provenance": { # Provenance of a build. Contains all information needed to verify the full # Required. The actual provenance for the build.

3727

# details about the build from source to completion.

3728

"logsUri": "A String", # URI where any logs for this provenance were written.

3729

"creator": "A String", # E-mail address of the user who initiated this build. Note that this was the

3730

# user's e-mail address at the time the build was initiated; this address may

3731

# not represent the same end-user for all time.

3732

"builderVersion": "A String", # Version string of the builder at the time this build was executed.

3733

"commands": [ # Commands requested by the build.

3734

{ # Command describes a step performed as part of the build pipeline.

3735

"name": "A String", # Required. Name of the command, as presented on the command line, or if the

3736

# command is packaged as a Docker container, as presented to `docker pull`.

3737

"id": "A String", # Optional unique identifier for this command, used in wait_for to reference

3738

# this command as a dependency.

3739

"dir": "A String", # Working directory (relative to project source root) used when running this

3740

# command.

3741

"waitFor": [ # The ID(s) of the command(s) that this command depends on.

3742

"A String",

3743

],

3744

"env": [ # Environment variables set before running this command.

3745

"A String",

3746

],

3747

"args": [ # Command-line arguments used when executing this command.

3748

"A String",

3749

],

3750

},

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

3751

],

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

3752

"builtArtifacts": [ # Output of the build.

3753

{ # Artifact describes a build product.

3754

"id": "A String", # Artifact ID, if any; for container images, this will be a URL by digest

3755

# like `gcr.io/projectID/imagename@sha256:123456`.

3756

"names": [ # Related artifact names. This may be the path to a binary or jar file, or in

3757

# the case of a container build, the name used to push the container image to

3758

# Google Container Registry, as presented to `docker push`. Note that a

3759

# single Artifact ID can have multiple names, for example if two tags are

3760

# applied to one image.

3761

"A String",

3762

],

3763

"checksum": "A String", # Hash or checksum value of a binary, or Docker Registry 2.0 digest of a

# container.

},

],

"id": "A String", # Required. Unique identifier of the build.

3768

"buildOptions": { # Special options applied to this build. This is a catch-all field where

3769

# build providers can enter any desired additional details.

3770

"a_key": "A String",

3771

},

3772

"endTime": "A String", # Time at which execution of the build was finished.

3773

"startTime": "A String", # Time at which execution of the build was started.

3774

"triggerId": "A String", # Trigger identifier if the build was triggered automatically; empty if not.

3775

"sourceProvenance": { # Source describes the location of the source used for the build. # Details of the Source input to the build.

3776

"artifactStorageSourceUri": "A String", # If provided, the input binary artifacts for the build came from this

3777

# location.

3778

"additionalContexts": [ # If provided, some of the source code used for the build may be found in

3779

# these locations, in the case where the source repository had multiple

3780

# remotes or submodules. This list will not include the context specified in

3781

# the context field.

3782

{ # A SourceContext is a reference to a tree of files. A SourceContext together

3783

# with a path point to a unique revision of a single file or directory.

3784

"cloudRepo": { # A CloudRepoSourceContext denotes a particular revision in a Google Cloud # A SourceContext referring to a revision in a Google Cloud Source Repo.

3785

# Source Repo.

3786

"revisionId": "A String", # A revision ID.

3787

"repoId": { # A unique identifier for a Cloud Repo. # The ID of the repo.

3788

"uid": "A String", # A server-assigned, globally unique identifier.

3789

"projectRepoId": { # Selects a repo using a Google Cloud Platform project ID (e.g., # A combination of a project ID and a repo name.

3790

# winged-cargo-31) and a repo name within that project.

3791

"projectId": "A String", # The ID of the project.

3792

"repoName": "A String", # The name of the repo. Leave empty for the default repo.

3793

},

3794

},

3795

"aliasContext": { # An alias to a repo revision. # An alias, which may be a branch or tag.

3796

"name": "A String", # The alias name.

3797

"kind": "A String", # The alias kind.

3798

},

3799

},

3800

"labels": { # Labels with user defined metadata.

3801

"a_key": "A String",

3802

},

3803

"git": { # A GitSourceContext denotes a particular revision in a third party Git # A SourceContext referring to any third party Git repo (e.g., GitHub).

3804

# repository (e.g., GitHub).

3805

"revisionId": "A String", # Git commit hash.

3806

"url": "A String", # Git repository URL.

3807

},

3808

"gerrit": { # A SourceContext referring to a Gerrit project. # A SourceContext referring to a Gerrit project.

3809

"gerritProject": "A String", # The full project name within the host. Projects may be nested, so

3810

# "project/subproject" is a valid project name. The "repo name" is the

3811

# hostURI/project.

3812

"aliasContext": { # An alias to a repo revision. # An alias, which may be a branch or tag.

3813

"name": "A String", # The alias name.

3814

"kind": "A String", # The alias kind.

3815

},

3816

"hostUri": "A String", # The URI of a running Gerrit instance.

3817

"revisionId": "A String", # A revision (commit) ID.

},

},

],

"fileHashes": { # Hash(es) of the build source, which can be used to verify that the original

3822

# source integrity was maintained in the build.

3823

#

3824

# The keys to this map are file paths used as build source and the values

3825

# contain the hash values for those files.

3826

#

3827

# If the build source came in a single package such as a gzipped tarfile

3828

# (.tar.gz), the FileHash will be for the single path to that file.

3829

"a_key": { # Container message for hashes of byte content of files, used in source

3830

# messages to verify integrity of source input to the build.

3831

"fileHash": [ # Required. Collection of file hashes.

3832

{ # Container message for hash values.

3833

"type": "A String", # Required. The type of hash that was performed.

3834

"value": "A String", # Required. The hash value.

3835

},

3836

],

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

3837

},

3838

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

3839

"context": { # A SourceContext is a reference to a tree of files. A SourceContext together # If provided, the source code used for the build came from this location.

3840

# with a path point to a unique revision of a single file or directory.

3841

"cloudRepo": { # A CloudRepoSourceContext denotes a particular revision in a Google Cloud # A SourceContext referring to a revision in a Google Cloud Source Repo.

3842

# Source Repo.

3843

"revisionId": "A String", # A revision ID.

3844

"repoId": { # A unique identifier for a Cloud Repo. # The ID of the repo.

3845

"uid": "A String", # A server-assigned, globally unique identifier.

3846

"projectRepoId": { # Selects a repo using a Google Cloud Platform project ID (e.g., # A combination of a project ID and a repo name.

3847

# winged-cargo-31) and a repo name within that project.

3848

"projectId": "A String", # The ID of the project.

3849

"repoName": "A String", # The name of the repo. Leave empty for the default repo.

3850

},

3851

},

3852

"aliasContext": { # An alias to a repo revision. # An alias, which may be a branch or tag.

3853

"name": "A String", # The alias name.

3854

"kind": "A String", # The alias kind.

3855

},

3856

},

3857

"labels": { # Labels with user defined metadata.

3858

"a_key": "A String",

3859

},

3860

"git": { # A GitSourceContext denotes a particular revision in a third party Git # A SourceContext referring to any third party Git repo (e.g., GitHub).

3861

# repository (e.g., GitHub).

3862

"revisionId": "A String", # Git commit hash.

3863

"url": "A String", # Git repository URL.

3864

},

3865

"gerrit": { # A SourceContext referring to a Gerrit project. # A SourceContext referring to a Gerrit project.

3866

"gerritProject": "A String", # The full project name within the host. Projects may be nested, so

3867

# "project/subproject" is a valid project name. The "repo name" is the

3868

# hostURI/project.

3869

"aliasContext": { # An alias to a repo revision. # An alias, which may be a branch or tag.

3870

"name": "A String", # The alias name.

3871

"kind": "A String", # The alias kind.

3872

},

3873

"hostUri": "A String", # The URI of a running Gerrit instance.

3874

"revisionId": "A String", # A revision (commit) ID.

3875

},

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

3876

},

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

3877

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

3878

"createTime": "A String", # Time at which the build was created.

3879

"projectId": "A String", # ID of the project.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

3880

},

3881

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

3882

"discovered": { # Details of a discovery occurrence. # Describes when a resource was discovered.

3883

"discovered": { # Provides information about the analysis status of a discovered resource. # Required. Analysis status for the discovered resource.

3884

"analysisStatusError": { # The `Status` type defines a logical error model that is suitable for # When an error is encountered this will contain a LocalizedMessage under

3885

# details to show to the user. The LocalizedMessage is output only and

3886

# populated by the API.

3887

# different programming environments, including REST APIs and RPC APIs. It is

3888

# used by [gRPC](https://github.com/grpc). Each `Status` message contains

3889

# three pieces of data: error code, error message, and error details.

3890

#

3891

# You can find out more about this error model and how to work with it in the

3892

# [API Design Guide](https://cloud.google.com/apis/design/errors).

3893

"code": 42, # The status code, which should be an enum value of google.rpc.Code.

3894

"message": "A String", # A developer-facing error message, which should be in English. Any

3895

# user-facing error message should be localized and sent in the

3896

# google.rpc.Status.details field, or localized by the client.

3897

"details": [ # A list of messages that carry the error details. There is a common set of

3898

# message types for APIs to use.

3899

{

3900

"a_key": "", # Properties of the object. Contains field @type with type URL.

},

],

},

"analysisStatus": "A String", # The status of discovery for the resource.

3905

"continuousAnalysis": "A String", # Whether the resource is continuously analyzed.

3906

"lastAnalysisTime": "A String", # The last time continuous analysis was done for this resource.

3907

# Deprecated, do not use.

3908

},

3909

},

3910

"noteName": "A String", # Required. Immutable. The analysis note associated with this occurrence, in

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

3911

# the form of `projects/[PROVIDER_ID]/notes/[NOTE_ID]`. This field can be

3912

# used as a filter in list requests.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

3913

"deployment": { # Details of a deployment occurrence. # Describes the deployment of an artifact on a runtime.

3914

"deployment": { # The period during which some deployable was active in a runtime. # Required. Deployment history for the resource.

3915

"undeployTime": "A String", # End of the lifetime of this deployment.

3916

"platform": "A String", # Platform hosting this deployment.

3917

"deployTime": "A String", # Required. Beginning of the lifetime of this deployment.

3918

"address": "A String", # Address of the runtime element hosting this deployment.

3919

"resourceUri": [ # Output only. Resource URI for the artifact being deployed taken from

3920

# the deployable field with the same name.

3921

"A String",

3922

],

3923

"userEmail": "A String", # Identity of the user that triggered this deployment.

3924

"config": "A String", # Configuration used to create this deployment.

3925

},

3926

},

3927

"createTime": "A String", # Output only. The time this occurrence was created.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

},

],

}</pre>

</div>

<code class="details" id="list_next">list_next(previous_request, previous_response)</code>

3935

<pre>Retrieves the next page of results.

3936

3937

Args:

3938

previous_request: The request for the previous page. (required)

3939

previous_response: The response from the request for the previous page. (required)

3940

3941

Returns:

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

3942

A request object that you can call 'execute()' on to request the next

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

3943

page. Returns None if there are no more items in the collection.

</pre>

</div>

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

3948

<code class="details" id="patch">patch(name, body=None, updateMask=None, x__xgafv=None)</code>

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

3949

<pre>Updates the specified occurrence.

3950

3951

Args:

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

3952

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

3953

`projects/[PROJECT_ID]/occurrences/[OCCURRENCE_ID]`. (required)

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

3954

body: object, The request body.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

3955

The object takes the form of:

3956

3957

{ # An instance of an analysis type that has been found on a resource.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

3958

"updateTime": "A String", # Output only. The time this occurrence was last updated.

3959

"remediation": "A String", # A description of actions that can be taken to remedy the note.

3960

"intoto": { # This corresponds to a signed in-toto link - it is made up of one or more # Describes a specific in-toto link.

3961

# signatures and the in-toto link itself. This is used for occurrences of a

3962

# Grafeas in-toto note.

3963

"signed": { # This corresponds to an in-toto link.

3964

"command": [ # This field contains the full command executed for the step. This can also

3965

# be empty if links are generated for operations that aren't directly mapped

3966

# to a specific command. Each term in the command is an independent string

3967

# in the list. An example of a command in the in-toto metadata field is:

3968

# "command": ["git", "clone", "https://github.com/in-toto/demo-project.git"]

3969

"A String",

3970

],

3971

"byproducts": { # Defines an object for the byproducts field in in-toto links. The suggested # ByProducts are data generated as part of a software supply chain step, but

3972

# are not the actual result of the step.

3973

# fields are "stderr", "stdout", and "return-value".

"customValues": {

"a_key": "A String",

},

},

"environment": { # Defines an object for the environment field in in-toto links. The suggested # This is a field that can be used to capture information about the

3979

# environment. It is suggested for this field to contain information that

3980

# details environment variables, filesystem information, and the present

3981

# working directory. The recommended structure of this field is:

3982

# "environment": {

3983

# "custom_values": {

3984

# "variables": "<ENV>",

3985

# "filesystem": "<FS>",

3986

# "workdir": "<CWD>",

3987

# "<ANY OTHER RELEVANT FIELDS>": "..."

3988

# }

3989

# }

3990

# fields are "variables", "filesystem", and "workdir".

"customValues": {

"a_key": "A String",

},

},

"materials": [ # Materials are the supply chain artifacts that go into the step and are used

3996

# for the operation performed. The key of the map is the path of the artifact

3997

# and the structure contains the recorded hash information. An example is:

3998

# "materials": [

3999

# {

4000

# "resource_uri": "foo/bar",

4001

# "hashes": {

4002

# "sha256": "ebebf...",

4003

# <OTHER HASH ALGORITHMS>: <HASH VALUE>

# }

# }

# ]

{

"hashes": { # Defines a hash object for use in Materials and Products.

4009

"sha256": "A String",

4010

},

4011

"resourceUri": "A String",

4012

},

4013

],

4014

"products": [ # Products are the supply chain artifacts generated as a result of the step.

4015

# The structure is identical to that of materials.

4016

{

4017

"hashes": { # Defines a hash object for use in Materials and Products.

4018

"sha256": "A String",

4019

},

4020

"resourceUri": "A String",

4021

},

4022

],

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

4023

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

4024

"signatures": [

4025

{ # A signature object consists of the KeyID used and the signature itself.

4026

"sig": "A String",

4027

"keyid": "A String",

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

4028

},

4029

],

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

4030

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

4031

"derivedImage": { # Details of an image occurrence. # Describes how this resource derives from the basis in the associated

4032

# note.

4033

"derivedImage": { # Derived describes the derived image portion (Occurrence) of the DockerImage # Required. Immutable. The child image derived from the base image.

4034

# relationship. This image would be produced from a Dockerfile with FROM

4035

# <DockerImage.Basis in attached Note>.

4036

"fingerprint": { # A set of properties that uniquely identify a given Docker image. # Required. The fingerprint of the derived image.

4037

"v1Name": "A String", # Required. The layer ID of the final layer in the Docker image's v1

4038

# representation.

4039

"v2Name": "A String", # Output only. The name of the image's v2 blobs computed via:

4040

# [bottom] := v2_blobbottom := sha256(v2_blob[N] + " " + v2_name[N+1])

4041

# Only the name of the final blob is kept.

4042

"v2Blob": [ # Required. The ordered list of v2 blobs that represent a given image.

4043

"A String",

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

4044

],

4045

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

4046

"layerInfo": [ # This contains layer-specific metadata, if populated it has length

4047

# "distance" and is ordered with [distance] being the layer immediately

4048

# following the base image and [1] being the final layer.

4049

{ # Layer holds metadata specific to a layer of a Docker image.

4050

"directive": "A String", # Required. The recovered Dockerfile directive used to construct this layer.

4051

"arguments": "A String", # The recovered arguments to the Dockerfile directive.

4052

},

4053

],

4054

"distance": 42, # Output only. The number of layers by which this image differs from the

4055

# associated image basis.

4056

"baseResourceUrl": "A String", # Output only. This contains the base image URL for the derived image

4057

# occurrence.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

4058

},

4059

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

4060

"kind": "A String", # Output only. This explicitly denotes which of the occurrence details are

4061

# specified. This field can be used as a filter in list requests.

4062

"resource": { # An entity that can have metadata. For example, a Docker image. # Required. Immutable. The resource for which the occurrence applies.

4063

"name": "A String", # Deprecated, do not use. Use uri instead.

4064

#

4065

# The name of the resource. For example, the name of a Docker image -

4066

# "Debian".

4067

"contentHash": { # Container message for hash values. # Deprecated, do not use. Use uri instead.

4068

#

4069

# The hash of the resource content. For example, the Docker digest.

4070

"type": "A String", # Required. The type of hash that was performed.

4071

"value": "A String", # Required. The hash value.

4072

},

4073

"uri": "A String", # Required. The unique URI of the resource. For example,

4074

# `https://gcr.io/project/image@sha256:foo` for a Docker image.

4075

},

4076

"name": "A String", # Output only. The name of the occurrence in the form of

4077

# `projects/[PROJECT_ID]/occurrences/[OCCURRENCE_ID]`.

4078

"attestation": { # Details of an attestation occurrence. # Describes an attestation of an artifact.

4079

"attestation": { # Occurrence that represents a single "attestation". The authenticity of an # Required. Attestation for the resource.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

4080

# attestation can be verified using the attached signature. If the verifier

4081

# trusts the public key of the signer, then verifying the signature is

4082

# sufficient to establish trust. In this circumstance, the authority to which

4083

# this attestation is attached is primarily useful for look-up (how to find

4084

# this attestation if you already know the authority and artifact to be

4085

# verified) and intent (which authority was this attestation intended to sign

4086

# for).

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

4087

"pgpSignedAttestation": { # An attestation wrapper with a PGP-compatible signature. This message only # A PGP signed attestation.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

4088

# supports `ATTACHED` signatures, where the payload that is signed is included

4089

# alongside the signature itself in the same file.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

4090

"contentType": "A String", # Type (for example schema) of the attestation payload that was signed.

4091

# The verifier must ensure that the provided type is one that the verifier

4092

# supports, and that the attestation payload is a valid instantiation of that

4093

# type (for example by validating a JSON schema).

4094

"signature": "A String", # Required. The raw content of the signature, as output by GNU Privacy Guard

4095

# (GPG) or equivalent. Since this message only supports attached signatures,

4096

# the payload that was signed must be attached. While the signature format

4097

# supported is dependent on the verification implementation, currently only

4098

# ASCII-armored (`--armor` to gpg), non-clearsigned (`--sign` rather than

4099

# `--clearsign` to gpg) are supported. Concretely, `gpg --sign --armor

4100

# --output=signature.gpg payload.json` will create the signature content

4101

# expected in this field in `signature.gpg` for the `payload.json`

4102

# attestation payload.

4103

"pgpKeyId": "A String", # The cryptographic fingerprint of the key used to generate the signature,

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

4104

# as output by, e.g. `gpg --list-keys`. This should be the version 4, full

4105

# 160-bit fingerprint, expressed as a 40 character hexidecimal string. See

4106

# https://tools.ietf.org/html/rfc4880#section-12.2 for details.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

4107

# Implementations may choose to acknowledge "LONG", "SHORT", or other

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

4108

# abbreviated key IDs, but only the full fingerprint is guaranteed to work.

4109

# In gpg, the full fingerprint can be retrieved from the `fpr` field

4110

# returned when calling --list-keys with --with-colons. For example:

4111

# ```

4112

# gpg --with-colons --with-fingerprint --force-v4-certs \

4113

# --list-keys attester@example.com

4114

# tru::1:1513631572:0:3:1:5

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

4115

# pub:...<SNIP>...

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

4116

# fpr:::::::::24FF6481B76AC91E66A00AC657A93A81EF3AE6FB:

4117

# ```

4118

# Above, the fingerprint is `24FF6481B76AC91E66A00AC657A93A81EF3AE6FB`.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

4119

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

4120

"genericSignedAttestation": { # An attestation wrapper that uses the Grafeas `Signature` message.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

4121

# This attestation must define the `serialized_payload` that the `signatures`

4122

# verify and any metadata necessary to interpret that plaintext. The

4123

# signatures should always be over the `serialized_payload` bytestring.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

4124

"signatures": [ # One or more signatures over `serialized_payload`. Verifier implementations

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

4125

# should consider this attestation message verified if at least one

4126

# `signature` verifies `serialized_payload`. See `Signature` in common.proto

4127

# for more details on signature structure and verification.

4128

{ # Verifiers (e.g. Kritis implementations) MUST verify signatures

4129

# with respect to the trust anchors defined in policy (e.g. a Kritis policy).

4130

# Typically this means that the verifier has been configured with a map from

4131

# `public_key_id` to public key material (and any required parameters, e.g.

4132

# signing algorithm).

4133

#

4134

# In particular, verification implementations MUST NOT treat the signature

4135

# `public_key_id` as anything more than a key lookup hint. The `public_key_id`

4136

# DOES NOT validate or authenticate a public key; it only provides a mechanism

4137

# for quickly selecting a public key ALREADY CONFIGURED on the verifier through

4138

# a trusted channel. Verification implementations MUST reject signatures in any

4139

# of the following circumstances:

4140

# * The `public_key_id` is not recognized by the verifier.

4141

# * The public key that `public_key_id` refers to does not verify the

4142

# signature with respect to the payload.

4143

#

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

4144

# The `signature` contents SHOULD NOT be "attached" (where the payload is

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

4145

# included with the serialized `signature` bytes). Verifiers MUST ignore any

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

4146

# "attached" payload and only verify signatures with respect to explicitly

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

4147

# provided payload (e.g. a `payload` field on the proto message that holds

4148

# this Signature, or the canonical serialization of the proto message that

4149

# holds this signature).

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

4150

"publicKeyId": "A String", # The identifier for the public key that verifies this signature.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

4151

# * The `public_key_id` is required.

4152

# * The `public_key_id` MUST be an RFC3986 conformant URI.

4153

# * When possible, the `public_key_id` SHOULD be an immutable reference,

4154

# such as a cryptographic digest.

4155

#

4156

# Examples of valid `public_key_id`s:

4157

#

4158

# OpenPGP V4 public key fingerprint:

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

4159

# * "openpgp4fpr:74FAF3B861BDA0870C7B6DEF607E48D2A663AEEA"

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

4160

# See https://www.iana.org/assignments/uri-schemes/prov/openpgp4fpr for more

4161

# details on this scheme.

4162

#

4163

# RFC6920 digest-named SubjectPublicKeyInfo (digest of the DER

4164

# serialization):

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

4165

# * "ni:///sha-256;cD9o9Cq6LG3jD0iKXqEi_vdjJGecm_iXkbqVoScViaU"

4166

# * "nih:///sha-256;703f68f42aba2c6de30f488a5ea122fef76324679c9bf89791ba95a1271589a5"

4167

"signature": "A String", # The content of the signature, an opaque bytestring.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

4168

# The payload that this signature verifies MUST be unambiguously provided

4169

# with the Signature during verification. A wrapper message might provide

4170

# the payload explicitly. Alternatively, a message might have a canonical

4171

# serialization that can always be unambiguously computed to derive the

4172

# payload.

4173

},

4174

],

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

4175

"serializedPayload": "A String", # The serialized payload that is verified by one or more `signatures`.

4176

# The encoding and semantic meaning of this payload must match what is set in

4177

# `content_type`.

4178

"contentType": "A String", # Type (for example schema) of the attestation payload that was signed.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

4179

# The verifier must ensure that the provided type is one that the verifier

4180

# supports, and that the attestation payload is a valid instantiation of that

4181

# type (for example by validating a JSON schema).

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

4182

},

4183

},

4184

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

4185

"vulnerability": { # Details of a vulnerability Occurrence. # Describes a security vulnerability.

4186

"longDescription": "A String", # Output only. A detailed description of this vulnerability.

4187

"shortDescription": "A String", # Output only. A one sentence description of this vulnerability.

4188

"effectiveSeverity": "A String", # The distro assigned severity for this vulnerability when it is

4189

# available, and note provider assigned severity when distro has not yet

4190

# assigned a severity for this vulnerability.

4191

"severity": "A String", # Output only. The note provider assigned Severity of the vulnerability.

4192

"cvssScore": 3.14, # Output only. The CVSS score of this vulnerability. CVSS score is on a

4193

# scale of 0-10 where 0 indicates low severity and 10 indicates high

4194

# severity.

4195

"relatedUrls": [ # Output only. URLs related to this vulnerability.

4196

{ # Metadata for any related URL information.

4197

"url": "A String", # Specific URL associated with the resource.

4198

"label": "A String", # Label to describe usage of the URL.

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

4199

},

4200

],

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

4201

"type": "A String", # The type of package; whether native or non native(ruby gems, node.js

4202

# packages etc)

4203

"packageIssue": [ # Required. The set of affected locations and their fixes (if available)

4204

# within the associated resource.

4205

{ # This message wraps a location affected by a vulnerability and its

4206

# associated fix (if one is available).

4207

"fixedLocation": { # The location of the vulnerability. # The location of the available fix for vulnerability.

4208

"package": "A String", # Required. The package being described.

4209

"version": { # Version contains structured information about the version of a package. # Required. The version of the package being described.

4210

"name": "A String", # Required only when version kind is NORMAL. The main part of the version

4211

# name.

4212

"kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal

4213

# versions.

4214

"epoch": 42, # Used to correct mistakes in the version numbering scheme.

4215

"revision": "A String", # The iteration of the package build from the above version.

4216

},

4217

"cpeUri": "A String", # Required. The CPE URI in [cpe format](https://cpe.mitre.org/specification/)

4218

# format. Examples include distro or storage location for vulnerable jar.

4219

},

4220

"severityName": "A String", # Deprecated, use Details.effective_severity instead

4221

# The severity (e.g., distro assigned severity) for this vulnerability.

4222

"affectedLocation": { # The location of the vulnerability. # Required. The location of the vulnerability.

4223

"package": "A String", # Required. The package being described.

4224

"version": { # Version contains structured information about the version of a package. # Required. The version of the package being described.

4225

"name": "A String", # Required only when version kind is NORMAL. The main part of the version

4226

# name.

4227

"kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal

4228

# versions.

4229

"epoch": 42, # Used to correct mistakes in the version numbering scheme.

4230

"revision": "A String", # The iteration of the package build from the above version.

4231

},

4232

"cpeUri": "A String", # Required. The CPE URI in [cpe format](https://cpe.mitre.org/specification/)

4233

# format. Examples include distro or storage location for vulnerable jar.

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

4234

},

4235

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

4236

],

4237

},

4238

"installation": { # Details of a package occurrence. # Describes the installation of a package on the linked resource.

4239

"installation": { # This represents how a particular software package may be installed on a # Required. Where the package was installed.

4240

# system.

4241

"location": [ # Required. All of the places within the filesystem versions of this package

4242

# have been found.

4243

{ # An occurrence of a particular package installation found within a system's

4244

# filesystem. E.g., glibc was found in `/var/lib/dpkg/status`.

4245

"version": { # Version contains structured information about the version of a package. # The version installed at this location.

4246

"name": "A String", # Required only when version kind is NORMAL. The main part of the version

4247

# name.

4248

"kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal

4249

# versions.

4250

"epoch": 42, # Used to correct mistakes in the version numbering scheme.

4251

"revision": "A String", # The iteration of the package build from the above version.

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

4252

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

4253

"path": "A String", # The path from which we gathered that this package/version is installed.

4254

"cpeUri": "A String", # Required. The CPE URI in [CPE format](https://cpe.mitre.org/specification/)

4255

# denoting the package manager version distributing a package.

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

4256

},

4257

],

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

4258

"name": "A String", # Output only. The name of the installed package.

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

4259

},

4260

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

4261

"build": { # Details of a build occurrence. # Describes a verifiable build.

4262

"provenanceBytes": "A String", # Serialized JSON representation of the provenance, used in generating the

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

4263

# build signature in the corresponding build note. After verifying the

4264

# signature, `provenance_bytes` can be unmarshalled and compared to the

4265

# provenance to confirm that it is unchanged. A base64-encoded string

4266

# representation of the provenance bytes is used for the signature in order

4267

# to interoperate with openssl which expects this format for signature

4268

# verification.

4269

#

4270

# The serialized form is captured both to avoid ambiguity in how the

4271

# provenance is marshalled to json as well to prevent incompatibilities with

4272

# future changes.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

4273

"provenance": { # Provenance of a build. Contains all information needed to verify the full # Required. The actual provenance for the build.

4274

# details about the build from source to completion.

4275

"logsUri": "A String", # URI where any logs for this provenance were written.

4276

"creator": "A String", # E-mail address of the user who initiated this build. Note that this was the

4277

# user's e-mail address at the time the build was initiated; this address may

4278

# not represent the same end-user for all time.

4279

"builderVersion": "A String", # Version string of the builder at the time this build was executed.

4280

"commands": [ # Commands requested by the build.

4281

{ # Command describes a step performed as part of the build pipeline.

4282

"name": "A String", # Required. Name of the command, as presented on the command line, or if the

4283

# command is packaged as a Docker container, as presented to `docker pull`.

4284

"id": "A String", # Optional unique identifier for this command, used in wait_for to reference

4285

# this command as a dependency.

4286

"dir": "A String", # Working directory (relative to project source root) used when running this

4287

# command.

4288

"waitFor": [ # The ID(s) of the command(s) that this command depends on.

4289

"A String",

4290

],

4291

"env": [ # Environment variables set before running this command.

4292

"A String",

4293

],

4294

"args": [ # Command-line arguments used when executing this command.

4295

"A String",

4296

],

4297

},

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

4298

],

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

4299

"builtArtifacts": [ # Output of the build.

4300

{ # Artifact describes a build product.

4301

"id": "A String", # Artifact ID, if any; for container images, this will be a URL by digest

4302

# like `gcr.io/projectID/imagename@sha256:123456`.

4303

"names": [ # Related artifact names. This may be the path to a binary or jar file, or in

4304

# the case of a container build, the name used to push the container image to

4305

# Google Container Registry, as presented to `docker push`. Note that a

4306

# single Artifact ID can have multiple names, for example if two tags are

4307

# applied to one image.

4308

"A String",

4309

],

4310

"checksum": "A String", # Hash or checksum value of a binary, or Docker Registry 2.0 digest of a

# container.

},

],

"id": "A String", # Required. Unique identifier of the build.

4315

"buildOptions": { # Special options applied to this build. This is a catch-all field where

4316

# build providers can enter any desired additional details.

4317

"a_key": "A String",

4318

},

4319

"endTime": "A String", # Time at which execution of the build was finished.

4320

"startTime": "A String", # Time at which execution of the build was started.

4321

"triggerId": "A String", # Trigger identifier if the build was triggered automatically; empty if not.

4322

"sourceProvenance": { # Source describes the location of the source used for the build. # Details of the Source input to the build.

4323

"artifactStorageSourceUri": "A String", # If provided, the input binary artifacts for the build came from this

4324

# location.

4325

"additionalContexts": [ # If provided, some of the source code used for the build may be found in

4326

# these locations, in the case where the source repository had multiple

4327

# remotes or submodules. This list will not include the context specified in

4328

# the context field.

4329

{ # A SourceContext is a reference to a tree of files. A SourceContext together

4330

# with a path point to a unique revision of a single file or directory.

4331

"cloudRepo": { # A CloudRepoSourceContext denotes a particular revision in a Google Cloud # A SourceContext referring to a revision in a Google Cloud Source Repo.

4332

# Source Repo.

4333

"revisionId": "A String", # A revision ID.

4334

"repoId": { # A unique identifier for a Cloud Repo. # The ID of the repo.

4335

"uid": "A String", # A server-assigned, globally unique identifier.

4336

"projectRepoId": { # Selects a repo using a Google Cloud Platform project ID (e.g., # A combination of a project ID and a repo name.

4337

# winged-cargo-31) and a repo name within that project.

4338

"projectId": "A String", # The ID of the project.

4339

"repoName": "A String", # The name of the repo. Leave empty for the default repo.

4340

},

4341

},

4342

"aliasContext": { # An alias to a repo revision. # An alias, which may be a branch or tag.

4343

"name": "A String", # The alias name.

4344

"kind": "A String", # The alias kind.

4345

},

4346

},

4347

"labels": { # Labels with user defined metadata.

4348

"a_key": "A String",

4349

},

4350

"git": { # A GitSourceContext denotes a particular revision in a third party Git # A SourceContext referring to any third party Git repo (e.g., GitHub).

4351

# repository (e.g., GitHub).

4352

"revisionId": "A String", # Git commit hash.

4353

"url": "A String", # Git repository URL.

4354

},

4355

"gerrit": { # A SourceContext referring to a Gerrit project. # A SourceContext referring to a Gerrit project.

4356

"gerritProject": "A String", # The full project name within the host. Projects may be nested, so

4357

# "project/subproject" is a valid project name. The "repo name" is the

4358

# hostURI/project.

4359

"aliasContext": { # An alias to a repo revision. # An alias, which may be a branch or tag.

4360

"name": "A String", # The alias name.

4361

"kind": "A String", # The alias kind.

4362

},

4363

"hostUri": "A String", # The URI of a running Gerrit instance.

4364

"revisionId": "A String", # A revision (commit) ID.

},

},

],

"fileHashes": { # Hash(es) of the build source, which can be used to verify that the original

4369

# source integrity was maintained in the build.

4370

#

4371

# The keys to this map are file paths used as build source and the values

4372

# contain the hash values for those files.

4373

#

4374

# If the build source came in a single package such as a gzipped tarfile

4375

# (.tar.gz), the FileHash will be for the single path to that file.

4376

"a_key": { # Container message for hashes of byte content of files, used in source

4377

# messages to verify integrity of source input to the build.

4378

"fileHash": [ # Required. Collection of file hashes.

4379

{ # Container message for hash values.

4380

"type": "A String", # Required. The type of hash that was performed.

4381

"value": "A String", # Required. The hash value.

4382

},

4383

],

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

4384

},

4385

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

4386

"context": { # A SourceContext is a reference to a tree of files. A SourceContext together # If provided, the source code used for the build came from this location.

4387

# with a path point to a unique revision of a single file or directory.

4388

"cloudRepo": { # A CloudRepoSourceContext denotes a particular revision in a Google Cloud # A SourceContext referring to a revision in a Google Cloud Source Repo.

4389

# Source Repo.

4390

"revisionId": "A String", # A revision ID.

4391

"repoId": { # A unique identifier for a Cloud Repo. # The ID of the repo.

4392

"uid": "A String", # A server-assigned, globally unique identifier.

4393

"projectRepoId": { # Selects a repo using a Google Cloud Platform project ID (e.g., # A combination of a project ID and a repo name.

4394

# winged-cargo-31) and a repo name within that project.

4395

"projectId": "A String", # The ID of the project.

4396

"repoName": "A String", # The name of the repo. Leave empty for the default repo.

4397

},

4398

},

4399

"aliasContext": { # An alias to a repo revision. # An alias, which may be a branch or tag.

4400

"name": "A String", # The alias name.

4401

"kind": "A String", # The alias kind.

4402

},

4403

},

4404

"labels": { # Labels with user defined metadata.

4405

"a_key": "A String",

4406

},

4407

"git": { # A GitSourceContext denotes a particular revision in a third party Git # A SourceContext referring to any third party Git repo (e.g., GitHub).

4408

# repository (e.g., GitHub).

4409

"revisionId": "A String", # Git commit hash.

4410

"url": "A String", # Git repository URL.

4411

},

4412

"gerrit": { # A SourceContext referring to a Gerrit project. # A SourceContext referring to a Gerrit project.

4413

"gerritProject": "A String", # The full project name within the host. Projects may be nested, so

4414

# "project/subproject" is a valid project name. The "repo name" is the

4415

# hostURI/project.

4416

"aliasContext": { # An alias to a repo revision. # An alias, which may be a branch or tag.

4417

"name": "A String", # The alias name.

4418

"kind": "A String", # The alias kind.

4419

},

4420

"hostUri": "A String", # The URI of a running Gerrit instance.

4421

"revisionId": "A String", # A revision (commit) ID.

4422

},

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

4423

},

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

4424

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

4425

"createTime": "A String", # Time at which the build was created.

4426

"projectId": "A String", # ID of the project.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

4427

},

4428

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

4429

"discovered": { # Details of a discovery occurrence. # Describes when a resource was discovered.

4430

"discovered": { # Provides information about the analysis status of a discovered resource. # Required. Analysis status for the discovered resource.

4431

"analysisStatusError": { # The `Status` type defines a logical error model that is suitable for # When an error is encountered this will contain a LocalizedMessage under

4432

# details to show to the user. The LocalizedMessage is output only and

4433

# populated by the API.

4434

# different programming environments, including REST APIs and RPC APIs. It is

4435

# used by [gRPC](https://github.com/grpc). Each `Status` message contains

4436

# three pieces of data: error code, error message, and error details.

4437

#

4438

# You can find out more about this error model and how to work with it in the

4439

# [API Design Guide](https://cloud.google.com/apis/design/errors).

4440

"code": 42, # The status code, which should be an enum value of google.rpc.Code.

4441

"message": "A String", # A developer-facing error message, which should be in English. Any

4442

# user-facing error message should be localized and sent in the

4443

# google.rpc.Status.details field, or localized by the client.

4444

"details": [ # A list of messages that carry the error details. There is a common set of

4445

# message types for APIs to use.

4446

{

4447

"a_key": "", # Properties of the object. Contains field @type with type URL.

},

],

},

"analysisStatus": "A String", # The status of discovery for the resource.

4452

"continuousAnalysis": "A String", # Whether the resource is continuously analyzed.

4453

"lastAnalysisTime": "A String", # The last time continuous analysis was done for this resource.

4454

# Deprecated, do not use.

4455

},

4456

},

4457

"noteName": "A String", # Required. Immutable. The analysis note associated with this occurrence, in

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

4458

# the form of `projects/[PROVIDER_ID]/notes/[NOTE_ID]`. This field can be

4459

# used as a filter in list requests.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

4460

"deployment": { # Details of a deployment occurrence. # Describes the deployment of an artifact on a runtime.

4461

"deployment": { # The period during which some deployable was active in a runtime. # Required. Deployment history for the resource.

4462

"undeployTime": "A String", # End of the lifetime of this deployment.

4463

"platform": "A String", # Platform hosting this deployment.

4464

"deployTime": "A String", # Required. Beginning of the lifetime of this deployment.

4465

"address": "A String", # Address of the runtime element hosting this deployment.

4466

"resourceUri": [ # Output only. Resource URI for the artifact being deployed taken from

4467

# the deployable field with the same name.

4468

"A String",

4469

],

4470

"userEmail": "A String", # Identity of the user that triggered this deployment.

4471

"config": "A String", # Configuration used to create this deployment.

4472

},

4473

},

4474

"createTime": "A String", # Output only. The time this occurrence was created.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

4475

}

4476

4477

updateMask: string, The fields to update.

4478

x__xgafv: string, V1 error format.

Allowed values

1 - v1 error format

2 - v2 error format

Returns:

An object of the form:

4485

4486

{ # An instance of an analysis type that has been found on a resource.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

4487

"updateTime": "A String", # Output only. The time this occurrence was last updated.

4488

"remediation": "A String", # A description of actions that can be taken to remedy the note.

4489

"intoto": { # This corresponds to a signed in-toto link - it is made up of one or more # Describes a specific in-toto link.

4490

# signatures and the in-toto link itself. This is used for occurrences of a

4491

# Grafeas in-toto note.

4492

"signed": { # This corresponds to an in-toto link.

4493

"command": [ # This field contains the full command executed for the step. This can also

4494

# be empty if links are generated for operations that aren't directly mapped

4495

# to a specific command. Each term in the command is an independent string

4496

# in the list. An example of a command in the in-toto metadata field is:

4497

# "command": ["git", "clone", "https://github.com/in-toto/demo-project.git"]

4498

"A String",

4499

],

4500

"byproducts": { # Defines an object for the byproducts field in in-toto links. The suggested # ByProducts are data generated as part of a software supply chain step, but

4501

# are not the actual result of the step.

4502

# fields are "stderr", "stdout", and "return-value".

"customValues": {

"a_key": "A String",

},

},

"environment": { # Defines an object for the environment field in in-toto links. The suggested # This is a field that can be used to capture information about the

4508

# environment. It is suggested for this field to contain information that

4509

# details environment variables, filesystem information, and the present

4510

# working directory. The recommended structure of this field is:

4511

# "environment": {

4512

# "custom_values": {

4513

# "variables": "<ENV>",

4514

# "filesystem": "<FS>",

4515

# "workdir": "<CWD>",

4516

# "<ANY OTHER RELEVANT FIELDS>": "..."

4517

# }

4518

# }

4519

# fields are "variables", "filesystem", and "workdir".

"customValues": {

"a_key": "A String",

},

},

"materials": [ # Materials are the supply chain artifacts that go into the step and are used

4525

# for the operation performed. The key of the map is the path of the artifact

4526

# and the structure contains the recorded hash information. An example is:

4527

# "materials": [

4528

# {

4529

# "resource_uri": "foo/bar",

4530

# "hashes": {

4531

# "sha256": "ebebf...",

4532

# <OTHER HASH ALGORITHMS>: <HASH VALUE>

# }

# }

# ]

{

"hashes": { # Defines a hash object for use in Materials and Products.

4538

"sha256": "A String",

4539

},

4540

"resourceUri": "A String",

4541

},

4542

],

4543

"products": [ # Products are the supply chain artifacts generated as a result of the step.

4544

# The structure is identical to that of materials.

4545

{

4546

"hashes": { # Defines a hash object for use in Materials and Products.

4547

"sha256": "A String",

4548

},

4549

"resourceUri": "A String",

4550

},

4551

],

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

4552

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

4553

"signatures": [

4554

{ # A signature object consists of the KeyID used and the signature itself.

4555

"sig": "A String",

4556

"keyid": "A String",

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

4557

},

4558

],

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

4559

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

4560

"derivedImage": { # Details of an image occurrence. # Describes how this resource derives from the basis in the associated

4561

# note.

4562

"derivedImage": { # Derived describes the derived image portion (Occurrence) of the DockerImage # Required. Immutable. The child image derived from the base image.

4563

# relationship. This image would be produced from a Dockerfile with FROM

4564

# <DockerImage.Basis in attached Note>.

4565

"fingerprint": { # A set of properties that uniquely identify a given Docker image. # Required. The fingerprint of the derived image.

4566

"v1Name": "A String", # Required. The layer ID of the final layer in the Docker image's v1

4567

# representation.

4568

"v2Name": "A String", # Output only. The name of the image's v2 blobs computed via:

4569

# [bottom] := v2_blobbottom := sha256(v2_blob[N] + " " + v2_name[N+1])

4570

# Only the name of the final blob is kept.

4571

"v2Blob": [ # Required. The ordered list of v2 blobs that represent a given image.

4572

"A String",

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

4573

],

4574

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

4575

"layerInfo": [ # This contains layer-specific metadata, if populated it has length

4576

# "distance" and is ordered with [distance] being the layer immediately

4577

# following the base image and [1] being the final layer.

4578

{ # Layer holds metadata specific to a layer of a Docker image.

4579

"directive": "A String", # Required. The recovered Dockerfile directive used to construct this layer.

4580

"arguments": "A String", # The recovered arguments to the Dockerfile directive.

4581

},

4582

],

4583

"distance": 42, # Output only. The number of layers by which this image differs from the

4584

# associated image basis.

4585

"baseResourceUrl": "A String", # Output only. This contains the base image URL for the derived image

4586

# occurrence.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

4587

},

4588

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

4589

"kind": "A String", # Output only. This explicitly denotes which of the occurrence details are

4590

# specified. This field can be used as a filter in list requests.

4591

"resource": { # An entity that can have metadata. For example, a Docker image. # Required. Immutable. The resource for which the occurrence applies.

4592

"name": "A String", # Deprecated, do not use. Use uri instead.

4593

#

4594

# The name of the resource. For example, the name of a Docker image -

4595

# "Debian".

4596

"contentHash": { # Container message for hash values. # Deprecated, do not use. Use uri instead.

4597

#

4598

# The hash of the resource content. For example, the Docker digest.

4599

"type": "A String", # Required. The type of hash that was performed.

4600

"value": "A String", # Required. The hash value.

4601

},

4602

"uri": "A String", # Required. The unique URI of the resource. For example,

4603

# `https://gcr.io/project/image@sha256:foo` for a Docker image.

4604

},

4605

"name": "A String", # Output only. The name of the occurrence in the form of

4606

# `projects/[PROJECT_ID]/occurrences/[OCCURRENCE_ID]`.

4607

"attestation": { # Details of an attestation occurrence. # Describes an attestation of an artifact.

4608

"attestation": { # Occurrence that represents a single "attestation". The authenticity of an # Required. Attestation for the resource.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

4609

# attestation can be verified using the attached signature. If the verifier

4610

# trusts the public key of the signer, then verifying the signature is

4611

# sufficient to establish trust. In this circumstance, the authority to which

4612

# this attestation is attached is primarily useful for look-up (how to find

4613

# this attestation if you already know the authority and artifact to be

4614

# verified) and intent (which authority was this attestation intended to sign

4615

# for).

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

4616

"pgpSignedAttestation": { # An attestation wrapper with a PGP-compatible signature. This message only # A PGP signed attestation.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

4617

# supports `ATTACHED` signatures, where the payload that is signed is included

4618

# alongside the signature itself in the same file.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

4619

"contentType": "A String", # Type (for example schema) of the attestation payload that was signed.

4620

# The verifier must ensure that the provided type is one that the verifier

4621

# supports, and that the attestation payload is a valid instantiation of that

4622

# type (for example by validating a JSON schema).

4623

"signature": "A String", # Required. The raw content of the signature, as output by GNU Privacy Guard

4624

# (GPG) or equivalent. Since this message only supports attached signatures,

4625

# the payload that was signed must be attached. While the signature format

4626

# supported is dependent on the verification implementation, currently only

4627

# ASCII-armored (`--armor` to gpg), non-clearsigned (`--sign` rather than

4628

# `--clearsign` to gpg) are supported. Concretely, `gpg --sign --armor

4629

# --output=signature.gpg payload.json` will create the signature content

4630

# expected in this field in `signature.gpg` for the `payload.json`

4631

# attestation payload.

4632

"pgpKeyId": "A String", # The cryptographic fingerprint of the key used to generate the signature,

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

4633

# as output by, e.g. `gpg --list-keys`. This should be the version 4, full

4634

# 160-bit fingerprint, expressed as a 40 character hexidecimal string. See

4635

# https://tools.ietf.org/html/rfc4880#section-12.2 for details.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

4636

# Implementations may choose to acknowledge "LONG", "SHORT", or other

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

4637

# abbreviated key IDs, but only the full fingerprint is guaranteed to work.

4638

# In gpg, the full fingerprint can be retrieved from the `fpr` field

4639

# returned when calling --list-keys with --with-colons. For example:

4640

# ```

4641

# gpg --with-colons --with-fingerprint --force-v4-certs \

4642

# --list-keys attester@example.com

4643

# tru::1:1513631572:0:3:1:5

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

4644

# pub:...<SNIP>...

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

4645

# fpr:::::::::24FF6481B76AC91E66A00AC657A93A81EF3AE6FB:

4646

# ```

4647

# Above, the fingerprint is `24FF6481B76AC91E66A00AC657A93A81EF3AE6FB`.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

4648

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

4649

"genericSignedAttestation": { # An attestation wrapper that uses the Grafeas `Signature` message.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

4650

# This attestation must define the `serialized_payload` that the `signatures`

4651

# verify and any metadata necessary to interpret that plaintext. The

4652

# signatures should always be over the `serialized_payload` bytestring.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

4653

"signatures": [ # One or more signatures over `serialized_payload`. Verifier implementations

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

4654

# should consider this attestation message verified if at least one

4655

# `signature` verifies `serialized_payload`. See `Signature` in common.proto

4656

# for more details on signature structure and verification.

4657

{ # Verifiers (e.g. Kritis implementations) MUST verify signatures

4658

# with respect to the trust anchors defined in policy (e.g. a Kritis policy).

4659

# Typically this means that the verifier has been configured with a map from

4660

# `public_key_id` to public key material (and any required parameters, e.g.

4661

# signing algorithm).

4662

#

4663

# In particular, verification implementations MUST NOT treat the signature

4664

# `public_key_id` as anything more than a key lookup hint. The `public_key_id`

4665

# DOES NOT validate or authenticate a public key; it only provides a mechanism

4666

# for quickly selecting a public key ALREADY CONFIGURED on the verifier through

4667

# a trusted channel. Verification implementations MUST reject signatures in any

4668

# of the following circumstances:

4669

# * The `public_key_id` is not recognized by the verifier.

4670

# * The public key that `public_key_id` refers to does not verify the

4671

# signature with respect to the payload.

4672

#

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

4673

# The `signature` contents SHOULD NOT be "attached" (where the payload is

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

4674

# included with the serialized `signature` bytes). Verifiers MUST ignore any

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

4675

# "attached" payload and only verify signatures with respect to explicitly

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

4676

# provided payload (e.g. a `payload` field on the proto message that holds

4677

# this Signature, or the canonical serialization of the proto message that

4678

# holds this signature).

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

4679

"publicKeyId": "A String", # The identifier for the public key that verifies this signature.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

4680

# * The `public_key_id` is required.

4681

# * The `public_key_id` MUST be an RFC3986 conformant URI.

4682

# * When possible, the `public_key_id` SHOULD be an immutable reference,

4683

# such as a cryptographic digest.

4684

#

4685

# Examples of valid `public_key_id`s:

4686

#

4687

# OpenPGP V4 public key fingerprint:

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

4688

# * "openpgp4fpr:74FAF3B861BDA0870C7B6DEF607E48D2A663AEEA"

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

4689

# See https://www.iana.org/assignments/uri-schemes/prov/openpgp4fpr for more

4690

# details on this scheme.

4691

#

4692

# RFC6920 digest-named SubjectPublicKeyInfo (digest of the DER

4693

# serialization):

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

4694

# * "ni:///sha-256;cD9o9Cq6LG3jD0iKXqEi_vdjJGecm_iXkbqVoScViaU"

4695

# * "nih:///sha-256;703f68f42aba2c6de30f488a5ea122fef76324679c9bf89791ba95a1271589a5"

4696

"signature": "A String", # The content of the signature, an opaque bytestring.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

4697

# The payload that this signature verifies MUST be unambiguously provided

4698

# with the Signature during verification. A wrapper message might provide

4699

# the payload explicitly. Alternatively, a message might have a canonical

4700

# serialization that can always be unambiguously computed to derive the

4701

# payload.

4702

},

4703

],

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

4704

"serializedPayload": "A String", # The serialized payload that is verified by one or more `signatures`.

4705

# The encoding and semantic meaning of this payload must match what is set in

4706

# `content_type`.

4707

"contentType": "A String", # Type (for example schema) of the attestation payload that was signed.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

4708

# The verifier must ensure that the provided type is one that the verifier

4709

# supports, and that the attestation payload is a valid instantiation of that

4710

# type (for example by validating a JSON schema).

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

4711

},

4712

},

4713

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

4714

"vulnerability": { # Details of a vulnerability Occurrence. # Describes a security vulnerability.

4715

"longDescription": "A String", # Output only. A detailed description of this vulnerability.

4716

"shortDescription": "A String", # Output only. A one sentence description of this vulnerability.

4717

"effectiveSeverity": "A String", # The distro assigned severity for this vulnerability when it is

4718

# available, and note provider assigned severity when distro has not yet

4719

# assigned a severity for this vulnerability.

4720

"severity": "A String", # Output only. The note provider assigned Severity of the vulnerability.

4721

"cvssScore": 3.14, # Output only. The CVSS score of this vulnerability. CVSS score is on a

4722

# scale of 0-10 where 0 indicates low severity and 10 indicates high

4723

# severity.

4724

"relatedUrls": [ # Output only. URLs related to this vulnerability.

4725

{ # Metadata for any related URL information.

4726

"url": "A String", # Specific URL associated with the resource.

4727

"label": "A String", # Label to describe usage of the URL.

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

4728

},

4729

],

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

4730

"type": "A String", # The type of package; whether native or non native(ruby gems, node.js

4731

# packages etc)

4732

"packageIssue": [ # Required. The set of affected locations and their fixes (if available)

4733

# within the associated resource.

4734

{ # This message wraps a location affected by a vulnerability and its

4735

# associated fix (if one is available).

4736

"fixedLocation": { # The location of the vulnerability. # The location of the available fix for vulnerability.

4737

"package": "A String", # Required. The package being described.

4738

"version": { # Version contains structured information about the version of a package. # Required. The version of the package being described.

4739

"name": "A String", # Required only when version kind is NORMAL. The main part of the version

4740

# name.

4741

"kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal

4742

# versions.

4743

"epoch": 42, # Used to correct mistakes in the version numbering scheme.

4744

"revision": "A String", # The iteration of the package build from the above version.

4745

},

4746

"cpeUri": "A String", # Required. The CPE URI in [cpe format](https://cpe.mitre.org/specification/)

4747

# format. Examples include distro or storage location for vulnerable jar.

4748

},

4749

"severityName": "A String", # Deprecated, use Details.effective_severity instead

4750

# The severity (e.g., distro assigned severity) for this vulnerability.

4751

"affectedLocation": { # The location of the vulnerability. # Required. The location of the vulnerability.

4752

"package": "A String", # Required. The package being described.

4753

"version": { # Version contains structured information about the version of a package. # Required. The version of the package being described.

4754

"name": "A String", # Required only when version kind is NORMAL. The main part of the version

4755

# name.

4756

"kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal

4757

# versions.

4758

"epoch": 42, # Used to correct mistakes in the version numbering scheme.

4759

"revision": "A String", # The iteration of the package build from the above version.

4760

},

4761

"cpeUri": "A String", # Required. The CPE URI in [cpe format](https://cpe.mitre.org/specification/)

4762

# format. Examples include distro or storage location for vulnerable jar.

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

4763

},

4764

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

4765

],

4766

},

4767

"installation": { # Details of a package occurrence. # Describes the installation of a package on the linked resource.

4768

"installation": { # This represents how a particular software package may be installed on a # Required. Where the package was installed.

4769

# system.

4770

"location": [ # Required. All of the places within the filesystem versions of this package

4771

# have been found.

4772

{ # An occurrence of a particular package installation found within a system's

4773

# filesystem. E.g., glibc was found in `/var/lib/dpkg/status`.

4774

"version": { # Version contains structured information about the version of a package. # The version installed at this location.

4775

"name": "A String", # Required only when version kind is NORMAL. The main part of the version

4776

# name.

4777

"kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal

4778

# versions.

4779

"epoch": 42, # Used to correct mistakes in the version numbering scheme.

4780

"revision": "A String", # The iteration of the package build from the above version.

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

4781

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

4782

"path": "A String", # The path from which we gathered that this package/version is installed.

4783

"cpeUri": "A String", # Required. The CPE URI in [CPE format](https://cpe.mitre.org/specification/)

4784

# denoting the package manager version distributing a package.

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

4785

},

4786

],

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

4787

"name": "A String", # Output only. The name of the installed package.

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

4788

},

4789

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

4790

"build": { # Details of a build occurrence. # Describes a verifiable build.

4791

"provenanceBytes": "A String", # Serialized JSON representation of the provenance, used in generating the

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

4792

# build signature in the corresponding build note. After verifying the

4793

# signature, `provenance_bytes` can be unmarshalled and compared to the

4794

# provenance to confirm that it is unchanged. A base64-encoded string

4795

# representation of the provenance bytes is used for the signature in order

4796

# to interoperate with openssl which expects this format for signature

4797

# verification.

4798

#

4799

# The serialized form is captured both to avoid ambiguity in how the

4800

# provenance is marshalled to json as well to prevent incompatibilities with

4801

# future changes.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

4802

"provenance": { # Provenance of a build. Contains all information needed to verify the full # Required. The actual provenance for the build.

4803

# details about the build from source to completion.

4804

"logsUri": "A String", # URI where any logs for this provenance were written.

4805

"creator": "A String", # E-mail address of the user who initiated this build. Note that this was the

4806

# user's e-mail address at the time the build was initiated; this address may

4807

# not represent the same end-user for all time.

4808

"builderVersion": "A String", # Version string of the builder at the time this build was executed.

4809

"commands": [ # Commands requested by the build.

4810

{ # Command describes a step performed as part of the build pipeline.

4811

"name": "A String", # Required. Name of the command, as presented on the command line, or if the

4812

# command is packaged as a Docker container, as presented to `docker pull`.

4813

"id": "A String", # Optional unique identifier for this command, used in wait_for to reference

4814

# this command as a dependency.

4815

"dir": "A String", # Working directory (relative to project source root) used when running this

4816

# command.

4817

"waitFor": [ # The ID(s) of the command(s) that this command depends on.

4818

"A String",

4819

],

4820

"env": [ # Environment variables set before running this command.

4821

"A String",

4822

],

4823

"args": [ # Command-line arguments used when executing this command.

4824

"A String",

4825

],

4826

},

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

4827

],

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

4828

"builtArtifacts": [ # Output of the build.

4829

{ # Artifact describes a build product.

4830

"id": "A String", # Artifact ID, if any; for container images, this will be a URL by digest

4831

# like `gcr.io/projectID/imagename@sha256:123456`.

4832

"names": [ # Related artifact names. This may be the path to a binary or jar file, or in

4833

# the case of a container build, the name used to push the container image to

4834

# Google Container Registry, as presented to `docker push`. Note that a

4835

# single Artifact ID can have multiple names, for example if two tags are

4836

# applied to one image.

4837

"A String",

4838

],

4839

"checksum": "A String", # Hash or checksum value of a binary, or Docker Registry 2.0 digest of a

# container.

},

],

"id": "A String", # Required. Unique identifier of the build.

4844

"buildOptions": { # Special options applied to this build. This is a catch-all field where

4845

# build providers can enter any desired additional details.

4846

"a_key": "A String",

4847

},

4848

"endTime": "A String", # Time at which execution of the build was finished.

4849

"startTime": "A String", # Time at which execution of the build was started.

4850

"triggerId": "A String", # Trigger identifier if the build was triggered automatically; empty if not.

4851

"sourceProvenance": { # Source describes the location of the source used for the build. # Details of the Source input to the build.

4852

"artifactStorageSourceUri": "A String", # If provided, the input binary artifacts for the build came from this

4853

# location.

4854

"additionalContexts": [ # If provided, some of the source code used for the build may be found in

4855

# these locations, in the case where the source repository had multiple

4856

# remotes or submodules. This list will not include the context specified in

4857

# the context field.

4858

{ # A SourceContext is a reference to a tree of files. A SourceContext together

4859

# with a path point to a unique revision of a single file or directory.

4860

"cloudRepo": { # A CloudRepoSourceContext denotes a particular revision in a Google Cloud # A SourceContext referring to a revision in a Google Cloud Source Repo.

4861

# Source Repo.

4862

"revisionId": "A String", # A revision ID.

4863

"repoId": { # A unique identifier for a Cloud Repo. # The ID of the repo.

4864

"uid": "A String", # A server-assigned, globally unique identifier.

4865

"projectRepoId": { # Selects a repo using a Google Cloud Platform project ID (e.g., # A combination of a project ID and a repo name.

4866

# winged-cargo-31) and a repo name within that project.

4867

"projectId": "A String", # The ID of the project.

4868

"repoName": "A String", # The name of the repo. Leave empty for the default repo.

4869

},

4870

},

4871

"aliasContext": { # An alias to a repo revision. # An alias, which may be a branch or tag.

4872

"name": "A String", # The alias name.

4873

"kind": "A String", # The alias kind.

4874

},

4875

},

4876

"labels": { # Labels with user defined metadata.

4877

"a_key": "A String",

4878

},

4879

"git": { # A GitSourceContext denotes a particular revision in a third party Git # A SourceContext referring to any third party Git repo (e.g., GitHub).

4880

# repository (e.g., GitHub).

4881

"revisionId": "A String", # Git commit hash.

4882

"url": "A String", # Git repository URL.

4883

},

4884

"gerrit": { # A SourceContext referring to a Gerrit project. # A SourceContext referring to a Gerrit project.

4885

"gerritProject": "A String", # The full project name within the host. Projects may be nested, so

4886

# "project/subproject" is a valid project name. The "repo name" is the

4887

# hostURI/project.

4888

"aliasContext": { # An alias to a repo revision. # An alias, which may be a branch or tag.

4889

"name": "A String", # The alias name.

4890

"kind": "A String", # The alias kind.

4891

},

4892

"hostUri": "A String", # The URI of a running Gerrit instance.

4893

"revisionId": "A String", # A revision (commit) ID.

},

},

],

"fileHashes": { # Hash(es) of the build source, which can be used to verify that the original

4898

# source integrity was maintained in the build.

4899

#

4900

# The keys to this map are file paths used as build source and the values

4901

# contain the hash values for those files.

4902

#

4903

# If the build source came in a single package such as a gzipped tarfile

4904

# (.tar.gz), the FileHash will be for the single path to that file.

4905

"a_key": { # Container message for hashes of byte content of files, used in source

4906

# messages to verify integrity of source input to the build.

4907

"fileHash": [ # Required. Collection of file hashes.

4908

{ # Container message for hash values.

4909

"type": "A String", # Required. The type of hash that was performed.

4910

"value": "A String", # Required. The hash value.

4911

},

4912

],

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

4913

},

4914

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

4915

"context": { # A SourceContext is a reference to a tree of files. A SourceContext together # If provided, the source code used for the build came from this location.

4916

# with a path point to a unique revision of a single file or directory.

4917

"cloudRepo": { # A CloudRepoSourceContext denotes a particular revision in a Google Cloud # A SourceContext referring to a revision in a Google Cloud Source Repo.

4918

# Source Repo.

4919

"revisionId": "A String", # A revision ID.

4920

"repoId": { # A unique identifier for a Cloud Repo. # The ID of the repo.

4921

"uid": "A String", # A server-assigned, globally unique identifier.

4922

"projectRepoId": { # Selects a repo using a Google Cloud Platform project ID (e.g., # A combination of a project ID and a repo name.

4923

# winged-cargo-31) and a repo name within that project.

4924

"projectId": "A String", # The ID of the project.

4925

"repoName": "A String", # The name of the repo. Leave empty for the default repo.

4926

},

4927

},

4928

"aliasContext": { # An alias to a repo revision. # An alias, which may be a branch or tag.

4929

"name": "A String", # The alias name.

4930

"kind": "A String", # The alias kind.

4931

},

4932

},

4933

"labels": { # Labels with user defined metadata.

4934

"a_key": "A String",

4935

},

4936

"git": { # A GitSourceContext denotes a particular revision in a third party Git # A SourceContext referring to any third party Git repo (e.g., GitHub).

4937

# repository (e.g., GitHub).

4938

"revisionId": "A String", # Git commit hash.

4939

"url": "A String", # Git repository URL.

4940

},

4941

"gerrit": { # A SourceContext referring to a Gerrit project. # A SourceContext referring to a Gerrit project.

4942

"gerritProject": "A String", # The full project name within the host. Projects may be nested, so

4943

# "project/subproject" is a valid project name. The "repo name" is the

4944

# hostURI/project.

4945

"aliasContext": { # An alias to a repo revision. # An alias, which may be a branch or tag.

4946

"name": "A String", # The alias name.

4947

"kind": "A String", # The alias kind.

4948

},

4949

"hostUri": "A String", # The URI of a running Gerrit instance.

4950

"revisionId": "A String", # A revision (commit) ID.

4951

},

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

4952

},

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

4953

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

4954

"createTime": "A String", # Time at which the build was created.

4955

"projectId": "A String", # ID of the project.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

4956

},

4957

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

4958

"discovered": { # Details of a discovery occurrence. # Describes when a resource was discovered.

4959

"discovered": { # Provides information about the analysis status of a discovered resource. # Required. Analysis status for the discovered resource.

4960

"analysisStatusError": { # The `Status` type defines a logical error model that is suitable for # When an error is encountered this will contain a LocalizedMessage under

4961

# details to show to the user. The LocalizedMessage is output only and

4962

# populated by the API.

4963

# different programming environments, including REST APIs and RPC APIs. It is

4964

# used by [gRPC](https://github.com/grpc). Each `Status` message contains

4965

# three pieces of data: error code, error message, and error details.

4966

#

4967

# You can find out more about this error model and how to work with it in the

4968

# [API Design Guide](https://cloud.google.com/apis/design/errors).

4969

"code": 42, # The status code, which should be an enum value of google.rpc.Code.

4970

"message": "A String", # A developer-facing error message, which should be in English. Any

4971

# user-facing error message should be localized and sent in the

4972

# google.rpc.Status.details field, or localized by the client.

4973

"details": [ # A list of messages that carry the error details. There is a common set of

4974

# message types for APIs to use.

4975

{

4976

"a_key": "", # Properties of the object. Contains field @type with type URL.

},

],

},

"analysisStatus": "A String", # The status of discovery for the resource.

4981

"continuousAnalysis": "A String", # Whether the resource is continuously analyzed.

4982

"lastAnalysisTime": "A String", # The last time continuous analysis was done for this resource.

4983

# Deprecated, do not use.

4984

},

4985

},

4986

"noteName": "A String", # Required. Immutable. The analysis note associated with this occurrence, in

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

4987

# the form of `projects/[PROVIDER_ID]/notes/[NOTE_ID]`. This field can be

4988

# used as a filter in list requests.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

4989

"deployment": { # Details of a deployment occurrence. # Describes the deployment of an artifact on a runtime.

4990

"deployment": { # The period during which some deployable was active in a runtime. # Required. Deployment history for the resource.

4991

"undeployTime": "A String", # End of the lifetime of this deployment.

4992

"platform": "A String", # Platform hosting this deployment.

4993

"deployTime": "A String", # Required. Beginning of the lifetime of this deployment.

4994

"address": "A String", # Address of the runtime element hosting this deployment.

4995

"resourceUri": [ # Output only. Resource URI for the artifact being deployed taken from

4996

# the deployable field with the same name.

4997

"A String",

4998

],

4999

"userEmail": "A String", # Identity of the user that triggered this deployment.

5000

"config": "A String", # Configuration used to create this deployment.

5001

},

5002

},

5003

"createTime": "A String", # Output only. The time this occurrence was created.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

}</pre>

</div>

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

5008

<code class="details" id="setIamPolicy">setIamPolicy(resource, body=None, x__xgafv=None)</code>

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

5009

<pre>Sets the access control policy on the specified note or occurrence.

5010

Requires `containeranalysis.notes.setIamPolicy` or

5011

`containeranalysis.occurrences.setIamPolicy` permission if the resource is

5012

a note or an occurrence, respectively.

5013

5014

The resource takes the format `projects/[PROJECT_ID]/notes/[NOTE_ID]` for

5015

notes and `projects/[PROJECT_ID]/occurrences/[OCCURRENCE_ID]` for

occurrences.

Args:

resource: string, REQUIRED: The resource for which the policy is being specified.

5020

See the operation documentation for the appropriate value for this field. (required)

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

5021

body: object, The request body.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

5022

The object takes the form of:

5023

5024

{ # Request message for `SetIamPolicy` method.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

5025

"policy": { # An Identity and Access Management (IAM) policy, which specifies access # REQUIRED: The complete policy to be applied to the `resource`. The size of

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

5026

# the policy is limited to a few 10s of KB. An empty policy is a

5027

# valid policy but certain Cloud Platform services (such as Projects)

5028

# might reject them.

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

5029

# controls for Google Cloud resources.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

5030

#

5031

#

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

5032

# A `Policy` is a collection of `bindings`. A `binding` binds one or more

5033

# `members` to a single `role`. Members can be user accounts, service accounts,

5034

# Google groups, and domains (such as G Suite). A `role` is a named list of

5035

# permissions; each `role` can be an IAM predefined role or a user-created

5036

# custom role.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

5037

#

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

5038

# For some types of Google Cloud resources, a `binding` can also specify a

5039

# `condition`, which is a logical expression that allows access to a resource

5040

# only if the expression evaluates to `true`. A condition can add constraints

5041

# based on attributes of the request, the resource, or both. To learn which

5042

# resources support conditions in their IAM policies, see the

5043

# [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies).

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

5044

#

5045

# **JSON example:**

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

5046

#

5047

# {

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

5048

# "bindings": [

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

5049

# {

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

5050

# "role": "roles/resourcemanager.organizationAdmin",

5051

# "members": [

5052

# "user:mike@example.com",

5053

# "group:admins@example.com",

5054

# "domain:google.com",

5055

# "serviceAccount:my-project-id@appspot.gserviceaccount.com"

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

5056

# ]

5057

# },

5058

# {

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

5059

# "role": "roles/resourcemanager.organizationViewer",

5060

# "members": [

5061

# "user:eve@example.com"

5062

# ],

5063

# "condition": {

5064

# "title": "expirable access",

5065

# "description": "Does not grant access after Sep 2020",

5066

# "expression": "request.time < timestamp('2020-10-01T00:00:00.000Z')",

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

5067

# }

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

5068

# }

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

5069

# ],

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

5070

# "etag": "BwWWja0YfJA=",

5071

# "version": 3

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

5072

# }

5073

#

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

5074

# **YAML example:**

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

#

# bindings:

# - members:

# - user:mike@example.com

5079

# - group:admins@example.com

5080

# - domain:google.com

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

5081

# - serviceAccount:my-project-id@appspot.gserviceaccount.com

5082

# role: roles/resourcemanager.organizationAdmin

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

5083

# - members:

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

5084

# - user:eve@example.com

5085

# role: roles/resourcemanager.organizationViewer

5086

# condition:

5087

# title: expirable access

5088

# description: Does not grant access after Sep 2020

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

5089

# expression: request.time < timestamp('2020-10-01T00:00:00.000Z')

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

5090

# - etag: BwWWja0YfJA=

5091

# - version: 3

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

5092

#

5093

# For a description of IAM and its features, see the

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

5094

# [IAM documentation](https://cloud.google.com/iam/docs/).

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

5095

"version": 42, # Specifies the format of the policy.

5096

#

5097

# Valid values are `0`, `1`, and `3`. Requests that specify an invalid value

5098

# are rejected.

5099

#

5100

# Any operation that affects conditional role bindings must specify version

5101

# `3`. This requirement applies to the following operations:

5102

#

5103

# * Getting a policy that includes a conditional role binding

5104

# * Adding a conditional role binding to a policy

5105

# * Changing a conditional role binding in a policy

5106

# * Removing any role binding, with or without a condition, from a policy

5107

# that includes conditions

5108

#

5109

# **Important:** If you use IAM Conditions, you must include the `etag` field

5110

# whenever you call `setIamPolicy`. If you omit this field, then IAM allows

5111

# you to overwrite a version `3` policy with a version `1` policy, and all of

5112

# the conditions in the version `3` policy are lost.

5113

#

5114

# If a policy does not include any conditions, operations on that policy may

5115

# specify any valid version or leave the field unset.

5116

#

5117

# To learn which resources support conditions in their IAM policies, see the

5118

# [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies).

5119

"bindings": [ # Associates a list of `members` to a `role`. Optionally, may specify a

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

5120

# `condition` that determines how and when the `bindings` are applied. Each

5121

# of the `bindings` must contain at least one member.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

5122

{ # Associates `members` with a `role`.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

5123

"members": [ # Specifies the identities requesting access for a Cloud Platform resource.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

5124

# `members` can have the following values:

5125

#

5126

# * `allUsers`: A special identifier that represents anyone who is

5127

# on the internet; with or without a Google account.

5128

#

5129

# * `allAuthenticatedUsers`: A special identifier that represents anyone

5130

# who is authenticated with a Google account or a service account.

5131

#

5132

# * `user:{emailid}`: An email address that represents a specific Google

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

5133

# account. For example, `alice@example.com` .

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

5134

#

5135

#

5136

# * `serviceAccount:{emailid}`: An email address that represents a service

5137

# account. For example, `my-other-app@appspot.gserviceaccount.com`.

5138

#

5139

# * `group:{emailid}`: An email address that represents a Google group.

5140

# For example, `admins@example.com`.

5141

#

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

5142

# * `deleted:user:{emailid}?uid={uniqueid}`: An email address (plus unique

5143

# identifier) representing a user that has been recently deleted. For

5144

# example, `alice@example.com?uid=123456789012345678901`. If the user is

5145

# recovered, this value reverts to `user:{emailid}` and the recovered user

5146

# retains the role in the binding.

5147

#

5148

# * `deleted:serviceAccount:{emailid}?uid={uniqueid}`: An email address (plus

5149

# unique identifier) representing a service account that has been recently

5150

# deleted. For example,

5151

# `my-other-app@appspot.gserviceaccount.com?uid=123456789012345678901`.

5152

# If the service account is undeleted, this value reverts to

5153

# `serviceAccount:{emailid}` and the undeleted service account retains the

5154

# role in the binding.

5155

#

5156

# * `deleted:group:{emailid}?uid={uniqueid}`: An email address (plus unique

5157

# identifier) representing a Google group that has been recently

5158

# deleted. For example, `admins@example.com?uid=123456789012345678901`. If

5159

# the group is recovered, this value reverts to `group:{emailid}` and the

5160

# recovered group retains the role in the binding.

5161

#

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

5162

#

5163

# * `domain:{domain}`: The G Suite domain (primary) that represents all the

5164

# users of that domain. For example, `google.com` or `example.com`.

5165

#

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

5166

"A String",

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

5167

],

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

5168

"role": "A String", # Role that is assigned to `members`.

5169

# For example, `roles/viewer`, `roles/editor`, or `roles/owner`.

5170

"condition": { # Represents a textual expression in the Common Expression Language (CEL) # The condition that is associated with this binding.

5171

#

5172

# If the condition evaluates to `true`, then this binding applies to the

5173

# current request.

5174

#

5175

# If the condition evaluates to `false`, then this binding does not apply to

5176

# the current request. However, a different role binding might grant the same

5177

# role to one or more of the members in this binding.

5178

#

5179

# To learn which resources support conditions in their IAM policies, see the

5180

# [IAM

5181

# documentation](https://cloud.google.com/iam/help/conditions/resource-policies).

5182

# syntax. CEL is a C-like expression language. The syntax and semantics of CEL

5183

# are documented at https://github.com/google/cel-spec.

5184

#

5185

# Example (Comparison):

5186

#

5187

# title: "Summary size limit"

5188

# description: "Determines if a summary is less than 100 chars"

5189

# expression: "document.summary.size() < 100"

5190

#

5191

# Example (Equality):

5192

#

5193

# title: "Requestor is owner"

5194

# description: "Determines if requestor is the document owner"

5195

# expression: "document.owner == request.auth.claims.email"

#

# Example (Logic):

#

# title: "Public documents"

5200

# description: "Determine whether the document should be publicly visible"

5201

# expression: "document.type != 'private' && document.type != 'internal'"

5202

#

5203

# Example (Data Manipulation):

5204

#

5205

# title: "Notification string"

5206

# description: "Create a notification string with a timestamp."

5207

# expression: "'New message received at ' + string(document.create_time)"

5208

#

5209

# The exact variables and functions that may be referenced within an expression

5210

# are determined by the service that evaluates it. See the service

5211

# documentation for additional information.

5212

"title": "A String", # Optional. Title for the expression, i.e. a short string describing

5213

# its purpose. This can be used e.g. in UIs which allow to enter the

5214

# expression.

5215

"location": "A String", # Optional. String indicating the location of the expression for error

5216

# reporting, e.g. a file name and a position in the file.

5217

"description": "A String", # Optional. Description of the expression. This is a longer text which

5218

# describes the expression, e.g. when hovered over it in a UI.

5219

"expression": "A String", # Textual representation of an expression in Common Expression Language

5220

# syntax.

5221

},

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

5222

},

5223

],

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

5224

"etag": "A String", # `etag` is used for optimistic concurrency control as a way to help

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

5225

# prevent simultaneous updates of a policy from overwriting each other.

5226

# It is strongly suggested that systems make use of the `etag` in the

5227

# read-modify-write cycle to perform policy updates in order to avoid race

5228

# conditions: An `etag` is returned in the response to `getIamPolicy`, and

5229

# systems are expected to put that etag in the request to `setIamPolicy` to

5230

# ensure that their change will be applied to the same version of the policy.

5231

#

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

5232

# **Important:** If you use IAM Conditions, you must include the `etag` field

5233

# whenever you call `setIamPolicy`. If you omit this field, then IAM allows

5234

# you to overwrite a version `3` policy with a version `1` policy, and all of

5235

# the conditions in the version `3` policy are lost.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

5236

},

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

5237

}

5238

5239

x__xgafv: string, V1 error format.

Allowed values

1 - v1 error format

2 - v2 error format

Returns:

An object of the form:

5246

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

5247

{ # An Identity and Access Management (IAM) policy, which specifies access

5248

# controls for Google Cloud resources.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

5249

#

5250

#

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

5251

# A `Policy` is a collection of `bindings`. A `binding` binds one or more

5252

# `members` to a single `role`. Members can be user accounts, service accounts,

5253

# Google groups, and domains (such as G Suite). A `role` is a named list of

5254

# permissions; each `role` can be an IAM predefined role or a user-created

5255

# custom role.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

5256

#

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

5257

# For some types of Google Cloud resources, a `binding` can also specify a

5258

# `condition`, which is a logical expression that allows access to a resource

5259

# only if the expression evaluates to `true`. A condition can add constraints

5260

# based on attributes of the request, the resource, or both. To learn which

5261

# resources support conditions in their IAM policies, see the

5262

# [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies).

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

5263

#

5264

# **JSON example:**

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

5265

#

5266

# {

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

5267

# "bindings": [

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

5268

# {

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

5269

# "role": "roles/resourcemanager.organizationAdmin",

5270

# "members": [

5271

# "user:mike@example.com",

5272

# "group:admins@example.com",

5273

# "domain:google.com",

5274

# "serviceAccount:my-project-id@appspot.gserviceaccount.com"

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

5275

# ]

5276

# },

5277

# {

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

5278

# "role": "roles/resourcemanager.organizationViewer",

5279

# "members": [

5280

# "user:eve@example.com"

5281

# ],

5282

# "condition": {

5283

# "title": "expirable access",

5284

# "description": "Does not grant access after Sep 2020",

5285

# "expression": "request.time < timestamp('2020-10-01T00:00:00.000Z')",

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

5286

# }

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

5287

# }

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

5288

# ],

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

5289

# "etag": "BwWWja0YfJA=",

5290

# "version": 3

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

5291

# }

5292

#

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

5293

# **YAML example:**

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

#

# bindings:

# - members:

# - user:mike@example.com

5298

# - group:admins@example.com

5299

# - domain:google.com

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

5300

# - serviceAccount:my-project-id@appspot.gserviceaccount.com

5301

# role: roles/resourcemanager.organizationAdmin

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

5302

# - members:

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

5303

# - user:eve@example.com

5304

# role: roles/resourcemanager.organizationViewer

5305

# condition:

5306

# title: expirable access

5307

# description: Does not grant access after Sep 2020

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

5308

# expression: request.time < timestamp('2020-10-01T00:00:00.000Z')

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

5309

# - etag: BwWWja0YfJA=

5310

# - version: 3

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

5311

#

5312

# For a description of IAM and its features, see the

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

5313

# [IAM documentation](https://cloud.google.com/iam/docs/).

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

5314

"version": 42, # Specifies the format of the policy.

5315

#

5316

# Valid values are `0`, `1`, and `3`. Requests that specify an invalid value

5317

# are rejected.

5318

#

5319

# Any operation that affects conditional role bindings must specify version

5320

# `3`. This requirement applies to the following operations:

5321

#

5322

# * Getting a policy that includes a conditional role binding

5323

# * Adding a conditional role binding to a policy

5324

# * Changing a conditional role binding in a policy

5325

# * Removing any role binding, with or without a condition, from a policy

5326

# that includes conditions

5327

#

5328

# **Important:** If you use IAM Conditions, you must include the `etag` field

5329

# whenever you call `setIamPolicy`. If you omit this field, then IAM allows

5330

# you to overwrite a version `3` policy with a version `1` policy, and all of

5331

# the conditions in the version `3` policy are lost.

5332

#

5333

# If a policy does not include any conditions, operations on that policy may

5334

# specify any valid version or leave the field unset.

5335

#

5336

# To learn which resources support conditions in their IAM policies, see the

5337

# [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies).

5338

"bindings": [ # Associates a list of `members` to a `role`. Optionally, may specify a

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

5339

# `condition` that determines how and when the `bindings` are applied. Each

5340

# of the `bindings` must contain at least one member.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

5341

{ # Associates `members` with a `role`.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

5342

"members": [ # Specifies the identities requesting access for a Cloud Platform resource.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

5343

# `members` can have the following values:

5344

#

5345

# * `allUsers`: A special identifier that represents anyone who is

5346

# on the internet; with or without a Google account.

5347

#

5348

# * `allAuthenticatedUsers`: A special identifier that represents anyone

5349

# who is authenticated with a Google account or a service account.

5350

#

5351

# * `user:{emailid}`: An email address that represents a specific Google

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

5352

# account. For example, `alice@example.com` .

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

5353

#

5354

#

5355

# * `serviceAccount:{emailid}`: An email address that represents a service

5356

# account. For example, `my-other-app@appspot.gserviceaccount.com`.

5357

#

5358

# * `group:{emailid}`: An email address that represents a Google group.

5359

# For example, `admins@example.com`.

5360

#

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

5361

# * `deleted:user:{emailid}?uid={uniqueid}`: An email address (plus unique

5362

# identifier) representing a user that has been recently deleted. For

5363

# example, `alice@example.com?uid=123456789012345678901`. If the user is

5364

# recovered, this value reverts to `user:{emailid}` and the recovered user

5365

# retains the role in the binding.

5366

#

5367

# * `deleted:serviceAccount:{emailid}?uid={uniqueid}`: An email address (plus

5368

# unique identifier) representing a service account that has been recently

5369

# deleted. For example,

5370

# `my-other-app@appspot.gserviceaccount.com?uid=123456789012345678901`.

5371

# If the service account is undeleted, this value reverts to

5372

# `serviceAccount:{emailid}` and the undeleted service account retains the

5373

# role in the binding.

5374

#

5375

# * `deleted:group:{emailid}?uid={uniqueid}`: An email address (plus unique

5376

# identifier) representing a Google group that has been recently

5377

# deleted. For example, `admins@example.com?uid=123456789012345678901`. If

5378

# the group is recovered, this value reverts to `group:{emailid}` and the

5379

# recovered group retains the role in the binding.

5380

#

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

5381

#

5382

# * `domain:{domain}`: The G Suite domain (primary) that represents all the

5383

# users of that domain. For example, `google.com` or `example.com`.

5384

#

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

5385

"A String",

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

5386

],

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

5387

"role": "A String", # Role that is assigned to `members`.

5388

# For example, `roles/viewer`, `roles/editor`, or `roles/owner`.

5389

"condition": { # Represents a textual expression in the Common Expression Language (CEL) # The condition that is associated with this binding.

5390

#

5391

# If the condition evaluates to `true`, then this binding applies to the

5392

# current request.

5393

#

5394

# If the condition evaluates to `false`, then this binding does not apply to

5395

# the current request. However, a different role binding might grant the same

5396

# role to one or more of the members in this binding.

5397

#

5398

# To learn which resources support conditions in their IAM policies, see the

5399

# [IAM

5400

# documentation](https://cloud.google.com/iam/help/conditions/resource-policies).

5401

# syntax. CEL is a C-like expression language. The syntax and semantics of CEL

5402

# are documented at https://github.com/google/cel-spec.

5403

#

5404

# Example (Comparison):

5405

#

5406

# title: "Summary size limit"

5407

# description: "Determines if a summary is less than 100 chars"

5408

# expression: "document.summary.size() < 100"

5409

#

5410

# Example (Equality):

5411

#

5412

# title: "Requestor is owner"

5413

# description: "Determines if requestor is the document owner"

5414

# expression: "document.owner == request.auth.claims.email"

#

# Example (Logic):

#

# title: "Public documents"

5419

# description: "Determine whether the document should be publicly visible"

5420

# expression: "document.type != 'private' && document.type != 'internal'"

5421

#

5422

# Example (Data Manipulation):

5423

#

5424

# title: "Notification string"

5425

# description: "Create a notification string with a timestamp."

5426

# expression: "'New message received at ' + string(document.create_time)"

5427

#

5428

# The exact variables and functions that may be referenced within an expression

5429

# are determined by the service that evaluates it. See the service

5430

# documentation for additional information.

5431

"title": "A String", # Optional. Title for the expression, i.e. a short string describing

5432

# its purpose. This can be used e.g. in UIs which allow to enter the

5433

# expression.

5434

"location": "A String", # Optional. String indicating the location of the expression for error

5435

# reporting, e.g. a file name and a position in the file.

5436

"description": "A String", # Optional. Description of the expression. This is a longer text which

5437

# describes the expression, e.g. when hovered over it in a UI.

5438

"expression": "A String", # Textual representation of an expression in Common Expression Language

5439

# syntax.

5440

},

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

5441

},

5442

],

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

5443

"etag": "A String", # `etag` is used for optimistic concurrency control as a way to help

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

5444

# prevent simultaneous updates of a policy from overwriting each other.

5445

# It is strongly suggested that systems make use of the `etag` in the

5446

# read-modify-write cycle to perform policy updates in order to avoid race

5447

# conditions: An `etag` is returned in the response to `getIamPolicy`, and

5448

# systems are expected to put that etag in the request to `setIamPolicy` to

5449

# ensure that their change will be applied to the same version of the policy.

5450

#

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

5451

# **Important:** If you use IAM Conditions, you must include the `etag` field

5452

# whenever you call `setIamPolicy`. If you omit this field, then IAM allows

5453

# you to overwrite a version `3` policy with a version `1` policy, and all of

5454

# the conditions in the version `3` policy are lost.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

}</pre>

</div>

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

5459

<code class="details" id="testIamPermissions">testIamPermissions(resource, body=None, x__xgafv=None)</code>

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

5460

<pre>Returns the permissions that a caller has on the specified note or

5461

occurrence. Requires list permission on the project (for example,

5462

`containeranalysis.notes.list`).

5463

5464

The resource takes the format `projects/[PROJECT_ID]/notes/[NOTE_ID]` for

5465

notes and `projects/[PROJECT_ID]/occurrences/[OCCURRENCE_ID]` for

occurrences.

Args:

resource: string, REQUIRED: The resource for which the policy detail is being requested.

5470

See the operation documentation for the appropriate value for this field. (required)

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

5471

body: object, The request body.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

5472

The object takes the form of:

5473

5474

{ # Request message for `TestIamPermissions` method.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

5475

"permissions": [ # The set of permissions to check for the `resource`. Permissions with

5476

# wildcards (such as '*' or 'storage.*') are not allowed. For more

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

5477

# information see

5478

# [IAM Overview](https://cloud.google.com/iam/docs/overview#permissions).

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

5479

"A String",

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

],

}

x__xgafv: string, V1 error format.

Allowed values

1 - v1 error format

2 - v2 error format

Returns:

An object of the form:

5490

5491

{ # Response message for `TestIamPermissions` method.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

5492

"permissions": [ # A subset of `TestPermissionsRequest.permissions` that the caller is

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

5493

# allowed.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame^]

5494

"A String",

Bu Sun Kim