Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / python / google-api-python-client / 715bd7f9ca9a324a05ee05a6476af383e54930f9 / . / docs / dyn / containeranalysis_v1beta1.projects.occurrences.html
blob: d8771f1f3f4c68e06456b3b2f6e13ab73bc3dfba [file] [log] [blame]
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame^]1<html><body>
2<style>
3
4body, h1, h2, h3, div, span, p, pre, a {
5 margin: 0;
6 padding: 0;
7 border: 0;
8 font-weight: inherit;
9 font-style: inherit;
10 font-size: 100%;
11 font-family: inherit;
12 vertical-align: baseline;
13}
14
15body {
16 font-size: 13px;
17 padding: 1em;
18}
19
20h1 {
21 font-size: 26px;
22 margin-bottom: 1em;
23}
24
25h2 {
26 font-size: 24px;
27 margin-bottom: 1em;
28}
29
30h3 {
31 font-size: 20px;
32 margin-bottom: 1em;
33 margin-top: 1em;
34}
35
36pre, code {
37 line-height: 1.5;
38 font-family: Monaco, 'DejaVu Sans Mono', 'Bitstream Vera Sans Mono', 'Lucida Console', monospace;
39}
40
41pre {
42 margin-top: 0.5em;
43}
44
45h1, h2, h3, p {
46 font-family: Arial, sans serif;
47}
48
49h1, h2, h3 {
50 border-bottom: solid #CCC 1px;
51}
52
53.toc_element {
54 margin-top: 0.5em;
55}
56
57.firstline {
58 margin-left: 2 em;
59}
60
61.method {
62 margin-top: 1em;
63 border: solid 1px #CCC;
64 padding: 1em;
65 background: #EEE;
66}
67
68.details {
69 font-weight: bold;
70 font-size: 14px;
71}
72
73</style>
74
75<h1><a href="containeranalysis_v1beta1.html">Container Analysis API</a> . <a href="containeranalysis_v1beta1.projects.html">projects</a> . <a href="containeranalysis_v1beta1.projects.occurrences.html">occurrences</a></h1>
76<h2>Instance Methods</h2>
77<p class="toc_element">
78 <code><a href="#batchCreate">batchCreate(parent, body, x__xgafv=None)</a></code></p>
79<p class="firstline">Creates new occurrences in batch.</p>
80<p class="toc_element">
81 <code><a href="#create">create(parent, body, x__xgafv=None)</a></code></p>
82<p class="firstline">Creates a new occurrence.</p>
83<p class="toc_element">
84 <code><a href="#delete">delete(name, x__xgafv=None)</a></code></p>
85<p class="firstline">Deletes the specified occurrence. For example, use this method to delete an</p>
86<p class="toc_element">
87 <code><a href="#get">get(name, x__xgafv=None)</a></code></p>
88<p class="firstline">Gets the specified occurrence.</p>
89<p class="toc_element">
90 <code><a href="#getIamPolicy">getIamPolicy(resource, body=None, x__xgafv=None)</a></code></p>
91<p class="firstline">Gets the access control policy for a note or an occurrence resource.</p>
92<p class="toc_element">
93 <code><a href="#getNotes">getNotes(name, x__xgafv=None)</a></code></p>
94<p class="firstline">Gets the note attached to the specified occurrence. Consumer projects can</p>
95<p class="toc_element">
96 <code><a href="#getVulnerabilitySummary">getVulnerabilitySummary(parent, x__xgafv=None, filter=None)</a></code></p>
97<p class="firstline">Gets a summary of the number and severity of occurrences.</p>
98<p class="toc_element">
99 <code><a href="#list">list(parent, pageSize=None, pageToken=None, x__xgafv=None, filter=None)</a></code></p>
100<p class="firstline">Lists occurrences for the specified project.</p>
101<p class="toc_element">
102 <code><a href="#list_next">list_next(previous_request, previous_response)</a></code></p>
103<p class="firstline">Retrieves the next page of results.</p>
104<p class="toc_element">
105 <code><a href="#patch">patch(name, body, updateMask=None, x__xgafv=None)</a></code></p>
106<p class="firstline">Updates the specified occurrence.</p>
107<p class="toc_element">
108 <code><a href="#setIamPolicy">setIamPolicy(resource, body, x__xgafv=None)</a></code></p>
109<p class="firstline">Sets the access control policy on the specified note or occurrence.</p>
110<p class="toc_element">
111 <code><a href="#testIamPermissions">testIamPermissions(resource, body, x__xgafv=None)</a></code></p>
112<p class="firstline">Returns the permissions that a caller has on the specified note or</p>
113<h3>Method Details</h3>
114<div class="method">
115 <code class="details" id="batchCreate">batchCreate(parent, body, x__xgafv=None)</code>
116 <pre>Creates new occurrences in batch.
117
118Args:
119 parent: string, The name of the project in the form of `projects/[PROJECT_ID]`, under which
120the occurrences are to be created. (required)
121 body: object, The request body. (required)
122 The object takes the form of:
123
124{ # Request to create occurrences in batch.
125 "occurrences": [ # The occurrences to create. Max allowed length is 1000.
126 { # An instance of an analysis type that has been found on a resource.
127 "kind": "A String", # Output only. This explicitly denotes which of the occurrence details are
128 # specified. This field can be used as a filter in list requests.
129 "resource": { # An entity that can have metadata. For example, a Docker image. # Required. Immutable. The resource for which the occurrence applies.
130 "contentHash": { # Container message for hash values. # Deprecated, do not use. Use uri instead.
131 #
132 # The hash of the resource content. For example, the Docker digest.
133 "type": "A String", # Required. The type of hash that was performed.
134 "value": "A String", # Required. The hash value.
135 },
136 "uri": "A String", # Required. The unique URI of the resource. For example,
137 # `https://gcr.io/project/image@sha256:foo` for a Docker image.
138 "name": "A String", # Deprecated, do not use. Use uri instead.
139 #
140 # The name of the resource. For example, the name of a Docker image -
141 # "Debian".
142 },
143 "name": "A String", # Output only. The name of the occurrence in the form of
144 # `projects/[PROJECT_ID]/occurrences/[OCCURRENCE_ID]`.
145 "vulnerability": { # Details of a vulnerability Occurrence. # Describes a security vulnerability.
146 "cvssScore": 3.14, # Output only. The CVSS score of this vulnerability. CVSS score is on a
147 # scale of 0-10 where 0 indicates low severity and 10 indicates high
148 # severity.
149 "severity": "A String", # Output only. The note provider assigned Severity of the vulnerability.
150 "type": "A String", # The type of package; whether native or non native(ruby gems, node.js
151 # packages etc)
152 "effectiveSeverity": "A String", # The distro assigned severity for this vulnerability when it is
153 # available, and note provider assigned severity when distro has not yet
154 # assigned a severity for this vulnerability.
155 "relatedUrls": [ # Output only. URLs related to this vulnerability.
156 { # Metadata for any related URL information.
157 "url": "A String", # Specific URL associated with the resource.
158 "label": "A String", # Label to describe usage of the URL.
159 },
160 ],
161 "packageIssue": [ # Required. The set of affected locations and their fixes (if available)
162 # within the associated resource.
163 { # This message wraps a location affected by a vulnerability and its
164 # associated fix (if one is available).
165 "severityName": "A String", # Deprecated, use Details.effective_severity instead
166 # The severity (e.g., distro assigned severity) for this vulnerability.
167 "affectedLocation": { # The location of the vulnerability. # Required. The location of the vulnerability.
168 "cpeUri": "A String", # Required. The CPE URI in [cpe format](https://cpe.mitre.org/specification/)
169 # format. Examples include distro or storage location for vulnerable jar.
170 "version": { # Version contains structured information about the version of a package. # Required. The version of the package being described.
171 "epoch": 42, # Used to correct mistakes in the version numbering scheme.
172 "kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal
173 # versions.
174 "name": "A String", # Required only when version kind is NORMAL. The main part of the version
175 # name.
176 "revision": "A String", # The iteration of the package build from the above version.
177 },
178 "package": "A String", # Required. The package being described.
179 },
180 "fixedLocation": { # The location of the vulnerability. # The location of the available fix for vulnerability.
181 "cpeUri": "A String", # Required. The CPE URI in [cpe format](https://cpe.mitre.org/specification/)
182 # format. Examples include distro or storage location for vulnerable jar.
183 "version": { # Version contains structured information about the version of a package. # Required. The version of the package being described.
184 "epoch": 42, # Used to correct mistakes in the version numbering scheme.
185 "kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal
186 # versions.
187 "name": "A String", # Required only when version kind is NORMAL. The main part of the version
188 # name.
189 "revision": "A String", # The iteration of the package build from the above version.
190 },
191 "package": "A String", # Required. The package being described.
192 },
193 },
194 ],
195 "longDescription": "A String", # Output only. A detailed description of this vulnerability.
196 "shortDescription": "A String", # Output only. A one sentence description of this vulnerability.
197 },
198 "updateTime": "A String", # Output only. The time this occurrence was last updated.
199 "discovered": { # Details of a discovery occurrence. # Describes when a resource was discovered.
200 "discovered": { # Provides information about the analysis status of a discovered resource. # Required. Analysis status for the discovered resource.
201 "lastAnalysisTime": "A String", # The last time continuous analysis was done for this resource.
202 # Deprecated, do not use.
203 "analysisStatus": "A String", # The status of discovery for the resource.
204 "continuousAnalysis": "A String", # Whether the resource is continuously analyzed.
205 "analysisStatusError": { # The `Status` type defines a logical error model that is suitable for # When an error is encountered this will contain a LocalizedMessage under
206 # details to show to the user. The LocalizedMessage is output only and
207 # populated by the API.
208 # different programming environments, including REST APIs and RPC APIs. It is
209 # used by [gRPC](https://github.com/grpc). Each `Status` message contains
210 # three pieces of data: error code, error message, and error details.
211 #
212 # You can find out more about this error model and how to work with it in the
213 # [API Design Guide](https://cloud.google.com/apis/design/errors).
214 "message": "A String", # A developer-facing error message, which should be in English. Any
215 # user-facing error message should be localized and sent in the
216 # google.rpc.Status.details field, or localized by the client.
217 "code": 42, # The status code, which should be an enum value of google.rpc.Code.
218 "details": [ # A list of messages that carry the error details. There is a common set of
219 # message types for APIs to use.
220 {
221 "a_key": "", # Properties of the object. Contains field @type with type URL.
222 },
223 ],
224 },
225 },
226 },
227 "attestation": { # Details of an attestation occurrence. # Describes an attestation of an artifact.
228 "attestation": { # Occurrence that represents a single "attestation". The authenticity of an # Required. Attestation for the resource.
229 # attestation can be verified using the attached signature. If the verifier
230 # trusts the public key of the signer, then verifying the signature is
231 # sufficient to establish trust. In this circumstance, the authority to which
232 # this attestation is attached is primarily useful for look-up (how to find
233 # this attestation if you already know the authority and artifact to be
234 # verified) and intent (which authority was this attestation intended to sign
235 # for).
236 "pgpSignedAttestation": { # An attestation wrapper with a PGP-compatible signature. This message only # A PGP signed attestation.
237 # supports `ATTACHED` signatures, where the payload that is signed is included
238 # alongside the signature itself in the same file.
239 "pgpKeyId": "A String", # The cryptographic fingerprint of the key used to generate the signature,
240 # as output by, e.g. `gpg --list-keys`. This should be the version 4, full
241 # 160-bit fingerprint, expressed as a 40 character hexidecimal string. See
242 # https://tools.ietf.org/html/rfc4880#section-12.2 for details.
243 # Implementations may choose to acknowledge "LONG", "SHORT", or other
244 # abbreviated key IDs, but only the full fingerprint is guaranteed to work.
245 # In gpg, the full fingerprint can be retrieved from the `fpr` field
246 # returned when calling --list-keys with --with-colons. For example:
247 # ```
248 # gpg --with-colons --with-fingerprint --force-v4-certs \
249 # --list-keys attester@example.com
250 # tru::1:1513631572:0:3:1:5
251 # pub:...<SNIP>...
252 # fpr:::::::::24FF6481B76AC91E66A00AC657A93A81EF3AE6FB:
253 # ```
254 # Above, the fingerprint is `24FF6481B76AC91E66A00AC657A93A81EF3AE6FB`.
255 "contentType": "A String", # Type (for example schema) of the attestation payload that was signed.
256 # The verifier must ensure that the provided type is one that the verifier
257 # supports, and that the attestation payload is a valid instantiation of that
258 # type (for example by validating a JSON schema).
259 "signature": "A String", # Required. The raw content of the signature, as output by GNU Privacy Guard
260 # (GPG) or equivalent. Since this message only supports attached signatures,
261 # the payload that was signed must be attached. While the signature format
262 # supported is dependent on the verification implementation, currently only
263 # ASCII-armored (`--armor` to gpg), non-clearsigned (`--sign` rather than
264 # `--clearsign` to gpg) are supported. Concretely, `gpg --sign --armor
265 # --output=signature.gpg payload.json` will create the signature content
266 # expected in this field in `signature.gpg` for the `payload.json`
267 # attestation payload.
268 },
269 "genericSignedAttestation": { # An attestation wrapper that uses the Grafeas `Signature` message.
270 # This attestation must define the `serialized_payload` that the `signatures`
271 # verify and any metadata necessary to interpret that plaintext. The
272 # signatures should always be over the `serialized_payload` bytestring.
273 "signatures": [ # One or more signatures over `serialized_payload`. Verifier implementations
274 # should consider this attestation message verified if at least one
275 # `signature` verifies `serialized_payload`. See `Signature` in common.proto
276 # for more details on signature structure and verification.
277 { # Verifiers (e.g. Kritis implementations) MUST verify signatures
278 # with respect to the trust anchors defined in policy (e.g. a Kritis policy).
279 # Typically this means that the verifier has been configured with a map from
280 # `public_key_id` to public key material (and any required parameters, e.g.
281 # signing algorithm).
282 #
283 # In particular, verification implementations MUST NOT treat the signature
284 # `public_key_id` as anything more than a key lookup hint. The `public_key_id`
285 # DOES NOT validate or authenticate a public key; it only provides a mechanism
286 # for quickly selecting a public key ALREADY CONFIGURED on the verifier through
287 # a trusted channel. Verification implementations MUST reject signatures in any
288 # of the following circumstances:
289 # * The `public_key_id` is not recognized by the verifier.
290 # * The public key that `public_key_id` refers to does not verify the
291 # signature with respect to the payload.
292 #
293 # The `signature` contents SHOULD NOT be "attached" (where the payload is
294 # included with the serialized `signature` bytes). Verifiers MUST ignore any
295 # "attached" payload and only verify signatures with respect to explicitly
296 # provided payload (e.g. a `payload` field on the proto message that holds
297 # this Signature, or the canonical serialization of the proto message that
298 # holds this signature).
299 "publicKeyId": "A String", # The identifier for the public key that verifies this signature.
300 # * The `public_key_id` is required.
301 # * The `public_key_id` MUST be an RFC3986 conformant URI.
302 # * When possible, the `public_key_id` SHOULD be an immutable reference,
303 # such as a cryptographic digest.
304 #
305 # Examples of valid `public_key_id`s:
306 #
307 # OpenPGP V4 public key fingerprint:
308 # * "openpgp4fpr:74FAF3B861BDA0870C7B6DEF607E48D2A663AEEA"
309 # See https://www.iana.org/assignments/uri-schemes/prov/openpgp4fpr for more
310 # details on this scheme.
311 #
312 # RFC6920 digest-named SubjectPublicKeyInfo (digest of the DER
313 # serialization):
314 # * "ni:///sha-256;cD9o9Cq6LG3jD0iKXqEi_vdjJGecm_iXkbqVoScViaU"
315 # * "nih:///sha-256;703f68f42aba2c6de30f488a5ea122fef76324679c9bf89791ba95a1271589a5"
316 "signature": "A String", # The content of the signature, an opaque bytestring.
317 # The payload that this signature verifies MUST be unambiguously provided
318 # with the Signature during verification. A wrapper message might provide
319 # the payload explicitly. Alternatively, a message might have a canonical
320 # serialization that can always be unambiguously computed to derive the
321 # payload.
322 },
323 ],
324 "contentType": "A String", # Type (for example schema) of the attestation payload that was signed.
325 # The verifier must ensure that the provided type is one that the verifier
326 # supports, and that the attestation payload is a valid instantiation of that
327 # type (for example by validating a JSON schema).
328 "serializedPayload": "A String", # The serialized payload that is verified by one or more `signatures`.
329 # The encoding and semantic meaning of this payload must match what is set in
330 # `content_type`.
331 },
332 },
333 },
334 "build": { # Details of a build occurrence. # Describes a verifiable build.
335 "provenance": { # Provenance of a build. Contains all information needed to verify the full # Required. The actual provenance for the build.
336 # details about the build from source to completion.
337 "commands": [ # Commands requested by the build.
338 { # Command describes a step performed as part of the build pipeline.
339 "waitFor": [ # The ID(s) of the command(s) that this command depends on.
340 "A String",
341 ],
342 "name": "A String", # Required. Name of the command, as presented on the command line, or if the
343 # command is packaged as a Docker container, as presented to `docker pull`.
344 "args": [ # Command-line arguments used when executing this command.
345 "A String",
346 ],
347 "env": [ # Environment variables set before running this command.
348 "A String",
349 ],
350 "id": "A String", # Optional unique identifier for this command, used in wait_for to reference
351 # this command as a dependency.
352 "dir": "A String", # Working directory (relative to project source root) used when running this
353 # command.
354 },
355 ],
356 "sourceProvenance": { # Source describes the location of the source used for the build. # Details of the Source input to the build.
357 "fileHashes": { # Hash(es) of the build source, which can be used to verify that the original
358 # source integrity was maintained in the build.
359 #
360 # The keys to this map are file paths used as build source and the values
361 # contain the hash values for those files.
362 #
363 # If the build source came in a single package such as a gzipped tarfile
364 # (.tar.gz), the FileHash will be for the single path to that file.
365 "a_key": { # Container message for hashes of byte content of files, used in source
366 # messages to verify integrity of source input to the build.
367 "fileHash": [ # Required. Collection of file hashes.
368 { # Container message for hash values.
369 "type": "A String", # Required. The type of hash that was performed.
370 "value": "A String", # Required. The hash value.
371 },
372 ],
373 },
374 },
375 "artifactStorageSourceUri": "A String", # If provided, the input binary artifacts for the build came from this
376 # location.
377 "additionalContexts": [ # If provided, some of the source code used for the build may be found in
378 # these locations, in the case where the source repository had multiple
379 # remotes or submodules. This list will not include the context specified in
380 # the context field.
381 { # A SourceContext is a reference to a tree of files. A SourceContext together
382 # with a path point to a unique revision of a single file or directory.
383 "git": { # A GitSourceContext denotes a particular revision in a third party Git # A SourceContext referring to any third party Git repo (e.g., GitHub).
384 # repository (e.g., GitHub).
385 "url": "A String", # Git repository URL.
386 "revisionId": "A String", # Git commit hash.
387 },
388 "cloudRepo": { # A CloudRepoSourceContext denotes a particular revision in a Google Cloud # A SourceContext referring to a revision in a Google Cloud Source Repo.
389 # Source Repo.
390 "aliasContext": { # An alias to a repo revision. # An alias, which may be a branch or tag.
391 "kind": "A String", # The alias kind.
392 "name": "A String", # The alias name.
393 },
394 "revisionId": "A String", # A revision ID.
395 "repoId": { # A unique identifier for a Cloud Repo. # The ID of the repo.
396 "uid": "A String", # A server-assigned, globally unique identifier.
397 "projectRepoId": { # Selects a repo using a Google Cloud Platform project ID (e.g., # A combination of a project ID and a repo name.
398 # winged-cargo-31) and a repo name within that project.
399 "projectId": "A String", # The ID of the project.
400 "repoName": "A String", # The name of the repo. Leave empty for the default repo.
401 },
402 },
403 },
404 "labels": { # Labels with user defined metadata.
405 "a_key": "A String",
406 },
407 "gerrit": { # A SourceContext referring to a Gerrit project. # A SourceContext referring to a Gerrit project.
408 "aliasContext": { # An alias to a repo revision. # An alias, which may be a branch or tag.
409 "kind": "A String", # The alias kind.
410 "name": "A String", # The alias name.
411 },
412 "revisionId": "A String", # A revision (commit) ID.
413 "hostUri": "A String", # The URI of a running Gerrit instance.
414 "gerritProject": "A String", # The full project name within the host. Projects may be nested, so
415 # "project/subproject" is a valid project name. The "repo name" is the
416 # hostURI/project.
417 },
418 },
419 ],
420 "context": { # A SourceContext is a reference to a tree of files. A SourceContext together # If provided, the source code used for the build came from this location.
421 # with a path point to a unique revision of a single file or directory.
422 "git": { # A GitSourceContext denotes a particular revision in a third party Git # A SourceContext referring to any third party Git repo (e.g., GitHub).
423 # repository (e.g., GitHub).
424 "url": "A String", # Git repository URL.
425 "revisionId": "A String", # Git commit hash.
426 },
427 "cloudRepo": { # A CloudRepoSourceContext denotes a particular revision in a Google Cloud # A SourceContext referring to a revision in a Google Cloud Source Repo.
428 # Source Repo.
429 "aliasContext": { # An alias to a repo revision. # An alias, which may be a branch or tag.
430 "kind": "A String", # The alias kind.
431 "name": "A String", # The alias name.
432 },
433 "revisionId": "A String", # A revision ID.
434 "repoId": { # A unique identifier for a Cloud Repo. # The ID of the repo.
435 "uid": "A String", # A server-assigned, globally unique identifier.
436 "projectRepoId": { # Selects a repo using a Google Cloud Platform project ID (e.g., # A combination of a project ID and a repo name.
437 # winged-cargo-31) and a repo name within that project.
438 "projectId": "A String", # The ID of the project.
439 "repoName": "A String", # The name of the repo. Leave empty for the default repo.
440 },
441 },
442 },
443 "labels": { # Labels with user defined metadata.
444 "a_key": "A String",
445 },
446 "gerrit": { # A SourceContext referring to a Gerrit project. # A SourceContext referring to a Gerrit project.
447 "aliasContext": { # An alias to a repo revision. # An alias, which may be a branch or tag.
448 "kind": "A String", # The alias kind.
449 "name": "A String", # The alias name.
450 },
451 "revisionId": "A String", # A revision (commit) ID.
452 "hostUri": "A String", # The URI of a running Gerrit instance.
453 "gerritProject": "A String", # The full project name within the host. Projects may be nested, so
454 # "project/subproject" is a valid project name. The "repo name" is the
455 # hostURI/project.
456 },
457 },
458 },
459 "buildOptions": { # Special options applied to this build. This is a catch-all field where
460 # build providers can enter any desired additional details.
461 "a_key": "A String",
462 },
463 "creator": "A String", # E-mail address of the user who initiated this build. Note that this was the
464 # user's e-mail address at the time the build was initiated; this address may
465 # not represent the same end-user for all time.
466 "projectId": "A String", # ID of the project.
467 "builderVersion": "A String", # Version string of the builder at the time this build was executed.
468 "createTime": "A String", # Time at which the build was created.
469 "builtArtifacts": [ # Output of the build.
470 { # Artifact describes a build product.
471 "checksum": "A String", # Hash or checksum value of a binary, or Docker Registry 2.0 digest of a
472 # container.
473 "id": "A String", # Artifact ID, if any; for container images, this will be a URL by digest
474 # like `gcr.io/projectID/imagename@sha256:123456`.
475 "names": [ # Related artifact names. This may be the path to a binary or jar file, or in
476 # the case of a container build, the name used to push the container image to
477 # Google Container Registry, as presented to `docker push`. Note that a
478 # single Artifact ID can have multiple names, for example if two tags are
479 # applied to one image.
480 "A String",
481 ],
482 },
483 ],
484 "triggerId": "A String", # Trigger identifier if the build was triggered automatically; empty if not.
485 "startTime": "A String", # Time at which execution of the build was started.
486 "endTime": "A String", # Time at which execution of the build was finished.
487 "id": "A String", # Required. Unique identifier of the build.
488 "logsUri": "A String", # URI where any logs for this provenance were written.
489 },
490 "provenanceBytes": "A String", # Serialized JSON representation of the provenance, used in generating the
491 # build signature in the corresponding build note. After verifying the
492 # signature, `provenance_bytes` can be unmarshalled and compared to the
493 # provenance to confirm that it is unchanged. A base64-encoded string
494 # representation of the provenance bytes is used for the signature in order
495 # to interoperate with openssl which expects this format for signature
496 # verification.
497 #
498 # The serialized form is captured both to avoid ambiguity in how the
499 # provenance is marshalled to json as well to prevent incompatibilities with
500 # future changes.
501 },
502 "deployment": { # Details of a deployment occurrence. # Describes the deployment of an artifact on a runtime.
503 "deployment": { # The period during which some deployable was active in a runtime. # Required. Deployment history for the resource.
504 "resourceUri": [ # Output only. Resource URI for the artifact being deployed taken from
505 # the deployable field with the same name.
506 "A String",
507 ],
508 "userEmail": "A String", # Identity of the user that triggered this deployment.
509 "address": "A String", # Address of the runtime element hosting this deployment.
510 "platform": "A String", # Platform hosting this deployment.
511 "deployTime": "A String", # Required. Beginning of the lifetime of this deployment.
512 "undeployTime": "A String", # End of the lifetime of this deployment.
513 "config": "A String", # Configuration used to create this deployment.
514 },
515 },
516 "remediation": "A String", # A description of actions that can be taken to remedy the note.
517 "installation": { # Details of a package occurrence. # Describes the installation of a package on the linked resource.
518 "installation": { # This represents how a particular software package may be installed on a # Required. Where the package was installed.
519 # system.
520 "location": [ # Required. All of the places within the filesystem versions of this package
521 # have been found.
522 { # An occurrence of a particular package installation found within a system's
523 # filesystem. E.g., glibc was found in `/var/lib/dpkg/status`.
524 "path": "A String", # The path from which we gathered that this package/version is installed.
525 "cpeUri": "A String", # Required. The CPE URI in [CPE format](https://cpe.mitre.org/specification/)
526 # denoting the package manager version distributing a package.
527 "version": { # Version contains structured information about the version of a package. # The version installed at this location.
528 "epoch": 42, # Used to correct mistakes in the version numbering scheme.
529 "kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal
530 # versions.
531 "name": "A String", # Required only when version kind is NORMAL. The main part of the version
532 # name.
533 "revision": "A String", # The iteration of the package build from the above version.
534 },
535 },
536 ],
537 "name": "A String", # Output only. The name of the installed package.
538 },
539 },
540 "createTime": "A String", # Output only. The time this occurrence was created.
541 "derivedImage": { # Details of an image occurrence. # Describes how this resource derives from the basis in the associated
542 # note.
543 "derivedImage": { # Derived describes the derived image portion (Occurrence) of the DockerImage # Required. Immutable. The child image derived from the base image.
544 # relationship. This image would be produced from a Dockerfile with FROM
545 # <DockerImage.Basis in attached Note>.
546 "distance": 42, # Output only. The number of layers by which this image differs from the
547 # associated image basis.
548 "baseResourceUrl": "A String", # Output only. This contains the base image URL for the derived image
549 # occurrence.
550 "layerInfo": [ # This contains layer-specific metadata, if populated it has length
551 # "distance" and is ordered with [distance] being the layer immediately
552 # following the base image and [1] being the final layer.
553 { # Layer holds metadata specific to a layer of a Docker image.
554 "arguments": "A String", # The recovered arguments to the Dockerfile directive.
555 "directive": "A String", # Required. The recovered Dockerfile directive used to construct this layer.
556 },
557 ],
558 "fingerprint": { # A set of properties that uniquely identify a given Docker image. # Required. The fingerprint of the derived image.
559 "v1Name": "A String", # Required. The layer ID of the final layer in the Docker image's v1
560 # representation.
561 "v2Name": "A String", # Output only. The name of the image's v2 blobs computed via:
562 # [bottom] := v2_blobbottom := sha256(v2_blob[N] + " " + v2_name[N+1])
563 # Only the name of the final blob is kept.
564 "v2Blob": [ # Required. The ordered list of v2 blobs that represent a given image.
565 "A String",
566 ],
567 },
568 },
569 },
570 "noteName": "A String", # Required. Immutable. The analysis note associated with this occurrence, in
571 # the form of `projects/[PROVIDER_ID]/notes/[NOTE_ID]`. This field can be
572 # used as a filter in list requests.
573 },
574 ],
575 }
576
577 x__xgafv: string, V1 error format.
578 Allowed values
579 1 - v1 error format
580 2 - v2 error format
581
582Returns:
583 An object of the form:
584
585 { # Response for creating occurrences in batch.
586 "occurrences": [ # The occurrences that were created.
587 { # An instance of an analysis type that has been found on a resource.
588 "kind": "A String", # Output only. This explicitly denotes which of the occurrence details are
589 # specified. This field can be used as a filter in list requests.
590 "resource": { # An entity that can have metadata. For example, a Docker image. # Required. Immutable. The resource for which the occurrence applies.
591 "contentHash": { # Container message for hash values. # Deprecated, do not use. Use uri instead.
592 #
593 # The hash of the resource content. For example, the Docker digest.
594 "type": "A String", # Required. The type of hash that was performed.
595 "value": "A String", # Required. The hash value.
596 },
597 "uri": "A String", # Required. The unique URI of the resource. For example,
598 # `https://gcr.io/project/image@sha256:foo` for a Docker image.
599 "name": "A String", # Deprecated, do not use. Use uri instead.
600 #
601 # The name of the resource. For example, the name of a Docker image -
602 # "Debian".
603 },
604 "name": "A String", # Output only. The name of the occurrence in the form of
605 # `projects/[PROJECT_ID]/occurrences/[OCCURRENCE_ID]`.
606 "vulnerability": { # Details of a vulnerability Occurrence. # Describes a security vulnerability.
607 "cvssScore": 3.14, # Output only. The CVSS score of this vulnerability. CVSS score is on a
608 # scale of 0-10 where 0 indicates low severity and 10 indicates high
609 # severity.
610 "severity": "A String", # Output only. The note provider assigned Severity of the vulnerability.
611 "type": "A String", # The type of package; whether native or non native(ruby gems, node.js
612 # packages etc)
613 "effectiveSeverity": "A String", # The distro assigned severity for this vulnerability when it is
614 # available, and note provider assigned severity when distro has not yet
615 # assigned a severity for this vulnerability.
616 "relatedUrls": [ # Output only. URLs related to this vulnerability.
617 { # Metadata for any related URL information.
618 "url": "A String", # Specific URL associated with the resource.
619 "label": "A String", # Label to describe usage of the URL.
620 },
621 ],
622 "packageIssue": [ # Required. The set of affected locations and their fixes (if available)
623 # within the associated resource.
624 { # This message wraps a location affected by a vulnerability and its
625 # associated fix (if one is available).
626 "severityName": "A String", # Deprecated, use Details.effective_severity instead
627 # The severity (e.g., distro assigned severity) for this vulnerability.
628 "affectedLocation": { # The location of the vulnerability. # Required. The location of the vulnerability.
629 "cpeUri": "A String", # Required. The CPE URI in [cpe format](https://cpe.mitre.org/specification/)
630 # format. Examples include distro or storage location for vulnerable jar.
631 "version": { # Version contains structured information about the version of a package. # Required. The version of the package being described.
632 "epoch": 42, # Used to correct mistakes in the version numbering scheme.
633 "kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal
634 # versions.
635 "name": "A String", # Required only when version kind is NORMAL. The main part of the version
636 # name.
637 "revision": "A String", # The iteration of the package build from the above version.
638 },
639 "package": "A String", # Required. The package being described.
640 },
641 "fixedLocation": { # The location of the vulnerability. # The location of the available fix for vulnerability.
642 "cpeUri": "A String", # Required. The CPE URI in [cpe format](https://cpe.mitre.org/specification/)
643 # format. Examples include distro or storage location for vulnerable jar.
644 "version": { # Version contains structured information about the version of a package. # Required. The version of the package being described.
645 "epoch": 42, # Used to correct mistakes in the version numbering scheme.
646 "kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal
647 # versions.
648 "name": "A String", # Required only when version kind is NORMAL. The main part of the version
649 # name.
650 "revision": "A String", # The iteration of the package build from the above version.
651 },
652 "package": "A String", # Required. The package being described.
653 },
654 },
655 ],
656 "longDescription": "A String", # Output only. A detailed description of this vulnerability.
657 "shortDescription": "A String", # Output only. A one sentence description of this vulnerability.
658 },
659 "updateTime": "A String", # Output only. The time this occurrence was last updated.
660 "discovered": { # Details of a discovery occurrence. # Describes when a resource was discovered.
661 "discovered": { # Provides information about the analysis status of a discovered resource. # Required. Analysis status for the discovered resource.
662 "lastAnalysisTime": "A String", # The last time continuous analysis was done for this resource.
663 # Deprecated, do not use.
664 "analysisStatus": "A String", # The status of discovery for the resource.
665 "continuousAnalysis": "A String", # Whether the resource is continuously analyzed.
666 "analysisStatusError": { # The `Status` type defines a logical error model that is suitable for # When an error is encountered this will contain a LocalizedMessage under
667 # details to show to the user. The LocalizedMessage is output only and
668 # populated by the API.
669 # different programming environments, including REST APIs and RPC APIs. It is
670 # used by [gRPC](https://github.com/grpc). Each `Status` message contains
671 # three pieces of data: error code, error message, and error details.
672 #
673 # You can find out more about this error model and how to work with it in the
674 # [API Design Guide](https://cloud.google.com/apis/design/errors).
675 "message": "A String", # A developer-facing error message, which should be in English. Any
676 # user-facing error message should be localized and sent in the
677 # google.rpc.Status.details field, or localized by the client.
678 "code": 42, # The status code, which should be an enum value of google.rpc.Code.
679 "details": [ # A list of messages that carry the error details. There is a common set of
680 # message types for APIs to use.
681 {
682 "a_key": "", # Properties of the object. Contains field @type with type URL.
683 },
684 ],
685 },
686 },
687 },
688 "attestation": { # Details of an attestation occurrence. # Describes an attestation of an artifact.
689 "attestation": { # Occurrence that represents a single "attestation". The authenticity of an # Required. Attestation for the resource.
690 # attestation can be verified using the attached signature. If the verifier
691 # trusts the public key of the signer, then verifying the signature is
692 # sufficient to establish trust. In this circumstance, the authority to which
693 # this attestation is attached is primarily useful for look-up (how to find
694 # this attestation if you already know the authority and artifact to be
695 # verified) and intent (which authority was this attestation intended to sign
696 # for).
697 "pgpSignedAttestation": { # An attestation wrapper with a PGP-compatible signature. This message only # A PGP signed attestation.
698 # supports `ATTACHED` signatures, where the payload that is signed is included
699 # alongside the signature itself in the same file.
700 "pgpKeyId": "A String", # The cryptographic fingerprint of the key used to generate the signature,
701 # as output by, e.g. `gpg --list-keys`. This should be the version 4, full
702 # 160-bit fingerprint, expressed as a 40 character hexidecimal string. See
703 # https://tools.ietf.org/html/rfc4880#section-12.2 for details.
704 # Implementations may choose to acknowledge "LONG", "SHORT", or other
705 # abbreviated key IDs, but only the full fingerprint is guaranteed to work.
706 # In gpg, the full fingerprint can be retrieved from the `fpr` field
707 # returned when calling --list-keys with --with-colons. For example:
708 # ```
709 # gpg --with-colons --with-fingerprint --force-v4-certs \
710 # --list-keys attester@example.com
711 # tru::1:1513631572:0:3:1:5
712 # pub:...<SNIP>...
713 # fpr:::::::::24FF6481B76AC91E66A00AC657A93A81EF3AE6FB:
714 # ```
715 # Above, the fingerprint is `24FF6481B76AC91E66A00AC657A93A81EF3AE6FB`.
716 "contentType": "A String", # Type (for example schema) of the attestation payload that was signed.
717 # The verifier must ensure that the provided type is one that the verifier
718 # supports, and that the attestation payload is a valid instantiation of that
719 # type (for example by validating a JSON schema).
720 "signature": "A String", # Required. The raw content of the signature, as output by GNU Privacy Guard
721 # (GPG) or equivalent. Since this message only supports attached signatures,
722 # the payload that was signed must be attached. While the signature format
723 # supported is dependent on the verification implementation, currently only
724 # ASCII-armored (`--armor` to gpg), non-clearsigned (`--sign` rather than
725 # `--clearsign` to gpg) are supported. Concretely, `gpg --sign --armor
726 # --output=signature.gpg payload.json` will create the signature content
727 # expected in this field in `signature.gpg` for the `payload.json`
728 # attestation payload.
729 },
730 "genericSignedAttestation": { # An attestation wrapper that uses the Grafeas `Signature` message.
731 # This attestation must define the `serialized_payload` that the `signatures`
732 # verify and any metadata necessary to interpret that plaintext. The
733 # signatures should always be over the `serialized_payload` bytestring.
734 "signatures": [ # One or more signatures over `serialized_payload`. Verifier implementations
735 # should consider this attestation message verified if at least one
736 # `signature` verifies `serialized_payload`. See `Signature` in common.proto
737 # for more details on signature structure and verification.
738 { # Verifiers (e.g. Kritis implementations) MUST verify signatures
739 # with respect to the trust anchors defined in policy (e.g. a Kritis policy).
740 # Typically this means that the verifier has been configured with a map from
741 # `public_key_id` to public key material (and any required parameters, e.g.
742 # signing algorithm).
743 #
744 # In particular, verification implementations MUST NOT treat the signature
745 # `public_key_id` as anything more than a key lookup hint. The `public_key_id`
746 # DOES NOT validate or authenticate a public key; it only provides a mechanism
747 # for quickly selecting a public key ALREADY CONFIGURED on the verifier through
748 # a trusted channel. Verification implementations MUST reject signatures in any
749 # of the following circumstances:
750 # * The `public_key_id` is not recognized by the verifier.
751 # * The public key that `public_key_id` refers to does not verify the
752 # signature with respect to the payload.
753 #
754 # The `signature` contents SHOULD NOT be "attached" (where the payload is
755 # included with the serialized `signature` bytes). Verifiers MUST ignore any
756 # "attached" payload and only verify signatures with respect to explicitly
757 # provided payload (e.g. a `payload` field on the proto message that holds
758 # this Signature, or the canonical serialization of the proto message that
759 # holds this signature).
760 "publicKeyId": "A String", # The identifier for the public key that verifies this signature.
761 # * The `public_key_id` is required.
762 # * The `public_key_id` MUST be an RFC3986 conformant URI.
763 # * When possible, the `public_key_id` SHOULD be an immutable reference,
764 # such as a cryptographic digest.
765 #
766 # Examples of valid `public_key_id`s:
767 #
768 # OpenPGP V4 public key fingerprint:
769 # * "openpgp4fpr:74FAF3B861BDA0870C7B6DEF607E48D2A663AEEA"
770 # See https://www.iana.org/assignments/uri-schemes/prov/openpgp4fpr for more
771 # details on this scheme.
772 #
773 # RFC6920 digest-named SubjectPublicKeyInfo (digest of the DER
774 # serialization):
775 # * "ni:///sha-256;cD9o9Cq6LG3jD0iKXqEi_vdjJGecm_iXkbqVoScViaU"
776 # * "nih:///sha-256;703f68f42aba2c6de30f488a5ea122fef76324679c9bf89791ba95a1271589a5"
777 "signature": "A String", # The content of the signature, an opaque bytestring.
778 # The payload that this signature verifies MUST be unambiguously provided
779 # with the Signature during verification. A wrapper message might provide
780 # the payload explicitly. Alternatively, a message might have a canonical
781 # serialization that can always be unambiguously computed to derive the
782 # payload.
783 },
784 ],
785 "contentType": "A String", # Type (for example schema) of the attestation payload that was signed.
786 # The verifier must ensure that the provided type is one that the verifier
787 # supports, and that the attestation payload is a valid instantiation of that
788 # type (for example by validating a JSON schema).
789 "serializedPayload": "A String", # The serialized payload that is verified by one or more `signatures`.
790 # The encoding and semantic meaning of this payload must match what is set in
791 # `content_type`.
792 },
793 },
794 },
795 "build": { # Details of a build occurrence. # Describes a verifiable build.
796 "provenance": { # Provenance of a build. Contains all information needed to verify the full # Required. The actual provenance for the build.
797 # details about the build from source to completion.
798 "commands": [ # Commands requested by the build.
799 { # Command describes a step performed as part of the build pipeline.
800 "waitFor": [ # The ID(s) of the command(s) that this command depends on.
801 "A String",
802 ],
803 "name": "A String", # Required. Name of the command, as presented on the command line, or if the
804 # command is packaged as a Docker container, as presented to `docker pull`.
805 "args": [ # Command-line arguments used when executing this command.
806 "A String",
807 ],
808 "env": [ # Environment variables set before running this command.
809 "A String",
810 ],
811 "id": "A String", # Optional unique identifier for this command, used in wait_for to reference
812 # this command as a dependency.
813 "dir": "A String", # Working directory (relative to project source root) used when running this
814 # command.
815 },
816 ],
817 "sourceProvenance": { # Source describes the location of the source used for the build. # Details of the Source input to the build.
818 "fileHashes": { # Hash(es) of the build source, which can be used to verify that the original
819 # source integrity was maintained in the build.
820 #
821 # The keys to this map are file paths used as build source and the values
822 # contain the hash values for those files.
823 #
824 # If the build source came in a single package such as a gzipped tarfile
825 # (.tar.gz), the FileHash will be for the single path to that file.
826 "a_key": { # Container message for hashes of byte content of files, used in source
827 # messages to verify integrity of source input to the build.
828 "fileHash": [ # Required. Collection of file hashes.
829 { # Container message for hash values.
830 "type": "A String", # Required. The type of hash that was performed.
831 "value": "A String", # Required. The hash value.
832 },
833 ],
834 },
835 },
836 "artifactStorageSourceUri": "A String", # If provided, the input binary artifacts for the build came from this
837 # location.
838 "additionalContexts": [ # If provided, some of the source code used for the build may be found in
839 # these locations, in the case where the source repository had multiple
840 # remotes or submodules. This list will not include the context specified in
841 # the context field.
842 { # A SourceContext is a reference to a tree of files. A SourceContext together
843 # with a path point to a unique revision of a single file or directory.
844 "git": { # A GitSourceContext denotes a particular revision in a third party Git # A SourceContext referring to any third party Git repo (e.g., GitHub).
845 # repository (e.g., GitHub).
846 "url": "A String", # Git repository URL.
847 "revisionId": "A String", # Git commit hash.
848 },
849 "cloudRepo": { # A CloudRepoSourceContext denotes a particular revision in a Google Cloud # A SourceContext referring to a revision in a Google Cloud Source Repo.
850 # Source Repo.
851 "aliasContext": { # An alias to a repo revision. # An alias, which may be a branch or tag.
852 "kind": "A String", # The alias kind.
853 "name": "A String", # The alias name.
854 },
855 "revisionId": "A String", # A revision ID.
856 "repoId": { # A unique identifier for a Cloud Repo. # The ID of the repo.
857 "uid": "A String", # A server-assigned, globally unique identifier.
858 "projectRepoId": { # Selects a repo using a Google Cloud Platform project ID (e.g., # A combination of a project ID and a repo name.
859 # winged-cargo-31) and a repo name within that project.
860 "projectId": "A String", # The ID of the project.
861 "repoName": "A String", # The name of the repo. Leave empty for the default repo.
862 },
863 },
864 },
865 "labels": { # Labels with user defined metadata.
866 "a_key": "A String",
867 },
868 "gerrit": { # A SourceContext referring to a Gerrit project. # A SourceContext referring to a Gerrit project.
869 "aliasContext": { # An alias to a repo revision. # An alias, which may be a branch or tag.
870 "kind": "A String", # The alias kind.
871 "name": "A String", # The alias name.
872 },
873 "revisionId": "A String", # A revision (commit) ID.
874 "hostUri": "A String", # The URI of a running Gerrit instance.
875 "gerritProject": "A String", # The full project name within the host. Projects may be nested, so
876 # "project/subproject" is a valid project name. The "repo name" is the
877 # hostURI/project.
878 },
879 },
880 ],
881 "context": { # A SourceContext is a reference to a tree of files. A SourceContext together # If provided, the source code used for the build came from this location.
882 # with a path point to a unique revision of a single file or directory.
883 "git": { # A GitSourceContext denotes a particular revision in a third party Git # A SourceContext referring to any third party Git repo (e.g., GitHub).
884 # repository (e.g., GitHub).
885 "url": "A String", # Git repository URL.
886 "revisionId": "A String", # Git commit hash.
887 },
888 "cloudRepo": { # A CloudRepoSourceContext denotes a particular revision in a Google Cloud # A SourceContext referring to a revision in a Google Cloud Source Repo.
889 # Source Repo.
890 "aliasContext": { # An alias to a repo revision. # An alias, which may be a branch or tag.
891 "kind": "A String", # The alias kind.
892 "name": "A String", # The alias name.
893 },
894 "revisionId": "A String", # A revision ID.
895 "repoId": { # A unique identifier for a Cloud Repo. # The ID of the repo.
896 "uid": "A String", # A server-assigned, globally unique identifier.
897 "projectRepoId": { # Selects a repo using a Google Cloud Platform project ID (e.g., # A combination of a project ID and a repo name.
898 # winged-cargo-31) and a repo name within that project.
899 "projectId": "A String", # The ID of the project.
900 "repoName": "A String", # The name of the repo. Leave empty for the default repo.
901 },
902 },
903 },
904 "labels": { # Labels with user defined metadata.
905 "a_key": "A String",
906 },
907 "gerrit": { # A SourceContext referring to a Gerrit project. # A SourceContext referring to a Gerrit project.
908 "aliasContext": { # An alias to a repo revision. # An alias, which may be a branch or tag.
909 "kind": "A String", # The alias kind.
910 "name": "A String", # The alias name.
911 },
912 "revisionId": "A String", # A revision (commit) ID.
913 "hostUri": "A String", # The URI of a running Gerrit instance.
914 "gerritProject": "A String", # The full project name within the host. Projects may be nested, so
915 # "project/subproject" is a valid project name. The "repo name" is the
916 # hostURI/project.
917 },
918 },
919 },
920 "buildOptions": { # Special options applied to this build. This is a catch-all field where
921 # build providers can enter any desired additional details.
922 "a_key": "A String",
923 },
924 "creator": "A String", # E-mail address of the user who initiated this build. Note that this was the
925 # user's e-mail address at the time the build was initiated; this address may
926 # not represent the same end-user for all time.
927 "projectId": "A String", # ID of the project.
928 "builderVersion": "A String", # Version string of the builder at the time this build was executed.
929 "createTime": "A String", # Time at which the build was created.
930 "builtArtifacts": [ # Output of the build.
931 { # Artifact describes a build product.
932 "checksum": "A String", # Hash or checksum value of a binary, or Docker Registry 2.0 digest of a
933 # container.
934 "id": "A String", # Artifact ID, if any; for container images, this will be a URL by digest
935 # like `gcr.io/projectID/imagename@sha256:123456`.
936 "names": [ # Related artifact names. This may be the path to a binary or jar file, or in
937 # the case of a container build, the name used to push the container image to
938 # Google Container Registry, as presented to `docker push`. Note that a
939 # single Artifact ID can have multiple names, for example if two tags are
940 # applied to one image.
941 "A String",
942 ],
943 },
944 ],
945 "triggerId": "A String", # Trigger identifier if the build was triggered automatically; empty if not.
946 "startTime": "A String", # Time at which execution of the build was started.
947 "endTime": "A String", # Time at which execution of the build was finished.
948 "id": "A String", # Required. Unique identifier of the build.
949 "logsUri": "A String", # URI where any logs for this provenance were written.
950 },
951 "provenanceBytes": "A String", # Serialized JSON representation of the provenance, used in generating the
952 # build signature in the corresponding build note. After verifying the
953 # signature, `provenance_bytes` can be unmarshalled and compared to the
954 # provenance to confirm that it is unchanged. A base64-encoded string
955 # representation of the provenance bytes is used for the signature in order
956 # to interoperate with openssl which expects this format for signature
957 # verification.
958 #
959 # The serialized form is captured both to avoid ambiguity in how the
960 # provenance is marshalled to json as well to prevent incompatibilities with
961 # future changes.
962 },
963 "deployment": { # Details of a deployment occurrence. # Describes the deployment of an artifact on a runtime.
964 "deployment": { # The period during which some deployable was active in a runtime. # Required. Deployment history for the resource.
965 "resourceUri": [ # Output only. Resource URI for the artifact being deployed taken from
966 # the deployable field with the same name.
967 "A String",
968 ],
969 "userEmail": "A String", # Identity of the user that triggered this deployment.
970 "address": "A String", # Address of the runtime element hosting this deployment.
971 "platform": "A String", # Platform hosting this deployment.
972 "deployTime": "A String", # Required. Beginning of the lifetime of this deployment.
973 "undeployTime": "A String", # End of the lifetime of this deployment.
974 "config": "A String", # Configuration used to create this deployment.
975 },
976 },
977 "remediation": "A String", # A description of actions that can be taken to remedy the note.
978 "installation": { # Details of a package occurrence. # Describes the installation of a package on the linked resource.
979 "installation": { # This represents how a particular software package may be installed on a # Required. Where the package was installed.
980 # system.
981 "location": [ # Required. All of the places within the filesystem versions of this package
982 # have been found.
983 { # An occurrence of a particular package installation found within a system's
984 # filesystem. E.g., glibc was found in `/var/lib/dpkg/status`.
985 "path": "A String", # The path from which we gathered that this package/version is installed.
986 "cpeUri": "A String", # Required. The CPE URI in [CPE format](https://cpe.mitre.org/specification/)
987 # denoting the package manager version distributing a package.
988 "version": { # Version contains structured information about the version of a package. # The version installed at this location.
989 "epoch": 42, # Used to correct mistakes in the version numbering scheme.
990 "kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal
991 # versions.
992 "name": "A String", # Required only when version kind is NORMAL. The main part of the version
993 # name.
994 "revision": "A String", # The iteration of the package build from the above version.
995 },
996 },
997 ],
998 "name": "A String", # Output only. The name of the installed package.
999 },
1000 },
1001 "createTime": "A String", # Output only. The time this occurrence was created.
1002 "derivedImage": { # Details of an image occurrence. # Describes how this resource derives from the basis in the associated
1003 # note.
1004 "derivedImage": { # Derived describes the derived image portion (Occurrence) of the DockerImage # Required. Immutable. The child image derived from the base image.
1005 # relationship. This image would be produced from a Dockerfile with FROM
1006 # <DockerImage.Basis in attached Note>.
1007 "distance": 42, # Output only. The number of layers by which this image differs from the
1008 # associated image basis.
1009 "baseResourceUrl": "A String", # Output only. This contains the base image URL for the derived image
1010 # occurrence.
1011 "layerInfo": [ # This contains layer-specific metadata, if populated it has length
1012 # "distance" and is ordered with [distance] being the layer immediately
1013 # following the base image and [1] being the final layer.
1014 { # Layer holds metadata specific to a layer of a Docker image.
1015 "arguments": "A String", # The recovered arguments to the Dockerfile directive.
1016 "directive": "A String", # Required. The recovered Dockerfile directive used to construct this layer.
1017 },
1018 ],
1019 "fingerprint": { # A set of properties that uniquely identify a given Docker image. # Required. The fingerprint of the derived image.
1020 "v1Name": "A String", # Required. The layer ID of the final layer in the Docker image's v1
1021 # representation.
1022 "v2Name": "A String", # Output only. The name of the image's v2 blobs computed via:
1023 # [bottom] := v2_blobbottom := sha256(v2_blob[N] + " " + v2_name[N+1])
1024 # Only the name of the final blob is kept.
1025 "v2Blob": [ # Required. The ordered list of v2 blobs that represent a given image.
1026 "A String",
1027 ],
1028 },
1029 },
1030 },
1031 "noteName": "A String", # Required. Immutable. The analysis note associated with this occurrence, in
1032 # the form of `projects/[PROVIDER_ID]/notes/[NOTE_ID]`. This field can be
1033 # used as a filter in list requests.
1034 },
1035 ],
1036 }</pre>
1037</div>
1038
1039<div class="method">
1040 <code class="details" id="create">create(parent, body, x__xgafv=None)</code>
1041 <pre>Creates a new occurrence.
1042
1043Args:
1044 parent: string, The name of the project in the form of `projects/[PROJECT_ID]`, under which
1045the occurrence is to be created. (required)
1046 body: object, The request body. (required)
1047 The object takes the form of:
1048
1049{ # An instance of an analysis type that has been found on a resource.
1050 "kind": "A String", # Output only. This explicitly denotes which of the occurrence details are
1051 # specified. This field can be used as a filter in list requests.
1052 "resource": { # An entity that can have metadata. For example, a Docker image. # Required. Immutable. The resource for which the occurrence applies.
1053 "contentHash": { # Container message for hash values. # Deprecated, do not use. Use uri instead.
1054 #
1055 # The hash of the resource content. For example, the Docker digest.
1056 "type": "A String", # Required. The type of hash that was performed.
1057 "value": "A String", # Required. The hash value.
1058 },
1059 "uri": "A String", # Required. The unique URI of the resource. For example,
1060 # `https://gcr.io/project/image@sha256:foo` for a Docker image.
1061 "name": "A String", # Deprecated, do not use. Use uri instead.
1062 #
1063 # The name of the resource. For example, the name of a Docker image -
1064 # "Debian".
1065 },
1066 "name": "A String", # Output only. The name of the occurrence in the form of
1067 # `projects/[PROJECT_ID]/occurrences/[OCCURRENCE_ID]`.
1068 "vulnerability": { # Details of a vulnerability Occurrence. # Describes a security vulnerability.
1069 "cvssScore": 3.14, # Output only. The CVSS score of this vulnerability. CVSS score is on a
1070 # scale of 0-10 where 0 indicates low severity and 10 indicates high
1071 # severity.
1072 "severity": "A String", # Output only. The note provider assigned Severity of the vulnerability.
1073 "type": "A String", # The type of package; whether native or non native(ruby gems, node.js
1074 # packages etc)
1075 "effectiveSeverity": "A String", # The distro assigned severity for this vulnerability when it is
1076 # available, and note provider assigned severity when distro has not yet
1077 # assigned a severity for this vulnerability.
1078 "relatedUrls": [ # Output only. URLs related to this vulnerability.
1079 { # Metadata for any related URL information.
1080 "url": "A String", # Specific URL associated with the resource.
1081 "label": "A String", # Label to describe usage of the URL.
1082 },
1083 ],
1084 "packageIssue": [ # Required. The set of affected locations and their fixes (if available)
1085 # within the associated resource.
1086 { # This message wraps a location affected by a vulnerability and its
1087 # associated fix (if one is available).
1088 "severityName": "A String", # Deprecated, use Details.effective_severity instead
1089 # The severity (e.g., distro assigned severity) for this vulnerability.
1090 "affectedLocation": { # The location of the vulnerability. # Required. The location of the vulnerability.
1091 "cpeUri": "A String", # Required. The CPE URI in [cpe format](https://cpe.mitre.org/specification/)
1092 # format. Examples include distro or storage location for vulnerable jar.
1093 "version": { # Version contains structured information about the version of a package. # Required. The version of the package being described.
1094 "epoch": 42, # Used to correct mistakes in the version numbering scheme.
1095 "kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal
1096 # versions.
1097 "name": "A String", # Required only when version kind is NORMAL. The main part of the version
1098 # name.
1099 "revision": "A String", # The iteration of the package build from the above version.
1100 },
1101 "package": "A String", # Required. The package being described.
1102 },
1103 "fixedLocation": { # The location of the vulnerability. # The location of the available fix for vulnerability.
1104 "cpeUri": "A String", # Required. The CPE URI in [cpe format](https://cpe.mitre.org/specification/)
1105 # format. Examples include distro or storage location for vulnerable jar.
1106 "version": { # Version contains structured information about the version of a package. # Required. The version of the package being described.
1107 "epoch": 42, # Used to correct mistakes in the version numbering scheme.
1108 "kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal
1109 # versions.
1110 "name": "A String", # Required only when version kind is NORMAL. The main part of the version
1111 # name.
1112 "revision": "A String", # The iteration of the package build from the above version.
1113 },
1114 "package": "A String", # Required. The package being described.
1115 },
1116 },
1117 ],
1118 "longDescription": "A String", # Output only. A detailed description of this vulnerability.
1119 "shortDescription": "A String", # Output only. A one sentence description of this vulnerability.
1120 },
1121 "updateTime": "A String", # Output only. The time this occurrence was last updated.
1122 "discovered": { # Details of a discovery occurrence. # Describes when a resource was discovered.
1123 "discovered": { # Provides information about the analysis status of a discovered resource. # Required. Analysis status for the discovered resource.
1124 "lastAnalysisTime": "A String", # The last time continuous analysis was done for this resource.
1125 # Deprecated, do not use.
1126 "analysisStatus": "A String", # The status of discovery for the resource.
1127 "continuousAnalysis": "A String", # Whether the resource is continuously analyzed.
1128 "analysisStatusError": { # The `Status` type defines a logical error model that is suitable for # When an error is encountered this will contain a LocalizedMessage under
1129 # details to show to the user. The LocalizedMessage is output only and
1130 # populated by the API.
1131 # different programming environments, including REST APIs and RPC APIs. It is
1132 # used by [gRPC](https://github.com/grpc). Each `Status` message contains
1133 # three pieces of data: error code, error message, and error details.
1134 #
1135 # You can find out more about this error model and how to work with it in the
1136 # [API Design Guide](https://cloud.google.com/apis/design/errors).
1137 "message": "A String", # A developer-facing error message, which should be in English. Any
1138 # user-facing error message should be localized and sent in the
1139 # google.rpc.Status.details field, or localized by the client.
1140 "code": 42, # The status code, which should be an enum value of google.rpc.Code.
1141 "details": [ # A list of messages that carry the error details. There is a common set of
1142 # message types for APIs to use.
1143 {
1144 "a_key": "", # Properties of the object. Contains field @type with type URL.
1145 },
1146 ],
1147 },
1148 },
1149 },
1150 "attestation": { # Details of an attestation occurrence. # Describes an attestation of an artifact.
1151 "attestation": { # Occurrence that represents a single "attestation". The authenticity of an # Required. Attestation for the resource.
1152 # attestation can be verified using the attached signature. If the verifier
1153 # trusts the public key of the signer, then verifying the signature is
1154 # sufficient to establish trust. In this circumstance, the authority to which
1155 # this attestation is attached is primarily useful for look-up (how to find
1156 # this attestation if you already know the authority and artifact to be
1157 # verified) and intent (which authority was this attestation intended to sign
1158 # for).
1159 "pgpSignedAttestation": { # An attestation wrapper with a PGP-compatible signature. This message only # A PGP signed attestation.
1160 # supports `ATTACHED` signatures, where the payload that is signed is included
1161 # alongside the signature itself in the same file.
1162 "pgpKeyId": "A String", # The cryptographic fingerprint of the key used to generate the signature,
1163 # as output by, e.g. `gpg --list-keys`. This should be the version 4, full
1164 # 160-bit fingerprint, expressed as a 40 character hexidecimal string. See
1165 # https://tools.ietf.org/html/rfc4880#section-12.2 for details.
1166 # Implementations may choose to acknowledge "LONG", "SHORT", or other
1167 # abbreviated key IDs, but only the full fingerprint is guaranteed to work.
1168 # In gpg, the full fingerprint can be retrieved from the `fpr` field
1169 # returned when calling --list-keys with --with-colons. For example:
1170 # ```
1171 # gpg --with-colons --with-fingerprint --force-v4-certs \
1172 # --list-keys attester@example.com
1173 # tru::1:1513631572:0:3:1:5
1174 # pub:...<SNIP>...
1175 # fpr:::::::::24FF6481B76AC91E66A00AC657A93A81EF3AE6FB:
1176 # ```
1177 # Above, the fingerprint is `24FF6481B76AC91E66A00AC657A93A81EF3AE6FB`.
1178 "contentType": "A String", # Type (for example schema) of the attestation payload that was signed.
1179 # The verifier must ensure that the provided type is one that the verifier
1180 # supports, and that the attestation payload is a valid instantiation of that
1181 # type (for example by validating a JSON schema).
1182 "signature": "A String", # Required. The raw content of the signature, as output by GNU Privacy Guard
1183 # (GPG) or equivalent. Since this message only supports attached signatures,
1184 # the payload that was signed must be attached. While the signature format
1185 # supported is dependent on the verification implementation, currently only
1186 # ASCII-armored (`--armor` to gpg), non-clearsigned (`--sign` rather than
1187 # `--clearsign` to gpg) are supported. Concretely, `gpg --sign --armor
1188 # --output=signature.gpg payload.json` will create the signature content
1189 # expected in this field in `signature.gpg` for the `payload.json`
1190 # attestation payload.
1191 },
1192 "genericSignedAttestation": { # An attestation wrapper that uses the Grafeas `Signature` message.
1193 # This attestation must define the `serialized_payload` that the `signatures`
1194 # verify and any metadata necessary to interpret that plaintext. The
1195 # signatures should always be over the `serialized_payload` bytestring.
1196 "signatures": [ # One or more signatures over `serialized_payload`. Verifier implementations
1197 # should consider this attestation message verified if at least one
1198 # `signature` verifies `serialized_payload`. See `Signature` in common.proto
1199 # for more details on signature structure and verification.
1200 { # Verifiers (e.g. Kritis implementations) MUST verify signatures
1201 # with respect to the trust anchors defined in policy (e.g. a Kritis policy).
1202 # Typically this means that the verifier has been configured with a map from
1203 # `public_key_id` to public key material (and any required parameters, e.g.
1204 # signing algorithm).
1205 #
1206 # In particular, verification implementations MUST NOT treat the signature
1207 # `public_key_id` as anything more than a key lookup hint. The `public_key_id`
1208 # DOES NOT validate or authenticate a public key; it only provides a mechanism
1209 # for quickly selecting a public key ALREADY CONFIGURED on the verifier through
1210 # a trusted channel. Verification implementations MUST reject signatures in any
1211 # of the following circumstances:
1212 # * The `public_key_id` is not recognized by the verifier.
1213 # * The public key that `public_key_id` refers to does not verify the
1214 # signature with respect to the payload.
1215 #
1216 # The `signature` contents SHOULD NOT be "attached" (where the payload is
1217 # included with the serialized `signature` bytes). Verifiers MUST ignore any
1218 # "attached" payload and only verify signatures with respect to explicitly
1219 # provided payload (e.g. a `payload` field on the proto message that holds
1220 # this Signature, or the canonical serialization of the proto message that
1221 # holds this signature).
1222 "publicKeyId": "A String", # The identifier for the public key that verifies this signature.
1223 # * The `public_key_id` is required.
1224 # * The `public_key_id` MUST be an RFC3986 conformant URI.
1225 # * When possible, the `public_key_id` SHOULD be an immutable reference,
1226 # such as a cryptographic digest.
1227 #
1228 # Examples of valid `public_key_id`s:
1229 #
1230 # OpenPGP V4 public key fingerprint:
1231 # * "openpgp4fpr:74FAF3B861BDA0870C7B6DEF607E48D2A663AEEA"
1232 # See https://www.iana.org/assignments/uri-schemes/prov/openpgp4fpr for more
1233 # details on this scheme.
1234 #
1235 # RFC6920 digest-named SubjectPublicKeyInfo (digest of the DER
1236 # serialization):
1237 # * "ni:///sha-256;cD9o9Cq6LG3jD0iKXqEi_vdjJGecm_iXkbqVoScViaU"
1238 # * "nih:///sha-256;703f68f42aba2c6de30f488a5ea122fef76324679c9bf89791ba95a1271589a5"
1239 "signature": "A String", # The content of the signature, an opaque bytestring.
1240 # The payload that this signature verifies MUST be unambiguously provided
1241 # with the Signature during verification. A wrapper message might provide
1242 # the payload explicitly. Alternatively, a message might have a canonical
1243 # serialization that can always be unambiguously computed to derive the
1244 # payload.
1245 },
1246 ],
1247 "contentType": "A String", # Type (for example schema) of the attestation payload that was signed.
1248 # The verifier must ensure that the provided type is one that the verifier
1249 # supports, and that the attestation payload is a valid instantiation of that
1250 # type (for example by validating a JSON schema).
1251 "serializedPayload": "A String", # The serialized payload that is verified by one or more `signatures`.
1252 # The encoding and semantic meaning of this payload must match what is set in
1253 # `content_type`.
1254 },
1255 },
1256 },
1257 "build": { # Details of a build occurrence. # Describes a verifiable build.
1258 "provenance": { # Provenance of a build. Contains all information needed to verify the full # Required. The actual provenance for the build.
1259 # details about the build from source to completion.
1260 "commands": [ # Commands requested by the build.
1261 { # Command describes a step performed as part of the build pipeline.
1262 "waitFor": [ # The ID(s) of the command(s) that this command depends on.
1263 "A String",
1264 ],
1265 "name": "A String", # Required. Name of the command, as presented on the command line, or if the
1266 # command is packaged as a Docker container, as presented to `docker pull`.
1267 "args": [ # Command-line arguments used when executing this command.
1268 "A String",
1269 ],
1270 "env": [ # Environment variables set before running this command.
1271 "A String",
1272 ],
1273 "id": "A String", # Optional unique identifier for this command, used in wait_for to reference
1274 # this command as a dependency.
1275 "dir": "A String", # Working directory (relative to project source root) used when running this
1276 # command.
1277 },
1278 ],
1279 "sourceProvenance": { # Source describes the location of the source used for the build. # Details of the Source input to the build.
1280 "fileHashes": { # Hash(es) of the build source, which can be used to verify that the original
1281 # source integrity was maintained in the build.
1282 #
1283 # The keys to this map are file paths used as build source and the values
1284 # contain the hash values for those files.
1285 #
1286 # If the build source came in a single package such as a gzipped tarfile
1287 # (.tar.gz), the FileHash will be for the single path to that file.
1288 "a_key": { # Container message for hashes of byte content of files, used in source
1289 # messages to verify integrity of source input to the build.
1290 "fileHash": [ # Required. Collection of file hashes.
1291 { # Container message for hash values.
1292 "type": "A String", # Required. The type of hash that was performed.
1293 "value": "A String", # Required. The hash value.
1294 },
1295 ],
1296 },
1297 },
1298 "artifactStorageSourceUri": "A String", # If provided, the input binary artifacts for the build came from this
1299 # location.
1300 "additionalContexts": [ # If provided, some of the source code used for the build may be found in
1301 # these locations, in the case where the source repository had multiple
1302 # remotes or submodules. This list will not include the context specified in
1303 # the context field.
1304 { # A SourceContext is a reference to a tree of files. A SourceContext together
1305 # with a path point to a unique revision of a single file or directory.
1306 "git": { # A GitSourceContext denotes a particular revision in a third party Git # A SourceContext referring to any third party Git repo (e.g., GitHub).
1307 # repository (e.g., GitHub).
1308 "url": "A String", # Git repository URL.
1309 "revisionId": "A String", # Git commit hash.
1310 },
1311 "cloudRepo": { # A CloudRepoSourceContext denotes a particular revision in a Google Cloud # A SourceContext referring to a revision in a Google Cloud Source Repo.
1312 # Source Repo.
1313 "aliasContext": { # An alias to a repo revision. # An alias, which may be a branch or tag.
1314 "kind": "A String", # The alias kind.
1315 "name": "A String", # The alias name.
1316 },
1317 "revisionId": "A String", # A revision ID.
1318 "repoId": { # A unique identifier for a Cloud Repo. # The ID of the repo.
1319 "uid": "A String", # A server-assigned, globally unique identifier.
1320 "projectRepoId": { # Selects a repo using a Google Cloud Platform project ID (e.g., # A combination of a project ID and a repo name.
1321 # winged-cargo-31) and a repo name within that project.
1322 "projectId": "A String", # The ID of the project.
1323 "repoName": "A String", # The name of the repo. Leave empty for the default repo.
1324 },
1325 },
1326 },
1327 "labels": { # Labels with user defined metadata.
1328 "a_key": "A String",
1329 },
1330 "gerrit": { # A SourceContext referring to a Gerrit project. # A SourceContext referring to a Gerrit project.
1331 "aliasContext": { # An alias to a repo revision. # An alias, which may be a branch or tag.
1332 "kind": "A String", # The alias kind.
1333 "name": "A String", # The alias name.
1334 },
1335 "revisionId": "A String", # A revision (commit) ID.
1336 "hostUri": "A String", # The URI of a running Gerrit instance.
1337 "gerritProject": "A String", # The full project name within the host. Projects may be nested, so
1338 # "project/subproject" is a valid project name. The "repo name" is the
1339 # hostURI/project.
1340 },
1341 },
1342 ],
1343 "context": { # A SourceContext is a reference to a tree of files. A SourceContext together # If provided, the source code used for the build came from this location.
1344 # with a path point to a unique revision of a single file or directory.
1345 "git": { # A GitSourceContext denotes a particular revision in a third party Git # A SourceContext referring to any third party Git repo (e.g., GitHub).
1346 # repository (e.g., GitHub).
1347 "url": "A String", # Git repository URL.
1348 "revisionId": "A String", # Git commit hash.
1349 },
1350 "cloudRepo": { # A CloudRepoSourceContext denotes a particular revision in a Google Cloud # A SourceContext referring to a revision in a Google Cloud Source Repo.
1351 # Source Repo.
1352 "aliasContext": { # An alias to a repo revision. # An alias, which may be a branch or tag.
1353 "kind": "A String", # The alias kind.
1354 "name": "A String", # The alias name.
1355 },
1356 "revisionId": "A String", # A revision ID.
1357 "repoId": { # A unique identifier for a Cloud Repo. # The ID of the repo.
1358 "uid": "A String", # A server-assigned, globally unique identifier.
1359 "projectRepoId": { # Selects a repo using a Google Cloud Platform project ID (e.g., # A combination of a project ID and a repo name.
1360 # winged-cargo-31) and a repo name within that project.
1361 "projectId": "A String", # The ID of the project.
1362 "repoName": "A String", # The name of the repo. Leave empty for the default repo.
1363 },
1364 },
1365 },
1366 "labels": { # Labels with user defined metadata.
1367 "a_key": "A String",
1368 },
1369 "gerrit": { # A SourceContext referring to a Gerrit project. # A SourceContext referring to a Gerrit project.
1370 "aliasContext": { # An alias to a repo revision. # An alias, which may be a branch or tag.
1371 "kind": "A String", # The alias kind.
1372 "name": "A String", # The alias name.
1373 },
1374 "revisionId": "A String", # A revision (commit) ID.
1375 "hostUri": "A String", # The URI of a running Gerrit instance.
1376 "gerritProject": "A String", # The full project name within the host. Projects may be nested, so
1377 # "project/subproject" is a valid project name. The "repo name" is the
1378 # hostURI/project.
1379 },
1380 },
1381 },
1382 "buildOptions": { # Special options applied to this build. This is a catch-all field where
1383 # build providers can enter any desired additional details.
1384 "a_key": "A String",
1385 },
1386 "creator": "A String", # E-mail address of the user who initiated this build. Note that this was the
1387 # user's e-mail address at the time the build was initiated; this address may
1388 # not represent the same end-user for all time.
1389 "projectId": "A String", # ID of the project.
1390 "builderVersion": "A String", # Version string of the builder at the time this build was executed.
1391 "createTime": "A String", # Time at which the build was created.
1392 "builtArtifacts": [ # Output of the build.
1393 { # Artifact describes a build product.
1394 "checksum": "A String", # Hash or checksum value of a binary, or Docker Registry 2.0 digest of a
1395 # container.
1396 "id": "A String", # Artifact ID, if any; for container images, this will be a URL by digest
1397 # like `gcr.io/projectID/imagename@sha256:123456`.
1398 "names": [ # Related artifact names. This may be the path to a binary or jar file, or in
1399 # the case of a container build, the name used to push the container image to
1400 # Google Container Registry, as presented to `docker push`. Note that a
1401 # single Artifact ID can have multiple names, for example if two tags are
1402 # applied to one image.
1403 "A String",
1404 ],
1405 },
1406 ],
1407 "triggerId": "A String", # Trigger identifier if the build was triggered automatically; empty if not.
1408 "startTime": "A String", # Time at which execution of the build was started.
1409 "endTime": "A String", # Time at which execution of the build was finished.
1410 "id": "A String", # Required. Unique identifier of the build.
1411 "logsUri": "A String", # URI where any logs for this provenance were written.
1412 },
1413 "provenanceBytes": "A String", # Serialized JSON representation of the provenance, used in generating the
1414 # build signature in the corresponding build note. After verifying the
1415 # signature, `provenance_bytes` can be unmarshalled and compared to the
1416 # provenance to confirm that it is unchanged. A base64-encoded string
1417 # representation of the provenance bytes is used for the signature in order
1418 # to interoperate with openssl which expects this format for signature
1419 # verification.
1420 #
1421 # The serialized form is captured both to avoid ambiguity in how the
1422 # provenance is marshalled to json as well to prevent incompatibilities with
1423 # future changes.
1424 },
1425 "deployment": { # Details of a deployment occurrence. # Describes the deployment of an artifact on a runtime.
1426 "deployment": { # The period during which some deployable was active in a runtime. # Required. Deployment history for the resource.
1427 "resourceUri": [ # Output only. Resource URI for the artifact being deployed taken from
1428 # the deployable field with the same name.
1429 "A String",
1430 ],
1431 "userEmail": "A String", # Identity of the user that triggered this deployment.
1432 "address": "A String", # Address of the runtime element hosting this deployment.
1433 "platform": "A String", # Platform hosting this deployment.
1434 "deployTime": "A String", # Required. Beginning of the lifetime of this deployment.
1435 "undeployTime": "A String", # End of the lifetime of this deployment.
1436 "config": "A String", # Configuration used to create this deployment.
1437 },
1438 },
1439 "remediation": "A String", # A description of actions that can be taken to remedy the note.
1440 "installation": { # Details of a package occurrence. # Describes the installation of a package on the linked resource.
1441 "installation": { # This represents how a particular software package may be installed on a # Required. Where the package was installed.
1442 # system.
1443 "location": [ # Required. All of the places within the filesystem versions of this package
1444 # have been found.
1445 { # An occurrence of a particular package installation found within a system's
1446 # filesystem. E.g., glibc was found in `/var/lib/dpkg/status`.
1447 "path": "A String", # The path from which we gathered that this package/version is installed.
1448 "cpeUri": "A String", # Required. The CPE URI in [CPE format](https://cpe.mitre.org/specification/)
1449 # denoting the package manager version distributing a package.
1450 "version": { # Version contains structured information about the version of a package. # The version installed at this location.
1451 "epoch": 42, # Used to correct mistakes in the version numbering scheme.
1452 "kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal
1453 # versions.
1454 "name": "A String", # Required only when version kind is NORMAL. The main part of the version
1455 # name.
1456 "revision": "A String", # The iteration of the package build from the above version.
1457 },
1458 },
1459 ],
1460 "name": "A String", # Output only. The name of the installed package.
1461 },
1462 },
1463 "createTime": "A String", # Output only. The time this occurrence was created.
1464 "derivedImage": { # Details of an image occurrence. # Describes how this resource derives from the basis in the associated
1465 # note.
1466 "derivedImage": { # Derived describes the derived image portion (Occurrence) of the DockerImage # Required. Immutable. The child image derived from the base image.
1467 # relationship. This image would be produced from a Dockerfile with FROM
1468 # <DockerImage.Basis in attached Note>.
1469 "distance": 42, # Output only. The number of layers by which this image differs from the
1470 # associated image basis.
1471 "baseResourceUrl": "A String", # Output only. This contains the base image URL for the derived image
1472 # occurrence.
1473 "layerInfo": [ # This contains layer-specific metadata, if populated it has length
1474 # "distance" and is ordered with [distance] being the layer immediately
1475 # following the base image and [1] being the final layer.
1476 { # Layer holds metadata specific to a layer of a Docker image.
1477 "arguments": "A String", # The recovered arguments to the Dockerfile directive.
1478 "directive": "A String", # Required. The recovered Dockerfile directive used to construct this layer.
1479 },
1480 ],
1481 "fingerprint": { # A set of properties that uniquely identify a given Docker image. # Required. The fingerprint of the derived image.
1482 "v1Name": "A String", # Required. The layer ID of the final layer in the Docker image's v1
1483 # representation.
1484 "v2Name": "A String", # Output only. The name of the image's v2 blobs computed via:
1485 # [bottom] := v2_blobbottom := sha256(v2_blob[N] + " " + v2_name[N+1])
1486 # Only the name of the final blob is kept.
1487 "v2Blob": [ # Required. The ordered list of v2 blobs that represent a given image.
1488 "A String",
1489 ],
1490 },
1491 },
1492 },
1493 "noteName": "A String", # Required. Immutable. The analysis note associated with this occurrence, in
1494 # the form of `projects/[PROVIDER_ID]/notes/[NOTE_ID]`. This field can be
1495 # used as a filter in list requests.
1496}
1497
1498 x__xgafv: string, V1 error format.
1499 Allowed values
1500 1 - v1 error format
1501 2 - v2 error format
1502
1503Returns:
1504 An object of the form:
1505
1506 { # An instance of an analysis type that has been found on a resource.
1507 "kind": "A String", # Output only. This explicitly denotes which of the occurrence details are
1508 # specified. This field can be used as a filter in list requests.
1509 "resource": { # An entity that can have metadata. For example, a Docker image. # Required. Immutable. The resource for which the occurrence applies.
1510 "contentHash": { # Container message for hash values. # Deprecated, do not use. Use uri instead.
1511 #
1512 # The hash of the resource content. For example, the Docker digest.
1513 "type": "A String", # Required. The type of hash that was performed.
1514 "value": "A String", # Required. The hash value.
1515 },
1516 "uri": "A String", # Required. The unique URI of the resource. For example,
1517 # `https://gcr.io/project/image@sha256:foo` for a Docker image.
1518 "name": "A String", # Deprecated, do not use. Use uri instead.
1519 #
1520 # The name of the resource. For example, the name of a Docker image -
1521 # "Debian".
1522 },
1523 "name": "A String", # Output only. The name of the occurrence in the form of
1524 # `projects/[PROJECT_ID]/occurrences/[OCCURRENCE_ID]`.
1525 "vulnerability": { # Details of a vulnerability Occurrence. # Describes a security vulnerability.
1526 "cvssScore": 3.14, # Output only. The CVSS score of this vulnerability. CVSS score is on a
1527 # scale of 0-10 where 0 indicates low severity and 10 indicates high
1528 # severity.
1529 "severity": "A String", # Output only. The note provider assigned Severity of the vulnerability.
1530 "type": "A String", # The type of package; whether native or non native(ruby gems, node.js
1531 # packages etc)
1532 "effectiveSeverity": "A String", # The distro assigned severity for this vulnerability when it is
1533 # available, and note provider assigned severity when distro has not yet
1534 # assigned a severity for this vulnerability.
1535 "relatedUrls": [ # Output only. URLs related to this vulnerability.
1536 { # Metadata for any related URL information.
1537 "url": "A String", # Specific URL associated with the resource.
1538 "label": "A String", # Label to describe usage of the URL.
1539 },
1540 ],
1541 "packageIssue": [ # Required. The set of affected locations and their fixes (if available)
1542 # within the associated resource.
1543 { # This message wraps a location affected by a vulnerability and its
1544 # associated fix (if one is available).
1545 "severityName": "A String", # Deprecated, use Details.effective_severity instead
1546 # The severity (e.g., distro assigned severity) for this vulnerability.
1547 "affectedLocation": { # The location of the vulnerability. # Required. The location of the vulnerability.
1548 "cpeUri": "A String", # Required. The CPE URI in [cpe format](https://cpe.mitre.org/specification/)
1549 # format. Examples include distro or storage location for vulnerable jar.
1550 "version": { # Version contains structured information about the version of a package. # Required. The version of the package being described.
1551 "epoch": 42, # Used to correct mistakes in the version numbering scheme.
1552 "kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal
1553 # versions.
1554 "name": "A String", # Required only when version kind is NORMAL. The main part of the version
1555 # name.
1556 "revision": "A String", # The iteration of the package build from the above version.
1557 },
1558 "package": "A String", # Required. The package being described.
1559 },
1560 "fixedLocation": { # The location of the vulnerability. # The location of the available fix for vulnerability.
1561 "cpeUri": "A String", # Required. The CPE URI in [cpe format](https://cpe.mitre.org/specification/)
1562 # format. Examples include distro or storage location for vulnerable jar.
1563 "version": { # Version contains structured information about the version of a package. # Required. The version of the package being described.
1564 "epoch": 42, # Used to correct mistakes in the version numbering scheme.
1565 "kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal
1566 # versions.
1567 "name": "A String", # Required only when version kind is NORMAL. The main part of the version
1568 # name.
1569 "revision": "A String", # The iteration of the package build from the above version.
1570 },
1571 "package": "A String", # Required. The package being described.
1572 },
1573 },
1574 ],
1575 "longDescription": "A String", # Output only. A detailed description of this vulnerability.
1576 "shortDescription": "A String", # Output only. A one sentence description of this vulnerability.
1577 },
1578 "updateTime": "A String", # Output only. The time this occurrence was last updated.
1579 "discovered": { # Details of a discovery occurrence. # Describes when a resource was discovered.
1580 "discovered": { # Provides information about the analysis status of a discovered resource. # Required. Analysis status for the discovered resource.
1581 "lastAnalysisTime": "A String", # The last time continuous analysis was done for this resource.
1582 # Deprecated, do not use.
1583 "analysisStatus": "A String", # The status of discovery for the resource.
1584 "continuousAnalysis": "A String", # Whether the resource is continuously analyzed.
1585 "analysisStatusError": { # The `Status` type defines a logical error model that is suitable for # When an error is encountered this will contain a LocalizedMessage under
1586 # details to show to the user. The LocalizedMessage is output only and
1587 # populated by the API.
1588 # different programming environments, including REST APIs and RPC APIs. It is
1589 # used by [gRPC](https://github.com/grpc). Each `Status` message contains
1590 # three pieces of data: error code, error message, and error details.
1591 #
1592 # You can find out more about this error model and how to work with it in the
1593 # [API Design Guide](https://cloud.google.com/apis/design/errors).
1594 "message": "A String", # A developer-facing error message, which should be in English. Any
1595 # user-facing error message should be localized and sent in the
1596 # google.rpc.Status.details field, or localized by the client.
1597 "code": 42, # The status code, which should be an enum value of google.rpc.Code.
1598 "details": [ # A list of messages that carry the error details. There is a common set of
1599 # message types for APIs to use.
1600 {
1601 "a_key": "", # Properties of the object. Contains field @type with type URL.
1602 },
1603 ],
1604 },
1605 },
1606 },
1607 "attestation": { # Details of an attestation occurrence. # Describes an attestation of an artifact.
1608 "attestation": { # Occurrence that represents a single "attestation". The authenticity of an # Required. Attestation for the resource.
1609 # attestation can be verified using the attached signature. If the verifier
1610 # trusts the public key of the signer, then verifying the signature is
1611 # sufficient to establish trust. In this circumstance, the authority to which
1612 # this attestation is attached is primarily useful for look-up (how to find
1613 # this attestation if you already know the authority and artifact to be
1614 # verified) and intent (which authority was this attestation intended to sign
1615 # for).
1616 "pgpSignedAttestation": { # An attestation wrapper with a PGP-compatible signature. This message only # A PGP signed attestation.
1617 # supports `ATTACHED` signatures, where the payload that is signed is included
1618 # alongside the signature itself in the same file.
1619 "pgpKeyId": "A String", # The cryptographic fingerprint of the key used to generate the signature,
1620 # as output by, e.g. `gpg --list-keys`. This should be the version 4, full
1621 # 160-bit fingerprint, expressed as a 40 character hexidecimal string. See
1622 # https://tools.ietf.org/html/rfc4880#section-12.2 for details.
1623 # Implementations may choose to acknowledge "LONG", "SHORT", or other
1624 # abbreviated key IDs, but only the full fingerprint is guaranteed to work.
1625 # In gpg, the full fingerprint can be retrieved from the `fpr` field
1626 # returned when calling --list-keys with --with-colons. For example:
1627 # ```
1628 # gpg --with-colons --with-fingerprint --force-v4-certs \
1629 # --list-keys attester@example.com
1630 # tru::1:1513631572:0:3:1:5
1631 # pub:...<SNIP>...
1632 # fpr:::::::::24FF6481B76AC91E66A00AC657A93A81EF3AE6FB:
1633 # ```
1634 # Above, the fingerprint is `24FF6481B76AC91E66A00AC657A93A81EF3AE6FB`.
1635 "contentType": "A String", # Type (for example schema) of the attestation payload that was signed.
1636 # The verifier must ensure that the provided type is one that the verifier
1637 # supports, and that the attestation payload is a valid instantiation of that
1638 # type (for example by validating a JSON schema).
1639 "signature": "A String", # Required. The raw content of the signature, as output by GNU Privacy Guard
1640 # (GPG) or equivalent. Since this message only supports attached signatures,
1641 # the payload that was signed must be attached. While the signature format
1642 # supported is dependent on the verification implementation, currently only
1643 # ASCII-armored (`--armor` to gpg), non-clearsigned (`--sign` rather than
1644 # `--clearsign` to gpg) are supported. Concretely, `gpg --sign --armor
1645 # --output=signature.gpg payload.json` will create the signature content
1646 # expected in this field in `signature.gpg` for the `payload.json`
1647 # attestation payload.
1648 },
1649 "genericSignedAttestation": { # An attestation wrapper that uses the Grafeas `Signature` message.
1650 # This attestation must define the `serialized_payload` that the `signatures`
1651 # verify and any metadata necessary to interpret that plaintext. The
1652 # signatures should always be over the `serialized_payload` bytestring.
1653 "signatures": [ # One or more signatures over `serialized_payload`. Verifier implementations
1654 # should consider this attestation message verified if at least one
1655 # `signature` verifies `serialized_payload`. See `Signature` in common.proto
1656 # for more details on signature structure and verification.
1657 { # Verifiers (e.g. Kritis implementations) MUST verify signatures
1658 # with respect to the trust anchors defined in policy (e.g. a Kritis policy).
1659 # Typically this means that the verifier has been configured with a map from
1660 # `public_key_id` to public key material (and any required parameters, e.g.
1661 # signing algorithm).
1662 #
1663 # In particular, verification implementations MUST NOT treat the signature
1664 # `public_key_id` as anything more than a key lookup hint. The `public_key_id`
1665 # DOES NOT validate or authenticate a public key; it only provides a mechanism
1666 # for quickly selecting a public key ALREADY CONFIGURED on the verifier through
1667 # a trusted channel. Verification implementations MUST reject signatures in any
1668 # of the following circumstances:
1669 # * The `public_key_id` is not recognized by the verifier.
1670 # * The public key that `public_key_id` refers to does not verify the
1671 # signature with respect to the payload.
1672 #
1673 # The `signature` contents SHOULD NOT be "attached" (where the payload is
1674 # included with the serialized `signature` bytes). Verifiers MUST ignore any
1675 # "attached" payload and only verify signatures with respect to explicitly
1676 # provided payload (e.g. a `payload` field on the proto message that holds
1677 # this Signature, or the canonical serialization of the proto message that
1678 # holds this signature).
1679 "publicKeyId": "A String", # The identifier for the public key that verifies this signature.
1680 # * The `public_key_id` is required.
1681 # * The `public_key_id` MUST be an RFC3986 conformant URI.
1682 # * When possible, the `public_key_id` SHOULD be an immutable reference,
1683 # such as a cryptographic digest.
1684 #
1685 # Examples of valid `public_key_id`s:
1686 #
1687 # OpenPGP V4 public key fingerprint:
1688 # * "openpgp4fpr:74FAF3B861BDA0870C7B6DEF607E48D2A663AEEA"
1689 # See https://www.iana.org/assignments/uri-schemes/prov/openpgp4fpr for more
1690 # details on this scheme.
1691 #
1692 # RFC6920 digest-named SubjectPublicKeyInfo (digest of the DER
1693 # serialization):
1694 # * "ni:///sha-256;cD9o9Cq6LG3jD0iKXqEi_vdjJGecm_iXkbqVoScViaU"
1695 # * "nih:///sha-256;703f68f42aba2c6de30f488a5ea122fef76324679c9bf89791ba95a1271589a5"
1696 "signature": "A String", # The content of the signature, an opaque bytestring.
1697 # The payload that this signature verifies MUST be unambiguously provided
1698 # with the Signature during verification. A wrapper message might provide
1699 # the payload explicitly. Alternatively, a message might have a canonical
1700 # serialization that can always be unambiguously computed to derive the
1701 # payload.
1702 },
1703 ],
1704 "contentType": "A String", # Type (for example schema) of the attestation payload that was signed.
1705 # The verifier must ensure that the provided type is one that the verifier
1706 # supports, and that the attestation payload is a valid instantiation of that
1707 # type (for example by validating a JSON schema).
1708 "serializedPayload": "A String", # The serialized payload that is verified by one or more `signatures`.
1709 # The encoding and semantic meaning of this payload must match what is set in
1710 # `content_type`.
1711 },
1712 },
1713 },
1714 "build": { # Details of a build occurrence. # Describes a verifiable build.
1715 "provenance": { # Provenance of a build. Contains all information needed to verify the full # Required. The actual provenance for the build.
1716 # details about the build from source to completion.
1717 "commands": [ # Commands requested by the build.
1718 { # Command describes a step performed as part of the build pipeline.
1719 "waitFor": [ # The ID(s) of the command(s) that this command depends on.
1720 "A String",
1721 ],
1722 "name": "A String", # Required. Name of the command, as presented on the command line, or if the
1723 # command is packaged as a Docker container, as presented to `docker pull`.
1724 "args": [ # Command-line arguments used when executing this command.
1725 "A String",
1726 ],
1727 "env": [ # Environment variables set before running this command.
1728 "A String",
1729 ],
1730 "id": "A String", # Optional unique identifier for this command, used in wait_for to reference
1731 # this command as a dependency.
1732 "dir": "A String", # Working directory (relative to project source root) used when running this
1733 # command.
1734 },
1735 ],
1736 "sourceProvenance": { # Source describes the location of the source used for the build. # Details of the Source input to the build.
1737 "fileHashes": { # Hash(es) of the build source, which can be used to verify that the original
1738 # source integrity was maintained in the build.
1739 #
1740 # The keys to this map are file paths used as build source and the values
1741 # contain the hash values for those files.
1742 #
1743 # If the build source came in a single package such as a gzipped tarfile
1744 # (.tar.gz), the FileHash will be for the single path to that file.
1745 "a_key": { # Container message for hashes of byte content of files, used in source
1746 # messages to verify integrity of source input to the build.
1747 "fileHash": [ # Required. Collection of file hashes.
1748 { # Container message for hash values.
1749 "type": "A String", # Required. The type of hash that was performed.
1750 "value": "A String", # Required. The hash value.
1751 },
1752 ],
1753 },
1754 },
1755 "artifactStorageSourceUri": "A String", # If provided, the input binary artifacts for the build came from this
1756 # location.
1757 "additionalContexts": [ # If provided, some of the source code used for the build may be found in
1758 # these locations, in the case where the source repository had multiple
1759 # remotes or submodules. This list will not include the context specified in
1760 # the context field.
1761 { # A SourceContext is a reference to a tree of files. A SourceContext together
1762 # with a path point to a unique revision of a single file or directory.
1763 "git": { # A GitSourceContext denotes a particular revision in a third party Git # A SourceContext referring to any third party Git repo (e.g., GitHub).
1764 # repository (e.g., GitHub).
1765 "url": "A String", # Git repository URL.
1766 "revisionId": "A String", # Git commit hash.
1767 },
1768 "cloudRepo": { # A CloudRepoSourceContext denotes a particular revision in a Google Cloud # A SourceContext referring to a revision in a Google Cloud Source Repo.
1769 # Source Repo.
1770 "aliasContext": { # An alias to a repo revision. # An alias, which may be a branch or tag.
1771 "kind": "A String", # The alias kind.
1772 "name": "A String", # The alias name.
1773 },
1774 "revisionId": "A String", # A revision ID.
1775 "repoId": { # A unique identifier for a Cloud Repo. # The ID of the repo.
1776 "uid": "A String", # A server-assigned, globally unique identifier.
1777 "projectRepoId": { # Selects a repo using a Google Cloud Platform project ID (e.g., # A combination of a project ID and a repo name.
1778 # winged-cargo-31) and a repo name within that project.
1779 "projectId": "A String", # The ID of the project.
1780 "repoName": "A String", # The name of the repo. Leave empty for the default repo.
1781 },
1782 },
1783 },
1784 "labels": { # Labels with user defined metadata.
1785 "a_key": "A String",
1786 },
1787 "gerrit": { # A SourceContext referring to a Gerrit project. # A SourceContext referring to a Gerrit project.
1788 "aliasContext": { # An alias to a repo revision. # An alias, which may be a branch or tag.
1789 "kind": "A String", # The alias kind.
1790 "name": "A String", # The alias name.
1791 },
1792 "revisionId": "A String", # A revision (commit) ID.
1793 "hostUri": "A String", # The URI of a running Gerrit instance.
1794 "gerritProject": "A String", # The full project name within the host. Projects may be nested, so
1795 # "project/subproject" is a valid project name. The "repo name" is the
1796 # hostURI/project.
1797 },
1798 },
1799 ],
1800 "context": { # A SourceContext is a reference to a tree of files. A SourceContext together # If provided, the source code used for the build came from this location.
1801 # with a path point to a unique revision of a single file or directory.
1802 "git": { # A GitSourceContext denotes a particular revision in a third party Git # A SourceContext referring to any third party Git repo (e.g., GitHub).
1803 # repository (e.g., GitHub).
1804 "url": "A String", # Git repository URL.
1805 "revisionId": "A String", # Git commit hash.
1806 },
1807 "cloudRepo": { # A CloudRepoSourceContext denotes a particular revision in a Google Cloud # A SourceContext referring to a revision in a Google Cloud Source Repo.
1808 # Source Repo.
1809 "aliasContext": { # An alias to a repo revision. # An alias, which may be a branch or tag.
1810 "kind": "A String", # The alias kind.
1811 "name": "A String", # The alias name.
1812 },
1813 "revisionId": "A String", # A revision ID.
1814 "repoId": { # A unique identifier for a Cloud Repo. # The ID of the repo.
1815 "uid": "A String", # A server-assigned, globally unique identifier.
1816 "projectRepoId": { # Selects a repo using a Google Cloud Platform project ID (e.g., # A combination of a project ID and a repo name.
1817 # winged-cargo-31) and a repo name within that project.
1818 "projectId": "A String", # The ID of the project.
1819 "repoName": "A String", # The name of the repo. Leave empty for the default repo.
1820 },
1821 },
1822 },
1823 "labels": { # Labels with user defined metadata.
1824 "a_key": "A String",
1825 },
1826 "gerrit": { # A SourceContext referring to a Gerrit project. # A SourceContext referring to a Gerrit project.
1827 "aliasContext": { # An alias to a repo revision. # An alias, which may be a branch or tag.
1828 "kind": "A String", # The alias kind.
1829 "name": "A String", # The alias name.
1830 },
1831 "revisionId": "A String", # A revision (commit) ID.
1832 "hostUri": "A String", # The URI of a running Gerrit instance.
1833 "gerritProject": "A String", # The full project name within the host. Projects may be nested, so
1834 # "project/subproject" is a valid project name. The "repo name" is the
1835 # hostURI/project.
1836 },
1837 },
1838 },
1839 "buildOptions": { # Special options applied to this build. This is a catch-all field where
1840 # build providers can enter any desired additional details.
1841 "a_key": "A String",
1842 },
1843 "creator": "A String", # E-mail address of the user who initiated this build. Note that this was the
1844 # user's e-mail address at the time the build was initiated; this address may
1845 # not represent the same end-user for all time.
1846 "projectId": "A String", # ID of the project.
1847 "builderVersion": "A String", # Version string of the builder at the time this build was executed.
1848 "createTime": "A String", # Time at which the build was created.
1849 "builtArtifacts": [ # Output of the build.
1850 { # Artifact describes a build product.
1851 "checksum": "A String", # Hash or checksum value of a binary, or Docker Registry 2.0 digest of a
1852 # container.
1853 "id": "A String", # Artifact ID, if any; for container images, this will be a URL by digest
1854 # like `gcr.io/projectID/imagename@sha256:123456`.
1855 "names": [ # Related artifact names. This may be the path to a binary or jar file, or in
1856 # the case of a container build, the name used to push the container image to
1857 # Google Container Registry, as presented to `docker push`. Note that a
1858 # single Artifact ID can have multiple names, for example if two tags are
1859 # applied to one image.
1860 "A String",
1861 ],
1862 },
1863 ],
1864 "triggerId": "A String", # Trigger identifier if the build was triggered automatically; empty if not.
1865 "startTime": "A String", # Time at which execution of the build was started.
1866 "endTime": "A String", # Time at which execution of the build was finished.
1867 "id": "A String", # Required. Unique identifier of the build.
1868 "logsUri": "A String", # URI where any logs for this provenance were written.
1869 },
1870 "provenanceBytes": "A String", # Serialized JSON representation of the provenance, used in generating the
1871 # build signature in the corresponding build note. After verifying the
1872 # signature, `provenance_bytes` can be unmarshalled and compared to the
1873 # provenance to confirm that it is unchanged. A base64-encoded string
1874 # representation of the provenance bytes is used for the signature in order
1875 # to interoperate with openssl which expects this format for signature
1876 # verification.
1877 #
1878 # The serialized form is captured both to avoid ambiguity in how the
1879 # provenance is marshalled to json as well to prevent incompatibilities with
1880 # future changes.
1881 },
1882 "deployment": { # Details of a deployment occurrence. # Describes the deployment of an artifact on a runtime.
1883 "deployment": { # The period during which some deployable was active in a runtime. # Required. Deployment history for the resource.
1884 "resourceUri": [ # Output only. Resource URI for the artifact being deployed taken from
1885 # the deployable field with the same name.
1886 "A String",
1887 ],
1888 "userEmail": "A String", # Identity of the user that triggered this deployment.
1889 "address": "A String", # Address of the runtime element hosting this deployment.
1890 "platform": "A String", # Platform hosting this deployment.
1891 "deployTime": "A String", # Required. Beginning of the lifetime of this deployment.
1892 "undeployTime": "A String", # End of the lifetime of this deployment.
1893 "config": "A String", # Configuration used to create this deployment.
1894 },
1895 },
1896 "remediation": "A String", # A description of actions that can be taken to remedy the note.
1897 "installation": { # Details of a package occurrence. # Describes the installation of a package on the linked resource.
1898 "installation": { # This represents how a particular software package may be installed on a # Required. Where the package was installed.
1899 # system.
1900 "location": [ # Required. All of the places within the filesystem versions of this package
1901 # have been found.
1902 { # An occurrence of a particular package installation found within a system's
1903 # filesystem. E.g., glibc was found in `/var/lib/dpkg/status`.
1904 "path": "A String", # The path from which we gathered that this package/version is installed.
1905 "cpeUri": "A String", # Required. The CPE URI in [CPE format](https://cpe.mitre.org/specification/)
1906 # denoting the package manager version distributing a package.
1907 "version": { # Version contains structured information about the version of a package. # The version installed at this location.
1908 "epoch": 42, # Used to correct mistakes in the version numbering scheme.
1909 "kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal
1910 # versions.
1911 "name": "A String", # Required only when version kind is NORMAL. The main part of the version
1912 # name.
1913 "revision": "A String", # The iteration of the package build from the above version.
1914 },
1915 },
1916 ],
1917 "name": "A String", # Output only. The name of the installed package.
1918 },
1919 },
1920 "createTime": "A String", # Output only. The time this occurrence was created.
1921 "derivedImage": { # Details of an image occurrence. # Describes how this resource derives from the basis in the associated
1922 # note.
1923 "derivedImage": { # Derived describes the derived image portion (Occurrence) of the DockerImage # Required. Immutable. The child image derived from the base image.
1924 # relationship. This image would be produced from a Dockerfile with FROM
1925 # <DockerImage.Basis in attached Note>.
1926 "distance": 42, # Output only. The number of layers by which this image differs from the
1927 # associated image basis.
1928 "baseResourceUrl": "A String", # Output only. This contains the base image URL for the derived image
1929 # occurrence.
1930 "layerInfo": [ # This contains layer-specific metadata, if populated it has length
1931 # "distance" and is ordered with [distance] being the layer immediately
1932 # following the base image and [1] being the final layer.
1933 { # Layer holds metadata specific to a layer of a Docker image.
1934 "arguments": "A String", # The recovered arguments to the Dockerfile directive.
1935 "directive": "A String", # Required. The recovered Dockerfile directive used to construct this layer.
1936 },
1937 ],
1938 "fingerprint": { # A set of properties that uniquely identify a given Docker image. # Required. The fingerprint of the derived image.
1939 "v1Name": "A String", # Required. The layer ID of the final layer in the Docker image's v1
1940 # representation.
1941 "v2Name": "A String", # Output only. The name of the image's v2 blobs computed via:
1942 # [bottom] := v2_blobbottom := sha256(v2_blob[N] + " " + v2_name[N+1])
1943 # Only the name of the final blob is kept.
1944 "v2Blob": [ # Required. The ordered list of v2 blobs that represent a given image.
1945 "A String",
1946 ],
1947 },
1948 },
1949 },
1950 "noteName": "A String", # Required. Immutable. The analysis note associated with this occurrence, in
1951 # the form of `projects/[PROVIDER_ID]/notes/[NOTE_ID]`. This field can be
1952 # used as a filter in list requests.
1953 }</pre>
1954</div>
1955
1956<div class="method">
1957 <code class="details" id="delete">delete(name, x__xgafv=None)</code>
1958 <pre>Deletes the specified occurrence. For example, use this method to delete an
1959occurrence when the occurrence is no longer applicable for the given
1960resource.
1961
1962Args:
1963 name: string, The name of the occurrence in the form of
1964`projects/[PROJECT_ID]/occurrences/[OCCURRENCE_ID]`. (required)
1965 x__xgafv: string, V1 error format.
1966 Allowed values
1967 1 - v1 error format
1968 2 - v2 error format
1969
1970Returns:
1971 An object of the form:
1972
1973 { # A generic empty message that you can re-use to avoid defining duplicated
1974 # empty messages in your APIs. A typical example is to use it as the request
1975 # or the response type of an API method. For instance:
1976 #
1977 # service Foo {
1978 # rpc Bar(google.protobuf.Empty) returns (google.protobuf.Empty);
1979 # }
1980 #
1981 # The JSON representation for `Empty` is empty JSON object `{}`.
1982 }</pre>
1983</div>
1984
1985<div class="method">
1986 <code class="details" id="get">get(name, x__xgafv=None)</code>
1987 <pre>Gets the specified occurrence.
1988
1989Args:
1990 name: string, The name of the occurrence in the form of
1991`projects/[PROJECT_ID]/occurrences/[OCCURRENCE_ID]`. (required)
1992 x__xgafv: string, V1 error format.
1993 Allowed values
1994 1 - v1 error format
1995 2 - v2 error format
1996
1997Returns:
1998 An object of the form:
1999
2000 { # An instance of an analysis type that has been found on a resource.
2001 "kind": "A String", # Output only. This explicitly denotes which of the occurrence details are
2002 # specified. This field can be used as a filter in list requests.
2003 "resource": { # An entity that can have metadata. For example, a Docker image. # Required. Immutable. The resource for which the occurrence applies.
2004 "contentHash": { # Container message for hash values. # Deprecated, do not use. Use uri instead.
2005 #
2006 # The hash of the resource content. For example, the Docker digest.
2007 "type": "A String", # Required. The type of hash that was performed.
2008 "value": "A String", # Required. The hash value.
2009 },
2010 "uri": "A String", # Required. The unique URI of the resource. For example,
2011 # `https://gcr.io/project/image@sha256:foo` for a Docker image.
2012 "name": "A String", # Deprecated, do not use. Use uri instead.
2013 #
2014 # The name of the resource. For example, the name of a Docker image -
2015 # "Debian".
2016 },
2017 "name": "A String", # Output only. The name of the occurrence in the form of
2018 # `projects/[PROJECT_ID]/occurrences/[OCCURRENCE_ID]`.
2019 "vulnerability": { # Details of a vulnerability Occurrence. # Describes a security vulnerability.
2020 "cvssScore": 3.14, # Output only. The CVSS score of this vulnerability. CVSS score is on a
2021 # scale of 0-10 where 0 indicates low severity and 10 indicates high
2022 # severity.
2023 "severity": "A String", # Output only. The note provider assigned Severity of the vulnerability.
2024 "type": "A String", # The type of package; whether native or non native(ruby gems, node.js
2025 # packages etc)
2026 "effectiveSeverity": "A String", # The distro assigned severity for this vulnerability when it is
2027 # available, and note provider assigned severity when distro has not yet
2028 # assigned a severity for this vulnerability.
2029 "relatedUrls": [ # Output only. URLs related to this vulnerability.
2030 { # Metadata for any related URL information.
2031 "url": "A String", # Specific URL associated with the resource.
2032 "label": "A String", # Label to describe usage of the URL.
2033 },
2034 ],
2035 "packageIssue": [ # Required. The set of affected locations and their fixes (if available)
2036 # within the associated resource.
2037 { # This message wraps a location affected by a vulnerability and its
2038 # associated fix (if one is available).
2039 "severityName": "A String", # Deprecated, use Details.effective_severity instead
2040 # The severity (e.g., distro assigned severity) for this vulnerability.
2041 "affectedLocation": { # The location of the vulnerability. # Required. The location of the vulnerability.
2042 "cpeUri": "A String", # Required. The CPE URI in [cpe format](https://cpe.mitre.org/specification/)
2043 # format. Examples include distro or storage location for vulnerable jar.
2044 "version": { # Version contains structured information about the version of a package. # Required. The version of the package being described.
2045 "epoch": 42, # Used to correct mistakes in the version numbering scheme.
2046 "kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal
2047 # versions.
2048 "name": "A String", # Required only when version kind is NORMAL. The main part of the version
2049 # name.
2050 "revision": "A String", # The iteration of the package build from the above version.
2051 },
2052 "package": "A String", # Required. The package being described.
2053 },
2054 "fixedLocation": { # The location of the vulnerability. # The location of the available fix for vulnerability.
2055 "cpeUri": "A String", # Required. The CPE URI in [cpe format](https://cpe.mitre.org/specification/)
2056 # format. Examples include distro or storage location for vulnerable jar.
2057 "version": { # Version contains structured information about the version of a package. # Required. The version of the package being described.
2058 "epoch": 42, # Used to correct mistakes in the version numbering scheme.
2059 "kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal
2060 # versions.
2061 "name": "A String", # Required only when version kind is NORMAL. The main part of the version
2062 # name.
2063 "revision": "A String", # The iteration of the package build from the above version.
2064 },
2065 "package": "A String", # Required. The package being described.
2066 },
2067 },
2068 ],
2069 "longDescription": "A String", # Output only. A detailed description of this vulnerability.
2070 "shortDescription": "A String", # Output only. A one sentence description of this vulnerability.
2071 },
2072 "updateTime": "A String", # Output only. The time this occurrence was last updated.
2073 "discovered": { # Details of a discovery occurrence. # Describes when a resource was discovered.
2074 "discovered": { # Provides information about the analysis status of a discovered resource. # Required. Analysis status for the discovered resource.
2075 "lastAnalysisTime": "A String", # The last time continuous analysis was done for this resource.
2076 # Deprecated, do not use.
2077 "analysisStatus": "A String", # The status of discovery for the resource.
2078 "continuousAnalysis": "A String", # Whether the resource is continuously analyzed.
2079 "analysisStatusError": { # The `Status` type defines a logical error model that is suitable for # When an error is encountered this will contain a LocalizedMessage under
2080 # details to show to the user. The LocalizedMessage is output only and
2081 # populated by the API.
2082 # different programming environments, including REST APIs and RPC APIs. It is
2083 # used by [gRPC](https://github.com/grpc). Each `Status` message contains
2084 # three pieces of data: error code, error message, and error details.
2085 #
2086 # You can find out more about this error model and how to work with it in the
2087 # [API Design Guide](https://cloud.google.com/apis/design/errors).
2088 "message": "A String", # A developer-facing error message, which should be in English. Any
2089 # user-facing error message should be localized and sent in the
2090 # google.rpc.Status.details field, or localized by the client.
2091 "code": 42, # The status code, which should be an enum value of google.rpc.Code.
2092 "details": [ # A list of messages that carry the error details. There is a common set of
2093 # message types for APIs to use.
2094 {
2095 "a_key": "", # Properties of the object. Contains field @type with type URL.
2096 },
2097 ],
2098 },
2099 },
2100 },
2101 "attestation": { # Details of an attestation occurrence. # Describes an attestation of an artifact.
2102 "attestation": { # Occurrence that represents a single "attestation". The authenticity of an # Required. Attestation for the resource.
2103 # attestation can be verified using the attached signature. If the verifier
2104 # trusts the public key of the signer, then verifying the signature is
2105 # sufficient to establish trust. In this circumstance, the authority to which
2106 # this attestation is attached is primarily useful for look-up (how to find
2107 # this attestation if you already know the authority and artifact to be
2108 # verified) and intent (which authority was this attestation intended to sign
2109 # for).
2110 "pgpSignedAttestation": { # An attestation wrapper with a PGP-compatible signature. This message only # A PGP signed attestation.
2111 # supports `ATTACHED` signatures, where the payload that is signed is included
2112 # alongside the signature itself in the same file.
2113 "pgpKeyId": "A String", # The cryptographic fingerprint of the key used to generate the signature,
2114 # as output by, e.g. `gpg --list-keys`. This should be the version 4, full
2115 # 160-bit fingerprint, expressed as a 40 character hexidecimal string. See
2116 # https://tools.ietf.org/html/rfc4880#section-12.2 for details.
2117 # Implementations may choose to acknowledge "LONG", "SHORT", or other
2118 # abbreviated key IDs, but only the full fingerprint is guaranteed to work.
2119 # In gpg, the full fingerprint can be retrieved from the `fpr` field
2120 # returned when calling --list-keys with --with-colons. For example:
2121 # ```
2122 # gpg --with-colons --with-fingerprint --force-v4-certs \
2123 # --list-keys attester@example.com
2124 # tru::1:1513631572:0:3:1:5
2125 # pub:...<SNIP>...
2126 # fpr:::::::::24FF6481B76AC91E66A00AC657A93A81EF3AE6FB:
2127 # ```
2128 # Above, the fingerprint is `24FF6481B76AC91E66A00AC657A93A81EF3AE6FB`.
2129 "contentType": "A String", # Type (for example schema) of the attestation payload that was signed.
2130 # The verifier must ensure that the provided type is one that the verifier
2131 # supports, and that the attestation payload is a valid instantiation of that
2132 # type (for example by validating a JSON schema).
2133 "signature": "A String", # Required. The raw content of the signature, as output by GNU Privacy Guard
2134 # (GPG) or equivalent. Since this message only supports attached signatures,
2135 # the payload that was signed must be attached. While the signature format
2136 # supported is dependent on the verification implementation, currently only
2137 # ASCII-armored (`--armor` to gpg), non-clearsigned (`--sign` rather than
2138 # `--clearsign` to gpg) are supported. Concretely, `gpg --sign --armor
2139 # --output=signature.gpg payload.json` will create the signature content
2140 # expected in this field in `signature.gpg` for the `payload.json`
2141 # attestation payload.
2142 },
2143 "genericSignedAttestation": { # An attestation wrapper that uses the Grafeas `Signature` message.
2144 # This attestation must define the `serialized_payload` that the `signatures`
2145 # verify and any metadata necessary to interpret that plaintext. The
2146 # signatures should always be over the `serialized_payload` bytestring.
2147 "signatures": [ # One or more signatures over `serialized_payload`. Verifier implementations
2148 # should consider this attestation message verified if at least one
2149 # `signature` verifies `serialized_payload`. See `Signature` in common.proto
2150 # for more details on signature structure and verification.
2151 { # Verifiers (e.g. Kritis implementations) MUST verify signatures
2152 # with respect to the trust anchors defined in policy (e.g. a Kritis policy).
2153 # Typically this means that the verifier has been configured with a map from
2154 # `public_key_id` to public key material (and any required parameters, e.g.
2155 # signing algorithm).
2156 #
2157 # In particular, verification implementations MUST NOT treat the signature
2158 # `public_key_id` as anything more than a key lookup hint. The `public_key_id`
2159 # DOES NOT validate or authenticate a public key; it only provides a mechanism
2160 # for quickly selecting a public key ALREADY CONFIGURED on the verifier through
2161 # a trusted channel. Verification implementations MUST reject signatures in any
2162 # of the following circumstances:
2163 # * The `public_key_id` is not recognized by the verifier.
2164 # * The public key that `public_key_id` refers to does not verify the
2165 # signature with respect to the payload.
2166 #
2167 # The `signature` contents SHOULD NOT be "attached" (where the payload is
2168 # included with the serialized `signature` bytes). Verifiers MUST ignore any
2169 # "attached" payload and only verify signatures with respect to explicitly
2170 # provided payload (e.g. a `payload` field on the proto message that holds
2171 # this Signature, or the canonical serialization of the proto message that
2172 # holds this signature).
2173 "publicKeyId": "A String", # The identifier for the public key that verifies this signature.
2174 # * The `public_key_id` is required.
2175 # * The `public_key_id` MUST be an RFC3986 conformant URI.
2176 # * When possible, the `public_key_id` SHOULD be an immutable reference,
2177 # such as a cryptographic digest.
2178 #
2179 # Examples of valid `public_key_id`s:
2180 #
2181 # OpenPGP V4 public key fingerprint:
2182 # * "openpgp4fpr:74FAF3B861BDA0870C7B6DEF607E48D2A663AEEA"
2183 # See https://www.iana.org/assignments/uri-schemes/prov/openpgp4fpr for more
2184 # details on this scheme.
2185 #
2186 # RFC6920 digest-named SubjectPublicKeyInfo (digest of the DER
2187 # serialization):
2188 # * "ni:///sha-256;cD9o9Cq6LG3jD0iKXqEi_vdjJGecm_iXkbqVoScViaU"
2189 # * "nih:///sha-256;703f68f42aba2c6de30f488a5ea122fef76324679c9bf89791ba95a1271589a5"
2190 "signature": "A String", # The content of the signature, an opaque bytestring.
2191 # The payload that this signature verifies MUST be unambiguously provided
2192 # with the Signature during verification. A wrapper message might provide
2193 # the payload explicitly. Alternatively, a message might have a canonical
2194 # serialization that can always be unambiguously computed to derive the
2195 # payload.
2196 },
2197 ],
2198 "contentType": "A String", # Type (for example schema) of the attestation payload that was signed.
2199 # The verifier must ensure that the provided type is one that the verifier
2200 # supports, and that the attestation payload is a valid instantiation of that
2201 # type (for example by validating a JSON schema).
2202 "serializedPayload": "A String", # The serialized payload that is verified by one or more `signatures`.
2203 # The encoding and semantic meaning of this payload must match what is set in
2204 # `content_type`.
2205 },
2206 },
2207 },
2208 "build": { # Details of a build occurrence. # Describes a verifiable build.
2209 "provenance": { # Provenance of a build. Contains all information needed to verify the full # Required. The actual provenance for the build.
2210 # details about the build from source to completion.
2211 "commands": [ # Commands requested by the build.
2212 { # Command describes a step performed as part of the build pipeline.
2213 "waitFor": [ # The ID(s) of the command(s) that this command depends on.
2214 "A String",
2215 ],
2216 "name": "A String", # Required. Name of the command, as presented on the command line, or if the
2217 # command is packaged as a Docker container, as presented to `docker pull`.
2218 "args": [ # Command-line arguments used when executing this command.
2219 "A String",
2220 ],
2221 "env": [ # Environment variables set before running this command.
2222 "A String",
2223 ],
2224 "id": "A String", # Optional unique identifier for this command, used in wait_for to reference
2225 # this command as a dependency.
2226 "dir": "A String", # Working directory (relative to project source root) used when running this
2227 # command.
2228 },
2229 ],
2230 "sourceProvenance": { # Source describes the location of the source used for the build. # Details of the Source input to the build.
2231 "fileHashes": { # Hash(es) of the build source, which can be used to verify that the original
2232 # source integrity was maintained in the build.
2233 #
2234 # The keys to this map are file paths used as build source and the values
2235 # contain the hash values for those files.
2236 #
2237 # If the build source came in a single package such as a gzipped tarfile
2238 # (.tar.gz), the FileHash will be for the single path to that file.
2239 "a_key": { # Container message for hashes of byte content of files, used in source
2240 # messages to verify integrity of source input to the build.
2241 "fileHash": [ # Required. Collection of file hashes.
2242 { # Container message for hash values.
2243 "type": "A String", # Required. The type of hash that was performed.
2244 "value": "A String", # Required. The hash value.
2245 },
2246 ],
2247 },
2248 },
2249 "artifactStorageSourceUri": "A String", # If provided, the input binary artifacts for the build came from this
2250 # location.
2251 "additionalContexts": [ # If provided, some of the source code used for the build may be found in
2252 # these locations, in the case where the source repository had multiple
2253 # remotes or submodules. This list will not include the context specified in
2254 # the context field.
2255 { # A SourceContext is a reference to a tree of files. A SourceContext together
2256 # with a path point to a unique revision of a single file or directory.
2257 "git": { # A GitSourceContext denotes a particular revision in a third party Git # A SourceContext referring to any third party Git repo (e.g., GitHub).
2258 # repository (e.g., GitHub).
2259 "url": "A String", # Git repository URL.
2260 "revisionId": "A String", # Git commit hash.
2261 },
2262 "cloudRepo": { # A CloudRepoSourceContext denotes a particular revision in a Google Cloud # A SourceContext referring to a revision in a Google Cloud Source Repo.
2263 # Source Repo.
2264 "aliasContext": { # An alias to a repo revision. # An alias, which may be a branch or tag.
2265 "kind": "A String", # The alias kind.
2266 "name": "A String", # The alias name.
2267 },
2268 "revisionId": "A String", # A revision ID.
2269 "repoId": { # A unique identifier for a Cloud Repo. # The ID of the repo.
2270 "uid": "A String", # A server-assigned, globally unique identifier.
2271 "projectRepoId": { # Selects a repo using a Google Cloud Platform project ID (e.g., # A combination of a project ID and a repo name.
2272 # winged-cargo-31) and a repo name within that project.
2273 "projectId": "A String", # The ID of the project.
2274 "repoName": "A String", # The name of the repo. Leave empty for the default repo.
2275 },
2276 },
2277 },
2278 "labels": { # Labels with user defined metadata.
2279 "a_key": "A String",
2280 },
2281 "gerrit": { # A SourceContext referring to a Gerrit project. # A SourceContext referring to a Gerrit project.
2282 "aliasContext": { # An alias to a repo revision. # An alias, which may be a branch or tag.
2283 "kind": "A String", # The alias kind.
2284 "name": "A String", # The alias name.
2285 },
2286 "revisionId": "A String", # A revision (commit) ID.
2287 "hostUri": "A String", # The URI of a running Gerrit instance.
2288 "gerritProject": "A String", # The full project name within the host. Projects may be nested, so
2289 # "project/subproject" is a valid project name. The "repo name" is the
2290 # hostURI/project.
2291 },
2292 },
2293 ],
2294 "context": { # A SourceContext is a reference to a tree of files. A SourceContext together # If provided, the source code used for the build came from this location.
2295 # with a path point to a unique revision of a single file or directory.
2296 "git": { # A GitSourceContext denotes a particular revision in a third party Git # A SourceContext referring to any third party Git repo (e.g., GitHub).
2297 # repository (e.g., GitHub).
2298 "url": "A String", # Git repository URL.
2299 "revisionId": "A String", # Git commit hash.
2300 },
2301 "cloudRepo": { # A CloudRepoSourceContext denotes a particular revision in a Google Cloud # A SourceContext referring to a revision in a Google Cloud Source Repo.
2302 # Source Repo.
2303 "aliasContext": { # An alias to a repo revision. # An alias, which may be a branch or tag.
2304 "kind": "A String", # The alias kind.
2305 "name": "A String", # The alias name.
2306 },
2307 "revisionId": "A String", # A revision ID.
2308 "repoId": { # A unique identifier for a Cloud Repo. # The ID of the repo.
2309 "uid": "A String", # A server-assigned, globally unique identifier.
2310 "projectRepoId": { # Selects a repo using a Google Cloud Platform project ID (e.g., # A combination of a project ID and a repo name.
2311 # winged-cargo-31) and a repo name within that project.
2312 "projectId": "A String", # The ID of the project.
2313 "repoName": "A String", # The name of the repo. Leave empty for the default repo.
2314 },
2315 },
2316 },
2317 "labels": { # Labels with user defined metadata.
2318 "a_key": "A String",
2319 },
2320 "gerrit": { # A SourceContext referring to a Gerrit project. # A SourceContext referring to a Gerrit project.
2321 "aliasContext": { # An alias to a repo revision. # An alias, which may be a branch or tag.
2322 "kind": "A String", # The alias kind.
2323 "name": "A String", # The alias name.
2324 },
2325 "revisionId": "A String", # A revision (commit) ID.
2326 "hostUri": "A String", # The URI of a running Gerrit instance.
2327 "gerritProject": "A String", # The full project name within the host. Projects may be nested, so
2328 # "project/subproject" is a valid project name. The "repo name" is the
2329 # hostURI/project.
2330 },
2331 },
2332 },
2333 "buildOptions": { # Special options applied to this build. This is a catch-all field where
2334 # build providers can enter any desired additional details.
2335 "a_key": "A String",
2336 },
2337 "creator": "A String", # E-mail address of the user who initiated this build. Note that this was the
2338 # user's e-mail address at the time the build was initiated; this address may
2339 # not represent the same end-user for all time.
2340 "projectId": "A String", # ID of the project.
2341 "builderVersion": "A String", # Version string of the builder at the time this build was executed.
2342 "createTime": "A String", # Time at which the build was created.
2343 "builtArtifacts": [ # Output of the build.
2344 { # Artifact describes a build product.
2345 "checksum": "A String", # Hash or checksum value of a binary, or Docker Registry 2.0 digest of a
2346 # container.
2347 "id": "A String", # Artifact ID, if any; for container images, this will be a URL by digest
2348 # like `gcr.io/projectID/imagename@sha256:123456`.
2349 "names": [ # Related artifact names. This may be the path to a binary or jar file, or in
2350 # the case of a container build, the name used to push the container image to
2351 # Google Container Registry, as presented to `docker push`. Note that a
2352 # single Artifact ID can have multiple names, for example if two tags are
2353 # applied to one image.
2354 "A String",
2355 ],
2356 },
2357 ],
2358 "triggerId": "A String", # Trigger identifier if the build was triggered automatically; empty if not.
2359 "startTime": "A String", # Time at which execution of the build was started.
2360 "endTime": "A String", # Time at which execution of the build was finished.
2361 "id": "A String", # Required. Unique identifier of the build.
2362 "logsUri": "A String", # URI where any logs for this provenance were written.
2363 },
2364 "provenanceBytes": "A String", # Serialized JSON representation of the provenance, used in generating the
2365 # build signature in the corresponding build note. After verifying the
2366 # signature, `provenance_bytes` can be unmarshalled and compared to the
2367 # provenance to confirm that it is unchanged. A base64-encoded string
2368 # representation of the provenance bytes is used for the signature in order
2369 # to interoperate with openssl which expects this format for signature
2370 # verification.
2371 #
2372 # The serialized form is captured both to avoid ambiguity in how the
2373 # provenance is marshalled to json as well to prevent incompatibilities with
2374 # future changes.
2375 },
2376 "deployment": { # Details of a deployment occurrence. # Describes the deployment of an artifact on a runtime.
2377 "deployment": { # The period during which some deployable was active in a runtime. # Required. Deployment history for the resource.
2378 "resourceUri": [ # Output only. Resource URI for the artifact being deployed taken from
2379 # the deployable field with the same name.
2380 "A String",
2381 ],
2382 "userEmail": "A String", # Identity of the user that triggered this deployment.
2383 "address": "A String", # Address of the runtime element hosting this deployment.
2384 "platform": "A String", # Platform hosting this deployment.
2385 "deployTime": "A String", # Required. Beginning of the lifetime of this deployment.
2386 "undeployTime": "A String", # End of the lifetime of this deployment.
2387 "config": "A String", # Configuration used to create this deployment.
2388 },
2389 },
2390 "remediation": "A String", # A description of actions that can be taken to remedy the note.
2391 "installation": { # Details of a package occurrence. # Describes the installation of a package on the linked resource.
2392 "installation": { # This represents how a particular software package may be installed on a # Required. Where the package was installed.
2393 # system.
2394 "location": [ # Required. All of the places within the filesystem versions of this package
2395 # have been found.
2396 { # An occurrence of a particular package installation found within a system's
2397 # filesystem. E.g., glibc was found in `/var/lib/dpkg/status`.
2398 "path": "A String", # The path from which we gathered that this package/version is installed.
2399 "cpeUri": "A String", # Required. The CPE URI in [CPE format](https://cpe.mitre.org/specification/)
2400 # denoting the package manager version distributing a package.
2401 "version": { # Version contains structured information about the version of a package. # The version installed at this location.
2402 "epoch": 42, # Used to correct mistakes in the version numbering scheme.
2403 "kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal
2404 # versions.
2405 "name": "A String", # Required only when version kind is NORMAL. The main part of the version
2406 # name.
2407 "revision": "A String", # The iteration of the package build from the above version.
2408 },
2409 },
2410 ],
2411 "name": "A String", # Output only. The name of the installed package.
2412 },
2413 },
2414 "createTime": "A String", # Output only. The time this occurrence was created.
2415 "derivedImage": { # Details of an image occurrence. # Describes how this resource derives from the basis in the associated
2416 # note.
2417 "derivedImage": { # Derived describes the derived image portion (Occurrence) of the DockerImage # Required. Immutable. The child image derived from the base image.
2418 # relationship. This image would be produced from a Dockerfile with FROM
2419 # <DockerImage.Basis in attached Note>.
2420 "distance": 42, # Output only. The number of layers by which this image differs from the
2421 # associated image basis.
2422 "baseResourceUrl": "A String", # Output only. This contains the base image URL for the derived image
2423 # occurrence.
2424 "layerInfo": [ # This contains layer-specific metadata, if populated it has length
2425 # "distance" and is ordered with [distance] being the layer immediately
2426 # following the base image and [1] being the final layer.
2427 { # Layer holds metadata specific to a layer of a Docker image.
2428 "arguments": "A String", # The recovered arguments to the Dockerfile directive.
2429 "directive": "A String", # Required. The recovered Dockerfile directive used to construct this layer.
2430 },
2431 ],
2432 "fingerprint": { # A set of properties that uniquely identify a given Docker image. # Required. The fingerprint of the derived image.
2433 "v1Name": "A String", # Required. The layer ID of the final layer in the Docker image's v1
2434 # representation.
2435 "v2Name": "A String", # Output only. The name of the image's v2 blobs computed via:
2436 # [bottom] := v2_blobbottom := sha256(v2_blob[N] + " " + v2_name[N+1])
2437 # Only the name of the final blob is kept.
2438 "v2Blob": [ # Required. The ordered list of v2 blobs that represent a given image.
2439 "A String",
2440 ],
2441 },
2442 },
2443 },
2444 "noteName": "A String", # Required. Immutable. The analysis note associated with this occurrence, in
2445 # the form of `projects/[PROVIDER_ID]/notes/[NOTE_ID]`. This field can be
2446 # used as a filter in list requests.
2447 }</pre>
2448</div>
2449
2450<div class="method">
2451 <code class="details" id="getIamPolicy">getIamPolicy(resource, body=None, x__xgafv=None)</code>
2452 <pre>Gets the access control policy for a note or an occurrence resource.
2453Requires `containeranalysis.notes.setIamPolicy` or
2454`containeranalysis.occurrences.setIamPolicy` permission if the resource is
2455a note or occurrence, respectively.
2456
2457The resource takes the format `projects/[PROJECT_ID]/notes/[NOTE_ID]` for
2458notes and `projects/[PROJECT_ID]/occurrences/[OCCURRENCE_ID]` for
2459occurrences.
2460
2461Args:
2462 resource: string, REQUIRED: The resource for which the policy is being requested.
2463See the operation documentation for the appropriate value for this field. (required)
2464 body: object, The request body.
2465 The object takes the form of:
2466
2467{ # Request message for `GetIamPolicy` method.
2468 }
2469
2470 x__xgafv: string, V1 error format.
2471 Allowed values
2472 1 - v1 error format
2473 2 - v2 error format
2474
2475Returns:
2476 An object of the form:
2477
2478 { # Defines an Identity and Access Management (IAM) policy. It is used to
2479 # specify access control policies for Cloud Platform resources.
2480 #
2481 #
2482 # A `Policy` consists of a list of `bindings`. A `binding` binds a list of
2483 # `members` to a `role`, where the members can be user accounts, Google groups,
2484 # Google domains, and service accounts. A `role` is a named list of permissions
2485 # defined by IAM.
2486 #
2487 # **JSON Example**
2488 #
2489 # {
2490 # "bindings": [
2491 # {
2492 # "role": "roles/owner",
2493 # "members": [
2494 # "user:mike@example.com",
2495 # "group:admins@example.com",
2496 # "domain:google.com",
2497 # "serviceAccount:my-other-app@appspot.gserviceaccount.com"
2498 # ]
2499 # },
2500 # {
2501 # "role": "roles/viewer",
2502 # "members": ["user:sean@example.com"]
2503 # }
2504 # ]
2505 # }
2506 #
2507 # **YAML Example**
2508 #
2509 # bindings:
2510 # - members:
2511 # - user:mike@example.com
2512 # - group:admins@example.com
2513 # - domain:google.com
2514 # - serviceAccount:my-other-app@appspot.gserviceaccount.com
2515 # role: roles/owner
2516 # - members:
2517 # - user:sean@example.com
2518 # role: roles/viewer
2519 #
2520 #
2521 # For a description of IAM and its features, see the
2522 # [IAM developer's guide](https://cloud.google.com/iam/docs).
2523 "auditConfigs": [ # Specifies cloud audit logging configuration for this policy.
2524 { # Specifies the audit configuration for a service.
2525 # The configuration determines which permission types are logged, and what
2526 # identities, if any, are exempted from logging.
2527 # An AuditConfig must have one or more AuditLogConfigs.
2528 #
2529 # If there are AuditConfigs for both `allServices` and a specific service,
2530 # the union of the two AuditConfigs is used for that service: the log_types
2531 # specified in each AuditConfig are enabled, and the exempted_members in each
2532 # AuditLogConfig are exempted.
2533 #
2534 # Example Policy with multiple AuditConfigs:
2535 #
2536 # {
2537 # "audit_configs": [
2538 # {
2539 # "service": "allServices"
2540 # "audit_log_configs": [
2541 # {
2542 # "log_type": "DATA_READ",
2543 # "exempted_members": [
2544 # "user:foo@gmail.com"
2545 # ]
2546 # },
2547 # {
2548 # "log_type": "DATA_WRITE",
2549 # },
2550 # {
2551 # "log_type": "ADMIN_READ",
2552 # }
2553 # ]
2554 # },
2555 # {
2556 # "service": "fooservice.googleapis.com"
2557 # "audit_log_configs": [
2558 # {
2559 # "log_type": "DATA_READ",
2560 # },
2561 # {
2562 # "log_type": "DATA_WRITE",
2563 # "exempted_members": [
2564 # "user:bar@gmail.com"
2565 # ]
2566 # }
2567 # ]
2568 # }
2569 # ]
2570 # }
2571 #
2572 # For fooservice, this policy enables DATA_READ, DATA_WRITE and ADMIN_READ
2573 # logging. It also exempts foo@gmail.com from DATA_READ logging, and
2574 # bar@gmail.com from DATA_WRITE logging.
2575 "auditLogConfigs": [ # The configuration for logging of each type of permission.
2576 { # Provides the configuration for logging a type of permissions.
2577 # Example:
2578 #
2579 # {
2580 # "audit_log_configs": [
2581 # {
2582 # "log_type": "DATA_READ",
2583 # "exempted_members": [
2584 # "user:foo@gmail.com"
2585 # ]
2586 # },
2587 # {
2588 # "log_type": "DATA_WRITE",
2589 # }
2590 # ]
2591 # }
2592 #
2593 # This enables 'DATA_READ' and 'DATA_WRITE' logging, while exempting
2594 # foo@gmail.com from DATA_READ logging.
2595 "exemptedMembers": [ # Specifies the identities that do not cause logging for this type of
2596 # permission.
2597 # Follows the same format of Binding.members.
2598 "A String",
2599 ],
2600 "logType": "A String", # The log type that this config enables.
2601 },
2602 ],
2603 "service": "A String", # Specifies a service that will be enabled for audit logging.
2604 # For example, `storage.googleapis.com`, `cloudsql.googleapis.com`.
2605 # `allServices` is a special value that covers all services.
2606 },
2607 ],
2608 "version": 42, # Deprecated.
2609 "bindings": [ # Associates a list of `members` to a `role`.
2610 # `bindings` with no members will result in an error.
2611 { # Associates `members` with a `role`.
2612 "role": "A String", # Role that is assigned to `members`.
2613 # For example, `roles/viewer`, `roles/editor`, or `roles/owner`.
2614 "members": [ # Specifies the identities requesting access for a Cloud Platform resource.
2615 # `members` can have the following values:
2616 #
2617 # * `allUsers`: A special identifier that represents anyone who is
2618 # on the internet; with or without a Google account.
2619 #
2620 # * `allAuthenticatedUsers`: A special identifier that represents anyone
2621 # who is authenticated with a Google account or a service account.
2622 #
2623 # * `user:{emailid}`: An email address that represents a specific Google
2624 # account. For example, `alice@gmail.com` .
2625 #
2626 #
2627 # * `serviceAccount:{emailid}`: An email address that represents a service
2628 # account. For example, `my-other-app@appspot.gserviceaccount.com`.
2629 #
2630 # * `group:{emailid}`: An email address that represents a Google group.
2631 # For example, `admins@example.com`.
2632 #
2633 #
2634 # * `domain:{domain}`: The G Suite domain (primary) that represents all the
2635 # users of that domain. For example, `google.com` or `example.com`.
2636 #
2637 "A String",
2638 ],
2639 "condition": { # Represents an expression text. Example: # The condition that is associated with this binding.
2640 # NOTE: An unsatisfied condition will not allow user access via current
2641 # binding. Different bindings, including their conditions, are examined
2642 # independently.
2643 #
2644 # title: "User account presence"
2645 # description: "Determines whether the request has a user account"
2646 # expression: "size(request.user) > 0"
2647 "location": "A String", # An optional string indicating the location of the expression for error
2648 # reporting, e.g. a file name and a position in the file.
2649 "expression": "A String", # Textual representation of an expression in
2650 # Common Expression Language syntax.
2651 #
2652 # The application context of the containing message determines which
2653 # well-known feature set of CEL is supported.
2654 "description": "A String", # An optional description of the expression. This is a longer text which
2655 # describes the expression, e.g. when hovered over it in a UI.
2656 "title": "A String", # An optional title for the expression, i.e. a short string describing
2657 # its purpose. This can be used e.g. in UIs which allow to enter the
2658 # expression.
2659 },
2660 },
2661 ],
2662 "etag": "A String", # `etag` is used for optimistic concurrency control as a way to help
2663 # prevent simultaneous updates of a policy from overwriting each other.
2664 # It is strongly suggested that systems make use of the `etag` in the
2665 # read-modify-write cycle to perform policy updates in order to avoid race
2666 # conditions: An `etag` is returned in the response to `getIamPolicy`, and
2667 # systems are expected to put that etag in the request to `setIamPolicy` to
2668 # ensure that their change will be applied to the same version of the policy.
2669 #
2670 # If no `etag` is provided in the call to `setIamPolicy`, then the existing
2671 # policy is overwritten blindly.
2672 }</pre>
2673</div>
2674
2675<div class="method">
2676 <code class="details" id="getNotes">getNotes(name, x__xgafv=None)</code>
2677 <pre>Gets the note attached to the specified occurrence. Consumer projects can
2678use this method to get a note that belongs to a provider project.
2679
2680Args:
2681 name: string, The name of the occurrence in the form of
2682`projects/[PROJECT_ID]/occurrences/[OCCURRENCE_ID]`. (required)
2683 x__xgafv: string, V1 error format.
2684 Allowed values
2685 1 - v1 error format
2686 2 - v2 error format
2687
2688Returns:
2689 An object of the form:
2690
2691 { # A type of analysis that can be done for a resource.
2692 "updateTime": "A String", # Output only. The time this note was last updated. This field can be used as
2693 # a filter in list requests.
2694 "relatedNoteNames": [ # Other notes related to this note.
2695 "A String",
2696 ],
2697 "name": "A String", # Output only. The name of the note in the form of
2698 # `projects/[PROVIDER_ID]/notes/[NOTE_ID]`.
2699 "package": { # This represents a particular package that is distributed over various # A note describing a package hosted by various package managers.
2700 # channels. E.g., glibc (aka libc6) is distributed by many, at various
2701 # versions.
2702 "distribution": [ # The various channels by which a package is distributed.
2703 { # This represents a particular channel of distribution for a given package.
2704 # E.g., Debian's jessie-backports dpkg mirror.
2705 "cpeUri": "A String", # Required. The cpe_uri in [CPE format](https://cpe.mitre.org/specification/)
2706 # denoting the package manager version distributing a package.
2707 "maintainer": "A String", # A freeform string denoting the maintainer of this package.
2708 "description": "A String", # The distribution channel-specific description of this package.
2709 "url": "A String", # The distribution channel-specific homepage for this package.
2710 "architecture": "A String", # The CPU architecture for which packages in this distribution channel were
2711 # built.
2712 "latestVersion": { # Version contains structured information about the version of a package. # The latest available version of this package in this distribution channel.
2713 "epoch": 42, # Used to correct mistakes in the version numbering scheme.
2714 "kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal
2715 # versions.
2716 "name": "A String", # Required only when version kind is NORMAL. The main part of the version
2717 # name.
2718 "revision": "A String", # The iteration of the package build from the above version.
2719 },
2720 },
2721 ],
2722 "name": "A String", # Required. Immutable. The name of the package.
2723 },
2724 "vulnerability": { # Vulnerability provides metadata about a security vulnerability in a Note. # A note describing a package vulnerability.
2725 "windowsDetails": [ # Windows details get their own format because the information format and
2726 # model don't match a normal detail. Specifically Windows updates are done as
2727 # patches, thus Windows vulnerabilities really are a missing package, rather
2728 # than a package being at an incorrect version.
2729 {
2730 "cpeUri": "A String", # Required. The CPE URI in
2731 # [cpe format](https://cpe.mitre.org/specification/) in which the
2732 # vulnerability manifests. Examples include distro or storage location for
2733 # vulnerable jar.
2734 "fixingKbs": [ # Required. The names of the KBs which have hotfixes to mitigate this
2735 # vulnerability. Note that there may be multiple hotfixes (and thus
2736 # multiple KBs) that mitigate a given vulnerability. Currently any listed
2737 # kb's presence is considered a fix.
2738 {
2739 "url": "A String", # A link to the KB in the Windows update catalog -
2740 # https://www.catalog.update.microsoft.com/
2741 "name": "A String", # The KB name (generally of the form KB[0-9]+ i.e. KB123456).
2742 },
2743 ],
2744 "name": "A String", # Required. The name of the vulnerability.
2745 "description": "A String", # The description of the vulnerability.
2746 },
2747 ],
2748 "cvssV3": { # Common Vulnerability Scoring System version 3. # The full description of the CVSSv3.
2749 # For details, see https://www.first.org/cvss/specification-document
2750 "attackComplexity": "A String",
2751 "attackVector": "A String", # Base Metrics
2752 # Represents the intrinsic characteristics of a vulnerability that are
2753 # constant over time and across user environments.
2754 "availabilityImpact": "A String",
2755 "userInteraction": "A String",
2756 "baseScore": 3.14, # The base score is a function of the base metric scores.
2757 "privilegesRequired": "A String",
2758 "impactScore": 3.14,
2759 "exploitabilityScore": 3.14,
2760 "confidentialityImpact": "A String",
2761 "integrityImpact": "A String",
2762 "scope": "A String",
2763 },
2764 "cvssScore": 3.14, # The CVSS score for this vulnerability.
2765 "severity": "A String", # Note provider assigned impact of the vulnerability.
2766 "details": [ # All information about the package to specifically identify this
2767 # vulnerability. One entry per (version range and cpe_uri) the package
2768 # vulnerability has manifested in.
2769 { # Identifies all appearances of this vulnerability in the package for a
2770 # specific distro/location. For example: glibc in
2771 # cpe:/o:debian:debian_linux:8 for versions 2.1 - 2.2
2772 "severityName": "A String", # The severity (eg: distro assigned severity) for this vulnerability.
2773 "cpeUri": "A String", # Required. The CPE URI in
2774 # [cpe format](https://cpe.mitre.org/specification/) in which the
2775 # vulnerability manifests. Examples include distro or storage location for
2776 # vulnerable jar.
2777 "description": "A String", # A vendor-specific description of this note.
2778 "minAffectedVersion": { # Version contains structured information about the version of a package. # The min version of the package in which the vulnerability exists.
2779 "epoch": 42, # Used to correct mistakes in the version numbering scheme.
2780 "kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal
2781 # versions.
2782 "name": "A String", # Required only when version kind is NORMAL. The main part of the version
2783 # name.
2784 "revision": "A String", # The iteration of the package build from the above version.
2785 },
2786 "package": "A String", # Required. The name of the package where the vulnerability was found.
2787 "packageType": "A String", # The type of package; whether native or non native(ruby gems, node.js
2788 # packages etc).
2789 "isObsolete": True or False, # Whether this detail is obsolete. Occurrences are expected not to point to
2790 # obsolete details.
2791 "maxAffectedVersion": { # Version contains structured information about the version of a package. # Deprecated, do not use. Use fixed_location instead.
2792 #
2793 # The max version of the package in which the vulnerability exists.
2794 "epoch": 42, # Used to correct mistakes in the version numbering scheme.
2795 "kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal
2796 # versions.
2797 "name": "A String", # Required only when version kind is NORMAL. The main part of the version
2798 # name.
2799 "revision": "A String", # The iteration of the package build from the above version.
2800 },
2801 "fixedLocation": { # The location of the vulnerability. # The fix for this specific package version.
2802 "cpeUri": "A String", # Required. The CPE URI in [cpe format](https://cpe.mitre.org/specification/)
2803 # format. Examples include distro or storage location for vulnerable jar.
2804 "version": { # Version contains structured information about the version of a package. # Required. The version of the package being described.
2805 "epoch": 42, # Used to correct mistakes in the version numbering scheme.
2806 "kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal
2807 # versions.
2808 "name": "A String", # Required only when version kind is NORMAL. The main part of the version
2809 # name.
2810 "revision": "A String", # The iteration of the package build from the above version.
2811 },
2812 "package": "A String", # Required. The package being described.
2813 },
2814 },
2815 ],
2816 },
2817 "kind": "A String", # Output only. The type of analysis. This field can be used as a filter in
2818 # list requests.
2819 "relatedUrl": [ # URLs associated with this note.
2820 { # Metadata for any related URL information.
2821 "url": "A String", # Specific URL associated with the resource.
2822 "label": "A String", # Label to describe usage of the URL.
2823 },
2824 ],
2825 "longDescription": "A String", # A detailed description of this note.
2826 "attestationAuthority": { # Note kind that represents a logical attestation "role" or "authority". For # A note describing an attestation role.
2827 # example, an organization might have one `Authority` for "QA" and one for
2828 # "build". This note is intended to act strictly as a grouping mechanism for
2829 # the attached occurrences (Attestations). This grouping mechanism also
2830 # provides a security boundary, since IAM ACLs gate the ability for a principle
2831 # to attach an occurrence to a given note. It also provides a single point of
2832 # lookup to find all attached attestation occurrences, even if they don't all
2833 # live in the same project.
2834 "hint": { # This submessage provides human-readable hints about the purpose of the # Hint hints at the purpose of the attestation authority.
2835 # authority. Because the name of a note acts as its resource reference, it is
2836 # important to disambiguate the canonical name of the Note (which might be a
2837 # UUID for security purposes) from "readable" names more suitable for debug
2838 # output. Note that these hints should not be used to look up authorities in
2839 # security sensitive contexts, such as when looking up attestations to
2840 # verify.
2841 "humanReadableName": "A String", # Required. The human readable name of this attestation authority, for
2842 # example "qa".
2843 },
2844 },
2845 "build": { # Note holding the version of the provider's builder and the signature of the # A note describing build provenance for a verifiable build.
2846 # provenance message in the build details occurrence.
2847 "builderVersion": "A String", # Required. Immutable. Version of the builder which produced this build.
2848 "signature": { # Message encapsulating the signature of the verified build. # Signature of the build in occurrences pointing to this build note
2849 # containing build details.
2850 "publicKey": "A String", # Public key of the builder which can be used to verify that the related
2851 # findings are valid and unchanged. If `key_type` is empty, this defaults
2852 # to PEM encoded public keys.
2853 #
2854 # This field may be empty if `key_id` references an external key.
2855 #
2856 # For Cloud Build based signatures, this is a PEM encoded public
2857 # key. To verify the Cloud Build signature, place the contents of
2858 # this field into a file (public.pem). The signature field is base64-decoded
2859 # into its binary representation in signature.bin, and the provenance bytes
2860 # from `BuildDetails` are base64-decoded into a binary representation in
2861 # signed.bin. OpenSSL can then verify the signature:
2862 # `openssl sha256 -verify public.pem -signature signature.bin signed.bin`
2863 "keyType": "A String", # The type of the key, either stored in `public_key` or referenced in
2864 # `key_id`.
2865 "keyId": "A String", # An ID for the key used to sign. This could be either an ID for the key
2866 # stored in `public_key` (such as the ID or fingerprint for a PGP key, or the
2867 # CN for a cert), or a reference to an external key (such as a reference to a
2868 # key in Cloud Key Management Service).
2869 "signature": "A String", # Required. Signature of the related `BuildProvenance`. In JSON, this is
2870 # base-64 encoded.
2871 },
2872 },
2873 "baseImage": { # Basis describes the base image portion (Note) of the DockerImage # A note describing a base image.
2874 # relationship. Linked occurrences are derived from this or an
2875 # equivalent image via:
2876 # FROM <Basis.resource_url>
2877 # Or an equivalent reference, e.g. a tag of the resource_url.
2878 "resourceUrl": "A String", # Required. Immutable. The resource_url for the resource representing the
2879 # basis of associated occurrence images.
2880 "fingerprint": { # A set of properties that uniquely identify a given Docker image. # Required. Immutable. The fingerprint of the base image.
2881 "v1Name": "A String", # Required. The layer ID of the final layer in the Docker image's v1
2882 # representation.
2883 "v2Name": "A String", # Output only. The name of the image's v2 blobs computed via:
2884 # [bottom] := v2_blobbottom := sha256(v2_blob[N] + " " + v2_name[N+1])
2885 # Only the name of the final blob is kept.
2886 "v2Blob": [ # Required. The ordered list of v2 blobs that represent a given image.
2887 "A String",
2888 ],
2889 },
2890 },
2891 "expirationTime": "A String", # Time of expiration for this note. Empty if note does not expire.
2892 "deployable": { # An artifact that can be deployed in some runtime. # A note describing something that can be deployed.
2893 "resourceUri": [ # Required. Resource URI for the artifact being deployed.
2894 "A String",
2895 ],
2896 },
2897 "shortDescription": "A String", # A one sentence description of this note.
2898 "createTime": "A String", # Output only. The time this note was created. This field can be used as a
2899 # filter in list requests.
2900 "discovery": { # A note that indicates a type of analysis a provider would perform. This note # A note describing the initial analysis of a resource.
2901 # exists in a provider's project. A `Discovery` occurrence is created in a
2902 # consumer's project at the start of analysis.
2903 "analysisKind": "A String", # Required. Immutable. The kind of analysis that is handled by this
2904 # discovery.
2905 },
2906 }</pre>
2907</div>
2908
2909<div class="method">
2910 <code class="details" id="getVulnerabilitySummary">getVulnerabilitySummary(parent, x__xgafv=None, filter=None)</code>
2911 <pre>Gets a summary of the number and severity of occurrences.
2912
2913Args:
2914 parent: string, The name of the project to get a vulnerability summary for in the form of
2915`projects/[PROJECT_ID]`. (required)
2916 x__xgafv: string, V1 error format.
2917 Allowed values
2918 1 - v1 error format
2919 2 - v2 error format
2920 filter: string, The filter expression.
2921
2922Returns:
2923 An object of the form:
2924
2925 { # A summary of how many vulnerability occurrences there are per resource and
2926 # severity type.
2927 "counts": [ # A listing by resource of the number of fixable and total vulnerabilities.
2928 { # Per resource and severity counts of fixable and total vulnerabilities.
2929 "totalCount": "A String", # The total number of vulnerabilities associated with this resource.
2930 "resource": { # An entity that can have metadata. For example, a Docker image. # The affected resource.
2931 "contentHash": { # Container message for hash values. # Deprecated, do not use. Use uri instead.
2932 #
2933 # The hash of the resource content. For example, the Docker digest.
2934 "type": "A String", # Required. The type of hash that was performed.
2935 "value": "A String", # Required. The hash value.
2936 },
2937 "uri": "A String", # Required. The unique URI of the resource. For example,
2938 # `https://gcr.io/project/image@sha256:foo` for a Docker image.
2939 "name": "A String", # Deprecated, do not use. Use uri instead.
2940 #
2941 # The name of the resource. For example, the name of a Docker image -
2942 # "Debian".
2943 },
2944 "severity": "A String", # The severity for this count. SEVERITY_UNSPECIFIED indicates total across
2945 # all severities.
2946 "fixableCount": "A String", # The number of fixable vulnerabilities associated with this resource.
2947 },
2948 ],
2949 }</pre>
2950</div>
2951
2952<div class="method">
2953 <code class="details" id="list">list(parent, pageSize=None, pageToken=None, x__xgafv=None, filter=None)</code>
2954 <pre>Lists occurrences for the specified project.
2955
2956Args:
2957 parent: string, The name of the project to list occurrences for in the form of
2958`projects/[PROJECT_ID]`. (required)
2959 pageSize: integer, Number of occurrences to return in the list. Must be positive. Max allowed
2960page size is 1000. If not specified, page size defaults to 20.
2961 pageToken: string, Token to provide to skip to a particular spot in the list.
2962 x__xgafv: string, V1 error format.
2963 Allowed values
2964 1 - v1 error format
2965 2 - v2 error format
2966 filter: string, The filter expression.
2967
2968Returns:
2969 An object of the form:
2970
2971 { # Response for listing occurrences.
2972 "nextPageToken": "A String", # The next pagination token in the list response. It should be used as
2973 # `page_token` for the following request. An empty value means no more
2974 # results.
2975 "occurrences": [ # The occurrences requested.
2976 { # An instance of an analysis type that has been found on a resource.
2977 "kind": "A String", # Output only. This explicitly denotes which of the occurrence details are
2978 # specified. This field can be used as a filter in list requests.
2979 "resource": { # An entity that can have metadata. For example, a Docker image. # Required. Immutable. The resource for which the occurrence applies.
2980 "contentHash": { # Container message for hash values. # Deprecated, do not use. Use uri instead.
2981 #
2982 # The hash of the resource content. For example, the Docker digest.
2983 "type": "A String", # Required. The type of hash that was performed.
2984 "value": "A String", # Required. The hash value.
2985 },
2986 "uri": "A String", # Required. The unique URI of the resource. For example,
2987 # `https://gcr.io/project/image@sha256:foo` for a Docker image.
2988 "name": "A String", # Deprecated, do not use. Use uri instead.
2989 #
2990 # The name of the resource. For example, the name of a Docker image -
2991 # "Debian".
2992 },
2993 "name": "A String", # Output only. The name of the occurrence in the form of
2994 # `projects/[PROJECT_ID]/occurrences/[OCCURRENCE_ID]`.
2995 "vulnerability": { # Details of a vulnerability Occurrence. # Describes a security vulnerability.
2996 "cvssScore": 3.14, # Output only. The CVSS score of this vulnerability. CVSS score is on a
2997 # scale of 0-10 where 0 indicates low severity and 10 indicates high
2998 # severity.
2999 "severity": "A String", # Output only. The note provider assigned Severity of the vulnerability.
3000 "type": "A String", # The type of package; whether native or non native(ruby gems, node.js
3001 # packages etc)
3002 "effectiveSeverity": "A String", # The distro assigned severity for this vulnerability when it is
3003 # available, and note provider assigned severity when distro has not yet
3004 # assigned a severity for this vulnerability.
3005 "relatedUrls": [ # Output only. URLs related to this vulnerability.
3006 { # Metadata for any related URL information.
3007 "url": "A String", # Specific URL associated with the resource.
3008 "label": "A String", # Label to describe usage of the URL.
3009 },
3010 ],
3011 "packageIssue": [ # Required. The set of affected locations and their fixes (if available)
3012 # within the associated resource.
3013 { # This message wraps a location affected by a vulnerability and its
3014 # associated fix (if one is available).
3015 "severityName": "A String", # Deprecated, use Details.effective_severity instead
3016 # The severity (e.g., distro assigned severity) for this vulnerability.
3017 "affectedLocation": { # The location of the vulnerability. # Required. The location of the vulnerability.
3018 "cpeUri": "A String", # Required. The CPE URI in [cpe format](https://cpe.mitre.org/specification/)
3019 # format. Examples include distro or storage location for vulnerable jar.
3020 "version": { # Version contains structured information about the version of a package. # Required. The version of the package being described.
3021 "epoch": 42, # Used to correct mistakes in the version numbering scheme.
3022 "kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal
3023 # versions.
3024 "name": "A String", # Required only when version kind is NORMAL. The main part of the version
3025 # name.
3026 "revision": "A String", # The iteration of the package build from the above version.
3027 },
3028 "package": "A String", # Required. The package being described.
3029 },
3030 "fixedLocation": { # The location of the vulnerability. # The location of the available fix for vulnerability.
3031 "cpeUri": "A String", # Required. The CPE URI in [cpe format](https://cpe.mitre.org/specification/)
3032 # format. Examples include distro or storage location for vulnerable jar.
3033 "version": { # Version contains structured information about the version of a package. # Required. The version of the package being described.
3034 "epoch": 42, # Used to correct mistakes in the version numbering scheme.
3035 "kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal
3036 # versions.
3037 "name": "A String", # Required only when version kind is NORMAL. The main part of the version
3038 # name.
3039 "revision": "A String", # The iteration of the package build from the above version.
3040 },
3041 "package": "A String", # Required. The package being described.
3042 },
3043 },
3044 ],
3045 "longDescription": "A String", # Output only. A detailed description of this vulnerability.
3046 "shortDescription": "A String", # Output only. A one sentence description of this vulnerability.
3047 },
3048 "updateTime": "A String", # Output only. The time this occurrence was last updated.
3049 "discovered": { # Details of a discovery occurrence. # Describes when a resource was discovered.
3050 "discovered": { # Provides information about the analysis status of a discovered resource. # Required. Analysis status for the discovered resource.
3051 "lastAnalysisTime": "A String", # The last time continuous analysis was done for this resource.
3052 # Deprecated, do not use.
3053 "analysisStatus": "A String", # The status of discovery for the resource.
3054 "continuousAnalysis": "A String", # Whether the resource is continuously analyzed.
3055 "analysisStatusError": { # The `Status` type defines a logical error model that is suitable for # When an error is encountered this will contain a LocalizedMessage under
3056 # details to show to the user. The LocalizedMessage is output only and
3057 # populated by the API.
3058 # different programming environments, including REST APIs and RPC APIs. It is
3059 # used by [gRPC](https://github.com/grpc). Each `Status` message contains
3060 # three pieces of data: error code, error message, and error details.
3061 #
3062 # You can find out more about this error model and how to work with it in the
3063 # [API Design Guide](https://cloud.google.com/apis/design/errors).
3064 "message": "A String", # A developer-facing error message, which should be in English. Any
3065 # user-facing error message should be localized and sent in the
3066 # google.rpc.Status.details field, or localized by the client.
3067 "code": 42, # The status code, which should be an enum value of google.rpc.Code.
3068 "details": [ # A list of messages that carry the error details. There is a common set of
3069 # message types for APIs to use.
3070 {
3071 "a_key": "", # Properties of the object. Contains field @type with type URL.
3072 },
3073 ],
3074 },
3075 },
3076 },
3077 "attestation": { # Details of an attestation occurrence. # Describes an attestation of an artifact.
3078 "attestation": { # Occurrence that represents a single "attestation". The authenticity of an # Required. Attestation for the resource.
3079 # attestation can be verified using the attached signature. If the verifier
3080 # trusts the public key of the signer, then verifying the signature is
3081 # sufficient to establish trust. In this circumstance, the authority to which
3082 # this attestation is attached is primarily useful for look-up (how to find
3083 # this attestation if you already know the authority and artifact to be
3084 # verified) and intent (which authority was this attestation intended to sign
3085 # for).
3086 "pgpSignedAttestation": { # An attestation wrapper with a PGP-compatible signature. This message only # A PGP signed attestation.
3087 # supports `ATTACHED` signatures, where the payload that is signed is included
3088 # alongside the signature itself in the same file.
3089 "pgpKeyId": "A String", # The cryptographic fingerprint of the key used to generate the signature,
3090 # as output by, e.g. `gpg --list-keys`. This should be the version 4, full
3091 # 160-bit fingerprint, expressed as a 40 character hexidecimal string. See
3092 # https://tools.ietf.org/html/rfc4880#section-12.2 for details.
3093 # Implementations may choose to acknowledge "LONG", "SHORT", or other
3094 # abbreviated key IDs, but only the full fingerprint is guaranteed to work.
3095 # In gpg, the full fingerprint can be retrieved from the `fpr` field
3096 # returned when calling --list-keys with --with-colons. For example:
3097 # ```
3098 # gpg --with-colons --with-fingerprint --force-v4-certs \
3099 # --list-keys attester@example.com
3100 # tru::1:1513631572:0:3:1:5
3101 # pub:...<SNIP>...
3102 # fpr:::::::::24FF6481B76AC91E66A00AC657A93A81EF3AE6FB:
3103 # ```
3104 # Above, the fingerprint is `24FF6481B76AC91E66A00AC657A93A81EF3AE6FB`.
3105 "contentType": "A String", # Type (for example schema) of the attestation payload that was signed.
3106 # The verifier must ensure that the provided type is one that the verifier
3107 # supports, and that the attestation payload is a valid instantiation of that
3108 # type (for example by validating a JSON schema).
3109 "signature": "A String", # Required. The raw content of the signature, as output by GNU Privacy Guard
3110 # (GPG) or equivalent. Since this message only supports attached signatures,
3111 # the payload that was signed must be attached. While the signature format
3112 # supported is dependent on the verification implementation, currently only
3113 # ASCII-armored (`--armor` to gpg), non-clearsigned (`--sign` rather than
3114 # `--clearsign` to gpg) are supported. Concretely, `gpg --sign --armor
3115 # --output=signature.gpg payload.json` will create the signature content
3116 # expected in this field in `signature.gpg` for the `payload.json`
3117 # attestation payload.
3118 },
3119 "genericSignedAttestation": { # An attestation wrapper that uses the Grafeas `Signature` message.
3120 # This attestation must define the `serialized_payload` that the `signatures`
3121 # verify and any metadata necessary to interpret that plaintext. The
3122 # signatures should always be over the `serialized_payload` bytestring.
3123 "signatures": [ # One or more signatures over `serialized_payload`. Verifier implementations
3124 # should consider this attestation message verified if at least one
3125 # `signature` verifies `serialized_payload`. See `Signature` in common.proto
3126 # for more details on signature structure and verification.
3127 { # Verifiers (e.g. Kritis implementations) MUST verify signatures
3128 # with respect to the trust anchors defined in policy (e.g. a Kritis policy).
3129 # Typically this means that the verifier has been configured with a map from
3130 # `public_key_id` to public key material (and any required parameters, e.g.
3131 # signing algorithm).
3132 #
3133 # In particular, verification implementations MUST NOT treat the signature
3134 # `public_key_id` as anything more than a key lookup hint. The `public_key_id`
3135 # DOES NOT validate or authenticate a public key; it only provides a mechanism
3136 # for quickly selecting a public key ALREADY CONFIGURED on the verifier through
3137 # a trusted channel. Verification implementations MUST reject signatures in any
3138 # of the following circumstances:
3139 # * The `public_key_id` is not recognized by the verifier.
3140 # * The public key that `public_key_id` refers to does not verify the
3141 # signature with respect to the payload.
3142 #
3143 # The `signature` contents SHOULD NOT be "attached" (where the payload is
3144 # included with the serialized `signature` bytes). Verifiers MUST ignore any
3145 # "attached" payload and only verify signatures with respect to explicitly
3146 # provided payload (e.g. a `payload` field on the proto message that holds
3147 # this Signature, or the canonical serialization of the proto message that
3148 # holds this signature).
3149 "publicKeyId": "A String", # The identifier for the public key that verifies this signature.
3150 # * The `public_key_id` is required.
3151 # * The `public_key_id` MUST be an RFC3986 conformant URI.
3152 # * When possible, the `public_key_id` SHOULD be an immutable reference,
3153 # such as a cryptographic digest.
3154 #
3155 # Examples of valid `public_key_id`s:
3156 #
3157 # OpenPGP V4 public key fingerprint:
3158 # * "openpgp4fpr:74FAF3B861BDA0870C7B6DEF607E48D2A663AEEA"
3159 # See https://www.iana.org/assignments/uri-schemes/prov/openpgp4fpr for more
3160 # details on this scheme.
3161 #
3162 # RFC6920 digest-named SubjectPublicKeyInfo (digest of the DER
3163 # serialization):
3164 # * "ni:///sha-256;cD9o9Cq6LG3jD0iKXqEi_vdjJGecm_iXkbqVoScViaU"
3165 # * "nih:///sha-256;703f68f42aba2c6de30f488a5ea122fef76324679c9bf89791ba95a1271589a5"
3166 "signature": "A String", # The content of the signature, an opaque bytestring.
3167 # The payload that this signature verifies MUST be unambiguously provided
3168 # with the Signature during verification. A wrapper message might provide
3169 # the payload explicitly. Alternatively, a message might have a canonical
3170 # serialization that can always be unambiguously computed to derive the
3171 # payload.
3172 },
3173 ],
3174 "contentType": "A String", # Type (for example schema) of the attestation payload that was signed.
3175 # The verifier must ensure that the provided type is one that the verifier
3176 # supports, and that the attestation payload is a valid instantiation of that
3177 # type (for example by validating a JSON schema).
3178 "serializedPayload": "A String", # The serialized payload that is verified by one or more `signatures`.
3179 # The encoding and semantic meaning of this payload must match what is set in
3180 # `content_type`.
3181 },
3182 },
3183 },
3184 "build": { # Details of a build occurrence. # Describes a verifiable build.
3185 "provenance": { # Provenance of a build. Contains all information needed to verify the full # Required. The actual provenance for the build.
3186 # details about the build from source to completion.
3187 "commands": [ # Commands requested by the build.
3188 { # Command describes a step performed as part of the build pipeline.
3189 "waitFor": [ # The ID(s) of the command(s) that this command depends on.
3190 "A String",
3191 ],
3192 "name": "A String", # Required. Name of the command, as presented on the command line, or if the
3193 # command is packaged as a Docker container, as presented to `docker pull`.
3194 "args": [ # Command-line arguments used when executing this command.
3195 "A String",
3196 ],
3197 "env": [ # Environment variables set before running this command.
3198 "A String",
3199 ],
3200 "id": "A String", # Optional unique identifier for this command, used in wait_for to reference
3201 # this command as a dependency.
3202 "dir": "A String", # Working directory (relative to project source root) used when running this
3203 # command.
3204 },
3205 ],
3206 "sourceProvenance": { # Source describes the location of the source used for the build. # Details of the Source input to the build.
3207 "fileHashes": { # Hash(es) of the build source, which can be used to verify that the original
3208 # source integrity was maintained in the build.
3209 #
3210 # The keys to this map are file paths used as build source and the values
3211 # contain the hash values for those files.
3212 #
3213 # If the build source came in a single package such as a gzipped tarfile
3214 # (.tar.gz), the FileHash will be for the single path to that file.
3215 "a_key": { # Container message for hashes of byte content of files, used in source
3216 # messages to verify integrity of source input to the build.
3217 "fileHash": [ # Required. Collection of file hashes.
3218 { # Container message for hash values.
3219 "type": "A String", # Required. The type of hash that was performed.
3220 "value": "A String", # Required. The hash value.
3221 },
3222 ],
3223 },
3224 },
3225 "artifactStorageSourceUri": "A String", # If provided, the input binary artifacts for the build came from this
3226 # location.
3227 "additionalContexts": [ # If provided, some of the source code used for the build may be found in
3228 # these locations, in the case where the source repository had multiple
3229 # remotes or submodules. This list will not include the context specified in
3230 # the context field.
3231 { # A SourceContext is a reference to a tree of files. A SourceContext together
3232 # with a path point to a unique revision of a single file or directory.
3233 "git": { # A GitSourceContext denotes a particular revision in a third party Git # A SourceContext referring to any third party Git repo (e.g., GitHub).
3234 # repository (e.g., GitHub).
3235 "url": "A String", # Git repository URL.
3236 "revisionId": "A String", # Git commit hash.
3237 },
3238 "cloudRepo": { # A CloudRepoSourceContext denotes a particular revision in a Google Cloud # A SourceContext referring to a revision in a Google Cloud Source Repo.
3239 # Source Repo.
3240 "aliasContext": { # An alias to a repo revision. # An alias, which may be a branch or tag.
3241 "kind": "A String", # The alias kind.
3242 "name": "A String", # The alias name.
3243 },
3244 "revisionId": "A String", # A revision ID.
3245 "repoId": { # A unique identifier for a Cloud Repo. # The ID of the repo.
3246 "uid": "A String", # A server-assigned, globally unique identifier.
3247 "projectRepoId": { # Selects a repo using a Google Cloud Platform project ID (e.g., # A combination of a project ID and a repo name.
3248 # winged-cargo-31) and a repo name within that project.
3249 "projectId": "A String", # The ID of the project.
3250 "repoName": "A String", # The name of the repo. Leave empty for the default repo.
3251 },
3252 },
3253 },
3254 "labels": { # Labels with user defined metadata.
3255 "a_key": "A String",
3256 },
3257 "gerrit": { # A SourceContext referring to a Gerrit project. # A SourceContext referring to a Gerrit project.
3258 "aliasContext": { # An alias to a repo revision. # An alias, which may be a branch or tag.
3259 "kind": "A String", # The alias kind.
3260 "name": "A String", # The alias name.
3261 },
3262 "revisionId": "A String", # A revision (commit) ID.
3263 "hostUri": "A String", # The URI of a running Gerrit instance.
3264 "gerritProject": "A String", # The full project name within the host. Projects may be nested, so
3265 # "project/subproject" is a valid project name. The "repo name" is the
3266 # hostURI/project.
3267 },
3268 },
3269 ],
3270 "context": { # A SourceContext is a reference to a tree of files. A SourceContext together # If provided, the source code used for the build came from this location.
3271 # with a path point to a unique revision of a single file or directory.
3272 "git": { # A GitSourceContext denotes a particular revision in a third party Git # A SourceContext referring to any third party Git repo (e.g., GitHub).
3273 # repository (e.g., GitHub).
3274 "url": "A String", # Git repository URL.
3275 "revisionId": "A String", # Git commit hash.
3276 },
3277 "cloudRepo": { # A CloudRepoSourceContext denotes a particular revision in a Google Cloud # A SourceContext referring to a revision in a Google Cloud Source Repo.
3278 # Source Repo.
3279 "aliasContext": { # An alias to a repo revision. # An alias, which may be a branch or tag.
3280 "kind": "A String", # The alias kind.
3281 "name": "A String", # The alias name.
3282 },
3283 "revisionId": "A String", # A revision ID.
3284 "repoId": { # A unique identifier for a Cloud Repo. # The ID of the repo.
3285 "uid": "A String", # A server-assigned, globally unique identifier.
3286 "projectRepoId": { # Selects a repo using a Google Cloud Platform project ID (e.g., # A combination of a project ID and a repo name.
3287 # winged-cargo-31) and a repo name within that project.
3288 "projectId": "A String", # The ID of the project.
3289 "repoName": "A String", # The name of the repo. Leave empty for the default repo.
3290 },
3291 },
3292 },
3293 "labels": { # Labels with user defined metadata.
3294 "a_key": "A String",
3295 },
3296 "gerrit": { # A SourceContext referring to a Gerrit project. # A SourceContext referring to a Gerrit project.
3297 "aliasContext": { # An alias to a repo revision. # An alias, which may be a branch or tag.
3298 "kind": "A String", # The alias kind.
3299 "name": "A String", # The alias name.
3300 },
3301 "revisionId": "A String", # A revision (commit) ID.
3302 "hostUri": "A String", # The URI of a running Gerrit instance.
3303 "gerritProject": "A String", # The full project name within the host. Projects may be nested, so
3304 # "project/subproject" is a valid project name. The "repo name" is the
3305 # hostURI/project.
3306 },
3307 },
3308 },
3309 "buildOptions": { # Special options applied to this build. This is a catch-all field where
3310 # build providers can enter any desired additional details.
3311 "a_key": "A String",
3312 },
3313 "creator": "A String", # E-mail address of the user who initiated this build. Note that this was the
3314 # user's e-mail address at the time the build was initiated; this address may
3315 # not represent the same end-user for all time.
3316 "projectId": "A String", # ID of the project.
3317 "builderVersion": "A String", # Version string of the builder at the time this build was executed.
3318 "createTime": "A String", # Time at which the build was created.
3319 "builtArtifacts": [ # Output of the build.
3320 { # Artifact describes a build product.
3321 "checksum": "A String", # Hash or checksum value of a binary, or Docker Registry 2.0 digest of a
3322 # container.
3323 "id": "A String", # Artifact ID, if any; for container images, this will be a URL by digest
3324 # like `gcr.io/projectID/imagename@sha256:123456`.
3325 "names": [ # Related artifact names. This may be the path to a binary or jar file, or in
3326 # the case of a container build, the name used to push the container image to
3327 # Google Container Registry, as presented to `docker push`. Note that a
3328 # single Artifact ID can have multiple names, for example if two tags are
3329 # applied to one image.
3330 "A String",
3331 ],
3332 },
3333 ],
3334 "triggerId": "A String", # Trigger identifier if the build was triggered automatically; empty if not.
3335 "startTime": "A String", # Time at which execution of the build was started.
3336 "endTime": "A String", # Time at which execution of the build was finished.
3337 "id": "A String", # Required. Unique identifier of the build.
3338 "logsUri": "A String", # URI where any logs for this provenance were written.
3339 },
3340 "provenanceBytes": "A String", # Serialized JSON representation of the provenance, used in generating the
3341 # build signature in the corresponding build note. After verifying the
3342 # signature, `provenance_bytes` can be unmarshalled and compared to the
3343 # provenance to confirm that it is unchanged. A base64-encoded string
3344 # representation of the provenance bytes is used for the signature in order
3345 # to interoperate with openssl which expects this format for signature
3346 # verification.
3347 #
3348 # The serialized form is captured both to avoid ambiguity in how the
3349 # provenance is marshalled to json as well to prevent incompatibilities with
3350 # future changes.
3351 },
3352 "deployment": { # Details of a deployment occurrence. # Describes the deployment of an artifact on a runtime.
3353 "deployment": { # The period during which some deployable was active in a runtime. # Required. Deployment history for the resource.
3354 "resourceUri": [ # Output only. Resource URI for the artifact being deployed taken from
3355 # the deployable field with the same name.
3356 "A String",
3357 ],
3358 "userEmail": "A String", # Identity of the user that triggered this deployment.
3359 "address": "A String", # Address of the runtime element hosting this deployment.
3360 "platform": "A String", # Platform hosting this deployment.
3361 "deployTime": "A String", # Required. Beginning of the lifetime of this deployment.
3362 "undeployTime": "A String", # End of the lifetime of this deployment.
3363 "config": "A String", # Configuration used to create this deployment.
3364 },
3365 },
3366 "remediation": "A String", # A description of actions that can be taken to remedy the note.
3367 "installation": { # Details of a package occurrence. # Describes the installation of a package on the linked resource.
3368 "installation": { # This represents how a particular software package may be installed on a # Required. Where the package was installed.
3369 # system.
3370 "location": [ # Required. All of the places within the filesystem versions of this package
3371 # have been found.
3372 { # An occurrence of a particular package installation found within a system's
3373 # filesystem. E.g., glibc was found in `/var/lib/dpkg/status`.
3374 "path": "A String", # The path from which we gathered that this package/version is installed.
3375 "cpeUri": "A String", # Required. The CPE URI in [CPE format](https://cpe.mitre.org/specification/)
3376 # denoting the package manager version distributing a package.
3377 "version": { # Version contains structured information about the version of a package. # The version installed at this location.
3378 "epoch": 42, # Used to correct mistakes in the version numbering scheme.
3379 "kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal
3380 # versions.
3381 "name": "A String", # Required only when version kind is NORMAL. The main part of the version
3382 # name.
3383 "revision": "A String", # The iteration of the package build from the above version.
3384 },
3385 },
3386 ],
3387 "name": "A String", # Output only. The name of the installed package.
3388 },
3389 },
3390 "createTime": "A String", # Output only. The time this occurrence was created.
3391 "derivedImage": { # Details of an image occurrence. # Describes how this resource derives from the basis in the associated
3392 # note.
3393 "derivedImage": { # Derived describes the derived image portion (Occurrence) of the DockerImage # Required. Immutable. The child image derived from the base image.
3394 # relationship. This image would be produced from a Dockerfile with FROM
3395 # <DockerImage.Basis in attached Note>.
3396 "distance": 42, # Output only. The number of layers by which this image differs from the
3397 # associated image basis.
3398 "baseResourceUrl": "A String", # Output only. This contains the base image URL for the derived image
3399 # occurrence.
3400 "layerInfo": [ # This contains layer-specific metadata, if populated it has length
3401 # "distance" and is ordered with [distance] being the layer immediately
3402 # following the base image and [1] being the final layer.
3403 { # Layer holds metadata specific to a layer of a Docker image.
3404 "arguments": "A String", # The recovered arguments to the Dockerfile directive.
3405 "directive": "A String", # Required. The recovered Dockerfile directive used to construct this layer.
3406 },
3407 ],
3408 "fingerprint": { # A set of properties that uniquely identify a given Docker image. # Required. The fingerprint of the derived image.
3409 "v1Name": "A String", # Required. The layer ID of the final layer in the Docker image's v1
3410 # representation.
3411 "v2Name": "A String", # Output only. The name of the image's v2 blobs computed via:
3412 # [bottom] := v2_blobbottom := sha256(v2_blob[N] + " " + v2_name[N+1])
3413 # Only the name of the final blob is kept.
3414 "v2Blob": [ # Required. The ordered list of v2 blobs that represent a given image.
3415 "A String",
3416 ],
3417 },
3418 },
3419 },
3420 "noteName": "A String", # Required. Immutable. The analysis note associated with this occurrence, in
3421 # the form of `projects/[PROVIDER_ID]/notes/[NOTE_ID]`. This field can be
3422 # used as a filter in list requests.
3423 },
3424 ],
3425 }</pre>
3426</div>
3427
3428<div class="method">
3429 <code class="details" id="list_next">list_next(previous_request, previous_response)</code>
3430 <pre>Retrieves the next page of results.
3431
3432Args:
3433 previous_request: The request for the previous page. (required)
3434 previous_response: The response from the request for the previous page. (required)
3435
3436Returns:
3437 A request object that you can call 'execute()' on to request the next
3438 page. Returns None if there are no more items in the collection.
3439 </pre>
3440</div>
3441
3442<div class="method">
3443 <code class="details" id="patch">patch(name, body, updateMask=None, x__xgafv=None)</code>
3444 <pre>Updates the specified occurrence.
3445
3446Args:
3447 name: string, The name of the occurrence in the form of
3448`projects/[PROJECT_ID]/occurrences/[OCCURRENCE_ID]`. (required)
3449 body: object, The request body. (required)
3450 The object takes the form of:
3451
3452{ # An instance of an analysis type that has been found on a resource.
3453 "kind": "A String", # Output only. This explicitly denotes which of the occurrence details are
3454 # specified. This field can be used as a filter in list requests.
3455 "resource": { # An entity that can have metadata. For example, a Docker image. # Required. Immutable. The resource for which the occurrence applies.
3456 "contentHash": { # Container message for hash values. # Deprecated, do not use. Use uri instead.
3457 #
3458 # The hash of the resource content. For example, the Docker digest.
3459 "type": "A String", # Required. The type of hash that was performed.
3460 "value": "A String", # Required. The hash value.
3461 },
3462 "uri": "A String", # Required. The unique URI of the resource. For example,
3463 # `https://gcr.io/project/image@sha256:foo` for a Docker image.
3464 "name": "A String", # Deprecated, do not use. Use uri instead.
3465 #
3466 # The name of the resource. For example, the name of a Docker image -
3467 # "Debian".
3468 },
3469 "name": "A String", # Output only. The name of the occurrence in the form of
3470 # `projects/[PROJECT_ID]/occurrences/[OCCURRENCE_ID]`.
3471 "vulnerability": { # Details of a vulnerability Occurrence. # Describes a security vulnerability.
3472 "cvssScore": 3.14, # Output only. The CVSS score of this vulnerability. CVSS score is on a
3473 # scale of 0-10 where 0 indicates low severity and 10 indicates high
3474 # severity.
3475 "severity": "A String", # Output only. The note provider assigned Severity of the vulnerability.
3476 "type": "A String", # The type of package; whether native or non native(ruby gems, node.js
3477 # packages etc)
3478 "effectiveSeverity": "A String", # The distro assigned severity for this vulnerability when it is
3479 # available, and note provider assigned severity when distro has not yet
3480 # assigned a severity for this vulnerability.
3481 "relatedUrls": [ # Output only. URLs related to this vulnerability.
3482 { # Metadata for any related URL information.
3483 "url": "A String", # Specific URL associated with the resource.
3484 "label": "A String", # Label to describe usage of the URL.
3485 },
3486 ],
3487 "packageIssue": [ # Required. The set of affected locations and their fixes (if available)
3488 # within the associated resource.
3489 { # This message wraps a location affected by a vulnerability and its
3490 # associated fix (if one is available).
3491 "severityName": "A String", # Deprecated, use Details.effective_severity instead
3492 # The severity (e.g., distro assigned severity) for this vulnerability.
3493 "affectedLocation": { # The location of the vulnerability. # Required. The location of the vulnerability.
3494 "cpeUri": "A String", # Required. The CPE URI in [cpe format](https://cpe.mitre.org/specification/)
3495 # format. Examples include distro or storage location for vulnerable jar.
3496 "version": { # Version contains structured information about the version of a package. # Required. The version of the package being described.
3497 "epoch": 42, # Used to correct mistakes in the version numbering scheme.
3498 "kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal
3499 # versions.
3500 "name": "A String", # Required only when version kind is NORMAL. The main part of the version
3501 # name.
3502 "revision": "A String", # The iteration of the package build from the above version.
3503 },
3504 "package": "A String", # Required. The package being described.
3505 },
3506 "fixedLocation": { # The location of the vulnerability. # The location of the available fix for vulnerability.
3507 "cpeUri": "A String", # Required. The CPE URI in [cpe format](https://cpe.mitre.org/specification/)
3508 # format. Examples include distro or storage location for vulnerable jar.
3509 "version": { # Version contains structured information about the version of a package. # Required. The version of the package being described.
3510 "epoch": 42, # Used to correct mistakes in the version numbering scheme.
3511 "kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal
3512 # versions.
3513 "name": "A String", # Required only when version kind is NORMAL. The main part of the version
3514 # name.
3515 "revision": "A String", # The iteration of the package build from the above version.
3516 },
3517 "package": "A String", # Required. The package being described.
3518 },
3519 },
3520 ],
3521 "longDescription": "A String", # Output only. A detailed description of this vulnerability.
3522 "shortDescription": "A String", # Output only. A one sentence description of this vulnerability.
3523 },
3524 "updateTime": "A String", # Output only. The time this occurrence was last updated.
3525 "discovered": { # Details of a discovery occurrence. # Describes when a resource was discovered.
3526 "discovered": { # Provides information about the analysis status of a discovered resource. # Required. Analysis status for the discovered resource.
3527 "lastAnalysisTime": "A String", # The last time continuous analysis was done for this resource.
3528 # Deprecated, do not use.
3529 "analysisStatus": "A String", # The status of discovery for the resource.
3530 "continuousAnalysis": "A String", # Whether the resource is continuously analyzed.
3531 "analysisStatusError": { # The `Status` type defines a logical error model that is suitable for # When an error is encountered this will contain a LocalizedMessage under
3532 # details to show to the user. The LocalizedMessage is output only and
3533 # populated by the API.
3534 # different programming environments, including REST APIs and RPC APIs. It is
3535 # used by [gRPC](https://github.com/grpc). Each `Status` message contains
3536 # three pieces of data: error code, error message, and error details.
3537 #
3538 # You can find out more about this error model and how to work with it in the
3539 # [API Design Guide](https://cloud.google.com/apis/design/errors).
3540 "message": "A String", # A developer-facing error message, which should be in English. Any
3541 # user-facing error message should be localized and sent in the
3542 # google.rpc.Status.details field, or localized by the client.
3543 "code": 42, # The status code, which should be an enum value of google.rpc.Code.
3544 "details": [ # A list of messages that carry the error details. There is a common set of
3545 # message types for APIs to use.
3546 {
3547 "a_key": "", # Properties of the object. Contains field @type with type URL.
3548 },
3549 ],
3550 },
3551 },
3552 },
3553 "attestation": { # Details of an attestation occurrence. # Describes an attestation of an artifact.
3554 "attestation": { # Occurrence that represents a single "attestation". The authenticity of an # Required. Attestation for the resource.
3555 # attestation can be verified using the attached signature. If the verifier
3556 # trusts the public key of the signer, then verifying the signature is
3557 # sufficient to establish trust. In this circumstance, the authority to which
3558 # this attestation is attached is primarily useful for look-up (how to find
3559 # this attestation if you already know the authority and artifact to be
3560 # verified) and intent (which authority was this attestation intended to sign
3561 # for).
3562 "pgpSignedAttestation": { # An attestation wrapper with a PGP-compatible signature. This message only # A PGP signed attestation.
3563 # supports `ATTACHED` signatures, where the payload that is signed is included
3564 # alongside the signature itself in the same file.
3565 "pgpKeyId": "A String", # The cryptographic fingerprint of the key used to generate the signature,
3566 # as output by, e.g. `gpg --list-keys`. This should be the version 4, full
3567 # 160-bit fingerprint, expressed as a 40 character hexidecimal string. See
3568 # https://tools.ietf.org/html/rfc4880#section-12.2 for details.
3569 # Implementations may choose to acknowledge "LONG", "SHORT", or other
3570 # abbreviated key IDs, but only the full fingerprint is guaranteed to work.
3571 # In gpg, the full fingerprint can be retrieved from the `fpr` field
3572 # returned when calling --list-keys with --with-colons. For example:
3573 # ```
3574 # gpg --with-colons --with-fingerprint --force-v4-certs \
3575 # --list-keys attester@example.com
3576 # tru::1:1513631572:0:3:1:5
3577 # pub:...<SNIP>...
3578 # fpr:::::::::24FF6481B76AC91E66A00AC657A93A81EF3AE6FB:
3579 # ```
3580 # Above, the fingerprint is `24FF6481B76AC91E66A00AC657A93A81EF3AE6FB`.
3581 "contentType": "A String", # Type (for example schema) of the attestation payload that was signed.
3582 # The verifier must ensure that the provided type is one that the verifier
3583 # supports, and that the attestation payload is a valid instantiation of that
3584 # type (for example by validating a JSON schema).
3585 "signature": "A String", # Required. The raw content of the signature, as output by GNU Privacy Guard
3586 # (GPG) or equivalent. Since this message only supports attached signatures,
3587 # the payload that was signed must be attached. While the signature format
3588 # supported is dependent on the verification implementation, currently only
3589 # ASCII-armored (`--armor` to gpg), non-clearsigned (`--sign` rather than
3590 # `--clearsign` to gpg) are supported. Concretely, `gpg --sign --armor
3591 # --output=signature.gpg payload.json` will create the signature content
3592 # expected in this field in `signature.gpg` for the `payload.json`
3593 # attestation payload.
3594 },
3595 "genericSignedAttestation": { # An attestation wrapper that uses the Grafeas `Signature` message.
3596 # This attestation must define the `serialized_payload` that the `signatures`
3597 # verify and any metadata necessary to interpret that plaintext. The
3598 # signatures should always be over the `serialized_payload` bytestring.
3599 "signatures": [ # One or more signatures over `serialized_payload`. Verifier implementations
3600 # should consider this attestation message verified if at least one
3601 # `signature` verifies `serialized_payload`. See `Signature` in common.proto
3602 # for more details on signature structure and verification.
3603 { # Verifiers (e.g. Kritis implementations) MUST verify signatures
3604 # with respect to the trust anchors defined in policy (e.g. a Kritis policy).
3605 # Typically this means that the verifier has been configured with a map from
3606 # `public_key_id` to public key material (and any required parameters, e.g.
3607 # signing algorithm).
3608 #
3609 # In particular, verification implementations MUST NOT treat the signature
3610 # `public_key_id` as anything more than a key lookup hint. The `public_key_id`
3611 # DOES NOT validate or authenticate a public key; it only provides a mechanism
3612 # for quickly selecting a public key ALREADY CONFIGURED on the verifier through
3613 # a trusted channel. Verification implementations MUST reject signatures in any
3614 # of the following circumstances:
3615 # * The `public_key_id` is not recognized by the verifier.
3616 # * The public key that `public_key_id` refers to does not verify the
3617 # signature with respect to the payload.
3618 #
3619 # The `signature` contents SHOULD NOT be "attached" (where the payload is
3620 # included with the serialized `signature` bytes). Verifiers MUST ignore any
3621 # "attached" payload and only verify signatures with respect to explicitly
3622 # provided payload (e.g. a `payload` field on the proto message that holds
3623 # this Signature, or the canonical serialization of the proto message that
3624 # holds this signature).
3625 "publicKeyId": "A String", # The identifier for the public key that verifies this signature.
3626 # * The `public_key_id` is required.
3627 # * The `public_key_id` MUST be an RFC3986 conformant URI.
3628 # * When possible, the `public_key_id` SHOULD be an immutable reference,
3629 # such as a cryptographic digest.
3630 #
3631 # Examples of valid `public_key_id`s:
3632 #
3633 # OpenPGP V4 public key fingerprint:
3634 # * "openpgp4fpr:74FAF3B861BDA0870C7B6DEF607E48D2A663AEEA"
3635 # See https://www.iana.org/assignments/uri-schemes/prov/openpgp4fpr for more
3636 # details on this scheme.
3637 #
3638 # RFC6920 digest-named SubjectPublicKeyInfo (digest of the DER
3639 # serialization):
3640 # * "ni:///sha-256;cD9o9Cq6LG3jD0iKXqEi_vdjJGecm_iXkbqVoScViaU"
3641 # * "nih:///sha-256;703f68f42aba2c6de30f488a5ea122fef76324679c9bf89791ba95a1271589a5"
3642 "signature": "A String", # The content of the signature, an opaque bytestring.
3643 # The payload that this signature verifies MUST be unambiguously provided
3644 # with the Signature during verification. A wrapper message might provide
3645 # the payload explicitly. Alternatively, a message might have a canonical
3646 # serialization that can always be unambiguously computed to derive the
3647 # payload.
3648 },
3649 ],
3650 "contentType": "A String", # Type (for example schema) of the attestation payload that was signed.
3651 # The verifier must ensure that the provided type is one that the verifier
3652 # supports, and that the attestation payload is a valid instantiation of that
3653 # type (for example by validating a JSON schema).
3654 "serializedPayload": "A String", # The serialized payload that is verified by one or more `signatures`.
3655 # The encoding and semantic meaning of this payload must match what is set in
3656 # `content_type`.
3657 },
3658 },
3659 },
3660 "build": { # Details of a build occurrence. # Describes a verifiable build.
3661 "provenance": { # Provenance of a build. Contains all information needed to verify the full # Required. The actual provenance for the build.
3662 # details about the build from source to completion.
3663 "commands": [ # Commands requested by the build.
3664 { # Command describes a step performed as part of the build pipeline.
3665 "waitFor": [ # The ID(s) of the command(s) that this command depends on.
3666 "A String",
3667 ],
3668 "name": "A String", # Required. Name of the command, as presented on the command line, or if the
3669 # command is packaged as a Docker container, as presented to `docker pull`.
3670 "args": [ # Command-line arguments used when executing this command.
3671 "A String",
3672 ],
3673 "env": [ # Environment variables set before running this command.
3674 "A String",
3675 ],
3676 "id": "A String", # Optional unique identifier for this command, used in wait_for to reference
3677 # this command as a dependency.
3678 "dir": "A String", # Working directory (relative to project source root) used when running this
3679 # command.
3680 },
3681 ],
3682 "sourceProvenance": { # Source describes the location of the source used for the build. # Details of the Source input to the build.
3683 "fileHashes": { # Hash(es) of the build source, which can be used to verify that the original
3684 # source integrity was maintained in the build.
3685 #
3686 # The keys to this map are file paths used as build source and the values
3687 # contain the hash values for those files.
3688 #
3689 # If the build source came in a single package such as a gzipped tarfile
3690 # (.tar.gz), the FileHash will be for the single path to that file.
3691 "a_key": { # Container message for hashes of byte content of files, used in source
3692 # messages to verify integrity of source input to the build.
3693 "fileHash": [ # Required. Collection of file hashes.
3694 { # Container message for hash values.
3695 "type": "A String", # Required. The type of hash that was performed.
3696 "value": "A String", # Required. The hash value.
3697 },
3698 ],
3699 },
3700 },
3701 "artifactStorageSourceUri": "A String", # If provided, the input binary artifacts for the build came from this
3702 # location.
3703 "additionalContexts": [ # If provided, some of the source code used for the build may be found in
3704 # these locations, in the case where the source repository had multiple
3705 # remotes or submodules. This list will not include the context specified in
3706 # the context field.
3707 { # A SourceContext is a reference to a tree of files. A SourceContext together
3708 # with a path point to a unique revision of a single file or directory.
3709 "git": { # A GitSourceContext denotes a particular revision in a third party Git # A SourceContext referring to any third party Git repo (e.g., GitHub).
3710 # repository (e.g., GitHub).
3711 "url": "A String", # Git repository URL.
3712 "revisionId": "A String", # Git commit hash.
3713 },
3714 "cloudRepo": { # A CloudRepoSourceContext denotes a particular revision in a Google Cloud # A SourceContext referring to a revision in a Google Cloud Source Repo.
3715 # Source Repo.
3716 "aliasContext": { # An alias to a repo revision. # An alias, which may be a branch or tag.
3717 "kind": "A String", # The alias kind.
3718 "name": "A String", # The alias name.
3719 },
3720 "revisionId": "A String", # A revision ID.
3721 "repoId": { # A unique identifier for a Cloud Repo. # The ID of the repo.
3722 "uid": "A String", # A server-assigned, globally unique identifier.
3723 "projectRepoId": { # Selects a repo using a Google Cloud Platform project ID (e.g., # A combination of a project ID and a repo name.
3724 # winged-cargo-31) and a repo name within that project.
3725 "projectId": "A String", # The ID of the project.
3726 "repoName": "A String", # The name of the repo. Leave empty for the default repo.
3727 },
3728 },
3729 },
3730 "labels": { # Labels with user defined metadata.
3731 "a_key": "A String",
3732 },
3733 "gerrit": { # A SourceContext referring to a Gerrit project. # A SourceContext referring to a Gerrit project.
3734 "aliasContext": { # An alias to a repo revision. # An alias, which may be a branch or tag.
3735 "kind": "A String", # The alias kind.
3736 "name": "A String", # The alias name.
3737 },
3738 "revisionId": "A String", # A revision (commit) ID.
3739 "hostUri": "A String", # The URI of a running Gerrit instance.
3740 "gerritProject": "A String", # The full project name within the host. Projects may be nested, so
3741 # "project/subproject" is a valid project name. The "repo name" is the
3742 # hostURI/project.
3743 },
3744 },
3745 ],
3746 "context": { # A SourceContext is a reference to a tree of files. A SourceContext together # If provided, the source code used for the build came from this location.
3747 # with a path point to a unique revision of a single file or directory.
3748 "git": { # A GitSourceContext denotes a particular revision in a third party Git # A SourceContext referring to any third party Git repo (e.g., GitHub).
3749 # repository (e.g., GitHub).
3750 "url": "A String", # Git repository URL.
3751 "revisionId": "A String", # Git commit hash.
3752 },
3753 "cloudRepo": { # A CloudRepoSourceContext denotes a particular revision in a Google Cloud # A SourceContext referring to a revision in a Google Cloud Source Repo.
3754 # Source Repo.
3755 "aliasContext": { # An alias to a repo revision. # An alias, which may be a branch or tag.
3756 "kind": "A String", # The alias kind.
3757 "name": "A String", # The alias name.
3758 },
3759 "revisionId": "A String", # A revision ID.
3760 "repoId": { # A unique identifier for a Cloud Repo. # The ID of the repo.
3761 "uid": "A String", # A server-assigned, globally unique identifier.
3762 "projectRepoId": { # Selects a repo using a Google Cloud Platform project ID (e.g., # A combination of a project ID and a repo name.
3763 # winged-cargo-31) and a repo name within that project.
3764 "projectId": "A String", # The ID of the project.
3765 "repoName": "A String", # The name of the repo. Leave empty for the default repo.
3766 },
3767 },
3768 },
3769 "labels": { # Labels with user defined metadata.
3770 "a_key": "A String",
3771 },
3772 "gerrit": { # A SourceContext referring to a Gerrit project. # A SourceContext referring to a Gerrit project.
3773 "aliasContext": { # An alias to a repo revision. # An alias, which may be a branch or tag.
3774 "kind": "A String", # The alias kind.
3775 "name": "A String", # The alias name.
3776 },
3777 "revisionId": "A String", # A revision (commit) ID.
3778 "hostUri": "A String", # The URI of a running Gerrit instance.
3779 "gerritProject": "A String", # The full project name within the host. Projects may be nested, so
3780 # "project/subproject" is a valid project name. The "repo name" is the
3781 # hostURI/project.
3782 },
3783 },
3784 },
3785 "buildOptions": { # Special options applied to this build. This is a catch-all field where
3786 # build providers can enter any desired additional details.
3787 "a_key": "A String",
3788 },
3789 "creator": "A String", # E-mail address of the user who initiated this build. Note that this was the
3790 # user's e-mail address at the time the build was initiated; this address may
3791 # not represent the same end-user for all time.
3792 "projectId": "A String", # ID of the project.
3793 "builderVersion": "A String", # Version string of the builder at the time this build was executed.
3794 "createTime": "A String", # Time at which the build was created.
3795 "builtArtifacts": [ # Output of the build.
3796 { # Artifact describes a build product.
3797 "checksum": "A String", # Hash or checksum value of a binary, or Docker Registry 2.0 digest of a
3798 # container.
3799 "id": "A String", # Artifact ID, if any; for container images, this will be a URL by digest
3800 # like `gcr.io/projectID/imagename@sha256:123456`.
3801 "names": [ # Related artifact names. This may be the path to a binary or jar file, or in
3802 # the case of a container build, the name used to push the container image to
3803 # Google Container Registry, as presented to `docker push`. Note that a
3804 # single Artifact ID can have multiple names, for example if two tags are
3805 # applied to one image.
3806 "A String",
3807 ],
3808 },
3809 ],
3810 "triggerId": "A String", # Trigger identifier if the build was triggered automatically; empty if not.
3811 "startTime": "A String", # Time at which execution of the build was started.
3812 "endTime": "A String", # Time at which execution of the build was finished.
3813 "id": "A String", # Required. Unique identifier of the build.
3814 "logsUri": "A String", # URI where any logs for this provenance were written.
3815 },
3816 "provenanceBytes": "A String", # Serialized JSON representation of the provenance, used in generating the
3817 # build signature in the corresponding build note. After verifying the
3818 # signature, `provenance_bytes` can be unmarshalled and compared to the
3819 # provenance to confirm that it is unchanged. A base64-encoded string
3820 # representation of the provenance bytes is used for the signature in order
3821 # to interoperate with openssl which expects this format for signature
3822 # verification.
3823 #
3824 # The serialized form is captured both to avoid ambiguity in how the
3825 # provenance is marshalled to json as well to prevent incompatibilities with
3826 # future changes.
3827 },
3828 "deployment": { # Details of a deployment occurrence. # Describes the deployment of an artifact on a runtime.
3829 "deployment": { # The period during which some deployable was active in a runtime. # Required. Deployment history for the resource.
3830 "resourceUri": [ # Output only. Resource URI for the artifact being deployed taken from
3831 # the deployable field with the same name.
3832 "A String",
3833 ],
3834 "userEmail": "A String", # Identity of the user that triggered this deployment.
3835 "address": "A String", # Address of the runtime element hosting this deployment.
3836 "platform": "A String", # Platform hosting this deployment.
3837 "deployTime": "A String", # Required. Beginning of the lifetime of this deployment.
3838 "undeployTime": "A String", # End of the lifetime of this deployment.
3839 "config": "A String", # Configuration used to create this deployment.
3840 },
3841 },
3842 "remediation": "A String", # A description of actions that can be taken to remedy the note.
3843 "installation": { # Details of a package occurrence. # Describes the installation of a package on the linked resource.
3844 "installation": { # This represents how a particular software package may be installed on a # Required. Where the package was installed.
3845 # system.
3846 "location": [ # Required. All of the places within the filesystem versions of this package
3847 # have been found.
3848 { # An occurrence of a particular package installation found within a system's
3849 # filesystem. E.g., glibc was found in `/var/lib/dpkg/status`.
3850 "path": "A String", # The path from which we gathered that this package/version is installed.
3851 "cpeUri": "A String", # Required. The CPE URI in [CPE format](https://cpe.mitre.org/specification/)
3852 # denoting the package manager version distributing a package.
3853 "version": { # Version contains structured information about the version of a package. # The version installed at this location.
3854 "epoch": 42, # Used to correct mistakes in the version numbering scheme.
3855 "kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal
3856 # versions.
3857 "name": "A String", # Required only when version kind is NORMAL. The main part of the version
3858 # name.
3859 "revision": "A String", # The iteration of the package build from the above version.
3860 },
3861 },
3862 ],
3863 "name": "A String", # Output only. The name of the installed package.
3864 },
3865 },
3866 "createTime": "A String", # Output only. The time this occurrence was created.
3867 "derivedImage": { # Details of an image occurrence. # Describes how this resource derives from the basis in the associated
3868 # note.
3869 "derivedImage": { # Derived describes the derived image portion (Occurrence) of the DockerImage # Required. Immutable. The child image derived from the base image.
3870 # relationship. This image would be produced from a Dockerfile with FROM
3871 # <DockerImage.Basis in attached Note>.
3872 "distance": 42, # Output only. The number of layers by which this image differs from the
3873 # associated image basis.
3874 "baseResourceUrl": "A String", # Output only. This contains the base image URL for the derived image
3875 # occurrence.
3876 "layerInfo": [ # This contains layer-specific metadata, if populated it has length
3877 # "distance" and is ordered with [distance] being the layer immediately
3878 # following the base image and [1] being the final layer.
3879 { # Layer holds metadata specific to a layer of a Docker image.
3880 "arguments": "A String", # The recovered arguments to the Dockerfile directive.
3881 "directive": "A String", # Required. The recovered Dockerfile directive used to construct this layer.
3882 },
3883 ],
3884 "fingerprint": { # A set of properties that uniquely identify a given Docker image. # Required. The fingerprint of the derived image.
3885 "v1Name": "A String", # Required. The layer ID of the final layer in the Docker image's v1
3886 # representation.
3887 "v2Name": "A String", # Output only. The name of the image's v2 blobs computed via:
3888 # [bottom] := v2_blobbottom := sha256(v2_blob[N] + " " + v2_name[N+1])
3889 # Only the name of the final blob is kept.
3890 "v2Blob": [ # Required. The ordered list of v2 blobs that represent a given image.
3891 "A String",
3892 ],
3893 },
3894 },
3895 },
3896 "noteName": "A String", # Required. Immutable. The analysis note associated with this occurrence, in
3897 # the form of `projects/[PROVIDER_ID]/notes/[NOTE_ID]`. This field can be
3898 # used as a filter in list requests.
3899}
3900
3901 updateMask: string, The fields to update.
3902 x__xgafv: string, V1 error format.
3903 Allowed values
3904 1 - v1 error format
3905 2 - v2 error format
3906
3907Returns:
3908 An object of the form:
3909
3910 { # An instance of an analysis type that has been found on a resource.
3911 "kind": "A String", # Output only. This explicitly denotes which of the occurrence details are
3912 # specified. This field can be used as a filter in list requests.
3913 "resource": { # An entity that can have metadata. For example, a Docker image. # Required. Immutable. The resource for which the occurrence applies.
3914 "contentHash": { # Container message for hash values. # Deprecated, do not use. Use uri instead.
3915 #
3916 # The hash of the resource content. For example, the Docker digest.
3917 "type": "A String", # Required. The type of hash that was performed.
3918 "value": "A String", # Required. The hash value.
3919 },
3920 "uri": "A String", # Required. The unique URI of the resource. For example,
3921 # `https://gcr.io/project/image@sha256:foo` for a Docker image.
3922 "name": "A String", # Deprecated, do not use. Use uri instead.
3923 #
3924 # The name of the resource. For example, the name of a Docker image -
3925 # "Debian".
3926 },
3927 "name": "A String", # Output only. The name of the occurrence in the form of
3928 # `projects/[PROJECT_ID]/occurrences/[OCCURRENCE_ID]`.
3929 "vulnerability": { # Details of a vulnerability Occurrence. # Describes a security vulnerability.
3930 "cvssScore": 3.14, # Output only. The CVSS score of this vulnerability. CVSS score is on a
3931 # scale of 0-10 where 0 indicates low severity and 10 indicates high
3932 # severity.
3933 "severity": "A String", # Output only. The note provider assigned Severity of the vulnerability.
3934 "type": "A String", # The type of package; whether native or non native(ruby gems, node.js
3935 # packages etc)
3936 "effectiveSeverity": "A String", # The distro assigned severity for this vulnerability when it is
3937 # available, and note provider assigned severity when distro has not yet
3938 # assigned a severity for this vulnerability.
3939 "relatedUrls": [ # Output only. URLs related to this vulnerability.
3940 { # Metadata for any related URL information.
3941 "url": "A String", # Specific URL associated with the resource.
3942 "label": "A String", # Label to describe usage of the URL.
3943 },
3944 ],
3945 "packageIssue": [ # Required. The set of affected locations and their fixes (if available)
3946 # within the associated resource.
3947 { # This message wraps a location affected by a vulnerability and its
3948 # associated fix (if one is available).
3949 "severityName": "A String", # Deprecated, use Details.effective_severity instead
3950 # The severity (e.g., distro assigned severity) for this vulnerability.
3951 "affectedLocation": { # The location of the vulnerability. # Required. The location of the vulnerability.
3952 "cpeUri": "A String", # Required. The CPE URI in [cpe format](https://cpe.mitre.org/specification/)
3953 # format. Examples include distro or storage location for vulnerable jar.
3954 "version": { # Version contains structured information about the version of a package. # Required. The version of the package being described.
3955 "epoch": 42, # Used to correct mistakes in the version numbering scheme.
3956 "kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal
3957 # versions.
3958 "name": "A String", # Required only when version kind is NORMAL. The main part of the version
3959 # name.
3960 "revision": "A String", # The iteration of the package build from the above version.
3961 },
3962 "package": "A String", # Required. The package being described.
3963 },
3964 "fixedLocation": { # The location of the vulnerability. # The location of the available fix for vulnerability.
3965 "cpeUri": "A String", # Required. The CPE URI in [cpe format](https://cpe.mitre.org/specification/)
3966 # format. Examples include distro or storage location for vulnerable jar.
3967 "version": { # Version contains structured information about the version of a package. # Required. The version of the package being described.
3968 "epoch": 42, # Used to correct mistakes in the version numbering scheme.
3969 "kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal
3970 # versions.
3971 "name": "A String", # Required only when version kind is NORMAL. The main part of the version
3972 # name.
3973 "revision": "A String", # The iteration of the package build from the above version.
3974 },
3975 "package": "A String", # Required. The package being described.
3976 },
3977 },
3978 ],
3979 "longDescription": "A String", # Output only. A detailed description of this vulnerability.
3980 "shortDescription": "A String", # Output only. A one sentence description of this vulnerability.
3981 },
3982 "updateTime": "A String", # Output only. The time this occurrence was last updated.
3983 "discovered": { # Details of a discovery occurrence. # Describes when a resource was discovered.
3984 "discovered": { # Provides information about the analysis status of a discovered resource. # Required. Analysis status for the discovered resource.
3985 "lastAnalysisTime": "A String", # The last time continuous analysis was done for this resource.
3986 # Deprecated, do not use.
3987 "analysisStatus": "A String", # The status of discovery for the resource.
3988 "continuousAnalysis": "A String", # Whether the resource is continuously analyzed.
3989 "analysisStatusError": { # The `Status` type defines a logical error model that is suitable for # When an error is encountered this will contain a LocalizedMessage under
3990 # details to show to the user. The LocalizedMessage is output only and
3991 # populated by the API.
3992 # different programming environments, including REST APIs and RPC APIs. It is
3993 # used by [gRPC](https://github.com/grpc). Each `Status` message contains
3994 # three pieces of data: error code, error message, and error details.
3995 #
3996 # You can find out more about this error model and how to work with it in the
3997 # [API Design Guide](https://cloud.google.com/apis/design/errors).
3998 "message": "A String", # A developer-facing error message, which should be in English. Any
3999 # user-facing error message should be localized and sent in the
4000 # google.rpc.Status.details field, or localized by the client.
4001 "code": 42, # The status code, which should be an enum value of google.rpc.Code.
4002 "details": [ # A list of messages that carry the error details. There is a common set of
4003 # message types for APIs to use.
4004 {
4005 "a_key": "", # Properties of the object. Contains field @type with type URL.
4006 },
4007 ],
4008 },
4009 },
4010 },
4011 "attestation": { # Details of an attestation occurrence. # Describes an attestation of an artifact.
4012 "attestation": { # Occurrence that represents a single "attestation". The authenticity of an # Required. Attestation for the resource.
4013 # attestation can be verified using the attached signature. If the verifier
4014 # trusts the public key of the signer, then verifying the signature is
4015 # sufficient to establish trust. In this circumstance, the authority to which
4016 # this attestation is attached is primarily useful for look-up (how to find
4017 # this attestation if you already know the authority and artifact to be
4018 # verified) and intent (which authority was this attestation intended to sign
4019 # for).
4020 "pgpSignedAttestation": { # An attestation wrapper with a PGP-compatible signature. This message only # A PGP signed attestation.
4021 # supports `ATTACHED` signatures, where the payload that is signed is included
4022 # alongside the signature itself in the same file.
4023 "pgpKeyId": "A String", # The cryptographic fingerprint of the key used to generate the signature,
4024 # as output by, e.g. `gpg --list-keys`. This should be the version 4, full
4025 # 160-bit fingerprint, expressed as a 40 character hexidecimal string. See
4026 # https://tools.ietf.org/html/rfc4880#section-12.2 for details.
4027 # Implementations may choose to acknowledge "LONG", "SHORT", or other
4028 # abbreviated key IDs, but only the full fingerprint is guaranteed to work.
4029 # In gpg, the full fingerprint can be retrieved from the `fpr` field
4030 # returned when calling --list-keys with --with-colons. For example:
4031 # ```
4032 # gpg --with-colons --with-fingerprint --force-v4-certs \
4033 # --list-keys attester@example.com
4034 # tru::1:1513631572:0:3:1:5
4035 # pub:...<SNIP>...
4036 # fpr:::::::::24FF6481B76AC91E66A00AC657A93A81EF3AE6FB:
4037 # ```
4038 # Above, the fingerprint is `24FF6481B76AC91E66A00AC657A93A81EF3AE6FB`.
4039 "contentType": "A String", # Type (for example schema) of the attestation payload that was signed.
4040 # The verifier must ensure that the provided type is one that the verifier
4041 # supports, and that the attestation payload is a valid instantiation of that
4042 # type (for example by validating a JSON schema).
4043 "signature": "A String", # Required. The raw content of the signature, as output by GNU Privacy Guard
4044 # (GPG) or equivalent. Since this message only supports attached signatures,
4045 # the payload that was signed must be attached. While the signature format
4046 # supported is dependent on the verification implementation, currently only
4047 # ASCII-armored (`--armor` to gpg), non-clearsigned (`--sign` rather than
4048 # `--clearsign` to gpg) are supported. Concretely, `gpg --sign --armor
4049 # --output=signature.gpg payload.json` will create the signature content
4050 # expected in this field in `signature.gpg` for the `payload.json`
4051 # attestation payload.
4052 },
4053 "genericSignedAttestation": { # An attestation wrapper that uses the Grafeas `Signature` message.
4054 # This attestation must define the `serialized_payload` that the `signatures`
4055 # verify and any metadata necessary to interpret that plaintext. The
4056 # signatures should always be over the `serialized_payload` bytestring.
4057 "signatures": [ # One or more signatures over `serialized_payload`. Verifier implementations
4058 # should consider this attestation message verified if at least one
4059 # `signature` verifies `serialized_payload`. See `Signature` in common.proto
4060 # for more details on signature structure and verification.
4061 { # Verifiers (e.g. Kritis implementations) MUST verify signatures
4062 # with respect to the trust anchors defined in policy (e.g. a Kritis policy).
4063 # Typically this means that the verifier has been configured with a map from
4064 # `public_key_id` to public key material (and any required parameters, e.g.
4065 # signing algorithm).
4066 #
4067 # In particular, verification implementations MUST NOT treat the signature
4068 # `public_key_id` as anything more than a key lookup hint. The `public_key_id`
4069 # DOES NOT validate or authenticate a public key; it only provides a mechanism
4070 # for quickly selecting a public key ALREADY CONFIGURED on the verifier through
4071 # a trusted channel. Verification implementations MUST reject signatures in any
4072 # of the following circumstances:
4073 # * The `public_key_id` is not recognized by the verifier.
4074 # * The public key that `public_key_id` refers to does not verify the
4075 # signature with respect to the payload.
4076 #
4077 # The `signature` contents SHOULD NOT be "attached" (where the payload is
4078 # included with the serialized `signature` bytes). Verifiers MUST ignore any
4079 # "attached" payload and only verify signatures with respect to explicitly
4080 # provided payload (e.g. a `payload` field on the proto message that holds
4081 # this Signature, or the canonical serialization of the proto message that
4082 # holds this signature).
4083 "publicKeyId": "A String", # The identifier for the public key that verifies this signature.
4084 # * The `public_key_id` is required.
4085 # * The `public_key_id` MUST be an RFC3986 conformant URI.
4086 # * When possible, the `public_key_id` SHOULD be an immutable reference,
4087 # such as a cryptographic digest.
4088 #
4089 # Examples of valid `public_key_id`s:
4090 #
4091 # OpenPGP V4 public key fingerprint:
4092 # * "openpgp4fpr:74FAF3B861BDA0870C7B6DEF607E48D2A663AEEA"
4093 # See https://www.iana.org/assignments/uri-schemes/prov/openpgp4fpr for more
4094 # details on this scheme.
4095 #
4096 # RFC6920 digest-named SubjectPublicKeyInfo (digest of the DER
4097 # serialization):
4098 # * "ni:///sha-256;cD9o9Cq6LG3jD0iKXqEi_vdjJGecm_iXkbqVoScViaU"
4099 # * "nih:///sha-256;703f68f42aba2c6de30f488a5ea122fef76324679c9bf89791ba95a1271589a5"
4100 "signature": "A String", # The content of the signature, an opaque bytestring.
4101 # The payload that this signature verifies MUST be unambiguously provided
4102 # with the Signature during verification. A wrapper message might provide
4103 # the payload explicitly. Alternatively, a message might have a canonical
4104 # serialization that can always be unambiguously computed to derive the
4105 # payload.
4106 },
4107 ],
4108 "contentType": "A String", # Type (for example schema) of the attestation payload that was signed.
4109 # The verifier must ensure that the provided type is one that the verifier
4110 # supports, and that the attestation payload is a valid instantiation of that
4111 # type (for example by validating a JSON schema).
4112 "serializedPayload": "A String", # The serialized payload that is verified by one or more `signatures`.
4113 # The encoding and semantic meaning of this payload must match what is set in
4114 # `content_type`.
4115 },
4116 },
4117 },
4118 "build": { # Details of a build occurrence. # Describes a verifiable build.
4119 "provenance": { # Provenance of a build. Contains all information needed to verify the full # Required. The actual provenance for the build.
4120 # details about the build from source to completion.
4121 "commands": [ # Commands requested by the build.
4122 { # Command describes a step performed as part of the build pipeline.
4123 "waitFor": [ # The ID(s) of the command(s) that this command depends on.
4124 "A String",
4125 ],
4126 "name": "A String", # Required. Name of the command, as presented on the command line, or if the
4127 # command is packaged as a Docker container, as presented to `docker pull`.
4128 "args": [ # Command-line arguments used when executing this command.
4129 "A String",
4130 ],
4131 "env": [ # Environment variables set before running this command.
4132 "A String",
4133 ],
4134 "id": "A String", # Optional unique identifier for this command, used in wait_for to reference
4135 # this command as a dependency.
4136 "dir": "A String", # Working directory (relative to project source root) used when running this
4137 # command.
4138 },
4139 ],
4140 "sourceProvenance": { # Source describes the location of the source used for the build. # Details of the Source input to the build.
4141 "fileHashes": { # Hash(es) of the build source, which can be used to verify that the original
4142 # source integrity was maintained in the build.
4143 #
4144 # The keys to this map are file paths used as build source and the values
4145 # contain the hash values for those files.
4146 #
4147 # If the build source came in a single package such as a gzipped tarfile
4148 # (.tar.gz), the FileHash will be for the single path to that file.
4149 "a_key": { # Container message for hashes of byte content of files, used in source
4150 # messages to verify integrity of source input to the build.
4151 "fileHash": [ # Required. Collection of file hashes.
4152 { # Container message for hash values.
4153 "type": "A String", # Required. The type of hash that was performed.
4154 "value": "A String", # Required. The hash value.
4155 },
4156 ],
4157 },
4158 },
4159 "artifactStorageSourceUri": "A String", # If provided, the input binary artifacts for the build came from this
4160 # location.
4161 "additionalContexts": [ # If provided, some of the source code used for the build may be found in
4162 # these locations, in the case where the source repository had multiple
4163 # remotes or submodules. This list will not include the context specified in
4164 # the context field.
4165 { # A SourceContext is a reference to a tree of files. A SourceContext together
4166 # with a path point to a unique revision of a single file or directory.
4167 "git": { # A GitSourceContext denotes a particular revision in a third party Git # A SourceContext referring to any third party Git repo (e.g., GitHub).
4168 # repository (e.g., GitHub).
4169 "url": "A String", # Git repository URL.
4170 "revisionId": "A String", # Git commit hash.
4171 },
4172 "cloudRepo": { # A CloudRepoSourceContext denotes a particular revision in a Google Cloud # A SourceContext referring to a revision in a Google Cloud Source Repo.
4173 # Source Repo.
4174 "aliasContext": { # An alias to a repo revision. # An alias, which may be a branch or tag.
4175 "kind": "A String", # The alias kind.
4176 "name": "A String", # The alias name.
4177 },
4178 "revisionId": "A String", # A revision ID.
4179 "repoId": { # A unique identifier for a Cloud Repo. # The ID of the repo.
4180 "uid": "A String", # A server-assigned, globally unique identifier.
4181 "projectRepoId": { # Selects a repo using a Google Cloud Platform project ID (e.g., # A combination of a project ID and a repo name.
4182 # winged-cargo-31) and a repo name within that project.
4183 "projectId": "A String", # The ID of the project.
4184 "repoName": "A String", # The name of the repo. Leave empty for the default repo.
4185 },
4186 },
4187 },
4188 "labels": { # Labels with user defined metadata.
4189 "a_key": "A String",
4190 },
4191 "gerrit": { # A SourceContext referring to a Gerrit project. # A SourceContext referring to a Gerrit project.
4192 "aliasContext": { # An alias to a repo revision. # An alias, which may be a branch or tag.
4193 "kind": "A String", # The alias kind.
4194 "name": "A String", # The alias name.
4195 },
4196 "revisionId": "A String", # A revision (commit) ID.
4197 "hostUri": "A String", # The URI of a running Gerrit instance.
4198 "gerritProject": "A String", # The full project name within the host. Projects may be nested, so
4199 # "project/subproject" is a valid project name. The "repo name" is the
4200 # hostURI/project.
4201 },
4202 },
4203 ],
4204 "context": { # A SourceContext is a reference to a tree of files. A SourceContext together # If provided, the source code used for the build came from this location.
4205 # with a path point to a unique revision of a single file or directory.
4206 "git": { # A GitSourceContext denotes a particular revision in a third party Git # A SourceContext referring to any third party Git repo (e.g., GitHub).
4207 # repository (e.g., GitHub).
4208 "url": "A String", # Git repository URL.
4209 "revisionId": "A String", # Git commit hash.
4210 },
4211 "cloudRepo": { # A CloudRepoSourceContext denotes a particular revision in a Google Cloud # A SourceContext referring to a revision in a Google Cloud Source Repo.
4212 # Source Repo.
4213 "aliasContext": { # An alias to a repo revision. # An alias, which may be a branch or tag.
4214 "kind": "A String", # The alias kind.
4215 "name": "A String", # The alias name.
4216 },
4217 "revisionId": "A String", # A revision ID.
4218 "repoId": { # A unique identifier for a Cloud Repo. # The ID of the repo.
4219 "uid": "A String", # A server-assigned, globally unique identifier.
4220 "projectRepoId": { # Selects a repo using a Google Cloud Platform project ID (e.g., # A combination of a project ID and a repo name.
4221 # winged-cargo-31) and a repo name within that project.
4222 "projectId": "A String", # The ID of the project.
4223 "repoName": "A String", # The name of the repo. Leave empty for the default repo.
4224 },
4225 },
4226 },
4227 "labels": { # Labels with user defined metadata.
4228 "a_key": "A String",
4229 },
4230 "gerrit": { # A SourceContext referring to a Gerrit project. # A SourceContext referring to a Gerrit project.
4231 "aliasContext": { # An alias to a repo revision. # An alias, which may be a branch or tag.
4232 "kind": "A String", # The alias kind.
4233 "name": "A String", # The alias name.
4234 },
4235 "revisionId": "A String", # A revision (commit) ID.
4236 "hostUri": "A String", # The URI of a running Gerrit instance.
4237 "gerritProject": "A String", # The full project name within the host. Projects may be nested, so
4238 # "project/subproject" is a valid project name. The "repo name" is the
4239 # hostURI/project.
4240 },
4241 },
4242 },
4243 "buildOptions": { # Special options applied to this build. This is a catch-all field where
4244 # build providers can enter any desired additional details.
4245 "a_key": "A String",
4246 },
4247 "creator": "A String", # E-mail address of the user who initiated this build. Note that this was the
4248 # user's e-mail address at the time the build was initiated; this address may
4249 # not represent the same end-user for all time.
4250 "projectId": "A String", # ID of the project.
4251 "builderVersion": "A String", # Version string of the builder at the time this build was executed.
4252 "createTime": "A String", # Time at which the build was created.
4253 "builtArtifacts": [ # Output of the build.
4254 { # Artifact describes a build product.
4255 "checksum": "A String", # Hash or checksum value of a binary, or Docker Registry 2.0 digest of a
4256 # container.
4257 "id": "A String", # Artifact ID, if any; for container images, this will be a URL by digest
4258 # like `gcr.io/projectID/imagename@sha256:123456`.
4259 "names": [ # Related artifact names. This may be the path to a binary or jar file, or in
4260 # the case of a container build, the name used to push the container image to
4261 # Google Container Registry, as presented to `docker push`. Note that a
4262 # single Artifact ID can have multiple names, for example if two tags are
4263 # applied to one image.
4264 "A String",
4265 ],
4266 },
4267 ],
4268 "triggerId": "A String", # Trigger identifier if the build was triggered automatically; empty if not.
4269 "startTime": "A String", # Time at which execution of the build was started.
4270 "endTime": "A String", # Time at which execution of the build was finished.
4271 "id": "A String", # Required. Unique identifier of the build.
4272 "logsUri": "A String", # URI where any logs for this provenance were written.
4273 },
4274 "provenanceBytes": "A String", # Serialized JSON representation of the provenance, used in generating the
4275 # build signature in the corresponding build note. After verifying the
4276 # signature, `provenance_bytes` can be unmarshalled and compared to the
4277 # provenance to confirm that it is unchanged. A base64-encoded string
4278 # representation of the provenance bytes is used for the signature in order
4279 # to interoperate with openssl which expects this format for signature
4280 # verification.
4281 #
4282 # The serialized form is captured both to avoid ambiguity in how the
4283 # provenance is marshalled to json as well to prevent incompatibilities with
4284 # future changes.
4285 },
4286 "deployment": { # Details of a deployment occurrence. # Describes the deployment of an artifact on a runtime.
4287 "deployment": { # The period during which some deployable was active in a runtime. # Required. Deployment history for the resource.
4288 "resourceUri": [ # Output only. Resource URI for the artifact being deployed taken from
4289 # the deployable field with the same name.
4290 "A String",
4291 ],
4292 "userEmail": "A String", # Identity of the user that triggered this deployment.
4293 "address": "A String", # Address of the runtime element hosting this deployment.
4294 "platform": "A String", # Platform hosting this deployment.
4295 "deployTime": "A String", # Required. Beginning of the lifetime of this deployment.
4296 "undeployTime": "A String", # End of the lifetime of this deployment.
4297 "config": "A String", # Configuration used to create this deployment.
4298 },
4299 },
4300 "remediation": "A String", # A description of actions that can be taken to remedy the note.
4301 "installation": { # Details of a package occurrence. # Describes the installation of a package on the linked resource.
4302 "installation": { # This represents how a particular software package may be installed on a # Required. Where the package was installed.
4303 # system.
4304 "location": [ # Required. All of the places within the filesystem versions of this package
4305 # have been found.
4306 { # An occurrence of a particular package installation found within a system's
4307 # filesystem. E.g., glibc was found in `/var/lib/dpkg/status`.
4308 "path": "A String", # The path from which we gathered that this package/version is installed.
4309 "cpeUri": "A String", # Required. The CPE URI in [CPE format](https://cpe.mitre.org/specification/)
4310 # denoting the package manager version distributing a package.
4311 "version": { # Version contains structured information about the version of a package. # The version installed at this location.
4312 "epoch": 42, # Used to correct mistakes in the version numbering scheme.
4313 "kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal
4314 # versions.
4315 "name": "A String", # Required only when version kind is NORMAL. The main part of the version
4316 # name.
4317 "revision": "A String", # The iteration of the package build from the above version.
4318 },
4319 },
4320 ],
4321 "name": "A String", # Output only. The name of the installed package.
4322 },
4323 },
4324 "createTime": "A String", # Output only. The time this occurrence was created.
4325 "derivedImage": { # Details of an image occurrence. # Describes how this resource derives from the basis in the associated
4326 # note.
4327 "derivedImage": { # Derived describes the derived image portion (Occurrence) of the DockerImage # Required. Immutable. The child image derived from the base image.
4328 # relationship. This image would be produced from a Dockerfile with FROM
4329 # <DockerImage.Basis in attached Note>.
4330 "distance": 42, # Output only. The number of layers by which this image differs from the
4331 # associated image basis.
4332 "baseResourceUrl": "A String", # Output only. This contains the base image URL for the derived image
4333 # occurrence.
4334 "layerInfo": [ # This contains layer-specific metadata, if populated it has length
4335 # "distance" and is ordered with [distance] being the layer immediately
4336 # following the base image and [1] being the final layer.
4337 { # Layer holds metadata specific to a layer of a Docker image.
4338 "arguments": "A String", # The recovered arguments to the Dockerfile directive.
4339 "directive": "A String", # Required. The recovered Dockerfile directive used to construct this layer.
4340 },
4341 ],
4342 "fingerprint": { # A set of properties that uniquely identify a given Docker image. # Required. The fingerprint of the derived image.
4343 "v1Name": "A String", # Required. The layer ID of the final layer in the Docker image's v1
4344 # representation.
4345 "v2Name": "A String", # Output only. The name of the image's v2 blobs computed via:
4346 # [bottom] := v2_blobbottom := sha256(v2_blob[N] + " " + v2_name[N+1])
4347 # Only the name of the final blob is kept.
4348 "v2Blob": [ # Required. The ordered list of v2 blobs that represent a given image.
4349 "A String",
4350 ],
4351 },
4352 },
4353 },
4354 "noteName": "A String", # Required. Immutable. The analysis note associated with this occurrence, in
4355 # the form of `projects/[PROVIDER_ID]/notes/[NOTE_ID]`. This field can be
4356 # used as a filter in list requests.
4357 }</pre>
4358</div>
4359
4360<div class="method">
4361 <code class="details" id="setIamPolicy">setIamPolicy(resource, body, x__xgafv=None)</code>
4362 <pre>Sets the access control policy on the specified note or occurrence.
4363Requires `containeranalysis.notes.setIamPolicy` or
4364`containeranalysis.occurrences.setIamPolicy` permission if the resource is
4365a note or an occurrence, respectively.
4366
4367The resource takes the format `projects/[PROJECT_ID]/notes/[NOTE_ID]` for
4368notes and `projects/[PROJECT_ID]/occurrences/[OCCURRENCE_ID]` for
4369occurrences.
4370
4371Args:
4372 resource: string, REQUIRED: The resource for which the policy is being specified.
4373See the operation documentation for the appropriate value for this field. (required)
4374 body: object, The request body. (required)
4375 The object takes the form of:
4376
4377{ # Request message for `SetIamPolicy` method.
4378 "policy": { # Defines an Identity and Access Management (IAM) policy. It is used to # REQUIRED: The complete policy to be applied to the `resource`. The size of
4379 # the policy is limited to a few 10s of KB. An empty policy is a
4380 # valid policy but certain Cloud Platform services (such as Projects)
4381 # might reject them.
4382 # specify access control policies for Cloud Platform resources.
4383 #
4384 #
4385 # A `Policy` consists of a list of `bindings`. A `binding` binds a list of
4386 # `members` to a `role`, where the members can be user accounts, Google groups,
4387 # Google domains, and service accounts. A `role` is a named list of permissions
4388 # defined by IAM.
4389 #
4390 # **JSON Example**
4391 #
4392 # {
4393 # "bindings": [
4394 # {
4395 # "role": "roles/owner",
4396 # "members": [
4397 # "user:mike@example.com",
4398 # "group:admins@example.com",
4399 # "domain:google.com",
4400 # "serviceAccount:my-other-app@appspot.gserviceaccount.com"
4401 # ]
4402 # },
4403 # {
4404 # "role": "roles/viewer",
4405 # "members": ["user:sean@example.com"]
4406 # }
4407 # ]
4408 # }
4409 #
4410 # **YAML Example**
4411 #
4412 # bindings:
4413 # - members:
4414 # - user:mike@example.com
4415 # - group:admins@example.com
4416 # - domain:google.com
4417 # - serviceAccount:my-other-app@appspot.gserviceaccount.com
4418 # role: roles/owner
4419 # - members:
4420 # - user:sean@example.com
4421 # role: roles/viewer
4422 #
4423 #
4424 # For a description of IAM and its features, see the
4425 # [IAM developer's guide](https://cloud.google.com/iam/docs).
4426 "auditConfigs": [ # Specifies cloud audit logging configuration for this policy.
4427 { # Specifies the audit configuration for a service.
4428 # The configuration determines which permission types are logged, and what
4429 # identities, if any, are exempted from logging.
4430 # An AuditConfig must have one or more AuditLogConfigs.
4431 #
4432 # If there are AuditConfigs for both `allServices` and a specific service,
4433 # the union of the two AuditConfigs is used for that service: the log_types
4434 # specified in each AuditConfig are enabled, and the exempted_members in each
4435 # AuditLogConfig are exempted.
4436 #
4437 # Example Policy with multiple AuditConfigs:
4438 #
4439 # {
4440 # "audit_configs": [
4441 # {
4442 # "service": "allServices"
4443 # "audit_log_configs": [
4444 # {
4445 # "log_type": "DATA_READ",
4446 # "exempted_members": [
4447 # "user:foo@gmail.com"
4448 # ]
4449 # },
4450 # {
4451 # "log_type": "DATA_WRITE",
4452 # },
4453 # {
4454 # "log_type": "ADMIN_READ",
4455 # }
4456 # ]
4457 # },
4458 # {
4459 # "service": "fooservice.googleapis.com"
4460 # "audit_log_configs": [
4461 # {
4462 # "log_type": "DATA_READ",
4463 # },
4464 # {
4465 # "log_type": "DATA_WRITE",
4466 # "exempted_members": [
4467 # "user:bar@gmail.com"
4468 # ]
4469 # }
4470 # ]
4471 # }
4472 # ]
4473 # }
4474 #
4475 # For fooservice, this policy enables DATA_READ, DATA_WRITE and ADMIN_READ
4476 # logging. It also exempts foo@gmail.com from DATA_READ logging, and
4477 # bar@gmail.com from DATA_WRITE logging.
4478 "auditLogConfigs": [ # The configuration for logging of each type of permission.
4479 { # Provides the configuration for logging a type of permissions.
4480 # Example:
4481 #
4482 # {
4483 # "audit_log_configs": [
4484 # {
4485 # "log_type": "DATA_READ",
4486 # "exempted_members": [
4487 # "user:foo@gmail.com"
4488 # ]
4489 # },
4490 # {
4491 # "log_type": "DATA_WRITE",
4492 # }
4493 # ]
4494 # }
4495 #
4496 # This enables 'DATA_READ' and 'DATA_WRITE' logging, while exempting
4497 # foo@gmail.com from DATA_READ logging.
4498 "exemptedMembers": [ # Specifies the identities that do not cause logging for this type of
4499 # permission.
4500 # Follows the same format of Binding.members.
4501 "A String",
4502 ],
4503 "logType": "A String", # The log type that this config enables.
4504 },
4505 ],
4506 "service": "A String", # Specifies a service that will be enabled for audit logging.
4507 # For example, `storage.googleapis.com`, `cloudsql.googleapis.com`.
4508 # `allServices` is a special value that covers all services.
4509 },
4510 ],
4511 "version": 42, # Deprecated.
4512 "bindings": [ # Associates a list of `members` to a `role`.
4513 # `bindings` with no members will result in an error.
4514 { # Associates `members` with a `role`.
4515 "role": "A String", # Role that is assigned to `members`.
4516 # For example, `roles/viewer`, `roles/editor`, or `roles/owner`.
4517 "members": [ # Specifies the identities requesting access for a Cloud Platform resource.
4518 # `members` can have the following values:
4519 #
4520 # * `allUsers`: A special identifier that represents anyone who is
4521 # on the internet; with or without a Google account.
4522 #
4523 # * `allAuthenticatedUsers`: A special identifier that represents anyone
4524 # who is authenticated with a Google account or a service account.
4525 #
4526 # * `user:{emailid}`: An email address that represents a specific Google
4527 # account. For example, `alice@gmail.com` .
4528 #
4529 #
4530 # * `serviceAccount:{emailid}`: An email address that represents a service
4531 # account. For example, `my-other-app@appspot.gserviceaccount.com`.
4532 #
4533 # * `group:{emailid}`: An email address that represents a Google group.
4534 # For example, `admins@example.com`.
4535 #
4536 #
4537 # * `domain:{domain}`: The G Suite domain (primary) that represents all the
4538 # users of that domain. For example, `google.com` or `example.com`.
4539 #
4540 "A String",
4541 ],
4542 "condition": { # Represents an expression text. Example: # The condition that is associated with this binding.
4543 # NOTE: An unsatisfied condition will not allow user access via current
4544 # binding. Different bindings, including their conditions, are examined
4545 # independently.
4546 #
4547 # title: "User account presence"
4548 # description: "Determines whether the request has a user account"
4549 # expression: "size(request.user) > 0"
4550 "location": "A String", # An optional string indicating the location of the expression for error
4551 # reporting, e.g. a file name and a position in the file.
4552 "expression": "A String", # Textual representation of an expression in
4553 # Common Expression Language syntax.
4554 #
4555 # The application context of the containing message determines which
4556 # well-known feature set of CEL is supported.
4557 "description": "A String", # An optional description of the expression. This is a longer text which
4558 # describes the expression, e.g. when hovered over it in a UI.
4559 "title": "A String", # An optional title for the expression, i.e. a short string describing
4560 # its purpose. This can be used e.g. in UIs which allow to enter the
4561 # expression.
4562 },
4563 },
4564 ],
4565 "etag": "A String", # `etag` is used for optimistic concurrency control as a way to help
4566 # prevent simultaneous updates of a policy from overwriting each other.
4567 # It is strongly suggested that systems make use of the `etag` in the
4568 # read-modify-write cycle to perform policy updates in order to avoid race
4569 # conditions: An `etag` is returned in the response to `getIamPolicy`, and
4570 # systems are expected to put that etag in the request to `setIamPolicy` to
4571 # ensure that their change will be applied to the same version of the policy.
4572 #
4573 # If no `etag` is provided in the call to `setIamPolicy`, then the existing
4574 # policy is overwritten blindly.
4575 },
4576 "updateMask": "A String", # OPTIONAL: A FieldMask specifying which fields of the policy to modify. Only
4577 # the fields in the mask will be modified. If no mask is provided, the
4578 # following default mask is used:
4579 # paths: "bindings, etag"
4580 # This field is only used by Cloud IAM.
4581 }
4582
4583 x__xgafv: string, V1 error format.
4584 Allowed values
4585 1 - v1 error format
4586 2 - v2 error format
4587
4588Returns:
4589 An object of the form:
4590
4591 { # Defines an Identity and Access Management (IAM) policy. It is used to
4592 # specify access control policies for Cloud Platform resources.
4593 #
4594 #
4595 # A `Policy` consists of a list of `bindings`. A `binding` binds a list of
4596 # `members` to a `role`, where the members can be user accounts, Google groups,
4597 # Google domains, and service accounts. A `role` is a named list of permissions
4598 # defined by IAM.
4599 #
4600 # **JSON Example**
4601 #
4602 # {
4603 # "bindings": [
4604 # {
4605 # "role": "roles/owner",
4606 # "members": [
4607 # "user:mike@example.com",
4608 # "group:admins@example.com",
4609 # "domain:google.com",
4610 # "serviceAccount:my-other-app@appspot.gserviceaccount.com"
4611 # ]
4612 # },
4613 # {
4614 # "role": "roles/viewer",
4615 # "members": ["user:sean@example.com"]
4616 # }
4617 # ]
4618 # }
4619 #
4620 # **YAML Example**
4621 #
4622 # bindings:
4623 # - members:
4624 # - user:mike@example.com
4625 # - group:admins@example.com
4626 # - domain:google.com
4627 # - serviceAccount:my-other-app@appspot.gserviceaccount.com
4628 # role: roles/owner
4629 # - members:
4630 # - user:sean@example.com
4631 # role: roles/viewer
4632 #
4633 #
4634 # For a description of IAM and its features, see the
4635 # [IAM developer's guide](https://cloud.google.com/iam/docs).
4636 "auditConfigs": [ # Specifies cloud audit logging configuration for this policy.
4637 { # Specifies the audit configuration for a service.
4638 # The configuration determines which permission types are logged, and what
4639 # identities, if any, are exempted from logging.
4640 # An AuditConfig must have one or more AuditLogConfigs.
4641 #
4642 # If there are AuditConfigs for both `allServices` and a specific service,
4643 # the union of the two AuditConfigs is used for that service: the log_types
4644 # specified in each AuditConfig are enabled, and the exempted_members in each
4645 # AuditLogConfig are exempted.
4646 #
4647 # Example Policy with multiple AuditConfigs:
4648 #
4649 # {
4650 # "audit_configs": [
4651 # {
4652 # "service": "allServices"
4653 # "audit_log_configs": [
4654 # {
4655 # "log_type": "DATA_READ",
4656 # "exempted_members": [
4657 # "user:foo@gmail.com"
4658 # ]
4659 # },
4660 # {
4661 # "log_type": "DATA_WRITE",
4662 # },
4663 # {
4664 # "log_type": "ADMIN_READ",
4665 # }
4666 # ]
4667 # },
4668 # {
4669 # "service": "fooservice.googleapis.com"
4670 # "audit_log_configs": [
4671 # {
4672 # "log_type": "DATA_READ",
4673 # },
4674 # {
4675 # "log_type": "DATA_WRITE",
4676 # "exempted_members": [
4677 # "user:bar@gmail.com"
4678 # ]
4679 # }
4680 # ]
4681 # }
4682 # ]
4683 # }
4684 #
4685 # For fooservice, this policy enables DATA_READ, DATA_WRITE and ADMIN_READ
4686 # logging. It also exempts foo@gmail.com from DATA_READ logging, and
4687 # bar@gmail.com from DATA_WRITE logging.
4688 "auditLogConfigs": [ # The configuration for logging of each type of permission.
4689 { # Provides the configuration for logging a type of permissions.
4690 # Example:
4691 #
4692 # {
4693 # "audit_log_configs": [
4694 # {
4695 # "log_type": "DATA_READ",
4696 # "exempted_members": [
4697 # "user:foo@gmail.com"
4698 # ]
4699 # },
4700 # {
4701 # "log_type": "DATA_WRITE",
4702 # }
4703 # ]
4704 # }
4705 #
4706 # This enables 'DATA_READ' and 'DATA_WRITE' logging, while exempting
4707 # foo@gmail.com from DATA_READ logging.
4708 "exemptedMembers": [ # Specifies the identities that do not cause logging for this type of
4709 # permission.
4710 # Follows the same format of Binding.members.
4711 "A String",
4712 ],
4713 "logType": "A String", # The log type that this config enables.
4714 },
4715 ],
4716 "service": "A String", # Specifies a service that will be enabled for audit logging.
4717 # For example, `storage.googleapis.com`, `cloudsql.googleapis.com`.
4718 # `allServices` is a special value that covers all services.
4719 },
4720 ],
4721 "version": 42, # Deprecated.
4722 "bindings": [ # Associates a list of `members` to a `role`.
4723 # `bindings` with no members will result in an error.
4724 { # Associates `members` with a `role`.
4725 "role": "A String", # Role that is assigned to `members`.
4726 # For example, `roles/viewer`, `roles/editor`, or `roles/owner`.
4727 "members": [ # Specifies the identities requesting access for a Cloud Platform resource.
4728 # `members` can have the following values:
4729 #
4730 # * `allUsers`: A special identifier that represents anyone who is
4731 # on the internet; with or without a Google account.
4732 #
4733 # * `allAuthenticatedUsers`: A special identifier that represents anyone
4734 # who is authenticated with a Google account or a service account.
4735 #
4736 # * `user:{emailid}`: An email address that represents a specific Google
4737 # account. For example, `alice@gmail.com` .
4738 #
4739 #
4740 # * `serviceAccount:{emailid}`: An email address that represents a service
4741 # account. For example, `my-other-app@appspot.gserviceaccount.com`.
4742 #
4743 # * `group:{emailid}`: An email address that represents a Google group.
4744 # For example, `admins@example.com`.
4745 #
4746 #
4747 # * `domain:{domain}`: The G Suite domain (primary) that represents all the
4748 # users of that domain. For example, `google.com` or `example.com`.
4749 #
4750 "A String",
4751 ],
4752 "condition": { # Represents an expression text. Example: # The condition that is associated with this binding.
4753 # NOTE: An unsatisfied condition will not allow user access via current
4754 # binding. Different bindings, including their conditions, are examined
4755 # independently.
4756 #
4757 # title: "User account presence"
4758 # description: "Determines whether the request has a user account"
4759 # expression: "size(request.user) > 0"
4760 "location": "A String", # An optional string indicating the location of the expression for error
4761 # reporting, e.g. a file name and a position in the file.
4762 "expression": "A String", # Textual representation of an expression in
4763 # Common Expression Language syntax.
4764 #
4765 # The application context of the containing message determines which
4766 # well-known feature set of CEL is supported.
4767 "description": "A String", # An optional description of the expression. This is a longer text which
4768 # describes the expression, e.g. when hovered over it in a UI.
4769 "title": "A String", # An optional title for the expression, i.e. a short string describing
4770 # its purpose. This can be used e.g. in UIs which allow to enter the
4771 # expression.
4772 },
4773 },
4774 ],
4775 "etag": "A String", # `etag` is used for optimistic concurrency control as a way to help
4776 # prevent simultaneous updates of a policy from overwriting each other.
4777 # It is strongly suggested that systems make use of the `etag` in the
4778 # read-modify-write cycle to perform policy updates in order to avoid race
4779 # conditions: An `etag` is returned in the response to `getIamPolicy`, and
4780 # systems are expected to put that etag in the request to `setIamPolicy` to
4781 # ensure that their change will be applied to the same version of the policy.
4782 #
4783 # If no `etag` is provided in the call to `setIamPolicy`, then the existing
4784 # policy is overwritten blindly.
4785 }</pre>
4786</div>
4787
4788<div class="method">
4789 <code class="details" id="testIamPermissions">testIamPermissions(resource, body, x__xgafv=None)</code>
4790 <pre>Returns the permissions that a caller has on the specified note or
4791occurrence. Requires list permission on the project (for example,
4792`containeranalysis.notes.list`).
4793
4794The resource takes the format `projects/[PROJECT_ID]/notes/[NOTE_ID]` for
4795notes and `projects/[PROJECT_ID]/occurrences/[OCCURRENCE_ID]` for
4796occurrences.
4797
4798Args:
4799 resource: string, REQUIRED: The resource for which the policy detail is being requested.
4800See the operation documentation for the appropriate value for this field. (required)
4801 body: object, The request body. (required)
4802 The object takes the form of:
4803
4804{ # Request message for `TestIamPermissions` method.
4805 "permissions": [ # The set of permissions to check for the `resource`. Permissions with
4806 # wildcards (such as '*' or 'storage.*') are not allowed. For more
4807 # information see
4808 # [IAM Overview](https://cloud.google.com/iam/docs/overview#permissions).
4809 "A String",
4810 ],
4811 }
4812
4813 x__xgafv: string, V1 error format.
4814 Allowed values
4815 1 - v1 error format
4816 2 - v2 error format
4817
4818Returns:
4819 An object of the form:
4820
4821 { # Response message for `TestIamPermissions` method.
4822 "permissions": [ # A subset of `TestPermissionsRequest.permissions` that the caller is
4823 # allowed.
4824 "A String",
4825 ],
4826 }</pre>
4827</div>
4828
4829</body></html>