Blame - docs/dyn/containeranalysis_v1beta1.projects.occurrences.html - platform/external/python/google-api-python-client

2020-05-01 07:42:23 -0700

[diff] [blame]

78

<code><a href="#batchCreate">batchCreate(parent, body=None, x__xgafv=None)</a></code></p>

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

79

<p class="firstline">Creates new occurrences in batch.</p>

80

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

81

<code><a href="#create">create(parent, body=None, x__xgafv=None)</a></code></p>

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

82

<p class="firstline">Creates a new occurrence.</p>

83

84

<code><a href="#delete">delete(name, x__xgafv=None)</a></code></p>

85

<p class="firstline">Deletes the specified occurrence. For example, use this method to delete an</p>

86

87

<code><a href="#get">get(name, x__xgafv=None)</a></code></p>

88

<p class="firstline">Gets the specified occurrence.</p>

89

90

<code><a href="#getIamPolicy">getIamPolicy(resource, body=None, x__xgafv=None)</a></code></p>

91

<p class="firstline">Gets the access control policy for a note or an occurrence resource.</p>

92

93

<code><a href="#getNotes">getNotes(name, x__xgafv=None)</a></code></p>

94

<p class="firstline">Gets the note attached to the specified occurrence. Consumer projects can</p>

95

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

96

<code><a href="#getVulnerabilitySummary">getVulnerabilitySummary(parent, filter=None, x__xgafv=None)</a></code></p>

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

97

<p class="firstline">Gets a summary of the number and severity of occurrences.</p>

98

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

99

<code><a href="#list">list(parent, filter=None, pageToken=None, pageSize=None, x__xgafv=None)</a></code></p>

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

100

<p class="firstline">Lists occurrences for the specified project.</p>

101

102

<code><a href="#list_next">list_next(previous_request, previous_response)</a></code></p>

103

<p class="firstline">Retrieves the next page of results.</p>

104

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

105

<code><a href="#patch">patch(name, body=None, updateMask=None, x__xgafv=None)</a></code></p>

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

106

<p class="firstline">Updates the specified occurrence.</p>

107

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

108

<code><a href="#setIamPolicy">setIamPolicy(resource, body=None, x__xgafv=None)</a></code></p>

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

109

<p class="firstline">Sets the access control policy on the specified note or occurrence.</p>

110

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

111

<code><a href="#testIamPermissions">testIamPermissions(resource, body=None, x__xgafv=None)</a></code></p>

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

112

<p class="firstline">Returns the permissions that a caller has on the specified note or</p>

113

<h3>Method Details</h3>

114

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

115

<code class="details" id="batchCreate">batchCreate(parent, body=None, x__xgafv=None)</code>

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

116

<pre>Creates new occurrences in batch.

117

118

Args:

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

119

parent: string, Required. The name of the project in the form of `projects/[PROJECT_ID]`, under which

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

120

the occurrences are to be created. (required)

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

121

body: object, The request body.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

122

The object takes the form of:

123

124

{ # Request to create occurrences in batch.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

125

"occurrences": [ # Required. The occurrences to create. Max allowed length is 1000.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

126

{ # An instance of an analysis type that has been found on a resource.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

127

"kind": "A String", # Output only. This explicitly denotes which of the occurrence details are

128

# specified. This field can be used as a filter in list requests.

129

"resource": { # An entity that can have metadata. For example, a Docker image. # Required. Immutable. The resource for which the occurrence applies.

130

"name": "A String", # Deprecated, do not use. Use uri instead.

131

#

132

# The name of the resource. For example, the name of a Docker image -

133

# "Debian".

134

"contentHash": { # Container message for hash values. # Deprecated, do not use. Use uri instead.

135

#

136

# The hash of the resource content. For example, the Docker digest.

137

"type": "A String", # Required. The type of hash that was performed.

138

"value": "A String", # Required. The hash value.

139

},

140

"uri": "A String", # Required. The unique URI of the resource. For example,

141

# `https://gcr.io/project/image@sha256:foo` for a Docker image.

142

},

143

"attestation": { # Details of an attestation occurrence. # Describes an attestation of an artifact.

144

"attestation": { # Occurrence that represents a single "attestation". The authenticity of an # Required. Attestation for the resource.

145

# attestation can be verified using the attached signature. If the verifier

146

# trusts the public key of the signer, then verifying the signature is

147

# sufficient to establish trust. In this circumstance, the authority to which

148

# this attestation is attached is primarily useful for look-up (how to find

149

# this attestation if you already know the authority and artifact to be

150

# verified) and intent (which authority was this attestation intended to sign

151

# for).

152

"pgpSignedAttestation": { # An attestation wrapper with a PGP-compatible signature. This message only # A PGP signed attestation.

153

# supports `ATTACHED` signatures, where the payload that is signed is included

154

# alongside the signature itself in the same file.

155

"contentType": "A String", # Type (for example schema) of the attestation payload that was signed.

156

# The verifier must ensure that the provided type is one that the verifier

157

# supports, and that the attestation payload is a valid instantiation of that

158

# type (for example by validating a JSON schema).

159

"signature": "A String", # Required. The raw content of the signature, as output by GNU Privacy Guard

160

# (GPG) or equivalent. Since this message only supports attached signatures,

161

# the payload that was signed must be attached. While the signature format

162

# supported is dependent on the verification implementation, currently only

163

# ASCII-armored (`--armor` to gpg), non-clearsigned (`--sign` rather than

164

# `--clearsign` to gpg) are supported. Concretely, `gpg --sign --armor

165

# --output=signature.gpg payload.json` will create the signature content

166

# expected in this field in `signature.gpg` for the `payload.json`

167

# attestation payload.

168

"pgpKeyId": "A String", # The cryptographic fingerprint of the key used to generate the signature,

169

# as output by, e.g. `gpg --list-keys`. This should be the version 4, full

170

# 160-bit fingerprint, expressed as a 40 character hexidecimal string. See

171

# https://tools.ietf.org/html/rfc4880#section-12.2 for details.

172

# Implementations may choose to acknowledge "LONG", "SHORT", or other

173

# abbreviated key IDs, but only the full fingerprint is guaranteed to work.

174

# In gpg, the full fingerprint can be retrieved from the `fpr` field

175

# returned when calling --list-keys with --with-colons. For example:

176

# ```

177

# gpg --with-colons --with-fingerprint --force-v4-certs \

178

# --list-keys attester@example.com

179

# tru::1:1513631572:0:3:1:5

180

# pub:...<SNIP>...

181

# fpr:::::::::24FF6481B76AC91E66A00AC657A93A81EF3AE6FB:

182

# ```

183

# Above, the fingerprint is `24FF6481B76AC91E66A00AC657A93A81EF3AE6FB`.

184

},

185

"genericSignedAttestation": { # An attestation wrapper that uses the Grafeas `Signature` message.

186

# This attestation must define the `serialized_payload` that the `signatures`

187

# verify and any metadata necessary to interpret that plaintext. The

188

# signatures should always be over the `serialized_payload` bytestring.

189

"contentType": "A String", # Type (for example schema) of the attestation payload that was signed.

190

# The verifier must ensure that the provided type is one that the verifier

191

# supports, and that the attestation payload is a valid instantiation of that

192

# type (for example by validating a JSON schema).

193

"signatures": [ # One or more signatures over `serialized_payload`. Verifier implementations

194

# should consider this attestation message verified if at least one

195

# `signature` verifies `serialized_payload`. See `Signature` in common.proto

196

# for more details on signature structure and verification.

197

{ # Verifiers (e.g. Kritis implementations) MUST verify signatures

198

# with respect to the trust anchors defined in policy (e.g. a Kritis policy).

199

# Typically this means that the verifier has been configured with a map from

200

# `public_key_id` to public key material (and any required parameters, e.g.

201

# signing algorithm).

202

#

203

# In particular, verification implementations MUST NOT treat the signature

204

# `public_key_id` as anything more than a key lookup hint. The `public_key_id`

205

# DOES NOT validate or authenticate a public key; it only provides a mechanism

206

# for quickly selecting a public key ALREADY CONFIGURED on the verifier through

207

# a trusted channel. Verification implementations MUST reject signatures in any

208

# of the following circumstances:

209

# * The `public_key_id` is not recognized by the verifier.

210

# * The public key that `public_key_id` refers to does not verify the

211

# signature with respect to the payload.

212

#

213

# The `signature` contents SHOULD NOT be "attached" (where the payload is

214

# included with the serialized `signature` bytes). Verifiers MUST ignore any

215

# "attached" payload and only verify signatures with respect to explicitly

216

# provided payload (e.g. a `payload` field on the proto message that holds

217

# this Signature, or the canonical serialization of the proto message that

218

# holds this signature).

219

"publicKeyId": "A String", # The identifier for the public key that verifies this signature.

220

# * The `public_key_id` is required.

221

# * The `public_key_id` MUST be an RFC3986 conformant URI.

222

# * When possible, the `public_key_id` SHOULD be an immutable reference,

223

# such as a cryptographic digest.

224

#

225

# Examples of valid `public_key_id`s:

226

#

227

# OpenPGP V4 public key fingerprint:

228

# * "openpgp4fpr:74FAF3B861BDA0870C7B6DEF607E48D2A663AEEA"

229

# See https://www.iana.org/assignments/uri-schemes/prov/openpgp4fpr for more

230

# details on this scheme.

231

#

232

# RFC6920 digest-named SubjectPublicKeyInfo (digest of the DER

233

# serialization):

234

# * "ni:///sha-256;cD9o9Cq6LG3jD0iKXqEi_vdjJGecm_iXkbqVoScViaU"

235

# * "nih:///sha-256;703f68f42aba2c6de30f488a5ea122fef76324679c9bf89791ba95a1271589a5"

236

"signature": "A String", # The content of the signature, an opaque bytestring.

237

# The payload that this signature verifies MUST be unambiguously provided

238

# with the Signature during verification. A wrapper message might provide

239

# the payload explicitly. Alternatively, a message might have a canonical

240

# serialization that can always be unambiguously computed to derive the

# payload.

},

],

"serializedPayload": "A String", # The serialized payload that is verified by one or more `signatures`.

245

# The encoding and semantic meaning of this payload must match what is set in

# `content_type`.

},

},

},

"name": "A String", # Output only. The name of the occurrence in the form of

251

# `projects/[PROJECT_ID]/occurrences/[OCCURRENCE_ID]`.

252

"vulnerability": { # Details of a vulnerability Occurrence. # Describes a security vulnerability.

253

"longDescription": "A String", # Output only. A detailed description of this vulnerability.

254

"shortDescription": "A String", # Output only. A one sentence description of this vulnerability.

255

"effectiveSeverity": "A String", # The distro assigned severity for this vulnerability when it is

256

# available, and note provider assigned severity when distro has not yet

257

# assigned a severity for this vulnerability.

258

"severity": "A String", # Output only. The note provider assigned Severity of the vulnerability.

259

"cvssScore": 3.14, # Output only. The CVSS score of this vulnerability. CVSS score is on a

260

# scale of 0-10 where 0 indicates low severity and 10 indicates high

261

# severity.

262

"relatedUrls": [ # Output only. URLs related to this vulnerability.

263

{ # Metadata for any related URL information.

264

"url": "A String", # Specific URL associated with the resource.

265

"label": "A String", # Label to describe usage of the URL.

266

},

267

],

268

"type": "A String", # The type of package; whether native or non native(ruby gems, node.js

269

# packages etc)

270

"packageIssue": [ # Required. The set of affected locations and their fixes (if available)

271

# within the associated resource.

272

{ # This message wraps a location affected by a vulnerability and its

273

# associated fix (if one is available).

274

"severityName": "A String", # Deprecated, use Details.effective_severity instead

275

# The severity (e.g., distro assigned severity) for this vulnerability.

276

"affectedLocation": { # The location of the vulnerability. # Required. The location of the vulnerability.

277

"package": "A String", # Required. The package being described.

278

"version": { # Version contains structured information about the version of a package. # Required. The version of the package being described.

279

"revision": "A String", # The iteration of the package build from the above version.

280

"name": "A String", # Required only when version kind is NORMAL. The main part of the version

281

# name.

282

"kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal

283

# versions.

284

"epoch": 42, # Used to correct mistakes in the version numbering scheme.

285

},

286

"cpeUri": "A String", # Required. The CPE URI in [cpe format](https://cpe.mitre.org/specification/)

287

# format. Examples include distro or storage location for vulnerable jar.

288

},

289

"fixedLocation": { # The location of the vulnerability. # The location of the available fix for vulnerability.

290

"package": "A String", # Required. The package being described.

291

"version": { # Version contains structured information about the version of a package. # Required. The version of the package being described.

292

"revision": "A String", # The iteration of the package build from the above version.

293

"name": "A String", # Required only when version kind is NORMAL. The main part of the version

294

# name.

295

"kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal

296

# versions.

297

"epoch": 42, # Used to correct mistakes in the version numbering scheme.

298

},

299

"cpeUri": "A String", # Required. The CPE URI in [cpe format](https://cpe.mitre.org/specification/)

300

# format. Examples include distro or storage location for vulnerable jar.

},

},

],

},

"installation": { # Details of a package occurrence. # Describes the installation of a package on the linked resource.

306

"installation": { # This represents how a particular software package may be installed on a # Required. Where the package was installed.

307

# system.

308

"location": [ # Required. All of the places within the filesystem versions of this package

309

# have been found.

310

{ # An occurrence of a particular package installation found within a system's

311

# filesystem. E.g., glibc was found in `/var/lib/dpkg/status`.

312

"cpeUri": "A String", # Required. The CPE URI in [CPE format](https://cpe.mitre.org/specification/)

313

# denoting the package manager version distributing a package.

314

"version": { # Version contains structured information about the version of a package. # The version installed at this location.

315

"revision": "A String", # The iteration of the package build from the above version.

316

"name": "A String", # Required only when version kind is NORMAL. The main part of the version

317

# name.

318

"kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal

319

# versions.

320

"epoch": 42, # Used to correct mistakes in the version numbering scheme.

321

},

322

"path": "A String", # The path from which we gathered that this package/version is installed.

323

},

324

],

325

"name": "A String", # Output only. The name of the installed package.

326

},

327

},

328

"build": { # Details of a build occurrence. # Describes a verifiable build.

329

"provenanceBytes": "A String", # Serialized JSON representation of the provenance, used in generating the

330

# build signature in the corresponding build note. After verifying the

331

# signature, `provenance_bytes` can be unmarshalled and compared to the

332

# provenance to confirm that it is unchanged. A base64-encoded string

333

# representation of the provenance bytes is used for the signature in order

334

# to interoperate with openssl which expects this format for signature

335

# verification.

336

#

337

# The serialized form is captured both to avoid ambiguity in how the

338

# provenance is marshalled to json as well to prevent incompatibilities with

339

# future changes.

340

"provenance": { # Provenance of a build. Contains all information needed to verify the full # Required. The actual provenance for the build.

341

# details about the build from source to completion.

342

"endTime": "A String", # Time at which execution of the build was finished.

343

"startTime": "A String", # Time at which execution of the build was started.

344

"triggerId": "A String", # Trigger identifier if the build was triggered automatically; empty if not.

345

"sourceProvenance": { # Source describes the location of the source used for the build. # Details of the Source input to the build.

346

"artifactStorageSourceUri": "A String", # If provided, the input binary artifacts for the build came from this

347

# location.

348

"additionalContexts": [ # If provided, some of the source code used for the build may be found in

349

# these locations, in the case where the source repository had multiple

350

# remotes or submodules. This list will not include the context specified in

351

# the context field.

352

{ # A SourceContext is a reference to a tree of files. A SourceContext together

353

# with a path point to a unique revision of a single file or directory.

354

"labels": { # Labels with user defined metadata.

355

"a_key": "A String",

356

},

357

"git": { # A GitSourceContext denotes a particular revision in a third party Git # A SourceContext referring to any third party Git repo (e.g., GitHub).

358

# repository (e.g., GitHub).

359

"url": "A String", # Git repository URL.

360

"revisionId": "A String", # Git commit hash.

361

},

362

"gerrit": { # A SourceContext referring to a Gerrit project. # A SourceContext referring to a Gerrit project.

363

"hostUri": "A String", # The URI of a running Gerrit instance.

364

"revisionId": "A String", # A revision (commit) ID.

365

"gerritProject": "A String", # The full project name within the host. Projects may be nested, so

366

# "project/subproject" is a valid project name. The "repo name" is the

367

# hostURI/project.

368

"aliasContext": { # An alias to a repo revision. # An alias, which may be a branch or tag.

369

"name": "A String", # The alias name.

370

"kind": "A String", # The alias kind.

371

},

372

},

373

"cloudRepo": { # A CloudRepoSourceContext denotes a particular revision in a Google Cloud # A SourceContext referring to a revision in a Google Cloud Source Repo.

374

# Source Repo.

375

"revisionId": "A String", # A revision ID.

376

"repoId": { # A unique identifier for a Cloud Repo. # The ID of the repo.

377

"projectRepoId": { # Selects a repo using a Google Cloud Platform project ID (e.g., # A combination of a project ID and a repo name.

378

# winged-cargo-31) and a repo name within that project.

379

"projectId": "A String", # The ID of the project.

380

"repoName": "A String", # The name of the repo. Leave empty for the default repo.

381

},

382

"uid": "A String", # A server-assigned, globally unique identifier.

383

},

384

"aliasContext": { # An alias to a repo revision. # An alias, which may be a branch or tag.

385

"name": "A String", # The alias name.

386

"kind": "A String", # The alias kind.

},

},

},

],

"fileHashes": { # Hash(es) of the build source, which can be used to verify that the original

392

# source integrity was maintained in the build.

393

#

394

# The keys to this map are file paths used as build source and the values

395

# contain the hash values for those files.

396

#

397

# If the build source came in a single package such as a gzipped tarfile

398

# (.tar.gz), the FileHash will be for the single path to that file.

399

"a_key": { # Container message for hashes of byte content of files, used in source

400

# messages to verify integrity of source input to the build.

401

"fileHash": [ # Required. Collection of file hashes.

402

{ # Container message for hash values.

403

"type": "A String", # Required. The type of hash that was performed.

404

"value": "A String", # Required. The hash value.

},

],

},

},

"context": { # A SourceContext is a reference to a tree of files. A SourceContext together # If provided, the source code used for the build came from this location.

410

# with a path point to a unique revision of a single file or directory.

411

"labels": { # Labels with user defined metadata.

412

"a_key": "A String",

413

},

414

"git": { # A GitSourceContext denotes a particular revision in a third party Git # A SourceContext referring to any third party Git repo (e.g., GitHub).

415

# repository (e.g., GitHub).

416

"url": "A String", # Git repository URL.

417

"revisionId": "A String", # Git commit hash.

418

},

419

"gerrit": { # A SourceContext referring to a Gerrit project. # A SourceContext referring to a Gerrit project.

420

"hostUri": "A String", # The URI of a running Gerrit instance.

421

"revisionId": "A String", # A revision (commit) ID.

422

"gerritProject": "A String", # The full project name within the host. Projects may be nested, so

423

# "project/subproject" is a valid project name. The "repo name" is the

424

# hostURI/project.

425

"aliasContext": { # An alias to a repo revision. # An alias, which may be a branch or tag.

426

"name": "A String", # The alias name.

427

"kind": "A String", # The alias kind.

428

},

429

},

430

"cloudRepo": { # A CloudRepoSourceContext denotes a particular revision in a Google Cloud # A SourceContext referring to a revision in a Google Cloud Source Repo.

431

# Source Repo.

432

"revisionId": "A String", # A revision ID.

433

"repoId": { # A unique identifier for a Cloud Repo. # The ID of the repo.

434

"projectRepoId": { # Selects a repo using a Google Cloud Platform project ID (e.g., # A combination of a project ID and a repo name.

435

# winged-cargo-31) and a repo name within that project.

436

"projectId": "A String", # The ID of the project.

437

"repoName": "A String", # The name of the repo. Leave empty for the default repo.

438

},

439

"uid": "A String", # A server-assigned, globally unique identifier.

440

},

441

"aliasContext": { # An alias to a repo revision. # An alias, which may be a branch or tag.

442

"name": "A String", # The alias name.

443

"kind": "A String", # The alias kind.

},

},

},

},

"createTime": "A String", # Time at which the build was created.

449

"projectId": "A String", # ID of the project.

450

"logsUri": "A String", # URI where any logs for this provenance were written.

451

"creator": "A String", # E-mail address of the user who initiated this build. Note that this was the

452

# user's e-mail address at the time the build was initiated; this address may

453

# not represent the same end-user for all time.

454

"builderVersion": "A String", # Version string of the builder at the time this build was executed.

455

"commands": [ # Commands requested by the build.

456

{ # Command describes a step performed as part of the build pipeline.

457

"dir": "A String", # Working directory (relative to project source root) used when running this

458

# command.

459

"waitFor": [ # The ID(s) of the command(s) that this command depends on.

460

"A String",

461

],

462

"env": [ # Environment variables set before running this command.

463

"A String",

464

],

465

"args": [ # Command-line arguments used when executing this command.

466

"A String",

467

],

468

"name": "A String", # Required. Name of the command, as presented on the command line, or if the

469

# command is packaged as a Docker container, as presented to `docker pull`.

470

"id": "A String", # Optional unique identifier for this command, used in wait_for to reference

471

# this command as a dependency.

472

},

473

],

474

"builtArtifacts": [ # Output of the build.

475

{ # Artifact describes a build product.

476

"checksum": "A String", # Hash or checksum value of a binary, or Docker Registry 2.0 digest of a

477

# container.

478

"id": "A String", # Artifact ID, if any; for container images, this will be a URL by digest

479

# like `gcr.io/projectID/imagename@sha256:123456`.

480

"names": [ # Related artifact names. This may be the path to a binary or jar file, or in

481

# the case of a container build, the name used to push the container image to

482

# Google Container Registry, as presented to `docker push`. Note that a

483

# single Artifact ID can have multiple names, for example if two tags are

484

# applied to one image.

"A String",

],

},

],

"id": "A String", # Required. Unique identifier of the build.

490

"buildOptions": { # Special options applied to this build. This is a catch-all field where

491

# build providers can enter any desired additional details.

"a_key": "A String",

},

},

},

"discovered": { # Details of a discovery occurrence. # Describes when a resource was discovered.

497

"discovered": { # Provides information about the analysis status of a discovered resource. # Required. Analysis status for the discovered resource.

498

"analysisStatusError": { # The `Status` type defines a logical error model that is suitable for # When an error is encountered this will contain a LocalizedMessage under

499

# details to show to the user. The LocalizedMessage is output only and

500

# populated by the API.

501

# different programming environments, including REST APIs and RPC APIs. It is

502

# used by [gRPC](https://github.com/grpc). Each `Status` message contains

503

# three pieces of data: error code, error message, and error details.

504

#

505

# You can find out more about this error model and how to work with it in the

506

# [API Design Guide](https://cloud.google.com/apis/design/errors).

507

"details": [ # A list of messages that carry the error details. There is a common set of

508

# message types for APIs to use.

509

{

510

"a_key": "", # Properties of the object. Contains field @type with type URL.

511

},

512

],

513

"code": 42, # The status code, which should be an enum value of google.rpc.Code.

514

"message": "A String", # A developer-facing error message, which should be in English. Any

515

# user-facing error message should be localized and sent in the

516

# google.rpc.Status.details field, or localized by the client.

517

},

518

"analysisStatus": "A String", # The status of discovery for the resource.

519

"continuousAnalysis": "A String", # Whether the resource is continuously analyzed.

520

"lastAnalysisTime": "A String", # The last time continuous analysis was done for this resource.

521

# Deprecated, do not use.

522

},

523

},

524

"noteName": "A String", # Required. Immutable. The analysis note associated with this occurrence, in

525

# the form of `projects/[PROVIDER_ID]/notes/[NOTE_ID]`. This field can be

526

# used as a filter in list requests.

527

"deployment": { # Details of a deployment occurrence. # Describes the deployment of an artifact on a runtime.

528

"deployment": { # The period during which some deployable was active in a runtime. # Required. Deployment history for the resource.

529

"userEmail": "A String", # Identity of the user that triggered this deployment.

530

"config": "A String", # Configuration used to create this deployment.

531

"undeployTime": "A String", # End of the lifetime of this deployment.

532

"platform": "A String", # Platform hosting this deployment.

533

"deployTime": "A String", # Required. Beginning of the lifetime of this deployment.

534

"address": "A String", # Address of the runtime element hosting this deployment.

535

"resourceUri": [ # Output only. Resource URI for the artifact being deployed taken from

536

# the deployable field with the same name.

"A String",

],

},

},

"createTime": "A String", # Output only. The time this occurrence was created.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

542

"updateTime": "A String", # Output only. The time this occurrence was last updated.

543

"remediation": "A String", # A description of actions that can be taken to remedy the note.

544

"intoto": { # This corresponds to a signed in-toto link - it is made up of one or more # Describes a specific in-toto link.

545

# signatures and the in-toto link itself. This is used for occurrences of a

546

# Grafeas in-toto note.

547

"signed": { # This corresponds to an in-toto link.

548

"command": [ # This field contains the full command executed for the step. This can also

549

# be empty if links are generated for operations that aren't directly mapped

550

# to a specific command. Each term in the command is an independent string

551

# in the list. An example of a command in the in-toto metadata field is:

552

# "command": ["git", "clone", "https://github.com/in-toto/demo-project.git"]

553

"A String",

554

],

555

"byproducts": { # Defines an object for the byproducts field in in-toto links. The suggested # ByProducts are data generated as part of a software supply chain step, but

556

# are not the actual result of the step.

557

# fields are "stderr", "stdout", and "return-value".

"customValues": {

"a_key": "A String",

},

},

"environment": { # Defines an object for the environment field in in-toto links. The suggested # This is a field that can be used to capture information about the

563

# environment. It is suggested for this field to contain information that

564

# details environment variables, filesystem information, and the present

565

# working directory. The recommended structure of this field is:

566

# "environment": {

567

# "custom_values": {

568

# "variables": "<ENV>",

569

# "filesystem": "<FS>",

570

# "workdir": "<CWD>",

571

# "<ANY OTHER RELEVANT FIELDS>": "..."

572

# }

573

# }

574

# fields are "variables", "filesystem", and "workdir".

"customValues": {

"a_key": "A String",

},

},

"materials": [ # Materials are the supply chain artifacts that go into the step and are used

580

# for the operation performed. The key of the map is the path of the artifact

581

# and the structure contains the recorded hash information. An example is:

582

# "materials": [

583

# {

584

# "resource_uri": "foo/bar",

585

# "hashes": {

586

# "sha256": "ebebf...",

587

# <OTHER HASH ALGORITHMS>: <HASH VALUE>

# }

# }

# ]

{

"hashes": { # Defines a hash object for use in Materials and Products.

593

"sha256": "A String",

594

},

595

"resourceUri": "A String",

596

},

597

],

598

"products": [ # Products are the supply chain artifacts generated as a result of the step.

599

# The structure is identical to that of materials.

600

{

601

"hashes": { # Defines a hash object for use in Materials and Products.

602

"sha256": "A String",

603

},

604

"resourceUri": "A String",

605

},

606

],

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

607

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

608

"signatures": [

609

{ # A signature object consists of the KeyID used and the signature itself.

610

"sig": "A String",

611

"keyid": "A String",

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

612

},

613

],

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

614

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

615

"derivedImage": { # Details of an image occurrence. # Describes how this resource derives from the basis in the associated

616

# note.

617

"derivedImage": { # Derived describes the derived image portion (Occurrence) of the DockerImage # Required. Immutable. The child image derived from the base image.

618

# relationship. This image would be produced from a Dockerfile with FROM

619

# <DockerImage.Basis in attached Note>.

620

"fingerprint": { # A set of properties that uniquely identify a given Docker image. # Required. The fingerprint of the derived image.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

621

"v2Blob": [ # Required. The ordered list of v2 blobs that represent a given image.

622

"A String",

623

],

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

624

"v1Name": "A String", # Required. The layer ID of the final layer in the Docker image's v1

625

# representation.

626

"v2Name": "A String", # Output only. The name of the image's v2 blobs computed via:

627

# [bottom] := v2_blobbottom := sha256(v2_blob[N] + " " + v2_name[N+1])

628

# Only the name of the final blob is kept.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

629

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

630

"layerInfo": [ # This contains layer-specific metadata, if populated it has length

631

# "distance" and is ordered with [distance] being the layer immediately

632

# following the base image and [1] being the final layer.

633

{ # Layer holds metadata specific to a layer of a Docker image.

634

"directive": "A String", # Required. The recovered Dockerfile directive used to construct this layer.

635

"arguments": "A String", # The recovered arguments to the Dockerfile directive.

636

},

637

],

638

"distance": 42, # Output only. The number of layers by which this image differs from the

639

# associated image basis.

640

"baseResourceUrl": "A String", # Output only. This contains the base image URL for the derived image

641

# occurrence.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

642

},

643

},

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

},

],

}

x__xgafv: string, V1 error format.

Allowed values

1 - v1 error format

2 - v2 error format

Returns:

An object of the form:

655

656

{ # Response for creating occurrences in batch.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

657

"occurrences": [ # The occurrences that were created.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

658

{ # An instance of an analysis type that has been found on a resource.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

659

"kind": "A String", # Output only. This explicitly denotes which of the occurrence details are

660

# specified. This field can be used as a filter in list requests.

661

"resource": { # An entity that can have metadata. For example, a Docker image. # Required. Immutable. The resource for which the occurrence applies.

662

"name": "A String", # Deprecated, do not use. Use uri instead.

663

#

664

# The name of the resource. For example, the name of a Docker image -

665

# "Debian".

666

"contentHash": { # Container message for hash values. # Deprecated, do not use. Use uri instead.

667

#

668

# The hash of the resource content. For example, the Docker digest.

669

"type": "A String", # Required. The type of hash that was performed.

670

"value": "A String", # Required. The hash value.

671

},

672

"uri": "A String", # Required. The unique URI of the resource. For example,

673

# `https://gcr.io/project/image@sha256:foo` for a Docker image.

674

},

675

"attestation": { # Details of an attestation occurrence. # Describes an attestation of an artifact.

676

"attestation": { # Occurrence that represents a single "attestation". The authenticity of an # Required. Attestation for the resource.

677

# attestation can be verified using the attached signature. If the verifier

678

# trusts the public key of the signer, then verifying the signature is

679

# sufficient to establish trust. In this circumstance, the authority to which

680

# this attestation is attached is primarily useful for look-up (how to find

681

# this attestation if you already know the authority and artifact to be

682

# verified) and intent (which authority was this attestation intended to sign

683

# for).

684

"pgpSignedAttestation": { # An attestation wrapper with a PGP-compatible signature. This message only # A PGP signed attestation.

685

# supports `ATTACHED` signatures, where the payload that is signed is included

686

# alongside the signature itself in the same file.

687

"contentType": "A String", # Type (for example schema) of the attestation payload that was signed.

688

# The verifier must ensure that the provided type is one that the verifier

689

# supports, and that the attestation payload is a valid instantiation of that

690

# type (for example by validating a JSON schema).

691

"signature": "A String", # Required. The raw content of the signature, as output by GNU Privacy Guard

692

# (GPG) or equivalent. Since this message only supports attached signatures,

693

# the payload that was signed must be attached. While the signature format

694

# supported is dependent on the verification implementation, currently only

695

# ASCII-armored (`--armor` to gpg), non-clearsigned (`--sign` rather than

696

# `--clearsign` to gpg) are supported. Concretely, `gpg --sign --armor

697

# --output=signature.gpg payload.json` will create the signature content

698

# expected in this field in `signature.gpg` for the `payload.json`

699

# attestation payload.

700

"pgpKeyId": "A String", # The cryptographic fingerprint of the key used to generate the signature,

701

# as output by, e.g. `gpg --list-keys`. This should be the version 4, full

702

# 160-bit fingerprint, expressed as a 40 character hexidecimal string. See

703

# https://tools.ietf.org/html/rfc4880#section-12.2 for details.

704

# Implementations may choose to acknowledge "LONG", "SHORT", or other

705

# abbreviated key IDs, but only the full fingerprint is guaranteed to work.

706

# In gpg, the full fingerprint can be retrieved from the `fpr` field

707

# returned when calling --list-keys with --with-colons. For example:

708

# ```

709

# gpg --with-colons --with-fingerprint --force-v4-certs \

710

# --list-keys attester@example.com

711

# tru::1:1513631572:0:3:1:5

712

# pub:...<SNIP>...

713

# fpr:::::::::24FF6481B76AC91E66A00AC657A93A81EF3AE6FB:

714

# ```

715

# Above, the fingerprint is `24FF6481B76AC91E66A00AC657A93A81EF3AE6FB`.

716

},

717

"genericSignedAttestation": { # An attestation wrapper that uses the Grafeas `Signature` message.

718

# This attestation must define the `serialized_payload` that the `signatures`

719

# verify and any metadata necessary to interpret that plaintext. The

720

# signatures should always be over the `serialized_payload` bytestring.

721

"contentType": "A String", # Type (for example schema) of the attestation payload that was signed.

722

# The verifier must ensure that the provided type is one that the verifier

723

# supports, and that the attestation payload is a valid instantiation of that

724

# type (for example by validating a JSON schema).

725

"signatures": [ # One or more signatures over `serialized_payload`. Verifier implementations

726

# should consider this attestation message verified if at least one

727

# `signature` verifies `serialized_payload`. See `Signature` in common.proto

728

# for more details on signature structure and verification.

729

{ # Verifiers (e.g. Kritis implementations) MUST verify signatures

730

# with respect to the trust anchors defined in policy (e.g. a Kritis policy).

731

# Typically this means that the verifier has been configured with a map from

732

# `public_key_id` to public key material (and any required parameters, e.g.

733

# signing algorithm).

734

#

735

# In particular, verification implementations MUST NOT treat the signature

736

# `public_key_id` as anything more than a key lookup hint. The `public_key_id`

737

# DOES NOT validate or authenticate a public key; it only provides a mechanism

738

# for quickly selecting a public key ALREADY CONFIGURED on the verifier through

739

# a trusted channel. Verification implementations MUST reject signatures in any

740

# of the following circumstances:

741

# * The `public_key_id` is not recognized by the verifier.

742

# * The public key that `public_key_id` refers to does not verify the

743

# signature with respect to the payload.

744

#

745

# The `signature` contents SHOULD NOT be "attached" (where the payload is

746

# included with the serialized `signature` bytes). Verifiers MUST ignore any

747

# "attached" payload and only verify signatures with respect to explicitly

748

# provided payload (e.g. a `payload` field on the proto message that holds

749

# this Signature, or the canonical serialization of the proto message that

750

# holds this signature).

751

"publicKeyId": "A String", # The identifier for the public key that verifies this signature.

752

# * The `public_key_id` is required.

753

# * The `public_key_id` MUST be an RFC3986 conformant URI.

754

# * When possible, the `public_key_id` SHOULD be an immutable reference,

755

# such as a cryptographic digest.

756

#

757

# Examples of valid `public_key_id`s:

758

#

759

# OpenPGP V4 public key fingerprint:

760

# * "openpgp4fpr:74FAF3B861BDA0870C7B6DEF607E48D2A663AEEA"

761

# See https://www.iana.org/assignments/uri-schemes/prov/openpgp4fpr for more

762

# details on this scheme.

763

#

764

# RFC6920 digest-named SubjectPublicKeyInfo (digest of the DER

765

# serialization):

766

# * "ni:///sha-256;cD9o9Cq6LG3jD0iKXqEi_vdjJGecm_iXkbqVoScViaU"

767

# * "nih:///sha-256;703f68f42aba2c6de30f488a5ea122fef76324679c9bf89791ba95a1271589a5"

768

"signature": "A String", # The content of the signature, an opaque bytestring.

769

# The payload that this signature verifies MUST be unambiguously provided

770

# with the Signature during verification. A wrapper message might provide

771

# the payload explicitly. Alternatively, a message might have a canonical

772

# serialization that can always be unambiguously computed to derive the

# payload.

},

],

"serializedPayload": "A String", # The serialized payload that is verified by one or more `signatures`.

777

# The encoding and semantic meaning of this payload must match what is set in

# `content_type`.

},

},

},

"name": "A String", # Output only. The name of the occurrence in the form of

783

# `projects/[PROJECT_ID]/occurrences/[OCCURRENCE_ID]`.

784

"vulnerability": { # Details of a vulnerability Occurrence. # Describes a security vulnerability.

785

"longDescription": "A String", # Output only. A detailed description of this vulnerability.

786

"shortDescription": "A String", # Output only. A one sentence description of this vulnerability.

787

"effectiveSeverity": "A String", # The distro assigned severity for this vulnerability when it is

788

# available, and note provider assigned severity when distro has not yet

789

# assigned a severity for this vulnerability.

790

"severity": "A String", # Output only. The note provider assigned Severity of the vulnerability.

791

"cvssScore": 3.14, # Output only. The CVSS score of this vulnerability. CVSS score is on a

792

# scale of 0-10 where 0 indicates low severity and 10 indicates high

793

# severity.

794

"relatedUrls": [ # Output only. URLs related to this vulnerability.

795

{ # Metadata for any related URL information.

796

"url": "A String", # Specific URL associated with the resource.

797

"label": "A String", # Label to describe usage of the URL.

798

},

799

],

800

"type": "A String", # The type of package; whether native or non native(ruby gems, node.js

801

# packages etc)

802

"packageIssue": [ # Required. The set of affected locations and their fixes (if available)

803

# within the associated resource.

804

{ # This message wraps a location affected by a vulnerability and its

805

# associated fix (if one is available).

806

"severityName": "A String", # Deprecated, use Details.effective_severity instead

807

# The severity (e.g., distro assigned severity) for this vulnerability.

808

"affectedLocation": { # The location of the vulnerability. # Required. The location of the vulnerability.

809

"package": "A String", # Required. The package being described.

810

"version": { # Version contains structured information about the version of a package. # Required. The version of the package being described.

811

"revision": "A String", # The iteration of the package build from the above version.

812

"name": "A String", # Required only when version kind is NORMAL. The main part of the version

813

# name.

814

"kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal

815

# versions.

816

"epoch": 42, # Used to correct mistakes in the version numbering scheme.

817

},

818

"cpeUri": "A String", # Required. The CPE URI in [cpe format](https://cpe.mitre.org/specification/)

819

# format. Examples include distro or storage location for vulnerable jar.

820

},

821

"fixedLocation": { # The location of the vulnerability. # The location of the available fix for vulnerability.

822

"package": "A String", # Required. The package being described.

823

"version": { # Version contains structured information about the version of a package. # Required. The version of the package being described.

824

"revision": "A String", # The iteration of the package build from the above version.

825

"name": "A String", # Required only when version kind is NORMAL. The main part of the version

826

# name.

827

"kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal

828

# versions.

829

"epoch": 42, # Used to correct mistakes in the version numbering scheme.

830

},

831

"cpeUri": "A String", # Required. The CPE URI in [cpe format](https://cpe.mitre.org/specification/)

832

# format. Examples include distro or storage location for vulnerable jar.

},

},

],

},

"installation": { # Details of a package occurrence. # Describes the installation of a package on the linked resource.

838

"installation": { # This represents how a particular software package may be installed on a # Required. Where the package was installed.

839

# system.

840

"location": [ # Required. All of the places within the filesystem versions of this package

841

# have been found.

842

{ # An occurrence of a particular package installation found within a system's

843

# filesystem. E.g., glibc was found in `/var/lib/dpkg/status`.

844

"cpeUri": "A String", # Required. The CPE URI in [CPE format](https://cpe.mitre.org/specification/)

845

# denoting the package manager version distributing a package.

846

"version": { # Version contains structured information about the version of a package. # The version installed at this location.

847

"revision": "A String", # The iteration of the package build from the above version.

848

"name": "A String", # Required only when version kind is NORMAL. The main part of the version

849

# name.

850

"kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal

851

# versions.

852

"epoch": 42, # Used to correct mistakes in the version numbering scheme.

853

},

854

"path": "A String", # The path from which we gathered that this package/version is installed.

855

},

856

],

857

"name": "A String", # Output only. The name of the installed package.

858

},

859

},

860

"build": { # Details of a build occurrence. # Describes a verifiable build.

861

"provenanceBytes": "A String", # Serialized JSON representation of the provenance, used in generating the

862

# build signature in the corresponding build note. After verifying the

863

# signature, `provenance_bytes` can be unmarshalled and compared to the

864

# provenance to confirm that it is unchanged. A base64-encoded string

865

# representation of the provenance bytes is used for the signature in order

866

# to interoperate with openssl which expects this format for signature

867

# verification.

868

#

869

# The serialized form is captured both to avoid ambiguity in how the

870

# provenance is marshalled to json as well to prevent incompatibilities with

871

# future changes.

872

"provenance": { # Provenance of a build. Contains all information needed to verify the full # Required. The actual provenance for the build.

873

# details about the build from source to completion.

874

"endTime": "A String", # Time at which execution of the build was finished.

875

"startTime": "A String", # Time at which execution of the build was started.

876

"triggerId": "A String", # Trigger identifier if the build was triggered automatically; empty if not.

877

"sourceProvenance": { # Source describes the location of the source used for the build. # Details of the Source input to the build.

878

"artifactStorageSourceUri": "A String", # If provided, the input binary artifacts for the build came from this

879

# location.

880

"additionalContexts": [ # If provided, some of the source code used for the build may be found in

881

# these locations, in the case where the source repository had multiple

882

# remotes or submodules. This list will not include the context specified in

883

# the context field.

884

{ # A SourceContext is a reference to a tree of files. A SourceContext together

885

# with a path point to a unique revision of a single file or directory.

886

"labels": { # Labels with user defined metadata.

887

"a_key": "A String",

888

},

889

"git": { # A GitSourceContext denotes a particular revision in a third party Git # A SourceContext referring to any third party Git repo (e.g., GitHub).

890

# repository (e.g., GitHub).

891

"url": "A String", # Git repository URL.

892

"revisionId": "A String", # Git commit hash.

893

},

894

"gerrit": { # A SourceContext referring to a Gerrit project. # A SourceContext referring to a Gerrit project.

895

"hostUri": "A String", # The URI of a running Gerrit instance.

896

"revisionId": "A String", # A revision (commit) ID.

897

"gerritProject": "A String", # The full project name within the host. Projects may be nested, so

898

# "project/subproject" is a valid project name. The "repo name" is the

899

# hostURI/project.

900

"aliasContext": { # An alias to a repo revision. # An alias, which may be a branch or tag.

901

"name": "A String", # The alias name.

902

"kind": "A String", # The alias kind.

903

},

904

},

905

"cloudRepo": { # A CloudRepoSourceContext denotes a particular revision in a Google Cloud # A SourceContext referring to a revision in a Google Cloud Source Repo.

906

# Source Repo.

907

"revisionId": "A String", # A revision ID.

908

"repoId": { # A unique identifier for a Cloud Repo. # The ID of the repo.

909

"projectRepoId": { # Selects a repo using a Google Cloud Platform project ID (e.g., # A combination of a project ID and a repo name.

910

# winged-cargo-31) and a repo name within that project.

911

"projectId": "A String", # The ID of the project.

912

"repoName": "A String", # The name of the repo. Leave empty for the default repo.

913

},

914

"uid": "A String", # A server-assigned, globally unique identifier.

915

},

916

"aliasContext": { # An alias to a repo revision. # An alias, which may be a branch or tag.

917

"name": "A String", # The alias name.

918

"kind": "A String", # The alias kind.

},

},

},

],

"fileHashes": { # Hash(es) of the build source, which can be used to verify that the original

924

# source integrity was maintained in the build.

925

#

926

# The keys to this map are file paths used as build source and the values

927

# contain the hash values for those files.

928

#

929

# If the build source came in a single package such as a gzipped tarfile

930

# (.tar.gz), the FileHash will be for the single path to that file.

931

"a_key": { # Container message for hashes of byte content of files, used in source

932

# messages to verify integrity of source input to the build.

933

"fileHash": [ # Required. Collection of file hashes.

934

{ # Container message for hash values.

935

"type": "A String", # Required. The type of hash that was performed.

936

"value": "A String", # Required. The hash value.

},

],

},

},

"context": { # A SourceContext is a reference to a tree of files. A SourceContext together # If provided, the source code used for the build came from this location.

942

# with a path point to a unique revision of a single file or directory.

943

"labels": { # Labels with user defined metadata.

944

"a_key": "A String",

945

},

946

"git": { # A GitSourceContext denotes a particular revision in a third party Git # A SourceContext referring to any third party Git repo (e.g., GitHub).

947

# repository (e.g., GitHub).

948

"url": "A String", # Git repository URL.

949

"revisionId": "A String", # Git commit hash.

950

},

951

"gerrit": { # A SourceContext referring to a Gerrit project. # A SourceContext referring to a Gerrit project.

952

"hostUri": "A String", # The URI of a running Gerrit instance.

953

"revisionId": "A String", # A revision (commit) ID.

954

"gerritProject": "A String", # The full project name within the host. Projects may be nested, so

955

# "project/subproject" is a valid project name. The "repo name" is the

956

# hostURI/project.

957

"aliasContext": { # An alias to a repo revision. # An alias, which may be a branch or tag.

958

"name": "A String", # The alias name.

959

"kind": "A String", # The alias kind.

960

},

961

},

962

"cloudRepo": { # A CloudRepoSourceContext denotes a particular revision in a Google Cloud # A SourceContext referring to a revision in a Google Cloud Source Repo.

963

# Source Repo.

964

"revisionId": "A String", # A revision ID.

965

"repoId": { # A unique identifier for a Cloud Repo. # The ID of the repo.

966

"projectRepoId": { # Selects a repo using a Google Cloud Platform project ID (e.g., # A combination of a project ID and a repo name.

967

# winged-cargo-31) and a repo name within that project.

968

"projectId": "A String", # The ID of the project.

969

"repoName": "A String", # The name of the repo. Leave empty for the default repo.

970

},

971

"uid": "A String", # A server-assigned, globally unique identifier.

972

},

973

"aliasContext": { # An alias to a repo revision. # An alias, which may be a branch or tag.

974

"name": "A String", # The alias name.

975

"kind": "A String", # The alias kind.

},

},

},

},

"createTime": "A String", # Time at which the build was created.

981

"projectId": "A String", # ID of the project.

982

"logsUri": "A String", # URI where any logs for this provenance were written.

983

"creator": "A String", # E-mail address of the user who initiated this build. Note that this was the

984

# user's e-mail address at the time the build was initiated; this address may

985

# not represent the same end-user for all time.

986

"builderVersion": "A String", # Version string of the builder at the time this build was executed.

987

"commands": [ # Commands requested by the build.

988

{ # Command describes a step performed as part of the build pipeline.

989

"dir": "A String", # Working directory (relative to project source root) used when running this

990

# command.

991

"waitFor": [ # The ID(s) of the command(s) that this command depends on.

992

"A String",

993

],

994

"env": [ # Environment variables set before running this command.

995

"A String",

996

],

997

"args": [ # Command-line arguments used when executing this command.

998

"A String",

999

],

1000

"name": "A String", # Required. Name of the command, as presented on the command line, or if the

1001

# command is packaged as a Docker container, as presented to `docker pull`.

1002

"id": "A String", # Optional unique identifier for this command, used in wait_for to reference

1003

# this command as a dependency.

1004

},

1005

],

1006

"builtArtifacts": [ # Output of the build.

1007

{ # Artifact describes a build product.

1008

"checksum": "A String", # Hash or checksum value of a binary, or Docker Registry 2.0 digest of a

1009

# container.

1010

"id": "A String", # Artifact ID, if any; for container images, this will be a URL by digest

1011

# like `gcr.io/projectID/imagename@sha256:123456`.

1012

"names": [ # Related artifact names. This may be the path to a binary or jar file, or in

1013

# the case of a container build, the name used to push the container image to

1014

# Google Container Registry, as presented to `docker push`. Note that a

1015

# single Artifact ID can have multiple names, for example if two tags are

1016

# applied to one image.

"A String",

],

},

],

"id": "A String", # Required. Unique identifier of the build.

1022

"buildOptions": { # Special options applied to this build. This is a catch-all field where

1023

# build providers can enter any desired additional details.

"a_key": "A String",

},

},

},

"discovered": { # Details of a discovery occurrence. # Describes when a resource was discovered.

1029

"discovered": { # Provides information about the analysis status of a discovered resource. # Required. Analysis status for the discovered resource.

1030

"analysisStatusError": { # The `Status` type defines a logical error model that is suitable for # When an error is encountered this will contain a LocalizedMessage under

1031

# details to show to the user. The LocalizedMessage is output only and

1032

# populated by the API.

1033

# different programming environments, including REST APIs and RPC APIs. It is

1034

# used by [gRPC](https://github.com/grpc). Each `Status` message contains

1035

# three pieces of data: error code, error message, and error details.

1036

#

1037

# You can find out more about this error model and how to work with it in the

1038

# [API Design Guide](https://cloud.google.com/apis/design/errors).

1039

"details": [ # A list of messages that carry the error details. There is a common set of

1040

# message types for APIs to use.

1041

{

1042

"a_key": "", # Properties of the object. Contains field @type with type URL.

1043

},

1044

],

1045

"code": 42, # The status code, which should be an enum value of google.rpc.Code.

1046

"message": "A String", # A developer-facing error message, which should be in English. Any

1047

# user-facing error message should be localized and sent in the

1048

# google.rpc.Status.details field, or localized by the client.

1049

},

1050

"analysisStatus": "A String", # The status of discovery for the resource.

1051

"continuousAnalysis": "A String", # Whether the resource is continuously analyzed.

1052

"lastAnalysisTime": "A String", # The last time continuous analysis was done for this resource.

1053

# Deprecated, do not use.

1054

},

1055

},

1056

"noteName": "A String", # Required. Immutable. The analysis note associated with this occurrence, in

1057

# the form of `projects/[PROVIDER_ID]/notes/[NOTE_ID]`. This field can be

1058

# used as a filter in list requests.

1059

"deployment": { # Details of a deployment occurrence. # Describes the deployment of an artifact on a runtime.

1060

"deployment": { # The period during which some deployable was active in a runtime. # Required. Deployment history for the resource.

1061

"userEmail": "A String", # Identity of the user that triggered this deployment.

1062

"config": "A String", # Configuration used to create this deployment.

1063

"undeployTime": "A String", # End of the lifetime of this deployment.

1064

"platform": "A String", # Platform hosting this deployment.

1065

"deployTime": "A String", # Required. Beginning of the lifetime of this deployment.

1066

"address": "A String", # Address of the runtime element hosting this deployment.

1067

"resourceUri": [ # Output only. Resource URI for the artifact being deployed taken from

1068

# the deployable field with the same name.

"A String",

],

},

},

"createTime": "A String", # Output only. The time this occurrence was created.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1074

"updateTime": "A String", # Output only. The time this occurrence was last updated.

1075

"remediation": "A String", # A description of actions that can be taken to remedy the note.

1076

"intoto": { # This corresponds to a signed in-toto link - it is made up of one or more # Describes a specific in-toto link.

1077

# signatures and the in-toto link itself. This is used for occurrences of a

1078

# Grafeas in-toto note.

1079

"signed": { # This corresponds to an in-toto link.

1080

"command": [ # This field contains the full command executed for the step. This can also

1081

# be empty if links are generated for operations that aren't directly mapped

1082

# to a specific command. Each term in the command is an independent string

1083

# in the list. An example of a command in the in-toto metadata field is:

1084

# "command": ["git", "clone", "https://github.com/in-toto/demo-project.git"]

1085

"A String",

1086

],

1087

"byproducts": { # Defines an object for the byproducts field in in-toto links. The suggested # ByProducts are data generated as part of a software supply chain step, but

1088

# are not the actual result of the step.

1089

# fields are "stderr", "stdout", and "return-value".

"customValues": {

"a_key": "A String",

},

},

"environment": { # Defines an object for the environment field in in-toto links. The suggested # This is a field that can be used to capture information about the

1095

# environment. It is suggested for this field to contain information that

1096

# details environment variables, filesystem information, and the present

1097

# working directory. The recommended structure of this field is:

1098

# "environment": {

1099

# "custom_values": {

1100

# "variables": "<ENV>",

1101

# "filesystem": "<FS>",

1102

# "workdir": "<CWD>",

1103

# "<ANY OTHER RELEVANT FIELDS>": "..."

1104

# }

1105

# }

1106

# fields are "variables", "filesystem", and "workdir".

"customValues": {

"a_key": "A String",

},

},

"materials": [ # Materials are the supply chain artifacts that go into the step and are used

1112

# for the operation performed. The key of the map is the path of the artifact

1113

# and the structure contains the recorded hash information. An example is:

1114

# "materials": [

1115

# {

1116

# "resource_uri": "foo/bar",

1117

# "hashes": {

1118

# "sha256": "ebebf...",

1119

# <OTHER HASH ALGORITHMS>: <HASH VALUE>

# }

# }

# ]

{

"hashes": { # Defines a hash object for use in Materials and Products.

1125

"sha256": "A String",

1126

},

1127

"resourceUri": "A String",

1128

},

1129

],

1130

"products": [ # Products are the supply chain artifacts generated as a result of the step.

1131

# The structure is identical to that of materials.

1132

{

1133

"hashes": { # Defines a hash object for use in Materials and Products.

1134

"sha256": "A String",

1135

},

1136

"resourceUri": "A String",

1137

},

1138

],

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1139

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1140

"signatures": [

1141

{ # A signature object consists of the KeyID used and the signature itself.

1142

"sig": "A String",

1143

"keyid": "A String",

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1144

},

1145

],

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1146

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1147

"derivedImage": { # Details of an image occurrence. # Describes how this resource derives from the basis in the associated

1148

# note.

1149

"derivedImage": { # Derived describes the derived image portion (Occurrence) of the DockerImage # Required. Immutable. The child image derived from the base image.

1150

# relationship. This image would be produced from a Dockerfile with FROM

1151

# <DockerImage.Basis in attached Note>.

1152

"fingerprint": { # A set of properties that uniquely identify a given Docker image. # Required. The fingerprint of the derived image.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

1153

"v2Blob": [ # Required. The ordered list of v2 blobs that represent a given image.

1154

"A String",

1155

],

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1156

"v1Name": "A String", # Required. The layer ID of the final layer in the Docker image's v1

1157

# representation.

1158

"v2Name": "A String", # Output only. The name of the image's v2 blobs computed via:

1159

# [bottom] := v2_blobbottom := sha256(v2_blob[N] + " " + v2_name[N+1])

1160

# Only the name of the final blob is kept.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1161

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1162

"layerInfo": [ # This contains layer-specific metadata, if populated it has length

1163

# "distance" and is ordered with [distance] being the layer immediately

1164

# following the base image and [1] being the final layer.

1165

{ # Layer holds metadata specific to a layer of a Docker image.

1166

"directive": "A String", # Required. The recovered Dockerfile directive used to construct this layer.

1167

"arguments": "A String", # The recovered arguments to the Dockerfile directive.

1168

},

1169

],

1170

"distance": 42, # Output only. The number of layers by which this image differs from the

1171

# associated image basis.

1172

"baseResourceUrl": "A String", # Output only. This contains the base image URL for the derived image

1173

# occurrence.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1174

},

1175

},

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

},

],

}</pre>

</div>

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

1182

<code class="details" id="create">create(parent, body=None, x__xgafv=None)</code>

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1183

<pre>Creates a new occurrence.

1184

1185

Args:

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

1186

parent: string, Required. The name of the project in the form of `projects/[PROJECT_ID]`, under which

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1187

the occurrence is to be created. (required)

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

1188

body: object, The request body.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1189

The object takes the form of:

1190

1191

{ # An instance of an analysis type that has been found on a resource.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

1192

"kind": "A String", # Output only. This explicitly denotes which of the occurrence details are

1193

# specified. This field can be used as a filter in list requests.

1194

"resource": { # An entity that can have metadata. For example, a Docker image. # Required. Immutable. The resource for which the occurrence applies.

1195

"name": "A String", # Deprecated, do not use. Use uri instead.

1196

#

1197

# The name of the resource. For example, the name of a Docker image -

1198

# "Debian".

1199

"contentHash": { # Container message for hash values. # Deprecated, do not use. Use uri instead.

1200

#

1201

# The hash of the resource content. For example, the Docker digest.

1202

"type": "A String", # Required. The type of hash that was performed.

1203

"value": "A String", # Required. The hash value.

1204

},

1205

"uri": "A String", # Required. The unique URI of the resource. For example,

1206

# `https://gcr.io/project/image@sha256:foo` for a Docker image.

1207

},

1208

"attestation": { # Details of an attestation occurrence. # Describes an attestation of an artifact.

1209

"attestation": { # Occurrence that represents a single "attestation". The authenticity of an # Required. Attestation for the resource.

1210

# attestation can be verified using the attached signature. If the verifier

1211

# trusts the public key of the signer, then verifying the signature is

1212

# sufficient to establish trust. In this circumstance, the authority to which

1213

# this attestation is attached is primarily useful for look-up (how to find

1214

# this attestation if you already know the authority and artifact to be

1215

# verified) and intent (which authority was this attestation intended to sign

1216

# for).

1217

"pgpSignedAttestation": { # An attestation wrapper with a PGP-compatible signature. This message only # A PGP signed attestation.

1218

# supports `ATTACHED` signatures, where the payload that is signed is included

1219

# alongside the signature itself in the same file.

1220

"contentType": "A String", # Type (for example schema) of the attestation payload that was signed.

1221

# The verifier must ensure that the provided type is one that the verifier

1222

# supports, and that the attestation payload is a valid instantiation of that

1223

# type (for example by validating a JSON schema).

1224

"signature": "A String", # Required. The raw content of the signature, as output by GNU Privacy Guard

1225

# (GPG) or equivalent. Since this message only supports attached signatures,

1226

# the payload that was signed must be attached. While the signature format

1227

# supported is dependent on the verification implementation, currently only

1228

# ASCII-armored (`--armor` to gpg), non-clearsigned (`--sign` rather than

1229

# `--clearsign` to gpg) are supported. Concretely, `gpg --sign --armor

1230

# --output=signature.gpg payload.json` will create the signature content

1231

# expected in this field in `signature.gpg` for the `payload.json`

1232

# attestation payload.

1233

"pgpKeyId": "A String", # The cryptographic fingerprint of the key used to generate the signature,

1234

# as output by, e.g. `gpg --list-keys`. This should be the version 4, full

1235

# 160-bit fingerprint, expressed as a 40 character hexidecimal string. See

1236

# https://tools.ietf.org/html/rfc4880#section-12.2 for details.

1237

# Implementations may choose to acknowledge "LONG", "SHORT", or other

1238

# abbreviated key IDs, but only the full fingerprint is guaranteed to work.

1239

# In gpg, the full fingerprint can be retrieved from the `fpr` field

1240

# returned when calling --list-keys with --with-colons. For example:

1241

# ```

1242

# gpg --with-colons --with-fingerprint --force-v4-certs \

1243

# --list-keys attester@example.com

1244

# tru::1:1513631572:0:3:1:5

1245

# pub:...<SNIP>...

1246

# fpr:::::::::24FF6481B76AC91E66A00AC657A93A81EF3AE6FB:

1247

# ```

1248

# Above, the fingerprint is `24FF6481B76AC91E66A00AC657A93A81EF3AE6FB`.

1249

},

1250

"genericSignedAttestation": { # An attestation wrapper that uses the Grafeas `Signature` message.

1251

# This attestation must define the `serialized_payload` that the `signatures`

1252

# verify and any metadata necessary to interpret that plaintext. The

1253

# signatures should always be over the `serialized_payload` bytestring.

1254

"contentType": "A String", # Type (for example schema) of the attestation payload that was signed.

1255

# The verifier must ensure that the provided type is one that the verifier

1256

# supports, and that the attestation payload is a valid instantiation of that

1257

# type (for example by validating a JSON schema).

1258

"signatures": [ # One or more signatures over `serialized_payload`. Verifier implementations

1259

# should consider this attestation message verified if at least one

1260

# `signature` verifies `serialized_payload`. See `Signature` in common.proto

1261

# for more details on signature structure and verification.

1262

{ # Verifiers (e.g. Kritis implementations) MUST verify signatures

1263

# with respect to the trust anchors defined in policy (e.g. a Kritis policy).

1264

# Typically this means that the verifier has been configured with a map from

1265

# `public_key_id` to public key material (and any required parameters, e.g.

1266

# signing algorithm).

1267

#

1268

# In particular, verification implementations MUST NOT treat the signature

1269

# `public_key_id` as anything more than a key lookup hint. The `public_key_id`

1270

# DOES NOT validate or authenticate a public key; it only provides a mechanism

1271

# for quickly selecting a public key ALREADY CONFIGURED on the verifier through

1272

# a trusted channel. Verification implementations MUST reject signatures in any

1273

# of the following circumstances:

1274

# * The `public_key_id` is not recognized by the verifier.

1275

# * The public key that `public_key_id` refers to does not verify the

1276

# signature with respect to the payload.

1277

#

1278

# The `signature` contents SHOULD NOT be "attached" (where the payload is

1279

# included with the serialized `signature` bytes). Verifiers MUST ignore any

1280

# "attached" payload and only verify signatures with respect to explicitly

1281

# provided payload (e.g. a `payload` field on the proto message that holds

1282

# this Signature, or the canonical serialization of the proto message that

1283

# holds this signature).

1284

"publicKeyId": "A String", # The identifier for the public key that verifies this signature.

1285

# * The `public_key_id` is required.

1286

# * The `public_key_id` MUST be an RFC3986 conformant URI.

1287

# * When possible, the `public_key_id` SHOULD be an immutable reference,

1288

# such as a cryptographic digest.

1289

#

1290

# Examples of valid `public_key_id`s:

1291

#

1292

# OpenPGP V4 public key fingerprint:

1293

# * "openpgp4fpr:74FAF3B861BDA0870C7B6DEF607E48D2A663AEEA"

1294

# See https://www.iana.org/assignments/uri-schemes/prov/openpgp4fpr for more

1295

# details on this scheme.

1296

#

1297

# RFC6920 digest-named SubjectPublicKeyInfo (digest of the DER

1298

# serialization):

1299

# * "ni:///sha-256;cD9o9Cq6LG3jD0iKXqEi_vdjJGecm_iXkbqVoScViaU"

1300

# * "nih:///sha-256;703f68f42aba2c6de30f488a5ea122fef76324679c9bf89791ba95a1271589a5"

1301

"signature": "A String", # The content of the signature, an opaque bytestring.

1302

# The payload that this signature verifies MUST be unambiguously provided

1303

# with the Signature during verification. A wrapper message might provide

1304

# the payload explicitly. Alternatively, a message might have a canonical

1305

# serialization that can always be unambiguously computed to derive the

# payload.

},

],

"serializedPayload": "A String", # The serialized payload that is verified by one or more `signatures`.

1310

# The encoding and semantic meaning of this payload must match what is set in

# `content_type`.

},

},

},

"name": "A String", # Output only. The name of the occurrence in the form of

1316

# `projects/[PROJECT_ID]/occurrences/[OCCURRENCE_ID]`.

1317

"vulnerability": { # Details of a vulnerability Occurrence. # Describes a security vulnerability.

1318

"longDescription": "A String", # Output only. A detailed description of this vulnerability.

1319

"shortDescription": "A String", # Output only. A one sentence description of this vulnerability.

1320

"effectiveSeverity": "A String", # The distro assigned severity for this vulnerability when it is

1321

# available, and note provider assigned severity when distro has not yet

1322

# assigned a severity for this vulnerability.

1323

"severity": "A String", # Output only. The note provider assigned Severity of the vulnerability.

1324

"cvssScore": 3.14, # Output only. The CVSS score of this vulnerability. CVSS score is on a

1325

# scale of 0-10 where 0 indicates low severity and 10 indicates high

1326

# severity.

1327

"relatedUrls": [ # Output only. URLs related to this vulnerability.

1328

{ # Metadata for any related URL information.

1329

"url": "A String", # Specific URL associated with the resource.

1330

"label": "A String", # Label to describe usage of the URL.

1331

},

1332

],

1333

"type": "A String", # The type of package; whether native or non native(ruby gems, node.js

1334

# packages etc)

1335

"packageIssue": [ # Required. The set of affected locations and their fixes (if available)

1336

# within the associated resource.

1337

{ # This message wraps a location affected by a vulnerability and its

1338

# associated fix (if one is available).

1339

"severityName": "A String", # Deprecated, use Details.effective_severity instead

1340

# The severity (e.g., distro assigned severity) for this vulnerability.

1341

"affectedLocation": { # The location of the vulnerability. # Required. The location of the vulnerability.

1342

"package": "A String", # Required. The package being described.

1343

"version": { # Version contains structured information about the version of a package. # Required. The version of the package being described.

1344

"revision": "A String", # The iteration of the package build from the above version.

1345

"name": "A String", # Required only when version kind is NORMAL. The main part of the version

1346

# name.

1347

"kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal

1348

# versions.

1349

"epoch": 42, # Used to correct mistakes in the version numbering scheme.

1350

},

1351

"cpeUri": "A String", # Required. The CPE URI in [cpe format](https://cpe.mitre.org/specification/)

1352

# format. Examples include distro or storage location for vulnerable jar.

1353

},

1354

"fixedLocation": { # The location of the vulnerability. # The location of the available fix for vulnerability.

1355

"package": "A String", # Required. The package being described.

1356

"version": { # Version contains structured information about the version of a package. # Required. The version of the package being described.

1357

"revision": "A String", # The iteration of the package build from the above version.

1358

"name": "A String", # Required only when version kind is NORMAL. The main part of the version

1359

# name.

1360

"kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal

1361

# versions.

1362

"epoch": 42, # Used to correct mistakes in the version numbering scheme.

1363

},

1364

"cpeUri": "A String", # Required. The CPE URI in [cpe format](https://cpe.mitre.org/specification/)

1365

# format. Examples include distro or storage location for vulnerable jar.

},

},

],

},

"installation": { # Details of a package occurrence. # Describes the installation of a package on the linked resource.

1371

"installation": { # This represents how a particular software package may be installed on a # Required. Where the package was installed.

1372

# system.

1373

"location": [ # Required. All of the places within the filesystem versions of this package

1374

# have been found.

1375

{ # An occurrence of a particular package installation found within a system's

1376

# filesystem. E.g., glibc was found in `/var/lib/dpkg/status`.

1377

"cpeUri": "A String", # Required. The CPE URI in [CPE format](https://cpe.mitre.org/specification/)

1378

# denoting the package manager version distributing a package.

1379

"version": { # Version contains structured information about the version of a package. # The version installed at this location.

1380

"revision": "A String", # The iteration of the package build from the above version.

1381

"name": "A String", # Required only when version kind is NORMAL. The main part of the version

1382

# name.

1383

"kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal

1384

# versions.

1385

"epoch": 42, # Used to correct mistakes in the version numbering scheme.

1386

},

1387

"path": "A String", # The path from which we gathered that this package/version is installed.

1388

},

1389

],

1390

"name": "A String", # Output only. The name of the installed package.

1391

},

1392

},

1393

"build": { # Details of a build occurrence. # Describes a verifiable build.

1394

"provenanceBytes": "A String", # Serialized JSON representation of the provenance, used in generating the

1395

# build signature in the corresponding build note. After verifying the

1396

# signature, `provenance_bytes` can be unmarshalled and compared to the

1397

# provenance to confirm that it is unchanged. A base64-encoded string

1398

# representation of the provenance bytes is used for the signature in order

1399

# to interoperate with openssl which expects this format for signature

1400

# verification.

1401

#

1402

# The serialized form is captured both to avoid ambiguity in how the

1403

# provenance is marshalled to json as well to prevent incompatibilities with

1404

# future changes.

1405

"provenance": { # Provenance of a build. Contains all information needed to verify the full # Required. The actual provenance for the build.

1406

# details about the build from source to completion.

1407

"endTime": "A String", # Time at which execution of the build was finished.

1408

"startTime": "A String", # Time at which execution of the build was started.

1409

"triggerId": "A String", # Trigger identifier if the build was triggered automatically; empty if not.

1410

"sourceProvenance": { # Source describes the location of the source used for the build. # Details of the Source input to the build.

1411

"artifactStorageSourceUri": "A String", # If provided, the input binary artifacts for the build came from this

1412

# location.

1413

"additionalContexts": [ # If provided, some of the source code used for the build may be found in

1414

# these locations, in the case where the source repository had multiple

1415

# remotes or submodules. This list will not include the context specified in

1416

# the context field.

1417

{ # A SourceContext is a reference to a tree of files. A SourceContext together

1418

# with a path point to a unique revision of a single file or directory.

1419

"labels": { # Labels with user defined metadata.

1420

"a_key": "A String",

1421

},

1422

"git": { # A GitSourceContext denotes a particular revision in a third party Git # A SourceContext referring to any third party Git repo (e.g., GitHub).

1423

# repository (e.g., GitHub).

1424

"url": "A String", # Git repository URL.

1425

"revisionId": "A String", # Git commit hash.

1426

},

1427

"gerrit": { # A SourceContext referring to a Gerrit project. # A SourceContext referring to a Gerrit project.

1428

"hostUri": "A String", # The URI of a running Gerrit instance.

1429

"revisionId": "A String", # A revision (commit) ID.

1430

"gerritProject": "A String", # The full project name within the host. Projects may be nested, so

1431

# "project/subproject" is a valid project name. The "repo name" is the

1432

# hostURI/project.

1433

"aliasContext": { # An alias to a repo revision. # An alias, which may be a branch or tag.

1434

"name": "A String", # The alias name.

1435

"kind": "A String", # The alias kind.

1436

},

1437

},

1438

"cloudRepo": { # A CloudRepoSourceContext denotes a particular revision in a Google Cloud # A SourceContext referring to a revision in a Google Cloud Source Repo.

1439

# Source Repo.

1440

"revisionId": "A String", # A revision ID.

1441

"repoId": { # A unique identifier for a Cloud Repo. # The ID of the repo.

1442

"projectRepoId": { # Selects a repo using a Google Cloud Platform project ID (e.g., # A combination of a project ID and a repo name.

1443

# winged-cargo-31) and a repo name within that project.

1444

"projectId": "A String", # The ID of the project.

1445

"repoName": "A String", # The name of the repo. Leave empty for the default repo.

1446

},

1447

"uid": "A String", # A server-assigned, globally unique identifier.

1448

},

1449

"aliasContext": { # An alias to a repo revision. # An alias, which may be a branch or tag.

1450

"name": "A String", # The alias name.

1451

"kind": "A String", # The alias kind.

},

},

},

],

"fileHashes": { # Hash(es) of the build source, which can be used to verify that the original

1457

# source integrity was maintained in the build.

1458

#

1459

# The keys to this map are file paths used as build source and the values

1460

# contain the hash values for those files.

1461

#

1462

# If the build source came in a single package such as a gzipped tarfile

1463

# (.tar.gz), the FileHash will be for the single path to that file.

1464

"a_key": { # Container message for hashes of byte content of files, used in source

1465

# messages to verify integrity of source input to the build.

1466

"fileHash": [ # Required. Collection of file hashes.

1467

{ # Container message for hash values.

1468

"type": "A String", # Required. The type of hash that was performed.

1469

"value": "A String", # Required. The hash value.

},

],

},

},

"context": { # A SourceContext is a reference to a tree of files. A SourceContext together # If provided, the source code used for the build came from this location.

1475

# with a path point to a unique revision of a single file or directory.

1476

"labels": { # Labels with user defined metadata.

1477

"a_key": "A String",

1478

},

1479

"git": { # A GitSourceContext denotes a particular revision in a third party Git # A SourceContext referring to any third party Git repo (e.g., GitHub).

1480

# repository (e.g., GitHub).

1481

"url": "A String", # Git repository URL.

1482

"revisionId": "A String", # Git commit hash.

1483

},

1484

"gerrit": { # A SourceContext referring to a Gerrit project. # A SourceContext referring to a Gerrit project.

1485

"hostUri": "A String", # The URI of a running Gerrit instance.

1486

"revisionId": "A String", # A revision (commit) ID.

1487

"gerritProject": "A String", # The full project name within the host. Projects may be nested, so

1488

# "project/subproject" is a valid project name. The "repo name" is the

1489

# hostURI/project.

1490

"aliasContext": { # An alias to a repo revision. # An alias, which may be a branch or tag.

1491

"name": "A String", # The alias name.

1492

"kind": "A String", # The alias kind.

1493

},

1494

},

1495

"cloudRepo": { # A CloudRepoSourceContext denotes a particular revision in a Google Cloud # A SourceContext referring to a revision in a Google Cloud Source Repo.

1496

# Source Repo.

1497

"revisionId": "A String", # A revision ID.

1498

"repoId": { # A unique identifier for a Cloud Repo. # The ID of the repo.

1499

"projectRepoId": { # Selects a repo using a Google Cloud Platform project ID (e.g., # A combination of a project ID and a repo name.

1500

# winged-cargo-31) and a repo name within that project.

1501

"projectId": "A String", # The ID of the project.

1502

"repoName": "A String", # The name of the repo. Leave empty for the default repo.

1503

},

1504

"uid": "A String", # A server-assigned, globally unique identifier.

1505

},

1506

"aliasContext": { # An alias to a repo revision. # An alias, which may be a branch or tag.

1507

"name": "A String", # The alias name.

1508

"kind": "A String", # The alias kind.

},

},

},

},

"createTime": "A String", # Time at which the build was created.

1514

"projectId": "A String", # ID of the project.

1515

"logsUri": "A String", # URI where any logs for this provenance were written.

1516

"creator": "A String", # E-mail address of the user who initiated this build. Note that this was the

1517

# user's e-mail address at the time the build was initiated; this address may

1518

# not represent the same end-user for all time.

1519

"builderVersion": "A String", # Version string of the builder at the time this build was executed.

1520

"commands": [ # Commands requested by the build.

1521

{ # Command describes a step performed as part of the build pipeline.

1522

"dir": "A String", # Working directory (relative to project source root) used when running this

1523

# command.

1524

"waitFor": [ # The ID(s) of the command(s) that this command depends on.

1525

"A String",

1526

],

1527

"env": [ # Environment variables set before running this command.

1528

"A String",

1529

],

1530

"args": [ # Command-line arguments used when executing this command.

1531

"A String",

1532

],

1533

"name": "A String", # Required. Name of the command, as presented on the command line, or if the

1534

# command is packaged as a Docker container, as presented to `docker pull`.

1535

"id": "A String", # Optional unique identifier for this command, used in wait_for to reference

1536

# this command as a dependency.

1537

},

1538

],

1539

"builtArtifacts": [ # Output of the build.

1540

{ # Artifact describes a build product.

1541

"checksum": "A String", # Hash or checksum value of a binary, or Docker Registry 2.0 digest of a

1542

# container.

1543

"id": "A String", # Artifact ID, if any; for container images, this will be a URL by digest

1544

# like `gcr.io/projectID/imagename@sha256:123456`.

1545

"names": [ # Related artifact names. This may be the path to a binary or jar file, or in

1546

# the case of a container build, the name used to push the container image to

1547

# Google Container Registry, as presented to `docker push`. Note that a

1548

# single Artifact ID can have multiple names, for example if two tags are

1549

# applied to one image.

"A String",

],

},

],

"id": "A String", # Required. Unique identifier of the build.

1555

"buildOptions": { # Special options applied to this build. This is a catch-all field where

1556

# build providers can enter any desired additional details.

"a_key": "A String",

},

},

},

"discovered": { # Details of a discovery occurrence. # Describes when a resource was discovered.

1562

"discovered": { # Provides information about the analysis status of a discovered resource. # Required. Analysis status for the discovered resource.

1563

"analysisStatusError": { # The `Status` type defines a logical error model that is suitable for # When an error is encountered this will contain a LocalizedMessage under

1564

# details to show to the user. The LocalizedMessage is output only and

1565

# populated by the API.

1566

# different programming environments, including REST APIs and RPC APIs. It is

1567

# used by [gRPC](https://github.com/grpc). Each `Status` message contains

1568

# three pieces of data: error code, error message, and error details.

1569

#

1570

# You can find out more about this error model and how to work with it in the

1571

# [API Design Guide](https://cloud.google.com/apis/design/errors).

1572

"details": [ # A list of messages that carry the error details. There is a common set of

1573

# message types for APIs to use.

1574

{

1575

"a_key": "", # Properties of the object. Contains field @type with type URL.

1576

},

1577

],

1578

"code": 42, # The status code, which should be an enum value of google.rpc.Code.

1579

"message": "A String", # A developer-facing error message, which should be in English. Any

1580

# user-facing error message should be localized and sent in the

1581

# google.rpc.Status.details field, or localized by the client.

1582

},

1583

"analysisStatus": "A String", # The status of discovery for the resource.

1584

"continuousAnalysis": "A String", # Whether the resource is continuously analyzed.

1585

"lastAnalysisTime": "A String", # The last time continuous analysis was done for this resource.

1586

# Deprecated, do not use.

1587

},

1588

},

1589

"noteName": "A String", # Required. Immutable. The analysis note associated with this occurrence, in

1590

# the form of `projects/[PROVIDER_ID]/notes/[NOTE_ID]`. This field can be

1591

# used as a filter in list requests.

1592

"deployment": { # Details of a deployment occurrence. # Describes the deployment of an artifact on a runtime.

1593

"deployment": { # The period during which some deployable was active in a runtime. # Required. Deployment history for the resource.

1594

"userEmail": "A String", # Identity of the user that triggered this deployment.

1595

"config": "A String", # Configuration used to create this deployment.

1596

"undeployTime": "A String", # End of the lifetime of this deployment.

1597

"platform": "A String", # Platform hosting this deployment.

1598

"deployTime": "A String", # Required. Beginning of the lifetime of this deployment.

1599

"address": "A String", # Address of the runtime element hosting this deployment.

1600

"resourceUri": [ # Output only. Resource URI for the artifact being deployed taken from

1601

# the deployable field with the same name.

"A String",

],

},

},

"createTime": "A String", # Output only. The time this occurrence was created.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1607

"updateTime": "A String", # Output only. The time this occurrence was last updated.

1608

"remediation": "A String", # A description of actions that can be taken to remedy the note.

1609

"intoto": { # This corresponds to a signed in-toto link - it is made up of one or more # Describes a specific in-toto link.

1610

# signatures and the in-toto link itself. This is used for occurrences of a

1611

# Grafeas in-toto note.

1612

"signed": { # This corresponds to an in-toto link.

1613

"command": [ # This field contains the full command executed for the step. This can also

1614

# be empty if links are generated for operations that aren't directly mapped

1615

# to a specific command. Each term in the command is an independent string

1616

# in the list. An example of a command in the in-toto metadata field is:

1617

# "command": ["git", "clone", "https://github.com/in-toto/demo-project.git"]

1618

"A String",

1619

],

1620

"byproducts": { # Defines an object for the byproducts field in in-toto links. The suggested # ByProducts are data generated as part of a software supply chain step, but

1621

# are not the actual result of the step.

1622

# fields are "stderr", "stdout", and "return-value".

"customValues": {

"a_key": "A String",

},

},

"environment": { # Defines an object for the environment field in in-toto links. The suggested # This is a field that can be used to capture information about the

1628

# environment. It is suggested for this field to contain information that

1629

# details environment variables, filesystem information, and the present

1630

# working directory. The recommended structure of this field is:

1631

# "environment": {

1632

# "custom_values": {

1633

# "variables": "<ENV>",

1634

# "filesystem": "<FS>",

1635

# "workdir": "<CWD>",

1636

# "<ANY OTHER RELEVANT FIELDS>": "..."

1637

# }

1638

# }

1639

# fields are "variables", "filesystem", and "workdir".

"customValues": {

"a_key": "A String",

},

},

"materials": [ # Materials are the supply chain artifacts that go into the step and are used

1645

# for the operation performed. The key of the map is the path of the artifact

1646

# and the structure contains the recorded hash information. An example is:

1647

# "materials": [

1648

# {

1649

# "resource_uri": "foo/bar",

1650

# "hashes": {

1651

# "sha256": "ebebf...",

1652

# <OTHER HASH ALGORITHMS>: <HASH VALUE>

# }

# }

# ]

{

"hashes": { # Defines a hash object for use in Materials and Products.

1658

"sha256": "A String",

1659

},

1660

"resourceUri": "A String",

1661

},

1662

],

1663

"products": [ # Products are the supply chain artifacts generated as a result of the step.

1664

# The structure is identical to that of materials.

1665

{

1666

"hashes": { # Defines a hash object for use in Materials and Products.

1667

"sha256": "A String",

1668

},

1669

"resourceUri": "A String",

1670

},

1671

],

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1672

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1673

"signatures": [

1674

{ # A signature object consists of the KeyID used and the signature itself.

1675

"sig": "A String",

1676

"keyid": "A String",

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1677

},

1678

],

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1679

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1680

"derivedImage": { # Details of an image occurrence. # Describes how this resource derives from the basis in the associated

1681

# note.

1682

"derivedImage": { # Derived describes the derived image portion (Occurrence) of the DockerImage # Required. Immutable. The child image derived from the base image.

1683

# relationship. This image would be produced from a Dockerfile with FROM

1684

# <DockerImage.Basis in attached Note>.

1685

"fingerprint": { # A set of properties that uniquely identify a given Docker image. # Required. The fingerprint of the derived image.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

1686

"v2Blob": [ # Required. The ordered list of v2 blobs that represent a given image.

1687

"A String",

1688

],

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1689

"v1Name": "A String", # Required. The layer ID of the final layer in the Docker image's v1

1690

# representation.

1691

"v2Name": "A String", # Output only. The name of the image's v2 blobs computed via:

1692

# [bottom] := v2_blobbottom := sha256(v2_blob[N] + " " + v2_name[N+1])

1693

# Only the name of the final blob is kept.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1694

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1695

"layerInfo": [ # This contains layer-specific metadata, if populated it has length

1696

# "distance" and is ordered with [distance] being the layer immediately

1697

# following the base image and [1] being the final layer.

1698

{ # Layer holds metadata specific to a layer of a Docker image.

1699

"directive": "A String", # Required. The recovered Dockerfile directive used to construct this layer.

1700

"arguments": "A String", # The recovered arguments to the Dockerfile directive.

1701

},

1702

],

1703

"distance": 42, # Output only. The number of layers by which this image differs from the

1704

# associated image basis.

1705

"baseResourceUrl": "A String", # Output only. This contains the base image URL for the derived image

1706

# occurrence.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1707

},

1708

},

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1709

}

1710

1711

x__xgafv: string, V1 error format.

Allowed values

1 - v1 error format

2 - v2 error format

Returns:

An object of the form:

1718

1719

{ # An instance of an analysis type that has been found on a resource.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

1720

"kind": "A String", # Output only. This explicitly denotes which of the occurrence details are

1721

# specified. This field can be used as a filter in list requests.

1722

"resource": { # An entity that can have metadata. For example, a Docker image. # Required. Immutable. The resource for which the occurrence applies.

1723

"name": "A String", # Deprecated, do not use. Use uri instead.

1724

#

1725

# The name of the resource. For example, the name of a Docker image -

1726

# "Debian".

1727

"contentHash": { # Container message for hash values. # Deprecated, do not use. Use uri instead.

1728

#

1729

# The hash of the resource content. For example, the Docker digest.

1730

"type": "A String", # Required. The type of hash that was performed.

1731

"value": "A String", # Required. The hash value.

1732

},

1733

"uri": "A String", # Required. The unique URI of the resource. For example,

1734

# `https://gcr.io/project/image@sha256:foo` for a Docker image.

1735

},

1736

"attestation": { # Details of an attestation occurrence. # Describes an attestation of an artifact.

1737

"attestation": { # Occurrence that represents a single "attestation". The authenticity of an # Required. Attestation for the resource.

1738

# attestation can be verified using the attached signature. If the verifier

1739

# trusts the public key of the signer, then verifying the signature is

1740

# sufficient to establish trust. In this circumstance, the authority to which

1741

# this attestation is attached is primarily useful for look-up (how to find

1742

# this attestation if you already know the authority and artifact to be

1743

# verified) and intent (which authority was this attestation intended to sign

1744

# for).

1745

"pgpSignedAttestation": { # An attestation wrapper with a PGP-compatible signature. This message only # A PGP signed attestation.

1746

# supports `ATTACHED` signatures, where the payload that is signed is included

1747

# alongside the signature itself in the same file.

1748

"contentType": "A String", # Type (for example schema) of the attestation payload that was signed.

1749

# The verifier must ensure that the provided type is one that the verifier

1750

# supports, and that the attestation payload is a valid instantiation of that

1751

# type (for example by validating a JSON schema).

1752

"signature": "A String", # Required. The raw content of the signature, as output by GNU Privacy Guard

1753

# (GPG) or equivalent. Since this message only supports attached signatures,

1754

# the payload that was signed must be attached. While the signature format

1755

# supported is dependent on the verification implementation, currently only

1756

# ASCII-armored (`--armor` to gpg), non-clearsigned (`--sign` rather than

1757

# `--clearsign` to gpg) are supported. Concretely, `gpg --sign --armor

1758

# --output=signature.gpg payload.json` will create the signature content

1759

# expected in this field in `signature.gpg` for the `payload.json`

1760

# attestation payload.

1761

"pgpKeyId": "A String", # The cryptographic fingerprint of the key used to generate the signature,

1762

# as output by, e.g. `gpg --list-keys`. This should be the version 4, full

1763

# 160-bit fingerprint, expressed as a 40 character hexidecimal string. See

1764

# https://tools.ietf.org/html/rfc4880#section-12.2 for details.

1765

# Implementations may choose to acknowledge "LONG", "SHORT", or other

1766

# abbreviated key IDs, but only the full fingerprint is guaranteed to work.

1767

# In gpg, the full fingerprint can be retrieved from the `fpr` field

1768

# returned when calling --list-keys with --with-colons. For example:

1769

# ```

1770

# gpg --with-colons --with-fingerprint --force-v4-certs \

1771

# --list-keys attester@example.com

1772

# tru::1:1513631572:0:3:1:5

1773

# pub:...<SNIP>...

1774

# fpr:::::::::24FF6481B76AC91E66A00AC657A93A81EF3AE6FB:

1775

# ```

1776

# Above, the fingerprint is `24FF6481B76AC91E66A00AC657A93A81EF3AE6FB`.

1777

},

1778

"genericSignedAttestation": { # An attestation wrapper that uses the Grafeas `Signature` message.

1779

# This attestation must define the `serialized_payload` that the `signatures`

1780

# verify and any metadata necessary to interpret that plaintext. The

1781

# signatures should always be over the `serialized_payload` bytestring.

1782

"contentType": "A String", # Type (for example schema) of the attestation payload that was signed.

1783

# The verifier must ensure that the provided type is one that the verifier

1784

# supports, and that the attestation payload is a valid instantiation of that

1785

# type (for example by validating a JSON schema).

1786

"signatures": [ # One or more signatures over `serialized_payload`. Verifier implementations

1787

# should consider this attestation message verified if at least one

1788

# `signature` verifies `serialized_payload`. See `Signature` in common.proto

1789

# for more details on signature structure and verification.

1790

{ # Verifiers (e.g. Kritis implementations) MUST verify signatures

1791

# with respect to the trust anchors defined in policy (e.g. a Kritis policy).

1792

# Typically this means that the verifier has been configured with a map from

1793

# `public_key_id` to public key material (and any required parameters, e.g.

1794

# signing algorithm).

1795

#

1796

# In particular, verification implementations MUST NOT treat the signature

1797

# `public_key_id` as anything more than a key lookup hint. The `public_key_id`

1798

# DOES NOT validate or authenticate a public key; it only provides a mechanism

1799

# for quickly selecting a public key ALREADY CONFIGURED on the verifier through

1800

# a trusted channel. Verification implementations MUST reject signatures in any

1801

# of the following circumstances:

1802

# * The `public_key_id` is not recognized by the verifier.

1803

# * The public key that `public_key_id` refers to does not verify the

1804

# signature with respect to the payload.

1805

#

1806

# The `signature` contents SHOULD NOT be "attached" (where the payload is

1807

# included with the serialized `signature` bytes). Verifiers MUST ignore any

1808

# "attached" payload and only verify signatures with respect to explicitly

1809

# provided payload (e.g. a `payload` field on the proto message that holds

1810

# this Signature, or the canonical serialization of the proto message that

1811

# holds this signature).

1812

"publicKeyId": "A String", # The identifier for the public key that verifies this signature.

1813

# * The `public_key_id` is required.

1814

# * The `public_key_id` MUST be an RFC3986 conformant URI.

1815

# * When possible, the `public_key_id` SHOULD be an immutable reference,

1816

# such as a cryptographic digest.

1817

#

1818

# Examples of valid `public_key_id`s:

1819

#

1820

# OpenPGP V4 public key fingerprint:

1821

# * "openpgp4fpr:74FAF3B861BDA0870C7B6DEF607E48D2A663AEEA"

1822

# See https://www.iana.org/assignments/uri-schemes/prov/openpgp4fpr for more

1823

# details on this scheme.

1824

#

1825

# RFC6920 digest-named SubjectPublicKeyInfo (digest of the DER

1826

# serialization):

1827

# * "ni:///sha-256;cD9o9Cq6LG3jD0iKXqEi_vdjJGecm_iXkbqVoScViaU"

1828

# * "nih:///sha-256;703f68f42aba2c6de30f488a5ea122fef76324679c9bf89791ba95a1271589a5"

1829

"signature": "A String", # The content of the signature, an opaque bytestring.

1830

# The payload that this signature verifies MUST be unambiguously provided

1831

# with the Signature during verification. A wrapper message might provide

1832

# the payload explicitly. Alternatively, a message might have a canonical

1833

# serialization that can always be unambiguously computed to derive the

# payload.

},

],

"serializedPayload": "A String", # The serialized payload that is verified by one or more `signatures`.

1838

# The encoding and semantic meaning of this payload must match what is set in

# `content_type`.

},

},

},

"name": "A String", # Output only. The name of the occurrence in the form of

1844

# `projects/[PROJECT_ID]/occurrences/[OCCURRENCE_ID]`.

1845

"vulnerability": { # Details of a vulnerability Occurrence. # Describes a security vulnerability.

1846

"longDescription": "A String", # Output only. A detailed description of this vulnerability.

1847

"shortDescription": "A String", # Output only. A one sentence description of this vulnerability.

1848

"effectiveSeverity": "A String", # The distro assigned severity for this vulnerability when it is

1849

# available, and note provider assigned severity when distro has not yet

1850

# assigned a severity for this vulnerability.

1851

"severity": "A String", # Output only. The note provider assigned Severity of the vulnerability.

1852

"cvssScore": 3.14, # Output only. The CVSS score of this vulnerability. CVSS score is on a

1853

# scale of 0-10 where 0 indicates low severity and 10 indicates high

1854

# severity.

1855

"relatedUrls": [ # Output only. URLs related to this vulnerability.

1856

{ # Metadata for any related URL information.

1857

"url": "A String", # Specific URL associated with the resource.

1858

"label": "A String", # Label to describe usage of the URL.

1859

},

1860

],

1861

"type": "A String", # The type of package; whether native or non native(ruby gems, node.js

1862

# packages etc)

1863

"packageIssue": [ # Required. The set of affected locations and their fixes (if available)

1864

# within the associated resource.

1865

{ # This message wraps a location affected by a vulnerability and its

1866

# associated fix (if one is available).

1867

"severityName": "A String", # Deprecated, use Details.effective_severity instead

1868

# The severity (e.g., distro assigned severity) for this vulnerability.

1869

"affectedLocation": { # The location of the vulnerability. # Required. The location of the vulnerability.

1870

"package": "A String", # Required. The package being described.

1871

"version": { # Version contains structured information about the version of a package. # Required. The version of the package being described.

1872

"revision": "A String", # The iteration of the package build from the above version.

1873

"name": "A String", # Required only when version kind is NORMAL. The main part of the version

1874

# name.

1875

"kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal

1876

# versions.

1877

"epoch": 42, # Used to correct mistakes in the version numbering scheme.

1878

},

1879

"cpeUri": "A String", # Required. The CPE URI in [cpe format](https://cpe.mitre.org/specification/)

1880

# format. Examples include distro or storage location for vulnerable jar.

1881

},

1882

"fixedLocation": { # The location of the vulnerability. # The location of the available fix for vulnerability.

1883

"package": "A String", # Required. The package being described.

1884

"version": { # Version contains structured information about the version of a package. # Required. The version of the package being described.

1885

"revision": "A String", # The iteration of the package build from the above version.

1886

"name": "A String", # Required only when version kind is NORMAL. The main part of the version

1887

# name.

1888

"kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal

1889

# versions.

1890

"epoch": 42, # Used to correct mistakes in the version numbering scheme.

1891

},

1892

"cpeUri": "A String", # Required. The CPE URI in [cpe format](https://cpe.mitre.org/specification/)

1893

# format. Examples include distro or storage location for vulnerable jar.

},

},

],

},

"installation": { # Details of a package occurrence. # Describes the installation of a package on the linked resource.

1899

"installation": { # This represents how a particular software package may be installed on a # Required. Where the package was installed.

1900

# system.

1901

"location": [ # Required. All of the places within the filesystem versions of this package

1902

# have been found.

1903

{ # An occurrence of a particular package installation found within a system's

1904

# filesystem. E.g., glibc was found in `/var/lib/dpkg/status`.

1905

"cpeUri": "A String", # Required. The CPE URI in [CPE format](https://cpe.mitre.org/specification/)

1906

# denoting the package manager version distributing a package.

1907

"version": { # Version contains structured information about the version of a package. # The version installed at this location.

1908

"revision": "A String", # The iteration of the package build from the above version.

1909

"name": "A String", # Required only when version kind is NORMAL. The main part of the version

1910

# name.

1911

"kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal

1912

# versions.

1913

"epoch": 42, # Used to correct mistakes in the version numbering scheme.

1914

},

1915

"path": "A String", # The path from which we gathered that this package/version is installed.

1916

},

1917

],

1918

"name": "A String", # Output only. The name of the installed package.

1919

},

1920

},

1921

"build": { # Details of a build occurrence. # Describes a verifiable build.

1922

"provenanceBytes": "A String", # Serialized JSON representation of the provenance, used in generating the

1923

# build signature in the corresponding build note. After verifying the

1924

# signature, `provenance_bytes` can be unmarshalled and compared to the

1925

# provenance to confirm that it is unchanged. A base64-encoded string

1926

# representation of the provenance bytes is used for the signature in order

1927

# to interoperate with openssl which expects this format for signature

1928

# verification.

1929

#

1930

# The serialized form is captured both to avoid ambiguity in how the

1931

# provenance is marshalled to json as well to prevent incompatibilities with

1932

# future changes.

1933

"provenance": { # Provenance of a build. Contains all information needed to verify the full # Required. The actual provenance for the build.

1934

# details about the build from source to completion.

1935

"endTime": "A String", # Time at which execution of the build was finished.

1936

"startTime": "A String", # Time at which execution of the build was started.

1937

"triggerId": "A String", # Trigger identifier if the build was triggered automatically; empty if not.

1938

"sourceProvenance": { # Source describes the location of the source used for the build. # Details of the Source input to the build.

1939

"artifactStorageSourceUri": "A String", # If provided, the input binary artifacts for the build came from this

1940

# location.

1941

"additionalContexts": [ # If provided, some of the source code used for the build may be found in

1942

# these locations, in the case where the source repository had multiple

1943

# remotes or submodules. This list will not include the context specified in

1944

# the context field.

1945

{ # A SourceContext is a reference to a tree of files. A SourceContext together

1946

# with a path point to a unique revision of a single file or directory.

1947

"labels": { # Labels with user defined metadata.

1948

"a_key": "A String",

1949

},

1950

"git": { # A GitSourceContext denotes a particular revision in a third party Git # A SourceContext referring to any third party Git repo (e.g., GitHub).

1951

# repository (e.g., GitHub).

1952

"url": "A String", # Git repository URL.

1953

"revisionId": "A String", # Git commit hash.

1954

},

1955

"gerrit": { # A SourceContext referring to a Gerrit project. # A SourceContext referring to a Gerrit project.

1956

"hostUri": "A String", # The URI of a running Gerrit instance.

1957

"revisionId": "A String", # A revision (commit) ID.

1958

"gerritProject": "A String", # The full project name within the host. Projects may be nested, so

1959

# "project/subproject" is a valid project name. The "repo name" is the

1960

# hostURI/project.

1961

"aliasContext": { # An alias to a repo revision. # An alias, which may be a branch or tag.

1962

"name": "A String", # The alias name.

1963

"kind": "A String", # The alias kind.

1964

},

1965

},

1966

"cloudRepo": { # A CloudRepoSourceContext denotes a particular revision in a Google Cloud # A SourceContext referring to a revision in a Google Cloud Source Repo.

1967

# Source Repo.

1968

"revisionId": "A String", # A revision ID.

1969

"repoId": { # A unique identifier for a Cloud Repo. # The ID of the repo.

1970

"projectRepoId": { # Selects a repo using a Google Cloud Platform project ID (e.g., # A combination of a project ID and a repo name.

1971

# winged-cargo-31) and a repo name within that project.

1972

"projectId": "A String", # The ID of the project.

1973

"repoName": "A String", # The name of the repo. Leave empty for the default repo.

1974

},

1975

"uid": "A String", # A server-assigned, globally unique identifier.

1976

},

1977

"aliasContext": { # An alias to a repo revision. # An alias, which may be a branch or tag.

1978

"name": "A String", # The alias name.

1979

"kind": "A String", # The alias kind.

},

},

},

],

"fileHashes": { # Hash(es) of the build source, which can be used to verify that the original

1985

# source integrity was maintained in the build.

1986

#

1987

# The keys to this map are file paths used as build source and the values

1988

# contain the hash values for those files.

1989

#

1990

# If the build source came in a single package such as a gzipped tarfile

1991

# (.tar.gz), the FileHash will be for the single path to that file.

1992

"a_key": { # Container message for hashes of byte content of files, used in source

1993

# messages to verify integrity of source input to the build.

1994

"fileHash": [ # Required. Collection of file hashes.

1995

{ # Container message for hash values.

1996

"type": "A String", # Required. The type of hash that was performed.

1997

"value": "A String", # Required. The hash value.

},

],

},

},

"context": { # A SourceContext is a reference to a tree of files. A SourceContext together # If provided, the source code used for the build came from this location.

2003

# with a path point to a unique revision of a single file or directory.

2004

"labels": { # Labels with user defined metadata.

2005

"a_key": "A String",

2006

},

2007

"git": { # A GitSourceContext denotes a particular revision in a third party Git # A SourceContext referring to any third party Git repo (e.g., GitHub).

2008

# repository (e.g., GitHub).

2009

"url": "A String", # Git repository URL.

2010

"revisionId": "A String", # Git commit hash.

2011

},

2012

"gerrit": { # A SourceContext referring to a Gerrit project. # A SourceContext referring to a Gerrit project.

2013

"hostUri": "A String", # The URI of a running Gerrit instance.

2014

"revisionId": "A String", # A revision (commit) ID.

2015

"gerritProject": "A String", # The full project name within the host. Projects may be nested, so

2016

# "project/subproject" is a valid project name. The "repo name" is the

2017

# hostURI/project.

2018

"aliasContext": { # An alias to a repo revision. # An alias, which may be a branch or tag.

2019

"name": "A String", # The alias name.

2020

"kind": "A String", # The alias kind.

2021

},

2022

},

2023

"cloudRepo": { # A CloudRepoSourceContext denotes a particular revision in a Google Cloud # A SourceContext referring to a revision in a Google Cloud Source Repo.

2024

# Source Repo.

2025

"revisionId": "A String", # A revision ID.

2026

"repoId": { # A unique identifier for a Cloud Repo. # The ID of the repo.

2027

"projectRepoId": { # Selects a repo using a Google Cloud Platform project ID (e.g., # A combination of a project ID and a repo name.

2028

# winged-cargo-31) and a repo name within that project.

2029

"projectId": "A String", # The ID of the project.

2030

"repoName": "A String", # The name of the repo. Leave empty for the default repo.

2031

},

2032

"uid": "A String", # A server-assigned, globally unique identifier.

2033

},

2034

"aliasContext": { # An alias to a repo revision. # An alias, which may be a branch or tag.

2035

"name": "A String", # The alias name.

2036

"kind": "A String", # The alias kind.

},

},

},

},

"createTime": "A String", # Time at which the build was created.

2042

"projectId": "A String", # ID of the project.

2043

"logsUri": "A String", # URI where any logs for this provenance were written.

2044

"creator": "A String", # E-mail address of the user who initiated this build. Note that this was the

2045

# user's e-mail address at the time the build was initiated; this address may

2046

# not represent the same end-user for all time.

2047

"builderVersion": "A String", # Version string of the builder at the time this build was executed.

2048

"commands": [ # Commands requested by the build.

2049

{ # Command describes a step performed as part of the build pipeline.

2050

"dir": "A String", # Working directory (relative to project source root) used when running this

2051

# command.

2052

"waitFor": [ # The ID(s) of the command(s) that this command depends on.

2053

"A String",

2054

],

2055

"env": [ # Environment variables set before running this command.

2056

"A String",

2057

],

2058

"args": [ # Command-line arguments used when executing this command.

2059

"A String",

2060

],

2061

"name": "A String", # Required. Name of the command, as presented on the command line, or if the

2062

# command is packaged as a Docker container, as presented to `docker pull`.

2063

"id": "A String", # Optional unique identifier for this command, used in wait_for to reference

2064

# this command as a dependency.

2065

},

2066

],

2067

"builtArtifacts": [ # Output of the build.

2068

{ # Artifact describes a build product.

2069

"checksum": "A String", # Hash or checksum value of a binary, or Docker Registry 2.0 digest of a

2070

# container.

2071

"id": "A String", # Artifact ID, if any; for container images, this will be a URL by digest

2072

# like `gcr.io/projectID/imagename@sha256:123456`.

2073

"names": [ # Related artifact names. This may be the path to a binary or jar file, or in

2074

# the case of a container build, the name used to push the container image to

2075

# Google Container Registry, as presented to `docker push`. Note that a

2076

# single Artifact ID can have multiple names, for example if two tags are

2077

# applied to one image.

"A String",

],

},

],

"id": "A String", # Required. Unique identifier of the build.

2083

"buildOptions": { # Special options applied to this build. This is a catch-all field where

2084

# build providers can enter any desired additional details.

"a_key": "A String",

},

},

},

"discovered": { # Details of a discovery occurrence. # Describes when a resource was discovered.

2090

"discovered": { # Provides information about the analysis status of a discovered resource. # Required. Analysis status for the discovered resource.

2091

"analysisStatusError": { # The `Status` type defines a logical error model that is suitable for # When an error is encountered this will contain a LocalizedMessage under

2092

# details to show to the user. The LocalizedMessage is output only and

2093

# populated by the API.

2094

# different programming environments, including REST APIs and RPC APIs. It is

2095

# used by [gRPC](https://github.com/grpc). Each `Status` message contains

2096

# three pieces of data: error code, error message, and error details.

2097

#

2098

# You can find out more about this error model and how to work with it in the

2099

# [API Design Guide](https://cloud.google.com/apis/design/errors).

2100

"details": [ # A list of messages that carry the error details. There is a common set of

2101

# message types for APIs to use.

2102

{

2103

"a_key": "", # Properties of the object. Contains field @type with type URL.

2104

},

2105

],

2106

"code": 42, # The status code, which should be an enum value of google.rpc.Code.

2107

"message": "A String", # A developer-facing error message, which should be in English. Any

2108

# user-facing error message should be localized and sent in the

2109

# google.rpc.Status.details field, or localized by the client.

2110

},

2111

"analysisStatus": "A String", # The status of discovery for the resource.

2112

"continuousAnalysis": "A String", # Whether the resource is continuously analyzed.

2113

"lastAnalysisTime": "A String", # The last time continuous analysis was done for this resource.

2114

# Deprecated, do not use.

2115

},

2116

},

2117

"noteName": "A String", # Required. Immutable. The analysis note associated with this occurrence, in

2118

# the form of `projects/[PROVIDER_ID]/notes/[NOTE_ID]`. This field can be

2119

# used as a filter in list requests.

2120

"deployment": { # Details of a deployment occurrence. # Describes the deployment of an artifact on a runtime.

2121

"deployment": { # The period during which some deployable was active in a runtime. # Required. Deployment history for the resource.

2122

"userEmail": "A String", # Identity of the user that triggered this deployment.

2123

"config": "A String", # Configuration used to create this deployment.

2124

"undeployTime": "A String", # End of the lifetime of this deployment.

2125

"platform": "A String", # Platform hosting this deployment.

2126

"deployTime": "A String", # Required. Beginning of the lifetime of this deployment.

2127

"address": "A String", # Address of the runtime element hosting this deployment.

2128

"resourceUri": [ # Output only. Resource URI for the artifact being deployed taken from

2129

# the deployable field with the same name.

"A String",

],

},

},

"createTime": "A String", # Output only. The time this occurrence was created.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2135

"updateTime": "A String", # Output only. The time this occurrence was last updated.

2136

"remediation": "A String", # A description of actions that can be taken to remedy the note.

2137

"intoto": { # This corresponds to a signed in-toto link - it is made up of one or more # Describes a specific in-toto link.

2138

# signatures and the in-toto link itself. This is used for occurrences of a

2139

# Grafeas in-toto note.

2140

"signed": { # This corresponds to an in-toto link.

2141

"command": [ # This field contains the full command executed for the step. This can also

2142

# be empty if links are generated for operations that aren't directly mapped

2143

# to a specific command. Each term in the command is an independent string

2144

# in the list. An example of a command in the in-toto metadata field is:

2145

# "command": ["git", "clone", "https://github.com/in-toto/demo-project.git"]

2146

"A String",

2147

],

2148

"byproducts": { # Defines an object for the byproducts field in in-toto links. The suggested # ByProducts are data generated as part of a software supply chain step, but

2149

# are not the actual result of the step.

2150

# fields are "stderr", "stdout", and "return-value".

"customValues": {

"a_key": "A String",

},

},

"environment": { # Defines an object for the environment field in in-toto links. The suggested # This is a field that can be used to capture information about the

2156

# environment. It is suggested for this field to contain information that

2157

# details environment variables, filesystem information, and the present

2158

# working directory. The recommended structure of this field is:

2159

# "environment": {

2160

# "custom_values": {

2161

# "variables": "<ENV>",

2162

# "filesystem": "<FS>",

2163

# "workdir": "<CWD>",

2164

# "<ANY OTHER RELEVANT FIELDS>": "..."

2165

# }

2166

# }

2167

# fields are "variables", "filesystem", and "workdir".

"customValues": {

"a_key": "A String",

},

},

"materials": [ # Materials are the supply chain artifacts that go into the step and are used

2173

# for the operation performed. The key of the map is the path of the artifact

2174

# and the structure contains the recorded hash information. An example is:

2175

# "materials": [

2176

# {

2177

# "resource_uri": "foo/bar",

2178

# "hashes": {

2179

# "sha256": "ebebf...",

2180

# <OTHER HASH ALGORITHMS>: <HASH VALUE>

# }

# }

# ]

{

"hashes": { # Defines a hash object for use in Materials and Products.

2186

"sha256": "A String",

2187

},

2188

"resourceUri": "A String",

2189

},

2190

],

2191

"products": [ # Products are the supply chain artifacts generated as a result of the step.

2192

# The structure is identical to that of materials.

2193

{

2194

"hashes": { # Defines a hash object for use in Materials and Products.

2195

"sha256": "A String",

2196

},

2197

"resourceUri": "A String",

2198

},

2199

],

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2200

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2201

"signatures": [

2202

{ # A signature object consists of the KeyID used and the signature itself.

2203

"sig": "A String",

2204

"keyid": "A String",

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2205

},

2206

],

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2207

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2208

"derivedImage": { # Details of an image occurrence. # Describes how this resource derives from the basis in the associated

2209

# note.

2210

"derivedImage": { # Derived describes the derived image portion (Occurrence) of the DockerImage # Required. Immutable. The child image derived from the base image.

2211

# relationship. This image would be produced from a Dockerfile with FROM

2212

# <DockerImage.Basis in attached Note>.

2213

"fingerprint": { # A set of properties that uniquely identify a given Docker image. # Required. The fingerprint of the derived image.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

2214

"v2Blob": [ # Required. The ordered list of v2 blobs that represent a given image.

2215

"A String",

2216

],

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2217

"v1Name": "A String", # Required. The layer ID of the final layer in the Docker image's v1

2218

# representation.

2219

"v2Name": "A String", # Output only. The name of the image's v2 blobs computed via:

2220

# [bottom] := v2_blobbottom := sha256(v2_blob[N] + " " + v2_name[N+1])

2221

# Only the name of the final blob is kept.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2222

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2223

"layerInfo": [ # This contains layer-specific metadata, if populated it has length

2224

# "distance" and is ordered with [distance] being the layer immediately

2225

# following the base image and [1] being the final layer.

2226

{ # Layer holds metadata specific to a layer of a Docker image.

2227

"directive": "A String", # Required. The recovered Dockerfile directive used to construct this layer.

2228

"arguments": "A String", # The recovered arguments to the Dockerfile directive.

2229

},

2230

],

2231

"distance": 42, # Output only. The number of layers by which this image differs from the

2232

# associated image basis.

2233

"baseResourceUrl": "A String", # Output only. This contains the base image URL for the derived image

2234

# occurrence.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2235

},

2236

},

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

}</pre>

</div>

<code class="details" id="delete">delete(name, x__xgafv=None)</code>

2242

<pre>Deletes the specified occurrence. For example, use this method to delete an

2243

occurrence when the occurrence is no longer applicable for the given

2244

resource.

2245

2246

Args:

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

2247

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2248

`projects/[PROJECT_ID]/occurrences/[OCCURRENCE_ID]`. (required)

2249

x__xgafv: string, V1 error format.

Allowed values

1 - v1 error format

2 - v2 error format

Returns:

An object of the form:

2256

2257

{ # A generic empty message that you can re-use to avoid defining duplicated

2258

# empty messages in your APIs. A typical example is to use it as the request

2259

# or the response type of an API method. For instance:

2260

#

2261

# service Foo {

2262

# rpc Bar(google.protobuf.Empty) returns (google.protobuf.Empty);

2263

# }

2264

#

2265

# The JSON representation for `Empty` is empty JSON object `{}`.

}</pre>

</div>

<code class="details" id="get">get(name, x__xgafv=None)</code>

2271

<pre>Gets the specified occurrence.

2272

2273

Args:

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

2274

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2275

`projects/[PROJECT_ID]/occurrences/[OCCURRENCE_ID]`. (required)

2276

x__xgafv: string, V1 error format.

Allowed values

1 - v1 error format

2 - v2 error format

Returns:

An object of the form:

2283

2284

{ # An instance of an analysis type that has been found on a resource.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

2285

"kind": "A String", # Output only. This explicitly denotes which of the occurrence details are

2286

# specified. This field can be used as a filter in list requests.

2287

"resource": { # An entity that can have metadata. For example, a Docker image. # Required. Immutable. The resource for which the occurrence applies.

2288

"name": "A String", # Deprecated, do not use. Use uri instead.

2289

#

2290

# The name of the resource. For example, the name of a Docker image -

2291

# "Debian".

2292

"contentHash": { # Container message for hash values. # Deprecated, do not use. Use uri instead.

2293

#

2294

# The hash of the resource content. For example, the Docker digest.

2295

"type": "A String", # Required. The type of hash that was performed.

2296

"value": "A String", # Required. The hash value.

2297

},

2298

"uri": "A String", # Required. The unique URI of the resource. For example,

2299

# `https://gcr.io/project/image@sha256:foo` for a Docker image.

2300

},

2301

"attestation": { # Details of an attestation occurrence. # Describes an attestation of an artifact.

2302

"attestation": { # Occurrence that represents a single "attestation". The authenticity of an # Required. Attestation for the resource.

2303

# attestation can be verified using the attached signature. If the verifier

2304

# trusts the public key of the signer, then verifying the signature is

2305

# sufficient to establish trust. In this circumstance, the authority to which

2306

# this attestation is attached is primarily useful for look-up (how to find

2307

# this attestation if you already know the authority and artifact to be

2308

# verified) and intent (which authority was this attestation intended to sign

2309

# for).

2310

"pgpSignedAttestation": { # An attestation wrapper with a PGP-compatible signature. This message only # A PGP signed attestation.

2311

# supports `ATTACHED` signatures, where the payload that is signed is included

2312

# alongside the signature itself in the same file.

2313

"contentType": "A String", # Type (for example schema) of the attestation payload that was signed.

2314

# The verifier must ensure that the provided type is one that the verifier

2315

# supports, and that the attestation payload is a valid instantiation of that

2316

# type (for example by validating a JSON schema).

2317

"signature": "A String", # Required. The raw content of the signature, as output by GNU Privacy Guard

2318

# (GPG) or equivalent. Since this message only supports attached signatures,

2319

# the payload that was signed must be attached. While the signature format

2320

# supported is dependent on the verification implementation, currently only

2321

# ASCII-armored (`--armor` to gpg), non-clearsigned (`--sign` rather than

2322

# `--clearsign` to gpg) are supported. Concretely, `gpg --sign --armor

2323

# --output=signature.gpg payload.json` will create the signature content

2324

# expected in this field in `signature.gpg` for the `payload.json`

2325

# attestation payload.

2326

"pgpKeyId": "A String", # The cryptographic fingerprint of the key used to generate the signature,

2327

# as output by, e.g. `gpg --list-keys`. This should be the version 4, full

2328

# 160-bit fingerprint, expressed as a 40 character hexidecimal string. See

2329

# https://tools.ietf.org/html/rfc4880#section-12.2 for details.

2330

# Implementations may choose to acknowledge "LONG", "SHORT", or other

2331

# abbreviated key IDs, but only the full fingerprint is guaranteed to work.

2332

# In gpg, the full fingerprint can be retrieved from the `fpr` field

2333

# returned when calling --list-keys with --with-colons. For example:

2334

# ```

2335

# gpg --with-colons --with-fingerprint --force-v4-certs \

2336

# --list-keys attester@example.com

2337

# tru::1:1513631572:0:3:1:5

2338

# pub:...<SNIP>...

2339

# fpr:::::::::24FF6481B76AC91E66A00AC657A93A81EF3AE6FB:

2340

# ```

2341

# Above, the fingerprint is `24FF6481B76AC91E66A00AC657A93A81EF3AE6FB`.

2342

},

2343

"genericSignedAttestation": { # An attestation wrapper that uses the Grafeas `Signature` message.

2344

# This attestation must define the `serialized_payload` that the `signatures`

2345

# verify and any metadata necessary to interpret that plaintext. The

2346

# signatures should always be over the `serialized_payload` bytestring.

2347

"contentType": "A String", # Type (for example schema) of the attestation payload that was signed.

2348

# The verifier must ensure that the provided type is one that the verifier

2349

# supports, and that the attestation payload is a valid instantiation of that

2350

# type (for example by validating a JSON schema).

2351

"signatures": [ # One or more signatures over `serialized_payload`. Verifier implementations

2352

# should consider this attestation message verified if at least one

2353

# `signature` verifies `serialized_payload`. See `Signature` in common.proto

2354

# for more details on signature structure and verification.

2355

{ # Verifiers (e.g. Kritis implementations) MUST verify signatures

2356

# with respect to the trust anchors defined in policy (e.g. a Kritis policy).

2357

# Typically this means that the verifier has been configured with a map from

2358

# `public_key_id` to public key material (and any required parameters, e.g.

2359

# signing algorithm).

2360

#

2361

# In particular, verification implementations MUST NOT treat the signature

2362

# `public_key_id` as anything more than a key lookup hint. The `public_key_id`

2363

# DOES NOT validate or authenticate a public key; it only provides a mechanism

2364

# for quickly selecting a public key ALREADY CONFIGURED on the verifier through

2365

# a trusted channel. Verification implementations MUST reject signatures in any

2366

# of the following circumstances:

2367

# * The `public_key_id` is not recognized by the verifier.

2368

# * The public key that `public_key_id` refers to does not verify the

2369

# signature with respect to the payload.

2370

#

2371

# The `signature` contents SHOULD NOT be "attached" (where the payload is

2372

# included with the serialized `signature` bytes). Verifiers MUST ignore any

2373

# "attached" payload and only verify signatures with respect to explicitly

2374

# provided payload (e.g. a `payload` field on the proto message that holds

2375

# this Signature, or the canonical serialization of the proto message that

2376

# holds this signature).

2377

"publicKeyId": "A String", # The identifier for the public key that verifies this signature.

2378

# * The `public_key_id` is required.

2379

# * The `public_key_id` MUST be an RFC3986 conformant URI.

2380

# * When possible, the `public_key_id` SHOULD be an immutable reference,

2381

# such as a cryptographic digest.

2382

#

2383

# Examples of valid `public_key_id`s:

2384

#

2385

# OpenPGP V4 public key fingerprint:

2386

# * "openpgp4fpr:74FAF3B861BDA0870C7B6DEF607E48D2A663AEEA"

2387

# See https://www.iana.org/assignments/uri-schemes/prov/openpgp4fpr for more

2388

# details on this scheme.

2389

#

2390

# RFC6920 digest-named SubjectPublicKeyInfo (digest of the DER

2391

# serialization):

2392

# * "ni:///sha-256;cD9o9Cq6LG3jD0iKXqEi_vdjJGecm_iXkbqVoScViaU"

2393

# * "nih:///sha-256;703f68f42aba2c6de30f488a5ea122fef76324679c9bf89791ba95a1271589a5"

2394

"signature": "A String", # The content of the signature, an opaque bytestring.

2395

# The payload that this signature verifies MUST be unambiguously provided

2396

# with the Signature during verification. A wrapper message might provide

2397

# the payload explicitly. Alternatively, a message might have a canonical

2398

# serialization that can always be unambiguously computed to derive the

# payload.

},

],

"serializedPayload": "A String", # The serialized payload that is verified by one or more `signatures`.

2403

# The encoding and semantic meaning of this payload must match what is set in

# `content_type`.

},

},

},

"name": "A String", # Output only. The name of the occurrence in the form of

2409

# `projects/[PROJECT_ID]/occurrences/[OCCURRENCE_ID]`.

2410

"vulnerability": { # Details of a vulnerability Occurrence. # Describes a security vulnerability.

2411

"longDescription": "A String", # Output only. A detailed description of this vulnerability.

2412

"shortDescription": "A String", # Output only. A one sentence description of this vulnerability.

2413

"effectiveSeverity": "A String", # The distro assigned severity for this vulnerability when it is

2414

# available, and note provider assigned severity when distro has not yet

2415

# assigned a severity for this vulnerability.

2416

"severity": "A String", # Output only. The note provider assigned Severity of the vulnerability.

2417

"cvssScore": 3.14, # Output only. The CVSS score of this vulnerability. CVSS score is on a

2418

# scale of 0-10 where 0 indicates low severity and 10 indicates high

2419

# severity.

2420

"relatedUrls": [ # Output only. URLs related to this vulnerability.

2421

{ # Metadata for any related URL information.

2422

"url": "A String", # Specific URL associated with the resource.

2423

"label": "A String", # Label to describe usage of the URL.

2424

},

2425

],

2426

"type": "A String", # The type of package; whether native or non native(ruby gems, node.js

2427

# packages etc)

2428

"packageIssue": [ # Required. The set of affected locations and their fixes (if available)

2429

# within the associated resource.

2430

{ # This message wraps a location affected by a vulnerability and its

2431

# associated fix (if one is available).

2432

"severityName": "A String", # Deprecated, use Details.effective_severity instead

2433

# The severity (e.g., distro assigned severity) for this vulnerability.

2434

"affectedLocation": { # The location of the vulnerability. # Required. The location of the vulnerability.

2435

"package": "A String", # Required. The package being described.

2436

"version": { # Version contains structured information about the version of a package. # Required. The version of the package being described.

2437

"revision": "A String", # The iteration of the package build from the above version.

2438

"name": "A String", # Required only when version kind is NORMAL. The main part of the version

2439

# name.

2440

"kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal

2441

# versions.

2442

"epoch": 42, # Used to correct mistakes in the version numbering scheme.

2443

},

2444

"cpeUri": "A String", # Required. The CPE URI in [cpe format](https://cpe.mitre.org/specification/)

2445

# format. Examples include distro or storage location for vulnerable jar.

2446

},

2447

"fixedLocation": { # The location of the vulnerability. # The location of the available fix for vulnerability.

2448

"package": "A String", # Required. The package being described.

2449

"version": { # Version contains structured information about the version of a package. # Required. The version of the package being described.

2450

"revision": "A String", # The iteration of the package build from the above version.

2451

"name": "A String", # Required only when version kind is NORMAL. The main part of the version

2452

# name.

2453

"kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal

2454

# versions.

2455

"epoch": 42, # Used to correct mistakes in the version numbering scheme.

2456

},

2457

"cpeUri": "A String", # Required. The CPE URI in [cpe format](https://cpe.mitre.org/specification/)

2458

# format. Examples include distro or storage location for vulnerable jar.

},

},

],

},

"installation": { # Details of a package occurrence. # Describes the installation of a package on the linked resource.

2464

"installation": { # This represents how a particular software package may be installed on a # Required. Where the package was installed.

2465

# system.

2466

"location": [ # Required. All of the places within the filesystem versions of this package

2467

# have been found.

2468

{ # An occurrence of a particular package installation found within a system's

2469

# filesystem. E.g., glibc was found in `/var/lib/dpkg/status`.

2470

"cpeUri": "A String", # Required. The CPE URI in [CPE format](https://cpe.mitre.org/specification/)

2471

# denoting the package manager version distributing a package.

2472

"version": { # Version contains structured information about the version of a package. # The version installed at this location.

2473

"revision": "A String", # The iteration of the package build from the above version.

2474

"name": "A String", # Required only when version kind is NORMAL. The main part of the version

2475

# name.

2476

"kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal

2477

# versions.

2478

"epoch": 42, # Used to correct mistakes in the version numbering scheme.

2479

},

2480

"path": "A String", # The path from which we gathered that this package/version is installed.

2481

},

2482

],

2483

"name": "A String", # Output only. The name of the installed package.

2484

},

2485

},

2486

"build": { # Details of a build occurrence. # Describes a verifiable build.

2487

"provenanceBytes": "A String", # Serialized JSON representation of the provenance, used in generating the

2488

# build signature in the corresponding build note. After verifying the

2489

# signature, `provenance_bytes` can be unmarshalled and compared to the

2490

# provenance to confirm that it is unchanged. A base64-encoded string

2491

# representation of the provenance bytes is used for the signature in order

2492

# to interoperate with openssl which expects this format for signature

2493

# verification.

2494

#

2495

# The serialized form is captured both to avoid ambiguity in how the

2496

# provenance is marshalled to json as well to prevent incompatibilities with

2497

# future changes.

2498

"provenance": { # Provenance of a build. Contains all information needed to verify the full # Required. The actual provenance for the build.

2499

# details about the build from source to completion.

2500

"endTime": "A String", # Time at which execution of the build was finished.

2501

"startTime": "A String", # Time at which execution of the build was started.

2502

"triggerId": "A String", # Trigger identifier if the build was triggered automatically; empty if not.

2503

"sourceProvenance": { # Source describes the location of the source used for the build. # Details of the Source input to the build.

2504

"artifactStorageSourceUri": "A String", # If provided, the input binary artifacts for the build came from this

2505

# location.

2506

"additionalContexts": [ # If provided, some of the source code used for the build may be found in

2507

# these locations, in the case where the source repository had multiple

2508

# remotes or submodules. This list will not include the context specified in

2509

# the context field.

2510

{ # A SourceContext is a reference to a tree of files. A SourceContext together

2511

# with a path point to a unique revision of a single file or directory.

2512

"labels": { # Labels with user defined metadata.

2513

"a_key": "A String",

2514

},

2515

"git": { # A GitSourceContext denotes a particular revision in a third party Git # A SourceContext referring to any third party Git repo (e.g., GitHub).

2516

# repository (e.g., GitHub).

2517

"url": "A String", # Git repository URL.

2518

"revisionId": "A String", # Git commit hash.

2519

},

2520

"gerrit": { # A SourceContext referring to a Gerrit project. # A SourceContext referring to a Gerrit project.

2521

"hostUri": "A String", # The URI of a running Gerrit instance.

2522

"revisionId": "A String", # A revision (commit) ID.

2523

"gerritProject": "A String", # The full project name within the host. Projects may be nested, so

2524

# "project/subproject" is a valid project name. The "repo name" is the

2525

# hostURI/project.

2526

"aliasContext": { # An alias to a repo revision. # An alias, which may be a branch or tag.

2527

"name": "A String", # The alias name.

2528

"kind": "A String", # The alias kind.

2529

},

2530

},

2531

"cloudRepo": { # A CloudRepoSourceContext denotes a particular revision in a Google Cloud # A SourceContext referring to a revision in a Google Cloud Source Repo.

2532

# Source Repo.

2533

"revisionId": "A String", # A revision ID.

2534

"repoId": { # A unique identifier for a Cloud Repo. # The ID of the repo.

2535

"projectRepoId": { # Selects a repo using a Google Cloud Platform project ID (e.g., # A combination of a project ID and a repo name.

2536

# winged-cargo-31) and a repo name within that project.

2537

"projectId": "A String", # The ID of the project.

2538

"repoName": "A String", # The name of the repo. Leave empty for the default repo.

2539

},

2540

"uid": "A String", # A server-assigned, globally unique identifier.

2541

},

2542

"aliasContext": { # An alias to a repo revision. # An alias, which may be a branch or tag.

2543

"name": "A String", # The alias name.

2544

"kind": "A String", # The alias kind.

},

},

},

],

"fileHashes": { # Hash(es) of the build source, which can be used to verify that the original

2550

# source integrity was maintained in the build.

2551

#

2552

# The keys to this map are file paths used as build source and the values

2553

# contain the hash values for those files.

2554

#

2555

# If the build source came in a single package such as a gzipped tarfile

2556

# (.tar.gz), the FileHash will be for the single path to that file.

2557

"a_key": { # Container message for hashes of byte content of files, used in source

2558

# messages to verify integrity of source input to the build.

2559

"fileHash": [ # Required. Collection of file hashes.

2560

{ # Container message for hash values.

2561

"type": "A String", # Required. The type of hash that was performed.

2562

"value": "A String", # Required. The hash value.

},

],

},

},

"context": { # A SourceContext is a reference to a tree of files. A SourceContext together # If provided, the source code used for the build came from this location.

2568

# with a path point to a unique revision of a single file or directory.

2569

"labels": { # Labels with user defined metadata.

2570

"a_key": "A String",

2571

},

2572

"git": { # A GitSourceContext denotes a particular revision in a third party Git # A SourceContext referring to any third party Git repo (e.g., GitHub).

2573

# repository (e.g., GitHub).

2574

"url": "A String", # Git repository URL.

2575

"revisionId": "A String", # Git commit hash.

2576

},

2577

"gerrit": { # A SourceContext referring to a Gerrit project. # A SourceContext referring to a Gerrit project.

2578

"hostUri": "A String", # The URI of a running Gerrit instance.

2579

"revisionId": "A String", # A revision (commit) ID.

2580

"gerritProject": "A String", # The full project name within the host. Projects may be nested, so

2581

# "project/subproject" is a valid project name. The "repo name" is the

2582

# hostURI/project.

2583

"aliasContext": { # An alias to a repo revision. # An alias, which may be a branch or tag.

2584

"name": "A String", # The alias name.

2585

"kind": "A String", # The alias kind.

2586

},

2587

},

2588

"cloudRepo": { # A CloudRepoSourceContext denotes a particular revision in a Google Cloud # A SourceContext referring to a revision in a Google Cloud Source Repo.

2589

# Source Repo.

2590

"revisionId": "A String", # A revision ID.

2591

"repoId": { # A unique identifier for a Cloud Repo. # The ID of the repo.

2592

"projectRepoId": { # Selects a repo using a Google Cloud Platform project ID (e.g., # A combination of a project ID and a repo name.

2593

# winged-cargo-31) and a repo name within that project.

2594

"projectId": "A String", # The ID of the project.

2595

"repoName": "A String", # The name of the repo. Leave empty for the default repo.

2596

},

2597

"uid": "A String", # A server-assigned, globally unique identifier.

2598

},

2599

"aliasContext": { # An alias to a repo revision. # An alias, which may be a branch or tag.

2600

"name": "A String", # The alias name.

2601

"kind": "A String", # The alias kind.

},

},

},

},

"createTime": "A String", # Time at which the build was created.

2607

"projectId": "A String", # ID of the project.

2608

"logsUri": "A String", # URI where any logs for this provenance were written.

2609

"creator": "A String", # E-mail address of the user who initiated this build. Note that this was the

2610

# user's e-mail address at the time the build was initiated; this address may

2611

# not represent the same end-user for all time.

2612

"builderVersion": "A String", # Version string of the builder at the time this build was executed.

2613

"commands": [ # Commands requested by the build.

2614

{ # Command describes a step performed as part of the build pipeline.

2615

"dir": "A String", # Working directory (relative to project source root) used when running this

2616

# command.

2617

"waitFor": [ # The ID(s) of the command(s) that this command depends on.

2618

"A String",

2619

],

2620

"env": [ # Environment variables set before running this command.

2621

"A String",

2622

],

2623

"args": [ # Command-line arguments used when executing this command.

2624

"A String",

2625

],

2626

"name": "A String", # Required. Name of the command, as presented on the command line, or if the

2627

# command is packaged as a Docker container, as presented to `docker pull`.

2628

"id": "A String", # Optional unique identifier for this command, used in wait_for to reference

2629

# this command as a dependency.

2630

},

2631

],

2632

"builtArtifacts": [ # Output of the build.

2633

{ # Artifact describes a build product.

2634

"checksum": "A String", # Hash or checksum value of a binary, or Docker Registry 2.0 digest of a

2635

# container.

2636

"id": "A String", # Artifact ID, if any; for container images, this will be a URL by digest

2637

# like `gcr.io/projectID/imagename@sha256:123456`.

2638

"names": [ # Related artifact names. This may be the path to a binary or jar file, or in

2639

# the case of a container build, the name used to push the container image to

2640

# Google Container Registry, as presented to `docker push`. Note that a

2641

# single Artifact ID can have multiple names, for example if two tags are

2642

# applied to one image.

"A String",

],

},

],

"id": "A String", # Required. Unique identifier of the build.

2648

"buildOptions": { # Special options applied to this build. This is a catch-all field where

2649

# build providers can enter any desired additional details.

"a_key": "A String",

},

},

},

"discovered": { # Details of a discovery occurrence. # Describes when a resource was discovered.

2655

"discovered": { # Provides information about the analysis status of a discovered resource. # Required. Analysis status for the discovered resource.

2656

"analysisStatusError": { # The `Status` type defines a logical error model that is suitable for # When an error is encountered this will contain a LocalizedMessage under

2657

# details to show to the user. The LocalizedMessage is output only and

2658

# populated by the API.

2659

# different programming environments, including REST APIs and RPC APIs. It is

2660

# used by [gRPC](https://github.com/grpc). Each `Status` message contains

2661

# three pieces of data: error code, error message, and error details.

2662

#

2663

# You can find out more about this error model and how to work with it in the

2664

# [API Design Guide](https://cloud.google.com/apis/design/errors).

2665

"details": [ # A list of messages that carry the error details. There is a common set of

2666

# message types for APIs to use.

2667

{

2668

"a_key": "", # Properties of the object. Contains field @type with type URL.

2669

},

2670

],

2671

"code": 42, # The status code, which should be an enum value of google.rpc.Code.

2672

"message": "A String", # A developer-facing error message, which should be in English. Any

2673

# user-facing error message should be localized and sent in the

2674

# google.rpc.Status.details field, or localized by the client.

2675

},

2676

"analysisStatus": "A String", # The status of discovery for the resource.

2677

"continuousAnalysis": "A String", # Whether the resource is continuously analyzed.

2678

"lastAnalysisTime": "A String", # The last time continuous analysis was done for this resource.

2679

# Deprecated, do not use.

2680

},

2681

},

2682

"noteName": "A String", # Required. Immutable. The analysis note associated with this occurrence, in

2683

# the form of `projects/[PROVIDER_ID]/notes/[NOTE_ID]`. This field can be

2684

# used as a filter in list requests.

2685

"deployment": { # Details of a deployment occurrence. # Describes the deployment of an artifact on a runtime.

2686

"deployment": { # The period during which some deployable was active in a runtime. # Required. Deployment history for the resource.

2687

"userEmail": "A String", # Identity of the user that triggered this deployment.

2688

"config": "A String", # Configuration used to create this deployment.

2689

"undeployTime": "A String", # End of the lifetime of this deployment.

2690

"platform": "A String", # Platform hosting this deployment.

2691

"deployTime": "A String", # Required. Beginning of the lifetime of this deployment.

2692

"address": "A String", # Address of the runtime element hosting this deployment.

2693

"resourceUri": [ # Output only. Resource URI for the artifact being deployed taken from

2694

# the deployable field with the same name.

"A String",

],

},

},

"createTime": "A String", # Output only. The time this occurrence was created.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2700

"updateTime": "A String", # Output only. The time this occurrence was last updated.

2701

"remediation": "A String", # A description of actions that can be taken to remedy the note.

2702

"intoto": { # This corresponds to a signed in-toto link - it is made up of one or more # Describes a specific in-toto link.

2703

# signatures and the in-toto link itself. This is used for occurrences of a

2704

# Grafeas in-toto note.

2705

"signed": { # This corresponds to an in-toto link.

2706

"command": [ # This field contains the full command executed for the step. This can also

2707

# be empty if links are generated for operations that aren't directly mapped

2708

# to a specific command. Each term in the command is an independent string

2709

# in the list. An example of a command in the in-toto metadata field is:

2710

# "command": ["git", "clone", "https://github.com/in-toto/demo-project.git"]

2711

"A String",

2712

],

2713

"byproducts": { # Defines an object for the byproducts field in in-toto links. The suggested # ByProducts are data generated as part of a software supply chain step, but

2714

# are not the actual result of the step.

2715

# fields are "stderr", "stdout", and "return-value".

"customValues": {

"a_key": "A String",

},

},

"environment": { # Defines an object for the environment field in in-toto links. The suggested # This is a field that can be used to capture information about the

2721

# environment. It is suggested for this field to contain information that

2722

# details environment variables, filesystem information, and the present

2723

# working directory. The recommended structure of this field is:

2724

# "environment": {

2725

# "custom_values": {

2726

# "variables": "<ENV>",

2727

# "filesystem": "<FS>",

2728

# "workdir": "<CWD>",

2729

# "<ANY OTHER RELEVANT FIELDS>": "..."

2730

# }

2731

# }

2732

# fields are "variables", "filesystem", and "workdir".

"customValues": {

"a_key": "A String",

},

},

"materials": [ # Materials are the supply chain artifacts that go into the step and are used

2738

# for the operation performed. The key of the map is the path of the artifact

2739

# and the structure contains the recorded hash information. An example is:

2740

# "materials": [

2741

# {

2742

# "resource_uri": "foo/bar",

2743

# "hashes": {

2744

# "sha256": "ebebf...",

2745

# <OTHER HASH ALGORITHMS>: <HASH VALUE>

# }

# }

# ]

{

"hashes": { # Defines a hash object for use in Materials and Products.

2751

"sha256": "A String",

2752

},

2753

"resourceUri": "A String",

2754

},

2755

],

2756

"products": [ # Products are the supply chain artifacts generated as a result of the step.

2757

# The structure is identical to that of materials.

2758

{

2759

"hashes": { # Defines a hash object for use in Materials and Products.

2760

"sha256": "A String",

2761

},

2762

"resourceUri": "A String",

2763

},

2764

],

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2765

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2766

"signatures": [

2767

{ # A signature object consists of the KeyID used and the signature itself.

2768

"sig": "A String",

2769

"keyid": "A String",

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2770

},

2771

],

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2772

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2773

"derivedImage": { # Details of an image occurrence. # Describes how this resource derives from the basis in the associated

2774

# note.

2775

"derivedImage": { # Derived describes the derived image portion (Occurrence) of the DockerImage # Required. Immutable. The child image derived from the base image.

2776

# relationship. This image would be produced from a Dockerfile with FROM

2777

# <DockerImage.Basis in attached Note>.

2778

"fingerprint": { # A set of properties that uniquely identify a given Docker image. # Required. The fingerprint of the derived image.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

2779

"v2Blob": [ # Required. The ordered list of v2 blobs that represent a given image.

2780

"A String",

2781

],

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2782

"v1Name": "A String", # Required. The layer ID of the final layer in the Docker image's v1

2783

# representation.

2784

"v2Name": "A String", # Output only. The name of the image's v2 blobs computed via:

2785

# [bottom] := v2_blobbottom := sha256(v2_blob[N] + " " + v2_name[N+1])

2786

# Only the name of the final blob is kept.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2787

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2788

"layerInfo": [ # This contains layer-specific metadata, if populated it has length

2789

# "distance" and is ordered with [distance] being the layer immediately

2790

# following the base image and [1] being the final layer.

2791

{ # Layer holds metadata specific to a layer of a Docker image.

2792

"directive": "A String", # Required. The recovered Dockerfile directive used to construct this layer.

2793

"arguments": "A String", # The recovered arguments to the Dockerfile directive.

2794

},

2795

],

2796

"distance": 42, # Output only. The number of layers by which this image differs from the

2797

# associated image basis.

2798

"baseResourceUrl": "A String", # Output only. This contains the base image URL for the derived image

2799

# occurrence.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2800

},

2801

},

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

}</pre>

</div>

<code class="details" id="getIamPolicy">getIamPolicy(resource, body=None, x__xgafv=None)</code>

2807

<pre>Gets the access control policy for a note or an occurrence resource.

2808

Requires `containeranalysis.notes.setIamPolicy` or

2809

`containeranalysis.occurrences.setIamPolicy` permission if the resource is

2810

a note or occurrence, respectively.

2811

2812

The resource takes the format `projects/[PROJECT_ID]/notes/[NOTE_ID]` for

2813

notes and `projects/[PROJECT_ID]/occurrences/[OCCURRENCE_ID]` for

occurrences.

Args:

resource: string, REQUIRED: The resource for which the policy is being requested.

2818

See the operation documentation for the appropriate value for this field. (required)

2819

body: object, The request body.

2820

The object takes the form of:

2821

2822

{ # Request message for `GetIamPolicy` method.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2823

"options": { # Encapsulates settings provided to GetIamPolicy. # OPTIONAL: A `GetPolicyOptions` object for specifying options to

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

2824

# `GetIamPolicy`.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2825

"requestedPolicyVersion": 42, # Optional. The policy format version to be returned.

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

2826

#

2827

# Valid values are 0, 1, and 3. Requests specifying an invalid value will be

2828

# rejected.

2829

#

2830

# Requests for policies with any conditional bindings must specify version 3.

2831

# Policies without any conditional bindings may specify any valid value or

2832

# leave the field unset.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2833

#

2834

# To learn which resources support conditions in their IAM policies, see the

2835

# [IAM

2836

# documentation](https://cloud.google.com/iam/help/conditions/resource-policies).

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

2837

},

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2838

}

2839

2840

x__xgafv: string, V1 error format.

Allowed values

1 - v1 error format

2 - v2 error format

Returns:

An object of the form:

2847

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

2848

{ # An Identity and Access Management (IAM) policy, which specifies access

2849

# controls for Google Cloud resources.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2850

#

2851

#

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

2852

# A `Policy` is a collection of `bindings`. A `binding` binds one or more

2853

# `members` to a single `role`. Members can be user accounts, service accounts,

2854

# Google groups, and domains (such as G Suite). A `role` is a named list of

2855

# permissions; each `role` can be an IAM predefined role or a user-created

2856

# custom role.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2857

#

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2858

# For some types of Google Cloud resources, a `binding` can also specify a

2859

# `condition`, which is a logical expression that allows access to a resource

2860

# only if the expression evaluates to `true`. A condition can add constraints

2861

# based on attributes of the request, the resource, or both. To learn which

2862

# resources support conditions in their IAM policies, see the

2863

# [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies).

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

2864

#

2865

# **JSON example:**

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2866

#

2867

# {

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2868

# "bindings": [

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2869

# {

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2870

# "role": "roles/resourcemanager.organizationAdmin",

2871

# "members": [

2872

# "user:mike@example.com",

2873

# "group:admins@example.com",

2874

# "domain:google.com",

2875

# "serviceAccount:my-project-id@appspot.gserviceaccount.com"

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2876

# ]

2877

# },

2878

# {

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2879

# "role": "roles/resourcemanager.organizationViewer",

2880

# "members": [

2881

# "user:eve@example.com"

2882

# ],

2883

# "condition": {

2884

# "title": "expirable access",

2885

# "description": "Does not grant access after Sep 2020",

2886

# "expression": "request.time < timestamp('2020-10-01T00:00:00.000Z')",

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

2887

# }

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2888

# }

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

2889

# ],

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2890

# "etag": "BwWWja0YfJA=",

2891

# "version": 3

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2892

# }

2893

#

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

2894

# **YAML example:**

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

#

# bindings:

# - members:

# - user:mike@example.com

2899

# - group:admins@example.com

2900

# - domain:google.com

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

2901

# - serviceAccount:my-project-id@appspot.gserviceaccount.com

2902

# role: roles/resourcemanager.organizationAdmin

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2903

# - members:

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

2904

# - user:eve@example.com

2905

# role: roles/resourcemanager.organizationViewer

2906

# condition:

2907

# title: expirable access

2908

# description: Does not grant access after Sep 2020

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2909

# expression: request.time < timestamp('2020-10-01T00:00:00.000Z')

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

2910

# - etag: BwWWja0YfJA=

2911

# - version: 3

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2912

#

2913

# For a description of IAM and its features, see the

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

2914

# [IAM documentation](https://cloud.google.com/iam/docs/).

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

2915

"etag": "A String", # `etag` is used for optimistic concurrency control as a way to help

2916

# prevent simultaneous updates of a policy from overwriting each other.

2917

# It is strongly suggested that systems make use of the `etag` in the

2918

# read-modify-write cycle to perform policy updates in order to avoid race

2919

# conditions: An `etag` is returned in the response to `getIamPolicy`, and

2920

# systems are expected to put that etag in the request to `setIamPolicy` to

2921

# ensure that their change will be applied to the same version of the policy.

2922

#

2923

# **Important:** If you use IAM Conditions, you must include the `etag` field

2924

# whenever you call `setIamPolicy`. If you omit this field, then IAM allows

2925

# you to overwrite a version `3` policy with a version `1` policy, and all of

2926

# the conditions in the version `3` policy are lost.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2927

"version": 42, # Specifies the format of the policy.

2928

#

2929

# Valid values are `0`, `1`, and `3`. Requests that specify an invalid value

2930

# are rejected.

2931

#

2932

# Any operation that affects conditional role bindings must specify version

2933

# `3`. This requirement applies to the following operations:

2934

#

2935

# * Getting a policy that includes a conditional role binding

2936

# * Adding a conditional role binding to a policy

2937

# * Changing a conditional role binding in a policy

2938

# * Removing any role binding, with or without a condition, from a policy

2939

# that includes conditions

2940

#

2941

# **Important:** If you use IAM Conditions, you must include the `etag` field

2942

# whenever you call `setIamPolicy`. If you omit this field, then IAM allows

2943

# you to overwrite a version `3` policy with a version `1` policy, and all of

2944

# the conditions in the version `3` policy are lost.

2945

#

2946

# If a policy does not include any conditions, operations on that policy may

2947

# specify any valid version or leave the field unset.

2948

#

2949

# To learn which resources support conditions in their IAM policies, see the

2950

# [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies).

2951

"bindings": [ # Associates a list of `members` to a `role`. Optionally, may specify a

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

2952

# `condition` that determines how and when the `bindings` are applied. Each

2953

# of the `bindings` must contain at least one member.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2954

{ # Associates `members` with a `role`.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

2955

"condition": { # Represents a textual expression in the Common Expression Language (CEL) # The condition that is associated with this binding.

2956

#

2957

# If the condition evaluates to `true`, then this binding applies to the

2958

# current request.

2959

#

2960

# If the condition evaluates to `false`, then this binding does not apply to

2961

# the current request. However, a different role binding might grant the same

2962

# role to one or more of the members in this binding.

2963

#

2964

# To learn which resources support conditions in their IAM policies, see the

2965

# [IAM

2966

# documentation](https://cloud.google.com/iam/help/conditions/resource-policies).

2967

# syntax. CEL is a C-like expression language. The syntax and semantics of CEL

2968

# are documented at https://github.com/google/cel-spec.

2969

#

2970

# Example (Comparison):

2971

#

2972

# title: "Summary size limit"

2973

# description: "Determines if a summary is less than 100 chars"

2974

# expression: "document.summary.size() < 100"

2975

#

2976

# Example (Equality):

2977

#

2978

# title: "Requestor is owner"

2979

# description: "Determines if requestor is the document owner"

2980

# expression: "document.owner == request.auth.claims.email"

#

# Example (Logic):

#

# title: "Public documents"

2985

# description: "Determine whether the document should be publicly visible"

2986

# expression: "document.type != 'private' && document.type != 'internal'"

2987

#

2988

# Example (Data Manipulation):

2989

#

2990

# title: "Notification string"

2991

# description: "Create a notification string with a timestamp."

2992

# expression: "'New message received at ' + string(document.create_time)"

2993

#

2994

# The exact variables and functions that may be referenced within an expression

2995

# are determined by the service that evaluates it. See the service

2996

# documentation for additional information.

2997

"description": "A String", # Optional. Description of the expression. This is a longer text which

2998

# describes the expression, e.g. when hovered over it in a UI.

2999

"expression": "A String", # Textual representation of an expression in Common Expression Language

3000

# syntax.

3001

"title": "A String", # Optional. Title for the expression, i.e. a short string describing

3002

# its purpose. This can be used e.g. in UIs which allow to enter the

3003

# expression.

3004

"location": "A String", # Optional. String indicating the location of the expression for error

3005

# reporting, e.g. a file name and a position in the file.

3006

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

3007

"members": [ # Specifies the identities requesting access for a Cloud Platform resource.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

3008

# `members` can have the following values:

3009

#

3010

# * `allUsers`: A special identifier that represents anyone who is

3011

# on the internet; with or without a Google account.

3012

#

3013

# * `allAuthenticatedUsers`: A special identifier that represents anyone

3014

# who is authenticated with a Google account or a service account.

3015

#

3016

# * `user:{emailid}`: An email address that represents a specific Google

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

3017

# account. For example, `alice@example.com` .

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

3018

#

3019

#

3020

# * `serviceAccount:{emailid}`: An email address that represents a service

3021

# account. For example, `my-other-app@appspot.gserviceaccount.com`.

3022

#

3023

# * `group:{emailid}`: An email address that represents a Google group.

3024

# For example, `admins@example.com`.

3025

#

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

3026

# * `deleted:user:{emailid}?uid={uniqueid}`: An email address (plus unique

3027

# identifier) representing a user that has been recently deleted. For

3028

# example, `alice@example.com?uid=123456789012345678901`. If the user is

3029

# recovered, this value reverts to `user:{emailid}` and the recovered user

3030

# retains the role in the binding.

3031

#

3032

# * `deleted:serviceAccount:{emailid}?uid={uniqueid}`: An email address (plus

3033

# unique identifier) representing a service account that has been recently

3034

# deleted. For example,

3035

# `my-other-app@appspot.gserviceaccount.com?uid=123456789012345678901`.

3036

# If the service account is undeleted, this value reverts to

3037

# `serviceAccount:{emailid}` and the undeleted service account retains the

3038

# role in the binding.

3039

#

3040

# * `deleted:group:{emailid}?uid={uniqueid}`: An email address (plus unique

3041

# identifier) representing a Google group that has been recently

3042

# deleted. For example, `admins@example.com?uid=123456789012345678901`. If

3043

# the group is recovered, this value reverts to `group:{emailid}` and the

3044

# recovered group retains the role in the binding.

3045

#

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

3046

#

3047

# * `domain:{domain}`: The G Suite domain (primary) that represents all the

3048

# users of that domain. For example, `google.com` or `example.com`.

3049

#

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

3050

"A String",

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

3051

],

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

3052

"role": "A String", # Role that is assigned to `members`.

3053

# For example, `roles/viewer`, `roles/editor`, or `roles/owner`.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

3054

},

3055

],

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

}</pre>

</div>

<code class="details" id="getNotes">getNotes(name, x__xgafv=None)</code>

3061

<pre>Gets the note attached to the specified occurrence. Consumer projects can

3062

use this method to get a note that belongs to a provider project.

3063

3064

Args:

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

3065

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

3066

`projects/[PROJECT_ID]/occurrences/[OCCURRENCE_ID]`. (required)

3067

x__xgafv: string, V1 error format.

Allowed values

1 - v1 error format

2 - v2 error format

Returns:

An object of the form:

3074

3075

{ # A type of analysis that can be done for a resource.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

3076

"attestationAuthority": { # Note kind that represents a logical attestation "role" or "authority". For # A note describing an attestation role.

3077

# example, an organization might have one `Authority` for "QA" and one for

3078

# "build". This note is intended to act strictly as a grouping mechanism for

3079

# the attached occurrences (Attestations). This grouping mechanism also

3080

# provides a security boundary, since IAM ACLs gate the ability for a principle

3081

# to attach an occurrence to a given note. It also provides a single point of

3082

# lookup to find all attached attestation occurrences, even if they don't all

3083

# live in the same project.

3084

"hint": { # This submessage provides human-readable hints about the purpose of the # Hint hints at the purpose of the attestation authority.

3085

# authority. Because the name of a note acts as its resource reference, it is

3086

# important to disambiguate the canonical name of the Note (which might be a

3087

# UUID for security purposes) from "readable" names more suitable for debug

3088

# output. Note that these hints should not be used to look up authorities in

3089

# security sensitive contexts, such as when looking up attestations to

3090

# verify.

3091

"humanReadableName": "A String", # Required. The human readable name of this attestation authority, for

# example "qa".

},

},

"name": "A String", # Output only. The name of the note in the form of

3096

# `projects/[PROVIDER_ID]/notes/[NOTE_ID]`.

3097

"vulnerability": { # Vulnerability provides metadata about a security vulnerability in a Note. # A note describing a package vulnerability.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

3098

"cvssV3": { # Common Vulnerability Scoring System version 3. # The full description of the CVSSv3.

3099

# For details, see https://www.first.org/cvss/specification-document

3100

"baseScore": 3.14, # The base score is a function of the base metric scores.

3101

"scope": "A String",

3102

"integrityImpact": "A String",

3103

"exploitabilityScore": 3.14,

3104

"impactScore": 3.14,

3105

"attackComplexity": "A String",

3106

"availabilityImpact": "A String",

3107

"privilegesRequired": "A String",

3108

"userInteraction": "A String",

3109

"attackVector": "A String", # Base Metrics

3110

# Represents the intrinsic characteristics of a vulnerability that are

3111

# constant over time and across user environments.

3112

"confidentialityImpact": "A String",

3113

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

3114

"sourceUpdateTime": "A String", # The time this information was last changed at the source. This is an

3115

# upstream timestamp from the underlying information source - e.g. Ubuntu

3116

# security tracker.

3117

"windowsDetails": [ # Windows details get their own format because the information format and

3118

# model don't match a normal detail. Specifically Windows updates are done as

3119

# patches, thus Windows vulnerabilities really are a missing package, rather

3120

# than a package being at an incorrect version.

3121

{

3122

"name": "A String", # Required. The name of the vulnerability.

3123

"cpeUri": "A String", # Required. The CPE URI in

3124

# [cpe format](https://cpe.mitre.org/specification/) in which the

3125

# vulnerability manifests. Examples include distro or storage location for

3126

# vulnerable jar.

3127

"description": "A String", # The description of the vulnerability.

3128

"fixingKbs": [ # Required. The names of the KBs which have hotfixes to mitigate this

3129

# vulnerability. Note that there may be multiple hotfixes (and thus

3130

# multiple KBs) that mitigate a given vulnerability. Currently any listed

3131

# kb's presence is considered a fix.

3132

{

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

3133

"name": "A String", # The KB name (generally of the form KB[0-9]+ i.e. KB123456).

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

3134

"url": "A String", # A link to the KB in the Windows update catalog -

3135

# https://www.catalog.update.microsoft.com/

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

},

],

},

],

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

3140

"details": [ # All information about the package to specifically identify this

3141

# vulnerability. One entry per (version range and cpe_uri) the package

3142

# vulnerability has manifested in.

3143

{ # Identifies all appearances of this vulnerability in the package for a

3144

# specific distro/location. For example: glibc in

3145

# cpe:/o:debian:debian_linux:8 for versions 2.1 - 2.2

3146

"isObsolete": True or False, # Whether this detail is obsolete. Occurrences are expected not to point to

3147

# obsolete details.

3148

"sourceUpdateTime": "A String", # The time this information was last changed at the source. This is an

3149

# upstream timestamp from the underlying information source - e.g. Ubuntu

3150

# security tracker.

3151

"packageType": "A String", # The type of package; whether native or non native(ruby gems, node.js

3152

# packages etc).

3153

"fixedLocation": { # The location of the vulnerability. # The fix for this specific package version.

3154

"package": "A String", # Required. The package being described.

3155

"version": { # Version contains structured information about the version of a package. # Required. The version of the package being described.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

3156

"revision": "A String", # The iteration of the package build from the above version.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

3157

"name": "A String", # Required only when version kind is NORMAL. The main part of the version

3158

# name.

3159

"kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal

3160

# versions.

3161

"epoch": 42, # Used to correct mistakes in the version numbering scheme.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

3162

},

3163

"cpeUri": "A String", # Required. The CPE URI in [cpe format](https://cpe.mitre.org/specification/)

3164

# format. Examples include distro or storage location for vulnerable jar.

3165

},

3166

"cpeUri": "A String", # Required. The CPE URI in

3167

# [cpe format](https://cpe.mitre.org/specification/) in which the

3168

# vulnerability manifests. Examples include distro or storage location for

3169

# vulnerable jar.

3170

"description": "A String", # A vendor-specific description of this note.

3171

"severityName": "A String", # The severity (eg: distro assigned severity) for this vulnerability.

3172

"minAffectedVersion": { # Version contains structured information about the version of a package. # The min version of the package in which the vulnerability exists.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

3173

"revision": "A String", # The iteration of the package build from the above version.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

3174

"name": "A String", # Required only when version kind is NORMAL. The main part of the version

3175

# name.

3176

"kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal

3177

# versions.

3178

"epoch": 42, # Used to correct mistakes in the version numbering scheme.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

3179

},

3180

"maxAffectedVersion": { # Version contains structured information about the version of a package. # The max version of the package in which the vulnerability exists.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

3181

"revision": "A String", # The iteration of the package build from the above version.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

3182

"name": "A String", # Required only when version kind is NORMAL. The main part of the version

3183

# name.

3184

"kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal

3185

# versions.

3186

"epoch": 42, # Used to correct mistakes in the version numbering scheme.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

3187

},

3188

"package": "A String", # Required. The name of the package where the vulnerability was found.

3189

},

3190

],

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

3191

"severity": "A String", # Note provider assigned impact of the vulnerability.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

3192

"cvssScore": 3.14, # The CVSS score for this vulnerability.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

3193

},

3194

"relatedNoteNames": [ # Other notes related to this note.

3195

"A String",

3196

],

3197

"build": { # Note holding the version of the provider's builder and the signature of the # A note describing build provenance for a verifiable build.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

3198

# provenance message in the build details occurrence.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

3199

"signature": { # Message encapsulating the signature of the verified build. # Signature of the build in occurrences pointing to this build note

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

3200

# containing build details.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

3201

"keyType": "A String", # The type of the key, either stored in `public_key` or referenced in

3202

# `key_id`.

3203

"signature": "A String", # Required. Signature of the related `BuildProvenance`. In JSON, this is

3204

# base-64 encoded.

3205

"publicKey": "A String", # Public key of the builder which can be used to verify that the related

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

3206

# findings are valid and unchanged. If `key_type` is empty, this defaults

3207

# to PEM encoded public keys.

3208

#

3209

# This field may be empty if `key_id` references an external key.

3210

#

3211

# For Cloud Build based signatures, this is a PEM encoded public

3212

# key. To verify the Cloud Build signature, place the contents of

3213

# this field into a file (public.pem). The signature field is base64-decoded

3214

# into its binary representation in signature.bin, and the provenance bytes

3215

# from `BuildDetails` are base64-decoded into a binary representation in

3216

# signed.bin. OpenSSL can then verify the signature:

3217

# `openssl sha256 -verify public.pem -signature signature.bin signed.bin`

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

3218

"keyId": "A String", # An ID for the key used to sign. This could be either an ID for the key

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

3219

# stored in `public_key` (such as the ID or fingerprint for a PGP key, or the

3220

# CN for a cert), or a reference to an external key (such as a reference to a

3221

# key in Cloud Key Management Service).

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

3222

},

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

3223

"builderVersion": "A String", # Required. Immutable. Version of the builder which produced this build.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

3224

},

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

3225

"package": { # This represents a particular package that is distributed over various # A note describing a package hosted by various package managers.

3226

# channels. E.g., glibc (aka libc6) is distributed by many, at various

3227

# versions.

3228

"name": "A String", # Required. Immutable. The name of the package.

3229

"distribution": [ # The various channels by which a package is distributed.

3230

{ # This represents a particular channel of distribution for a given package.

3231

# E.g., Debian's jessie-backports dpkg mirror.

3232

"maintainer": "A String", # A freeform string denoting the maintainer of this package.

3233

"latestVersion": { # Version contains structured information about the version of a package. # The latest available version of this package in this distribution channel.

3234

"revision": "A String", # The iteration of the package build from the above version.

3235

"name": "A String", # Required only when version kind is NORMAL. The main part of the version

3236

# name.

3237

"kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal

3238

# versions.

3239

"epoch": 42, # Used to correct mistakes in the version numbering scheme.

3240

},

3241

"description": "A String", # The distribution channel-specific description of this package.

3242

"cpeUri": "A String", # Required. The cpe_uri in [CPE format](https://cpe.mitre.org/specification/)

3243

# denoting the package manager version distributing a package.

3244

"url": "A String", # The distribution channel-specific homepage for this package.

3245

"architecture": "A String", # The CPU architecture for which packages in this distribution channel were

# built.

},

],

},

"createTime": "A String", # Output only. The time this note was created. This field can be used as a

3251

# filter in list requests.

3252

"discovery": { # A note that indicates a type of analysis a provider would perform. This note # A note describing the initial analysis of a resource.

3253

# exists in a provider's project. A `Discovery` occurrence is created in a

3254

# consumer's project at the start of analysis.

3255

"analysisKind": "A String", # Required. Immutable. The kind of analysis that is handled by this

3256

# discovery.

3257

},

3258

"updateTime": "A String", # Output only. The time this note was last updated. This field can be used as

3259

# a filter in list requests.

3260

"intoto": { # This contains the fields corresponding to the definition of a software supply # A note describing an in-toto link.

3261

# chain step in an in-toto layout. This information goes into a Grafeas note.

3262

"expectedProducts": [

3263

{ # Defines an object to declare an in-toto artifact rule

"artifactRule": [

"A String",

],

},

],

"stepName": "A String", # This field identifies the name of the step in the supply chain.

3270

"signingKeys": [ # This field contains the public keys that can be used to verify the

3271

# signatures on the step metadata.

3272

{ # This defines the format used to record keys used in the software supply

3273

# chain. An in-toto link is attested using one or more keys defined in the

3274

# in-toto layout. An example of this is:

3275

# {

3276

# "key_id": "776a00e29f3559e0141b3b096f696abc6cfb0c657ab40f441132b345b0...",

3277

# "key_type": "rsa",

3278

# "public_key_value": "-----BEGIN PUBLIC KEY-----\nMIIBojANBgkqhkiG9w0B...",

3279

# "key_scheme": "rsassa-pss-sha256"

3280

# }

3281

# The format for in-toto's key definition can be found in section 4.2 of the

3282

# in-toto specification.

3283

"keyId": "A String", # key_id is an identifier for the signing key.

3284

"publicKeyValue": "A String", # This field contains the actual public key.

3285

"keyType": "A String", # This field identifies the specific signing method. Eg: "rsa", "ed25519",

3286

# and "ecdsa".

3287

"keyScheme": "A String", # This field contains the corresponding signature scheme.

3288

# Eg: "rsassa-pss-sha256".

3289

},

3290

],

3291

"threshold": "A String", # This field contains a value that indicates the minimum number of keys that

3292

# need to be used to sign the step's in-toto link.

3293

"expectedMaterials": [ # The following fields contain in-toto artifact rules identifying the

3294

# artifacts that enter this supply chain step, and exit the supply chain

3295

# step, i.e. materials and products of the step.

3296

{ # Defines an object to declare an in-toto artifact rule

"artifactRule": [

"A String",

],

},

],

"expectedCommand": [ # This field contains the expected command used to perform the step.

"A String",

],

},

"relatedUrl": [ # URLs associated with this note.

3307

{ # Metadata for any related URL information.

3308

"url": "A String", # Specific URL associated with the resource.

3309

"label": "A String", # Label to describe usage of the URL.

3310

},

3311

],

3312

"expirationTime": "A String", # Time of expiration for this note. Empty if note does not expire.

3313

"baseImage": { # Basis describes the base image portion (Note) of the DockerImage # A note describing a base image.

3314

# relationship. Linked occurrences are derived from this or an

3315

# equivalent image via:

3316

# FROM <Basis.resource_url>

3317

# Or an equivalent reference, e.g. a tag of the resource_url.

3318

"fingerprint": { # A set of properties that uniquely identify a given Docker image. # Required. Immutable. The fingerprint of the base image.

3319

"v2Blob": [ # Required. The ordered list of v2 blobs that represent a given image.

3320

"A String",

3321

],

3322

"v1Name": "A String", # Required. The layer ID of the final layer in the Docker image's v1

3323

# representation.

3324

"v2Name": "A String", # Output only. The name of the image's v2 blobs computed via:

3325

# [bottom] := v2_blobbottom := sha256(v2_blob[N] + " " + v2_name[N+1])

3326

# Only the name of the final blob is kept.

3327

},

3328

"resourceUrl": "A String", # Required. Immutable. The resource_url for the resource representing the

3329

# basis of associated occurrence images.

3330

},

3331

"kind": "A String", # Output only. The type of analysis. This field can be used as a filter in

3332

# list requests.

3333

"longDescription": "A String", # A detailed description of this note.

3334

"deployable": { # An artifact that can be deployed in some runtime. # A note describing something that can be deployed.

3335

"resourceUri": [ # Required. Resource URI for the artifact being deployed.

"A String",

],

},

"shortDescription": "A String", # A one sentence description of this note.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

}</pre>

</div>

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

3344

<code class="details" id="getVulnerabilitySummary">getVulnerabilitySummary(parent, filter=None, x__xgafv=None)</code>

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

3345

<pre>Gets a summary of the number and severity of occurrences.

3346

3347

Args:

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

3348

parent: string, Required. The name of the project to get a vulnerability summary for in the form of

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

3349

`projects/[PROJECT_ID]`. (required)

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

3350

filter: string, The filter expression.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

3351

x__xgafv: string, V1 error format.

3352

Allowed values

3353

1 - v1 error format

3354

2 - v2 error format

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

3355

3356

Returns:

3357

An object of the form:

3358

3359

{ # A summary of how many vulnerability occurrences there are per resource and

3360

# severity type.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

3361

"counts": [ # A listing by resource of the number of fixable and total vulnerabilities.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

3362

{ # Per resource and severity counts of fixable and total vulnerabilities.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

3363

"resource": { # An entity that can have metadata. For example, a Docker image. # The affected resource.

3364

"name": "A String", # Deprecated, do not use. Use uri instead.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

3365

#

3366

# The name of the resource. For example, the name of a Docker image -

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

3367

# "Debian".

3368

"contentHash": { # Container message for hash values. # Deprecated, do not use. Use uri instead.

3369

#

3370

# The hash of the resource content. For example, the Docker digest.

3371

"type": "A String", # Required. The type of hash that was performed.

3372

"value": "A String", # Required. The hash value.

3373

},

3374

"uri": "A String", # Required. The unique URI of the resource. For example,

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

3375

# `https://gcr.io/project/image@sha256:foo` for a Docker image.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

3376

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

3377

"severity": "A String", # The severity for this count. SEVERITY_UNSPECIFIED indicates total across

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

3378

# all severities.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

3379

"totalCount": "A String", # The total number of vulnerabilities associated with this resource.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

3380

"fixableCount": "A String", # The number of fixable vulnerabilities associated with this resource.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

},

],

}</pre>

</div>

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

3387

<code class="details" id="list">list(parent, filter=None, pageToken=None, pageSize=None, x__xgafv=None)</code>

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

3388

<pre>Lists occurrences for the specified project.

3389

3390

Args:

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

3391

parent: string, Required. The name of the project to list occurrences for in the form of

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

3392

`projects/[PROJECT_ID]`. (required)

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

3393

filter: string, The filter expression.

3394

pageToken: string, Token to provide to skip to a particular spot in the list.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

3395

pageSize: integer, Number of occurrences to return in the list. Must be positive. Max allowed

3396

page size is 1000. If not specified, page size defaults to 20.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

3397

x__xgafv: string, V1 error format.

3398

Allowed values

3399

1 - v1 error format

3400

2 - v2 error format

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

3401

3402

Returns:

3403

An object of the form:

3404

3405

{ # Response for listing occurrences.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

3406

"occurrences": [ # The occurrences requested.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

3407

{ # An instance of an analysis type that has been found on a resource.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

3408

"kind": "A String", # Output only. This explicitly denotes which of the occurrence details are

3409

# specified. This field can be used as a filter in list requests.

3410

"resource": { # An entity that can have metadata. For example, a Docker image. # Required. Immutable. The resource for which the occurrence applies.

3411

"name": "A String", # Deprecated, do not use. Use uri instead.

3412

#

3413

# The name of the resource. For example, the name of a Docker image -

3414

# "Debian".

3415

"contentHash": { # Container message for hash values. # Deprecated, do not use. Use uri instead.

3416

#

3417

# The hash of the resource content. For example, the Docker digest.

3418

"type": "A String", # Required. The type of hash that was performed.

3419

"value": "A String", # Required. The hash value.

3420

},

3421

"uri": "A String", # Required. The unique URI of the resource. For example,

3422

# `https://gcr.io/project/image@sha256:foo` for a Docker image.

3423

},

3424

"attestation": { # Details of an attestation occurrence. # Describes an attestation of an artifact.

3425

"attestation": { # Occurrence that represents a single "attestation". The authenticity of an # Required. Attestation for the resource.

3426

# attestation can be verified using the attached signature. If the verifier

3427

# trusts the public key of the signer, then verifying the signature is

3428

# sufficient to establish trust. In this circumstance, the authority to which

3429

# this attestation is attached is primarily useful for look-up (how to find

3430

# this attestation if you already know the authority and artifact to be

3431

# verified) and intent (which authority was this attestation intended to sign

3432

# for).

3433

"pgpSignedAttestation": { # An attestation wrapper with a PGP-compatible signature. This message only # A PGP signed attestation.

3434

# supports `ATTACHED` signatures, where the payload that is signed is included

3435

# alongside the signature itself in the same file.

3436

"contentType": "A String", # Type (for example schema) of the attestation payload that was signed.

3437

# The verifier must ensure that the provided type is one that the verifier

3438

# supports, and that the attestation payload is a valid instantiation of that

3439

# type (for example by validating a JSON schema).

3440

"signature": "A String", # Required. The raw content of the signature, as output by GNU Privacy Guard

3441

# (GPG) or equivalent. Since this message only supports attached signatures,

3442

# the payload that was signed must be attached. While the signature format

3443

# supported is dependent on the verification implementation, currently only

3444

# ASCII-armored (`--armor` to gpg), non-clearsigned (`--sign` rather than

3445

# `--clearsign` to gpg) are supported. Concretely, `gpg --sign --armor

3446

# --output=signature.gpg payload.json` will create the signature content

3447

# expected in this field in `signature.gpg` for the `payload.json`

3448

# attestation payload.

3449

"pgpKeyId": "A String", # The cryptographic fingerprint of the key used to generate the signature,

3450

# as output by, e.g. `gpg --list-keys`. This should be the version 4, full

3451

# 160-bit fingerprint, expressed as a 40 character hexidecimal string. See

3452

# https://tools.ietf.org/html/rfc4880#section-12.2 for details.

3453

# Implementations may choose to acknowledge "LONG", "SHORT", or other

3454

# abbreviated key IDs, but only the full fingerprint is guaranteed to work.

3455

# In gpg, the full fingerprint can be retrieved from the `fpr` field

3456

# returned when calling --list-keys with --with-colons. For example:

3457

# ```

3458

# gpg --with-colons --with-fingerprint --force-v4-certs \

3459

# --list-keys attester@example.com

3460

# tru::1:1513631572:0:3:1:5

3461

# pub:...<SNIP>...

3462

# fpr:::::::::24FF6481B76AC91E66A00AC657A93A81EF3AE6FB:

3463

# ```

3464

# Above, the fingerprint is `24FF6481B76AC91E66A00AC657A93A81EF3AE6FB`.

3465

},

3466

"genericSignedAttestation": { # An attestation wrapper that uses the Grafeas `Signature` message.

3467

# This attestation must define the `serialized_payload` that the `signatures`

3468

# verify and any metadata necessary to interpret that plaintext. The

3469

# signatures should always be over the `serialized_payload` bytestring.

3470

"contentType": "A String", # Type (for example schema) of the attestation payload that was signed.

3471

# The verifier must ensure that the provided type is one that the verifier

3472

# supports, and that the attestation payload is a valid instantiation of that

3473

# type (for example by validating a JSON schema).

3474

"signatures": [ # One or more signatures over `serialized_payload`. Verifier implementations

3475

# should consider this attestation message verified if at least one

3476

# `signature` verifies `serialized_payload`. See `Signature` in common.proto

3477

# for more details on signature structure and verification.

3478

{ # Verifiers (e.g. Kritis implementations) MUST verify signatures

3479

# with respect to the trust anchors defined in policy (e.g. a Kritis policy).

3480

# Typically this means that the verifier has been configured with a map from

3481

# `public_key_id` to public key material (and any required parameters, e.g.

3482

# signing algorithm).

3483

#

3484

# In particular, verification implementations MUST NOT treat the signature

3485

# `public_key_id` as anything more than a key lookup hint. The `public_key_id`

3486

# DOES NOT validate or authenticate a public key; it only provides a mechanism

3487

# for quickly selecting a public key ALREADY CONFIGURED on the verifier through

3488

# a trusted channel. Verification implementations MUST reject signatures in any

3489

# of the following circumstances:

3490

# * The `public_key_id` is not recognized by the verifier.

3491

# * The public key that `public_key_id` refers to does not verify the

3492

# signature with respect to the payload.

3493

#

3494

# The `signature` contents SHOULD NOT be "attached" (where the payload is

3495

# included with the serialized `signature` bytes). Verifiers MUST ignore any

3496

# "attached" payload and only verify signatures with respect to explicitly

3497

# provided payload (e.g. a `payload` field on the proto message that holds

3498

# this Signature, or the canonical serialization of the proto message that

3499

# holds this signature).

3500

"publicKeyId": "A String", # The identifier for the public key that verifies this signature.

3501

# * The `public_key_id` is required.

3502

# * The `public_key_id` MUST be an RFC3986 conformant URI.

3503

# * When possible, the `public_key_id` SHOULD be an immutable reference,

3504

# such as a cryptographic digest.

3505

#

3506

# Examples of valid `public_key_id`s:

3507

#

3508

# OpenPGP V4 public key fingerprint:

3509

# * "openpgp4fpr:74FAF3B861BDA0870C7B6DEF607E48D2A663AEEA"

3510

# See https://www.iana.org/assignments/uri-schemes/prov/openpgp4fpr for more

3511

# details on this scheme.

3512

#

3513

# RFC6920 digest-named SubjectPublicKeyInfo (digest of the DER

3514

# serialization):

3515

# * "ni:///sha-256;cD9o9Cq6LG3jD0iKXqEi_vdjJGecm_iXkbqVoScViaU"

3516

# * "nih:///sha-256;703f68f42aba2c6de30f488a5ea122fef76324679c9bf89791ba95a1271589a5"

3517

"signature": "A String", # The content of the signature, an opaque bytestring.

3518

# The payload that this signature verifies MUST be unambiguously provided

3519

# with the Signature during verification. A wrapper message might provide

3520

# the payload explicitly. Alternatively, a message might have a canonical

3521

# serialization that can always be unambiguously computed to derive the

# payload.

},

],

"serializedPayload": "A String", # The serialized payload that is verified by one or more `signatures`.

3526

# The encoding and semantic meaning of this payload must match what is set in

# `content_type`.

},

},

},

"name": "A String", # Output only. The name of the occurrence in the form of

3532

# `projects/[PROJECT_ID]/occurrences/[OCCURRENCE_ID]`.

3533

"vulnerability": { # Details of a vulnerability Occurrence. # Describes a security vulnerability.

3534

"longDescription": "A String", # Output only. A detailed description of this vulnerability.

3535

"shortDescription": "A String", # Output only. A one sentence description of this vulnerability.

3536

"effectiveSeverity": "A String", # The distro assigned severity for this vulnerability when it is

3537

# available, and note provider assigned severity when distro has not yet

3538

# assigned a severity for this vulnerability.

3539

"severity": "A String", # Output only. The note provider assigned Severity of the vulnerability.

3540

"cvssScore": 3.14, # Output only. The CVSS score of this vulnerability. CVSS score is on a

3541

# scale of 0-10 where 0 indicates low severity and 10 indicates high

3542

# severity.

3543

"relatedUrls": [ # Output only. URLs related to this vulnerability.

3544

{ # Metadata for any related URL information.

3545

"url": "A String", # Specific URL associated with the resource.

3546

"label": "A String", # Label to describe usage of the URL.

3547

},

3548

],

3549

"type": "A String", # The type of package; whether native or non native(ruby gems, node.js

3550

# packages etc)

3551

"packageIssue": [ # Required. The set of affected locations and their fixes (if available)

3552

# within the associated resource.

3553

{ # This message wraps a location affected by a vulnerability and its

3554

# associated fix (if one is available).

3555

"severityName": "A String", # Deprecated, use Details.effective_severity instead

3556

# The severity (e.g., distro assigned severity) for this vulnerability.

3557

"affectedLocation": { # The location of the vulnerability. # Required. The location of the vulnerability.

3558

"package": "A String", # Required. The package being described.

3559

"version": { # Version contains structured information about the version of a package. # Required. The version of the package being described.

3560

"revision": "A String", # The iteration of the package build from the above version.

3561

"name": "A String", # Required only when version kind is NORMAL. The main part of the version

3562

# name.

3563

"kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal

3564

# versions.

3565

"epoch": 42, # Used to correct mistakes in the version numbering scheme.

3566

},

3567

"cpeUri": "A String", # Required. The CPE URI in [cpe format](https://cpe.mitre.org/specification/)

3568

# format. Examples include distro or storage location for vulnerable jar.

3569

},

3570

"fixedLocation": { # The location of the vulnerability. # The location of the available fix for vulnerability.

3571

"package": "A String", # Required. The package being described.

3572

"version": { # Version contains structured information about the version of a package. # Required. The version of the package being described.

3573

"revision": "A String", # The iteration of the package build from the above version.

3574

"name": "A String", # Required only when version kind is NORMAL. The main part of the version

3575

# name.

3576

"kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal

3577

# versions.

3578

"epoch": 42, # Used to correct mistakes in the version numbering scheme.

3579

},

3580

"cpeUri": "A String", # Required. The CPE URI in [cpe format](https://cpe.mitre.org/specification/)

3581

# format. Examples include distro or storage location for vulnerable jar.

},

},

],

},

"installation": { # Details of a package occurrence. # Describes the installation of a package on the linked resource.

3587

"installation": { # This represents how a particular software package may be installed on a # Required. Where the package was installed.

3588

# system.

3589

"location": [ # Required. All of the places within the filesystem versions of this package

3590

# have been found.

3591

{ # An occurrence of a particular package installation found within a system's

3592

# filesystem. E.g., glibc was found in `/var/lib/dpkg/status`.

3593

"cpeUri": "A String", # Required. The CPE URI in [CPE format](https://cpe.mitre.org/specification/)

3594

# denoting the package manager version distributing a package.

3595

"version": { # Version contains structured information about the version of a package. # The version installed at this location.

3596

"revision": "A String", # The iteration of the package build from the above version.

3597

"name": "A String", # Required only when version kind is NORMAL. The main part of the version

3598

# name.

3599

"kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal

3600

# versions.

3601

"epoch": 42, # Used to correct mistakes in the version numbering scheme.

3602

},

3603

"path": "A String", # The path from which we gathered that this package/version is installed.

3604

},

3605

],

3606

"name": "A String", # Output only. The name of the installed package.

3607

},

3608

},

3609

"build": { # Details of a build occurrence. # Describes a verifiable build.

3610

"provenanceBytes": "A String", # Serialized JSON representation of the provenance, used in generating the

3611

# build signature in the corresponding build note. After verifying the

3612

# signature, `provenance_bytes` can be unmarshalled and compared to the

3613

# provenance to confirm that it is unchanged. A base64-encoded string

3614

# representation of the provenance bytes is used for the signature in order

3615

# to interoperate with openssl which expects this format for signature

3616

# verification.

3617

#

3618

# The serialized form is captured both to avoid ambiguity in how the

3619

# provenance is marshalled to json as well to prevent incompatibilities with

3620

# future changes.

3621

"provenance": { # Provenance of a build. Contains all information needed to verify the full # Required. The actual provenance for the build.

3622

# details about the build from source to completion.

3623

"endTime": "A String", # Time at which execution of the build was finished.

3624

"startTime": "A String", # Time at which execution of the build was started.

3625

"triggerId": "A String", # Trigger identifier if the build was triggered automatically; empty if not.

3626

"sourceProvenance": { # Source describes the location of the source used for the build. # Details of the Source input to the build.

3627

"artifactStorageSourceUri": "A String", # If provided, the input binary artifacts for the build came from this

3628

# location.

3629

"additionalContexts": [ # If provided, some of the source code used for the build may be found in

3630

# these locations, in the case where the source repository had multiple

3631

# remotes or submodules. This list will not include the context specified in

3632

# the context field.

3633

{ # A SourceContext is a reference to a tree of files. A SourceContext together

3634

# with a path point to a unique revision of a single file or directory.

3635

"labels": { # Labels with user defined metadata.

3636

"a_key": "A String",

3637

},

3638

"git": { # A GitSourceContext denotes a particular revision in a third party Git # A SourceContext referring to any third party Git repo (e.g., GitHub).

3639

# repository (e.g., GitHub).

3640

"url": "A String", # Git repository URL.

3641

"revisionId": "A String", # Git commit hash.

3642

},

3643

"gerrit": { # A SourceContext referring to a Gerrit project. # A SourceContext referring to a Gerrit project.

3644

"hostUri": "A String", # The URI of a running Gerrit instance.

3645

"revisionId": "A String", # A revision (commit) ID.

3646

"gerritProject": "A String", # The full project name within the host. Projects may be nested, so

3647

# "project/subproject" is a valid project name. The "repo name" is the

3648

# hostURI/project.

3649

"aliasContext": { # An alias to a repo revision. # An alias, which may be a branch or tag.

3650

"name": "A String", # The alias name.

3651

"kind": "A String", # The alias kind.

3652

},

3653

},

3654

"cloudRepo": { # A CloudRepoSourceContext denotes a particular revision in a Google Cloud # A SourceContext referring to a revision in a Google Cloud Source Repo.

3655

# Source Repo.

3656

"revisionId": "A String", # A revision ID.

3657

"repoId": { # A unique identifier for a Cloud Repo. # The ID of the repo.

3658

"projectRepoId": { # Selects a repo using a Google Cloud Platform project ID (e.g., # A combination of a project ID and a repo name.

3659

# winged-cargo-31) and a repo name within that project.

3660

"projectId": "A String", # The ID of the project.

3661

"repoName": "A String", # The name of the repo. Leave empty for the default repo.

3662

},

3663

"uid": "A String", # A server-assigned, globally unique identifier.

3664

},

3665

"aliasContext": { # An alias to a repo revision. # An alias, which may be a branch or tag.

3666

"name": "A String", # The alias name.

3667

"kind": "A String", # The alias kind.

},

},

},

],

"fileHashes": { # Hash(es) of the build source, which can be used to verify that the original

3673

# source integrity was maintained in the build.

3674

#

3675

# The keys to this map are file paths used as build source and the values

3676

# contain the hash values for those files.

3677

#

3678

# If the build source came in a single package such as a gzipped tarfile

3679

# (.tar.gz), the FileHash will be for the single path to that file.

3680

"a_key": { # Container message for hashes of byte content of files, used in source

3681

# messages to verify integrity of source input to the build.

3682

"fileHash": [ # Required. Collection of file hashes.

3683

{ # Container message for hash values.

3684

"type": "A String", # Required. The type of hash that was performed.

3685

"value": "A String", # Required. The hash value.

},

],

},

},

"context": { # A SourceContext is a reference to a tree of files. A SourceContext together # If provided, the source code used for the build came from this location.

3691

# with a path point to a unique revision of a single file or directory.

3692

"labels": { # Labels with user defined metadata.

3693

"a_key": "A String",

3694

},

3695

"git": { # A GitSourceContext denotes a particular revision in a third party Git # A SourceContext referring to any third party Git repo (e.g., GitHub).

3696

# repository (e.g., GitHub).

3697

"url": "A String", # Git repository URL.

3698

"revisionId": "A String", # Git commit hash.

3699

},

3700

"gerrit": { # A SourceContext referring to a Gerrit project. # A SourceContext referring to a Gerrit project.

3701

"hostUri": "A String", # The URI of a running Gerrit instance.

3702

"revisionId": "A String", # A revision (commit) ID.

3703

"gerritProject": "A String", # The full project name within the host. Projects may be nested, so

3704

# "project/subproject" is a valid project name. The "repo name" is the

3705

# hostURI/project.

3706

"aliasContext": { # An alias to a repo revision. # An alias, which may be a branch or tag.

3707

"name": "A String", # The alias name.

3708

"kind": "A String", # The alias kind.

3709

},

3710

},

3711

"cloudRepo": { # A CloudRepoSourceContext denotes a particular revision in a Google Cloud # A SourceContext referring to a revision in a Google Cloud Source Repo.

3712

# Source Repo.

3713

"revisionId": "A String", # A revision ID.

3714

"repoId": { # A unique identifier for a Cloud Repo. # The ID of the repo.

3715

"projectRepoId": { # Selects a repo using a Google Cloud Platform project ID (e.g., # A combination of a project ID and a repo name.

3716

# winged-cargo-31) and a repo name within that project.

3717

"projectId": "A String", # The ID of the project.

3718

"repoName": "A String", # The name of the repo. Leave empty for the default repo.

3719

},

3720

"uid": "A String", # A server-assigned, globally unique identifier.

3721

},

3722

"aliasContext": { # An alias to a repo revision. # An alias, which may be a branch or tag.

3723

"name": "A String", # The alias name.

3724

"kind": "A String", # The alias kind.

},

},

},

},

"createTime": "A String", # Time at which the build was created.

3730

"projectId": "A String", # ID of the project.

3731

"logsUri": "A String", # URI where any logs for this provenance were written.

3732

"creator": "A String", # E-mail address of the user who initiated this build. Note that this was the

3733

# user's e-mail address at the time the build was initiated; this address may

3734

# not represent the same end-user for all time.

3735

"builderVersion": "A String", # Version string of the builder at the time this build was executed.

3736

"commands": [ # Commands requested by the build.

3737

{ # Command describes a step performed as part of the build pipeline.

3738

"dir": "A String", # Working directory (relative to project source root) used when running this

3739

# command.

3740

"waitFor": [ # The ID(s) of the command(s) that this command depends on.

3741

"A String",

3742

],

3743

"env": [ # Environment variables set before running this command.

3744

"A String",

3745

],

3746

"args": [ # Command-line arguments used when executing this command.

3747

"A String",

3748

],

3749

"name": "A String", # Required. Name of the command, as presented on the command line, or if the

3750

# command is packaged as a Docker container, as presented to `docker pull`.

3751

"id": "A String", # Optional unique identifier for this command, used in wait_for to reference

3752

# this command as a dependency.

3753

},

3754

],

3755

"builtArtifacts": [ # Output of the build.

3756

{ # Artifact describes a build product.

3757

"checksum": "A String", # Hash or checksum value of a binary, or Docker Registry 2.0 digest of a

3758

# container.

3759

"id": "A String", # Artifact ID, if any; for container images, this will be a URL by digest

3760

# like `gcr.io/projectID/imagename@sha256:123456`.

3761

"names": [ # Related artifact names. This may be the path to a binary or jar file, or in

3762

# the case of a container build, the name used to push the container image to

3763

# Google Container Registry, as presented to `docker push`. Note that a

3764

# single Artifact ID can have multiple names, for example if two tags are

3765

# applied to one image.

"A String",

],

},

],

"id": "A String", # Required. Unique identifier of the build.

3771

"buildOptions": { # Special options applied to this build. This is a catch-all field where

3772

# build providers can enter any desired additional details.

"a_key": "A String",

},

},

},

"discovered": { # Details of a discovery occurrence. # Describes when a resource was discovered.

3778

"discovered": { # Provides information about the analysis status of a discovered resource. # Required. Analysis status for the discovered resource.

3779

"analysisStatusError": { # The `Status` type defines a logical error model that is suitable for # When an error is encountered this will contain a LocalizedMessage under

3780

# details to show to the user. The LocalizedMessage is output only and

3781

# populated by the API.

3782

# different programming environments, including REST APIs and RPC APIs. It is

3783

# used by [gRPC](https://github.com/grpc). Each `Status` message contains

3784

# three pieces of data: error code, error message, and error details.

3785

#

3786

# You can find out more about this error model and how to work with it in the

3787

# [API Design Guide](https://cloud.google.com/apis/design/errors).

3788

"details": [ # A list of messages that carry the error details. There is a common set of

3789

# message types for APIs to use.

3790

{

3791

"a_key": "", # Properties of the object. Contains field @type with type URL.

3792

},

3793

],

3794

"code": 42, # The status code, which should be an enum value of google.rpc.Code.

3795

"message": "A String", # A developer-facing error message, which should be in English. Any

3796

# user-facing error message should be localized and sent in the

3797

# google.rpc.Status.details field, or localized by the client.

3798

},

3799

"analysisStatus": "A String", # The status of discovery for the resource.

3800

"continuousAnalysis": "A String", # Whether the resource is continuously analyzed.

3801

"lastAnalysisTime": "A String", # The last time continuous analysis was done for this resource.

3802

# Deprecated, do not use.

3803

},

3804

},

3805

"noteName": "A String", # Required. Immutable. The analysis note associated with this occurrence, in

3806

# the form of `projects/[PROVIDER_ID]/notes/[NOTE_ID]`. This field can be

3807

# used as a filter in list requests.

3808

"deployment": { # Details of a deployment occurrence. # Describes the deployment of an artifact on a runtime.

3809

"deployment": { # The period during which some deployable was active in a runtime. # Required. Deployment history for the resource.

3810

"userEmail": "A String", # Identity of the user that triggered this deployment.

3811

"config": "A String", # Configuration used to create this deployment.

3812

"undeployTime": "A String", # End of the lifetime of this deployment.

3813

"platform": "A String", # Platform hosting this deployment.

3814

"deployTime": "A String", # Required. Beginning of the lifetime of this deployment.

3815

"address": "A String", # Address of the runtime element hosting this deployment.

3816

"resourceUri": [ # Output only. Resource URI for the artifact being deployed taken from

3817

# the deployable field with the same name.

"A String",

],

},

},

"createTime": "A String", # Output only. The time this occurrence was created.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

3823

"updateTime": "A String", # Output only. The time this occurrence was last updated.

3824

"remediation": "A String", # A description of actions that can be taken to remedy the note.

3825

"intoto": { # This corresponds to a signed in-toto link - it is made up of one or more # Describes a specific in-toto link.

3826

# signatures and the in-toto link itself. This is used for occurrences of a

3827

# Grafeas in-toto note.

3828

"signed": { # This corresponds to an in-toto link.

3829

"command": [ # This field contains the full command executed for the step. This can also

3830

# be empty if links are generated for operations that aren't directly mapped

3831

# to a specific command. Each term in the command is an independent string

3832

# in the list. An example of a command in the in-toto metadata field is:

3833

# "command": ["git", "clone", "https://github.com/in-toto/demo-project.git"]

3834

"A String",

3835

],

3836

"byproducts": { # Defines an object for the byproducts field in in-toto links. The suggested # ByProducts are data generated as part of a software supply chain step, but

3837

# are not the actual result of the step.

3838

# fields are "stderr", "stdout", and "return-value".

"customValues": {

"a_key": "A String",

},

},

"environment": { # Defines an object for the environment field in in-toto links. The suggested # This is a field that can be used to capture information about the

3844

# environment. It is suggested for this field to contain information that

3845

# details environment variables, filesystem information, and the present

3846

# working directory. The recommended structure of this field is:

3847

# "environment": {

3848

# "custom_values": {

3849

# "variables": "<ENV>",

3850

# "filesystem": "<FS>",

3851

# "workdir": "<CWD>",

3852

# "<ANY OTHER RELEVANT FIELDS>": "..."

3853

# }

3854

# }

3855

# fields are "variables", "filesystem", and "workdir".

"customValues": {

"a_key": "A String",

},

},

"materials": [ # Materials are the supply chain artifacts that go into the step and are used

3861

# for the operation performed. The key of the map is the path of the artifact

3862

# and the structure contains the recorded hash information. An example is:

3863

# "materials": [

3864

# {

3865

# "resource_uri": "foo/bar",

3866

# "hashes": {

3867

# "sha256": "ebebf...",

3868

# <OTHER HASH ALGORITHMS>: <HASH VALUE>

# }

# }

# ]

{

"hashes": { # Defines a hash object for use in Materials and Products.

3874

"sha256": "A String",

3875

},

3876

"resourceUri": "A String",

3877

},

3878

],

3879

"products": [ # Products are the supply chain artifacts generated as a result of the step.

3880

# The structure is identical to that of materials.

3881

{

3882

"hashes": { # Defines a hash object for use in Materials and Products.

3883

"sha256": "A String",

3884

},

3885

"resourceUri": "A String",

3886

},

3887

],

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

3888

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

3889

"signatures": [

3890

{ # A signature object consists of the KeyID used and the signature itself.

3891

"sig": "A String",

3892

"keyid": "A String",

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

3893

},

3894

],

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

3895

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

3896

"derivedImage": { # Details of an image occurrence. # Describes how this resource derives from the basis in the associated

3897

# note.

3898

"derivedImage": { # Derived describes the derived image portion (Occurrence) of the DockerImage # Required. Immutable. The child image derived from the base image.

3899

# relationship. This image would be produced from a Dockerfile with FROM

3900

# <DockerImage.Basis in attached Note>.

3901

"fingerprint": { # A set of properties that uniquely identify a given Docker image. # Required. The fingerprint of the derived image.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

3902

"v2Blob": [ # Required. The ordered list of v2 blobs that represent a given image.

3903

"A String",

3904

],

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

3905

"v1Name": "A String", # Required. The layer ID of the final layer in the Docker image's v1

3906

# representation.

3907

"v2Name": "A String", # Output only. The name of the image's v2 blobs computed via:

3908

# [bottom] := v2_blobbottom := sha256(v2_blob[N] + " " + v2_name[N+1])

3909

# Only the name of the final blob is kept.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

3910

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

3911

"layerInfo": [ # This contains layer-specific metadata, if populated it has length

3912

# "distance" and is ordered with [distance] being the layer immediately

3913

# following the base image and [1] being the final layer.

3914

{ # Layer holds metadata specific to a layer of a Docker image.

3915

"directive": "A String", # Required. The recovered Dockerfile directive used to construct this layer.

3916

"arguments": "A String", # The recovered arguments to the Dockerfile directive.

3917

},

3918

],

3919

"distance": 42, # Output only. The number of layers by which this image differs from the

3920

# associated image basis.

3921

"baseResourceUrl": "A String", # Output only. This contains the base image URL for the derived image

3922

# occurrence.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

3923

},

3924

},

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

3925

},

3926

],

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

3927

"nextPageToken": "A String", # The next pagination token in the list response. It should be used as

3928

# `page_token` for the following request. An empty value means no more

3929

# results.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

}</pre>

</div>

<code class="details" id="list_next">list_next(previous_request, previous_response)</code>

3935

<pre>Retrieves the next page of results.

3936

3937

Args:

3938

previous_request: The request for the previous page. (required)

3939

previous_response: The response from the request for the previous page. (required)

3940

3941

Returns:

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

3942

A request object that you can call 'execute()' on to request the next

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

3943

page. Returns None if there are no more items in the collection.

</pre>

</div>

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

3948

<code class="details" id="patch">patch(name, body=None, updateMask=None, x__xgafv=None)</code>

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

3949

<pre>Updates the specified occurrence.

3950

3951

Args:

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

3952

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

3953

`projects/[PROJECT_ID]/occurrences/[OCCURRENCE_ID]`. (required)

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

3954

body: object, The request body.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

3955

The object takes the form of:

3956

3957

{ # An instance of an analysis type that has been found on a resource.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

3958

"kind": "A String", # Output only. This explicitly denotes which of the occurrence details are

3959

# specified. This field can be used as a filter in list requests.

3960

"resource": { # An entity that can have metadata. For example, a Docker image. # Required. Immutable. The resource for which the occurrence applies.

3961

"name": "A String", # Deprecated, do not use. Use uri instead.

3962

#

3963

# The name of the resource. For example, the name of a Docker image -

3964

# "Debian".

3965

"contentHash": { # Container message for hash values. # Deprecated, do not use. Use uri instead.

3966

#

3967

# The hash of the resource content. For example, the Docker digest.

3968

"type": "A String", # Required. The type of hash that was performed.

3969

"value": "A String", # Required. The hash value.

3970

},

3971

"uri": "A String", # Required. The unique URI of the resource. For example,

3972

# `https://gcr.io/project/image@sha256:foo` for a Docker image.

3973

},

3974

"attestation": { # Details of an attestation occurrence. # Describes an attestation of an artifact.

3975

"attestation": { # Occurrence that represents a single "attestation". The authenticity of an # Required. Attestation for the resource.

3976

# attestation can be verified using the attached signature. If the verifier

3977

# trusts the public key of the signer, then verifying the signature is

3978

# sufficient to establish trust. In this circumstance, the authority to which

3979

# this attestation is attached is primarily useful for look-up (how to find

3980

# this attestation if you already know the authority and artifact to be

3981

# verified) and intent (which authority was this attestation intended to sign

3982

# for).

3983

"pgpSignedAttestation": { # An attestation wrapper with a PGP-compatible signature. This message only # A PGP signed attestation.

3984

# supports `ATTACHED` signatures, where the payload that is signed is included

3985

# alongside the signature itself in the same file.

3986

"contentType": "A String", # Type (for example schema) of the attestation payload that was signed.

3987

# The verifier must ensure that the provided type is one that the verifier

3988

# supports, and that the attestation payload is a valid instantiation of that

3989

# type (for example by validating a JSON schema).

3990

"signature": "A String", # Required. The raw content of the signature, as output by GNU Privacy Guard

3991

# (GPG) or equivalent. Since this message only supports attached signatures,

3992

# the payload that was signed must be attached. While the signature format

3993

# supported is dependent on the verification implementation, currently only

3994

# ASCII-armored (`--armor` to gpg), non-clearsigned (`--sign` rather than

3995

# `--clearsign` to gpg) are supported. Concretely, `gpg --sign --armor

3996

# --output=signature.gpg payload.json` will create the signature content

3997

# expected in this field in `signature.gpg` for the `payload.json`

3998

# attestation payload.

3999

"pgpKeyId": "A String", # The cryptographic fingerprint of the key used to generate the signature,

4000

# as output by, e.g. `gpg --list-keys`. This should be the version 4, full

4001

# 160-bit fingerprint, expressed as a 40 character hexidecimal string. See

4002

# https://tools.ietf.org/html/rfc4880#section-12.2 for details.

4003

# Implementations may choose to acknowledge "LONG", "SHORT", or other

4004

# abbreviated key IDs, but only the full fingerprint is guaranteed to work.

4005

# In gpg, the full fingerprint can be retrieved from the `fpr` field

4006

# returned when calling --list-keys with --with-colons. For example:

4007

# ```

4008

# gpg --with-colons --with-fingerprint --force-v4-certs \

4009

# --list-keys attester@example.com

4010

# tru::1:1513631572:0:3:1:5

4011

# pub:...<SNIP>...

4012

# fpr:::::::::24FF6481B76AC91E66A00AC657A93A81EF3AE6FB:

4013

# ```

4014

# Above, the fingerprint is `24FF6481B76AC91E66A00AC657A93A81EF3AE6FB`.

4015

},

4016

"genericSignedAttestation": { # An attestation wrapper that uses the Grafeas `Signature` message.

4017

# This attestation must define the `serialized_payload` that the `signatures`

4018

# verify and any metadata necessary to interpret that plaintext. The

4019

# signatures should always be over the `serialized_payload` bytestring.

4020

"contentType": "A String", # Type (for example schema) of the attestation payload that was signed.

4021

# The verifier must ensure that the provided type is one that the verifier

4022

# supports, and that the attestation payload is a valid instantiation of that

4023

# type (for example by validating a JSON schema).

4024

"signatures": [ # One or more signatures over `serialized_payload`. Verifier implementations

4025

# should consider this attestation message verified if at least one

4026

# `signature` verifies `serialized_payload`. See `Signature` in common.proto

4027

# for more details on signature structure and verification.

4028

{ # Verifiers (e.g. Kritis implementations) MUST verify signatures

4029

# with respect to the trust anchors defined in policy (e.g. a Kritis policy).

4030

# Typically this means that the verifier has been configured with a map from

4031

# `public_key_id` to public key material (and any required parameters, e.g.

4032

# signing algorithm).

4033

#

4034

# In particular, verification implementations MUST NOT treat the signature

4035

# `public_key_id` as anything more than a key lookup hint. The `public_key_id`

4036

# DOES NOT validate or authenticate a public key; it only provides a mechanism

4037

# for quickly selecting a public key ALREADY CONFIGURED on the verifier through

4038

# a trusted channel. Verification implementations MUST reject signatures in any

4039

# of the following circumstances:

4040

# * The `public_key_id` is not recognized by the verifier.

4041

# * The public key that `public_key_id` refers to does not verify the

4042

# signature with respect to the payload.

4043

#

4044

# The `signature` contents SHOULD NOT be "attached" (where the payload is

4045

# included with the serialized `signature` bytes). Verifiers MUST ignore any

4046

# "attached" payload and only verify signatures with respect to explicitly

4047

# provided payload (e.g. a `payload` field on the proto message that holds

4048

# this Signature, or the canonical serialization of the proto message that

4049

# holds this signature).

4050

"publicKeyId": "A String", # The identifier for the public key that verifies this signature.

4051

# * The `public_key_id` is required.

4052

# * The `public_key_id` MUST be an RFC3986 conformant URI.

4053

# * When possible, the `public_key_id` SHOULD be an immutable reference,

4054

# such as a cryptographic digest.

4055

#

4056

# Examples of valid `public_key_id`s:

4057

#

4058

# OpenPGP V4 public key fingerprint:

4059

# * "openpgp4fpr:74FAF3B861BDA0870C7B6DEF607E48D2A663AEEA"

4060

# See https://www.iana.org/assignments/uri-schemes/prov/openpgp4fpr for more

4061

# details on this scheme.

4062

#

4063

# RFC6920 digest-named SubjectPublicKeyInfo (digest of the DER

4064

# serialization):

4065

# * "ni:///sha-256;cD9o9Cq6LG3jD0iKXqEi_vdjJGecm_iXkbqVoScViaU"

4066

# * "nih:///sha-256;703f68f42aba2c6de30f488a5ea122fef76324679c9bf89791ba95a1271589a5"

4067

"signature": "A String", # The content of the signature, an opaque bytestring.

4068

# The payload that this signature verifies MUST be unambiguously provided

4069

# with the Signature during verification. A wrapper message might provide

4070

# the payload explicitly. Alternatively, a message might have a canonical

4071

# serialization that can always be unambiguously computed to derive the

# payload.

},

],

"serializedPayload": "A String", # The serialized payload that is verified by one or more `signatures`.

4076

# The encoding and semantic meaning of this payload must match what is set in

# `content_type`.

},

},

},

"name": "A String", # Output only. The name of the occurrence in the form of

4082

# `projects/[PROJECT_ID]/occurrences/[OCCURRENCE_ID]`.

4083

"vulnerability": { # Details of a vulnerability Occurrence. # Describes a security vulnerability.

4084

"longDescription": "A String", # Output only. A detailed description of this vulnerability.

4085

"shortDescription": "A String", # Output only. A one sentence description of this vulnerability.

4086

"effectiveSeverity": "A String", # The distro assigned severity for this vulnerability when it is

4087

# available, and note provider assigned severity when distro has not yet

4088

# assigned a severity for this vulnerability.

4089

"severity": "A String", # Output only. The note provider assigned Severity of the vulnerability.

4090

"cvssScore": 3.14, # Output only. The CVSS score of this vulnerability. CVSS score is on a

4091

# scale of 0-10 where 0 indicates low severity and 10 indicates high

4092

# severity.

4093

"relatedUrls": [ # Output only. URLs related to this vulnerability.

4094

{ # Metadata for any related URL information.

4095

"url": "A String", # Specific URL associated with the resource.

4096

"label": "A String", # Label to describe usage of the URL.

4097

},

4098

],

4099

"type": "A String", # The type of package; whether native or non native(ruby gems, node.js

4100

# packages etc)

4101

"packageIssue": [ # Required. The set of affected locations and their fixes (if available)

4102

# within the associated resource.

4103

{ # This message wraps a location affected by a vulnerability and its

4104

# associated fix (if one is available).

4105

"severityName": "A String", # Deprecated, use Details.effective_severity instead

4106

# The severity (e.g., distro assigned severity) for this vulnerability.

4107

"affectedLocation": { # The location of the vulnerability. # Required. The location of the vulnerability.

4108

"package": "A String", # Required. The package being described.

4109

"version": { # Version contains structured information about the version of a package. # Required. The version of the package being described.

4110

"revision": "A String", # The iteration of the package build from the above version.

4111

"name": "A String", # Required only when version kind is NORMAL. The main part of the version

4112

# name.

4113

"kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal

4114

# versions.

4115

"epoch": 42, # Used to correct mistakes in the version numbering scheme.

4116

},

4117

"cpeUri": "A String", # Required. The CPE URI in [cpe format](https://cpe.mitre.org/specification/)

4118

# format. Examples include distro or storage location for vulnerable jar.

4119

},

4120

"fixedLocation": { # The location of the vulnerability. # The location of the available fix for vulnerability.

4121

"package": "A String", # Required. The package being described.

4122

"version": { # Version contains structured information about the version of a package. # Required. The version of the package being described.

4123

"revision": "A String", # The iteration of the package build from the above version.

4124

"name": "A String", # Required only when version kind is NORMAL. The main part of the version

4125

# name.

4126

"kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal

4127

# versions.

4128

"epoch": 42, # Used to correct mistakes in the version numbering scheme.

4129

},

4130

"cpeUri": "A String", # Required. The CPE URI in [cpe format](https://cpe.mitre.org/specification/)

4131

# format. Examples include distro or storage location for vulnerable jar.

},

},

],

},

"installation": { # Details of a package occurrence. # Describes the installation of a package on the linked resource.

4137

"installation": { # This represents how a particular software package may be installed on a # Required. Where the package was installed.

4138

# system.

4139

"location": [ # Required. All of the places within the filesystem versions of this package

4140

# have been found.

4141

{ # An occurrence of a particular package installation found within a system's

4142

# filesystem. E.g., glibc was found in `/var/lib/dpkg/status`.

4143

"cpeUri": "A String", # Required. The CPE URI in [CPE format](https://cpe.mitre.org/specification/)

4144

# denoting the package manager version distributing a package.

4145

"version": { # Version contains structured information about the version of a package. # The version installed at this location.

4146

"revision": "A String", # The iteration of the package build from the above version.

4147

"name": "A String", # Required only when version kind is NORMAL. The main part of the version

4148

# name.

4149

"kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal

4150

# versions.

4151

"epoch": 42, # Used to correct mistakes in the version numbering scheme.

4152

},

4153

"path": "A String", # The path from which we gathered that this package/version is installed.

4154

},

4155

],

4156

"name": "A String", # Output only. The name of the installed package.

4157

},

4158

},

4159

"build": { # Details of a build occurrence. # Describes a verifiable build.

4160

"provenanceBytes": "A String", # Serialized JSON representation of the provenance, used in generating the

4161

# build signature in the corresponding build note. After verifying the

4162

# signature, `provenance_bytes` can be unmarshalled and compared to the

4163

# provenance to confirm that it is unchanged. A base64-encoded string

4164

# representation of the provenance bytes is used for the signature in order

4165

# to interoperate with openssl which expects this format for signature

4166

# verification.

4167

#

4168

# The serialized form is captured both to avoid ambiguity in how the

4169

# provenance is marshalled to json as well to prevent incompatibilities with

4170

# future changes.

4171

"provenance": { # Provenance of a build. Contains all information needed to verify the full # Required. The actual provenance for the build.

4172

# details about the build from source to completion.

4173

"endTime": "A String", # Time at which execution of the build was finished.

4174

"startTime": "A String", # Time at which execution of the build was started.

4175

"triggerId": "A String", # Trigger identifier if the build was triggered automatically; empty if not.

4176

"sourceProvenance": { # Source describes the location of the source used for the build. # Details of the Source input to the build.

4177

"artifactStorageSourceUri": "A String", # If provided, the input binary artifacts for the build came from this

4178

# location.

4179

"additionalContexts": [ # If provided, some of the source code used for the build may be found in

4180

# these locations, in the case where the source repository had multiple

4181

# remotes or submodules. This list will not include the context specified in

4182

# the context field.

4183

{ # A SourceContext is a reference to a tree of files. A SourceContext together

4184

# with a path point to a unique revision of a single file or directory.

4185

"labels": { # Labels with user defined metadata.

4186

"a_key": "A String",

4187

},

4188

"git": { # A GitSourceContext denotes a particular revision in a third party Git # A SourceContext referring to any third party Git repo (e.g., GitHub).

4189

# repository (e.g., GitHub).

4190

"url": "A String", # Git repository URL.

4191

"revisionId": "A String", # Git commit hash.

4192

},

4193

"gerrit": { # A SourceContext referring to a Gerrit project. # A SourceContext referring to a Gerrit project.

4194

"hostUri": "A String", # The URI of a running Gerrit instance.

4195

"revisionId": "A String", # A revision (commit) ID.

4196

"gerritProject": "A String", # The full project name within the host. Projects may be nested, so

4197

# "project/subproject" is a valid project name. The "repo name" is the

4198

# hostURI/project.

4199

"aliasContext": { # An alias to a repo revision. # An alias, which may be a branch or tag.

4200

"name": "A String", # The alias name.

4201

"kind": "A String", # The alias kind.

4202

},

4203

},

4204

"cloudRepo": { # A CloudRepoSourceContext denotes a particular revision in a Google Cloud # A SourceContext referring to a revision in a Google Cloud Source Repo.

4205

# Source Repo.

4206

"revisionId": "A String", # A revision ID.

4207

"repoId": { # A unique identifier for a Cloud Repo. # The ID of the repo.

4208

"projectRepoId": { # Selects a repo using a Google Cloud Platform project ID (e.g., # A combination of a project ID and a repo name.

4209

# winged-cargo-31) and a repo name within that project.

4210

"projectId": "A String", # The ID of the project.

4211

"repoName": "A String", # The name of the repo. Leave empty for the default repo.

4212

},

4213

"uid": "A String", # A server-assigned, globally unique identifier.

4214

},

4215

"aliasContext": { # An alias to a repo revision. # An alias, which may be a branch or tag.

4216

"name": "A String", # The alias name.

4217

"kind": "A String", # The alias kind.

},

},

},

],

"fileHashes": { # Hash(es) of the build source, which can be used to verify that the original

4223

# source integrity was maintained in the build.

4224

#

4225

# The keys to this map are file paths used as build source and the values

4226

# contain the hash values for those files.

4227

#

4228

# If the build source came in a single package such as a gzipped tarfile

4229

# (.tar.gz), the FileHash will be for the single path to that file.

4230

"a_key": { # Container message for hashes of byte content of files, used in source

4231

# messages to verify integrity of source input to the build.

4232

"fileHash": [ # Required. Collection of file hashes.

4233

{ # Container message for hash values.

4234

"type": "A String", # Required. The type of hash that was performed.

4235

"value": "A String", # Required. The hash value.

},

],

},

},

"context": { # A SourceContext is a reference to a tree of files. A SourceContext together # If provided, the source code used for the build came from this location.

4241

# with a path point to a unique revision of a single file or directory.

4242

"labels": { # Labels with user defined metadata.

4243

"a_key": "A String",

4244

},

4245

"git": { # A GitSourceContext denotes a particular revision in a third party Git # A SourceContext referring to any third party Git repo (e.g., GitHub).

4246

# repository (e.g., GitHub).

4247

"url": "A String", # Git repository URL.

4248

"revisionId": "A String", # Git commit hash.

4249

},

4250

"gerrit": { # A SourceContext referring to a Gerrit project. # A SourceContext referring to a Gerrit project.

4251

"hostUri": "A String", # The URI of a running Gerrit instance.

4252

"revisionId": "A String", # A revision (commit) ID.

4253

"gerritProject": "A String", # The full project name within the host. Projects may be nested, so

4254

# "project/subproject" is a valid project name. The "repo name" is the

4255

# hostURI/project.

4256

"aliasContext": { # An alias to a repo revision. # An alias, which may be a branch or tag.

4257

"name": "A String", # The alias name.

4258

"kind": "A String", # The alias kind.

4259

},

4260

},

4261

"cloudRepo": { # A CloudRepoSourceContext denotes a particular revision in a Google Cloud # A SourceContext referring to a revision in a Google Cloud Source Repo.

4262

# Source Repo.

4263

"revisionId": "A String", # A revision ID.

4264

"repoId": { # A unique identifier for a Cloud Repo. # The ID of the repo.

4265

"projectRepoId": { # Selects a repo using a Google Cloud Platform project ID (e.g., # A combination of a project ID and a repo name.

4266

# winged-cargo-31) and a repo name within that project.

4267

"projectId": "A String", # The ID of the project.

4268

"repoName": "A String", # The name of the repo. Leave empty for the default repo.

4269

},

4270

"uid": "A String", # A server-assigned, globally unique identifier.

4271

},

4272

"aliasContext": { # An alias to a repo revision. # An alias, which may be a branch or tag.

4273

"name": "A String", # The alias name.

4274

"kind": "A String", # The alias kind.

},

},

},

},

"createTime": "A String", # Time at which the build was created.

4280

"projectId": "A String", # ID of the project.

4281

"logsUri": "A String", # URI where any logs for this provenance were written.

4282

"creator": "A String", # E-mail address of the user who initiated this build. Note that this was the

4283

# user's e-mail address at the time the build was initiated; this address may

4284

# not represent the same end-user for all time.

4285

"builderVersion": "A String", # Version string of the builder at the time this build was executed.

4286

"commands": [ # Commands requested by the build.

4287

{ # Command describes a step performed as part of the build pipeline.

4288

"dir": "A String", # Working directory (relative to project source root) used when running this

4289

# command.

4290

"waitFor": [ # The ID(s) of the command(s) that this command depends on.

4291

"A String",

4292

],

4293

"env": [ # Environment variables set before running this command.

4294

"A String",

4295

],

4296

"args": [ # Command-line arguments used when executing this command.

4297

"A String",

4298

],

4299

"name": "A String", # Required. Name of the command, as presented on the command line, or if the

4300

# command is packaged as a Docker container, as presented to `docker pull`.

4301

"id": "A String", # Optional unique identifier for this command, used in wait_for to reference

4302

# this command as a dependency.

4303

},

4304

],

4305

"builtArtifacts": [ # Output of the build.

4306

{ # Artifact describes a build product.

4307

"checksum": "A String", # Hash or checksum value of a binary, or Docker Registry 2.0 digest of a

4308

# container.

4309

"id": "A String", # Artifact ID, if any; for container images, this will be a URL by digest

4310

# like `gcr.io/projectID/imagename@sha256:123456`.

4311

"names": [ # Related artifact names. This may be the path to a binary or jar file, or in

4312

# the case of a container build, the name used to push the container image to

4313

# Google Container Registry, as presented to `docker push`. Note that a

4314

# single Artifact ID can have multiple names, for example if two tags are

4315

# applied to one image.

"A String",

],

},

],

"id": "A String", # Required. Unique identifier of the build.

4321

"buildOptions": { # Special options applied to this build. This is a catch-all field where

4322

# build providers can enter any desired additional details.

"a_key": "A String",

},

},

},

"discovered": { # Details of a discovery occurrence. # Describes when a resource was discovered.

4328

"discovered": { # Provides information about the analysis status of a discovered resource. # Required. Analysis status for the discovered resource.

4329

"analysisStatusError": { # The `Status` type defines a logical error model that is suitable for # When an error is encountered this will contain a LocalizedMessage under

4330

# details to show to the user. The LocalizedMessage is output only and

4331

# populated by the API.

4332

# different programming environments, including REST APIs and RPC APIs. It is

4333

# used by [gRPC](https://github.com/grpc). Each `Status` message contains

4334

# three pieces of data: error code, error message, and error details.

4335

#

4336

# You can find out more about this error model and how to work with it in the

4337

# [API Design Guide](https://cloud.google.com/apis/design/errors).

4338

"details": [ # A list of messages that carry the error details. There is a common set of

4339

# message types for APIs to use.

4340

{

4341

"a_key": "", # Properties of the object. Contains field @type with type URL.

4342

},

4343

],

4344

"code": 42, # The status code, which should be an enum value of google.rpc.Code.

4345

"message": "A String", # A developer-facing error message, which should be in English. Any

4346

# user-facing error message should be localized and sent in the

4347

# google.rpc.Status.details field, or localized by the client.

4348

},

4349

"analysisStatus": "A String", # The status of discovery for the resource.

4350

"continuousAnalysis": "A String", # Whether the resource is continuously analyzed.

4351

"lastAnalysisTime": "A String", # The last time continuous analysis was done for this resource.

4352

# Deprecated, do not use.

4353

},

4354

},

4355

"noteName": "A String", # Required. Immutable. The analysis note associated with this occurrence, in

4356

# the form of `projects/[PROVIDER_ID]/notes/[NOTE_ID]`. This field can be

4357

# used as a filter in list requests.

4358

"deployment": { # Details of a deployment occurrence. # Describes the deployment of an artifact on a runtime.

4359

"deployment": { # The period during which some deployable was active in a runtime. # Required. Deployment history for the resource.

4360

"userEmail": "A String", # Identity of the user that triggered this deployment.

4361

"config": "A String", # Configuration used to create this deployment.

4362

"undeployTime": "A String", # End of the lifetime of this deployment.

4363

"platform": "A String", # Platform hosting this deployment.

4364

"deployTime": "A String", # Required. Beginning of the lifetime of this deployment.

4365

"address": "A String", # Address of the runtime element hosting this deployment.

4366

"resourceUri": [ # Output only. Resource URI for the artifact being deployed taken from

4367

# the deployable field with the same name.

"A String",

],

},

},

"createTime": "A String", # Output only. The time this occurrence was created.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

4373

"updateTime": "A String", # Output only. The time this occurrence was last updated.

4374

"remediation": "A String", # A description of actions that can be taken to remedy the note.

4375

"intoto": { # This corresponds to a signed in-toto link - it is made up of one or more # Describes a specific in-toto link.

4376

# signatures and the in-toto link itself. This is used for occurrences of a

4377

# Grafeas in-toto note.

4378

"signed": { # This corresponds to an in-toto link.

4379

"command": [ # This field contains the full command executed for the step. This can also

4380

# be empty if links are generated for operations that aren't directly mapped

4381

# to a specific command. Each term in the command is an independent string

4382

# in the list. An example of a command in the in-toto metadata field is:

4383

# "command": ["git", "clone", "https://github.com/in-toto/demo-project.git"]

4384

"A String",

4385

],

4386

"byproducts": { # Defines an object for the byproducts field in in-toto links. The suggested # ByProducts are data generated as part of a software supply chain step, but

4387

# are not the actual result of the step.

4388

# fields are "stderr", "stdout", and "return-value".

"customValues": {

"a_key": "A String",

},

},

"environment": { # Defines an object for the environment field in in-toto links. The suggested # This is a field that can be used to capture information about the

4394

# environment. It is suggested for this field to contain information that

4395

# details environment variables, filesystem information, and the present

4396

# working directory. The recommended structure of this field is:

4397

# "environment": {

4398

# "custom_values": {

4399

# "variables": "<ENV>",

4400

# "filesystem": "<FS>",

4401

# "workdir": "<CWD>",

4402

# "<ANY OTHER RELEVANT FIELDS>": "..."

4403

# }

4404

# }

4405

# fields are "variables", "filesystem", and "workdir".

"customValues": {

"a_key": "A String",

},

},

"materials": [ # Materials are the supply chain artifacts that go into the step and are used

4411

# for the operation performed. The key of the map is the path of the artifact

4412

# and the structure contains the recorded hash information. An example is:

4413

# "materials": [

4414

# {

4415

# "resource_uri": "foo/bar",

4416

# "hashes": {

4417

# "sha256": "ebebf...",

4418

# <OTHER HASH ALGORITHMS>: <HASH VALUE>

# }

# }

# ]

{

"hashes": { # Defines a hash object for use in Materials and Products.

4424

"sha256": "A String",

4425

},

4426

"resourceUri": "A String",

4427

},

4428

],

4429

"products": [ # Products are the supply chain artifacts generated as a result of the step.

4430

# The structure is identical to that of materials.

4431

{

4432

"hashes": { # Defines a hash object for use in Materials and Products.

4433

"sha256": "A String",

4434

},

4435

"resourceUri": "A String",

4436

},

4437

],

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

4438

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

4439

"signatures": [

4440

{ # A signature object consists of the KeyID used and the signature itself.

4441

"sig": "A String",

4442

"keyid": "A String",

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

4443

},

4444

],

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

4445

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

4446

"derivedImage": { # Details of an image occurrence. # Describes how this resource derives from the basis in the associated

4447

# note.

4448

"derivedImage": { # Derived describes the derived image portion (Occurrence) of the DockerImage # Required. Immutable. The child image derived from the base image.

4449

# relationship. This image would be produced from a Dockerfile with FROM

4450

# <DockerImage.Basis in attached Note>.

4451

"fingerprint": { # A set of properties that uniquely identify a given Docker image. # Required. The fingerprint of the derived image.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

4452

"v2Blob": [ # Required. The ordered list of v2 blobs that represent a given image.

4453

"A String",

4454

],

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

4455

"v1Name": "A String", # Required. The layer ID of the final layer in the Docker image's v1

4456

# representation.

4457

"v2Name": "A String", # Output only. The name of the image's v2 blobs computed via:

4458

# [bottom] := v2_blobbottom := sha256(v2_blob[N] + " " + v2_name[N+1])

4459

# Only the name of the final blob is kept.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

4460

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

4461

"layerInfo": [ # This contains layer-specific metadata, if populated it has length

4462

# "distance" and is ordered with [distance] being the layer immediately

4463

# following the base image and [1] being the final layer.

4464

{ # Layer holds metadata specific to a layer of a Docker image.

4465

"directive": "A String", # Required. The recovered Dockerfile directive used to construct this layer.

4466

"arguments": "A String", # The recovered arguments to the Dockerfile directive.

4467

},

4468

],

4469

"distance": 42, # Output only. The number of layers by which this image differs from the

4470

# associated image basis.

4471

"baseResourceUrl": "A String", # Output only. This contains the base image URL for the derived image

4472

# occurrence.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

4473

},

4474

},

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

4475

}

4476

4477

updateMask: string, The fields to update.

4478

x__xgafv: string, V1 error format.

Allowed values

1 - v1 error format

2 - v2 error format

Returns:

An object of the form:

4485

4486

{ # An instance of an analysis type that has been found on a resource.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

4487

"kind": "A String", # Output only. This explicitly denotes which of the occurrence details are

4488

# specified. This field can be used as a filter in list requests.

4489

"resource": { # An entity that can have metadata. For example, a Docker image. # Required. Immutable. The resource for which the occurrence applies.

4490

"name": "A String", # Deprecated, do not use. Use uri instead.

4491

#

4492

# The name of the resource. For example, the name of a Docker image -

4493

# "Debian".

4494

"contentHash": { # Container message for hash values. # Deprecated, do not use. Use uri instead.

4495

#

4496

# The hash of the resource content. For example, the Docker digest.

4497

"type": "A String", # Required. The type of hash that was performed.

4498

"value": "A String", # Required. The hash value.

4499

},

4500

"uri": "A String", # Required. The unique URI of the resource. For example,

4501

# `https://gcr.io/project/image@sha256:foo` for a Docker image.

4502

},

4503

"attestation": { # Details of an attestation occurrence. # Describes an attestation of an artifact.

4504

"attestation": { # Occurrence that represents a single "attestation". The authenticity of an # Required. Attestation for the resource.

4505

# attestation can be verified using the attached signature. If the verifier

4506

# trusts the public key of the signer, then verifying the signature is

4507

# sufficient to establish trust. In this circumstance, the authority to which

4508

# this attestation is attached is primarily useful for look-up (how to find

4509

# this attestation if you already know the authority and artifact to be

4510

# verified) and intent (which authority was this attestation intended to sign

4511

# for).

4512

"pgpSignedAttestation": { # An attestation wrapper with a PGP-compatible signature. This message only # A PGP signed attestation.

4513

# supports `ATTACHED` signatures, where the payload that is signed is included

4514

# alongside the signature itself in the same file.

4515

"contentType": "A String", # Type (for example schema) of the attestation payload that was signed.

4516

# The verifier must ensure that the provided type is one that the verifier

4517

# supports, and that the attestation payload is a valid instantiation of that

4518

# type (for example by validating a JSON schema).

4519

"signature": "A String", # Required. The raw content of the signature, as output by GNU Privacy Guard

4520

# (GPG) or equivalent. Since this message only supports attached signatures,

4521

# the payload that was signed must be attached. While the signature format

4522

# supported is dependent on the verification implementation, currently only

4523

# ASCII-armored (`--armor` to gpg), non-clearsigned (`--sign` rather than

4524

# `--clearsign` to gpg) are supported. Concretely, `gpg --sign --armor

4525

# --output=signature.gpg payload.json` will create the signature content

4526

# expected in this field in `signature.gpg` for the `payload.json`

4527

# attestation payload.

4528

"pgpKeyId": "A String", # The cryptographic fingerprint of the key used to generate the signature,

4529

# as output by, e.g. `gpg --list-keys`. This should be the version 4, full

4530

# 160-bit fingerprint, expressed as a 40 character hexidecimal string. See

4531

# https://tools.ietf.org/html/rfc4880#section-12.2 for details.

4532

# Implementations may choose to acknowledge "LONG", "SHORT", or other

4533

# abbreviated key IDs, but only the full fingerprint is guaranteed to work.

4534

# In gpg, the full fingerprint can be retrieved from the `fpr` field

4535

# returned when calling --list-keys with --with-colons. For example:

4536

# ```

4537

# gpg --with-colons --with-fingerprint --force-v4-certs \

4538

# --list-keys attester@example.com

4539

# tru::1:1513631572:0:3:1:5

4540

# pub:...<SNIP>...

4541

# fpr:::::::::24FF6481B76AC91E66A00AC657A93A81EF3AE6FB:

4542

# ```

4543

# Above, the fingerprint is `24FF6481B76AC91E66A00AC657A93A81EF3AE6FB`.

4544

},

4545

"genericSignedAttestation": { # An attestation wrapper that uses the Grafeas `Signature` message.

4546

# This attestation must define the `serialized_payload` that the `signatures`

4547

# verify and any metadata necessary to interpret that plaintext. The

4548

# signatures should always be over the `serialized_payload` bytestring.

4549

"contentType": "A String", # Type (for example schema) of the attestation payload that was signed.

4550

# The verifier must ensure that the provided type is one that the verifier

4551

# supports, and that the attestation payload is a valid instantiation of that

4552

# type (for example by validating a JSON schema).

4553

"signatures": [ # One or more signatures over `serialized_payload`. Verifier implementations

4554

# should consider this attestation message verified if at least one

4555

# `signature` verifies `serialized_payload`. See `Signature` in common.proto

4556

# for more details on signature structure and verification.

4557

{ # Verifiers (e.g. Kritis implementations) MUST verify signatures

4558

# with respect to the trust anchors defined in policy (e.g. a Kritis policy).

4559

# Typically this means that the verifier has been configured with a map from

4560

# `public_key_id` to public key material (and any required parameters, e.g.

4561

# signing algorithm).

4562

#

4563

# In particular, verification implementations MUST NOT treat the signature

4564

# `public_key_id` as anything more than a key lookup hint. The `public_key_id`

4565

# DOES NOT validate or authenticate a public key; it only provides a mechanism

4566

# for quickly selecting a public key ALREADY CONFIGURED on the verifier through

4567

# a trusted channel. Verification implementations MUST reject signatures in any

4568

# of the following circumstances:

4569

# * The `public_key_id` is not recognized by the verifier.

4570

# * The public key that `public_key_id` refers to does not verify the

4571

# signature with respect to the payload.

4572

#

4573

# The `signature` contents SHOULD NOT be "attached" (where the payload is

4574

# included with the serialized `signature` bytes). Verifiers MUST ignore any

4575

# "attached" payload and only verify signatures with respect to explicitly

4576

# provided payload (e.g. a `payload` field on the proto message that holds

4577

# this Signature, or the canonical serialization of the proto message that

4578

# holds this signature).

4579

"publicKeyId": "A String", # The identifier for the public key that verifies this signature.

4580

# * The `public_key_id` is required.

4581

# * The `public_key_id` MUST be an RFC3986 conformant URI.

4582

# * When possible, the `public_key_id` SHOULD be an immutable reference,

4583

# such as a cryptographic digest.

4584

#

4585

# Examples of valid `public_key_id`s:

4586

#

4587

# OpenPGP V4 public key fingerprint:

4588

# * "openpgp4fpr:74FAF3B861BDA0870C7B6DEF607E48D2A663AEEA"

4589

# See https://www.iana.org/assignments/uri-schemes/prov/openpgp4fpr for more

4590

# details on this scheme.

4591

#

4592

# RFC6920 digest-named SubjectPublicKeyInfo (digest of the DER

4593

# serialization):

4594

# * "ni:///sha-256;cD9o9Cq6LG3jD0iKXqEi_vdjJGecm_iXkbqVoScViaU"

4595

# * "nih:///sha-256;703f68f42aba2c6de30f488a5ea122fef76324679c9bf89791ba95a1271589a5"

4596

"signature": "A String", # The content of the signature, an opaque bytestring.

4597

# The payload that this signature verifies MUST be unambiguously provided

4598

# with the Signature during verification. A wrapper message might provide

4599

# the payload explicitly. Alternatively, a message might have a canonical

4600

# serialization that can always be unambiguously computed to derive the

# payload.

},

],

"serializedPayload": "A String", # The serialized payload that is verified by one or more `signatures`.

4605

# The encoding and semantic meaning of this payload must match what is set in

# `content_type`.

},

},

},

"name": "A String", # Output only. The name of the occurrence in the form of

4611

# `projects/[PROJECT_ID]/occurrences/[OCCURRENCE_ID]`.

4612

"vulnerability": { # Details of a vulnerability Occurrence. # Describes a security vulnerability.

4613

"longDescription": "A String", # Output only. A detailed description of this vulnerability.

4614

"shortDescription": "A String", # Output only. A one sentence description of this vulnerability.

4615

"effectiveSeverity": "A String", # The distro assigned severity for this vulnerability when it is

4616

# available, and note provider assigned severity when distro has not yet

4617

# assigned a severity for this vulnerability.

4618

"severity": "A String", # Output only. The note provider assigned Severity of the vulnerability.

4619

"cvssScore": 3.14, # Output only. The CVSS score of this vulnerability. CVSS score is on a

4620

# scale of 0-10 where 0 indicates low severity and 10 indicates high

4621

# severity.

4622

"relatedUrls": [ # Output only. URLs related to this vulnerability.

4623

{ # Metadata for any related URL information.

4624

"url": "A String", # Specific URL associated with the resource.

4625

"label": "A String", # Label to describe usage of the URL.

4626

},

4627

],

4628

"type": "A String", # The type of package; whether native or non native(ruby gems, node.js

4629

# packages etc)

4630

"packageIssue": [ # Required. The set of affected locations and their fixes (if available)

4631

# within the associated resource.

4632

{ # This message wraps a location affected by a vulnerability and its

4633

# associated fix (if one is available).

4634

"severityName": "A String", # Deprecated, use Details.effective_severity instead

4635

# The severity (e.g., distro assigned severity) for this vulnerability.

4636

"affectedLocation": { # The location of the vulnerability. # Required. The location of the vulnerability.

4637

"package": "A String", # Required. The package being described.

4638

"version": { # Version contains structured information about the version of a package. # Required. The version of the package being described.

4639

"revision": "A String", # The iteration of the package build from the above version.

4640

"name": "A String", # Required only when version kind is NORMAL. The main part of the version

4641

# name.

4642

"kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal

4643

# versions.

4644

"epoch": 42, # Used to correct mistakes in the version numbering scheme.

4645

},

4646

"cpeUri": "A String", # Required. The CPE URI in [cpe format](https://cpe.mitre.org/specification/)

4647

# format. Examples include distro or storage location for vulnerable jar.

4648

},

4649

"fixedLocation": { # The location of the vulnerability. # The location of the available fix for vulnerability.

4650

"package": "A String", # Required. The package being described.

4651

"version": { # Version contains structured information about the version of a package. # Required. The version of the package being described.

4652

"revision": "A String", # The iteration of the package build from the above version.

4653

"name": "A String", # Required only when version kind is NORMAL. The main part of the version

4654

# name.

4655

"kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal

4656

# versions.

4657

"epoch": 42, # Used to correct mistakes in the version numbering scheme.

4658

},

4659

"cpeUri": "A String", # Required. The CPE URI in [cpe format](https://cpe.mitre.org/specification/)

4660

# format. Examples include distro or storage location for vulnerable jar.

},

},

],

},

"installation": { # Details of a package occurrence. # Describes the installation of a package on the linked resource.

4666

"installation": { # This represents how a particular software package may be installed on a # Required. Where the package was installed.

4667

# system.

4668

"location": [ # Required. All of the places within the filesystem versions of this package

4669

# have been found.

4670

{ # An occurrence of a particular package installation found within a system's

4671

# filesystem. E.g., glibc was found in `/var/lib/dpkg/status`.

4672

"cpeUri": "A String", # Required. The CPE URI in [CPE format](https://cpe.mitre.org/specification/)

4673

# denoting the package manager version distributing a package.

4674

"version": { # Version contains structured information about the version of a package. # The version installed at this location.

4675

"revision": "A String", # The iteration of the package build from the above version.

4676

"name": "A String", # Required only when version kind is NORMAL. The main part of the version

4677

# name.

4678

"kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal

4679

# versions.

4680

"epoch": 42, # Used to correct mistakes in the version numbering scheme.

4681

},

4682

"path": "A String", # The path from which we gathered that this package/version is installed.

4683

},

4684

],

4685

"name": "A String", # Output only. The name of the installed package.

4686

},

4687

},

4688

"build": { # Details of a build occurrence. # Describes a verifiable build.

4689

"provenanceBytes": "A String", # Serialized JSON representation of the provenance, used in generating the

4690

# build signature in the corresponding build note. After verifying the

4691

# signature, `provenance_bytes` can be unmarshalled and compared to the

4692

# provenance to confirm that it is unchanged. A base64-encoded string

4693

# representation of the provenance bytes is used for the signature in order

4694

# to interoperate with openssl which expects this format for signature

4695

# verification.

4696

#

4697

# The serialized form is captured both to avoid ambiguity in how the

4698

# provenance is marshalled to json as well to prevent incompatibilities with

4699

# future changes.

4700

"provenance": { # Provenance of a build. Contains all information needed to verify the full # Required. The actual provenance for the build.

4701

# details about the build from source to completion.

4702

"endTime": "A String", # Time at which execution of the build was finished.

4703

"startTime": "A String", # Time at which execution of the build was started.

4704

"triggerId": "A String", # Trigger identifier if the build was triggered automatically; empty if not.

4705

"sourceProvenance": { # Source describes the location of the source used for the build. # Details of the Source input to the build.

4706

"artifactStorageSourceUri": "A String", # If provided, the input binary artifacts for the build came from this

4707

# location.

4708

"additionalContexts": [ # If provided, some of the source code used for the build may be found in

4709

# these locations, in the case where the source repository had multiple

4710

# remotes or submodules. This list will not include the context specified in

4711

# the context field.

4712

{ # A SourceContext is a reference to a tree of files. A SourceContext together

4713

# with a path point to a unique revision of a single file or directory.

4714

"labels": { # Labels with user defined metadata.

4715

"a_key": "A String",

4716

},

4717

"git": { # A GitSourceContext denotes a particular revision in a third party Git # A SourceContext referring to any third party Git repo (e.g., GitHub).

4718

# repository (e.g., GitHub).

4719

"url": "A String", # Git repository URL.

4720

"revisionId": "A String", # Git commit hash.

4721

},

4722

"gerrit": { # A SourceContext referring to a Gerrit project. # A SourceContext referring to a Gerrit project.

4723

"hostUri": "A String", # The URI of a running Gerrit instance.

4724

"revisionId": "A String", # A revision (commit) ID.

4725

"gerritProject": "A String", # The full project name within the host. Projects may be nested, so

4726

# "project/subproject" is a valid project name. The "repo name" is the

4727

# hostURI/project.

4728

"aliasContext": { # An alias to a repo revision. # An alias, which may be a branch or tag.

4729

"name": "A String", # The alias name.

4730

"kind": "A String", # The alias kind.

4731

},

4732

},

4733

"cloudRepo": { # A CloudRepoSourceContext denotes a particular revision in a Google Cloud # A SourceContext referring to a revision in a Google Cloud Source Repo.

4734

# Source Repo.

4735

"revisionId": "A String", # A revision ID.

4736

"repoId": { # A unique identifier for a Cloud Repo. # The ID of the repo.

4737

"projectRepoId": { # Selects a repo using a Google Cloud Platform project ID (e.g., # A combination of a project ID and a repo name.

4738

# winged-cargo-31) and a repo name within that project.

4739

"projectId": "A String", # The ID of the project.

4740

"repoName": "A String", # The name of the repo. Leave empty for the default repo.

4741

},

4742

"uid": "A String", # A server-assigned, globally unique identifier.

4743

},

4744

"aliasContext": { # An alias to a repo revision. # An alias, which may be a branch or tag.

4745

"name": "A String", # The alias name.

4746

"kind": "A String", # The alias kind.

},

},

},

],

"fileHashes": { # Hash(es) of the build source, which can be used to verify that the original

4752

# source integrity was maintained in the build.

4753

#

4754

# The keys to this map are file paths used as build source and the values

4755

# contain the hash values for those files.

4756

#

4757

# If the build source came in a single package such as a gzipped tarfile

4758

# (.tar.gz), the FileHash will be for the single path to that file.

4759

"a_key": { # Container message for hashes of byte content of files, used in source

4760

# messages to verify integrity of source input to the build.

4761

"fileHash": [ # Required. Collection of file hashes.

4762

{ # Container message for hash values.

4763

"type": "A String", # Required. The type of hash that was performed.

4764

"value": "A String", # Required. The hash value.

},

],

},

},

"context": { # A SourceContext is a reference to a tree of files. A SourceContext together # If provided, the source code used for the build came from this location.

4770

# with a path point to a unique revision of a single file or directory.

4771

"labels": { # Labels with user defined metadata.

4772

"a_key": "A String",

4773

},

4774

"git": { # A GitSourceContext denotes a particular revision in a third party Git # A SourceContext referring to any third party Git repo (e.g., GitHub).

4775

# repository (e.g., GitHub).

4776

"url": "A String", # Git repository URL.

4777

"revisionId": "A String", # Git commit hash.

4778

},

4779

"gerrit": { # A SourceContext referring to a Gerrit project. # A SourceContext referring to a Gerrit project.

4780

"hostUri": "A String", # The URI of a running Gerrit instance.

4781

"revisionId": "A String", # A revision (commit) ID.

4782

"gerritProject": "A String", # The full project name within the host. Projects may be nested, so

4783

# "project/subproject" is a valid project name. The "repo name" is the

4784

# hostURI/project.

4785

"aliasContext": { # An alias to a repo revision. # An alias, which may be a branch or tag.

4786

"name": "A String", # The alias name.

4787

"kind": "A String", # The alias kind.

4788

},

4789

},

4790

"cloudRepo": { # A CloudRepoSourceContext denotes a particular revision in a Google Cloud # A SourceContext referring to a revision in a Google Cloud Source Repo.

4791

# Source Repo.

4792

"revisionId": "A String", # A revision ID.

4793

"repoId": { # A unique identifier for a Cloud Repo. # The ID of the repo.

4794

"projectRepoId": { # Selects a repo using a Google Cloud Platform project ID (e.g., # A combination of a project ID and a repo name.

4795

# winged-cargo-31) and a repo name within that project.

4796

"projectId": "A String", # The ID of the project.

4797

"repoName": "A String", # The name of the repo. Leave empty for the default repo.

4798

},

4799

"uid": "A String", # A server-assigned, globally unique identifier.

4800

},

4801

"aliasContext": { # An alias to a repo revision. # An alias, which may be a branch or tag.

4802

"name": "A String", # The alias name.

4803

"kind": "A String", # The alias kind.

},

},

},

},

"createTime": "A String", # Time at which the build was created.

4809

"projectId": "A String", # ID of the project.

4810

"logsUri": "A String", # URI where any logs for this provenance were written.

4811

"creator": "A String", # E-mail address of the user who initiated this build. Note that this was the

4812

# user's e-mail address at the time the build was initiated; this address may

4813

# not represent the same end-user for all time.

4814

"builderVersion": "A String", # Version string of the builder at the time this build was executed.

4815

"commands": [ # Commands requested by the build.

4816

{ # Command describes a step performed as part of the build pipeline.

4817

"dir": "A String", # Working directory (relative to project source root) used when running this

4818

# command.

4819

"waitFor": [ # The ID(s) of the command(s) that this command depends on.

4820

"A String",

4821

],

4822

"env": [ # Environment variables set before running this command.

4823

"A String",

4824

],

4825

"args": [ # Command-line arguments used when executing this command.

4826

"A String",

4827

],

4828

"name": "A String", # Required. Name of the command, as presented on the command line, or if the

4829

# command is packaged as a Docker container, as presented to `docker pull`.

4830

"id": "A String", # Optional unique identifier for this command, used in wait_for to reference

4831

# this command as a dependency.

4832

},

4833

],

4834

"builtArtifacts": [ # Output of the build.

4835

{ # Artifact describes a build product.

4836

"checksum": "A String", # Hash or checksum value of a binary, or Docker Registry 2.0 digest of a

4837

# container.

4838

"id": "A String", # Artifact ID, if any; for container images, this will be a URL by digest

4839

# like `gcr.io/projectID/imagename@sha256:123456`.

4840

"names": [ # Related artifact names. This may be the path to a binary or jar file, or in

4841

# the case of a container build, the name used to push the container image to

4842

# Google Container Registry, as presented to `docker push`. Note that a

4843

# single Artifact ID can have multiple names, for example if two tags are

4844

# applied to one image.

"A String",

],

},

],

"id": "A String", # Required. Unique identifier of the build.

4850

"buildOptions": { # Special options applied to this build. This is a catch-all field where

4851

# build providers can enter any desired additional details.

"a_key": "A String",

},

},

},

"discovered": { # Details of a discovery occurrence. # Describes when a resource was discovered.

4857

"discovered": { # Provides information about the analysis status of a discovered resource. # Required. Analysis status for the discovered resource.

4858

"analysisStatusError": { # The `Status` type defines a logical error model that is suitable for # When an error is encountered this will contain a LocalizedMessage under

4859

# details to show to the user. The LocalizedMessage is output only and

4860

# populated by the API.

4861

# different programming environments, including REST APIs and RPC APIs. It is

4862

# used by [gRPC](https://github.com/grpc). Each `Status` message contains

4863

# three pieces of data: error code, error message, and error details.

4864

#

4865

# You can find out more about this error model and how to work with it in the

4866

# [API Design Guide](https://cloud.google.com/apis/design/errors).

4867

"details": [ # A list of messages that carry the error details. There is a common set of

4868

# message types for APIs to use.

4869

{

4870

"a_key": "", # Properties of the object. Contains field @type with type URL.

4871

},

4872

],

4873

"code": 42, # The status code, which should be an enum value of google.rpc.Code.

4874

"message": "A String", # A developer-facing error message, which should be in English. Any

4875

# user-facing error message should be localized and sent in the

4876

# google.rpc.Status.details field, or localized by the client.

4877

},

4878

"analysisStatus": "A String", # The status of discovery for the resource.

4879

"continuousAnalysis": "A String", # Whether the resource is continuously analyzed.

4880

"lastAnalysisTime": "A String", # The last time continuous analysis was done for this resource.

4881

# Deprecated, do not use.

4882

},

4883

},

4884

"noteName": "A String", # Required. Immutable. The analysis note associated with this occurrence, in

4885

# the form of `projects/[PROVIDER_ID]/notes/[NOTE_ID]`. This field can be

4886

# used as a filter in list requests.

4887

"deployment": { # Details of a deployment occurrence. # Describes the deployment of an artifact on a runtime.

4888

"deployment": { # The period during which some deployable was active in a runtime. # Required. Deployment history for the resource.

4889

"userEmail": "A String", # Identity of the user that triggered this deployment.

4890

"config": "A String", # Configuration used to create this deployment.

4891

"undeployTime": "A String", # End of the lifetime of this deployment.

4892

"platform": "A String", # Platform hosting this deployment.

4893

"deployTime": "A String", # Required. Beginning of the lifetime of this deployment.

4894

"address": "A String", # Address of the runtime element hosting this deployment.

4895

"resourceUri": [ # Output only. Resource URI for the artifact being deployed taken from

4896

# the deployable field with the same name.

"A String",

],

},

},

"createTime": "A String", # Output only. The time this occurrence was created.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

4902

"updateTime": "A String", # Output only. The time this occurrence was last updated.

4903

"remediation": "A String", # A description of actions that can be taken to remedy the note.

4904

"intoto": { # This corresponds to a signed in-toto link - it is made up of one or more # Describes a specific in-toto link.

4905

# signatures and the in-toto link itself. This is used for occurrences of a

4906

# Grafeas in-toto note.

4907

"signed": { # This corresponds to an in-toto link.

4908

"command": [ # This field contains the full command executed for the step. This can also

4909

# be empty if links are generated for operations that aren't directly mapped

4910

# to a specific command. Each term in the command is an independent string

4911

# in the list. An example of a command in the in-toto metadata field is:

4912

# "command": ["git", "clone", "https://github.com/in-toto/demo-project.git"]

4913

"A String",

4914

],

4915

"byproducts": { # Defines an object for the byproducts field in in-toto links. The suggested # ByProducts are data generated as part of a software supply chain step, but

4916

# are not the actual result of the step.

4917

# fields are "stderr", "stdout", and "return-value".

"customValues": {

"a_key": "A String",

},

},

"environment": { # Defines an object for the environment field in in-toto links. The suggested # This is a field that can be used to capture information about the

4923

# environment. It is suggested for this field to contain information that

4924

# details environment variables, filesystem information, and the present

4925

# working directory. The recommended structure of this field is:

4926

# "environment": {

4927

# "custom_values": {

4928

# "variables": "<ENV>",

4929

# "filesystem": "<FS>",

4930

# "workdir": "<CWD>",

4931

# "<ANY OTHER RELEVANT FIELDS>": "..."

4932

# }

4933

# }

4934

# fields are "variables", "filesystem", and "workdir".

"customValues": {

"a_key": "A String",

},

},

"materials": [ # Materials are the supply chain artifacts that go into the step and are used

4940

# for the operation performed. The key of the map is the path of the artifact

4941

# and the structure contains the recorded hash information. An example is:

4942

# "materials": [

4943

# {

4944

# "resource_uri": "foo/bar",

4945

# "hashes": {

4946

# "sha256": "ebebf...",

4947

# <OTHER HASH ALGORITHMS>: <HASH VALUE>

# }

# }

# ]

{

"hashes": { # Defines a hash object for use in Materials and Products.

4953

"sha256": "A String",

4954

},

4955

"resourceUri": "A String",

4956

},

4957

],

4958

"products": [ # Products are the supply chain artifacts generated as a result of the step.

4959

# The structure is identical to that of materials.

4960

{

4961

"hashes": { # Defines a hash object for use in Materials and Products.

4962

"sha256": "A String",

4963

},

4964

"resourceUri": "A String",

4965

},

4966

],

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

4967

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

4968

"signatures": [

4969

{ # A signature object consists of the KeyID used and the signature itself.

4970

"sig": "A String",

4971

"keyid": "A String",

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

4972

},

4973

],

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

4974

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

4975

"derivedImage": { # Details of an image occurrence. # Describes how this resource derives from the basis in the associated

4976

# note.

4977

"derivedImage": { # Derived describes the derived image portion (Occurrence) of the DockerImage # Required. Immutable. The child image derived from the base image.

4978

# relationship. This image would be produced from a Dockerfile with FROM

4979

# <DockerImage.Basis in attached Note>.

4980

"fingerprint": { # A set of properties that uniquely identify a given Docker image. # Required. The fingerprint of the derived image.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

4981

"v2Blob": [ # Required. The ordered list of v2 blobs that represent a given image.

4982

"A String",

4983

],

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

4984

"v1Name": "A String", # Required. The layer ID of the final layer in the Docker image's v1

4985

# representation.

4986

"v2Name": "A String", # Output only. The name of the image's v2 blobs computed via:

4987

# [bottom] := v2_blobbottom := sha256(v2_blob[N] + " " + v2_name[N+1])

4988

# Only the name of the final blob is kept.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

4989

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

4990

"layerInfo": [ # This contains layer-specific metadata, if populated it has length

4991

# "distance" and is ordered with [distance] being the layer immediately

4992

# following the base image and [1] being the final layer.

4993

{ # Layer holds metadata specific to a layer of a Docker image.

4994

"directive": "A String", # Required. The recovered Dockerfile directive used to construct this layer.

4995

"arguments": "A String", # The recovered arguments to the Dockerfile directive.

4996

},

4997

],

4998

"distance": 42, # Output only. The number of layers by which this image differs from the

4999

# associated image basis.

5000

"baseResourceUrl": "A String", # Output only. This contains the base image URL for the derived image

5001

# occurrence.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

5002

},

5003

},

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

}</pre>

</div>

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

5008

<code class="details" id="setIamPolicy">setIamPolicy(resource, body=None, x__xgafv=None)</code>

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

5009

<pre>Sets the access control policy on the specified note or occurrence.

5010

Requires `containeranalysis.notes.setIamPolicy` or

5011

`containeranalysis.occurrences.setIamPolicy` permission if the resource is

5012

a note or an occurrence, respectively.

5013

5014

The resource takes the format `projects/[PROJECT_ID]/notes/[NOTE_ID]` for

5015

notes and `projects/[PROJECT_ID]/occurrences/[OCCURRENCE_ID]` for

occurrences.

Args:

resource: string, REQUIRED: The resource for which the policy is being specified.

5020

See the operation documentation for the appropriate value for this field. (required)

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

5021

body: object, The request body.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

5022

The object takes the form of:

5023

5024

{ # Request message for `SetIamPolicy` method.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

5025

"policy": { # An Identity and Access Management (IAM) policy, which specifies access # REQUIRED: The complete policy to be applied to the `resource`. The size of

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

5026

# the policy is limited to a few 10s of KB. An empty policy is a

5027

# valid policy but certain Cloud Platform services (such as Projects)

5028

# might reject them.

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

5029

# controls for Google Cloud resources.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

5030

#

5031

#

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

5032

# A `Policy` is a collection of `bindings`. A `binding` binds one or more

5033

# `members` to a single `role`. Members can be user accounts, service accounts,

5034

# Google groups, and domains (such as G Suite). A `role` is a named list of

5035

# permissions; each `role` can be an IAM predefined role or a user-created

5036

# custom role.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

5037

#

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

5038

# For some types of Google Cloud resources, a `binding` can also specify a

5039

# `condition`, which is a logical expression that allows access to a resource

5040

# only if the expression evaluates to `true`. A condition can add constraints

5041

# based on attributes of the request, the resource, or both. To learn which

5042

# resources support conditions in their IAM policies, see the

5043

# [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies).

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

5044

#

5045

# **JSON example:**

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

5046

#

5047

# {

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

5048

# "bindings": [

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

5049

# {

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

5050

# "role": "roles/resourcemanager.organizationAdmin",

5051

# "members": [

5052

# "user:mike@example.com",

5053

# "group:admins@example.com",

5054

# "domain:google.com",

5055

# "serviceAccount:my-project-id@appspot.gserviceaccount.com"

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

5056

# ]

5057

# },

5058

# {

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

5059

# "role": "roles/resourcemanager.organizationViewer",

5060

# "members": [

5061

# "user:eve@example.com"

5062

# ],

5063

# "condition": {

5064

# "title": "expirable access",

5065

# "description": "Does not grant access after Sep 2020",

5066

# "expression": "request.time < timestamp('2020-10-01T00:00:00.000Z')",

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

5067

# }

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

5068

# }

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

5069

# ],

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

5070

# "etag": "BwWWja0YfJA=",

5071

# "version": 3

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

5072

# }

5073

#

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

5074

# **YAML example:**

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

#

# bindings:

# - members:

# - user:mike@example.com

5079

# - group:admins@example.com

5080

# - domain:google.com

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

5081

# - serviceAccount:my-project-id@appspot.gserviceaccount.com

5082

# role: roles/resourcemanager.organizationAdmin

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

5083

# - members:

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

5084

# - user:eve@example.com

5085

# role: roles/resourcemanager.organizationViewer

5086

# condition:

5087

# title: expirable access

5088

# description: Does not grant access after Sep 2020

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

5089

# expression: request.time < timestamp('2020-10-01T00:00:00.000Z')

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

5090

# - etag: BwWWja0YfJA=

5091

# - version: 3

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

5092

#

5093

# For a description of IAM and its features, see the

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

5094

# [IAM documentation](https://cloud.google.com/iam/docs/).

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

5095

"etag": "A String", # `etag` is used for optimistic concurrency control as a way to help

5096

# prevent simultaneous updates of a policy from overwriting each other.

5097

# It is strongly suggested that systems make use of the `etag` in the

5098

# read-modify-write cycle to perform policy updates in order to avoid race

5099

# conditions: An `etag` is returned in the response to `getIamPolicy`, and

5100

# systems are expected to put that etag in the request to `setIamPolicy` to

5101

# ensure that their change will be applied to the same version of the policy.

5102

#

5103

# **Important:** If you use IAM Conditions, you must include the `etag` field

5104

# whenever you call `setIamPolicy`. If you omit this field, then IAM allows

5105

# you to overwrite a version `3` policy with a version `1` policy, and all of

5106

# the conditions in the version `3` policy are lost.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

5107

"version": 42, # Specifies the format of the policy.

5108

#

5109

# Valid values are `0`, `1`, and `3`. Requests that specify an invalid value

5110

# are rejected.

5111

#

5112

# Any operation that affects conditional role bindings must specify version

5113

# `3`. This requirement applies to the following operations:

5114

#

5115

# * Getting a policy that includes a conditional role binding

5116

# * Adding a conditional role binding to a policy

5117

# * Changing a conditional role binding in a policy

5118

# * Removing any role binding, with or without a condition, from a policy

5119

# that includes conditions

5120

#

5121

# **Important:** If you use IAM Conditions, you must include the `etag` field

5122

# whenever you call `setIamPolicy`. If you omit this field, then IAM allows

5123

# you to overwrite a version `3` policy with a version `1` policy, and all of

5124

# the conditions in the version `3` policy are lost.

5125

#

5126

# If a policy does not include any conditions, operations on that policy may

5127

# specify any valid version or leave the field unset.

5128

#

5129

# To learn which resources support conditions in their IAM policies, see the

5130

# [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies).

5131

"bindings": [ # Associates a list of `members` to a `role`. Optionally, may specify a

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

5132

# `condition` that determines how and when the `bindings` are applied. Each

5133

# of the `bindings` must contain at least one member.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

5134

{ # Associates `members` with a `role`.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

5135

"condition": { # Represents a textual expression in the Common Expression Language (CEL) # The condition that is associated with this binding.

5136

#

5137

# If the condition evaluates to `true`, then this binding applies to the

5138

# current request.

5139

#

5140

# If the condition evaluates to `false`, then this binding does not apply to

5141

# the current request. However, a different role binding might grant the same

5142

# role to one or more of the members in this binding.

5143

#

5144

# To learn which resources support conditions in their IAM policies, see the

5145

# [IAM

5146

# documentation](https://cloud.google.com/iam/help/conditions/resource-policies).

5147

# syntax. CEL is a C-like expression language. The syntax and semantics of CEL

5148

# are documented at https://github.com/google/cel-spec.

5149

#

5150

# Example (Comparison):

5151

#

5152

# title: "Summary size limit"

5153

# description: "Determines if a summary is less than 100 chars"

5154

# expression: "document.summary.size() < 100"

5155

#

5156

# Example (Equality):

5157

#

5158

# title: "Requestor is owner"

5159

# description: "Determines if requestor is the document owner"

5160

# expression: "document.owner == request.auth.claims.email"

#

# Example (Logic):

#

# title: "Public documents"

5165

# description: "Determine whether the document should be publicly visible"

5166

# expression: "document.type != 'private' && document.type != 'internal'"

5167

#

5168

# Example (Data Manipulation):

5169

#

5170

# title: "Notification string"

5171

# description: "Create a notification string with a timestamp."

5172

# expression: "'New message received at ' + string(document.create_time)"

5173

#

5174

# The exact variables and functions that may be referenced within an expression

5175

# are determined by the service that evaluates it. See the service

5176

# documentation for additional information.

5177

"description": "A String", # Optional. Description of the expression. This is a longer text which

5178

# describes the expression, e.g. when hovered over it in a UI.

5179

"expression": "A String", # Textual representation of an expression in Common Expression Language

5180

# syntax.

5181

"title": "A String", # Optional. Title for the expression, i.e. a short string describing

5182

# its purpose. This can be used e.g. in UIs which allow to enter the

5183

# expression.

5184

"location": "A String", # Optional. String indicating the location of the expression for error

5185

# reporting, e.g. a file name and a position in the file.

5186

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

5187

"members": [ # Specifies the identities requesting access for a Cloud Platform resource.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

5188

# `members` can have the following values:

5189

#

5190

# * `allUsers`: A special identifier that represents anyone who is

5191

# on the internet; with or without a Google account.

5192

#

5193

# * `allAuthenticatedUsers`: A special identifier that represents anyone

5194

# who is authenticated with a Google account or a service account.

5195

#

5196

# * `user:{emailid}`: An email address that represents a specific Google

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

5197

# account. For example, `alice@example.com` .

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

5198

#

5199

#

5200

# * `serviceAccount:{emailid}`: An email address that represents a service

5201

# account. For example, `my-other-app@appspot.gserviceaccount.com`.

5202

#

5203

# * `group:{emailid}`: An email address that represents a Google group.

5204

# For example, `admins@example.com`.

5205

#

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

5206

# * `deleted:user:{emailid}?uid={uniqueid}`: An email address (plus unique

5207

# identifier) representing a user that has been recently deleted. For

5208

# example, `alice@example.com?uid=123456789012345678901`. If the user is

5209

# recovered, this value reverts to `user:{emailid}` and the recovered user

5210

# retains the role in the binding.

5211

#

5212

# * `deleted:serviceAccount:{emailid}?uid={uniqueid}`: An email address (plus

5213

# unique identifier) representing a service account that has been recently

5214

# deleted. For example,

5215

# `my-other-app@appspot.gserviceaccount.com?uid=123456789012345678901`.

5216

# If the service account is undeleted, this value reverts to

5217

# `serviceAccount:{emailid}` and the undeleted service account retains the

5218

# role in the binding.

5219

#

5220

# * `deleted:group:{emailid}?uid={uniqueid}`: An email address (plus unique

5221

# identifier) representing a Google group that has been recently

5222

# deleted. For example, `admins@example.com?uid=123456789012345678901`. If

5223

# the group is recovered, this value reverts to `group:{emailid}` and the

5224

# recovered group retains the role in the binding.

5225

#

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

5226

#

5227

# * `domain:{domain}`: The G Suite domain (primary) that represents all the

5228

# users of that domain. For example, `google.com` or `example.com`.

5229

#

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

5230

"A String",

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

5231

],

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

5232

"role": "A String", # Role that is assigned to `members`.

5233

# For example, `roles/viewer`, `roles/editor`, or `roles/owner`.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

5234

},

5235

],

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

5236

},

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

5237

}

5238

5239

x__xgafv: string, V1 error format.

Allowed values

1 - v1 error format

2 - v2 error format

Returns:

An object of the form:

5246

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

5247

{ # An Identity and Access Management (IAM) policy, which specifies access

5248

# controls for Google Cloud resources.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

5249

#

5250

#

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

5251

# A `Policy` is a collection of `bindings`. A `binding` binds one or more

5252

# `members` to a single `role`. Members can be user accounts, service accounts,

5253

# Google groups, and domains (such as G Suite). A `role` is a named list of

5254

# permissions; each `role` can be an IAM predefined role or a user-created

5255

# custom role.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

5256

#

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

5257

# For some types of Google Cloud resources, a `binding` can also specify a

5258

# `condition`, which is a logical expression that allows access to a resource

5259

# only if the expression evaluates to `true`. A condition can add constraints

5260

# based on attributes of the request, the resource, or both. To learn which

5261

# resources support conditions in their IAM policies, see the

5262

# [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies).

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

5263

#

5264

# **JSON example:**

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

5265

#

5266

# {

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

5267

# "bindings": [

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

5268

# {

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

5269

# "role": "roles/resourcemanager.organizationAdmin",

5270

# "members": [

5271

# "user:mike@example.com",

5272

# "group:admins@example.com",

5273

# "domain:google.com",

5274

# "serviceAccount:my-project-id@appspot.gserviceaccount.com"

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

5275

# ]

5276

# },

5277

# {

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

5278

# "role": "roles/resourcemanager.organizationViewer",

5279

# "members": [

5280

# "user:eve@example.com"

5281

# ],

5282

# "condition": {

5283

# "title": "expirable access",

5284

# "description": "Does not grant access after Sep 2020",

5285

# "expression": "request.time < timestamp('2020-10-01T00:00:00.000Z')",

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

5286

# }

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

5287

# }

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

5288

# ],

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

5289

# "etag": "BwWWja0YfJA=",

5290

# "version": 3

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

5291

# }

5292

#

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

5293

# **YAML example:**

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

#

# bindings:

# - members:

# - user:mike@example.com

5298

# - group:admins@example.com

5299

# - domain:google.com

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

5300

# - serviceAccount:my-project-id@appspot.gserviceaccount.com

5301

# role: roles/resourcemanager.organizationAdmin

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

5302

# - members:

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

5303

# - user:eve@example.com

5304

# role: roles/resourcemanager.organizationViewer

5305

# condition:

5306

# title: expirable access

5307

# description: Does not grant access after Sep 2020

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

5308

# expression: request.time < timestamp('2020-10-01T00:00:00.000Z')

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

5309

# - etag: BwWWja0YfJA=

5310

# - version: 3

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

5311

#

5312

# For a description of IAM and its features, see the

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

5313

# [IAM documentation](https://cloud.google.com/iam/docs/).

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

5314

"etag": "A String", # `etag` is used for optimistic concurrency control as a way to help

5315

# prevent simultaneous updates of a policy from overwriting each other.

5316

# It is strongly suggested that systems make use of the `etag` in the

5317

# read-modify-write cycle to perform policy updates in order to avoid race

5318

# conditions: An `etag` is returned in the response to `getIamPolicy`, and

5319

# systems are expected to put that etag in the request to `setIamPolicy` to

5320

# ensure that their change will be applied to the same version of the policy.

5321

#

5322

# **Important:** If you use IAM Conditions, you must include the `etag` field

5323

# whenever you call `setIamPolicy`. If you omit this field, then IAM allows

5324

# you to overwrite a version `3` policy with a version `1` policy, and all of

5325

# the conditions in the version `3` policy are lost.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

5326

"version": 42, # Specifies the format of the policy.

5327

#

5328

# Valid values are `0`, `1`, and `3`. Requests that specify an invalid value

5329

# are rejected.

5330

#

5331

# Any operation that affects conditional role bindings must specify version

5332

# `3`. This requirement applies to the following operations:

5333

#

5334

# * Getting a policy that includes a conditional role binding

5335

# * Adding a conditional role binding to a policy

5336

# * Changing a conditional role binding in a policy

5337

# * Removing any role binding, with or without a condition, from a policy

5338

# that includes conditions

5339

#

5340

# **Important:** If you use IAM Conditions, you must include the `etag` field

5341

# whenever you call `setIamPolicy`. If you omit this field, then IAM allows

5342

# you to overwrite a version `3` policy with a version `1` policy, and all of

5343

# the conditions in the version `3` policy are lost.

5344

#

5345

# If a policy does not include any conditions, operations on that policy may

5346

# specify any valid version or leave the field unset.

5347

#

5348

# To learn which resources support conditions in their IAM policies, see the

5349

# [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies).

5350

"bindings": [ # Associates a list of `members` to a `role`. Optionally, may specify a

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

5351

# `condition` that determines how and when the `bindings` are applied. Each

5352

# of the `bindings` must contain at least one member.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

5353

{ # Associates `members` with a `role`.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

5354

"condition": { # Represents a textual expression in the Common Expression Language (CEL) # The condition that is associated with this binding.

5355

#

5356

# If the condition evaluates to `true`, then this binding applies to the

5357

# current request.

5358

#

5359

# If the condition evaluates to `false`, then this binding does not apply to

5360

# the current request. However, a different role binding might grant the same

5361

# role to one or more of the members in this binding.

5362

#

5363

# To learn which resources support conditions in their IAM policies, see the

5364

# [IAM

5365

# documentation](https://cloud.google.com/iam/help/conditions/resource-policies).

5366

# syntax. CEL is a C-like expression language. The syntax and semantics of CEL

5367

# are documented at https://github.com/google/cel-spec.

5368

#

5369

# Example (Comparison):

5370

#

5371

# title: "Summary size limit"

5372

# description: "Determines if a summary is less than 100 chars"

5373

# expression: "document.summary.size() < 100"

5374

#

5375

# Example (Equality):

5376

#

5377

# title: "Requestor is owner"

5378

# description: "Determines if requestor is the document owner"

5379

# expression: "document.owner == request.auth.claims.email"

#

# Example (Logic):

#

# title: "Public documents"

5384

# description: "Determine whether the document should be publicly visible"

5385

# expression: "document.type != 'private' && document.type != 'internal'"

5386

#

5387

# Example (Data Manipulation):

5388

#

5389

# title: "Notification string"

5390

# description: "Create a notification string with a timestamp."

5391

# expression: "'New message received at ' + string(document.create_time)"

5392

#

5393

# The exact variables and functions that may be referenced within an expression

5394

# are determined by the service that evaluates it. See the service

5395

# documentation for additional information.

5396

"description": "A String", # Optional. Description of the expression. This is a longer text which

5397

# describes the expression, e.g. when hovered over it in a UI.

5398

"expression": "A String", # Textual representation of an expression in Common Expression Language

5399

# syntax.

5400

"title": "A String", # Optional. Title for the expression, i.e. a short string describing

5401

# its purpose. This can be used e.g. in UIs which allow to enter the

5402

# expression.

5403

"location": "A String", # Optional. String indicating the location of the expression for error

5404

# reporting, e.g. a file name and a position in the file.

5405

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

5406

"members": [ # Specifies the identities requesting access for a Cloud Platform resource.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

5407

# `members` can have the following values:

5408

#

5409

# * `allUsers`: A special identifier that represents anyone who is

5410

# on the internet; with or without a Google account.

5411

#

5412

# * `allAuthenticatedUsers`: A special identifier that represents anyone

5413

# who is authenticated with a Google account or a service account.

5414

#

5415

# * `user:{emailid}`: An email address that represents a specific Google

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

5416

# account. For example, `alice@example.com` .

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

5417

#

5418

#

5419

# * `serviceAccount:{emailid}`: An email address that represents a service

5420

# account. For example, `my-other-app@appspot.gserviceaccount.com`.

5421

#

5422

# * `group:{emailid}`: An email address that represents a Google group.

5423

# For example, `admins@example.com`.

5424

#

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

5425

# * `deleted:user:{emailid}?uid={uniqueid}`: An email address (plus unique

5426

# identifier) representing a user that has been recently deleted. For

5427

# example, `alice@example.com?uid=123456789012345678901`. If the user is

5428

# recovered, this value reverts to `user:{emailid}` and the recovered user

5429

# retains the role in the binding.

5430

#

5431

# * `deleted:serviceAccount:{emailid}?uid={uniqueid}`: An email address (plus

5432

# unique identifier) representing a service account that has been recently

5433

# deleted. For example,

5434

# `my-other-app@appspot.gserviceaccount.com?uid=123456789012345678901`.

5435

# If the service account is undeleted, this value reverts to

5436

# `serviceAccount:{emailid}` and the undeleted service account retains the

5437

# role in the binding.

5438

#

5439

# * `deleted:group:{emailid}?uid={uniqueid}`: An email address (plus unique

5440

# identifier) representing a Google group that has been recently

5441

# deleted. For example, `admins@example.com?uid=123456789012345678901`. If

5442

# the group is recovered, this value reverts to `group:{emailid}` and the

5443

# recovered group retains the role in the binding.

5444

#

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

5445

#

5446

# * `domain:{domain}`: The G Suite domain (primary) that represents all the

5447

# users of that domain. For example, `google.com` or `example.com`.

5448

#

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

5449

"A String",

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

5450

],

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

5451

"role": "A String", # Role that is assigned to `members`.

5452

# For example, `roles/viewer`, `roles/editor`, or `roles/owner`.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

5453

},

5454

],

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

}</pre>

</div>

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

5459

<code class="details" id="testIamPermissions">testIamPermissions(resource, body=None, x__xgafv=None)</code>

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

5460

<pre>Returns the permissions that a caller has on the specified note or

5461

occurrence. Requires list permission on the project (for example,

5462

`containeranalysis.notes.list`).

5463

5464

The resource takes the format `projects/[PROJECT_ID]/notes/[NOTE_ID]` for

5465

notes and `projects/[PROJECT_ID]/occurrences/[OCCURRENCE_ID]` for

occurrences.

Args:

resource: string, REQUIRED: The resource for which the policy detail is being requested.

5470

See the operation documentation for the appropriate value for this field. (required)

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

5471

body: object, The request body.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

5472

The object takes the form of:

5473

5474

{ # Request message for `TestIamPermissions` method.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

5475

"permissions": [ # The set of permissions to check for the `resource`. Permissions with

5476

# wildcards (such as '*' or 'storage.*') are not allowed. For more

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

5477

# information see

5478

# [IAM Overview](https://cloud.google.com/iam/docs/overview#permissions).

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

5479

"A String",

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

],

}

x__xgafv: string, V1 error format.

Allowed values

1 - v1 error format

2 - v2 error format

Returns:

An object of the form:

5490

5491

{ # Response message for `TestIamPermissions` method.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

5492

"permissions": [ # A subset of `TestPermissionsRequest.permissions` that the caller is

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

5493

# allowed.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

5494

"A String",

Bu Sun Kim