Blame - docs/dyn/containeranalysis_v1beta1.projects.notes.html - platform/external/python/google-api-python-client

2020-05-01 07:42:23 -0700

[diff] [blame]

83

<code><a href="#batchCreate">batchCreate(parent, body=None, x__xgafv=None)</a></code></p>

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

84

<p class="firstline">Creates new notes in batch.</p>

85

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

86

<code><a href="#create">create(parent, body=None, noteId=None, x__xgafv=None)</a></code></p>

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

87

<p class="firstline">Creates a new note.</p>

88

89

<code><a href="#delete">delete(name, x__xgafv=None)</a></code></p>

90

<p class="firstline">Deletes the specified note.</p>

91

92

<code><a href="#get">get(name, x__xgafv=None)</a></code></p>

93

<p class="firstline">Gets the specified note.</p>

94

95

<code><a href="#getIamPolicy">getIamPolicy(resource, body=None, x__xgafv=None)</a></code></p>

96

<p class="firstline">Gets the access control policy for a note or an occurrence resource.</p>

97

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

98

<code><a href="#list">list(parent, pageToken=None, pageSize=None, filter=None, x__xgafv=None)</a></code></p>

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

99

<p class="firstline">Lists notes for the specified project.</p>

100

101

<code><a href="#list_next">list_next(previous_request, previous_response)</a></code></p>

102

<p class="firstline">Retrieves the next page of results.</p>

103

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

104

<code><a href="#patch">patch(name, body=None, updateMask=None, x__xgafv=None)</a></code></p>

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

105

<p class="firstline">Updates the specified note.</p>

106

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

107

<code><a href="#setIamPolicy">setIamPolicy(resource, body=None, x__xgafv=None)</a></code></p>

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

108

<p class="firstline">Sets the access control policy on the specified note or occurrence.</p>

109

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

110

<code><a href="#testIamPermissions">testIamPermissions(resource, body=None, x__xgafv=None)</a></code></p>

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

111

<p class="firstline">Returns the permissions that a caller has on the specified note or</p>

112

<h3>Method Details</h3>

113

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

114

<code class="details" id="batchCreate">batchCreate(parent, body=None, x__xgafv=None)</code>

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

115

<pre>Creates new notes in batch.

116

117

Args:

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

118

parent: string, Required. The name of the project in the form of `projects/[PROJECT_ID]`, under which

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

119

the notes are to be created. (required)

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

120

body: object, The request body.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

121

The object takes the form of:

122

123

{ # Request to create notes in batch.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

124

"notes": { # Required. The notes to create. Max allowed length is 1000.

125

"a_key": { # A type of analysis that can be done for a resource.

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

126

"discovery": { # A note that indicates a type of analysis a provider would perform. This note # A note describing the initial analysis of a resource.

127

# exists in a provider's project. A `Discovery` occurrence is created in a

128

# consumer's project at the start of analysis.

129

"analysisKind": "A String", # Required. Immutable. The kind of analysis that is handled by this

130

# discovery.

131

},

132

"name": "A String", # Output only. The name of the note in the form of

133

# `projects/[PROVIDER_ID]/notes/[NOTE_ID]`.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

134

"attestationAuthority": { # Note kind that represents a logical attestation "role" or "authority". For # A note describing an attestation role.

135

# example, an organization might have one `Authority` for "QA" and one for

136

# "build". This note is intended to act strictly as a grouping mechanism for

137

# the attached occurrences (Attestations). This grouping mechanism also

138

# provides a security boundary, since IAM ACLs gate the ability for a principle

139

# to attach an occurrence to a given note. It also provides a single point of

140

# lookup to find all attached attestation occurrences, even if they don't all

141

# live in the same project.

142

"hint": { # This submessage provides human-readable hints about the purpose of the # Hint hints at the purpose of the attestation authority.

143

# authority. Because the name of a note acts as its resource reference, it is

144

# important to disambiguate the canonical name of the Note (which might be a

145

# UUID for security purposes) from "readable" names more suitable for debug

146

# output. Note that these hints should not be used to look up authorities in

147

# security sensitive contexts, such as when looking up attestations to

148

# verify.

149

"humanReadableName": "A String", # Required. The human readable name of this attestation authority, for

150

# example "qa".

151

},

152

},

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

153

"intoto": { # This contains the fields corresponding to the definition of a software supply # A note describing an in-toto link.

154

# chain step in an in-toto layout. This information goes into a Grafeas note.

155

"expectedMaterials": [ # The following fields contain in-toto artifact rules identifying the

156

# artifacts that enter this supply chain step, and exit the supply chain

157

# step, i.e. materials and products of the step.

158

{ # Defines an object to declare an in-toto artifact rule

159

"artifactRule": [

160

"A String",

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

161

],

162

},

163

],

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

164

"expectedProducts": [

165

{ # Defines an object to declare an in-toto artifact rule

"artifactRule": [

"A String",

],

},

],

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

171

"signingKeys": [ # This field contains the public keys that can be used to verify the

172

# signatures on the step metadata.

173

{ # This defines the format used to record keys used in the software supply

174

# chain. An in-toto link is attested using one or more keys defined in the

175

# in-toto layout. An example of this is:

176

# {

177

# "key_id": "776a00e29f3559e0141b3b096f696abc6cfb0c657ab40f441132b345b0...",

178

# "key_type": "rsa",

179

# "public_key_value": "-----BEGIN PUBLIC KEY-----\nMIIBojANBgkqhkiG9w0B...",

180

# "key_scheme": "rsassa-pss-sha256"

181

# }

182

# The format for in-toto's key definition can be found in section 4.2 of the

183

# in-toto specification.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

184

"keyScheme": "A String", # This field contains the corresponding signature scheme.

185

# Eg: "rsassa-pss-sha256".

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

186

"keyType": "A String", # This field identifies the specific signing method. Eg: "rsa", "ed25519",

187

# and "ecdsa".

188

"keyId": "A String", # key_id is an identifier for the signing key.

189

"publicKeyValue": "A String", # This field contains the actual public key.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

190

},

191

],

192

"threshold": "A String", # This field contains a value that indicates the minimum number of keys that

193

# need to be used to sign the step's in-toto link.

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

194

"stepName": "A String", # This field identifies the name of the step in the supply chain.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

195

"expectedCommand": [ # This field contains the expected command used to perform the step.

196

"A String",

197

],

198

},

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

199

"kind": "A String", # Output only. The type of analysis. This field can be used as a filter in

200

# list requests.

201

"longDescription": "A String", # A detailed description of this note.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

202

"baseImage": { # Basis describes the base image portion (Note) of the DockerImage # A note describing a base image.

203

# relationship. Linked occurrences are derived from this or an

204

# equivalent image via:

205

# FROM <Basis.resource_url>

206

# Or an equivalent reference, e.g. a tag of the resource_url.

207

"fingerprint": { # A set of properties that uniquely identify a given Docker image. # Required. Immutable. The fingerprint of the base image.

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

208

"v1Name": "A String", # Required. The layer ID of the final layer in the Docker image's v1

209

# representation.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

210

"v2Blob": [ # Required. The ordered list of v2 blobs that represent a given image.

211

"A String",

212

],

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

213

"v2Name": "A String", # Output only. The name of the image's v2 blobs computed via:

214

# [bottom] := v2_blobbottom := sha256(v2_blob[N] + " " + v2_name[N+1])

215

# Only the name of the final blob is kept.

216

},

217

"resourceUrl": "A String", # Required. Immutable. The resource_url for the resource representing the

218

# basis of associated occurrence images.

219

},

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

220

"updateTime": "A String", # Output only. The time this note was last updated. This field can be used as

221

# a filter in list requests.

222

"build": { # Note holding the version of the provider's builder and the signature of the # A note describing build provenance for a verifiable build.

223

# provenance message in the build details occurrence.

224

"builderVersion": "A String", # Required. Immutable. Version of the builder which produced this build.

225

"signature": { # Message encapsulating the signature of the verified build. # Signature of the build in occurrences pointing to this build note

226

# containing build details.

227

"publicKey": "A String", # Public key of the builder which can be used to verify that the related

228

# findings are valid and unchanged. If `key_type` is empty, this defaults

229

# to PEM encoded public keys.

230

#

231

# This field may be empty if `key_id` references an external key.

232

#

233

# For Cloud Build based signatures, this is a PEM encoded public

234

# key. To verify the Cloud Build signature, place the contents of

235

# this field into a file (public.pem). The signature field is base64-decoded

236

# into its binary representation in signature.bin, and the provenance bytes

237

# from `BuildDetails` are base64-decoded into a binary representation in

238

# signed.bin. OpenSSL can then verify the signature:

239

# `openssl sha256 -verify public.pem -signature signature.bin signed.bin`

240

"keyType": "A String", # The type of the key, either stored in `public_key` or referenced in

241

# `key_id`.

242

"signature": "A String", # Required. Signature of the related `BuildProvenance`. In JSON, this is

243

# base-64 encoded.

244

"keyId": "A String", # An ID for the key used to sign. This could be either an ID for the key

245

# stored in `public_key` (such as the ID or fingerprint for a PGP key, or the

246

# CN for a cert), or a reference to an external key (such as a reference to a

247

# key in Cloud Key Management Service).

248

},

249

},

250

"expirationTime": "A String", # Time of expiration for this note. Empty if note does not expire.

251

"relatedUrl": [ # URLs associated with this note.

252

{ # Metadata for any related URL information.

253

"url": "A String", # Specific URL associated with the resource.

254

"label": "A String", # Label to describe usage of the URL.

255

},

256

],

257

"vulnerability": { # Vulnerability provides metadata about a security vulnerability in a Note. # A note describing a package vulnerability.

258

"cvssScore": 3.14, # The CVSS score for this vulnerability.

259

"windowsDetails": [ # Windows details get their own format because the information format and

260

# model don't match a normal detail. Specifically Windows updates are done as

261

# patches, thus Windows vulnerabilities really are a missing package, rather

262

# than a package being at an incorrect version.

263

{

264

"name": "A String", # Required. The name of the vulnerability.

265

"cpeUri": "A String", # Required. The CPE URI in

266

# [cpe format](https://cpe.mitre.org/specification/) in which the

267

# vulnerability manifests. Examples include distro or storage location for

268

# vulnerable jar.

269

"fixingKbs": [ # Required. The names of the KBs which have hotfixes to mitigate this

270

# vulnerability. Note that there may be multiple hotfixes (and thus

271

# multiple KBs) that mitigate a given vulnerability. Currently any listed

272

# kb's presence is considered a fix.

273

{

274

"name": "A String", # The KB name (generally of the form KB[0-9]+ i.e. KB123456).

275

"url": "A String", # A link to the KB in the Windows update catalog -

276

# https://www.catalog.update.microsoft.com/

277

},

278

],

279

"description": "A String", # The description of the vulnerability.

280

},

281

],

282

"sourceUpdateTime": "A String", # The time this information was last changed at the source. This is an

283

# upstream timestamp from the underlying information source - e.g. Ubuntu

284

# security tracker.

285

"severity": "A String", # Note provider assigned impact of the vulnerability.

286

"details": [ # All information about the package to specifically identify this

287

# vulnerability. One entry per (version range and cpe_uri) the package

288

# vulnerability has manifested in.

289

{ # Identifies all appearances of this vulnerability in the package for a

290

# specific distro/location. For example: glibc in

291

# cpe:/o:debian:debian_linux:8 for versions 2.1 - 2.2

292

"sourceUpdateTime": "A String", # The time this information was last changed at the source. This is an

293

# upstream timestamp from the underlying information source - e.g. Ubuntu

294

# security tracker.

295

"packageType": "A String", # The type of package; whether native or non native(ruby gems, node.js

296

# packages etc).

297

"fixedLocation": { # The location of the vulnerability. # The fix for this specific package version.

298

"package": "A String", # Required. The package being described.

299

"cpeUri": "A String", # Required. The CPE URI in [cpe format](https://cpe.mitre.org/specification/)

300

# format. Examples include distro or storage location for vulnerable jar.

301

"version": { # Version contains structured information about the version of a package. # Required. The version of the package being described.

302

"kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal

303

# versions.

304

"revision": "A String", # The iteration of the package build from the above version.

305

"epoch": 42, # Used to correct mistakes in the version numbering scheme.

306

"name": "A String", # Required only when version kind is NORMAL. The main part of the version

# name.

},

},

"minAffectedVersion": { # Version contains structured information about the version of a package. # The min version of the package in which the vulnerability exists.

311

"kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal

312

# versions.

313

"revision": "A String", # The iteration of the package build from the above version.

314

"epoch": 42, # Used to correct mistakes in the version numbering scheme.

315

"name": "A String", # Required only when version kind is NORMAL. The main part of the version

316

# name.

317

},

318

"cpeUri": "A String", # Required. The CPE URI in

319

# [cpe format](https://cpe.mitre.org/specification/) in which the

320

# vulnerability manifests. Examples include distro or storage location for

321

# vulnerable jar.

322

"isObsolete": True or False, # Whether this detail is obsolete. Occurrences are expected not to point to

323

# obsolete details.

324

"description": "A String", # A vendor-specific description of this note.

325

"maxAffectedVersion": { # Version contains structured information about the version of a package. # The max version of the package in which the vulnerability exists.

326

"kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal

327

# versions.

328

"revision": "A String", # The iteration of the package build from the above version.

329

"epoch": 42, # Used to correct mistakes in the version numbering scheme.

330

"name": "A String", # Required only when version kind is NORMAL. The main part of the version

331

# name.

332

},

333

"package": "A String", # Required. The name of the package where the vulnerability was found.

334

"severityName": "A String", # The severity (eg: distro assigned severity) for this vulnerability.

335

},

336

],

337

"cvssV3": { # Common Vulnerability Scoring System version 3. # The full description of the CVSSv3.

338

# For details, see https://www.first.org/cvss/specification-document

339

"baseScore": 3.14, # The base score is a function of the base metric scores.

340

"confidentialityImpact": "A String",

341

"availabilityImpact": "A String",

342

"attackVector": "A String", # Base Metrics

343

# Represents the intrinsic characteristics of a vulnerability that are

344

# constant over time and across user environments.

345

"privilegesRequired": "A String",

346

"impactScore": 3.14,

347

"attackComplexity": "A String",

348

"scope": "A String",

349

"exploitabilityScore": 3.14,

350

"userInteraction": "A String",

351

"integrityImpact": "A String",

352

},

353

},

354

"shortDescription": "A String", # A one sentence description of this note.

355

"relatedNoteNames": [ # Other notes related to this note.

356

"A String",

357

],

358

"createTime": "A String", # Output only. The time this note was created. This field can be used as a

359

# filter in list requests.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

360

"deployable": { # An artifact that can be deployed in some runtime. # A note describing something that can be deployed.

361

"resourceUri": [ # Required. Resource URI for the artifact being deployed.

362

"A String",

363

],

364

},

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

365

"package": { # This represents a particular package that is distributed over various # A note describing a package hosted by various package managers.

366

# channels. E.g., glibc (aka libc6) is distributed by many, at various

367

# versions.

368

"distribution": [ # The various channels by which a package is distributed.

369

{ # This represents a particular channel of distribution for a given package.

370

# E.g., Debian's jessie-backports dpkg mirror.

371

"latestVersion": { # Version contains structured information about the version of a package. # The latest available version of this package in this distribution channel.

372

"kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal

373

# versions.

374

"revision": "A String", # The iteration of the package build from the above version.

375

"epoch": 42, # Used to correct mistakes in the version numbering scheme.

376

"name": "A String", # Required only when version kind is NORMAL. The main part of the version

377

# name.

378

},

379

"url": "A String", # The distribution channel-specific homepage for this package.

380

"cpeUri": "A String", # Required. The cpe_uri in [CPE format](https://cpe.mitre.org/specification/)

381

# denoting the package manager version distributing a package.

382

"description": "A String", # The distribution channel-specific description of this package.

383

"architecture": "A String", # The CPU architecture for which packages in this distribution channel were

384

# built.

385

"maintainer": "A String", # A freeform string denoting the maintainer of this package.

386

},

387

],

388

"name": "A String", # Required. Immutable. The name of the package.

389

},

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

},

},

}

x__xgafv: string, V1 error format.

Allowed values

1 - v1 error format

2 - v2 error format

Returns:

An object of the form:

401

402

{ # Response for creating notes in batch.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

403

"notes": [ # The notes that were created.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

404

{ # A type of analysis that can be done for a resource.

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

405

"discovery": { # A note that indicates a type of analysis a provider would perform. This note # A note describing the initial analysis of a resource.

406

# exists in a provider's project. A `Discovery` occurrence is created in a

407

# consumer's project at the start of analysis.

408

"analysisKind": "A String", # Required. Immutable. The kind of analysis that is handled by this

409

# discovery.

410

},

411

"name": "A String", # Output only. The name of the note in the form of

412

# `projects/[PROVIDER_ID]/notes/[NOTE_ID]`.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

413

"attestationAuthority": { # Note kind that represents a logical attestation "role" or "authority". For # A note describing an attestation role.

414

# example, an organization might have one `Authority` for "QA" and one for

415

# "build". This note is intended to act strictly as a grouping mechanism for

416

# the attached occurrences (Attestations). This grouping mechanism also

417

# provides a security boundary, since IAM ACLs gate the ability for a principle

418

# to attach an occurrence to a given note. It also provides a single point of

419

# lookup to find all attached attestation occurrences, even if they don't all

420

# live in the same project.

421

"hint": { # This submessage provides human-readable hints about the purpose of the # Hint hints at the purpose of the attestation authority.

422

# authority. Because the name of a note acts as its resource reference, it is

423

# important to disambiguate the canonical name of the Note (which might be a

424

# UUID for security purposes) from "readable" names more suitable for debug

425

# output. Note that these hints should not be used to look up authorities in

426

# security sensitive contexts, such as when looking up attestations to

427

# verify.

428

"humanReadableName": "A String", # Required. The human readable name of this attestation authority, for

429

# example "qa".

430

},

431

},

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

432

"intoto": { # This contains the fields corresponding to the definition of a software supply # A note describing an in-toto link.

433

# chain step in an in-toto layout. This information goes into a Grafeas note.

434

"expectedMaterials": [ # The following fields contain in-toto artifact rules identifying the

435

# artifacts that enter this supply chain step, and exit the supply chain

436

# step, i.e. materials and products of the step.

437

{ # Defines an object to declare an in-toto artifact rule

438

"artifactRule": [

439

"A String",

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

440

],

441

},

442

],

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

443

"expectedProducts": [

444

{ # Defines an object to declare an in-toto artifact rule

"artifactRule": [

"A String",

],

},

],

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

450

"signingKeys": [ # This field contains the public keys that can be used to verify the

451

# signatures on the step metadata.

452

{ # This defines the format used to record keys used in the software supply

453

# chain. An in-toto link is attested using one or more keys defined in the

454

# in-toto layout. An example of this is:

455

# {

456

# "key_id": "776a00e29f3559e0141b3b096f696abc6cfb0c657ab40f441132b345b0...",

457

# "key_type": "rsa",

458

# "public_key_value": "-----BEGIN PUBLIC KEY-----\nMIIBojANBgkqhkiG9w0B...",

459

# "key_scheme": "rsassa-pss-sha256"

460

# }

461

# The format for in-toto's key definition can be found in section 4.2 of the

462

# in-toto specification.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

463

"keyScheme": "A String", # This field contains the corresponding signature scheme.

464

# Eg: "rsassa-pss-sha256".

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

465

"keyType": "A String", # This field identifies the specific signing method. Eg: "rsa", "ed25519",

466

# and "ecdsa".

467

"keyId": "A String", # key_id is an identifier for the signing key.

468

"publicKeyValue": "A String", # This field contains the actual public key.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

469

},

470

],

471

"threshold": "A String", # This field contains a value that indicates the minimum number of keys that

472

# need to be used to sign the step's in-toto link.

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

473

"stepName": "A String", # This field identifies the name of the step in the supply chain.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

474

"expectedCommand": [ # This field contains the expected command used to perform the step.

475

"A String",

476

],

477

},

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

478

"kind": "A String", # Output only. The type of analysis. This field can be used as a filter in

479

# list requests.

480

"longDescription": "A String", # A detailed description of this note.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

481

"baseImage": { # Basis describes the base image portion (Note) of the DockerImage # A note describing a base image.

482

# relationship. Linked occurrences are derived from this or an

483

# equivalent image via:

484

# FROM <Basis.resource_url>

485

# Or an equivalent reference, e.g. a tag of the resource_url.

486

"fingerprint": { # A set of properties that uniquely identify a given Docker image. # Required. Immutable. The fingerprint of the base image.

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

487

"v1Name": "A String", # Required. The layer ID of the final layer in the Docker image's v1

488

# representation.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

489

"v2Blob": [ # Required. The ordered list of v2 blobs that represent a given image.

490

"A String",

491

],

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

492

"v2Name": "A String", # Output only. The name of the image's v2 blobs computed via:

493

# [bottom] := v2_blobbottom := sha256(v2_blob[N] + " " + v2_name[N+1])

494

# Only the name of the final blob is kept.

495

},

496

"resourceUrl": "A String", # Required. Immutable. The resource_url for the resource representing the

497

# basis of associated occurrence images.

498

},

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

499

"updateTime": "A String", # Output only. The time this note was last updated. This field can be used as

500

# a filter in list requests.

501

"build": { # Note holding the version of the provider's builder and the signature of the # A note describing build provenance for a verifiable build.

502

# provenance message in the build details occurrence.

503

"builderVersion": "A String", # Required. Immutable. Version of the builder which produced this build.

504

"signature": { # Message encapsulating the signature of the verified build. # Signature of the build in occurrences pointing to this build note

505

# containing build details.

506

"publicKey": "A String", # Public key of the builder which can be used to verify that the related

507

# findings are valid and unchanged. If `key_type` is empty, this defaults

508

# to PEM encoded public keys.

509

#

510

# This field may be empty if `key_id` references an external key.

511

#

512

# For Cloud Build based signatures, this is a PEM encoded public

513

# key. To verify the Cloud Build signature, place the contents of

514

# this field into a file (public.pem). The signature field is base64-decoded

515

# into its binary representation in signature.bin, and the provenance bytes

516

# from `BuildDetails` are base64-decoded into a binary representation in

517

# signed.bin. OpenSSL can then verify the signature:

518

# `openssl sha256 -verify public.pem -signature signature.bin signed.bin`

519

"keyType": "A String", # The type of the key, either stored in `public_key` or referenced in

520

# `key_id`.

521

"signature": "A String", # Required. Signature of the related `BuildProvenance`. In JSON, this is

522

# base-64 encoded.

523

"keyId": "A String", # An ID for the key used to sign. This could be either an ID for the key

524

# stored in `public_key` (such as the ID or fingerprint for a PGP key, or the

525

# CN for a cert), or a reference to an external key (such as a reference to a

526

# key in Cloud Key Management Service).

527

},

528

},

529

"expirationTime": "A String", # Time of expiration for this note. Empty if note does not expire.

530

"relatedUrl": [ # URLs associated with this note.

531

{ # Metadata for any related URL information.

532

"url": "A String", # Specific URL associated with the resource.

533

"label": "A String", # Label to describe usage of the URL.

534

},

535

],

536

"vulnerability": { # Vulnerability provides metadata about a security vulnerability in a Note. # A note describing a package vulnerability.

537

"cvssScore": 3.14, # The CVSS score for this vulnerability.

538

"windowsDetails": [ # Windows details get their own format because the information format and

539

# model don't match a normal detail. Specifically Windows updates are done as

540

# patches, thus Windows vulnerabilities really are a missing package, rather

541

# than a package being at an incorrect version.

542

{

543

"name": "A String", # Required. The name of the vulnerability.

544

"cpeUri": "A String", # Required. The CPE URI in

545

# [cpe format](https://cpe.mitre.org/specification/) in which the

546

# vulnerability manifests. Examples include distro or storage location for

547

# vulnerable jar.

548

"fixingKbs": [ # Required. The names of the KBs which have hotfixes to mitigate this

549

# vulnerability. Note that there may be multiple hotfixes (and thus

550

# multiple KBs) that mitigate a given vulnerability. Currently any listed

551

# kb's presence is considered a fix.

552

{

553

"name": "A String", # The KB name (generally of the form KB[0-9]+ i.e. KB123456).

554

"url": "A String", # A link to the KB in the Windows update catalog -

555

# https://www.catalog.update.microsoft.com/

556

},

557

],

558

"description": "A String", # The description of the vulnerability.

559

},

560

],

561

"sourceUpdateTime": "A String", # The time this information was last changed at the source. This is an

562

# upstream timestamp from the underlying information source - e.g. Ubuntu

563

# security tracker.

564

"severity": "A String", # Note provider assigned impact of the vulnerability.

565

"details": [ # All information about the package to specifically identify this

566

# vulnerability. One entry per (version range and cpe_uri) the package

567

# vulnerability has manifested in.

568

{ # Identifies all appearances of this vulnerability in the package for a

569

# specific distro/location. For example: glibc in

570

# cpe:/o:debian:debian_linux:8 for versions 2.1 - 2.2

571

"sourceUpdateTime": "A String", # The time this information was last changed at the source. This is an

572

# upstream timestamp from the underlying information source - e.g. Ubuntu

573

# security tracker.

574

"packageType": "A String", # The type of package; whether native or non native(ruby gems, node.js

575

# packages etc).

576

"fixedLocation": { # The location of the vulnerability. # The fix for this specific package version.

577

"package": "A String", # Required. The package being described.

578

"cpeUri": "A String", # Required. The CPE URI in [cpe format](https://cpe.mitre.org/specification/)

579

# format. Examples include distro or storage location for vulnerable jar.

580

"version": { # Version contains structured information about the version of a package. # Required. The version of the package being described.

581

"kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal

582

# versions.

583

"revision": "A String", # The iteration of the package build from the above version.

584

"epoch": 42, # Used to correct mistakes in the version numbering scheme.

585

"name": "A String", # Required only when version kind is NORMAL. The main part of the version

# name.

},

},

"minAffectedVersion": { # Version contains structured information about the version of a package. # The min version of the package in which the vulnerability exists.

590

"kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal

591

# versions.

592

"revision": "A String", # The iteration of the package build from the above version.

593

"epoch": 42, # Used to correct mistakes in the version numbering scheme.

594

"name": "A String", # Required only when version kind is NORMAL. The main part of the version

595

# name.

596

},

597

"cpeUri": "A String", # Required. The CPE URI in

598

# [cpe format](https://cpe.mitre.org/specification/) in which the

599

# vulnerability manifests. Examples include distro or storage location for

600

# vulnerable jar.

601

"isObsolete": True or False, # Whether this detail is obsolete. Occurrences are expected not to point to

602

# obsolete details.

603

"description": "A String", # A vendor-specific description of this note.

604

"maxAffectedVersion": { # Version contains structured information about the version of a package. # The max version of the package in which the vulnerability exists.

605

"kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal

606

# versions.

607

"revision": "A String", # The iteration of the package build from the above version.

608

"epoch": 42, # Used to correct mistakes in the version numbering scheme.

609

"name": "A String", # Required only when version kind is NORMAL. The main part of the version

610

# name.

611

},

612

"package": "A String", # Required. The name of the package where the vulnerability was found.

613

"severityName": "A String", # The severity (eg: distro assigned severity) for this vulnerability.

614

},

615

],

616

"cvssV3": { # Common Vulnerability Scoring System version 3. # The full description of the CVSSv3.

617

# For details, see https://www.first.org/cvss/specification-document

618

"baseScore": 3.14, # The base score is a function of the base metric scores.

619

"confidentialityImpact": "A String",

620

"availabilityImpact": "A String",

621

"attackVector": "A String", # Base Metrics

622

# Represents the intrinsic characteristics of a vulnerability that are

623

# constant over time and across user environments.

624

"privilegesRequired": "A String",

625

"impactScore": 3.14,

626

"attackComplexity": "A String",

627

"scope": "A String",

628

"exploitabilityScore": 3.14,

629

"userInteraction": "A String",

630

"integrityImpact": "A String",

631

},

632

},

633

"shortDescription": "A String", # A one sentence description of this note.

634

"relatedNoteNames": [ # Other notes related to this note.

635

"A String",

636

],

637

"createTime": "A String", # Output only. The time this note was created. This field can be used as a

638

# filter in list requests.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

639

"deployable": { # An artifact that can be deployed in some runtime. # A note describing something that can be deployed.

640

"resourceUri": [ # Required. Resource URI for the artifact being deployed.

641

"A String",

642

],

643

},

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

644

"package": { # This represents a particular package that is distributed over various # A note describing a package hosted by various package managers.

645

# channels. E.g., glibc (aka libc6) is distributed by many, at various

646

# versions.

647

"distribution": [ # The various channels by which a package is distributed.

648

{ # This represents a particular channel of distribution for a given package.

649

# E.g., Debian's jessie-backports dpkg mirror.

650

"latestVersion": { # Version contains structured information about the version of a package. # The latest available version of this package in this distribution channel.

651

"kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal

652

# versions.

653

"revision": "A String", # The iteration of the package build from the above version.

654

"epoch": 42, # Used to correct mistakes in the version numbering scheme.

655

"name": "A String", # Required only when version kind is NORMAL. The main part of the version

656

# name.

657

},

658

"url": "A String", # The distribution channel-specific homepage for this package.

659

"cpeUri": "A String", # Required. The cpe_uri in [CPE format](https://cpe.mitre.org/specification/)

660

# denoting the package manager version distributing a package.

661

"description": "A String", # The distribution channel-specific description of this package.

662

"architecture": "A String", # The CPU architecture for which packages in this distribution channel were

663

# built.

664

"maintainer": "A String", # A freeform string denoting the maintainer of this package.

665

},

666

],

667

"name": "A String", # Required. Immutable. The name of the package.

668

},

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

},

],

}</pre>

</div>

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

675

<code class="details" id="create">create(parent, body=None, noteId=None, x__xgafv=None)</code>

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

676

<pre>Creates a new note.

677

678

Args:

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

679

parent: string, Required. The name of the project in the form of `projects/[PROJECT_ID]`, under which

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

680

the note is to be created. (required)

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

681

body: object, The request body.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

682

The object takes the form of:

683

684

{ # A type of analysis that can be done for a resource.

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

685

"discovery": { # A note that indicates a type of analysis a provider would perform. This note # A note describing the initial analysis of a resource.

686

# exists in a provider's project. A `Discovery` occurrence is created in a

687

# consumer's project at the start of analysis.

688

"analysisKind": "A String", # Required. Immutable. The kind of analysis that is handled by this

689

# discovery.

690

},

691

"name": "A String", # Output only. The name of the note in the form of

692

# `projects/[PROVIDER_ID]/notes/[NOTE_ID]`.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

693

"attestationAuthority": { # Note kind that represents a logical attestation "role" or "authority". For # A note describing an attestation role.

694

# example, an organization might have one `Authority` for "QA" and one for

695

# "build". This note is intended to act strictly as a grouping mechanism for

696

# the attached occurrences (Attestations). This grouping mechanism also

697

# provides a security boundary, since IAM ACLs gate the ability for a principle

698

# to attach an occurrence to a given note. It also provides a single point of

699

# lookup to find all attached attestation occurrences, even if they don't all

700

# live in the same project.

701

"hint": { # This submessage provides human-readable hints about the purpose of the # Hint hints at the purpose of the attestation authority.

702

# authority. Because the name of a note acts as its resource reference, it is

703

# important to disambiguate the canonical name of the Note (which might be a

704

# UUID for security purposes) from "readable" names more suitable for debug

705

# output. Note that these hints should not be used to look up authorities in

706

# security sensitive contexts, such as when looking up attestations to

707

# verify.

708

"humanReadableName": "A String", # Required. The human readable name of this attestation authority, for

709

# example "qa".

710

},

711

},

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

712

"intoto": { # This contains the fields corresponding to the definition of a software supply # A note describing an in-toto link.

713

# chain step in an in-toto layout. This information goes into a Grafeas note.

714

"expectedMaterials": [ # The following fields contain in-toto artifact rules identifying the

715

# artifacts that enter this supply chain step, and exit the supply chain

716

# step, i.e. materials and products of the step.

717

{ # Defines an object to declare an in-toto artifact rule

718

"artifactRule": [

719

"A String",

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

720

],

721

},

722

],

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

723

"expectedProducts": [

724

{ # Defines an object to declare an in-toto artifact rule

"artifactRule": [

"A String",

],

},

],

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

730

"signingKeys": [ # This field contains the public keys that can be used to verify the

731

# signatures on the step metadata.

732

{ # This defines the format used to record keys used in the software supply

733

# chain. An in-toto link is attested using one or more keys defined in the

734

# in-toto layout. An example of this is:

735

# {

736

# "key_id": "776a00e29f3559e0141b3b096f696abc6cfb0c657ab40f441132b345b0...",

737

# "key_type": "rsa",

738

# "public_key_value": "-----BEGIN PUBLIC KEY-----\nMIIBojANBgkqhkiG9w0B...",

739

# "key_scheme": "rsassa-pss-sha256"

740

# }

741

# The format for in-toto's key definition can be found in section 4.2 of the

742

# in-toto specification.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

743

"keyScheme": "A String", # This field contains the corresponding signature scheme.

744

# Eg: "rsassa-pss-sha256".

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

745

"keyType": "A String", # This field identifies the specific signing method. Eg: "rsa", "ed25519",

746

# and "ecdsa".

747

"keyId": "A String", # key_id is an identifier for the signing key.

748

"publicKeyValue": "A String", # This field contains the actual public key.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

749

},

750

],

751

"threshold": "A String", # This field contains a value that indicates the minimum number of keys that

752

# need to be used to sign the step's in-toto link.

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

753

"stepName": "A String", # This field identifies the name of the step in the supply chain.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

754

"expectedCommand": [ # This field contains the expected command used to perform the step.

755

"A String",

756

],

757

},

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

758

"kind": "A String", # Output only. The type of analysis. This field can be used as a filter in

759

# list requests.

760

"longDescription": "A String", # A detailed description of this note.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

761

"baseImage": { # Basis describes the base image portion (Note) of the DockerImage # A note describing a base image.

762

# relationship. Linked occurrences are derived from this or an

763

# equivalent image via:

764

# FROM <Basis.resource_url>

765

# Or an equivalent reference, e.g. a tag of the resource_url.

766

"fingerprint": { # A set of properties that uniquely identify a given Docker image. # Required. Immutable. The fingerprint of the base image.

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

767

"v1Name": "A String", # Required. The layer ID of the final layer in the Docker image's v1

768

# representation.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

769

"v2Blob": [ # Required. The ordered list of v2 blobs that represent a given image.

770

"A String",

771

],

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

772

"v2Name": "A String", # Output only. The name of the image's v2 blobs computed via:

773

# [bottom] := v2_blobbottom := sha256(v2_blob[N] + " " + v2_name[N+1])

774

# Only the name of the final blob is kept.

775

},

776

"resourceUrl": "A String", # Required. Immutable. The resource_url for the resource representing the

777

# basis of associated occurrence images.

778

},

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

779

"updateTime": "A String", # Output only. The time this note was last updated. This field can be used as

780

# a filter in list requests.

781

"build": { # Note holding the version of the provider's builder and the signature of the # A note describing build provenance for a verifiable build.

782

# provenance message in the build details occurrence.

783

"builderVersion": "A String", # Required. Immutable. Version of the builder which produced this build.

784

"signature": { # Message encapsulating the signature of the verified build. # Signature of the build in occurrences pointing to this build note

785

# containing build details.

786

"publicKey": "A String", # Public key of the builder which can be used to verify that the related

787

# findings are valid and unchanged. If `key_type` is empty, this defaults

788

# to PEM encoded public keys.

789

#

790

# This field may be empty if `key_id` references an external key.

791

#

792

# For Cloud Build based signatures, this is a PEM encoded public

793

# key. To verify the Cloud Build signature, place the contents of

794

# this field into a file (public.pem). The signature field is base64-decoded

795

# into its binary representation in signature.bin, and the provenance bytes

796

# from `BuildDetails` are base64-decoded into a binary representation in

797

# signed.bin. OpenSSL can then verify the signature:

798

# `openssl sha256 -verify public.pem -signature signature.bin signed.bin`

799

"keyType": "A String", # The type of the key, either stored in `public_key` or referenced in

800

# `key_id`.

801

"signature": "A String", # Required. Signature of the related `BuildProvenance`. In JSON, this is

802

# base-64 encoded.

803

"keyId": "A String", # An ID for the key used to sign. This could be either an ID for the key

804

# stored in `public_key` (such as the ID or fingerprint for a PGP key, or the

805

# CN for a cert), or a reference to an external key (such as a reference to a

806

# key in Cloud Key Management Service).

807

},

808

},

809

"expirationTime": "A String", # Time of expiration for this note. Empty if note does not expire.

810

"relatedUrl": [ # URLs associated with this note.

811

{ # Metadata for any related URL information.

812

"url": "A String", # Specific URL associated with the resource.

813

"label": "A String", # Label to describe usage of the URL.

814

},

815

],

816

"vulnerability": { # Vulnerability provides metadata about a security vulnerability in a Note. # A note describing a package vulnerability.

817

"cvssScore": 3.14, # The CVSS score for this vulnerability.

818

"windowsDetails": [ # Windows details get their own format because the information format and

819

# model don't match a normal detail. Specifically Windows updates are done as

820

# patches, thus Windows vulnerabilities really are a missing package, rather

821

# than a package being at an incorrect version.

822

{

823

"name": "A String", # Required. The name of the vulnerability.

824

"cpeUri": "A String", # Required. The CPE URI in

825

# [cpe format](https://cpe.mitre.org/specification/) in which the

826

# vulnerability manifests. Examples include distro or storage location for

827

# vulnerable jar.

828

"fixingKbs": [ # Required. The names of the KBs which have hotfixes to mitigate this

829

# vulnerability. Note that there may be multiple hotfixes (and thus

830

# multiple KBs) that mitigate a given vulnerability. Currently any listed

831

# kb's presence is considered a fix.

832

{

833

"name": "A String", # The KB name (generally of the form KB[0-9]+ i.e. KB123456).

834

"url": "A String", # A link to the KB in the Windows update catalog -

835

# https://www.catalog.update.microsoft.com/

836

},

837

],

838

"description": "A String", # The description of the vulnerability.

839

},

840

],

841

"sourceUpdateTime": "A String", # The time this information was last changed at the source. This is an

842

# upstream timestamp from the underlying information source - e.g. Ubuntu

843

# security tracker.

844

"severity": "A String", # Note provider assigned impact of the vulnerability.

845

"details": [ # All information about the package to specifically identify this

846

# vulnerability. One entry per (version range and cpe_uri) the package

847

# vulnerability has manifested in.

848

{ # Identifies all appearances of this vulnerability in the package for a

849

# specific distro/location. For example: glibc in

850

# cpe:/o:debian:debian_linux:8 for versions 2.1 - 2.2

851

"sourceUpdateTime": "A String", # The time this information was last changed at the source. This is an

852

# upstream timestamp from the underlying information source - e.g. Ubuntu

853

# security tracker.

854

"packageType": "A String", # The type of package; whether native or non native(ruby gems, node.js

855

# packages etc).

856

"fixedLocation": { # The location of the vulnerability. # The fix for this specific package version.

857

"package": "A String", # Required. The package being described.

858

"cpeUri": "A String", # Required. The CPE URI in [cpe format](https://cpe.mitre.org/specification/)

859

# format. Examples include distro or storage location for vulnerable jar.

860

"version": { # Version contains structured information about the version of a package. # Required. The version of the package being described.

861

"kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal

862

# versions.

863

"revision": "A String", # The iteration of the package build from the above version.

864

"epoch": 42, # Used to correct mistakes in the version numbering scheme.

865

"name": "A String", # Required only when version kind is NORMAL. The main part of the version

# name.

},

},

"minAffectedVersion": { # Version contains structured information about the version of a package. # The min version of the package in which the vulnerability exists.

870

"kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal

871

# versions.

872

"revision": "A String", # The iteration of the package build from the above version.

873

"epoch": 42, # Used to correct mistakes in the version numbering scheme.

874

"name": "A String", # Required only when version kind is NORMAL. The main part of the version

875

# name.

876

},

877

"cpeUri": "A String", # Required. The CPE URI in

878

# [cpe format](https://cpe.mitre.org/specification/) in which the

879

# vulnerability manifests. Examples include distro or storage location for

880

# vulnerable jar.

881

"isObsolete": True or False, # Whether this detail is obsolete. Occurrences are expected not to point to

882

# obsolete details.

883

"description": "A String", # A vendor-specific description of this note.

884

"maxAffectedVersion": { # Version contains structured information about the version of a package. # The max version of the package in which the vulnerability exists.

885

"kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal

886

# versions.

887

"revision": "A String", # The iteration of the package build from the above version.

888

"epoch": 42, # Used to correct mistakes in the version numbering scheme.

889

"name": "A String", # Required only when version kind is NORMAL. The main part of the version

890

# name.

891

},

892

"package": "A String", # Required. The name of the package where the vulnerability was found.

893

"severityName": "A String", # The severity (eg: distro assigned severity) for this vulnerability.

894

},

895

],

896

"cvssV3": { # Common Vulnerability Scoring System version 3. # The full description of the CVSSv3.

897

# For details, see https://www.first.org/cvss/specification-document

898

"baseScore": 3.14, # The base score is a function of the base metric scores.

899

"confidentialityImpact": "A String",

900

"availabilityImpact": "A String",

901

"attackVector": "A String", # Base Metrics

902

# Represents the intrinsic characteristics of a vulnerability that are

903

# constant over time and across user environments.

904

"privilegesRequired": "A String",

905

"impactScore": 3.14,

906

"attackComplexity": "A String",

907

"scope": "A String",

908

"exploitabilityScore": 3.14,

909

"userInteraction": "A String",

910

"integrityImpact": "A String",

911

},

912

},

913

"shortDescription": "A String", # A one sentence description of this note.

914

"relatedNoteNames": [ # Other notes related to this note.

915

"A String",

916

],

917

"createTime": "A String", # Output only. The time this note was created. This field can be used as a

918

# filter in list requests.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

919

"deployable": { # An artifact that can be deployed in some runtime. # A note describing something that can be deployed.

920

"resourceUri": [ # Required. Resource URI for the artifact being deployed.

921

"A String",

922

],

923

},

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

924

"package": { # This represents a particular package that is distributed over various # A note describing a package hosted by various package managers.

925

# channels. E.g., glibc (aka libc6) is distributed by many, at various

926

# versions.

927

"distribution": [ # The various channels by which a package is distributed.

928

{ # This represents a particular channel of distribution for a given package.

929

# E.g., Debian's jessie-backports dpkg mirror.

930

"latestVersion": { # Version contains structured information about the version of a package. # The latest available version of this package in this distribution channel.

931

"kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal

932

# versions.

933

"revision": "A String", # The iteration of the package build from the above version.

934

"epoch": 42, # Used to correct mistakes in the version numbering scheme.

935

"name": "A String", # Required only when version kind is NORMAL. The main part of the version

936

# name.

937

},

938

"url": "A String", # The distribution channel-specific homepage for this package.

939

"cpeUri": "A String", # Required. The cpe_uri in [CPE format](https://cpe.mitre.org/specification/)

940

# denoting the package manager version distributing a package.

941

"description": "A String", # The distribution channel-specific description of this package.

942

"architecture": "A String", # The CPU architecture for which packages in this distribution channel were

943

# built.

944

"maintainer": "A String", # A freeform string denoting the maintainer of this package.

945

},

946

],

947

"name": "A String", # Required. Immutable. The name of the package.

948

},

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

949

}

950

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

951

noteId: string, Required. The ID to use for this note.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

952

x__xgafv: string, V1 error format.

Allowed values

1 - v1 error format

2 - v2 error format

Returns:

An object of the form:

959

960

{ # A type of analysis that can be done for a resource.

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

961

"discovery": { # A note that indicates a type of analysis a provider would perform. This note # A note describing the initial analysis of a resource.

962

# exists in a provider's project. A `Discovery` occurrence is created in a

963

# consumer's project at the start of analysis.

964

"analysisKind": "A String", # Required. Immutable. The kind of analysis that is handled by this

965

# discovery.

966

},

967

"name": "A String", # Output only. The name of the note in the form of

968

# `projects/[PROVIDER_ID]/notes/[NOTE_ID]`.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

969

"attestationAuthority": { # Note kind that represents a logical attestation "role" or "authority". For # A note describing an attestation role.

970

# example, an organization might have one `Authority` for "QA" and one for

971

# "build". This note is intended to act strictly as a grouping mechanism for

972

# the attached occurrences (Attestations). This grouping mechanism also

973

# provides a security boundary, since IAM ACLs gate the ability for a principle

974

# to attach an occurrence to a given note. It also provides a single point of

975

# lookup to find all attached attestation occurrences, even if they don't all

976

# live in the same project.

977

"hint": { # This submessage provides human-readable hints about the purpose of the # Hint hints at the purpose of the attestation authority.

978

# authority. Because the name of a note acts as its resource reference, it is

979

# important to disambiguate the canonical name of the Note (which might be a

980

# UUID for security purposes) from "readable" names more suitable for debug

981

# output. Note that these hints should not be used to look up authorities in

982

# security sensitive contexts, such as when looking up attestations to

983

# verify.

984

"humanReadableName": "A String", # Required. The human readable name of this attestation authority, for

985

# example "qa".

986

},

987

},

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

988

"intoto": { # This contains the fields corresponding to the definition of a software supply # A note describing an in-toto link.

989

# chain step in an in-toto layout. This information goes into a Grafeas note.

990

"expectedMaterials": [ # The following fields contain in-toto artifact rules identifying the

991

# artifacts that enter this supply chain step, and exit the supply chain

992

# step, i.e. materials and products of the step.

993

{ # Defines an object to declare an in-toto artifact rule

994

"artifactRule": [

995

"A String",

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

996

],

997

},

998

],

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

999

"expectedProducts": [

1000

{ # Defines an object to declare an in-toto artifact rule

"artifactRule": [

"A String",

],

},

],

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

1006

"signingKeys": [ # This field contains the public keys that can be used to verify the

1007

# signatures on the step metadata.

1008

{ # This defines the format used to record keys used in the software supply

1009

# chain. An in-toto link is attested using one or more keys defined in the

1010

# in-toto layout. An example of this is:

1011

# {

1012

# "key_id": "776a00e29f3559e0141b3b096f696abc6cfb0c657ab40f441132b345b0...",

1013

# "key_type": "rsa",

1014

# "public_key_value": "-----BEGIN PUBLIC KEY-----\nMIIBojANBgkqhkiG9w0B...",

1015

# "key_scheme": "rsassa-pss-sha256"

1016

# }

1017

# The format for in-toto's key definition can be found in section 4.2 of the

1018

# in-toto specification.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

1019

"keyScheme": "A String", # This field contains the corresponding signature scheme.

1020

# Eg: "rsassa-pss-sha256".

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

1021

"keyType": "A String", # This field identifies the specific signing method. Eg: "rsa", "ed25519",

1022

# and "ecdsa".

1023

"keyId": "A String", # key_id is an identifier for the signing key.

1024

"publicKeyValue": "A String", # This field contains the actual public key.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

1025

},

1026

],

1027

"threshold": "A String", # This field contains a value that indicates the minimum number of keys that

1028

# need to be used to sign the step's in-toto link.

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

1029

"stepName": "A String", # This field identifies the name of the step in the supply chain.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

1030

"expectedCommand": [ # This field contains the expected command used to perform the step.

1031

"A String",

1032

],

1033

},

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

1034

"kind": "A String", # Output only. The type of analysis. This field can be used as a filter in

1035

# list requests.

1036

"longDescription": "A String", # A detailed description of this note.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

1037

"baseImage": { # Basis describes the base image portion (Note) of the DockerImage # A note describing a base image.

1038

# relationship. Linked occurrences are derived from this or an

1039

# equivalent image via:

1040

# FROM <Basis.resource_url>

1041

# Or an equivalent reference, e.g. a tag of the resource_url.

1042

"fingerprint": { # A set of properties that uniquely identify a given Docker image. # Required. Immutable. The fingerprint of the base image.

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

1043

"v1Name": "A String", # Required. The layer ID of the final layer in the Docker image's v1

1044

# representation.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

1045

"v2Blob": [ # Required. The ordered list of v2 blobs that represent a given image.

1046

"A String",

1047

],

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

1048

"v2Name": "A String", # Output only. The name of the image's v2 blobs computed via:

1049

# [bottom] := v2_blobbottom := sha256(v2_blob[N] + " " + v2_name[N+1])

1050

# Only the name of the final blob is kept.

1051

},

1052

"resourceUrl": "A String", # Required. Immutable. The resource_url for the resource representing the

1053

# basis of associated occurrence images.

1054

},

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

1055

"updateTime": "A String", # Output only. The time this note was last updated. This field can be used as

1056

# a filter in list requests.

1057

"build": { # Note holding the version of the provider's builder and the signature of the # A note describing build provenance for a verifiable build.

1058

# provenance message in the build details occurrence.

1059

"builderVersion": "A String", # Required. Immutable. Version of the builder which produced this build.

1060

"signature": { # Message encapsulating the signature of the verified build. # Signature of the build in occurrences pointing to this build note

1061

# containing build details.

1062

"publicKey": "A String", # Public key of the builder which can be used to verify that the related

1063

# findings are valid and unchanged. If `key_type` is empty, this defaults

1064

# to PEM encoded public keys.

1065

#

1066

# This field may be empty if `key_id` references an external key.

1067

#

1068

# For Cloud Build based signatures, this is a PEM encoded public

1069

# key. To verify the Cloud Build signature, place the contents of

1070

# this field into a file (public.pem). The signature field is base64-decoded

1071

# into its binary representation in signature.bin, and the provenance bytes

1072

# from `BuildDetails` are base64-decoded into a binary representation in

1073

# signed.bin. OpenSSL can then verify the signature:

1074

# `openssl sha256 -verify public.pem -signature signature.bin signed.bin`

1075

"keyType": "A String", # The type of the key, either stored in `public_key` or referenced in

1076

# `key_id`.

1077

"signature": "A String", # Required. Signature of the related `BuildProvenance`. In JSON, this is

1078

# base-64 encoded.

1079

"keyId": "A String", # An ID for the key used to sign. This could be either an ID for the key

1080

# stored in `public_key` (such as the ID or fingerprint for a PGP key, or the

1081

# CN for a cert), or a reference to an external key (such as a reference to a

1082

# key in Cloud Key Management Service).

1083

},

1084

},

1085

"expirationTime": "A String", # Time of expiration for this note. Empty if note does not expire.

1086

"relatedUrl": [ # URLs associated with this note.

1087

{ # Metadata for any related URL information.

1088

"url": "A String", # Specific URL associated with the resource.

1089

"label": "A String", # Label to describe usage of the URL.

1090

},

1091

],

1092

"vulnerability": { # Vulnerability provides metadata about a security vulnerability in a Note. # A note describing a package vulnerability.

1093

"cvssScore": 3.14, # The CVSS score for this vulnerability.

1094

"windowsDetails": [ # Windows details get their own format because the information format and

1095

# model don't match a normal detail. Specifically Windows updates are done as

1096

# patches, thus Windows vulnerabilities really are a missing package, rather

1097

# than a package being at an incorrect version.

1098

{

1099

"name": "A String", # Required. The name of the vulnerability.

1100

"cpeUri": "A String", # Required. The CPE URI in

1101

# [cpe format](https://cpe.mitre.org/specification/) in which the

1102

# vulnerability manifests. Examples include distro or storage location for

1103

# vulnerable jar.

1104

"fixingKbs": [ # Required. The names of the KBs which have hotfixes to mitigate this

1105

# vulnerability. Note that there may be multiple hotfixes (and thus

1106

# multiple KBs) that mitigate a given vulnerability. Currently any listed

1107

# kb's presence is considered a fix.

1108

{

1109

"name": "A String", # The KB name (generally of the form KB[0-9]+ i.e. KB123456).

1110

"url": "A String", # A link to the KB in the Windows update catalog -

1111

# https://www.catalog.update.microsoft.com/

1112

},

1113

],

1114

"description": "A String", # The description of the vulnerability.

1115

},

1116

],

1117

"sourceUpdateTime": "A String", # The time this information was last changed at the source. This is an

1118

# upstream timestamp from the underlying information source - e.g. Ubuntu

1119

# security tracker.

1120

"severity": "A String", # Note provider assigned impact of the vulnerability.

1121

"details": [ # All information about the package to specifically identify this

1122

# vulnerability. One entry per (version range and cpe_uri) the package

1123

# vulnerability has manifested in.

1124

{ # Identifies all appearances of this vulnerability in the package for a

1125

# specific distro/location. For example: glibc in

1126

# cpe:/o:debian:debian_linux:8 for versions 2.1 - 2.2

1127

"sourceUpdateTime": "A String", # The time this information was last changed at the source. This is an

1128

# upstream timestamp from the underlying information source - e.g. Ubuntu

1129

# security tracker.

1130

"packageType": "A String", # The type of package; whether native or non native(ruby gems, node.js

1131

# packages etc).

1132

"fixedLocation": { # The location of the vulnerability. # The fix for this specific package version.

1133

"package": "A String", # Required. The package being described.

1134

"cpeUri": "A String", # Required. The CPE URI in [cpe format](https://cpe.mitre.org/specification/)

1135

# format. Examples include distro or storage location for vulnerable jar.

1136

"version": { # Version contains structured information about the version of a package. # Required. The version of the package being described.

1137

"kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal

1138

# versions.

1139

"revision": "A String", # The iteration of the package build from the above version.

1140

"epoch": 42, # Used to correct mistakes in the version numbering scheme.

1141

"name": "A String", # Required only when version kind is NORMAL. The main part of the version

# name.

},

},

"minAffectedVersion": { # Version contains structured information about the version of a package. # The min version of the package in which the vulnerability exists.

1146

"kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal

1147

# versions.

1148

"revision": "A String", # The iteration of the package build from the above version.

1149

"epoch": 42, # Used to correct mistakes in the version numbering scheme.

1150

"name": "A String", # Required only when version kind is NORMAL. The main part of the version

1151

# name.

1152

},

1153

"cpeUri": "A String", # Required. The CPE URI in

1154

# [cpe format](https://cpe.mitre.org/specification/) in which the

1155

# vulnerability manifests. Examples include distro or storage location for

1156

# vulnerable jar.

1157

"isObsolete": True or False, # Whether this detail is obsolete. Occurrences are expected not to point to

1158

# obsolete details.

1159

"description": "A String", # A vendor-specific description of this note.

1160

"maxAffectedVersion": { # Version contains structured information about the version of a package. # The max version of the package in which the vulnerability exists.

1161

"kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal

1162

# versions.

1163

"revision": "A String", # The iteration of the package build from the above version.

1164

"epoch": 42, # Used to correct mistakes in the version numbering scheme.

1165

"name": "A String", # Required only when version kind is NORMAL. The main part of the version

1166

# name.

1167

},

1168

"package": "A String", # Required. The name of the package where the vulnerability was found.

1169

"severityName": "A String", # The severity (eg: distro assigned severity) for this vulnerability.

1170

},

1171

],

1172

"cvssV3": { # Common Vulnerability Scoring System version 3. # The full description of the CVSSv3.

1173

# For details, see https://www.first.org/cvss/specification-document

1174

"baseScore": 3.14, # The base score is a function of the base metric scores.

1175

"confidentialityImpact": "A String",

1176

"availabilityImpact": "A String",

1177

"attackVector": "A String", # Base Metrics

1178

# Represents the intrinsic characteristics of a vulnerability that are

1179

# constant over time and across user environments.

1180

"privilegesRequired": "A String",

1181

"impactScore": 3.14,

1182

"attackComplexity": "A String",

1183

"scope": "A String",

1184

"exploitabilityScore": 3.14,

1185

"userInteraction": "A String",

1186

"integrityImpact": "A String",

1187

},

1188

},

1189

"shortDescription": "A String", # A one sentence description of this note.

1190

"relatedNoteNames": [ # Other notes related to this note.

1191

"A String",

1192

],

1193

"createTime": "A String", # Output only. The time this note was created. This field can be used as a

1194

# filter in list requests.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

1195

"deployable": { # An artifact that can be deployed in some runtime. # A note describing something that can be deployed.

1196

"resourceUri": [ # Required. Resource URI for the artifact being deployed.

1197

"A String",

1198

],

1199

},

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

1200

"package": { # This represents a particular package that is distributed over various # A note describing a package hosted by various package managers.

1201

# channels. E.g., glibc (aka libc6) is distributed by many, at various

1202

# versions.

1203

"distribution": [ # The various channels by which a package is distributed.

1204

{ # This represents a particular channel of distribution for a given package.

1205

# E.g., Debian's jessie-backports dpkg mirror.

1206

"latestVersion": { # Version contains structured information about the version of a package. # The latest available version of this package in this distribution channel.

1207

"kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal

1208

# versions.

1209

"revision": "A String", # The iteration of the package build from the above version.

1210

"epoch": 42, # Used to correct mistakes in the version numbering scheme.

1211

"name": "A String", # Required only when version kind is NORMAL. The main part of the version

1212

# name.

1213

},

1214

"url": "A String", # The distribution channel-specific homepage for this package.

1215

"cpeUri": "A String", # Required. The cpe_uri in [CPE format](https://cpe.mitre.org/specification/)

1216

# denoting the package manager version distributing a package.

1217

"description": "A String", # The distribution channel-specific description of this package.

1218

"architecture": "A String", # The CPU architecture for which packages in this distribution channel were

1219

# built.

1220

"maintainer": "A String", # A freeform string denoting the maintainer of this package.

1221

},

1222

],

1223

"name": "A String", # Required. Immutable. The name of the package.

1224

},

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

}</pre>

</div>

<code class="details" id="delete">delete(name, x__xgafv=None)</code>

1230

<pre>Deletes the specified note.

1231

1232

Args:

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

1233

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1234

`projects/[PROVIDER_ID]/notes/[NOTE_ID]`. (required)

1235

x__xgafv: string, V1 error format.

Allowed values

1 - v1 error format

2 - v2 error format

Returns:

An object of the form:

1242

1243

{ # A generic empty message that you can re-use to avoid defining duplicated

1244

# empty messages in your APIs. A typical example is to use it as the request

1245

# or the response type of an API method. For instance:

1246

#

1247

# service Foo {

1248

# rpc Bar(google.protobuf.Empty) returns (google.protobuf.Empty);

1249

# }

1250

#

1251

# The JSON representation for `Empty` is empty JSON object `{}`.

}</pre>

</div>

<code class="details" id="get">get(name, x__xgafv=None)</code>

1257

<pre>Gets the specified note.

1258

1259

Args:

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

1260

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1261

`projects/[PROVIDER_ID]/notes/[NOTE_ID]`. (required)

1262

x__xgafv: string, V1 error format.

Allowed values

1 - v1 error format

2 - v2 error format

Returns:

An object of the form:

1269

1270

{ # A type of analysis that can be done for a resource.

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

1271

"discovery": { # A note that indicates a type of analysis a provider would perform. This note # A note describing the initial analysis of a resource.

1272

# exists in a provider's project. A `Discovery` occurrence is created in a

1273

# consumer's project at the start of analysis.

1274

"analysisKind": "A String", # Required. Immutable. The kind of analysis that is handled by this

1275

# discovery.

1276

},

1277

"name": "A String", # Output only. The name of the note in the form of

1278

# `projects/[PROVIDER_ID]/notes/[NOTE_ID]`.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1279

"attestationAuthority": { # Note kind that represents a logical attestation "role" or "authority". For # A note describing an attestation role.

1280

# example, an organization might have one `Authority` for "QA" and one for

1281

# "build". This note is intended to act strictly as a grouping mechanism for

1282

# the attached occurrences (Attestations). This grouping mechanism also

1283

# provides a security boundary, since IAM ACLs gate the ability for a principle

1284

# to attach an occurrence to a given note. It also provides a single point of

1285

# lookup to find all attached attestation occurrences, even if they don't all

1286

# live in the same project.

1287

"hint": { # This submessage provides human-readable hints about the purpose of the # Hint hints at the purpose of the attestation authority.

1288

# authority. Because the name of a note acts as its resource reference, it is

1289

# important to disambiguate the canonical name of the Note (which might be a

1290

# UUID for security purposes) from "readable" names more suitable for debug

1291

# output. Note that these hints should not be used to look up authorities in

1292

# security sensitive contexts, such as when looking up attestations to

1293

# verify.

1294

"humanReadableName": "A String", # Required. The human readable name of this attestation authority, for

1295

# example "qa".

1296

},

1297

},

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

1298

"intoto": { # This contains the fields corresponding to the definition of a software supply # A note describing an in-toto link.

1299

# chain step in an in-toto layout. This information goes into a Grafeas note.

1300

"expectedMaterials": [ # The following fields contain in-toto artifact rules identifying the

1301

# artifacts that enter this supply chain step, and exit the supply chain

1302

# step, i.e. materials and products of the step.

1303

{ # Defines an object to declare an in-toto artifact rule

1304

"artifactRule": [

1305

"A String",

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1306

],

1307

},

1308

],

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

1309

"expectedProducts": [

1310

{ # Defines an object to declare an in-toto artifact rule

"artifactRule": [

"A String",

],

},

],

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

1316

"signingKeys": [ # This field contains the public keys that can be used to verify the

1317

# signatures on the step metadata.

1318

{ # This defines the format used to record keys used in the software supply

1319

# chain. An in-toto link is attested using one or more keys defined in the

1320

# in-toto layout. An example of this is:

1321

# {

1322

# "key_id": "776a00e29f3559e0141b3b096f696abc6cfb0c657ab40f441132b345b0...",

1323

# "key_type": "rsa",

1324

# "public_key_value": "-----BEGIN PUBLIC KEY-----\nMIIBojANBgkqhkiG9w0B...",

1325

# "key_scheme": "rsassa-pss-sha256"

1326

# }

1327

# The format for in-toto's key definition can be found in section 4.2 of the

1328

# in-toto specification.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

1329

"keyScheme": "A String", # This field contains the corresponding signature scheme.

1330

# Eg: "rsassa-pss-sha256".

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

1331

"keyType": "A String", # This field identifies the specific signing method. Eg: "rsa", "ed25519",

1332

# and "ecdsa".

1333

"keyId": "A String", # key_id is an identifier for the signing key.

1334

"publicKeyValue": "A String", # This field contains the actual public key.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

1335

},

1336

],

1337

"threshold": "A String", # This field contains a value that indicates the minimum number of keys that

1338

# need to be used to sign the step's in-toto link.

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

1339

"stepName": "A String", # This field identifies the name of the step in the supply chain.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

1340

"expectedCommand": [ # This field contains the expected command used to perform the step.

1341

"A String",

1342

],

1343

},

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

1344

"kind": "A String", # Output only. The type of analysis. This field can be used as a filter in

1345

# list requests.

1346

"longDescription": "A String", # A detailed description of this note.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

1347

"baseImage": { # Basis describes the base image portion (Note) of the DockerImage # A note describing a base image.

1348

# relationship. Linked occurrences are derived from this or an

1349

# equivalent image via:

1350

# FROM <Basis.resource_url>

1351

# Or an equivalent reference, e.g. a tag of the resource_url.

1352

"fingerprint": { # A set of properties that uniquely identify a given Docker image. # Required. Immutable. The fingerprint of the base image.

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

1353

"v1Name": "A String", # Required. The layer ID of the final layer in the Docker image's v1

1354

# representation.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

1355

"v2Blob": [ # Required. The ordered list of v2 blobs that represent a given image.

1356

"A String",

1357

],

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

1358

"v2Name": "A String", # Output only. The name of the image's v2 blobs computed via:

1359

# [bottom] := v2_blobbottom := sha256(v2_blob[N] + " " + v2_name[N+1])

1360

# Only the name of the final blob is kept.

1361

},

1362

"resourceUrl": "A String", # Required. Immutable. The resource_url for the resource representing the

1363

# basis of associated occurrence images.

1364

},

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

1365

"updateTime": "A String", # Output only. The time this note was last updated. This field can be used as

1366

# a filter in list requests.

1367

"build": { # Note holding the version of the provider's builder and the signature of the # A note describing build provenance for a verifiable build.

1368

# provenance message in the build details occurrence.

1369

"builderVersion": "A String", # Required. Immutable. Version of the builder which produced this build.

1370

"signature": { # Message encapsulating the signature of the verified build. # Signature of the build in occurrences pointing to this build note

1371

# containing build details.

1372

"publicKey": "A String", # Public key of the builder which can be used to verify that the related

1373

# findings are valid and unchanged. If `key_type` is empty, this defaults

1374

# to PEM encoded public keys.

1375

#

1376

# This field may be empty if `key_id` references an external key.

1377

#

1378

# For Cloud Build based signatures, this is a PEM encoded public

1379

# key. To verify the Cloud Build signature, place the contents of

1380

# this field into a file (public.pem). The signature field is base64-decoded

1381

# into its binary representation in signature.bin, and the provenance bytes

1382

# from `BuildDetails` are base64-decoded into a binary representation in

1383

# signed.bin. OpenSSL can then verify the signature:

1384

# `openssl sha256 -verify public.pem -signature signature.bin signed.bin`

1385

"keyType": "A String", # The type of the key, either stored in `public_key` or referenced in

1386

# `key_id`.

1387

"signature": "A String", # Required. Signature of the related `BuildProvenance`. In JSON, this is

1388

# base-64 encoded.

1389

"keyId": "A String", # An ID for the key used to sign. This could be either an ID for the key

1390

# stored in `public_key` (such as the ID or fingerprint for a PGP key, or the

1391

# CN for a cert), or a reference to an external key (such as a reference to a

1392

# key in Cloud Key Management Service).

1393

},

1394

},

1395

"expirationTime": "A String", # Time of expiration for this note. Empty if note does not expire.

1396

"relatedUrl": [ # URLs associated with this note.

1397

{ # Metadata for any related URL information.

1398

"url": "A String", # Specific URL associated with the resource.

1399

"label": "A String", # Label to describe usage of the URL.

1400

},

1401

],

1402

"vulnerability": { # Vulnerability provides metadata about a security vulnerability in a Note. # A note describing a package vulnerability.

1403

"cvssScore": 3.14, # The CVSS score for this vulnerability.

1404

"windowsDetails": [ # Windows details get their own format because the information format and

1405

# model don't match a normal detail. Specifically Windows updates are done as

1406

# patches, thus Windows vulnerabilities really are a missing package, rather

1407

# than a package being at an incorrect version.

1408

{

1409

"name": "A String", # Required. The name of the vulnerability.

1410

"cpeUri": "A String", # Required. The CPE URI in

1411

# [cpe format](https://cpe.mitre.org/specification/) in which the

1412

# vulnerability manifests. Examples include distro or storage location for

1413

# vulnerable jar.

1414

"fixingKbs": [ # Required. The names of the KBs which have hotfixes to mitigate this

1415

# vulnerability. Note that there may be multiple hotfixes (and thus

1416

# multiple KBs) that mitigate a given vulnerability. Currently any listed

1417

# kb's presence is considered a fix.

1418

{

1419

"name": "A String", # The KB name (generally of the form KB[0-9]+ i.e. KB123456).

1420

"url": "A String", # A link to the KB in the Windows update catalog -

1421

# https://www.catalog.update.microsoft.com/

1422

},

1423

],

1424

"description": "A String", # The description of the vulnerability.

1425

},

1426

],

1427

"sourceUpdateTime": "A String", # The time this information was last changed at the source. This is an

1428

# upstream timestamp from the underlying information source - e.g. Ubuntu

1429

# security tracker.

1430

"severity": "A String", # Note provider assigned impact of the vulnerability.

1431

"details": [ # All information about the package to specifically identify this

1432

# vulnerability. One entry per (version range and cpe_uri) the package

1433

# vulnerability has manifested in.

1434

{ # Identifies all appearances of this vulnerability in the package for a

1435

# specific distro/location. For example: glibc in

1436

# cpe:/o:debian:debian_linux:8 for versions 2.1 - 2.2

1437

"sourceUpdateTime": "A String", # The time this information was last changed at the source. This is an

1438

# upstream timestamp from the underlying information source - e.g. Ubuntu

1439

# security tracker.

1440

"packageType": "A String", # The type of package; whether native or non native(ruby gems, node.js

1441

# packages etc).

1442

"fixedLocation": { # The location of the vulnerability. # The fix for this specific package version.

1443

"package": "A String", # Required. The package being described.

1444

"cpeUri": "A String", # Required. The CPE URI in [cpe format](https://cpe.mitre.org/specification/)

1445

# format. Examples include distro or storage location for vulnerable jar.

1446

"version": { # Version contains structured information about the version of a package. # Required. The version of the package being described.

1447

"kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal

1448

# versions.

1449

"revision": "A String", # The iteration of the package build from the above version.

1450

"epoch": 42, # Used to correct mistakes in the version numbering scheme.

1451

"name": "A String", # Required only when version kind is NORMAL. The main part of the version

# name.

},

},

"minAffectedVersion": { # Version contains structured information about the version of a package. # The min version of the package in which the vulnerability exists.

1456

"kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal

1457

# versions.

1458

"revision": "A String", # The iteration of the package build from the above version.

1459

"epoch": 42, # Used to correct mistakes in the version numbering scheme.

1460

"name": "A String", # Required only when version kind is NORMAL. The main part of the version

1461

# name.

1462

},

1463

"cpeUri": "A String", # Required. The CPE URI in

1464

# [cpe format](https://cpe.mitre.org/specification/) in which the

1465

# vulnerability manifests. Examples include distro or storage location for

1466

# vulnerable jar.

1467

"isObsolete": True or False, # Whether this detail is obsolete. Occurrences are expected not to point to

1468

# obsolete details.

1469

"description": "A String", # A vendor-specific description of this note.

1470

"maxAffectedVersion": { # Version contains structured information about the version of a package. # The max version of the package in which the vulnerability exists.

1471

"kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal

1472

# versions.

1473

"revision": "A String", # The iteration of the package build from the above version.

1474

"epoch": 42, # Used to correct mistakes in the version numbering scheme.

1475

"name": "A String", # Required only when version kind is NORMAL. The main part of the version

1476

# name.

1477

},

1478

"package": "A String", # Required. The name of the package where the vulnerability was found.

1479

"severityName": "A String", # The severity (eg: distro assigned severity) for this vulnerability.

1480

},

1481

],

1482

"cvssV3": { # Common Vulnerability Scoring System version 3. # The full description of the CVSSv3.

1483

# For details, see https://www.first.org/cvss/specification-document

1484

"baseScore": 3.14, # The base score is a function of the base metric scores.

1485

"confidentialityImpact": "A String",

1486

"availabilityImpact": "A String",

1487

"attackVector": "A String", # Base Metrics

1488

# Represents the intrinsic characteristics of a vulnerability that are

1489

# constant over time and across user environments.

1490

"privilegesRequired": "A String",

1491

"impactScore": 3.14,

1492

"attackComplexity": "A String",

1493

"scope": "A String",

1494

"exploitabilityScore": 3.14,

1495

"userInteraction": "A String",

1496

"integrityImpact": "A String",

1497

},

1498

},

1499

"shortDescription": "A String", # A one sentence description of this note.

1500

"relatedNoteNames": [ # Other notes related to this note.

1501

"A String",

1502

],

1503

"createTime": "A String", # Output only. The time this note was created. This field can be used as a

1504

# filter in list requests.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

1505

"deployable": { # An artifact that can be deployed in some runtime. # A note describing something that can be deployed.

1506

"resourceUri": [ # Required. Resource URI for the artifact being deployed.

1507

"A String",

1508

],

1509

},

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

1510

"package": { # This represents a particular package that is distributed over various # A note describing a package hosted by various package managers.

1511

# channels. E.g., glibc (aka libc6) is distributed by many, at various

1512

# versions.

1513

"distribution": [ # The various channels by which a package is distributed.

1514

{ # This represents a particular channel of distribution for a given package.

1515

# E.g., Debian's jessie-backports dpkg mirror.

1516

"latestVersion": { # Version contains structured information about the version of a package. # The latest available version of this package in this distribution channel.

1517

"kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal

1518

# versions.

1519

"revision": "A String", # The iteration of the package build from the above version.

1520

"epoch": 42, # Used to correct mistakes in the version numbering scheme.

1521

"name": "A String", # Required only when version kind is NORMAL. The main part of the version

1522

# name.

1523

},

1524

"url": "A String", # The distribution channel-specific homepage for this package.

1525

"cpeUri": "A String", # Required. The cpe_uri in [CPE format](https://cpe.mitre.org/specification/)

1526

# denoting the package manager version distributing a package.

1527

"description": "A String", # The distribution channel-specific description of this package.

1528

"architecture": "A String", # The CPU architecture for which packages in this distribution channel were

1529

# built.

1530

"maintainer": "A String", # A freeform string denoting the maintainer of this package.

1531

},

1532

],

1533

"name": "A String", # Required. Immutable. The name of the package.

1534

},

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

}</pre>

</div>

<code class="details" id="getIamPolicy">getIamPolicy(resource, body=None, x__xgafv=None)</code>

1540

<pre>Gets the access control policy for a note or an occurrence resource.

1541

Requires `containeranalysis.notes.setIamPolicy` or

1542

`containeranalysis.occurrences.setIamPolicy` permission if the resource is

1543

a note or occurrence, respectively.

1544

1545

The resource takes the format `projects/[PROJECT_ID]/notes/[NOTE_ID]` for

1546

notes and `projects/[PROJECT_ID]/occurrences/[OCCURRENCE_ID]` for

occurrences.

Args:

resource: string, REQUIRED: The resource for which the policy is being requested.

1551

See the operation documentation for the appropriate value for this field. (required)

1552

body: object, The request body.

1553

The object takes the form of:

1554

1555

{ # Request message for `GetIamPolicy` method.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1556

"options": { # Encapsulates settings provided to GetIamPolicy. # OPTIONAL: A `GetPolicyOptions` object for specifying options to

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

1557

# `GetIamPolicy`.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1558

"requestedPolicyVersion": 42, # Optional. The policy format version to be returned.

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

1559

#

1560

# Valid values are 0, 1, and 3. Requests specifying an invalid value will be

1561

# rejected.

1562

#

1563

# Requests for policies with any conditional bindings must specify version 3.

1564

# Policies without any conditional bindings may specify any valid value or

1565

# leave the field unset.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1566

#

1567

# To learn which resources support conditions in their IAM policies, see the

1568

# [IAM

1569

# documentation](https://cloud.google.com/iam/help/conditions/resource-policies).

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

1570

},

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1571

}

1572

1573

x__xgafv: string, V1 error format.

Allowed values

1 - v1 error format

2 - v2 error format

Returns:

An object of the form:

1580

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

1581

{ # An Identity and Access Management (IAM) policy, which specifies access

1582

# controls for Google Cloud resources.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1583

#

1584

#

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

1585

# A `Policy` is a collection of `bindings`. A `binding` binds one or more

1586

# `members` to a single `role`. Members can be user accounts, service accounts,

1587

# Google groups, and domains (such as G Suite). A `role` is a named list of

1588

# permissions; each `role` can be an IAM predefined role or a user-created

1589

# custom role.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1590

#

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1591

# For some types of Google Cloud resources, a `binding` can also specify a

1592

# `condition`, which is a logical expression that allows access to a resource

1593

# only if the expression evaluates to `true`. A condition can add constraints

1594

# based on attributes of the request, the resource, or both. To learn which

1595

# resources support conditions in their IAM policies, see the

1596

# [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies).

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

1597

#

1598

# **JSON example:**

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1599

#

1600

# {

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1601

# "bindings": [

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1602

# {

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1603

# "role": "roles/resourcemanager.organizationAdmin",

1604

# "members": [

1605

# "user:mike@example.com",

1606

# "group:admins@example.com",

1607

# "domain:google.com",

1608

# "serviceAccount:my-project-id@appspot.gserviceaccount.com"

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1609

# ]

1610

# },

1611

# {

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1612

# "role": "roles/resourcemanager.organizationViewer",

1613

# "members": [

1614

# "user:eve@example.com"

1615

# ],

1616

# "condition": {

1617

# "title": "expirable access",

1618

# "description": "Does not grant access after Sep 2020",

1619

# "expression": "request.time < timestamp('2020-10-01T00:00:00.000Z')",

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

1620

# }

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1621

# }

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

1622

# ],

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1623

# "etag": "BwWWja0YfJA=",

1624

# "version": 3

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1625

# }

1626

#

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

1627

# **YAML example:**

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

#

# bindings:

# - members:

# - user:mike@example.com

1632

# - group:admins@example.com

1633

# - domain:google.com

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

1634

# - serviceAccount:my-project-id@appspot.gserviceaccount.com

1635

# role: roles/resourcemanager.organizationAdmin

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1636

# - members:

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

1637

# - user:eve@example.com

1638

# role: roles/resourcemanager.organizationViewer

1639

# condition:

1640

# title: expirable access

1641

# description: Does not grant access after Sep 2020

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1642

# expression: request.time < timestamp('2020-10-01T00:00:00.000Z')

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

1643

# - etag: BwWWja0YfJA=

1644

# - version: 3

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1645

#

1646

# For a description of IAM and its features, see the

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

1647

# [IAM documentation](https://cloud.google.com/iam/docs/).

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

1648

"etag": "A String", # `etag` is used for optimistic concurrency control as a way to help

1649

# prevent simultaneous updates of a policy from overwriting each other.

1650

# It is strongly suggested that systems make use of the `etag` in the

1651

# read-modify-write cycle to perform policy updates in order to avoid race

1652

# conditions: An `etag` is returned in the response to `getIamPolicy`, and

1653

# systems are expected to put that etag in the request to `setIamPolicy` to

1654

# ensure that their change will be applied to the same version of the policy.

1655

#

1656

# **Important:** If you use IAM Conditions, you must include the `etag` field

1657

# whenever you call `setIamPolicy`. If you omit this field, then IAM allows

1658

# you to overwrite a version `3` policy with a version `1` policy, and all of

1659

# the conditions in the version `3` policy are lost.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1660

"version": 42, # Specifies the format of the policy.

1661

#

1662

# Valid values are `0`, `1`, and `3`. Requests that specify an invalid value

1663

# are rejected.

1664

#

1665

# Any operation that affects conditional role bindings must specify version

1666

# `3`. This requirement applies to the following operations:

1667

#

1668

# * Getting a policy that includes a conditional role binding

1669

# * Adding a conditional role binding to a policy

1670

# * Changing a conditional role binding in a policy

1671

# * Removing any role binding, with or without a condition, from a policy

1672

# that includes conditions

1673

#

1674

# **Important:** If you use IAM Conditions, you must include the `etag` field

1675

# whenever you call `setIamPolicy`. If you omit this field, then IAM allows

1676

# you to overwrite a version `3` policy with a version `1` policy, and all of

1677

# the conditions in the version `3` policy are lost.

1678

#

1679

# If a policy does not include any conditions, operations on that policy may

1680

# specify any valid version or leave the field unset.

1681

#

1682

# To learn which resources support conditions in their IAM policies, see the

1683

# [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies).

1684

"bindings": [ # Associates a list of `members` to a `role`. Optionally, may specify a

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

1685

# `condition` that determines how and when the `bindings` are applied. Each

1686

# of the `bindings` must contain at least one member.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1687

{ # Associates `members` with a `role`.

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

1688

"members": [ # Specifies the identities requesting access for a Cloud Platform resource.

1689

# `members` can have the following values:

1690

#

1691

# * `allUsers`: A special identifier that represents anyone who is

1692

# on the internet; with or without a Google account.

1693

#

1694

# * `allAuthenticatedUsers`: A special identifier that represents anyone

1695

# who is authenticated with a Google account or a service account.

1696

#

1697

# * `user:{emailid}`: An email address that represents a specific Google

1698

# account. For example, `alice@example.com` .

1699

#

1700

#

1701

# * `serviceAccount:{emailid}`: An email address that represents a service

1702

# account. For example, `my-other-app@appspot.gserviceaccount.com`.

1703

#

1704

# * `group:{emailid}`: An email address that represents a Google group.

1705

# For example, `admins@example.com`.

1706

#

1707

# * `deleted:user:{emailid}?uid={uniqueid}`: An email address (plus unique

1708

# identifier) representing a user that has been recently deleted. For

1709

# example, `alice@example.com?uid=123456789012345678901`. If the user is

1710

# recovered, this value reverts to `user:{emailid}` and the recovered user

1711

# retains the role in the binding.

1712

#

1713

# * `deleted:serviceAccount:{emailid}?uid={uniqueid}`: An email address (plus

1714

# unique identifier) representing a service account that has been recently

1715

# deleted. For example,

1716

# `my-other-app@appspot.gserviceaccount.com?uid=123456789012345678901`.

1717

# If the service account is undeleted, this value reverts to

1718

# `serviceAccount:{emailid}` and the undeleted service account retains the

1719

# role in the binding.

1720

#

1721

# * `deleted:group:{emailid}?uid={uniqueid}`: An email address (plus unique

1722

# identifier) representing a Google group that has been recently

1723

# deleted. For example, `admins@example.com?uid=123456789012345678901`. If

1724

# the group is recovered, this value reverts to `group:{emailid}` and the

1725

# recovered group retains the role in the binding.

1726

#

1727

#

1728

# * `domain:{domain}`: The G Suite domain (primary) that represents all the

1729

# users of that domain. For example, `google.com` or `example.com`.

1730

#

1731

"A String",

1732

],

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

1733

"condition": { # Represents a textual expression in the Common Expression Language (CEL) # The condition that is associated with this binding.

1734

#

1735

# If the condition evaluates to `true`, then this binding applies to the

1736

# current request.

1737

#

1738

# If the condition evaluates to `false`, then this binding does not apply to

1739

# the current request. However, a different role binding might grant the same

1740

# role to one or more of the members in this binding.

1741

#

1742

# To learn which resources support conditions in their IAM policies, see the

1743

# [IAM

1744

# documentation](https://cloud.google.com/iam/help/conditions/resource-policies).

1745

# syntax. CEL is a C-like expression language. The syntax and semantics of CEL

1746

# are documented at https://github.com/google/cel-spec.

1747

#

1748

# Example (Comparison):

1749

#

1750

# title: "Summary size limit"

1751

# description: "Determines if a summary is less than 100 chars"

1752

# expression: "document.summary.size() < 100"

1753

#

1754

# Example (Equality):

1755

#

1756

# title: "Requestor is owner"

1757

# description: "Determines if requestor is the document owner"

1758

# expression: "document.owner == request.auth.claims.email"

#

# Example (Logic):

#

# title: "Public documents"

1763

# description: "Determine whether the document should be publicly visible"

1764

# expression: "document.type != 'private' && document.type != 'internal'"

1765

#

1766

# Example (Data Manipulation):

1767

#

1768

# title: "Notification string"

1769

# description: "Create a notification string with a timestamp."

1770

# expression: "'New message received at ' + string(document.create_time)"

1771

#

1772

# The exact variables and functions that may be referenced within an expression

1773

# are determined by the service that evaluates it. See the service

1774

# documentation for additional information.

1775

"description": "A String", # Optional. Description of the expression. This is a longer text which

1776

# describes the expression, e.g. when hovered over it in a UI.

1777

"expression": "A String", # Textual representation of an expression in Common Expression Language

1778

# syntax.

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

1779

"location": "A String", # Optional. String indicating the location of the expression for error

1780

# reporting, e.g. a file name and a position in the file.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

1781

"title": "A String", # Optional. Title for the expression, i.e. a short string describing

1782

# its purpose. This can be used e.g. in UIs which allow to enter the

1783

# expression.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

1784

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1785

"role": "A String", # Role that is assigned to `members`.

1786

# For example, `roles/viewer`, `roles/editor`, or `roles/owner`.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1787

},

1788

],

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

}</pre>

</div>

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1793

<code class="details" id="list">list(parent, pageToken=None, pageSize=None, filter=None, x__xgafv=None)</code>

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1794

<pre>Lists notes for the specified project.

1795

1796

Args:

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

1797

parent: string, Required. The name of the project to list notes for in the form of

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1798

`projects/[PROJECT_ID]`. (required)

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1799

pageToken: string, Token to provide to skip to a particular spot in the list.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1800

pageSize: integer, Number of notes to return in the list. Must be positive. Max allowed page

1801

size is 1000. If not specified, page size defaults to 20.

1802

filter: string, The filter expression.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1803

x__xgafv: string, V1 error format.

1804

Allowed values

1805

1 - v1 error format

1806

2 - v2 error format

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1807

1808

Returns:

1809

An object of the form:

1810

1811

{ # Response for listing notes.

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

1812

"nextPageToken": "A String", # The next pagination token in the list response. It should be used as

1813

# `page_token` for the following request. An empty value means no more

1814

# results.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1815

"notes": [ # The notes requested.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1816

{ # A type of analysis that can be done for a resource.

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

1817

"discovery": { # A note that indicates a type of analysis a provider would perform. This note # A note describing the initial analysis of a resource.

1818

# exists in a provider's project. A `Discovery` occurrence is created in a

1819

# consumer's project at the start of analysis.

1820

"analysisKind": "A String", # Required. Immutable. The kind of analysis that is handled by this

1821

# discovery.

1822

},

1823

"name": "A String", # Output only. The name of the note in the form of

1824

# `projects/[PROVIDER_ID]/notes/[NOTE_ID]`.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1825

"attestationAuthority": { # Note kind that represents a logical attestation "role" or "authority". For # A note describing an attestation role.

1826

# example, an organization might have one `Authority` for "QA" and one for

1827

# "build". This note is intended to act strictly as a grouping mechanism for

1828

# the attached occurrences (Attestations). This grouping mechanism also

1829

# provides a security boundary, since IAM ACLs gate the ability for a principle

1830

# to attach an occurrence to a given note. It also provides a single point of

1831

# lookup to find all attached attestation occurrences, even if they don't all

1832

# live in the same project.

1833

"hint": { # This submessage provides human-readable hints about the purpose of the # Hint hints at the purpose of the attestation authority.

1834

# authority. Because the name of a note acts as its resource reference, it is

1835

# important to disambiguate the canonical name of the Note (which might be a

1836

# UUID for security purposes) from "readable" names more suitable for debug

1837

# output. Note that these hints should not be used to look up authorities in

1838

# security sensitive contexts, such as when looking up attestations to

1839

# verify.

1840

"humanReadableName": "A String", # Required. The human readable name of this attestation authority, for

1841

# example "qa".

1842

},

1843

},

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

1844

"intoto": { # This contains the fields corresponding to the definition of a software supply # A note describing an in-toto link.

1845

# chain step in an in-toto layout. This information goes into a Grafeas note.

1846

"expectedMaterials": [ # The following fields contain in-toto artifact rules identifying the

1847

# artifacts that enter this supply chain step, and exit the supply chain

1848

# step, i.e. materials and products of the step.

1849

{ # Defines an object to declare an in-toto artifact rule

1850

"artifactRule": [

1851

"A String",

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1852

],

1853

},

1854

],

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

1855

"expectedProducts": [

1856

{ # Defines an object to declare an in-toto artifact rule

"artifactRule": [

"A String",

],

},

],

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

1862

"signingKeys": [ # This field contains the public keys that can be used to verify the

1863

# signatures on the step metadata.

1864

{ # This defines the format used to record keys used in the software supply

1865

# chain. An in-toto link is attested using one or more keys defined in the

1866

# in-toto layout. An example of this is:

1867

# {

1868

# "key_id": "776a00e29f3559e0141b3b096f696abc6cfb0c657ab40f441132b345b0...",

1869

# "key_type": "rsa",

1870

# "public_key_value": "-----BEGIN PUBLIC KEY-----\nMIIBojANBgkqhkiG9w0B...",

1871

# "key_scheme": "rsassa-pss-sha256"

1872

# }

1873

# The format for in-toto's key definition can be found in section 4.2 of the

1874

# in-toto specification.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

1875

"keyScheme": "A String", # This field contains the corresponding signature scheme.

1876

# Eg: "rsassa-pss-sha256".

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

1877

"keyType": "A String", # This field identifies the specific signing method. Eg: "rsa", "ed25519",

1878

# and "ecdsa".

1879

"keyId": "A String", # key_id is an identifier for the signing key.

1880

"publicKeyValue": "A String", # This field contains the actual public key.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

1881

},

1882

],

1883

"threshold": "A String", # This field contains a value that indicates the minimum number of keys that

1884

# need to be used to sign the step's in-toto link.

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

1885

"stepName": "A String", # This field identifies the name of the step in the supply chain.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

1886

"expectedCommand": [ # This field contains the expected command used to perform the step.

1887

"A String",

1888

],

1889

},

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

1890

"kind": "A String", # Output only. The type of analysis. This field can be used as a filter in

1891

# list requests.

1892

"longDescription": "A String", # A detailed description of this note.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

1893

"baseImage": { # Basis describes the base image portion (Note) of the DockerImage # A note describing a base image.

1894

# relationship. Linked occurrences are derived from this or an

1895

# equivalent image via:

1896

# FROM <Basis.resource_url>

1897

# Or an equivalent reference, e.g. a tag of the resource_url.

1898

"fingerprint": { # A set of properties that uniquely identify a given Docker image. # Required. Immutable. The fingerprint of the base image.

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

1899

"v1Name": "A String", # Required. The layer ID of the final layer in the Docker image's v1

1900

# representation.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

1901

"v2Blob": [ # Required. The ordered list of v2 blobs that represent a given image.

1902

"A String",

1903

],

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

1904

"v2Name": "A String", # Output only. The name of the image's v2 blobs computed via:

1905

# [bottom] := v2_blobbottom := sha256(v2_blob[N] + " " + v2_name[N+1])

1906

# Only the name of the final blob is kept.

1907

},

1908

"resourceUrl": "A String", # Required. Immutable. The resource_url for the resource representing the

1909

# basis of associated occurrence images.

1910

},

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

1911

"updateTime": "A String", # Output only. The time this note was last updated. This field can be used as

1912

# a filter in list requests.

1913

"build": { # Note holding the version of the provider's builder and the signature of the # A note describing build provenance for a verifiable build.

1914

# provenance message in the build details occurrence.

1915

"builderVersion": "A String", # Required. Immutable. Version of the builder which produced this build.

1916

"signature": { # Message encapsulating the signature of the verified build. # Signature of the build in occurrences pointing to this build note

1917

# containing build details.

1918

"publicKey": "A String", # Public key of the builder which can be used to verify that the related

1919

# findings are valid and unchanged. If `key_type` is empty, this defaults

1920

# to PEM encoded public keys.

1921

#

1922

# This field may be empty if `key_id` references an external key.

1923

#

1924

# For Cloud Build based signatures, this is a PEM encoded public

1925

# key. To verify the Cloud Build signature, place the contents of

1926

# this field into a file (public.pem). The signature field is base64-decoded

1927

# into its binary representation in signature.bin, and the provenance bytes

1928

# from `BuildDetails` are base64-decoded into a binary representation in

1929

# signed.bin. OpenSSL can then verify the signature:

1930

# `openssl sha256 -verify public.pem -signature signature.bin signed.bin`

1931

"keyType": "A String", # The type of the key, either stored in `public_key` or referenced in

1932

# `key_id`.

1933

"signature": "A String", # Required. Signature of the related `BuildProvenance`. In JSON, this is

1934

# base-64 encoded.

1935

"keyId": "A String", # An ID for the key used to sign. This could be either an ID for the key

1936

# stored in `public_key` (such as the ID or fingerprint for a PGP key, or the

1937

# CN for a cert), or a reference to an external key (such as a reference to a

1938

# key in Cloud Key Management Service).

1939

},

1940

},

1941

"expirationTime": "A String", # Time of expiration for this note. Empty if note does not expire.

1942

"relatedUrl": [ # URLs associated with this note.

1943

{ # Metadata for any related URL information.

1944

"url": "A String", # Specific URL associated with the resource.

1945

"label": "A String", # Label to describe usage of the URL.

1946

},

1947

],

1948

"vulnerability": { # Vulnerability provides metadata about a security vulnerability in a Note. # A note describing a package vulnerability.

1949

"cvssScore": 3.14, # The CVSS score for this vulnerability.

1950

"windowsDetails": [ # Windows details get their own format because the information format and

1951

# model don't match a normal detail. Specifically Windows updates are done as

1952

# patches, thus Windows vulnerabilities really are a missing package, rather

1953

# than a package being at an incorrect version.

1954

{

1955

"name": "A String", # Required. The name of the vulnerability.

1956

"cpeUri": "A String", # Required. The CPE URI in

1957

# [cpe format](https://cpe.mitre.org/specification/) in which the

1958

# vulnerability manifests. Examples include distro or storage location for

1959

# vulnerable jar.

1960

"fixingKbs": [ # Required. The names of the KBs which have hotfixes to mitigate this

1961

# vulnerability. Note that there may be multiple hotfixes (and thus

1962

# multiple KBs) that mitigate a given vulnerability. Currently any listed

1963

# kb's presence is considered a fix.

1964

{

1965

"name": "A String", # The KB name (generally of the form KB[0-9]+ i.e. KB123456).

1966

"url": "A String", # A link to the KB in the Windows update catalog -

1967

# https://www.catalog.update.microsoft.com/

1968

},

1969

],

1970

"description": "A String", # The description of the vulnerability.

1971

},

1972

],

1973

"sourceUpdateTime": "A String", # The time this information was last changed at the source. This is an

1974

# upstream timestamp from the underlying information source - e.g. Ubuntu

1975

# security tracker.

1976

"severity": "A String", # Note provider assigned impact of the vulnerability.

1977

"details": [ # All information about the package to specifically identify this

1978

# vulnerability. One entry per (version range and cpe_uri) the package

1979

# vulnerability has manifested in.

1980

{ # Identifies all appearances of this vulnerability in the package for a

1981

# specific distro/location. For example: glibc in

1982

# cpe:/o:debian:debian_linux:8 for versions 2.1 - 2.2

1983

"sourceUpdateTime": "A String", # The time this information was last changed at the source. This is an

1984

# upstream timestamp from the underlying information source - e.g. Ubuntu

1985

# security tracker.

1986

"packageType": "A String", # The type of package; whether native or non native(ruby gems, node.js

1987

# packages etc).

1988

"fixedLocation": { # The location of the vulnerability. # The fix for this specific package version.

1989

"package": "A String", # Required. The package being described.

1990

"cpeUri": "A String", # Required. The CPE URI in [cpe format](https://cpe.mitre.org/specification/)

1991

# format. Examples include distro or storage location for vulnerable jar.

1992

"version": { # Version contains structured information about the version of a package. # Required. The version of the package being described.

1993

"kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal

1994

# versions.

1995

"revision": "A String", # The iteration of the package build from the above version.

1996

"epoch": 42, # Used to correct mistakes in the version numbering scheme.

1997

"name": "A String", # Required only when version kind is NORMAL. The main part of the version

# name.

},

},

"minAffectedVersion": { # Version contains structured information about the version of a package. # The min version of the package in which the vulnerability exists.

2002

"kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal

2003

# versions.

2004

"revision": "A String", # The iteration of the package build from the above version.

2005

"epoch": 42, # Used to correct mistakes in the version numbering scheme.

2006

"name": "A String", # Required only when version kind is NORMAL. The main part of the version

2007

# name.

2008

},

2009

"cpeUri": "A String", # Required. The CPE URI in

2010

# [cpe format](https://cpe.mitre.org/specification/) in which the

2011

# vulnerability manifests. Examples include distro or storage location for

2012

# vulnerable jar.

2013

"isObsolete": True or False, # Whether this detail is obsolete. Occurrences are expected not to point to

2014

# obsolete details.

2015

"description": "A String", # A vendor-specific description of this note.

2016

"maxAffectedVersion": { # Version contains structured information about the version of a package. # The max version of the package in which the vulnerability exists.

2017

"kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal

2018

# versions.

2019

"revision": "A String", # The iteration of the package build from the above version.

2020

"epoch": 42, # Used to correct mistakes in the version numbering scheme.

2021

"name": "A String", # Required only when version kind is NORMAL. The main part of the version

2022

# name.

2023

},

2024

"package": "A String", # Required. The name of the package where the vulnerability was found.

2025

"severityName": "A String", # The severity (eg: distro assigned severity) for this vulnerability.

2026

},

2027

],

2028

"cvssV3": { # Common Vulnerability Scoring System version 3. # The full description of the CVSSv3.

2029

# For details, see https://www.first.org/cvss/specification-document

2030

"baseScore": 3.14, # The base score is a function of the base metric scores.

2031

"confidentialityImpact": "A String",

2032

"availabilityImpact": "A String",

2033

"attackVector": "A String", # Base Metrics

2034

# Represents the intrinsic characteristics of a vulnerability that are

2035

# constant over time and across user environments.

2036

"privilegesRequired": "A String",

2037

"impactScore": 3.14,

2038

"attackComplexity": "A String",

2039

"scope": "A String",

2040

"exploitabilityScore": 3.14,

2041

"userInteraction": "A String",

2042

"integrityImpact": "A String",

2043

},

2044

},

2045

"shortDescription": "A String", # A one sentence description of this note.

2046

"relatedNoteNames": [ # Other notes related to this note.

2047

"A String",

2048

],

2049

"createTime": "A String", # Output only. The time this note was created. This field can be used as a

2050

# filter in list requests.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

2051

"deployable": { # An artifact that can be deployed in some runtime. # A note describing something that can be deployed.

2052

"resourceUri": [ # Required. Resource URI for the artifact being deployed.

2053

"A String",

2054

],

2055

},

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

2056

"package": { # This represents a particular package that is distributed over various # A note describing a package hosted by various package managers.

2057

# channels. E.g., glibc (aka libc6) is distributed by many, at various

2058

# versions.

2059

"distribution": [ # The various channels by which a package is distributed.

2060

{ # This represents a particular channel of distribution for a given package.

2061

# E.g., Debian's jessie-backports dpkg mirror.

2062

"latestVersion": { # Version contains structured information about the version of a package. # The latest available version of this package in this distribution channel.

2063

"kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal

2064

# versions.

2065

"revision": "A String", # The iteration of the package build from the above version.

2066

"epoch": 42, # Used to correct mistakes in the version numbering scheme.

2067

"name": "A String", # Required only when version kind is NORMAL. The main part of the version

2068

# name.

2069

},

2070

"url": "A String", # The distribution channel-specific homepage for this package.

2071

"cpeUri": "A String", # Required. The cpe_uri in [CPE format](https://cpe.mitre.org/specification/)

2072

# denoting the package manager version distributing a package.

2073

"description": "A String", # The distribution channel-specific description of this package.

2074

"architecture": "A String", # The CPU architecture for which packages in this distribution channel were

2075

# built.

2076

"maintainer": "A String", # A freeform string denoting the maintainer of this package.

2077

},

2078

],

2079

"name": "A String", # Required. Immutable. The name of the package.

2080

},

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

},

],

}</pre>

</div>

<code class="details" id="list_next">list_next(previous_request, previous_response)</code>

2088

<pre>Retrieves the next page of results.

2089

2090

Args:

2091

previous_request: The request for the previous page. (required)

2092

previous_response: The response from the request for the previous page. (required)

2093

2094

Returns:

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2095

A request object that you can call 'execute()' on to request the next

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2096

page. Returns None if there are no more items in the collection.

</pre>

</div>

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

2101

<code class="details" id="patch">patch(name, body=None, updateMask=None, x__xgafv=None)</code>

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2102

<pre>Updates the specified note.

2103

2104

Args:

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

2105

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2106

`projects/[PROVIDER_ID]/notes/[NOTE_ID]`. (required)

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

2107

body: object, The request body.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2108

The object takes the form of:

2109

2110

{ # A type of analysis that can be done for a resource.

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

2111

"discovery": { # A note that indicates a type of analysis a provider would perform. This note # A note describing the initial analysis of a resource.

2112

# exists in a provider's project. A `Discovery` occurrence is created in a

2113

# consumer's project at the start of analysis.

2114

"analysisKind": "A String", # Required. Immutable. The kind of analysis that is handled by this

2115

# discovery.

2116

},

2117

"name": "A String", # Output only. The name of the note in the form of

2118

# `projects/[PROVIDER_ID]/notes/[NOTE_ID]`.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2119

"attestationAuthority": { # Note kind that represents a logical attestation "role" or "authority". For # A note describing an attestation role.

2120

# example, an organization might have one `Authority` for "QA" and one for

2121

# "build". This note is intended to act strictly as a grouping mechanism for

2122

# the attached occurrences (Attestations). This grouping mechanism also

2123

# provides a security boundary, since IAM ACLs gate the ability for a principle

2124

# to attach an occurrence to a given note. It also provides a single point of

2125

# lookup to find all attached attestation occurrences, even if they don't all

2126

# live in the same project.

2127

"hint": { # This submessage provides human-readable hints about the purpose of the # Hint hints at the purpose of the attestation authority.

2128

# authority. Because the name of a note acts as its resource reference, it is

2129

# important to disambiguate the canonical name of the Note (which might be a

2130

# UUID for security purposes) from "readable" names more suitable for debug

2131

# output. Note that these hints should not be used to look up authorities in

2132

# security sensitive contexts, such as when looking up attestations to

2133

# verify.

2134

"humanReadableName": "A String", # Required. The human readable name of this attestation authority, for

2135

# example "qa".

2136

},

2137

},

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

2138

"intoto": { # This contains the fields corresponding to the definition of a software supply # A note describing an in-toto link.

2139

# chain step in an in-toto layout. This information goes into a Grafeas note.

2140

"expectedMaterials": [ # The following fields contain in-toto artifact rules identifying the

2141

# artifacts that enter this supply chain step, and exit the supply chain

2142

# step, i.e. materials and products of the step.

2143

{ # Defines an object to declare an in-toto artifact rule

2144

"artifactRule": [

2145

"A String",

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2146

],

2147

},

2148

],

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

2149

"expectedProducts": [

2150

{ # Defines an object to declare an in-toto artifact rule

"artifactRule": [

"A String",

],

},

],

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

2156

"signingKeys": [ # This field contains the public keys that can be used to verify the

2157

# signatures on the step metadata.

2158

{ # This defines the format used to record keys used in the software supply

2159

# chain. An in-toto link is attested using one or more keys defined in the

2160

# in-toto layout. An example of this is:

2161

# {

2162

# "key_id": "776a00e29f3559e0141b3b096f696abc6cfb0c657ab40f441132b345b0...",

2163

# "key_type": "rsa",

2164

# "public_key_value": "-----BEGIN PUBLIC KEY-----\nMIIBojANBgkqhkiG9w0B...",

2165

# "key_scheme": "rsassa-pss-sha256"

2166

# }

2167

# The format for in-toto's key definition can be found in section 4.2 of the

2168

# in-toto specification.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

2169

"keyScheme": "A String", # This field contains the corresponding signature scheme.

2170

# Eg: "rsassa-pss-sha256".

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

2171

"keyType": "A String", # This field identifies the specific signing method. Eg: "rsa", "ed25519",

2172

# and "ecdsa".

2173

"keyId": "A String", # key_id is an identifier for the signing key.

2174

"publicKeyValue": "A String", # This field contains the actual public key.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

2175

},

2176

],

2177

"threshold": "A String", # This field contains a value that indicates the minimum number of keys that

2178

# need to be used to sign the step's in-toto link.

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

2179

"stepName": "A String", # This field identifies the name of the step in the supply chain.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

2180

"expectedCommand": [ # This field contains the expected command used to perform the step.

2181

"A String",

2182

],

2183

},

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

2184

"kind": "A String", # Output only. The type of analysis. This field can be used as a filter in

2185

# list requests.

2186

"longDescription": "A String", # A detailed description of this note.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

2187

"baseImage": { # Basis describes the base image portion (Note) of the DockerImage # A note describing a base image.

2188

# relationship. Linked occurrences are derived from this or an

2189

# equivalent image via:

2190

# FROM <Basis.resource_url>

2191

# Or an equivalent reference, e.g. a tag of the resource_url.

2192

"fingerprint": { # A set of properties that uniquely identify a given Docker image. # Required. Immutable. The fingerprint of the base image.

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

2193

"v1Name": "A String", # Required. The layer ID of the final layer in the Docker image's v1

2194

# representation.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

2195

"v2Blob": [ # Required. The ordered list of v2 blobs that represent a given image.

2196

"A String",

2197

],

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

2198

"v2Name": "A String", # Output only. The name of the image's v2 blobs computed via:

2199

# [bottom] := v2_blobbottom := sha256(v2_blob[N] + " " + v2_name[N+1])

2200

# Only the name of the final blob is kept.

2201

},

2202

"resourceUrl": "A String", # Required. Immutable. The resource_url for the resource representing the

2203

# basis of associated occurrence images.

2204

},

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

2205

"updateTime": "A String", # Output only. The time this note was last updated. This field can be used as

2206

# a filter in list requests.

2207

"build": { # Note holding the version of the provider's builder and the signature of the # A note describing build provenance for a verifiable build.

2208

# provenance message in the build details occurrence.

2209

"builderVersion": "A String", # Required. Immutable. Version of the builder which produced this build.

2210

"signature": { # Message encapsulating the signature of the verified build. # Signature of the build in occurrences pointing to this build note

2211

# containing build details.

2212

"publicKey": "A String", # Public key of the builder which can be used to verify that the related

2213

# findings are valid and unchanged. If `key_type` is empty, this defaults

2214

# to PEM encoded public keys.

2215

#

2216

# This field may be empty if `key_id` references an external key.

2217

#

2218

# For Cloud Build based signatures, this is a PEM encoded public

2219

# key. To verify the Cloud Build signature, place the contents of

2220

# this field into a file (public.pem). The signature field is base64-decoded

2221

# into its binary representation in signature.bin, and the provenance bytes

2222

# from `BuildDetails` are base64-decoded into a binary representation in

2223

# signed.bin. OpenSSL can then verify the signature:

2224

# `openssl sha256 -verify public.pem -signature signature.bin signed.bin`

2225

"keyType": "A String", # The type of the key, either stored in `public_key` or referenced in

2226

# `key_id`.

2227

"signature": "A String", # Required. Signature of the related `BuildProvenance`. In JSON, this is

2228

# base-64 encoded.

2229

"keyId": "A String", # An ID for the key used to sign. This could be either an ID for the key

2230

# stored in `public_key` (such as the ID or fingerprint for a PGP key, or the

2231

# CN for a cert), or a reference to an external key (such as a reference to a

2232

# key in Cloud Key Management Service).

2233

},

2234

},

2235

"expirationTime": "A String", # Time of expiration for this note. Empty if note does not expire.

2236

"relatedUrl": [ # URLs associated with this note.

2237

{ # Metadata for any related URL information.

2238

"url": "A String", # Specific URL associated with the resource.

2239

"label": "A String", # Label to describe usage of the URL.

2240

},

2241

],

2242

"vulnerability": { # Vulnerability provides metadata about a security vulnerability in a Note. # A note describing a package vulnerability.

2243

"cvssScore": 3.14, # The CVSS score for this vulnerability.

2244

"windowsDetails": [ # Windows details get their own format because the information format and

2245

# model don't match a normal detail. Specifically Windows updates are done as

2246

# patches, thus Windows vulnerabilities really are a missing package, rather

2247

# than a package being at an incorrect version.

2248

{

2249

"name": "A String", # Required. The name of the vulnerability.

2250

"cpeUri": "A String", # Required. The CPE URI in

2251

# [cpe format](https://cpe.mitre.org/specification/) in which the

2252

# vulnerability manifests. Examples include distro or storage location for

2253

# vulnerable jar.

2254

"fixingKbs": [ # Required. The names of the KBs which have hotfixes to mitigate this

2255

# vulnerability. Note that there may be multiple hotfixes (and thus

2256

# multiple KBs) that mitigate a given vulnerability. Currently any listed

2257

# kb's presence is considered a fix.

2258

{

2259

"name": "A String", # The KB name (generally of the form KB[0-9]+ i.e. KB123456).

2260

"url": "A String", # A link to the KB in the Windows update catalog -

2261

# https://www.catalog.update.microsoft.com/

2262

},

2263

],

2264

"description": "A String", # The description of the vulnerability.

2265

},

2266

],

2267

"sourceUpdateTime": "A String", # The time this information was last changed at the source. This is an

2268

# upstream timestamp from the underlying information source - e.g. Ubuntu

2269

# security tracker.

2270

"severity": "A String", # Note provider assigned impact of the vulnerability.

2271

"details": [ # All information about the package to specifically identify this

2272

# vulnerability. One entry per (version range and cpe_uri) the package

2273

# vulnerability has manifested in.

2274

{ # Identifies all appearances of this vulnerability in the package for a

2275

# specific distro/location. For example: glibc in

2276

# cpe:/o:debian:debian_linux:8 for versions 2.1 - 2.2

2277

"sourceUpdateTime": "A String", # The time this information was last changed at the source. This is an

2278

# upstream timestamp from the underlying information source - e.g. Ubuntu

2279

# security tracker.

2280

"packageType": "A String", # The type of package; whether native or non native(ruby gems, node.js

2281

# packages etc).

2282

"fixedLocation": { # The location of the vulnerability. # The fix for this specific package version.

2283

"package": "A String", # Required. The package being described.

2284

"cpeUri": "A String", # Required. The CPE URI in [cpe format](https://cpe.mitre.org/specification/)

2285

# format. Examples include distro or storage location for vulnerable jar.

2286

"version": { # Version contains structured information about the version of a package. # Required. The version of the package being described.

2287

"kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal

2288

# versions.

2289

"revision": "A String", # The iteration of the package build from the above version.

2290

"epoch": 42, # Used to correct mistakes in the version numbering scheme.

2291

"name": "A String", # Required only when version kind is NORMAL. The main part of the version

# name.

},

},

"minAffectedVersion": { # Version contains structured information about the version of a package. # The min version of the package in which the vulnerability exists.

2296

"kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal

2297

# versions.

2298

"revision": "A String", # The iteration of the package build from the above version.

2299

"epoch": 42, # Used to correct mistakes in the version numbering scheme.

2300

"name": "A String", # Required only when version kind is NORMAL. The main part of the version

2301

# name.

2302

},

2303

"cpeUri": "A String", # Required. The CPE URI in

2304

# [cpe format](https://cpe.mitre.org/specification/) in which the

2305

# vulnerability manifests. Examples include distro or storage location for

2306

# vulnerable jar.

2307

"isObsolete": True or False, # Whether this detail is obsolete. Occurrences are expected not to point to

2308

# obsolete details.

2309

"description": "A String", # A vendor-specific description of this note.

2310

"maxAffectedVersion": { # Version contains structured information about the version of a package. # The max version of the package in which the vulnerability exists.

2311

"kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal

2312

# versions.

2313

"revision": "A String", # The iteration of the package build from the above version.

2314

"epoch": 42, # Used to correct mistakes in the version numbering scheme.

2315

"name": "A String", # Required only when version kind is NORMAL. The main part of the version

2316

# name.

2317

},

2318

"package": "A String", # Required. The name of the package where the vulnerability was found.

2319

"severityName": "A String", # The severity (eg: distro assigned severity) for this vulnerability.

2320

},

2321

],

2322

"cvssV3": { # Common Vulnerability Scoring System version 3. # The full description of the CVSSv3.

2323

# For details, see https://www.first.org/cvss/specification-document

2324

"baseScore": 3.14, # The base score is a function of the base metric scores.

2325

"confidentialityImpact": "A String",

2326

"availabilityImpact": "A String",

2327

"attackVector": "A String", # Base Metrics

2328

# Represents the intrinsic characteristics of a vulnerability that are

2329

# constant over time and across user environments.

2330

"privilegesRequired": "A String",

2331

"impactScore": 3.14,

2332

"attackComplexity": "A String",

2333

"scope": "A String",

2334

"exploitabilityScore": 3.14,

2335

"userInteraction": "A String",

2336

"integrityImpact": "A String",

2337

},

2338

},

2339

"shortDescription": "A String", # A one sentence description of this note.

2340

"relatedNoteNames": [ # Other notes related to this note.

2341

"A String",

2342

],

2343

"createTime": "A String", # Output only. The time this note was created. This field can be used as a

2344

# filter in list requests.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

2345

"deployable": { # An artifact that can be deployed in some runtime. # A note describing something that can be deployed.

2346

"resourceUri": [ # Required. Resource URI for the artifact being deployed.

2347

"A String",

2348

],

2349

},

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

2350

"package": { # This represents a particular package that is distributed over various # A note describing a package hosted by various package managers.

2351

# channels. E.g., glibc (aka libc6) is distributed by many, at various

2352

# versions.

2353

"distribution": [ # The various channels by which a package is distributed.

2354

{ # This represents a particular channel of distribution for a given package.

2355

# E.g., Debian's jessie-backports dpkg mirror.

2356

"latestVersion": { # Version contains structured information about the version of a package. # The latest available version of this package in this distribution channel.

2357

"kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal

2358

# versions.

2359

"revision": "A String", # The iteration of the package build from the above version.

2360

"epoch": 42, # Used to correct mistakes in the version numbering scheme.

2361

"name": "A String", # Required only when version kind is NORMAL. The main part of the version

2362

# name.

2363

},

2364

"url": "A String", # The distribution channel-specific homepage for this package.

2365

"cpeUri": "A String", # Required. The cpe_uri in [CPE format](https://cpe.mitre.org/specification/)

2366

# denoting the package manager version distributing a package.

2367

"description": "A String", # The distribution channel-specific description of this package.

2368

"architecture": "A String", # The CPU architecture for which packages in this distribution channel were

2369

# built.

2370

"maintainer": "A String", # A freeform string denoting the maintainer of this package.

2371

},

2372

],

2373

"name": "A String", # Required. Immutable. The name of the package.

2374

},

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2375

}

2376

2377

updateMask: string, The fields to update.

2378

x__xgafv: string, V1 error format.

Allowed values

1 - v1 error format

2 - v2 error format

Returns:

An object of the form:

2385

2386

{ # A type of analysis that can be done for a resource.

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

2387

"discovery": { # A note that indicates a type of analysis a provider would perform. This note # A note describing the initial analysis of a resource.

2388

# exists in a provider's project. A `Discovery` occurrence is created in a

2389

# consumer's project at the start of analysis.

2390

"analysisKind": "A String", # Required. Immutable. The kind of analysis that is handled by this

2391

# discovery.

2392

},

2393

"name": "A String", # Output only. The name of the note in the form of

2394

# `projects/[PROVIDER_ID]/notes/[NOTE_ID]`.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2395

"attestationAuthority": { # Note kind that represents a logical attestation "role" or "authority". For # A note describing an attestation role.

2396

# example, an organization might have one `Authority` for "QA" and one for

2397

# "build". This note is intended to act strictly as a grouping mechanism for

2398

# the attached occurrences (Attestations). This grouping mechanism also

2399

# provides a security boundary, since IAM ACLs gate the ability for a principle

2400

# to attach an occurrence to a given note. It also provides a single point of

2401

# lookup to find all attached attestation occurrences, even if they don't all

2402

# live in the same project.

2403

"hint": { # This submessage provides human-readable hints about the purpose of the # Hint hints at the purpose of the attestation authority.

2404

# authority. Because the name of a note acts as its resource reference, it is

2405

# important to disambiguate the canonical name of the Note (which might be a

2406

# UUID for security purposes) from "readable" names more suitable for debug

2407

# output. Note that these hints should not be used to look up authorities in

2408

# security sensitive contexts, such as when looking up attestations to

2409

# verify.

2410

"humanReadableName": "A String", # Required. The human readable name of this attestation authority, for

2411

# example "qa".

2412

},

2413

},

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

2414

"intoto": { # This contains the fields corresponding to the definition of a software supply # A note describing an in-toto link.

2415

# chain step in an in-toto layout. This information goes into a Grafeas note.

2416

"expectedMaterials": [ # The following fields contain in-toto artifact rules identifying the

2417

# artifacts that enter this supply chain step, and exit the supply chain

2418

# step, i.e. materials and products of the step.

2419

{ # Defines an object to declare an in-toto artifact rule

2420

"artifactRule": [

2421

"A String",

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2422

],

2423

},

2424

],

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

2425

"expectedProducts": [

2426

{ # Defines an object to declare an in-toto artifact rule

"artifactRule": [

"A String",

],

},

],

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

2432

"signingKeys": [ # This field contains the public keys that can be used to verify the

2433

# signatures on the step metadata.

2434

{ # This defines the format used to record keys used in the software supply

2435

# chain. An in-toto link is attested using one or more keys defined in the

2436

# in-toto layout. An example of this is:

2437

# {

2438

# "key_id": "776a00e29f3559e0141b3b096f696abc6cfb0c657ab40f441132b345b0...",

2439

# "key_type": "rsa",

2440

# "public_key_value": "-----BEGIN PUBLIC KEY-----\nMIIBojANBgkqhkiG9w0B...",

2441

# "key_scheme": "rsassa-pss-sha256"

2442

# }

2443

# The format for in-toto's key definition can be found in section 4.2 of the

2444

# in-toto specification.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

2445

"keyScheme": "A String", # This field contains the corresponding signature scheme.

2446

# Eg: "rsassa-pss-sha256".

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

2447

"keyType": "A String", # This field identifies the specific signing method. Eg: "rsa", "ed25519",

2448

# and "ecdsa".

2449

"keyId": "A String", # key_id is an identifier for the signing key.

2450

"publicKeyValue": "A String", # This field contains the actual public key.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

2451

},

2452

],

2453

"threshold": "A String", # This field contains a value that indicates the minimum number of keys that

2454

# need to be used to sign the step's in-toto link.

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

2455

"stepName": "A String", # This field identifies the name of the step in the supply chain.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

2456

"expectedCommand": [ # This field contains the expected command used to perform the step.

2457

"A String",

2458

],

2459

},

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

2460

"kind": "A String", # Output only. The type of analysis. This field can be used as a filter in

2461

# list requests.

2462

"longDescription": "A String", # A detailed description of this note.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

2463

"baseImage": { # Basis describes the base image portion (Note) of the DockerImage # A note describing a base image.

2464

# relationship. Linked occurrences are derived from this or an

2465

# equivalent image via:

2466

# FROM <Basis.resource_url>

2467

# Or an equivalent reference, e.g. a tag of the resource_url.

2468

"fingerprint": { # A set of properties that uniquely identify a given Docker image. # Required. Immutable. The fingerprint of the base image.

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

2469

"v1Name": "A String", # Required. The layer ID of the final layer in the Docker image's v1

2470

# representation.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

2471

"v2Blob": [ # Required. The ordered list of v2 blobs that represent a given image.

2472

"A String",

2473

],

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

2474

"v2Name": "A String", # Output only. The name of the image's v2 blobs computed via:

2475

# [bottom] := v2_blobbottom := sha256(v2_blob[N] + " " + v2_name[N+1])

2476

# Only the name of the final blob is kept.

2477

},

2478

"resourceUrl": "A String", # Required. Immutable. The resource_url for the resource representing the

2479

# basis of associated occurrence images.

2480

},

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

2481

"updateTime": "A String", # Output only. The time this note was last updated. This field can be used as

2482

# a filter in list requests.

2483

"build": { # Note holding the version of the provider's builder and the signature of the # A note describing build provenance for a verifiable build.

2484

# provenance message in the build details occurrence.

2485

"builderVersion": "A String", # Required. Immutable. Version of the builder which produced this build.

2486

"signature": { # Message encapsulating the signature of the verified build. # Signature of the build in occurrences pointing to this build note

2487

# containing build details.

2488

"publicKey": "A String", # Public key of the builder which can be used to verify that the related

2489

# findings are valid and unchanged. If `key_type` is empty, this defaults

2490

# to PEM encoded public keys.

2491

#

2492

# This field may be empty if `key_id` references an external key.

2493

#

2494

# For Cloud Build based signatures, this is a PEM encoded public

2495

# key. To verify the Cloud Build signature, place the contents of

2496

# this field into a file (public.pem). The signature field is base64-decoded

2497

# into its binary representation in signature.bin, and the provenance bytes

2498

# from `BuildDetails` are base64-decoded into a binary representation in

2499

# signed.bin. OpenSSL can then verify the signature:

2500

# `openssl sha256 -verify public.pem -signature signature.bin signed.bin`

2501

"keyType": "A String", # The type of the key, either stored in `public_key` or referenced in

2502

# `key_id`.

2503

"signature": "A String", # Required. Signature of the related `BuildProvenance`. In JSON, this is

2504

# base-64 encoded.

2505

"keyId": "A String", # An ID for the key used to sign. This could be either an ID for the key

2506

# stored in `public_key` (such as the ID or fingerprint for a PGP key, or the

2507

# CN for a cert), or a reference to an external key (such as a reference to a

2508

# key in Cloud Key Management Service).

2509

},

2510

},

2511

"expirationTime": "A String", # Time of expiration for this note. Empty if note does not expire.

2512

"relatedUrl": [ # URLs associated with this note.

2513

{ # Metadata for any related URL information.

2514

"url": "A String", # Specific URL associated with the resource.

2515

"label": "A String", # Label to describe usage of the URL.

2516

},

2517

],

2518

"vulnerability": { # Vulnerability provides metadata about a security vulnerability in a Note. # A note describing a package vulnerability.

2519

"cvssScore": 3.14, # The CVSS score for this vulnerability.

2520

"windowsDetails": [ # Windows details get their own format because the information format and

2521

# model don't match a normal detail. Specifically Windows updates are done as

2522

# patches, thus Windows vulnerabilities really are a missing package, rather

2523

# than a package being at an incorrect version.

2524

{

2525

"name": "A String", # Required. The name of the vulnerability.

2526

"cpeUri": "A String", # Required. The CPE URI in

2527

# [cpe format](https://cpe.mitre.org/specification/) in which the

2528

# vulnerability manifests. Examples include distro or storage location for

2529

# vulnerable jar.

2530

"fixingKbs": [ # Required. The names of the KBs which have hotfixes to mitigate this

2531

# vulnerability. Note that there may be multiple hotfixes (and thus

2532

# multiple KBs) that mitigate a given vulnerability. Currently any listed

2533

# kb's presence is considered a fix.

2534

{

2535

"name": "A String", # The KB name (generally of the form KB[0-9]+ i.e. KB123456).

2536

"url": "A String", # A link to the KB in the Windows update catalog -

2537

# https://www.catalog.update.microsoft.com/

2538

},

2539

],

2540

"description": "A String", # The description of the vulnerability.

2541

},

2542

],

2543

"sourceUpdateTime": "A String", # The time this information was last changed at the source. This is an

2544

# upstream timestamp from the underlying information source - e.g. Ubuntu

2545

# security tracker.

2546

"severity": "A String", # Note provider assigned impact of the vulnerability.

2547

"details": [ # All information about the package to specifically identify this

2548

# vulnerability. One entry per (version range and cpe_uri) the package

2549

# vulnerability has manifested in.

2550

{ # Identifies all appearances of this vulnerability in the package for a

2551

# specific distro/location. For example: glibc in

2552

# cpe:/o:debian:debian_linux:8 for versions 2.1 - 2.2

2553

"sourceUpdateTime": "A String", # The time this information was last changed at the source. This is an

2554

# upstream timestamp from the underlying information source - e.g. Ubuntu

2555

# security tracker.

2556

"packageType": "A String", # The type of package; whether native or non native(ruby gems, node.js

2557

# packages etc).

2558

"fixedLocation": { # The location of the vulnerability. # The fix for this specific package version.

2559

"package": "A String", # Required. The package being described.

2560

"cpeUri": "A String", # Required. The CPE URI in [cpe format](https://cpe.mitre.org/specification/)

2561

# format. Examples include distro or storage location for vulnerable jar.

2562

"version": { # Version contains structured information about the version of a package. # Required. The version of the package being described.

2563

"kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal

2564

# versions.

2565

"revision": "A String", # The iteration of the package build from the above version.

2566

"epoch": 42, # Used to correct mistakes in the version numbering scheme.

2567

"name": "A String", # Required only when version kind is NORMAL. The main part of the version

# name.

},

},

"minAffectedVersion": { # Version contains structured information about the version of a package. # The min version of the package in which the vulnerability exists.

2572

"kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal

2573

# versions.

2574

"revision": "A String", # The iteration of the package build from the above version.

2575

"epoch": 42, # Used to correct mistakes in the version numbering scheme.

2576

"name": "A String", # Required only when version kind is NORMAL. The main part of the version

2577

# name.

2578

},

2579

"cpeUri": "A String", # Required. The CPE URI in

2580

# [cpe format](https://cpe.mitre.org/specification/) in which the

2581

# vulnerability manifests. Examples include distro or storage location for

2582

# vulnerable jar.

2583

"isObsolete": True or False, # Whether this detail is obsolete. Occurrences are expected not to point to

2584

# obsolete details.

2585

"description": "A String", # A vendor-specific description of this note.

2586

"maxAffectedVersion": { # Version contains structured information about the version of a package. # The max version of the package in which the vulnerability exists.

2587

"kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal

2588

# versions.

2589

"revision": "A String", # The iteration of the package build from the above version.

2590

"epoch": 42, # Used to correct mistakes in the version numbering scheme.

2591

"name": "A String", # Required only when version kind is NORMAL. The main part of the version

2592

# name.

2593

},

2594

"package": "A String", # Required. The name of the package where the vulnerability was found.

2595

"severityName": "A String", # The severity (eg: distro assigned severity) for this vulnerability.

2596

},

2597

],

2598

"cvssV3": { # Common Vulnerability Scoring System version 3. # The full description of the CVSSv3.

2599

# For details, see https://www.first.org/cvss/specification-document

2600

"baseScore": 3.14, # The base score is a function of the base metric scores.

2601

"confidentialityImpact": "A String",

2602

"availabilityImpact": "A String",

2603

"attackVector": "A String", # Base Metrics

2604

# Represents the intrinsic characteristics of a vulnerability that are

2605

# constant over time and across user environments.

2606

"privilegesRequired": "A String",

2607

"impactScore": 3.14,

2608

"attackComplexity": "A String",

2609

"scope": "A String",

2610

"exploitabilityScore": 3.14,

2611

"userInteraction": "A String",

2612

"integrityImpact": "A String",

2613

},

2614

},

2615

"shortDescription": "A String", # A one sentence description of this note.

2616

"relatedNoteNames": [ # Other notes related to this note.

2617

"A String",

2618

],

2619

"createTime": "A String", # Output only. The time this note was created. This field can be used as a

2620

# filter in list requests.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

2621

"deployable": { # An artifact that can be deployed in some runtime. # A note describing something that can be deployed.

2622

"resourceUri": [ # Required. Resource URI for the artifact being deployed.

2623

"A String",

2624

],

2625

},

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

2626

"package": { # This represents a particular package that is distributed over various # A note describing a package hosted by various package managers.

2627

# channels. E.g., glibc (aka libc6) is distributed by many, at various

2628

# versions.

2629

"distribution": [ # The various channels by which a package is distributed.

2630

{ # This represents a particular channel of distribution for a given package.

2631

# E.g., Debian's jessie-backports dpkg mirror.

2632

"latestVersion": { # Version contains structured information about the version of a package. # The latest available version of this package in this distribution channel.

2633

"kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal

2634

# versions.

2635

"revision": "A String", # The iteration of the package build from the above version.

2636

"epoch": 42, # Used to correct mistakes in the version numbering scheme.

2637

"name": "A String", # Required only when version kind is NORMAL. The main part of the version

2638

# name.

2639

},

2640

"url": "A String", # The distribution channel-specific homepage for this package.

2641

"cpeUri": "A String", # Required. The cpe_uri in [CPE format](https://cpe.mitre.org/specification/)

2642

# denoting the package manager version distributing a package.

2643

"description": "A String", # The distribution channel-specific description of this package.

2644

"architecture": "A String", # The CPU architecture for which packages in this distribution channel were

2645

# built.

2646

"maintainer": "A String", # A freeform string denoting the maintainer of this package.

2647

},

2648

],

2649

"name": "A String", # Required. Immutable. The name of the package.

2650

},

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

}</pre>

</div>

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

2655

<code class="details" id="setIamPolicy">setIamPolicy(resource, body=None, x__xgafv=None)</code>

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2656

<pre>Sets the access control policy on the specified note or occurrence.

2657

Requires `containeranalysis.notes.setIamPolicy` or

2658

`containeranalysis.occurrences.setIamPolicy` permission if the resource is

2659

a note or an occurrence, respectively.

2660

2661

The resource takes the format `projects/[PROJECT_ID]/notes/[NOTE_ID]` for

2662

notes and `projects/[PROJECT_ID]/occurrences/[OCCURRENCE_ID]` for

occurrences.

Args:

resource: string, REQUIRED: The resource for which the policy is being specified.

2667

See the operation documentation for the appropriate value for this field. (required)

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

2668

body: object, The request body.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2669

The object takes the form of:

2670

2671

{ # Request message for `SetIamPolicy` method.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2672

"policy": { # An Identity and Access Management (IAM) policy, which specifies access # REQUIRED: The complete policy to be applied to the `resource`. The size of

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2673

# the policy is limited to a few 10s of KB. An empty policy is a

2674

# valid policy but certain Cloud Platform services (such as Projects)

2675

# might reject them.

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

2676

# controls for Google Cloud resources.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2677

#

2678

#

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

2679

# A `Policy` is a collection of `bindings`. A `binding` binds one or more

2680

# `members` to a single `role`. Members can be user accounts, service accounts,

2681

# Google groups, and domains (such as G Suite). A `role` is a named list of

2682

# permissions; each `role` can be an IAM predefined role or a user-created

2683

# custom role.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2684

#

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2685

# For some types of Google Cloud resources, a `binding` can also specify a

2686

# `condition`, which is a logical expression that allows access to a resource

2687

# only if the expression evaluates to `true`. A condition can add constraints

2688

# based on attributes of the request, the resource, or both. To learn which

2689

# resources support conditions in their IAM policies, see the

2690

# [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies).

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

2691

#

2692

# **JSON example:**

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2693

#

2694

# {

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2695

# "bindings": [

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2696

# {

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2697

# "role": "roles/resourcemanager.organizationAdmin",

2698

# "members": [

2699

# "user:mike@example.com",

2700

# "group:admins@example.com",

2701

# "domain:google.com",

2702

# "serviceAccount:my-project-id@appspot.gserviceaccount.com"

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2703

# ]

2704

# },

2705

# {

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2706

# "role": "roles/resourcemanager.organizationViewer",

2707

# "members": [

2708

# "user:eve@example.com"

2709

# ],

2710

# "condition": {

2711

# "title": "expirable access",

2712

# "description": "Does not grant access after Sep 2020",

2713

# "expression": "request.time < timestamp('2020-10-01T00:00:00.000Z')",

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

2714

# }

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2715

# }

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

2716

# ],

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2717

# "etag": "BwWWja0YfJA=",

2718

# "version": 3

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2719

# }

2720

#

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

2721

# **YAML example:**

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

#

# bindings:

# - members:

# - user:mike@example.com

2726

# - group:admins@example.com

2727

# - domain:google.com

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

2728

# - serviceAccount:my-project-id@appspot.gserviceaccount.com

2729

# role: roles/resourcemanager.organizationAdmin

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2730

# - members:

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

2731

# - user:eve@example.com

2732

# role: roles/resourcemanager.organizationViewer

2733

# condition:

2734

# title: expirable access

2735

# description: Does not grant access after Sep 2020

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2736

# expression: request.time < timestamp('2020-10-01T00:00:00.000Z')

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

2737

# - etag: BwWWja0YfJA=

2738

# - version: 3

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2739

#

2740

# For a description of IAM and its features, see the

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

2741

# [IAM documentation](https://cloud.google.com/iam/docs/).

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

2742

"etag": "A String", # `etag` is used for optimistic concurrency control as a way to help

2743

# prevent simultaneous updates of a policy from overwriting each other.

2744

# It is strongly suggested that systems make use of the `etag` in the

2745

# read-modify-write cycle to perform policy updates in order to avoid race

2746

# conditions: An `etag` is returned in the response to `getIamPolicy`, and

2747

# systems are expected to put that etag in the request to `setIamPolicy` to

2748

# ensure that their change will be applied to the same version of the policy.

2749

#

2750

# **Important:** If you use IAM Conditions, you must include the `etag` field

2751

# whenever you call `setIamPolicy`. If you omit this field, then IAM allows

2752

# you to overwrite a version `3` policy with a version `1` policy, and all of

2753

# the conditions in the version `3` policy are lost.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2754

"version": 42, # Specifies the format of the policy.

2755

#

2756

# Valid values are `0`, `1`, and `3`. Requests that specify an invalid value

2757

# are rejected.

2758

#

2759

# Any operation that affects conditional role bindings must specify version

2760

# `3`. This requirement applies to the following operations:

2761

#

2762

# * Getting a policy that includes a conditional role binding

2763

# * Adding a conditional role binding to a policy

2764

# * Changing a conditional role binding in a policy

2765

# * Removing any role binding, with or without a condition, from a policy

2766

# that includes conditions

2767

#

2768

# **Important:** If you use IAM Conditions, you must include the `etag` field

2769

# whenever you call `setIamPolicy`. If you omit this field, then IAM allows

2770

# you to overwrite a version `3` policy with a version `1` policy, and all of

2771

# the conditions in the version `3` policy are lost.

2772

#

2773

# If a policy does not include any conditions, operations on that policy may

2774

# specify any valid version or leave the field unset.

2775

#

2776

# To learn which resources support conditions in their IAM policies, see the

2777

# [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies).

2778

"bindings": [ # Associates a list of `members` to a `role`. Optionally, may specify a

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

2779

# `condition` that determines how and when the `bindings` are applied. Each

2780

# of the `bindings` must contain at least one member.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2781

{ # Associates `members` with a `role`.

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

2782

"members": [ # Specifies the identities requesting access for a Cloud Platform resource.

2783

# `members` can have the following values:

2784

#

2785

# * `allUsers`: A special identifier that represents anyone who is

2786

# on the internet; with or without a Google account.

2787

#

2788

# * `allAuthenticatedUsers`: A special identifier that represents anyone

2789

# who is authenticated with a Google account or a service account.

2790

#

2791

# * `user:{emailid}`: An email address that represents a specific Google

2792

# account. For example, `alice@example.com` .

2793

#

2794

#

2795

# * `serviceAccount:{emailid}`: An email address that represents a service

2796

# account. For example, `my-other-app@appspot.gserviceaccount.com`.

2797

#

2798

# * `group:{emailid}`: An email address that represents a Google group.

2799

# For example, `admins@example.com`.

2800

#

2801

# * `deleted:user:{emailid}?uid={uniqueid}`: An email address (plus unique

2802

# identifier) representing a user that has been recently deleted. For

2803

# example, `alice@example.com?uid=123456789012345678901`. If the user is

2804

# recovered, this value reverts to `user:{emailid}` and the recovered user

2805

# retains the role in the binding.

2806

#

2807

# * `deleted:serviceAccount:{emailid}?uid={uniqueid}`: An email address (plus

2808

# unique identifier) representing a service account that has been recently

2809

# deleted. For example,

2810

# `my-other-app@appspot.gserviceaccount.com?uid=123456789012345678901`.

2811

# If the service account is undeleted, this value reverts to

2812

# `serviceAccount:{emailid}` and the undeleted service account retains the

2813

# role in the binding.

2814

#

2815

# * `deleted:group:{emailid}?uid={uniqueid}`: An email address (plus unique

2816

# identifier) representing a Google group that has been recently

2817

# deleted. For example, `admins@example.com?uid=123456789012345678901`. If

2818

# the group is recovered, this value reverts to `group:{emailid}` and the

2819

# recovered group retains the role in the binding.

2820

#

2821

#

2822

# * `domain:{domain}`: The G Suite domain (primary) that represents all the

2823

# users of that domain. For example, `google.com` or `example.com`.

2824

#

2825

"A String",

2826

],

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

2827

"condition": { # Represents a textual expression in the Common Expression Language (CEL) # The condition that is associated with this binding.

2828

#

2829

# If the condition evaluates to `true`, then this binding applies to the

2830

# current request.

2831

#

2832

# If the condition evaluates to `false`, then this binding does not apply to

2833

# the current request. However, a different role binding might grant the same

2834

# role to one or more of the members in this binding.

2835

#

2836

# To learn which resources support conditions in their IAM policies, see the

2837

# [IAM

2838

# documentation](https://cloud.google.com/iam/help/conditions/resource-policies).

2839

# syntax. CEL is a C-like expression language. The syntax and semantics of CEL

2840

# are documented at https://github.com/google/cel-spec.

2841

#

2842

# Example (Comparison):

2843

#

2844

# title: "Summary size limit"

2845

# description: "Determines if a summary is less than 100 chars"

2846

# expression: "document.summary.size() < 100"

2847

#

2848

# Example (Equality):

2849

#

2850

# title: "Requestor is owner"

2851

# description: "Determines if requestor is the document owner"

2852

# expression: "document.owner == request.auth.claims.email"

#

# Example (Logic):

#

# title: "Public documents"

2857

# description: "Determine whether the document should be publicly visible"

2858

# expression: "document.type != 'private' && document.type != 'internal'"

2859

#

2860

# Example (Data Manipulation):

2861

#

2862

# title: "Notification string"

2863

# description: "Create a notification string with a timestamp."

2864

# expression: "'New message received at ' + string(document.create_time)"

2865

#

2866

# The exact variables and functions that may be referenced within an expression

2867

# are determined by the service that evaluates it. See the service

2868

# documentation for additional information.

2869

"description": "A String", # Optional. Description of the expression. This is a longer text which

2870

# describes the expression, e.g. when hovered over it in a UI.

2871

"expression": "A String", # Textual representation of an expression in Common Expression Language

2872

# syntax.

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

2873

"location": "A String", # Optional. String indicating the location of the expression for error

2874

# reporting, e.g. a file name and a position in the file.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

2875

"title": "A String", # Optional. Title for the expression, i.e. a short string describing

2876

# its purpose. This can be used e.g. in UIs which allow to enter the

2877

# expression.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

2878

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2879

"role": "A String", # Role that is assigned to `members`.

2880

# For example, `roles/viewer`, `roles/editor`, or `roles/owner`.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2881

},

2882

],

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2883

},

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2884

}

2885

2886

x__xgafv: string, V1 error format.

Allowed values

1 - v1 error format

2 - v2 error format

Returns:

An object of the form:

2893

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

2894

{ # An Identity and Access Management (IAM) policy, which specifies access

2895

# controls for Google Cloud resources.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2896

#

2897

#

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

2898

# A `Policy` is a collection of `bindings`. A `binding` binds one or more

2899

# `members` to a single `role`. Members can be user accounts, service accounts,

2900

# Google groups, and domains (such as G Suite). A `role` is a named list of

2901

# permissions; each `role` can be an IAM predefined role or a user-created

2902

# custom role.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2903

#

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2904

# For some types of Google Cloud resources, a `binding` can also specify a

2905

# `condition`, which is a logical expression that allows access to a resource

2906

# only if the expression evaluates to `true`. A condition can add constraints

2907

# based on attributes of the request, the resource, or both. To learn which

2908

# resources support conditions in their IAM policies, see the

2909

# [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies).

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

2910

#

2911

# **JSON example:**

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2912

#

2913

# {

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2914

# "bindings": [

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2915

# {

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2916

# "role": "roles/resourcemanager.organizationAdmin",

2917

# "members": [

2918

# "user:mike@example.com",

2919

# "group:admins@example.com",

2920

# "domain:google.com",

2921

# "serviceAccount:my-project-id@appspot.gserviceaccount.com"

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2922

# ]

2923

# },

2924

# {

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2925

# "role": "roles/resourcemanager.organizationViewer",

2926

# "members": [

2927

# "user:eve@example.com"

2928

# ],

2929

# "condition": {

2930

# "title": "expirable access",

2931

# "description": "Does not grant access after Sep 2020",

2932

# "expression": "request.time < timestamp('2020-10-01T00:00:00.000Z')",

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

2933

# }

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2934

# }

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

2935

# ],

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2936

# "etag": "BwWWja0YfJA=",

2937

# "version": 3

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2938

# }

2939

#

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

2940

# **YAML example:**

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

#

# bindings:

# - members:

# - user:mike@example.com

2945

# - group:admins@example.com

2946

# - domain:google.com

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

2947

# - serviceAccount:my-project-id@appspot.gserviceaccount.com

2948

# role: roles/resourcemanager.organizationAdmin

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2949

# - members:

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

2950

# - user:eve@example.com

2951

# role: roles/resourcemanager.organizationViewer

2952

# condition:

2953

# title: expirable access

2954

# description: Does not grant access after Sep 2020

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2955

# expression: request.time < timestamp('2020-10-01T00:00:00.000Z')

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

2956

# - etag: BwWWja0YfJA=

2957

# - version: 3

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2958

#

2959

# For a description of IAM and its features, see the

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

2960

# [IAM documentation](https://cloud.google.com/iam/docs/).

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

2961

"etag": "A String", # `etag` is used for optimistic concurrency control as a way to help

2962

# prevent simultaneous updates of a policy from overwriting each other.

2963

# It is strongly suggested that systems make use of the `etag` in the

2964

# read-modify-write cycle to perform policy updates in order to avoid race

2965

# conditions: An `etag` is returned in the response to `getIamPolicy`, and

2966

# systems are expected to put that etag in the request to `setIamPolicy` to

2967

# ensure that their change will be applied to the same version of the policy.

2968

#

2969

# **Important:** If you use IAM Conditions, you must include the `etag` field

2970

# whenever you call `setIamPolicy`. If you omit this field, then IAM allows

2971

# you to overwrite a version `3` policy with a version `1` policy, and all of

2972

# the conditions in the version `3` policy are lost.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2973

"version": 42, # Specifies the format of the policy.

2974

#

2975

# Valid values are `0`, `1`, and `3`. Requests that specify an invalid value

2976

# are rejected.

2977

#

2978

# Any operation that affects conditional role bindings must specify version

2979

# `3`. This requirement applies to the following operations:

2980

#

2981

# * Getting a policy that includes a conditional role binding

2982

# * Adding a conditional role binding to a policy

2983

# * Changing a conditional role binding in a policy

2984

# * Removing any role binding, with or without a condition, from a policy

2985

# that includes conditions

2986

#

2987

# **Important:** If you use IAM Conditions, you must include the `etag` field

2988

# whenever you call `setIamPolicy`. If you omit this field, then IAM allows

2989

# you to overwrite a version `3` policy with a version `1` policy, and all of

2990

# the conditions in the version `3` policy are lost.

2991

#

2992

# If a policy does not include any conditions, operations on that policy may

2993

# specify any valid version or leave the field unset.

2994

#

2995

# To learn which resources support conditions in their IAM policies, see the

2996

# [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies).

2997

"bindings": [ # Associates a list of `members` to a `role`. Optionally, may specify a

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

2998

# `condition` that determines how and when the `bindings` are applied. Each

2999

# of the `bindings` must contain at least one member.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

3000

{ # Associates `members` with a `role`.

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

3001

"members": [ # Specifies the identities requesting access for a Cloud Platform resource.

3002

# `members` can have the following values:

3003

#

3004

# * `allUsers`: A special identifier that represents anyone who is

3005

# on the internet; with or without a Google account.

3006

#

3007

# * `allAuthenticatedUsers`: A special identifier that represents anyone

3008

# who is authenticated with a Google account or a service account.

3009

#

3010

# * `user:{emailid}`: An email address that represents a specific Google

3011

# account. For example, `alice@example.com` .

3012

#

3013

#

3014

# * `serviceAccount:{emailid}`: An email address that represents a service

3015

# account. For example, `my-other-app@appspot.gserviceaccount.com`.

3016

#

3017

# * `group:{emailid}`: An email address that represents a Google group.

3018

# For example, `admins@example.com`.

3019

#

3020

# * `deleted:user:{emailid}?uid={uniqueid}`: An email address (plus unique

3021

# identifier) representing a user that has been recently deleted. For

3022

# example, `alice@example.com?uid=123456789012345678901`. If the user is

3023

# recovered, this value reverts to `user:{emailid}` and the recovered user

3024

# retains the role in the binding.

3025

#

3026

# * `deleted:serviceAccount:{emailid}?uid={uniqueid}`: An email address (plus

3027

# unique identifier) representing a service account that has been recently

3028

# deleted. For example,

3029

# `my-other-app@appspot.gserviceaccount.com?uid=123456789012345678901`.

3030

# If the service account is undeleted, this value reverts to

3031

# `serviceAccount:{emailid}` and the undeleted service account retains the

3032

# role in the binding.

3033

#

3034

# * `deleted:group:{emailid}?uid={uniqueid}`: An email address (plus unique

3035

# identifier) representing a Google group that has been recently

3036

# deleted. For example, `admins@example.com?uid=123456789012345678901`. If

3037

# the group is recovered, this value reverts to `group:{emailid}` and the

3038

# recovered group retains the role in the binding.

3039

#

3040

#

3041

# * `domain:{domain}`: The G Suite domain (primary) that represents all the

3042

# users of that domain. For example, `google.com` or `example.com`.

3043

#

3044

"A String",

3045

],

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

3046

"condition": { # Represents a textual expression in the Common Expression Language (CEL) # The condition that is associated with this binding.

3047

#

3048

# If the condition evaluates to `true`, then this binding applies to the

3049

# current request.

3050

#

3051

# If the condition evaluates to `false`, then this binding does not apply to

3052

# the current request. However, a different role binding might grant the same

3053

# role to one or more of the members in this binding.

3054

#

3055

# To learn which resources support conditions in their IAM policies, see the

3056

# [IAM

3057

# documentation](https://cloud.google.com/iam/help/conditions/resource-policies).

3058

# syntax. CEL is a C-like expression language. The syntax and semantics of CEL

3059

# are documented at https://github.com/google/cel-spec.

3060

#

3061

# Example (Comparison):

3062

#

3063

# title: "Summary size limit"

3064

# description: "Determines if a summary is less than 100 chars"

3065

# expression: "document.summary.size() < 100"

3066

#

3067

# Example (Equality):

3068

#

3069

# title: "Requestor is owner"

3070

# description: "Determines if requestor is the document owner"

3071

# expression: "document.owner == request.auth.claims.email"

#

# Example (Logic):

#

# title: "Public documents"

3076

# description: "Determine whether the document should be publicly visible"

3077

# expression: "document.type != 'private' && document.type != 'internal'"

3078

#

3079

# Example (Data Manipulation):

3080

#

3081

# title: "Notification string"

3082

# description: "Create a notification string with a timestamp."

3083

# expression: "'New message received at ' + string(document.create_time)"

3084

#

3085

# The exact variables and functions that may be referenced within an expression

3086

# are determined by the service that evaluates it. See the service

3087

# documentation for additional information.

3088

"description": "A String", # Optional. Description of the expression. This is a longer text which

3089

# describes the expression, e.g. when hovered over it in a UI.

3090

"expression": "A String", # Textual representation of an expression in Common Expression Language

3091

# syntax.

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame]

3092

"location": "A String", # Optional. String indicating the location of the expression for error

3093

# reporting, e.g. a file name and a position in the file.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

3094

"title": "A String", # Optional. Title for the expression, i.e. a short string describing

3095

# its purpose. This can be used e.g. in UIs which allow to enter the

3096

# expression.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

3097

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

3098

"role": "A String", # Role that is assigned to `members`.

3099

# For example, `roles/viewer`, `roles/editor`, or `roles/owner`.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

3100

},

3101

],

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

}</pre>

</div>

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

3106

<code class="details" id="testIamPermissions">testIamPermissions(resource, body=None, x__xgafv=None)</code>

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

3107

<pre>Returns the permissions that a caller has on the specified note or

3108

occurrence. Requires list permission on the project (for example,

3109

`containeranalysis.notes.list`).

3110

3111

The resource takes the format `projects/[PROJECT_ID]/notes/[NOTE_ID]` for

3112

notes and `projects/[PROJECT_ID]/occurrences/[OCCURRENCE_ID]` for

occurrences.

Args:

resource: string, REQUIRED: The resource for which the policy detail is being requested.

3117

See the operation documentation for the appropriate value for this field. (required)

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

3118

body: object, The request body.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

3119

The object takes the form of:

3120

3121

{ # Request message for `TestIamPermissions` method.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

3122

"permissions": [ # The set of permissions to check for the `resource`. Permissions with

3123

# wildcards (such as '*' or 'storage.*') are not allowed. For more

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

3124

# information see

3125

# [IAM Overview](https://cloud.google.com/iam/docs/overview#permissions).

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

3126

"A String",

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

],

}

x__xgafv: string, V1 error format.

Allowed values

1 - v1 error format

2 - v2 error format

Returns:

An object of the form:

3137

3138

{ # Response message for `TestIamPermissions` method.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

3139

"permissions": [ # A subset of `TestPermissionsRequest.permissions` that the caller is

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

3140

# allowed.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

3141

"A String",

Bu Sun Kim