Blame - docs/dyn/containeranalysis_v1beta1.projects.occurrences.html - platform/external/python/google-api-python-client

2020-05-01 07:42:23 -0700

[diff] [blame]

78

<code><a href="#batchCreate">batchCreate(parent, body=None, x__xgafv=None)</a></code></p>

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

79

<p class="firstline">Creates new occurrences in batch.</p>

80

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

81

<code><a href="#create">create(parent, body=None, x__xgafv=None)</a></code></p>

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

82

<p class="firstline">Creates a new occurrence.</p>

83

84

<code><a href="#delete">delete(name, x__xgafv=None)</a></code></p>

85

<p class="firstline">Deletes the specified occurrence. For example, use this method to delete an</p>

86

87

<code><a href="#get">get(name, x__xgafv=None)</a></code></p>

88

<p class="firstline">Gets the specified occurrence.</p>

89

90

<code><a href="#getIamPolicy">getIamPolicy(resource, body=None, x__xgafv=None)</a></code></p>

91

<p class="firstline">Gets the access control policy for a note or an occurrence resource.</p>

92

93

<code><a href="#getNotes">getNotes(name, x__xgafv=None)</a></code></p>

94

<p class="firstline">Gets the note attached to the specified occurrence. Consumer projects can</p>

95

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

96

<code><a href="#getVulnerabilitySummary">getVulnerabilitySummary(parent, filter=None, x__xgafv=None)</a></code></p>

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

97

<p class="firstline">Gets a summary of the number and severity of occurrences.</p>

98

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

99

<code><a href="#list">list(parent, filter=None, pageToken=None, pageSize=None, x__xgafv=None)</a></code></p>

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

100

<p class="firstline">Lists occurrences for the specified project.</p>

101

102

<code><a href="#list_next">list_next(previous_request, previous_response)</a></code></p>

103

<p class="firstline">Retrieves the next page of results.</p>

104

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

105

<code><a href="#patch">patch(name, body=None, updateMask=None, x__xgafv=None)</a></code></p>

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

106

<p class="firstline">Updates the specified occurrence.</p>

107

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

108

<code><a href="#setIamPolicy">setIamPolicy(resource, body=None, x__xgafv=None)</a></code></p>

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

109

<p class="firstline">Sets the access control policy on the specified note or occurrence.</p>

110

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

111

<code><a href="#testIamPermissions">testIamPermissions(resource, body=None, x__xgafv=None)</a></code></p>

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

112

<p class="firstline">Returns the permissions that a caller has on the specified note or</p>

113

<h3>Method Details</h3>

114

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

115

<code class="details" id="batchCreate">batchCreate(parent, body=None, x__xgafv=None)</code>

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

116

<pre>Creates new occurrences in batch.

117

118

Args:

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

119

parent: string, Required. The name of the project in the form of `projects/[PROJECT_ID]`, under which

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

120

the occurrences are to be created. (required)

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

121

body: object, The request body.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

122

The object takes the form of:

123

124

{ # Request to create occurrences in batch.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

125

"occurrences": [ # Required. The occurrences to create. Max allowed length is 1000.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

126

{ # An instance of an analysis type that has been found on a resource.

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame^]

127

"createTime": "A String", # Output only. The time this occurrence was created.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

128

"name": "A String", # Output only. The name of the occurrence in the form of

129

# `projects/[PROJECT_ID]/occurrences/[OCCURRENCE_ID]`.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

130

"intoto": { # This corresponds to a signed in-toto link - it is made up of one or more # Describes a specific in-toto link.

131

# signatures and the in-toto link itself. This is used for occurrences of a

132

# Grafeas in-toto note.

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame^]

133

"signatures": [

134

{ # A signature object consists of the KeyID used and the signature itself.

135

"sig": "A String",

136

"keyid": "A String",

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

137

},

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame^]

138

],

139

"signed": { # This corresponds to an in-toto link.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

140

"environment": { # Defines an object for the environment field in in-toto links. The suggested # This is a field that can be used to capture information about the

141

# environment. It is suggested for this field to contain information that

142

# details environment variables, filesystem information, and the present

143

# working directory. The recommended structure of this field is:

144

# "environment": {

145

# "custom_values": {

146

# "variables": "<ENV>",

147

# "filesystem": "<FS>",

148

# "workdir": "<CWD>",

149

# "<ANY OTHER RELEVANT FIELDS>": "..."

150

# }

151

# }

152

# fields are "variables", "filesystem", and "workdir".

"customValues": {

"a_key": "A String",

},

},

"materials": [ # Materials are the supply chain artifacts that go into the step and are used

158

# for the operation performed. The key of the map is the path of the artifact

159

# and the structure contains the recorded hash information. An example is:

160

# "materials": [

161

# {

162

# "resource_uri": "foo/bar",

163

# "hashes": {

164

# "sha256": "ebebf...",

165

# <OTHER HASH ALGORITHMS>: <HASH VALUE>

# }

# }

# ]

{

"hashes": { # Defines a hash object for use in Materials and Products.

171

"sha256": "A String",

172

},

173

"resourceUri": "A String",

174

},

175

],

176

"products": [ # Products are the supply chain artifacts generated as a result of the step.

177

# The structure is identical to that of materials.

178

{

179

"hashes": { # Defines a hash object for use in Materials and Products.

180

"sha256": "A String",

181

},

182

"resourceUri": "A String",

183

},

184

],

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame^]

185

"byproducts": { # Defines an object for the byproducts field in in-toto links. The suggested # ByProducts are data generated as part of a software supply chain step, but

186

# are not the actual result of the step.

187

# fields are "stderr", "stdout", and "return-value".

"customValues": {

"a_key": "A String",

},

},

"command": [ # This field contains the full command executed for the step. This can also

193

# be empty if links are generated for operations that aren't directly mapped

194

# to a specific command. Each term in the command is an independent string

195

# in the list. An example of a command in the in-toto metadata field is:

196

# "command": ["git", "clone", "https://github.com/in-toto/demo-project.git"]

197

"A String",

198

],

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

199

},

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame^]

200

},

201

"resource": { # An entity that can have metadata. For example, a Docker image. # Required. Immutable. The resource for which the occurrence applies.

202

"contentHash": { # Container message for hash values. # Deprecated, do not use. Use uri instead.

203

#

204

# The hash of the resource content. For example, the Docker digest.

205

"type": "A String", # Required. The type of hash that was performed.

206

"value": "A String", # Required. The hash value.

207

},

208

"uri": "A String", # Required. The unique URI of the resource. For example,

209

# `https://gcr.io/project/image@sha256:foo` for a Docker image.

210

"name": "A String", # Deprecated, do not use. Use uri instead.

211

#

212

# The name of the resource. For example, the name of a Docker image -

213

# "Debian".

214

},

215

"attestation": { # Details of an attestation occurrence. # Describes an attestation of an artifact.

216

"attestation": { # Occurrence that represents a single "attestation". The authenticity of an # Required. Attestation for the resource.

217

# attestation can be verified using the attached signature. If the verifier

218

# trusts the public key of the signer, then verifying the signature is

219

# sufficient to establish trust. In this circumstance, the authority to which

220

# this attestation is attached is primarily useful for look-up (how to find

221

# this attestation if you already know the authority and artifact to be

222

# verified) and intent (which authority was this attestation intended to sign

223

# for).

224

"genericSignedAttestation": { # An attestation wrapper that uses the Grafeas `Signature` message.

225

# This attestation must define the `serialized_payload` that the `signatures`

226

# verify and any metadata necessary to interpret that plaintext. The

227

# signatures should always be over the `serialized_payload` bytestring.

228

"contentType": "A String", # Type (for example schema) of the attestation payload that was signed.

229

# The verifier must ensure that the provided type is one that the verifier

230

# supports, and that the attestation payload is a valid instantiation of that

231

# type (for example by validating a JSON schema).

232

"signatures": [ # One or more signatures over `serialized_payload`. Verifier implementations

233

# should consider this attestation message verified if at least one

234

# `signature` verifies `serialized_payload`. See `Signature` in common.proto

235

# for more details on signature structure and verification.

236

{ # Verifiers (e.g. Kritis implementations) MUST verify signatures

237

# with respect to the trust anchors defined in policy (e.g. a Kritis policy).

238

# Typically this means that the verifier has been configured with a map from

239

# `public_key_id` to public key material (and any required parameters, e.g.

240

# signing algorithm).

241

#

242

# In particular, verification implementations MUST NOT treat the signature

243

# `public_key_id` as anything more than a key lookup hint. The `public_key_id`

244

# DOES NOT validate or authenticate a public key; it only provides a mechanism

245

# for quickly selecting a public key ALREADY CONFIGURED on the verifier through

246

# a trusted channel. Verification implementations MUST reject signatures in any

247

# of the following circumstances:

248

# * The `public_key_id` is not recognized by the verifier.

249

# * The public key that `public_key_id` refers to does not verify the

250

# signature with respect to the payload.

251

#

252

# The `signature` contents SHOULD NOT be "attached" (where the payload is

253

# included with the serialized `signature` bytes). Verifiers MUST ignore any

254

# "attached" payload and only verify signatures with respect to explicitly

255

# provided payload (e.g. a `payload` field on the proto message that holds

256

# this Signature, or the canonical serialization of the proto message that

257

# holds this signature).

258

"publicKeyId": "A String", # The identifier for the public key that verifies this signature.

259

# * The `public_key_id` is required.

260

# * The `public_key_id` SHOULD be an RFC3986 conformant URI.

261

# * When possible, the `public_key_id` SHOULD be an immutable reference,

262

# such as a cryptographic digest.

263

#

264

# Examples of valid `public_key_id`s:

265

#

266

# OpenPGP V4 public key fingerprint:

267

# * "openpgp4fpr:74FAF3B861BDA0870C7B6DEF607E48D2A663AEEA"

268

# See https://www.iana.org/assignments/uri-schemes/prov/openpgp4fpr for more

269

# details on this scheme.

270

#

271

# RFC6920 digest-named SubjectPublicKeyInfo (digest of the DER

272

# serialization):

273

# * "ni:///sha-256;cD9o9Cq6LG3jD0iKXqEi_vdjJGecm_iXkbqVoScViaU"

274

# * "nih:///sha-256;703f68f42aba2c6de30f488a5ea122fef76324679c9bf89791ba95a1271589a5"

275

"signature": "A String", # The content of the signature, an opaque bytestring.

276

# The payload that this signature verifies MUST be unambiguously provided

277

# with the Signature during verification. A wrapper message might provide

278

# the payload explicitly. Alternatively, a message might have a canonical

279

# serialization that can always be unambiguously computed to derive the

# payload.

},

],

"serializedPayload": "A String", # The serialized payload that is verified by one or more `signatures`.

284

# The encoding and semantic meaning of this payload must match what is set in

285

# `content_type`.

286

},

287

"pgpSignedAttestation": { # An attestation wrapper with a PGP-compatible signature. This message only # A PGP signed attestation.

288

# supports `ATTACHED` signatures, where the payload that is signed is included

289

# alongside the signature itself in the same file.

290

"signature": "A String", # Required. The raw content of the signature, as output by GNU Privacy Guard

291

# (GPG) or equivalent. Since this message only supports attached signatures,

292

# the payload that was signed must be attached. While the signature format

293

# supported is dependent on the verification implementation, currently only

294

# ASCII-armored (`--armor` to gpg), non-clearsigned (`--sign` rather than

295

# `--clearsign` to gpg) are supported. Concretely, `gpg --sign --armor

296

# --output=signature.gpg payload.json` will create the signature content

297

# expected in this field in `signature.gpg` for the `payload.json`

298

# attestation payload.

299

"contentType": "A String", # Type (for example schema) of the attestation payload that was signed.

300

# The verifier must ensure that the provided type is one that the verifier

301

# supports, and that the attestation payload is a valid instantiation of that

302

# type (for example by validating a JSON schema).

303

"pgpKeyId": "A String", # The cryptographic fingerprint of the key used to generate the signature,

304

# as output by, e.g. `gpg --list-keys`. This should be the version 4, full

305

# 160-bit fingerprint, expressed as a 40 character hexidecimal string. See

306

# https://tools.ietf.org/html/rfc4880#section-12.2 for details.

307

# Implementations may choose to acknowledge "LONG", "SHORT", or other

308

# abbreviated key IDs, but only the full fingerprint is guaranteed to work.

309

# In gpg, the full fingerprint can be retrieved from the `fpr` field

310

# returned when calling --list-keys with --with-colons. For example:

311

# ```

312

# gpg --with-colons --with-fingerprint --force-v4-certs \

313

# --list-keys attester@example.com

314

# tru::1:1513631572:0:3:1:5

315

# pub:...<SNIP>...

316

# fpr:::::::::24FF6481B76AC91E66A00AC657A93A81EF3AE6FB:

317

# ```

318

# Above, the fingerprint is `24FF6481B76AC91E66A00AC657A93A81EF3AE6FB`.

},

},

},

"deployment": { # Details of a deployment occurrence. # Describes the deployment of an artifact on a runtime.

323

"deployment": { # The period during which some deployable was active in a runtime. # Required. Deployment history for the resource.

324

"undeployTime": "A String", # End of the lifetime of this deployment.

325

"userEmail": "A String", # Identity of the user that triggered this deployment.

326

"resourceUri": [ # Output only. Resource URI for the artifact being deployed taken from

327

# the deployable field with the same name.

328

"A String",

329

],

330

"platform": "A String", # Platform hosting this deployment.

331

"config": "A String", # Configuration used to create this deployment.

332

"deployTime": "A String", # Required. Beginning of the lifetime of this deployment.

333

"address": "A String", # Address of the runtime element hosting this deployment.

334

},

335

},

336

"noteName": "A String", # Required. Immutable. The analysis note associated with this occurrence, in

337

# the form of `projects/[PROVIDER_ID]/notes/[NOTE_ID]`. This field can be

338

# used as a filter in list requests.

339

"installation": { # Details of a package occurrence. # Describes the installation of a package on the linked resource.

340

"installation": { # This represents how a particular software package may be installed on a # Required. Where the package was installed.

341

# system.

342

"name": "A String", # Output only. The name of the installed package.

343

"location": [ # Required. All of the places within the filesystem versions of this package

344

# have been found.

345

{ # An occurrence of a particular package installation found within a system's

346

# filesystem. E.g., glibc was found in `/var/lib/dpkg/status`.

347

"path": "A String", # The path from which we gathered that this package/version is installed.

348

"cpeUri": "A String", # Required. The CPE URI in [CPE format](https://cpe.mitre.org/specification/)

349

# denoting the package manager version distributing a package.

350

"version": { # Version contains structured information about the version of a package. # The version installed at this location.

351

"kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal

352

# versions.

353

"revision": "A String", # The iteration of the package build from the above version.

354

"epoch": 42, # Used to correct mistakes in the version numbering scheme.

355

"name": "A String", # Required only when version kind is NORMAL. The main part of the version

# name.

},

},

],

},

},

"vulnerability": { # Details of a vulnerability Occurrence. # Describes a security vulnerability.

363

"shortDescription": "A String", # Output only. A one sentence description of this vulnerability.

364

"relatedUrls": [ # Output only. URLs related to this vulnerability.

365

{ # Metadata for any related URL information.

366

"url": "A String", # Specific URL associated with the resource.

367

"label": "A String", # Label to describe usage of the URL.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

368

},

369

],

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame^]

370

"effectiveSeverity": "A String", # The distro assigned severity for this vulnerability when it is

371

# available, and note provider assigned severity when distro has not yet

372

# assigned a severity for this vulnerability.

373

"severity": "A String", # Output only. The note provider assigned Severity of the vulnerability.

374

"type": "A String", # The type of package; whether native or non native(ruby gems, node.js

375

# packages etc)

376

"longDescription": "A String", # Output only. A detailed description of this vulnerability.

377

"cvssScore": 3.14, # Output only. The CVSS score of this vulnerability. CVSS score is on a

378

# scale of 0-10 where 0 indicates low severity and 10 indicates high

379

# severity.

380

"packageIssue": [ # Required. The set of affected locations and their fixes (if available)

381

# within the associated resource.

382

{ # This message wraps a location affected by a vulnerability and its

383

# associated fix (if one is available).

384

"fixedLocation": { # The location of the vulnerability. # The location of the available fix for vulnerability.

385

"package": "A String", # Required. The package being described.

386

"cpeUri": "A String", # Required. The CPE URI in [cpe format](https://cpe.mitre.org/specification/)

387

# format. Examples include distro or storage location for vulnerable jar.

388

"version": { # Version contains structured information about the version of a package. # Required. The version of the package being described.

389

"kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal

390

# versions.

391

"revision": "A String", # The iteration of the package build from the above version.

392

"epoch": 42, # Used to correct mistakes in the version numbering scheme.

393

"name": "A String", # Required only when version kind is NORMAL. The main part of the version

# name.

},

},

"severityName": "A String", # Deprecated, use Details.effective_severity instead

398

# The severity (e.g., distro assigned severity) for this vulnerability.

399

"affectedLocation": { # The location of the vulnerability. # Required. The location of the vulnerability.

400

"package": "A String", # Required. The package being described.

401

"cpeUri": "A String", # Required. The CPE URI in [cpe format](https://cpe.mitre.org/specification/)

402

# format. Examples include distro or storage location for vulnerable jar.

403

"version": { # Version contains structured information about the version of a package. # Required. The version of the package being described.

404

"kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal

405

# versions.

406

"revision": "A String", # The iteration of the package build from the above version.

407

"epoch": 42, # Used to correct mistakes in the version numbering scheme.

408

"name": "A String", # Required only when version kind is NORMAL. The main part of the version

# name.

},

},

},

],

},

"discovered": { # Details of a discovery occurrence. # Describes when a resource was discovered.

416

"discovered": { # Provides information about the analysis status of a discovered resource. # Required. Analysis status for the discovered resource.

417

"lastAnalysisTime": "A String", # The last time continuous analysis was done for this resource.

418

# Deprecated, do not use.

419

"analysisStatusError": { # The `Status` type defines a logical error model that is suitable for # When an error is encountered this will contain a LocalizedMessage under

420

# details to show to the user. The LocalizedMessage is output only and

421

# populated by the API.

422

# different programming environments, including REST APIs and RPC APIs. It is

423

# used by [gRPC](https://github.com/grpc). Each `Status` message contains

424

# three pieces of data: error code, error message, and error details.

425

#

426

# You can find out more about this error model and how to work with it in the

427

# [API Design Guide](https://cloud.google.com/apis/design/errors).

428

"message": "A String", # A developer-facing error message, which should be in English. Any

429

# user-facing error message should be localized and sent in the

430

# google.rpc.Status.details field, or localized by the client.

431

"code": 42, # The status code, which should be an enum value of google.rpc.Code.

432

"details": [ # A list of messages that carry the error details. There is a common set of

433

# message types for APIs to use.

434

{

435

"a_key": "", # Properties of the object. Contains field @type with type URL.

},

],

},

"continuousAnalysis": "A String", # Whether the resource is continuously analyzed.

440

"analysisStatus": "A String", # The status of discovery for the resource.

441

},

442

},

443

"updateTime": "A String", # Output only. The time this occurrence was last updated.

444

"build": { # Details of a build occurrence. # Describes a verifiable build.

445

"provenance": { # Provenance of a build. Contains all information needed to verify the full # Required. The actual provenance for the build.

446

# details about the build from source to completion.

447

"endTime": "A String", # Time at which execution of the build was finished.

448

"builderVersion": "A String", # Version string of the builder at the time this build was executed.

449

"startTime": "A String", # Time at which execution of the build was started.

450

"creator": "A String", # E-mail address of the user who initiated this build. Note that this was the

451

# user's e-mail address at the time the build was initiated; this address may

452

# not represent the same end-user for all time.

453

"logsUri": "A String", # URI where any logs for this provenance were written.

454

"builtArtifacts": [ # Output of the build.

455

{ # Artifact describes a build product.

456

"names": [ # Related artifact names. This may be the path to a binary or jar file, or in

457

# the case of a container build, the name used to push the container image to

458

# Google Container Registry, as presented to `docker push`. Note that a

459

# single Artifact ID can have multiple names, for example if two tags are

460

# applied to one image.

461

"A String",

462

],

463

"id": "A String", # Artifact ID, if any; for container images, this will be a URL by digest

464

# like `gcr.io/projectID/imagename@sha256:123456`.

465

"checksum": "A String", # Hash or checksum value of a binary, or Docker Registry 2.0 digest of a

# container.

},

],

"buildOptions": { # Special options applied to this build. This is a catch-all field where

470

# build providers can enter any desired additional details.

471

"a_key": "A String",

472

},

473

"id": "A String", # Required. Unique identifier of the build.

474

"projectId": "A String", # ID of the project.

475

"commands": [ # Commands requested by the build.

476

{ # Command describes a step performed as part of the build pipeline.

477

"waitFor": [ # The ID(s) of the command(s) that this command depends on.

478

"A String",

479

],

480

"id": "A String", # Optional unique identifier for this command, used in wait_for to reference

481

# this command as a dependency.

482

"dir": "A String", # Working directory (relative to project source root) used when running this

483

# command.

484

"args": [ # Command-line arguments used when executing this command.

485

"A String",

486

],

487

"name": "A String", # Required. Name of the command, as presented on the command line, or if the

488

# command is packaged as a Docker container, as presented to `docker pull`.

489

"env": [ # Environment variables set before running this command.

"A String",

],

},

],

"sourceProvenance": { # Source describes the location of the source used for the build. # Details of the Source input to the build.

495

"context": { # A SourceContext is a reference to a tree of files. A SourceContext together # If provided, the source code used for the build came from this location.

496

# with a path point to a unique revision of a single file or directory.

497

"labels": { # Labels with user defined metadata.

498

"a_key": "A String",

499

},

500

"gerrit": { # A SourceContext referring to a Gerrit project. # A SourceContext referring to a Gerrit project.

501

"hostUri": "A String", # The URI of a running Gerrit instance.

502

"revisionId": "A String", # A revision (commit) ID.

503

"gerritProject": "A String", # The full project name within the host. Projects may be nested, so

504

# "project/subproject" is a valid project name. The "repo name" is the

505

# hostURI/project.

506

"aliasContext": { # An alias to a repo revision. # An alias, which may be a branch or tag.

507

"kind": "A String", # The alias kind.

508

"name": "A String", # The alias name.

509

},

510

},

511

"git": { # A GitSourceContext denotes a particular revision in a third party Git # A SourceContext referring to any third party Git repo (e.g., GitHub).

512

# repository (e.g., GitHub).

513

"revisionId": "A String", # Git commit hash.

514

"url": "A String", # Git repository URL.

515

},

516

"cloudRepo": { # A CloudRepoSourceContext denotes a particular revision in a Google Cloud # A SourceContext referring to a revision in a Google Cloud Source Repo.

517

# Source Repo.

518

"revisionId": "A String", # A revision ID.

519

"repoId": { # A unique identifier for a Cloud Repo. # The ID of the repo.

520

"uid": "A String", # A server-assigned, globally unique identifier.

521

"projectRepoId": { # Selects a repo using a Google Cloud Platform project ID (e.g., # A combination of a project ID and a repo name.

522

# winged-cargo-31) and a repo name within that project.

523

"projectId": "A String", # The ID of the project.

524

"repoName": "A String", # The name of the repo. Leave empty for the default repo.

525

},

526

},

527

"aliasContext": { # An alias to a repo revision. # An alias, which may be a branch or tag.

528

"kind": "A String", # The alias kind.

529

"name": "A String", # The alias name.

},

},

},

"artifactStorageSourceUri": "A String", # If provided, the input binary artifacts for the build came from this

534

# location.

535

"fileHashes": { # Hash(es) of the build source, which can be used to verify that the original

536

# source integrity was maintained in the build.

537

#

538

# The keys to this map are file paths used as build source and the values

539

# contain the hash values for those files.

540

#

541

# If the build source came in a single package such as a gzipped tarfile

542

# (.tar.gz), the FileHash will be for the single path to that file.

543

"a_key": { # Container message for hashes of byte content of files, used in source

544

# messages to verify integrity of source input to the build.

545

"fileHash": [ # Required. Collection of file hashes.

546

{ # Container message for hash values.

547

"type": "A String", # Required. The type of hash that was performed.

548

"value": "A String", # Required. The hash value.

},

],

},

},

"additionalContexts": [ # If provided, some of the source code used for the build may be found in

554

# these locations, in the case where the source repository had multiple

555

# remotes or submodules. This list will not include the context specified in

556

# the context field.

557

{ # A SourceContext is a reference to a tree of files. A SourceContext together

558

# with a path point to a unique revision of a single file or directory.

559

"labels": { # Labels with user defined metadata.

560

"a_key": "A String",

561

},

562

"gerrit": { # A SourceContext referring to a Gerrit project. # A SourceContext referring to a Gerrit project.

563

"hostUri": "A String", # The URI of a running Gerrit instance.

564

"revisionId": "A String", # A revision (commit) ID.

565

"gerritProject": "A String", # The full project name within the host. Projects may be nested, so

566

# "project/subproject" is a valid project name. The "repo name" is the

567

# hostURI/project.

568

"aliasContext": { # An alias to a repo revision. # An alias, which may be a branch or tag.

569

"kind": "A String", # The alias kind.

570

"name": "A String", # The alias name.

571

},

572

},

573

"git": { # A GitSourceContext denotes a particular revision in a third party Git # A SourceContext referring to any third party Git repo (e.g., GitHub).

574

# repository (e.g., GitHub).

575

"revisionId": "A String", # Git commit hash.

576

"url": "A String", # Git repository URL.

577

},

578

"cloudRepo": { # A CloudRepoSourceContext denotes a particular revision in a Google Cloud # A SourceContext referring to a revision in a Google Cloud Source Repo.

579

# Source Repo.

580

"revisionId": "A String", # A revision ID.

581

"repoId": { # A unique identifier for a Cloud Repo. # The ID of the repo.

582

"uid": "A String", # A server-assigned, globally unique identifier.

583

"projectRepoId": { # Selects a repo using a Google Cloud Platform project ID (e.g., # A combination of a project ID and a repo name.

584

# winged-cargo-31) and a repo name within that project.

585

"projectId": "A String", # The ID of the project.

586

"repoName": "A String", # The name of the repo. Leave empty for the default repo.

587

},

588

},

589

"aliasContext": { # An alias to a repo revision. # An alias, which may be a branch or tag.

590

"kind": "A String", # The alias kind.

591

"name": "A String", # The alias name.

},

},

},

],

},

"triggerId": "A String", # Trigger identifier if the build was triggered automatically; empty if not.

598

"createTime": "A String", # Time at which the build was created.

599

},

600

"provenanceBytes": "A String", # Serialized JSON representation of the provenance, used in generating the

601

# build signature in the corresponding build note. After verifying the

602

# signature, `provenance_bytes` can be unmarshalled and compared to the

603

# provenance to confirm that it is unchanged. A base64-encoded string

604

# representation of the provenance bytes is used for the signature in order

605

# to interoperate with openssl which expects this format for signature

606

# verification.

607

#

608

# The serialized form is captured both to avoid ambiguity in how the

609

# provenance is marshalled to json as well to prevent incompatibilities with

610

# future changes.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

611

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

612

"derivedImage": { # Details of an image occurrence. # Describes how this resource derives from the basis in the associated

613

# note.

614

"derivedImage": { # Derived describes the derived image portion (Occurrence) of the DockerImage # Required. Immutable. The child image derived from the base image.

615

# relationship. This image would be produced from a Dockerfile with FROM

616

# <DockerImage.Basis in attached Note>.

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame^]

617

"baseResourceUrl": "A String", # Output only. This contains the base image URL for the derived image

618

# occurrence.

619

"distance": 42, # Output only. The number of layers by which this image differs from the

620

# associated image basis.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

621

"layerInfo": [ # This contains layer-specific metadata, if populated it has length

622

# "distance" and is ordered with [distance] being the layer immediately

623

# following the base image and [1] being the final layer.

624

{ # Layer holds metadata specific to a layer of a Docker image.

625

"directive": "A String", # Required. The recovered Dockerfile directive used to construct this layer.

626

"arguments": "A String", # The recovered arguments to the Dockerfile directive.

627

},

628

],

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame^]

629

"fingerprint": { # A set of properties that uniquely identify a given Docker image. # Required. The fingerprint of the derived image.

630

"v1Name": "A String", # Required. The layer ID of the final layer in the Docker image's v1

631

# representation.

632

"v2Blob": [ # Required. The ordered list of v2 blobs that represent a given image.

633

"A String",

634

],

635

"v2Name": "A String", # Output only. The name of the image's v2 blobs computed via:

636

# [bottom] := v2_blobbottom := sha256(v2_blob[N] + " " + v2_name[N+1])

637

# Only the name of the final blob is kept.

638

},

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

639

},

640

},

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame^]

641

"kind": "A String", # Output only. This explicitly denotes which of the occurrence details are

642

# specified. This field can be used as a filter in list requests.

643

"remediation": "A String", # A description of actions that can be taken to remedy the note.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

},

],

}

x__xgafv: string, V1 error format.

Allowed values

1 - v1 error format

2 - v2 error format

Returns:

An object of the form:

655

656

{ # Response for creating occurrences in batch.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

657

"occurrences": [ # The occurrences that were created.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

658

{ # An instance of an analysis type that has been found on a resource.

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame^]

659

"createTime": "A String", # Output only. The time this occurrence was created.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

660

"name": "A String", # Output only. The name of the occurrence in the form of

661

# `projects/[PROJECT_ID]/occurrences/[OCCURRENCE_ID]`.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

662

"intoto": { # This corresponds to a signed in-toto link - it is made up of one or more # Describes a specific in-toto link.

663

# signatures and the in-toto link itself. This is used for occurrences of a

664

# Grafeas in-toto note.

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame^]

665

"signatures": [

666

{ # A signature object consists of the KeyID used and the signature itself.

667

"sig": "A String",

668

"keyid": "A String",

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

669

},

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame^]

670

],

671

"signed": { # This corresponds to an in-toto link.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

672

"environment": { # Defines an object for the environment field in in-toto links. The suggested # This is a field that can be used to capture information about the

673

# environment. It is suggested for this field to contain information that

674

# details environment variables, filesystem information, and the present

675

# working directory. The recommended structure of this field is:

676

# "environment": {

677

# "custom_values": {

678

# "variables": "<ENV>",

679

# "filesystem": "<FS>",

680

# "workdir": "<CWD>",

681

# "<ANY OTHER RELEVANT FIELDS>": "..."

682

# }

683

# }

684

# fields are "variables", "filesystem", and "workdir".

"customValues": {

"a_key": "A String",

},

},

"materials": [ # Materials are the supply chain artifacts that go into the step and are used

690

# for the operation performed. The key of the map is the path of the artifact

691

# and the structure contains the recorded hash information. An example is:

692

# "materials": [

693

# {

694

# "resource_uri": "foo/bar",

695

# "hashes": {

696

# "sha256": "ebebf...",

697

# <OTHER HASH ALGORITHMS>: <HASH VALUE>

# }

# }

# ]

{

"hashes": { # Defines a hash object for use in Materials and Products.

703

"sha256": "A String",

704

},

705

"resourceUri": "A String",

706

},

707

],

708

"products": [ # Products are the supply chain artifacts generated as a result of the step.

709

# The structure is identical to that of materials.

710

{

711

"hashes": { # Defines a hash object for use in Materials and Products.

712

"sha256": "A String",

713

},

714

"resourceUri": "A String",

715

},

716

],

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame^]

717

"byproducts": { # Defines an object for the byproducts field in in-toto links. The suggested # ByProducts are data generated as part of a software supply chain step, but

718

# are not the actual result of the step.

719

# fields are "stderr", "stdout", and "return-value".

"customValues": {

"a_key": "A String",

},

},

"command": [ # This field contains the full command executed for the step. This can also

725

# be empty if links are generated for operations that aren't directly mapped

726

# to a specific command. Each term in the command is an independent string

727

# in the list. An example of a command in the in-toto metadata field is:

728

# "command": ["git", "clone", "https://github.com/in-toto/demo-project.git"]

729

"A String",

730

],

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

731

},

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame^]

732

},

733

"resource": { # An entity that can have metadata. For example, a Docker image. # Required. Immutable. The resource for which the occurrence applies.

734

"contentHash": { # Container message for hash values. # Deprecated, do not use. Use uri instead.

735

#

736

# The hash of the resource content. For example, the Docker digest.

737

"type": "A String", # Required. The type of hash that was performed.

738

"value": "A String", # Required. The hash value.

739

},

740

"uri": "A String", # Required. The unique URI of the resource. For example,

741

# `https://gcr.io/project/image@sha256:foo` for a Docker image.

742

"name": "A String", # Deprecated, do not use. Use uri instead.

743

#

744

# The name of the resource. For example, the name of a Docker image -

745

# "Debian".

746

},

747

"attestation": { # Details of an attestation occurrence. # Describes an attestation of an artifact.

748

"attestation": { # Occurrence that represents a single "attestation". The authenticity of an # Required. Attestation for the resource.

749

# attestation can be verified using the attached signature. If the verifier

750

# trusts the public key of the signer, then verifying the signature is

751

# sufficient to establish trust. In this circumstance, the authority to which

752

# this attestation is attached is primarily useful for look-up (how to find

753

# this attestation if you already know the authority and artifact to be

754

# verified) and intent (which authority was this attestation intended to sign

755

# for).

756

"genericSignedAttestation": { # An attestation wrapper that uses the Grafeas `Signature` message.

757

# This attestation must define the `serialized_payload` that the `signatures`

758

# verify and any metadata necessary to interpret that plaintext. The

759

# signatures should always be over the `serialized_payload` bytestring.

760

"contentType": "A String", # Type (for example schema) of the attestation payload that was signed.

761

# The verifier must ensure that the provided type is one that the verifier

762

# supports, and that the attestation payload is a valid instantiation of that

763

# type (for example by validating a JSON schema).

764

"signatures": [ # One or more signatures over `serialized_payload`. Verifier implementations

765

# should consider this attestation message verified if at least one

766

# `signature` verifies `serialized_payload`. See `Signature` in common.proto

767

# for more details on signature structure and verification.

768

{ # Verifiers (e.g. Kritis implementations) MUST verify signatures

769

# with respect to the trust anchors defined in policy (e.g. a Kritis policy).

770

# Typically this means that the verifier has been configured with a map from

771

# `public_key_id` to public key material (and any required parameters, e.g.

772

# signing algorithm).

773

#

774

# In particular, verification implementations MUST NOT treat the signature

775

# `public_key_id` as anything more than a key lookup hint. The `public_key_id`

776

# DOES NOT validate or authenticate a public key; it only provides a mechanism

777

# for quickly selecting a public key ALREADY CONFIGURED on the verifier through

778

# a trusted channel. Verification implementations MUST reject signatures in any

779

# of the following circumstances:

780

# * The `public_key_id` is not recognized by the verifier.

781

# * The public key that `public_key_id` refers to does not verify the

782

# signature with respect to the payload.

783

#

784

# The `signature` contents SHOULD NOT be "attached" (where the payload is

785

# included with the serialized `signature` bytes). Verifiers MUST ignore any

786

# "attached" payload and only verify signatures with respect to explicitly

787

# provided payload (e.g. a `payload` field on the proto message that holds

788

# this Signature, or the canonical serialization of the proto message that

789

# holds this signature).

790

"publicKeyId": "A String", # The identifier for the public key that verifies this signature.

791

# * The `public_key_id` is required.

792

# * The `public_key_id` SHOULD be an RFC3986 conformant URI.

793

# * When possible, the `public_key_id` SHOULD be an immutable reference,

794

# such as a cryptographic digest.

795

#

796

# Examples of valid `public_key_id`s:

797

#

798

# OpenPGP V4 public key fingerprint:

799

# * "openpgp4fpr:74FAF3B861BDA0870C7B6DEF607E48D2A663AEEA"

800

# See https://www.iana.org/assignments/uri-schemes/prov/openpgp4fpr for more

801

# details on this scheme.

802

#

803

# RFC6920 digest-named SubjectPublicKeyInfo (digest of the DER

804

# serialization):

805

# * "ni:///sha-256;cD9o9Cq6LG3jD0iKXqEi_vdjJGecm_iXkbqVoScViaU"

806

# * "nih:///sha-256;703f68f42aba2c6de30f488a5ea122fef76324679c9bf89791ba95a1271589a5"

807

"signature": "A String", # The content of the signature, an opaque bytestring.

808

# The payload that this signature verifies MUST be unambiguously provided

809

# with the Signature during verification. A wrapper message might provide

810

# the payload explicitly. Alternatively, a message might have a canonical

811

# serialization that can always be unambiguously computed to derive the

# payload.

},

],

"serializedPayload": "A String", # The serialized payload that is verified by one or more `signatures`.

816

# The encoding and semantic meaning of this payload must match what is set in

817

# `content_type`.

818

},

819

"pgpSignedAttestation": { # An attestation wrapper with a PGP-compatible signature. This message only # A PGP signed attestation.

820

# supports `ATTACHED` signatures, where the payload that is signed is included

821

# alongside the signature itself in the same file.

822

"signature": "A String", # Required. The raw content of the signature, as output by GNU Privacy Guard

823

# (GPG) or equivalent. Since this message only supports attached signatures,

824

# the payload that was signed must be attached. While the signature format

825

# supported is dependent on the verification implementation, currently only

826

# ASCII-armored (`--armor` to gpg), non-clearsigned (`--sign` rather than

827

# `--clearsign` to gpg) are supported. Concretely, `gpg --sign --armor

828

# --output=signature.gpg payload.json` will create the signature content

829

# expected in this field in `signature.gpg` for the `payload.json`

830

# attestation payload.

831

"contentType": "A String", # Type (for example schema) of the attestation payload that was signed.

832

# The verifier must ensure that the provided type is one that the verifier

833

# supports, and that the attestation payload is a valid instantiation of that

834

# type (for example by validating a JSON schema).

835

"pgpKeyId": "A String", # The cryptographic fingerprint of the key used to generate the signature,

836

# as output by, e.g. `gpg --list-keys`. This should be the version 4, full

837

# 160-bit fingerprint, expressed as a 40 character hexidecimal string. See

838

# https://tools.ietf.org/html/rfc4880#section-12.2 for details.

839

# Implementations may choose to acknowledge "LONG", "SHORT", or other

840

# abbreviated key IDs, but only the full fingerprint is guaranteed to work.

841

# In gpg, the full fingerprint can be retrieved from the `fpr` field

842

# returned when calling --list-keys with --with-colons. For example:

843

# ```

844

# gpg --with-colons --with-fingerprint --force-v4-certs \

845

# --list-keys attester@example.com

846

# tru::1:1513631572:0:3:1:5

847

# pub:...<SNIP>...

848

# fpr:::::::::24FF6481B76AC91E66A00AC657A93A81EF3AE6FB:

849

# ```

850

# Above, the fingerprint is `24FF6481B76AC91E66A00AC657A93A81EF3AE6FB`.

},

},

},

"deployment": { # Details of a deployment occurrence. # Describes the deployment of an artifact on a runtime.

855

"deployment": { # The period during which some deployable was active in a runtime. # Required. Deployment history for the resource.

856

"undeployTime": "A String", # End of the lifetime of this deployment.

857

"userEmail": "A String", # Identity of the user that triggered this deployment.

858

"resourceUri": [ # Output only. Resource URI for the artifact being deployed taken from

859

# the deployable field with the same name.

860

"A String",

861

],

862

"platform": "A String", # Platform hosting this deployment.

863

"config": "A String", # Configuration used to create this deployment.

864

"deployTime": "A String", # Required. Beginning of the lifetime of this deployment.

865

"address": "A String", # Address of the runtime element hosting this deployment.

866

},

867

},

868

"noteName": "A String", # Required. Immutable. The analysis note associated with this occurrence, in

869

# the form of `projects/[PROVIDER_ID]/notes/[NOTE_ID]`. This field can be

870

# used as a filter in list requests.

871

"installation": { # Details of a package occurrence. # Describes the installation of a package on the linked resource.

872

"installation": { # This represents how a particular software package may be installed on a # Required. Where the package was installed.

873

# system.

874

"name": "A String", # Output only. The name of the installed package.

875

"location": [ # Required. All of the places within the filesystem versions of this package

876

# have been found.

877

{ # An occurrence of a particular package installation found within a system's

878

# filesystem. E.g., glibc was found in `/var/lib/dpkg/status`.

879

"path": "A String", # The path from which we gathered that this package/version is installed.

880

"cpeUri": "A String", # Required. The CPE URI in [CPE format](https://cpe.mitre.org/specification/)

881

# denoting the package manager version distributing a package.

882

"version": { # Version contains structured information about the version of a package. # The version installed at this location.

883

"kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal

884

# versions.

885

"revision": "A String", # The iteration of the package build from the above version.

886

"epoch": 42, # Used to correct mistakes in the version numbering scheme.

887

"name": "A String", # Required only when version kind is NORMAL. The main part of the version

# name.

},

},

],

},

},

"vulnerability": { # Details of a vulnerability Occurrence. # Describes a security vulnerability.

895

"shortDescription": "A String", # Output only. A one sentence description of this vulnerability.

896

"relatedUrls": [ # Output only. URLs related to this vulnerability.

897

{ # Metadata for any related URL information.

898

"url": "A String", # Specific URL associated with the resource.

899

"label": "A String", # Label to describe usage of the URL.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

900

},

901

],

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame^]

902

"effectiveSeverity": "A String", # The distro assigned severity for this vulnerability when it is

903

# available, and note provider assigned severity when distro has not yet

904

# assigned a severity for this vulnerability.

905

"severity": "A String", # Output only. The note provider assigned Severity of the vulnerability.

906

"type": "A String", # The type of package; whether native or non native(ruby gems, node.js

907

# packages etc)

908

"longDescription": "A String", # Output only. A detailed description of this vulnerability.

909

"cvssScore": 3.14, # Output only. The CVSS score of this vulnerability. CVSS score is on a

910

# scale of 0-10 where 0 indicates low severity and 10 indicates high

911

# severity.

912

"packageIssue": [ # Required. The set of affected locations and their fixes (if available)

913

# within the associated resource.

914

{ # This message wraps a location affected by a vulnerability and its

915

# associated fix (if one is available).

916

"fixedLocation": { # The location of the vulnerability. # The location of the available fix for vulnerability.

917

"package": "A String", # Required. The package being described.

918

"cpeUri": "A String", # Required. The CPE URI in [cpe format](https://cpe.mitre.org/specification/)

919

# format. Examples include distro or storage location for vulnerable jar.

920

"version": { # Version contains structured information about the version of a package. # Required. The version of the package being described.

921

"kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal

922

# versions.

923

"revision": "A String", # The iteration of the package build from the above version.

924

"epoch": 42, # Used to correct mistakes in the version numbering scheme.

925

"name": "A String", # Required only when version kind is NORMAL. The main part of the version

# name.

},

},

"severityName": "A String", # Deprecated, use Details.effective_severity instead

930

# The severity (e.g., distro assigned severity) for this vulnerability.

931

"affectedLocation": { # The location of the vulnerability. # Required. The location of the vulnerability.

932

"package": "A String", # Required. The package being described.

933

"cpeUri": "A String", # Required. The CPE URI in [cpe format](https://cpe.mitre.org/specification/)

934

# format. Examples include distro or storage location for vulnerable jar.

935

"version": { # Version contains structured information about the version of a package. # Required. The version of the package being described.

936

"kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal

937

# versions.

938

"revision": "A String", # The iteration of the package build from the above version.

939

"epoch": 42, # Used to correct mistakes in the version numbering scheme.

940

"name": "A String", # Required only when version kind is NORMAL. The main part of the version

# name.

},

},

},

],

},

"discovered": { # Details of a discovery occurrence. # Describes when a resource was discovered.

948

"discovered": { # Provides information about the analysis status of a discovered resource. # Required. Analysis status for the discovered resource.

949

"lastAnalysisTime": "A String", # The last time continuous analysis was done for this resource.

950

# Deprecated, do not use.

951

"analysisStatusError": { # The `Status` type defines a logical error model that is suitable for # When an error is encountered this will contain a LocalizedMessage under

952

# details to show to the user. The LocalizedMessage is output only and

953

# populated by the API.

954

# different programming environments, including REST APIs and RPC APIs. It is

955

# used by [gRPC](https://github.com/grpc). Each `Status` message contains

956

# three pieces of data: error code, error message, and error details.

957

#

958

# You can find out more about this error model and how to work with it in the

959

# [API Design Guide](https://cloud.google.com/apis/design/errors).

960

"message": "A String", # A developer-facing error message, which should be in English. Any

961

# user-facing error message should be localized and sent in the

962

# google.rpc.Status.details field, or localized by the client.

963

"code": 42, # The status code, which should be an enum value of google.rpc.Code.

964

"details": [ # A list of messages that carry the error details. There is a common set of

965

# message types for APIs to use.

966

{

967

"a_key": "", # Properties of the object. Contains field @type with type URL.

},

],

},

"continuousAnalysis": "A String", # Whether the resource is continuously analyzed.

972

"analysisStatus": "A String", # The status of discovery for the resource.

973

},

974

},

975

"updateTime": "A String", # Output only. The time this occurrence was last updated.

976

"build": { # Details of a build occurrence. # Describes a verifiable build.

977

"provenance": { # Provenance of a build. Contains all information needed to verify the full # Required. The actual provenance for the build.

978

# details about the build from source to completion.

979

"endTime": "A String", # Time at which execution of the build was finished.

980

"builderVersion": "A String", # Version string of the builder at the time this build was executed.

981

"startTime": "A String", # Time at which execution of the build was started.

982

"creator": "A String", # E-mail address of the user who initiated this build. Note that this was the

983

# user's e-mail address at the time the build was initiated; this address may

984

# not represent the same end-user for all time.

985

"logsUri": "A String", # URI where any logs for this provenance were written.

986

"builtArtifacts": [ # Output of the build.

987

{ # Artifact describes a build product.

988

"names": [ # Related artifact names. This may be the path to a binary or jar file, or in

989

# the case of a container build, the name used to push the container image to

990

# Google Container Registry, as presented to `docker push`. Note that a

991

# single Artifact ID can have multiple names, for example if two tags are

992

# applied to one image.

993

"A String",

994

],

995

"id": "A String", # Artifact ID, if any; for container images, this will be a URL by digest

996

# like `gcr.io/projectID/imagename@sha256:123456`.

997

"checksum": "A String", # Hash or checksum value of a binary, or Docker Registry 2.0 digest of a

# container.

},

],

"buildOptions": { # Special options applied to this build. This is a catch-all field where

1002

# build providers can enter any desired additional details.

1003

"a_key": "A String",

1004

},

1005

"id": "A String", # Required. Unique identifier of the build.

1006

"projectId": "A String", # ID of the project.

1007

"commands": [ # Commands requested by the build.

1008

{ # Command describes a step performed as part of the build pipeline.

1009

"waitFor": [ # The ID(s) of the command(s) that this command depends on.

1010

"A String",

1011

],

1012

"id": "A String", # Optional unique identifier for this command, used in wait_for to reference

1013

# this command as a dependency.

1014

"dir": "A String", # Working directory (relative to project source root) used when running this

1015

# command.

1016

"args": [ # Command-line arguments used when executing this command.

1017

"A String",

1018

],

1019

"name": "A String", # Required. Name of the command, as presented on the command line, or if the

1020

# command is packaged as a Docker container, as presented to `docker pull`.

1021

"env": [ # Environment variables set before running this command.

"A String",

],

},

],

"sourceProvenance": { # Source describes the location of the source used for the build. # Details of the Source input to the build.

1027

"context": { # A SourceContext is a reference to a tree of files. A SourceContext together # If provided, the source code used for the build came from this location.

1028

# with a path point to a unique revision of a single file or directory.

1029

"labels": { # Labels with user defined metadata.

1030

"a_key": "A String",

1031

},

1032

"gerrit": { # A SourceContext referring to a Gerrit project. # A SourceContext referring to a Gerrit project.

1033

"hostUri": "A String", # The URI of a running Gerrit instance.

1034

"revisionId": "A String", # A revision (commit) ID.

1035

"gerritProject": "A String", # The full project name within the host. Projects may be nested, so

1036

# "project/subproject" is a valid project name. The "repo name" is the

1037

# hostURI/project.

1038

"aliasContext": { # An alias to a repo revision. # An alias, which may be a branch or tag.

1039

"kind": "A String", # The alias kind.

1040

"name": "A String", # The alias name.

1041

},

1042

},

1043

"git": { # A GitSourceContext denotes a particular revision in a third party Git # A SourceContext referring to any third party Git repo (e.g., GitHub).

1044

# repository (e.g., GitHub).

1045

"revisionId": "A String", # Git commit hash.

1046

"url": "A String", # Git repository URL.

1047

},

1048

"cloudRepo": { # A CloudRepoSourceContext denotes a particular revision in a Google Cloud # A SourceContext referring to a revision in a Google Cloud Source Repo.

1049

# Source Repo.

1050

"revisionId": "A String", # A revision ID.

1051

"repoId": { # A unique identifier for a Cloud Repo. # The ID of the repo.

1052

"uid": "A String", # A server-assigned, globally unique identifier.

1053

"projectRepoId": { # Selects a repo using a Google Cloud Platform project ID (e.g., # A combination of a project ID and a repo name.

1054

# winged-cargo-31) and a repo name within that project.

1055

"projectId": "A String", # The ID of the project.

1056

"repoName": "A String", # The name of the repo. Leave empty for the default repo.

1057

},

1058

},

1059

"aliasContext": { # An alias to a repo revision. # An alias, which may be a branch or tag.

1060

"kind": "A String", # The alias kind.

1061

"name": "A String", # The alias name.

},

},

},

"artifactStorageSourceUri": "A String", # If provided, the input binary artifacts for the build came from this

1066

# location.

1067

"fileHashes": { # Hash(es) of the build source, which can be used to verify that the original

1068

# source integrity was maintained in the build.

1069

#

1070

# The keys to this map are file paths used as build source and the values

1071

# contain the hash values for those files.

1072

#

1073

# If the build source came in a single package such as a gzipped tarfile

1074

# (.tar.gz), the FileHash will be for the single path to that file.

1075

"a_key": { # Container message for hashes of byte content of files, used in source

1076

# messages to verify integrity of source input to the build.

1077

"fileHash": [ # Required. Collection of file hashes.

1078

{ # Container message for hash values.

1079

"type": "A String", # Required. The type of hash that was performed.

1080

"value": "A String", # Required. The hash value.

},

],

},

},

"additionalContexts": [ # If provided, some of the source code used for the build may be found in

1086

# these locations, in the case where the source repository had multiple

1087

# remotes or submodules. This list will not include the context specified in

1088

# the context field.

1089

{ # A SourceContext is a reference to a tree of files. A SourceContext together

1090

# with a path point to a unique revision of a single file or directory.

1091

"labels": { # Labels with user defined metadata.

1092

"a_key": "A String",

1093

},

1094

"gerrit": { # A SourceContext referring to a Gerrit project. # A SourceContext referring to a Gerrit project.

1095

"hostUri": "A String", # The URI of a running Gerrit instance.

1096

"revisionId": "A String", # A revision (commit) ID.

1097

"gerritProject": "A String", # The full project name within the host. Projects may be nested, so

1098

# "project/subproject" is a valid project name. The "repo name" is the

1099

# hostURI/project.

1100

"aliasContext": { # An alias to a repo revision. # An alias, which may be a branch or tag.

1101

"kind": "A String", # The alias kind.

1102

"name": "A String", # The alias name.

1103

},

1104

},

1105

"git": { # A GitSourceContext denotes a particular revision in a third party Git # A SourceContext referring to any third party Git repo (e.g., GitHub).

1106

# repository (e.g., GitHub).

1107

"revisionId": "A String", # Git commit hash.

1108

"url": "A String", # Git repository URL.

1109

},

1110

"cloudRepo": { # A CloudRepoSourceContext denotes a particular revision in a Google Cloud # A SourceContext referring to a revision in a Google Cloud Source Repo.

1111

# Source Repo.

1112

"revisionId": "A String", # A revision ID.

1113

"repoId": { # A unique identifier for a Cloud Repo. # The ID of the repo.

1114

"uid": "A String", # A server-assigned, globally unique identifier.

1115

"projectRepoId": { # Selects a repo using a Google Cloud Platform project ID (e.g., # A combination of a project ID and a repo name.

1116

# winged-cargo-31) and a repo name within that project.

1117

"projectId": "A String", # The ID of the project.

1118

"repoName": "A String", # The name of the repo. Leave empty for the default repo.

1119

},

1120

},

1121

"aliasContext": { # An alias to a repo revision. # An alias, which may be a branch or tag.

1122

"kind": "A String", # The alias kind.

1123

"name": "A String", # The alias name.

},

},

},

],

},

"triggerId": "A String", # Trigger identifier if the build was triggered automatically; empty if not.

1130

"createTime": "A String", # Time at which the build was created.

1131

},

1132

"provenanceBytes": "A String", # Serialized JSON representation of the provenance, used in generating the

1133

# build signature in the corresponding build note. After verifying the

1134

# signature, `provenance_bytes` can be unmarshalled and compared to the

1135

# provenance to confirm that it is unchanged. A base64-encoded string

1136

# representation of the provenance bytes is used for the signature in order

1137

# to interoperate with openssl which expects this format for signature

1138

# verification.

1139

#

1140

# The serialized form is captured both to avoid ambiguity in how the

1141

# provenance is marshalled to json as well to prevent incompatibilities with

1142

# future changes.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1143

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1144

"derivedImage": { # Details of an image occurrence. # Describes how this resource derives from the basis in the associated

1145

# note.

1146

"derivedImage": { # Derived describes the derived image portion (Occurrence) of the DockerImage # Required. Immutable. The child image derived from the base image.

1147

# relationship. This image would be produced from a Dockerfile with FROM

1148

# <DockerImage.Basis in attached Note>.

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame^]

1149

"baseResourceUrl": "A String", # Output only. This contains the base image URL for the derived image

1150

# occurrence.

1151

"distance": 42, # Output only. The number of layers by which this image differs from the

1152

# associated image basis.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1153

"layerInfo": [ # This contains layer-specific metadata, if populated it has length

1154

# "distance" and is ordered with [distance] being the layer immediately

1155

# following the base image and [1] being the final layer.

1156

{ # Layer holds metadata specific to a layer of a Docker image.

1157

"directive": "A String", # Required. The recovered Dockerfile directive used to construct this layer.

1158

"arguments": "A String", # The recovered arguments to the Dockerfile directive.

1159

},

1160

],

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame^]

1161

"fingerprint": { # A set of properties that uniquely identify a given Docker image. # Required. The fingerprint of the derived image.

1162

"v1Name": "A String", # Required. The layer ID of the final layer in the Docker image's v1

1163

# representation.

1164

"v2Blob": [ # Required. The ordered list of v2 blobs that represent a given image.

1165

"A String",

1166

],

1167

"v2Name": "A String", # Output only. The name of the image's v2 blobs computed via:

1168

# [bottom] := v2_blobbottom := sha256(v2_blob[N] + " " + v2_name[N+1])

1169

# Only the name of the final blob is kept.

1170

},

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1171

},

1172

},

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame^]

1173

"kind": "A String", # Output only. This explicitly denotes which of the occurrence details are

1174

# specified. This field can be used as a filter in list requests.

1175

"remediation": "A String", # A description of actions that can be taken to remedy the note.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

},

],

}</pre>

</div>

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

1182

<code class="details" id="create">create(parent, body=None, x__xgafv=None)</code>

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1183

<pre>Creates a new occurrence.

1184

1185

Args:

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

1186

parent: string, Required. The name of the project in the form of `projects/[PROJECT_ID]`, under which

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1187

the occurrence is to be created. (required)

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

1188

body: object, The request body.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1189

The object takes the form of:

1190

1191

{ # An instance of an analysis type that has been found on a resource.

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame^]

1192

"createTime": "A String", # Output only. The time this occurrence was created.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

1193

"name": "A String", # Output only. The name of the occurrence in the form of

1194

# `projects/[PROJECT_ID]/occurrences/[OCCURRENCE_ID]`.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1195

"intoto": { # This corresponds to a signed in-toto link - it is made up of one or more # Describes a specific in-toto link.

1196

# signatures and the in-toto link itself. This is used for occurrences of a

1197

# Grafeas in-toto note.

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame^]

1198

"signatures": [

1199

{ # A signature object consists of the KeyID used and the signature itself.

1200

"sig": "A String",

1201

"keyid": "A String",

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1202

},

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame^]

1203

],

1204

"signed": { # This corresponds to an in-toto link.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1205

"environment": { # Defines an object for the environment field in in-toto links. The suggested # This is a field that can be used to capture information about the

1206

# environment. It is suggested for this field to contain information that

1207

# details environment variables, filesystem information, and the present

1208

# working directory. The recommended structure of this field is:

1209

# "environment": {

1210

# "custom_values": {

1211

# "variables": "<ENV>",

1212

# "filesystem": "<FS>",

1213

# "workdir": "<CWD>",

1214

# "<ANY OTHER RELEVANT FIELDS>": "..."

1215

# }

1216

# }

1217

# fields are "variables", "filesystem", and "workdir".

"customValues": {

"a_key": "A String",

},

},

"materials": [ # Materials are the supply chain artifacts that go into the step and are used

1223

# for the operation performed. The key of the map is the path of the artifact

1224

# and the structure contains the recorded hash information. An example is:

1225

# "materials": [

1226

# {

1227

# "resource_uri": "foo/bar",

1228

# "hashes": {

1229

# "sha256": "ebebf...",

1230

# <OTHER HASH ALGORITHMS>: <HASH VALUE>

# }

# }

# ]

{

"hashes": { # Defines a hash object for use in Materials and Products.

1236

"sha256": "A String",

1237

},

1238

"resourceUri": "A String",

1239

},

1240

],

1241

"products": [ # Products are the supply chain artifacts generated as a result of the step.

1242

# The structure is identical to that of materials.

1243

{

1244

"hashes": { # Defines a hash object for use in Materials and Products.

1245

"sha256": "A String",

1246

},

1247

"resourceUri": "A String",

1248

},

1249

],

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame^]

1250

"byproducts": { # Defines an object for the byproducts field in in-toto links. The suggested # ByProducts are data generated as part of a software supply chain step, but

1251

# are not the actual result of the step.

1252

# fields are "stderr", "stdout", and "return-value".

"customValues": {

"a_key": "A String",

},

},

"command": [ # This field contains the full command executed for the step. This can also

1258

# be empty if links are generated for operations that aren't directly mapped

1259

# to a specific command. Each term in the command is an independent string

1260

# in the list. An example of a command in the in-toto metadata field is:

1261

# "command": ["git", "clone", "https://github.com/in-toto/demo-project.git"]

1262

"A String",

1263

],

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1264

},

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame^]

1265

},

1266

"resource": { # An entity that can have metadata. For example, a Docker image. # Required. Immutable. The resource for which the occurrence applies.

1267

"contentHash": { # Container message for hash values. # Deprecated, do not use. Use uri instead.

1268

#

1269

# The hash of the resource content. For example, the Docker digest.

1270

"type": "A String", # Required. The type of hash that was performed.

1271

"value": "A String", # Required. The hash value.

1272

},

1273

"uri": "A String", # Required. The unique URI of the resource. For example,

1274

# `https://gcr.io/project/image@sha256:foo` for a Docker image.

1275

"name": "A String", # Deprecated, do not use. Use uri instead.

1276

#

1277

# The name of the resource. For example, the name of a Docker image -

1278

# "Debian".

1279

},

1280

"attestation": { # Details of an attestation occurrence. # Describes an attestation of an artifact.

1281

"attestation": { # Occurrence that represents a single "attestation". The authenticity of an # Required. Attestation for the resource.

1282

# attestation can be verified using the attached signature. If the verifier

1283

# trusts the public key of the signer, then verifying the signature is

1284

# sufficient to establish trust. In this circumstance, the authority to which

1285

# this attestation is attached is primarily useful for look-up (how to find

1286

# this attestation if you already know the authority and artifact to be

1287

# verified) and intent (which authority was this attestation intended to sign

1288

# for).

1289

"genericSignedAttestation": { # An attestation wrapper that uses the Grafeas `Signature` message.

1290

# This attestation must define the `serialized_payload` that the `signatures`

1291

# verify and any metadata necessary to interpret that plaintext. The

1292

# signatures should always be over the `serialized_payload` bytestring.

1293

"contentType": "A String", # Type (for example schema) of the attestation payload that was signed.

1294

# The verifier must ensure that the provided type is one that the verifier

1295

# supports, and that the attestation payload is a valid instantiation of that

1296

# type (for example by validating a JSON schema).

1297

"signatures": [ # One or more signatures over `serialized_payload`. Verifier implementations

1298

# should consider this attestation message verified if at least one

1299

# `signature` verifies `serialized_payload`. See `Signature` in common.proto

1300

# for more details on signature structure and verification.

1301

{ # Verifiers (e.g. Kritis implementations) MUST verify signatures

1302

# with respect to the trust anchors defined in policy (e.g. a Kritis policy).

1303

# Typically this means that the verifier has been configured with a map from

1304

# `public_key_id` to public key material (and any required parameters, e.g.

1305

# signing algorithm).

1306

#

1307

# In particular, verification implementations MUST NOT treat the signature

1308

# `public_key_id` as anything more than a key lookup hint. The `public_key_id`

1309

# DOES NOT validate or authenticate a public key; it only provides a mechanism

1310

# for quickly selecting a public key ALREADY CONFIGURED on the verifier through

1311

# a trusted channel. Verification implementations MUST reject signatures in any

1312

# of the following circumstances:

1313

# * The `public_key_id` is not recognized by the verifier.

1314

# * The public key that `public_key_id` refers to does not verify the

1315

# signature with respect to the payload.

1316

#

1317

# The `signature` contents SHOULD NOT be "attached" (where the payload is

1318

# included with the serialized `signature` bytes). Verifiers MUST ignore any

1319

# "attached" payload and only verify signatures with respect to explicitly

1320

# provided payload (e.g. a `payload` field on the proto message that holds

1321

# this Signature, or the canonical serialization of the proto message that

1322

# holds this signature).

1323

"publicKeyId": "A String", # The identifier for the public key that verifies this signature.

1324

# * The `public_key_id` is required.

1325

# * The `public_key_id` SHOULD be an RFC3986 conformant URI.

1326

# * When possible, the `public_key_id` SHOULD be an immutable reference,

1327

# such as a cryptographic digest.

1328

#

1329

# Examples of valid `public_key_id`s:

1330

#

1331

# OpenPGP V4 public key fingerprint:

1332

# * "openpgp4fpr:74FAF3B861BDA0870C7B6DEF607E48D2A663AEEA"

1333

# See https://www.iana.org/assignments/uri-schemes/prov/openpgp4fpr for more

1334

# details on this scheme.

1335

#

1336

# RFC6920 digest-named SubjectPublicKeyInfo (digest of the DER

1337

# serialization):

1338

# * "ni:///sha-256;cD9o9Cq6LG3jD0iKXqEi_vdjJGecm_iXkbqVoScViaU"

1339

# * "nih:///sha-256;703f68f42aba2c6de30f488a5ea122fef76324679c9bf89791ba95a1271589a5"

1340

"signature": "A String", # The content of the signature, an opaque bytestring.

1341

# The payload that this signature verifies MUST be unambiguously provided

1342

# with the Signature during verification. A wrapper message might provide

1343

# the payload explicitly. Alternatively, a message might have a canonical

1344

# serialization that can always be unambiguously computed to derive the

# payload.

},

],

"serializedPayload": "A String", # The serialized payload that is verified by one or more `signatures`.

1349

# The encoding and semantic meaning of this payload must match what is set in

1350

# `content_type`.

1351

},

1352

"pgpSignedAttestation": { # An attestation wrapper with a PGP-compatible signature. This message only # A PGP signed attestation.

1353

# supports `ATTACHED` signatures, where the payload that is signed is included

1354

# alongside the signature itself in the same file.

1355

"signature": "A String", # Required. The raw content of the signature, as output by GNU Privacy Guard

1356

# (GPG) or equivalent. Since this message only supports attached signatures,

1357

# the payload that was signed must be attached. While the signature format

1358

# supported is dependent on the verification implementation, currently only

1359

# ASCII-armored (`--armor` to gpg), non-clearsigned (`--sign` rather than

1360

# `--clearsign` to gpg) are supported. Concretely, `gpg --sign --armor

1361

# --output=signature.gpg payload.json` will create the signature content

1362

# expected in this field in `signature.gpg` for the `payload.json`

1363

# attestation payload.

1364

"contentType": "A String", # Type (for example schema) of the attestation payload that was signed.

1365

# The verifier must ensure that the provided type is one that the verifier

1366

# supports, and that the attestation payload is a valid instantiation of that

1367

# type (for example by validating a JSON schema).

1368

"pgpKeyId": "A String", # The cryptographic fingerprint of the key used to generate the signature,

1369

# as output by, e.g. `gpg --list-keys`. This should be the version 4, full

1370

# 160-bit fingerprint, expressed as a 40 character hexidecimal string. See

1371

# https://tools.ietf.org/html/rfc4880#section-12.2 for details.

1372

# Implementations may choose to acknowledge "LONG", "SHORT", or other

1373

# abbreviated key IDs, but only the full fingerprint is guaranteed to work.

1374

# In gpg, the full fingerprint can be retrieved from the `fpr` field

1375

# returned when calling --list-keys with --with-colons. For example:

1376

# ```

1377

# gpg --with-colons --with-fingerprint --force-v4-certs \

1378

# --list-keys attester@example.com

1379

# tru::1:1513631572:0:3:1:5

1380

# pub:...<SNIP>...

1381

# fpr:::::::::24FF6481B76AC91E66A00AC657A93A81EF3AE6FB:

1382

# ```

1383

# Above, the fingerprint is `24FF6481B76AC91E66A00AC657A93A81EF3AE6FB`.

},

},

},

"deployment": { # Details of a deployment occurrence. # Describes the deployment of an artifact on a runtime.

1388

"deployment": { # The period during which some deployable was active in a runtime. # Required. Deployment history for the resource.

1389

"undeployTime": "A String", # End of the lifetime of this deployment.

1390

"userEmail": "A String", # Identity of the user that triggered this deployment.

1391

"resourceUri": [ # Output only. Resource URI for the artifact being deployed taken from

1392

# the deployable field with the same name.

1393

"A String",

1394

],

1395

"platform": "A String", # Platform hosting this deployment.

1396

"config": "A String", # Configuration used to create this deployment.

1397

"deployTime": "A String", # Required. Beginning of the lifetime of this deployment.

1398

"address": "A String", # Address of the runtime element hosting this deployment.

1399

},

1400

},

1401

"noteName": "A String", # Required. Immutable. The analysis note associated with this occurrence, in

1402

# the form of `projects/[PROVIDER_ID]/notes/[NOTE_ID]`. This field can be

1403

# used as a filter in list requests.

1404

"installation": { # Details of a package occurrence. # Describes the installation of a package on the linked resource.

1405

"installation": { # This represents how a particular software package may be installed on a # Required. Where the package was installed.

1406

# system.

1407

"name": "A String", # Output only. The name of the installed package.

1408

"location": [ # Required. All of the places within the filesystem versions of this package

1409

# have been found.

1410

{ # An occurrence of a particular package installation found within a system's

1411

# filesystem. E.g., glibc was found in `/var/lib/dpkg/status`.

1412

"path": "A String", # The path from which we gathered that this package/version is installed.

1413

"cpeUri": "A String", # Required. The CPE URI in [CPE format](https://cpe.mitre.org/specification/)

1414

# denoting the package manager version distributing a package.

1415

"version": { # Version contains structured information about the version of a package. # The version installed at this location.

1416

"kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal

1417

# versions.

1418

"revision": "A String", # The iteration of the package build from the above version.

1419

"epoch": 42, # Used to correct mistakes in the version numbering scheme.

1420

"name": "A String", # Required only when version kind is NORMAL. The main part of the version

# name.

},

},

],

},

},

"vulnerability": { # Details of a vulnerability Occurrence. # Describes a security vulnerability.

1428

"shortDescription": "A String", # Output only. A one sentence description of this vulnerability.

1429

"relatedUrls": [ # Output only. URLs related to this vulnerability.

1430

{ # Metadata for any related URL information.

1431

"url": "A String", # Specific URL associated with the resource.

1432

"label": "A String", # Label to describe usage of the URL.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1433

},

1434

],

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame^]

1435

"effectiveSeverity": "A String", # The distro assigned severity for this vulnerability when it is

1436

# available, and note provider assigned severity when distro has not yet

1437

# assigned a severity for this vulnerability.

1438

"severity": "A String", # Output only. The note provider assigned Severity of the vulnerability.

1439

"type": "A String", # The type of package; whether native or non native(ruby gems, node.js

1440

# packages etc)

1441

"longDescription": "A String", # Output only. A detailed description of this vulnerability.

1442

"cvssScore": 3.14, # Output only. The CVSS score of this vulnerability. CVSS score is on a

1443

# scale of 0-10 where 0 indicates low severity and 10 indicates high

1444

# severity.

1445

"packageIssue": [ # Required. The set of affected locations and their fixes (if available)

1446

# within the associated resource.

1447

{ # This message wraps a location affected by a vulnerability and its

1448

# associated fix (if one is available).

1449

"fixedLocation": { # The location of the vulnerability. # The location of the available fix for vulnerability.

1450

"package": "A String", # Required. The package being described.

1451

"cpeUri": "A String", # Required. The CPE URI in [cpe format](https://cpe.mitre.org/specification/)

1452

# format. Examples include distro or storage location for vulnerable jar.

1453

"version": { # Version contains structured information about the version of a package. # Required. The version of the package being described.

1454

"kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal

1455

# versions.

1456

"revision": "A String", # The iteration of the package build from the above version.

1457

"epoch": 42, # Used to correct mistakes in the version numbering scheme.

1458

"name": "A String", # Required only when version kind is NORMAL. The main part of the version

# name.

},

},

"severityName": "A String", # Deprecated, use Details.effective_severity instead

1463

# The severity (e.g., distro assigned severity) for this vulnerability.

1464

"affectedLocation": { # The location of the vulnerability. # Required. The location of the vulnerability.

1465

"package": "A String", # Required. The package being described.

1466

"cpeUri": "A String", # Required. The CPE URI in [cpe format](https://cpe.mitre.org/specification/)

1467

# format. Examples include distro or storage location for vulnerable jar.

1468

"version": { # Version contains structured information about the version of a package. # Required. The version of the package being described.

1469

"kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal

1470

# versions.

1471

"revision": "A String", # The iteration of the package build from the above version.

1472

"epoch": 42, # Used to correct mistakes in the version numbering scheme.

1473

"name": "A String", # Required only when version kind is NORMAL. The main part of the version

# name.

},

},

},

],

},

"discovered": { # Details of a discovery occurrence. # Describes when a resource was discovered.

1481

"discovered": { # Provides information about the analysis status of a discovered resource. # Required. Analysis status for the discovered resource.

1482

"lastAnalysisTime": "A String", # The last time continuous analysis was done for this resource.

1483

# Deprecated, do not use.

1484

"analysisStatusError": { # The `Status` type defines a logical error model that is suitable for # When an error is encountered this will contain a LocalizedMessage under

1485

# details to show to the user. The LocalizedMessage is output only and

1486

# populated by the API.

1487

# different programming environments, including REST APIs and RPC APIs. It is

1488

# used by [gRPC](https://github.com/grpc). Each `Status` message contains

1489

# three pieces of data: error code, error message, and error details.

1490

#

1491

# You can find out more about this error model and how to work with it in the

1492

# [API Design Guide](https://cloud.google.com/apis/design/errors).

1493

"message": "A String", # A developer-facing error message, which should be in English. Any

1494

# user-facing error message should be localized and sent in the

1495

# google.rpc.Status.details field, or localized by the client.

1496

"code": 42, # The status code, which should be an enum value of google.rpc.Code.

1497

"details": [ # A list of messages that carry the error details. There is a common set of

1498

# message types for APIs to use.

1499

{

1500

"a_key": "", # Properties of the object. Contains field @type with type URL.

},

],

},

"continuousAnalysis": "A String", # Whether the resource is continuously analyzed.

1505

"analysisStatus": "A String", # The status of discovery for the resource.

1506

},

1507

},

1508

"updateTime": "A String", # Output only. The time this occurrence was last updated.

1509

"build": { # Details of a build occurrence. # Describes a verifiable build.

1510

"provenance": { # Provenance of a build. Contains all information needed to verify the full # Required. The actual provenance for the build.

1511

# details about the build from source to completion.

1512

"endTime": "A String", # Time at which execution of the build was finished.

1513

"builderVersion": "A String", # Version string of the builder at the time this build was executed.

1514

"startTime": "A String", # Time at which execution of the build was started.

1515

"creator": "A String", # E-mail address of the user who initiated this build. Note that this was the

1516

# user's e-mail address at the time the build was initiated; this address may

1517

# not represent the same end-user for all time.

1518

"logsUri": "A String", # URI where any logs for this provenance were written.

1519

"builtArtifacts": [ # Output of the build.

1520

{ # Artifact describes a build product.

1521

"names": [ # Related artifact names. This may be the path to a binary or jar file, or in

1522

# the case of a container build, the name used to push the container image to

1523

# Google Container Registry, as presented to `docker push`. Note that a

1524

# single Artifact ID can have multiple names, for example if two tags are

1525

# applied to one image.

1526

"A String",

1527

],

1528

"id": "A String", # Artifact ID, if any; for container images, this will be a URL by digest

1529

# like `gcr.io/projectID/imagename@sha256:123456`.

1530

"checksum": "A String", # Hash or checksum value of a binary, or Docker Registry 2.0 digest of a

# container.

},

],

"buildOptions": { # Special options applied to this build. This is a catch-all field where

1535

# build providers can enter any desired additional details.

1536

"a_key": "A String",

1537

},

1538

"id": "A String", # Required. Unique identifier of the build.

1539

"projectId": "A String", # ID of the project.

1540

"commands": [ # Commands requested by the build.

1541

{ # Command describes a step performed as part of the build pipeline.

1542

"waitFor": [ # The ID(s) of the command(s) that this command depends on.

1543

"A String",

1544

],

1545

"id": "A String", # Optional unique identifier for this command, used in wait_for to reference

1546

# this command as a dependency.

1547

"dir": "A String", # Working directory (relative to project source root) used when running this

1548

# command.

1549

"args": [ # Command-line arguments used when executing this command.

1550

"A String",

1551

],

1552

"name": "A String", # Required. Name of the command, as presented on the command line, or if the

1553

# command is packaged as a Docker container, as presented to `docker pull`.

1554

"env": [ # Environment variables set before running this command.

"A String",

],

},

],

"sourceProvenance": { # Source describes the location of the source used for the build. # Details of the Source input to the build.

1560

"context": { # A SourceContext is a reference to a tree of files. A SourceContext together # If provided, the source code used for the build came from this location.

1561

# with a path point to a unique revision of a single file or directory.

1562

"labels": { # Labels with user defined metadata.

1563

"a_key": "A String",

1564

},

1565

"gerrit": { # A SourceContext referring to a Gerrit project. # A SourceContext referring to a Gerrit project.

1566

"hostUri": "A String", # The URI of a running Gerrit instance.

1567

"revisionId": "A String", # A revision (commit) ID.

1568

"gerritProject": "A String", # The full project name within the host. Projects may be nested, so

1569

# "project/subproject" is a valid project name. The "repo name" is the

1570

# hostURI/project.

1571

"aliasContext": { # An alias to a repo revision. # An alias, which may be a branch or tag.

1572

"kind": "A String", # The alias kind.

1573

"name": "A String", # The alias name.

1574

},

1575

},

1576

"git": { # A GitSourceContext denotes a particular revision in a third party Git # A SourceContext referring to any third party Git repo (e.g., GitHub).

1577

# repository (e.g., GitHub).

1578

"revisionId": "A String", # Git commit hash.

1579

"url": "A String", # Git repository URL.

1580

},

1581

"cloudRepo": { # A CloudRepoSourceContext denotes a particular revision in a Google Cloud # A SourceContext referring to a revision in a Google Cloud Source Repo.

1582

# Source Repo.

1583

"revisionId": "A String", # A revision ID.

1584

"repoId": { # A unique identifier for a Cloud Repo. # The ID of the repo.

1585

"uid": "A String", # A server-assigned, globally unique identifier.

1586

"projectRepoId": { # Selects a repo using a Google Cloud Platform project ID (e.g., # A combination of a project ID and a repo name.

1587

# winged-cargo-31) and a repo name within that project.

1588

"projectId": "A String", # The ID of the project.

1589

"repoName": "A String", # The name of the repo. Leave empty for the default repo.

1590

},

1591

},

1592

"aliasContext": { # An alias to a repo revision. # An alias, which may be a branch or tag.

1593

"kind": "A String", # The alias kind.

1594

"name": "A String", # The alias name.

},

},

},

"artifactStorageSourceUri": "A String", # If provided, the input binary artifacts for the build came from this

1599

# location.

1600

"fileHashes": { # Hash(es) of the build source, which can be used to verify that the original

1601

# source integrity was maintained in the build.

1602

#

1603

# The keys to this map are file paths used as build source and the values

1604

# contain the hash values for those files.

1605

#

1606

# If the build source came in a single package such as a gzipped tarfile

1607

# (.tar.gz), the FileHash will be for the single path to that file.

1608

"a_key": { # Container message for hashes of byte content of files, used in source

1609

# messages to verify integrity of source input to the build.

1610

"fileHash": [ # Required. Collection of file hashes.

1611

{ # Container message for hash values.

1612

"type": "A String", # Required. The type of hash that was performed.

1613

"value": "A String", # Required. The hash value.

},

],

},

},

"additionalContexts": [ # If provided, some of the source code used for the build may be found in

1619

# these locations, in the case where the source repository had multiple

1620

# remotes or submodules. This list will not include the context specified in

1621

# the context field.

1622

{ # A SourceContext is a reference to a tree of files. A SourceContext together

1623

# with a path point to a unique revision of a single file or directory.

1624

"labels": { # Labels with user defined metadata.

1625

"a_key": "A String",

1626

},

1627

"gerrit": { # A SourceContext referring to a Gerrit project. # A SourceContext referring to a Gerrit project.

1628

"hostUri": "A String", # The URI of a running Gerrit instance.

1629

"revisionId": "A String", # A revision (commit) ID.

1630

"gerritProject": "A String", # The full project name within the host. Projects may be nested, so

1631

# "project/subproject" is a valid project name. The "repo name" is the

1632

# hostURI/project.

1633

"aliasContext": { # An alias to a repo revision. # An alias, which may be a branch or tag.

1634

"kind": "A String", # The alias kind.

1635

"name": "A String", # The alias name.

1636

},

1637

},

1638

"git": { # A GitSourceContext denotes a particular revision in a third party Git # A SourceContext referring to any third party Git repo (e.g., GitHub).

1639

# repository (e.g., GitHub).

1640

"revisionId": "A String", # Git commit hash.

1641

"url": "A String", # Git repository URL.

1642

},

1643

"cloudRepo": { # A CloudRepoSourceContext denotes a particular revision in a Google Cloud # A SourceContext referring to a revision in a Google Cloud Source Repo.

1644

# Source Repo.

1645

"revisionId": "A String", # A revision ID.

1646

"repoId": { # A unique identifier for a Cloud Repo. # The ID of the repo.

1647

"uid": "A String", # A server-assigned, globally unique identifier.

1648

"projectRepoId": { # Selects a repo using a Google Cloud Platform project ID (e.g., # A combination of a project ID and a repo name.

1649

# winged-cargo-31) and a repo name within that project.

1650

"projectId": "A String", # The ID of the project.

1651

"repoName": "A String", # The name of the repo. Leave empty for the default repo.

1652

},

1653

},

1654

"aliasContext": { # An alias to a repo revision. # An alias, which may be a branch or tag.

1655

"kind": "A String", # The alias kind.

1656

"name": "A String", # The alias name.

},

},

},

],

},

"triggerId": "A String", # Trigger identifier if the build was triggered automatically; empty if not.

1663

"createTime": "A String", # Time at which the build was created.

1664

},

1665

"provenanceBytes": "A String", # Serialized JSON representation of the provenance, used in generating the

1666

# build signature in the corresponding build note. After verifying the

1667

# signature, `provenance_bytes` can be unmarshalled and compared to the

1668

# provenance to confirm that it is unchanged. A base64-encoded string

1669

# representation of the provenance bytes is used for the signature in order

1670

# to interoperate with openssl which expects this format for signature

1671

# verification.

1672

#

1673

# The serialized form is captured both to avoid ambiguity in how the

1674

# provenance is marshalled to json as well to prevent incompatibilities with

1675

# future changes.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1676

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1677

"derivedImage": { # Details of an image occurrence. # Describes how this resource derives from the basis in the associated

1678

# note.

1679

"derivedImage": { # Derived describes the derived image portion (Occurrence) of the DockerImage # Required. Immutable. The child image derived from the base image.

1680

# relationship. This image would be produced from a Dockerfile with FROM

1681

# <DockerImage.Basis in attached Note>.

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame^]

1682

"baseResourceUrl": "A String", # Output only. This contains the base image URL for the derived image

1683

# occurrence.

1684

"distance": 42, # Output only. The number of layers by which this image differs from the

1685

# associated image basis.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1686

"layerInfo": [ # This contains layer-specific metadata, if populated it has length

1687

# "distance" and is ordered with [distance] being the layer immediately

1688

# following the base image and [1] being the final layer.

1689

{ # Layer holds metadata specific to a layer of a Docker image.

1690

"directive": "A String", # Required. The recovered Dockerfile directive used to construct this layer.

1691

"arguments": "A String", # The recovered arguments to the Dockerfile directive.

1692

},

1693

],

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame^]

1694

"fingerprint": { # A set of properties that uniquely identify a given Docker image. # Required. The fingerprint of the derived image.

1695

"v1Name": "A String", # Required. The layer ID of the final layer in the Docker image's v1

1696

# representation.

1697

"v2Blob": [ # Required. The ordered list of v2 blobs that represent a given image.

1698

"A String",

1699

],

1700

"v2Name": "A String", # Output only. The name of the image's v2 blobs computed via:

1701

# [bottom] := v2_blobbottom := sha256(v2_blob[N] + " " + v2_name[N+1])

1702

# Only the name of the final blob is kept.

1703

},

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1704

},

1705

},

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame^]

1706

"kind": "A String", # Output only. This explicitly denotes which of the occurrence details are

1707

# specified. This field can be used as a filter in list requests.

1708

"remediation": "A String", # A description of actions that can be taken to remedy the note.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1709

}

1710

1711

x__xgafv: string, V1 error format.

Allowed values

1 - v1 error format

2 - v2 error format

Returns:

An object of the form:

1718

1719

{ # An instance of an analysis type that has been found on a resource.

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame^]

1720

"createTime": "A String", # Output only. The time this occurrence was created.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

1721

"name": "A String", # Output only. The name of the occurrence in the form of

1722

# `projects/[PROJECT_ID]/occurrences/[OCCURRENCE_ID]`.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1723

"intoto": { # This corresponds to a signed in-toto link - it is made up of one or more # Describes a specific in-toto link.

1724

# signatures and the in-toto link itself. This is used for occurrences of a

1725

# Grafeas in-toto note.

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame^]

1726

"signatures": [

1727

{ # A signature object consists of the KeyID used and the signature itself.

1728

"sig": "A String",

1729

"keyid": "A String",

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1730

},

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame^]

1731

],

1732

"signed": { # This corresponds to an in-toto link.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1733

"environment": { # Defines an object for the environment field in in-toto links. The suggested # This is a field that can be used to capture information about the

1734

# environment. It is suggested for this field to contain information that

1735

# details environment variables, filesystem information, and the present

1736

# working directory. The recommended structure of this field is:

1737

# "environment": {

1738

# "custom_values": {

1739

# "variables": "<ENV>",

1740

# "filesystem": "<FS>",

1741

# "workdir": "<CWD>",

1742

# "<ANY OTHER RELEVANT FIELDS>": "..."

1743

# }

1744

# }

1745

# fields are "variables", "filesystem", and "workdir".

"customValues": {

"a_key": "A String",

},

},

"materials": [ # Materials are the supply chain artifacts that go into the step and are used

1751

# for the operation performed. The key of the map is the path of the artifact

1752

# and the structure contains the recorded hash information. An example is:

1753

# "materials": [

1754

# {

1755

# "resource_uri": "foo/bar",

1756

# "hashes": {

1757

# "sha256": "ebebf...",

1758

# <OTHER HASH ALGORITHMS>: <HASH VALUE>

# }

# }

# ]

{

"hashes": { # Defines a hash object for use in Materials and Products.

1764

"sha256": "A String",

1765

},

1766

"resourceUri": "A String",

1767

},

1768

],

1769

"products": [ # Products are the supply chain artifacts generated as a result of the step.

1770

# The structure is identical to that of materials.

1771

{

1772

"hashes": { # Defines a hash object for use in Materials and Products.

1773

"sha256": "A String",

1774

},

1775

"resourceUri": "A String",

1776

},

1777

],

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame^]

1778

"byproducts": { # Defines an object for the byproducts field in in-toto links. The suggested # ByProducts are data generated as part of a software supply chain step, but

1779

# are not the actual result of the step.

1780

# fields are "stderr", "stdout", and "return-value".

"customValues": {

"a_key": "A String",

},

},

"command": [ # This field contains the full command executed for the step. This can also

1786

# be empty if links are generated for operations that aren't directly mapped

1787

# to a specific command. Each term in the command is an independent string

1788

# in the list. An example of a command in the in-toto metadata field is:

1789

# "command": ["git", "clone", "https://github.com/in-toto/demo-project.git"]

1790

"A String",

1791

],

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1792

},

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame^]

1793

},

1794

"resource": { # An entity that can have metadata. For example, a Docker image. # Required. Immutable. The resource for which the occurrence applies.

1795

"contentHash": { # Container message for hash values. # Deprecated, do not use. Use uri instead.

1796

#

1797

# The hash of the resource content. For example, the Docker digest.

1798

"type": "A String", # Required. The type of hash that was performed.

1799

"value": "A String", # Required. The hash value.

1800

},

1801

"uri": "A String", # Required. The unique URI of the resource. For example,

1802

# `https://gcr.io/project/image@sha256:foo` for a Docker image.

1803

"name": "A String", # Deprecated, do not use. Use uri instead.

1804

#

1805

# The name of the resource. For example, the name of a Docker image -

1806

# "Debian".

1807

},

1808

"attestation": { # Details of an attestation occurrence. # Describes an attestation of an artifact.

1809

"attestation": { # Occurrence that represents a single "attestation". The authenticity of an # Required. Attestation for the resource.

1810

# attestation can be verified using the attached signature. If the verifier

1811

# trusts the public key of the signer, then verifying the signature is

1812

# sufficient to establish trust. In this circumstance, the authority to which

1813

# this attestation is attached is primarily useful for look-up (how to find

1814

# this attestation if you already know the authority and artifact to be

1815

# verified) and intent (which authority was this attestation intended to sign

1816

# for).

1817

"genericSignedAttestation": { # An attestation wrapper that uses the Grafeas `Signature` message.

1818

# This attestation must define the `serialized_payload` that the `signatures`

1819

# verify and any metadata necessary to interpret that plaintext. The

1820

# signatures should always be over the `serialized_payload` bytestring.

1821

"contentType": "A String", # Type (for example schema) of the attestation payload that was signed.

1822

# The verifier must ensure that the provided type is one that the verifier

1823

# supports, and that the attestation payload is a valid instantiation of that

1824

# type (for example by validating a JSON schema).

1825

"signatures": [ # One or more signatures over `serialized_payload`. Verifier implementations

1826

# should consider this attestation message verified if at least one

1827

# `signature` verifies `serialized_payload`. See `Signature` in common.proto

1828

# for more details on signature structure and verification.

1829

{ # Verifiers (e.g. Kritis implementations) MUST verify signatures

1830

# with respect to the trust anchors defined in policy (e.g. a Kritis policy).

1831

# Typically this means that the verifier has been configured with a map from

1832

# `public_key_id` to public key material (and any required parameters, e.g.

1833

# signing algorithm).

1834

#

1835

# In particular, verification implementations MUST NOT treat the signature

1836

# `public_key_id` as anything more than a key lookup hint. The `public_key_id`

1837

# DOES NOT validate or authenticate a public key; it only provides a mechanism

1838

# for quickly selecting a public key ALREADY CONFIGURED on the verifier through

1839

# a trusted channel. Verification implementations MUST reject signatures in any

1840

# of the following circumstances:

1841

# * The `public_key_id` is not recognized by the verifier.

1842

# * The public key that `public_key_id` refers to does not verify the

1843

# signature with respect to the payload.

1844

#

1845

# The `signature` contents SHOULD NOT be "attached" (where the payload is

1846

# included with the serialized `signature` bytes). Verifiers MUST ignore any

1847

# "attached" payload and only verify signatures with respect to explicitly

1848

# provided payload (e.g. a `payload` field on the proto message that holds

1849

# this Signature, or the canonical serialization of the proto message that

1850

# holds this signature).

1851

"publicKeyId": "A String", # The identifier for the public key that verifies this signature.

1852

# * The `public_key_id` is required.

1853

# * The `public_key_id` SHOULD be an RFC3986 conformant URI.

1854

# * When possible, the `public_key_id` SHOULD be an immutable reference,

1855

# such as a cryptographic digest.

1856

#

1857

# Examples of valid `public_key_id`s:

1858

#

1859

# OpenPGP V4 public key fingerprint:

1860

# * "openpgp4fpr:74FAF3B861BDA0870C7B6DEF607E48D2A663AEEA"

1861

# See https://www.iana.org/assignments/uri-schemes/prov/openpgp4fpr for more

1862

# details on this scheme.

1863

#

1864

# RFC6920 digest-named SubjectPublicKeyInfo (digest of the DER

1865

# serialization):

1866

# * "ni:///sha-256;cD9o9Cq6LG3jD0iKXqEi_vdjJGecm_iXkbqVoScViaU"

1867

# * "nih:///sha-256;703f68f42aba2c6de30f488a5ea122fef76324679c9bf89791ba95a1271589a5"

1868

"signature": "A String", # The content of the signature, an opaque bytestring.

1869

# The payload that this signature verifies MUST be unambiguously provided

1870

# with the Signature during verification. A wrapper message might provide

1871

# the payload explicitly. Alternatively, a message might have a canonical

1872

# serialization that can always be unambiguously computed to derive the

# payload.

},

],

"serializedPayload": "A String", # The serialized payload that is verified by one or more `signatures`.

1877

# The encoding and semantic meaning of this payload must match what is set in

1878

# `content_type`.

1879

},

1880

"pgpSignedAttestation": { # An attestation wrapper with a PGP-compatible signature. This message only # A PGP signed attestation.

1881

# supports `ATTACHED` signatures, where the payload that is signed is included

1882

# alongside the signature itself in the same file.

1883

"signature": "A String", # Required. The raw content of the signature, as output by GNU Privacy Guard

1884

# (GPG) or equivalent. Since this message only supports attached signatures,

1885

# the payload that was signed must be attached. While the signature format

1886

# supported is dependent on the verification implementation, currently only

1887

# ASCII-armored (`--armor` to gpg), non-clearsigned (`--sign` rather than

1888

# `--clearsign` to gpg) are supported. Concretely, `gpg --sign --armor

1889

# --output=signature.gpg payload.json` will create the signature content

1890

# expected in this field in `signature.gpg` for the `payload.json`

1891

# attestation payload.

1892

"contentType": "A String", # Type (for example schema) of the attestation payload that was signed.

1893

# The verifier must ensure that the provided type is one that the verifier

1894

# supports, and that the attestation payload is a valid instantiation of that

1895

# type (for example by validating a JSON schema).

1896

"pgpKeyId": "A String", # The cryptographic fingerprint of the key used to generate the signature,

1897

# as output by, e.g. `gpg --list-keys`. This should be the version 4, full

1898

# 160-bit fingerprint, expressed as a 40 character hexidecimal string. See

1899

# https://tools.ietf.org/html/rfc4880#section-12.2 for details.

1900

# Implementations may choose to acknowledge "LONG", "SHORT", or other

1901

# abbreviated key IDs, but only the full fingerprint is guaranteed to work.

1902

# In gpg, the full fingerprint can be retrieved from the `fpr` field

1903

# returned when calling --list-keys with --with-colons. For example:

1904

# ```

1905

# gpg --with-colons --with-fingerprint --force-v4-certs \

1906

# --list-keys attester@example.com

1907

# tru::1:1513631572:0:3:1:5

1908

# pub:...<SNIP>...

1909

# fpr:::::::::24FF6481B76AC91E66A00AC657A93A81EF3AE6FB:

1910

# ```

1911

# Above, the fingerprint is `24FF6481B76AC91E66A00AC657A93A81EF3AE6FB`.

},

},

},

"deployment": { # Details of a deployment occurrence. # Describes the deployment of an artifact on a runtime.

1916

"deployment": { # The period during which some deployable was active in a runtime. # Required. Deployment history for the resource.

1917

"undeployTime": "A String", # End of the lifetime of this deployment.

1918

"userEmail": "A String", # Identity of the user that triggered this deployment.

1919

"resourceUri": [ # Output only. Resource URI for the artifact being deployed taken from

1920

# the deployable field with the same name.

1921

"A String",

1922

],

1923

"platform": "A String", # Platform hosting this deployment.

1924

"config": "A String", # Configuration used to create this deployment.

1925

"deployTime": "A String", # Required. Beginning of the lifetime of this deployment.

1926

"address": "A String", # Address of the runtime element hosting this deployment.

1927

},

1928

},

1929

"noteName": "A String", # Required. Immutable. The analysis note associated with this occurrence, in

1930

# the form of `projects/[PROVIDER_ID]/notes/[NOTE_ID]`. This field can be

1931

# used as a filter in list requests.

1932

"installation": { # Details of a package occurrence. # Describes the installation of a package on the linked resource.

1933

"installation": { # This represents how a particular software package may be installed on a # Required. Where the package was installed.

1934

# system.

1935

"name": "A String", # Output only. The name of the installed package.

1936

"location": [ # Required. All of the places within the filesystem versions of this package

1937

# have been found.

1938

{ # An occurrence of a particular package installation found within a system's

1939

# filesystem. E.g., glibc was found in `/var/lib/dpkg/status`.

1940

"path": "A String", # The path from which we gathered that this package/version is installed.

1941

"cpeUri": "A String", # Required. The CPE URI in [CPE format](https://cpe.mitre.org/specification/)

1942

# denoting the package manager version distributing a package.

1943

"version": { # Version contains structured information about the version of a package. # The version installed at this location.

1944

"kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal

1945

# versions.

1946

"revision": "A String", # The iteration of the package build from the above version.

1947

"epoch": 42, # Used to correct mistakes in the version numbering scheme.

1948

"name": "A String", # Required only when version kind is NORMAL. The main part of the version

# name.

},

},

],

},

},

"vulnerability": { # Details of a vulnerability Occurrence. # Describes a security vulnerability.

1956

"shortDescription": "A String", # Output only. A one sentence description of this vulnerability.

1957

"relatedUrls": [ # Output only. URLs related to this vulnerability.

1958

{ # Metadata for any related URL information.

1959

"url": "A String", # Specific URL associated with the resource.

1960

"label": "A String", # Label to describe usage of the URL.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1961

},

1962

],

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame^]

1963

"effectiveSeverity": "A String", # The distro assigned severity for this vulnerability when it is

1964

# available, and note provider assigned severity when distro has not yet

1965

# assigned a severity for this vulnerability.

1966

"severity": "A String", # Output only. The note provider assigned Severity of the vulnerability.

1967

"type": "A String", # The type of package; whether native or non native(ruby gems, node.js

1968

# packages etc)

1969

"longDescription": "A String", # Output only. A detailed description of this vulnerability.

1970

"cvssScore": 3.14, # Output only. The CVSS score of this vulnerability. CVSS score is on a

1971

# scale of 0-10 where 0 indicates low severity and 10 indicates high

1972

# severity.

1973

"packageIssue": [ # Required. The set of affected locations and their fixes (if available)

1974

# within the associated resource.

1975

{ # This message wraps a location affected by a vulnerability and its

1976

# associated fix (if one is available).

1977

"fixedLocation": { # The location of the vulnerability. # The location of the available fix for vulnerability.

1978

"package": "A String", # Required. The package being described.

1979

"cpeUri": "A String", # Required. The CPE URI in [cpe format](https://cpe.mitre.org/specification/)

1980

# format. Examples include distro or storage location for vulnerable jar.

1981

"version": { # Version contains structured information about the version of a package. # Required. The version of the package being described.

1982

"kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal

1983

# versions.

1984

"revision": "A String", # The iteration of the package build from the above version.

1985

"epoch": 42, # Used to correct mistakes in the version numbering scheme.

1986

"name": "A String", # Required only when version kind is NORMAL. The main part of the version

# name.

},

},

"severityName": "A String", # Deprecated, use Details.effective_severity instead

1991

# The severity (e.g., distro assigned severity) for this vulnerability.

1992

"affectedLocation": { # The location of the vulnerability. # Required. The location of the vulnerability.

1993

"package": "A String", # Required. The package being described.

1994

"cpeUri": "A String", # Required. The CPE URI in [cpe format](https://cpe.mitre.org/specification/)

1995

# format. Examples include distro or storage location for vulnerable jar.

1996

"version": { # Version contains structured information about the version of a package. # Required. The version of the package being described.

1997

"kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal

1998

# versions.

1999

"revision": "A String", # The iteration of the package build from the above version.

2000

"epoch": 42, # Used to correct mistakes in the version numbering scheme.

2001

"name": "A String", # Required only when version kind is NORMAL. The main part of the version

# name.

},

},

},

],

},

"discovered": { # Details of a discovery occurrence. # Describes when a resource was discovered.

2009

"discovered": { # Provides information about the analysis status of a discovered resource. # Required. Analysis status for the discovered resource.

2010

"lastAnalysisTime": "A String", # The last time continuous analysis was done for this resource.

2011

# Deprecated, do not use.

2012

"analysisStatusError": { # The `Status` type defines a logical error model that is suitable for # When an error is encountered this will contain a LocalizedMessage under

2013

# details to show to the user. The LocalizedMessage is output only and

2014

# populated by the API.

2015

# different programming environments, including REST APIs and RPC APIs. It is

2016

# used by [gRPC](https://github.com/grpc). Each `Status` message contains

2017

# three pieces of data: error code, error message, and error details.

2018

#

2019

# You can find out more about this error model and how to work with it in the

2020

# [API Design Guide](https://cloud.google.com/apis/design/errors).

2021

"message": "A String", # A developer-facing error message, which should be in English. Any

2022

# user-facing error message should be localized and sent in the

2023

# google.rpc.Status.details field, or localized by the client.

2024

"code": 42, # The status code, which should be an enum value of google.rpc.Code.

2025

"details": [ # A list of messages that carry the error details. There is a common set of

2026

# message types for APIs to use.

2027

{

2028

"a_key": "", # Properties of the object. Contains field @type with type URL.

},

],

},

"continuousAnalysis": "A String", # Whether the resource is continuously analyzed.

2033

"analysisStatus": "A String", # The status of discovery for the resource.

2034

},

2035

},

2036

"updateTime": "A String", # Output only. The time this occurrence was last updated.

2037

"build": { # Details of a build occurrence. # Describes a verifiable build.

2038

"provenance": { # Provenance of a build. Contains all information needed to verify the full # Required. The actual provenance for the build.

2039

# details about the build from source to completion.

2040

"endTime": "A String", # Time at which execution of the build was finished.

2041

"builderVersion": "A String", # Version string of the builder at the time this build was executed.

2042

"startTime": "A String", # Time at which execution of the build was started.

2043

"creator": "A String", # E-mail address of the user who initiated this build. Note that this was the

2044

# user's e-mail address at the time the build was initiated; this address may

2045

# not represent the same end-user for all time.

2046

"logsUri": "A String", # URI where any logs for this provenance were written.

2047

"builtArtifacts": [ # Output of the build.

2048

{ # Artifact describes a build product.

2049

"names": [ # Related artifact names. This may be the path to a binary or jar file, or in

2050

# the case of a container build, the name used to push the container image to

2051

# Google Container Registry, as presented to `docker push`. Note that a

2052

# single Artifact ID can have multiple names, for example if two tags are

2053

# applied to one image.

2054

"A String",

2055

],

2056

"id": "A String", # Artifact ID, if any; for container images, this will be a URL by digest

2057

# like `gcr.io/projectID/imagename@sha256:123456`.

2058

"checksum": "A String", # Hash or checksum value of a binary, or Docker Registry 2.0 digest of a

# container.

},

],

"buildOptions": { # Special options applied to this build. This is a catch-all field where

2063

# build providers can enter any desired additional details.

2064

"a_key": "A String",

2065

},

2066

"id": "A String", # Required. Unique identifier of the build.

2067

"projectId": "A String", # ID of the project.

2068

"commands": [ # Commands requested by the build.

2069

{ # Command describes a step performed as part of the build pipeline.

2070

"waitFor": [ # The ID(s) of the command(s) that this command depends on.

2071

"A String",

2072

],

2073

"id": "A String", # Optional unique identifier for this command, used in wait_for to reference

2074

# this command as a dependency.

2075

"dir": "A String", # Working directory (relative to project source root) used when running this

2076

# command.

2077

"args": [ # Command-line arguments used when executing this command.

2078

"A String",

2079

],

2080

"name": "A String", # Required. Name of the command, as presented on the command line, or if the

2081

# command is packaged as a Docker container, as presented to `docker pull`.

2082

"env": [ # Environment variables set before running this command.

"A String",

],

},

],

"sourceProvenance": { # Source describes the location of the source used for the build. # Details of the Source input to the build.

2088

"context": { # A SourceContext is a reference to a tree of files. A SourceContext together # If provided, the source code used for the build came from this location.

2089

# with a path point to a unique revision of a single file or directory.

2090

"labels": { # Labels with user defined metadata.

2091

"a_key": "A String",

2092

},

2093

"gerrit": { # A SourceContext referring to a Gerrit project. # A SourceContext referring to a Gerrit project.

2094

"hostUri": "A String", # The URI of a running Gerrit instance.

2095

"revisionId": "A String", # A revision (commit) ID.

2096

"gerritProject": "A String", # The full project name within the host. Projects may be nested, so

2097

# "project/subproject" is a valid project name. The "repo name" is the

2098

# hostURI/project.

2099

"aliasContext": { # An alias to a repo revision. # An alias, which may be a branch or tag.

2100

"kind": "A String", # The alias kind.

2101

"name": "A String", # The alias name.

2102

},

2103

},

2104

"git": { # A GitSourceContext denotes a particular revision in a third party Git # A SourceContext referring to any third party Git repo (e.g., GitHub).

2105

# repository (e.g., GitHub).

2106

"revisionId": "A String", # Git commit hash.

2107

"url": "A String", # Git repository URL.

2108

},

2109

"cloudRepo": { # A CloudRepoSourceContext denotes a particular revision in a Google Cloud # A SourceContext referring to a revision in a Google Cloud Source Repo.

2110

# Source Repo.

2111

"revisionId": "A String", # A revision ID.

2112

"repoId": { # A unique identifier for a Cloud Repo. # The ID of the repo.

2113

"uid": "A String", # A server-assigned, globally unique identifier.

2114

"projectRepoId": { # Selects a repo using a Google Cloud Platform project ID (e.g., # A combination of a project ID and a repo name.

2115

# winged-cargo-31) and a repo name within that project.

2116

"projectId": "A String", # The ID of the project.

2117

"repoName": "A String", # The name of the repo. Leave empty for the default repo.

2118

},

2119

},

2120

"aliasContext": { # An alias to a repo revision. # An alias, which may be a branch or tag.

2121

"kind": "A String", # The alias kind.

2122

"name": "A String", # The alias name.

},

},

},

"artifactStorageSourceUri": "A String", # If provided, the input binary artifacts for the build came from this

2127

# location.

2128

"fileHashes": { # Hash(es) of the build source, which can be used to verify that the original

2129

# source integrity was maintained in the build.

2130

#

2131

# The keys to this map are file paths used as build source and the values

2132

# contain the hash values for those files.

2133

#

2134

# If the build source came in a single package such as a gzipped tarfile

2135

# (.tar.gz), the FileHash will be for the single path to that file.

2136

"a_key": { # Container message for hashes of byte content of files, used in source

2137

# messages to verify integrity of source input to the build.

2138

"fileHash": [ # Required. Collection of file hashes.

2139

{ # Container message for hash values.

2140

"type": "A String", # Required. The type of hash that was performed.

2141

"value": "A String", # Required. The hash value.

},

],

},

},

"additionalContexts": [ # If provided, some of the source code used for the build may be found in

2147

# these locations, in the case where the source repository had multiple

2148

# remotes or submodules. This list will not include the context specified in

2149

# the context field.

2150

{ # A SourceContext is a reference to a tree of files. A SourceContext together

2151

# with a path point to a unique revision of a single file or directory.

2152

"labels": { # Labels with user defined metadata.

2153

"a_key": "A String",

2154

},

2155

"gerrit": { # A SourceContext referring to a Gerrit project. # A SourceContext referring to a Gerrit project.

2156

"hostUri": "A String", # The URI of a running Gerrit instance.

2157

"revisionId": "A String", # A revision (commit) ID.

2158

"gerritProject": "A String", # The full project name within the host. Projects may be nested, so

2159

# "project/subproject" is a valid project name. The "repo name" is the

2160

# hostURI/project.

2161

"aliasContext": { # An alias to a repo revision. # An alias, which may be a branch or tag.

2162

"kind": "A String", # The alias kind.

2163

"name": "A String", # The alias name.

2164

},

2165

},

2166

"git": { # A GitSourceContext denotes a particular revision in a third party Git # A SourceContext referring to any third party Git repo (e.g., GitHub).

2167

# repository (e.g., GitHub).

2168

"revisionId": "A String", # Git commit hash.

2169

"url": "A String", # Git repository URL.

2170

},

2171

"cloudRepo": { # A CloudRepoSourceContext denotes a particular revision in a Google Cloud # A SourceContext referring to a revision in a Google Cloud Source Repo.

2172

# Source Repo.

2173

"revisionId": "A String", # A revision ID.

2174

"repoId": { # A unique identifier for a Cloud Repo. # The ID of the repo.

2175

"uid": "A String", # A server-assigned, globally unique identifier.

2176

"projectRepoId": { # Selects a repo using a Google Cloud Platform project ID (e.g., # A combination of a project ID and a repo name.

2177

# winged-cargo-31) and a repo name within that project.

2178

"projectId": "A String", # The ID of the project.

2179

"repoName": "A String", # The name of the repo. Leave empty for the default repo.

2180

},

2181

},

2182

"aliasContext": { # An alias to a repo revision. # An alias, which may be a branch or tag.

2183

"kind": "A String", # The alias kind.

2184

"name": "A String", # The alias name.

},

},

},

],

},

"triggerId": "A String", # Trigger identifier if the build was triggered automatically; empty if not.

2191

"createTime": "A String", # Time at which the build was created.

2192

},

2193

"provenanceBytes": "A String", # Serialized JSON representation of the provenance, used in generating the

2194

# build signature in the corresponding build note. After verifying the

2195

# signature, `provenance_bytes` can be unmarshalled and compared to the

2196

# provenance to confirm that it is unchanged. A base64-encoded string

2197

# representation of the provenance bytes is used for the signature in order

2198

# to interoperate with openssl which expects this format for signature

2199

# verification.

2200

#

2201

# The serialized form is captured both to avoid ambiguity in how the

2202

# provenance is marshalled to json as well to prevent incompatibilities with

2203

# future changes.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2204

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2205

"derivedImage": { # Details of an image occurrence. # Describes how this resource derives from the basis in the associated

2206

# note.

2207

"derivedImage": { # Derived describes the derived image portion (Occurrence) of the DockerImage # Required. Immutable. The child image derived from the base image.

2208

# relationship. This image would be produced from a Dockerfile with FROM

2209

# <DockerImage.Basis in attached Note>.

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame^]

2210

"baseResourceUrl": "A String", # Output only. This contains the base image URL for the derived image

2211

# occurrence.

2212

"distance": 42, # Output only. The number of layers by which this image differs from the

2213

# associated image basis.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2214

"layerInfo": [ # This contains layer-specific metadata, if populated it has length

2215

# "distance" and is ordered with [distance] being the layer immediately

2216

# following the base image and [1] being the final layer.

2217

{ # Layer holds metadata specific to a layer of a Docker image.

2218

"directive": "A String", # Required. The recovered Dockerfile directive used to construct this layer.

2219

"arguments": "A String", # The recovered arguments to the Dockerfile directive.

2220

},

2221

],

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame^]

2222

"fingerprint": { # A set of properties that uniquely identify a given Docker image. # Required. The fingerprint of the derived image.

2223

"v1Name": "A String", # Required. The layer ID of the final layer in the Docker image's v1

2224

# representation.

2225

"v2Blob": [ # Required. The ordered list of v2 blobs that represent a given image.

2226

"A String",

2227

],

2228

"v2Name": "A String", # Output only. The name of the image's v2 blobs computed via:

2229

# [bottom] := v2_blobbottom := sha256(v2_blob[N] + " " + v2_name[N+1])

2230

# Only the name of the final blob is kept.

2231

},

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2232

},

2233

},

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame^]

2234

"kind": "A String", # Output only. This explicitly denotes which of the occurrence details are

2235

# specified. This field can be used as a filter in list requests.

2236

"remediation": "A String", # A description of actions that can be taken to remedy the note.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

}</pre>

</div>

<code class="details" id="delete">delete(name, x__xgafv=None)</code>

2242

<pre>Deletes the specified occurrence. For example, use this method to delete an

2243

occurrence when the occurrence is no longer applicable for the given

2244

resource.

2245

2246

Args:

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

2247

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2248

`projects/[PROJECT_ID]/occurrences/[OCCURRENCE_ID]`. (required)

2249

x__xgafv: string, V1 error format.

Allowed values

1 - v1 error format

2 - v2 error format

Returns:

An object of the form:

2256

2257

{ # A generic empty message that you can re-use to avoid defining duplicated

2258

# empty messages in your APIs. A typical example is to use it as the request

2259

# or the response type of an API method. For instance:

2260

#

2261

# service Foo {

2262

# rpc Bar(google.protobuf.Empty) returns (google.protobuf.Empty);

2263

# }

2264

#

2265

# The JSON representation for `Empty` is empty JSON object `{}`.

}</pre>

</div>

<code class="details" id="get">get(name, x__xgafv=None)</code>

2271

<pre>Gets the specified occurrence.

2272

2273

Args:

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

2274

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2275

`projects/[PROJECT_ID]/occurrences/[OCCURRENCE_ID]`. (required)

2276

x__xgafv: string, V1 error format.

Allowed values

1 - v1 error format

2 - v2 error format

Returns:

An object of the form:

2283

2284

{ # An instance of an analysis type that has been found on a resource.

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame^]

2285

"createTime": "A String", # Output only. The time this occurrence was created.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

2286

"name": "A String", # Output only. The name of the occurrence in the form of

2287

# `projects/[PROJECT_ID]/occurrences/[OCCURRENCE_ID]`.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2288

"intoto": { # This corresponds to a signed in-toto link - it is made up of one or more # Describes a specific in-toto link.

2289

# signatures and the in-toto link itself. This is used for occurrences of a

2290

# Grafeas in-toto note.

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame^]

2291

"signatures": [

2292

{ # A signature object consists of the KeyID used and the signature itself.

2293

"sig": "A String",

2294

"keyid": "A String",

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2295

},

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame^]

2296

],

2297

"signed": { # This corresponds to an in-toto link.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2298

"environment": { # Defines an object for the environment field in in-toto links. The suggested # This is a field that can be used to capture information about the

2299

# environment. It is suggested for this field to contain information that

2300

# details environment variables, filesystem information, and the present

2301

# working directory. The recommended structure of this field is:

2302

# "environment": {

2303

# "custom_values": {

2304

# "variables": "<ENV>",

2305

# "filesystem": "<FS>",

2306

# "workdir": "<CWD>",

2307

# "<ANY OTHER RELEVANT FIELDS>": "..."

2308

# }

2309

# }

2310

# fields are "variables", "filesystem", and "workdir".

"customValues": {

"a_key": "A String",

},

},

"materials": [ # Materials are the supply chain artifacts that go into the step and are used

2316

# for the operation performed. The key of the map is the path of the artifact

2317

# and the structure contains the recorded hash information. An example is:

2318

# "materials": [

2319

# {

2320

# "resource_uri": "foo/bar",

2321

# "hashes": {

2322

# "sha256": "ebebf...",

2323

# <OTHER HASH ALGORITHMS>: <HASH VALUE>

# }

# }

# ]

{

"hashes": { # Defines a hash object for use in Materials and Products.

2329

"sha256": "A String",

2330

},

2331

"resourceUri": "A String",

2332

},

2333

],

2334

"products": [ # Products are the supply chain artifacts generated as a result of the step.

2335

# The structure is identical to that of materials.

2336

{

2337

"hashes": { # Defines a hash object for use in Materials and Products.

2338

"sha256": "A String",

2339

},

2340

"resourceUri": "A String",

2341

},

2342

],

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame^]

2343

"byproducts": { # Defines an object for the byproducts field in in-toto links. The suggested # ByProducts are data generated as part of a software supply chain step, but

2344

# are not the actual result of the step.

2345

# fields are "stderr", "stdout", and "return-value".

"customValues": {

"a_key": "A String",

},

},

"command": [ # This field contains the full command executed for the step. This can also

2351

# be empty if links are generated for operations that aren't directly mapped

2352

# to a specific command. Each term in the command is an independent string

2353

# in the list. An example of a command in the in-toto metadata field is:

2354

# "command": ["git", "clone", "https://github.com/in-toto/demo-project.git"]

2355

"A String",

2356

],

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2357

},

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame^]

2358

},

2359

"resource": { # An entity that can have metadata. For example, a Docker image. # Required. Immutable. The resource for which the occurrence applies.

2360

"contentHash": { # Container message for hash values. # Deprecated, do not use. Use uri instead.

2361

#

2362

# The hash of the resource content. For example, the Docker digest.

2363

"type": "A String", # Required. The type of hash that was performed.

2364

"value": "A String", # Required. The hash value.

2365

},

2366

"uri": "A String", # Required. The unique URI of the resource. For example,

2367

# `https://gcr.io/project/image@sha256:foo` for a Docker image.

2368

"name": "A String", # Deprecated, do not use. Use uri instead.

2369

#

2370

# The name of the resource. For example, the name of a Docker image -

2371

# "Debian".

2372

},

2373

"attestation": { # Details of an attestation occurrence. # Describes an attestation of an artifact.

2374

"attestation": { # Occurrence that represents a single "attestation". The authenticity of an # Required. Attestation for the resource.

2375

# attestation can be verified using the attached signature. If the verifier

2376

# trusts the public key of the signer, then verifying the signature is

2377

# sufficient to establish trust. In this circumstance, the authority to which

2378

# this attestation is attached is primarily useful for look-up (how to find

2379

# this attestation if you already know the authority and artifact to be

2380

# verified) and intent (which authority was this attestation intended to sign

2381

# for).

2382

"genericSignedAttestation": { # An attestation wrapper that uses the Grafeas `Signature` message.

2383

# This attestation must define the `serialized_payload` that the `signatures`

2384

# verify and any metadata necessary to interpret that plaintext. The

2385

# signatures should always be over the `serialized_payload` bytestring.

2386

"contentType": "A String", # Type (for example schema) of the attestation payload that was signed.

2387

# The verifier must ensure that the provided type is one that the verifier

2388

# supports, and that the attestation payload is a valid instantiation of that

2389

# type (for example by validating a JSON schema).

2390

"signatures": [ # One or more signatures over `serialized_payload`. Verifier implementations

2391

# should consider this attestation message verified if at least one

2392

# `signature` verifies `serialized_payload`. See `Signature` in common.proto

2393

# for more details on signature structure and verification.

2394

{ # Verifiers (e.g. Kritis implementations) MUST verify signatures

2395

# with respect to the trust anchors defined in policy (e.g. a Kritis policy).

2396

# Typically this means that the verifier has been configured with a map from

2397

# `public_key_id` to public key material (and any required parameters, e.g.

2398

# signing algorithm).

2399

#

2400

# In particular, verification implementations MUST NOT treat the signature

2401

# `public_key_id` as anything more than a key lookup hint. The `public_key_id`

2402

# DOES NOT validate or authenticate a public key; it only provides a mechanism

2403

# for quickly selecting a public key ALREADY CONFIGURED on the verifier through

2404

# a trusted channel. Verification implementations MUST reject signatures in any

2405

# of the following circumstances:

2406

# * The `public_key_id` is not recognized by the verifier.

2407

# * The public key that `public_key_id` refers to does not verify the

2408

# signature with respect to the payload.

2409

#

2410

# The `signature` contents SHOULD NOT be "attached" (where the payload is

2411

# included with the serialized `signature` bytes). Verifiers MUST ignore any

2412

# "attached" payload and only verify signatures with respect to explicitly

2413

# provided payload (e.g. a `payload` field on the proto message that holds

2414

# this Signature, or the canonical serialization of the proto message that

2415

# holds this signature).

2416

"publicKeyId": "A String", # The identifier for the public key that verifies this signature.

2417

# * The `public_key_id` is required.

2418

# * The `public_key_id` SHOULD be an RFC3986 conformant URI.

2419

# * When possible, the `public_key_id` SHOULD be an immutable reference,

2420

# such as a cryptographic digest.

2421

#

2422

# Examples of valid `public_key_id`s:

2423

#

2424

# OpenPGP V4 public key fingerprint:

2425

# * "openpgp4fpr:74FAF3B861BDA0870C7B6DEF607E48D2A663AEEA"

2426

# See https://www.iana.org/assignments/uri-schemes/prov/openpgp4fpr for more

2427

# details on this scheme.

2428

#

2429

# RFC6920 digest-named SubjectPublicKeyInfo (digest of the DER

2430

# serialization):

2431

# * "ni:///sha-256;cD9o9Cq6LG3jD0iKXqEi_vdjJGecm_iXkbqVoScViaU"

2432

# * "nih:///sha-256;703f68f42aba2c6de30f488a5ea122fef76324679c9bf89791ba95a1271589a5"

2433

"signature": "A String", # The content of the signature, an opaque bytestring.

2434

# The payload that this signature verifies MUST be unambiguously provided

2435

# with the Signature during verification. A wrapper message might provide

2436

# the payload explicitly. Alternatively, a message might have a canonical

2437

# serialization that can always be unambiguously computed to derive the

# payload.

},

],

"serializedPayload": "A String", # The serialized payload that is verified by one or more `signatures`.

2442

# The encoding and semantic meaning of this payload must match what is set in

2443

# `content_type`.

2444

},

2445

"pgpSignedAttestation": { # An attestation wrapper with a PGP-compatible signature. This message only # A PGP signed attestation.

2446

# supports `ATTACHED` signatures, where the payload that is signed is included

2447

# alongside the signature itself in the same file.

2448

"signature": "A String", # Required. The raw content of the signature, as output by GNU Privacy Guard

2449

# (GPG) or equivalent. Since this message only supports attached signatures,

2450

# the payload that was signed must be attached. While the signature format

2451

# supported is dependent on the verification implementation, currently only

2452

# ASCII-armored (`--armor` to gpg), non-clearsigned (`--sign` rather than

2453

# `--clearsign` to gpg) are supported. Concretely, `gpg --sign --armor

2454

# --output=signature.gpg payload.json` will create the signature content

2455

# expected in this field in `signature.gpg` for the `payload.json`

2456

# attestation payload.

2457

"contentType": "A String", # Type (for example schema) of the attestation payload that was signed.

2458

# The verifier must ensure that the provided type is one that the verifier

2459

# supports, and that the attestation payload is a valid instantiation of that

2460

# type (for example by validating a JSON schema).

2461

"pgpKeyId": "A String", # The cryptographic fingerprint of the key used to generate the signature,

2462

# as output by, e.g. `gpg --list-keys`. This should be the version 4, full

2463

# 160-bit fingerprint, expressed as a 40 character hexidecimal string. See

2464

# https://tools.ietf.org/html/rfc4880#section-12.2 for details.

2465

# Implementations may choose to acknowledge "LONG", "SHORT", or other

2466

# abbreviated key IDs, but only the full fingerprint is guaranteed to work.

2467

# In gpg, the full fingerprint can be retrieved from the `fpr` field

2468

# returned when calling --list-keys with --with-colons. For example:

2469

# ```

2470

# gpg --with-colons --with-fingerprint --force-v4-certs \

2471

# --list-keys attester@example.com

2472

# tru::1:1513631572:0:3:1:5

2473

# pub:...<SNIP>...

2474

# fpr:::::::::24FF6481B76AC91E66A00AC657A93A81EF3AE6FB:

2475

# ```

2476

# Above, the fingerprint is `24FF6481B76AC91E66A00AC657A93A81EF3AE6FB`.

},

},

},

"deployment": { # Details of a deployment occurrence. # Describes the deployment of an artifact on a runtime.

2481

"deployment": { # The period during which some deployable was active in a runtime. # Required. Deployment history for the resource.

2482

"undeployTime": "A String", # End of the lifetime of this deployment.

2483

"userEmail": "A String", # Identity of the user that triggered this deployment.

2484

"resourceUri": [ # Output only. Resource URI for the artifact being deployed taken from

2485

# the deployable field with the same name.

2486

"A String",

2487

],

2488

"platform": "A String", # Platform hosting this deployment.

2489

"config": "A String", # Configuration used to create this deployment.

2490

"deployTime": "A String", # Required. Beginning of the lifetime of this deployment.

2491

"address": "A String", # Address of the runtime element hosting this deployment.

2492

},

2493

},

2494

"noteName": "A String", # Required. Immutable. The analysis note associated with this occurrence, in

2495

# the form of `projects/[PROVIDER_ID]/notes/[NOTE_ID]`. This field can be

2496

# used as a filter in list requests.

2497

"installation": { # Details of a package occurrence. # Describes the installation of a package on the linked resource.

2498

"installation": { # This represents how a particular software package may be installed on a # Required. Where the package was installed.

2499

# system.

2500

"name": "A String", # Output only. The name of the installed package.

2501

"location": [ # Required. All of the places within the filesystem versions of this package

2502

# have been found.

2503

{ # An occurrence of a particular package installation found within a system's

2504

# filesystem. E.g., glibc was found in `/var/lib/dpkg/status`.

2505

"path": "A String", # The path from which we gathered that this package/version is installed.

2506

"cpeUri": "A String", # Required. The CPE URI in [CPE format](https://cpe.mitre.org/specification/)

2507

# denoting the package manager version distributing a package.

2508

"version": { # Version contains structured information about the version of a package. # The version installed at this location.

2509

"kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal

2510

# versions.

2511

"revision": "A String", # The iteration of the package build from the above version.

2512

"epoch": 42, # Used to correct mistakes in the version numbering scheme.

2513

"name": "A String", # Required only when version kind is NORMAL. The main part of the version

# name.

},

},

],

},

},

"vulnerability": { # Details of a vulnerability Occurrence. # Describes a security vulnerability.

2521

"shortDescription": "A String", # Output only. A one sentence description of this vulnerability.

2522

"relatedUrls": [ # Output only. URLs related to this vulnerability.

2523

{ # Metadata for any related URL information.

2524

"url": "A String", # Specific URL associated with the resource.

2525

"label": "A String", # Label to describe usage of the URL.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2526

},

2527

],

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame^]

2528

"effectiveSeverity": "A String", # The distro assigned severity for this vulnerability when it is

2529

# available, and note provider assigned severity when distro has not yet

2530

# assigned a severity for this vulnerability.

2531

"severity": "A String", # Output only. The note provider assigned Severity of the vulnerability.

2532

"type": "A String", # The type of package; whether native or non native(ruby gems, node.js

2533

# packages etc)

2534

"longDescription": "A String", # Output only. A detailed description of this vulnerability.

2535

"cvssScore": 3.14, # Output only. The CVSS score of this vulnerability. CVSS score is on a

2536

# scale of 0-10 where 0 indicates low severity and 10 indicates high

2537

# severity.

2538

"packageIssue": [ # Required. The set of affected locations and their fixes (if available)

2539

# within the associated resource.

2540

{ # This message wraps a location affected by a vulnerability and its

2541

# associated fix (if one is available).

2542

"fixedLocation": { # The location of the vulnerability. # The location of the available fix for vulnerability.

2543

"package": "A String", # Required. The package being described.

2544

"cpeUri": "A String", # Required. The CPE URI in [cpe format](https://cpe.mitre.org/specification/)

2545

# format. Examples include distro or storage location for vulnerable jar.

2546

"version": { # Version contains structured information about the version of a package. # Required. The version of the package being described.

2547

"kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal

2548

# versions.

2549

"revision": "A String", # The iteration of the package build from the above version.

2550

"epoch": 42, # Used to correct mistakes in the version numbering scheme.

2551

"name": "A String", # Required only when version kind is NORMAL. The main part of the version

# name.

},

},

"severityName": "A String", # Deprecated, use Details.effective_severity instead

2556

# The severity (e.g., distro assigned severity) for this vulnerability.

2557

"affectedLocation": { # The location of the vulnerability. # Required. The location of the vulnerability.

2558

"package": "A String", # Required. The package being described.

2559

"cpeUri": "A String", # Required. The CPE URI in [cpe format](https://cpe.mitre.org/specification/)

2560

# format. Examples include distro or storage location for vulnerable jar.

2561

"version": { # Version contains structured information about the version of a package. # Required. The version of the package being described.

2562

"kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal

2563

# versions.

2564

"revision": "A String", # The iteration of the package build from the above version.

2565

"epoch": 42, # Used to correct mistakes in the version numbering scheme.

2566

"name": "A String", # Required only when version kind is NORMAL. The main part of the version

# name.

},

},

},

],

},

"discovered": { # Details of a discovery occurrence. # Describes when a resource was discovered.

2574

"discovered": { # Provides information about the analysis status of a discovered resource. # Required. Analysis status for the discovered resource.

2575

"lastAnalysisTime": "A String", # The last time continuous analysis was done for this resource.

2576

# Deprecated, do not use.

2577

"analysisStatusError": { # The `Status` type defines a logical error model that is suitable for # When an error is encountered this will contain a LocalizedMessage under

2578

# details to show to the user. The LocalizedMessage is output only and

2579

# populated by the API.

2580

# different programming environments, including REST APIs and RPC APIs. It is

2581

# used by [gRPC](https://github.com/grpc). Each `Status` message contains

2582

# three pieces of data: error code, error message, and error details.

2583

#

2584

# You can find out more about this error model and how to work with it in the

2585

# [API Design Guide](https://cloud.google.com/apis/design/errors).

2586

"message": "A String", # A developer-facing error message, which should be in English. Any

2587

# user-facing error message should be localized and sent in the

2588

# google.rpc.Status.details field, or localized by the client.

2589

"code": 42, # The status code, which should be an enum value of google.rpc.Code.

2590

"details": [ # A list of messages that carry the error details. There is a common set of

2591

# message types for APIs to use.

2592

{

2593

"a_key": "", # Properties of the object. Contains field @type with type URL.

},

],

},

"continuousAnalysis": "A String", # Whether the resource is continuously analyzed.

2598

"analysisStatus": "A String", # The status of discovery for the resource.

2599

},

2600

},

2601

"updateTime": "A String", # Output only. The time this occurrence was last updated.

2602

"build": { # Details of a build occurrence. # Describes a verifiable build.

2603

"provenance": { # Provenance of a build. Contains all information needed to verify the full # Required. The actual provenance for the build.

2604

# details about the build from source to completion.

2605

"endTime": "A String", # Time at which execution of the build was finished.

2606

"builderVersion": "A String", # Version string of the builder at the time this build was executed.

2607

"startTime": "A String", # Time at which execution of the build was started.

2608

"creator": "A String", # E-mail address of the user who initiated this build. Note that this was the

2609

# user's e-mail address at the time the build was initiated; this address may

2610

# not represent the same end-user for all time.

2611

"logsUri": "A String", # URI where any logs for this provenance were written.

2612

"builtArtifacts": [ # Output of the build.

2613

{ # Artifact describes a build product.

2614

"names": [ # Related artifact names. This may be the path to a binary or jar file, or in

2615

# the case of a container build, the name used to push the container image to

2616

# Google Container Registry, as presented to `docker push`. Note that a

2617

# single Artifact ID can have multiple names, for example if two tags are

2618

# applied to one image.

2619

"A String",

2620

],

2621

"id": "A String", # Artifact ID, if any; for container images, this will be a URL by digest

2622

# like `gcr.io/projectID/imagename@sha256:123456`.

2623

"checksum": "A String", # Hash or checksum value of a binary, or Docker Registry 2.0 digest of a

# container.

},

],

"buildOptions": { # Special options applied to this build. This is a catch-all field where

2628

# build providers can enter any desired additional details.

2629

"a_key": "A String",

2630

},

2631

"id": "A String", # Required. Unique identifier of the build.

2632

"projectId": "A String", # ID of the project.

2633

"commands": [ # Commands requested by the build.

2634

{ # Command describes a step performed as part of the build pipeline.

2635

"waitFor": [ # The ID(s) of the command(s) that this command depends on.

2636

"A String",

2637

],

2638

"id": "A String", # Optional unique identifier for this command, used in wait_for to reference

2639

# this command as a dependency.

2640

"dir": "A String", # Working directory (relative to project source root) used when running this

2641

# command.

2642

"args": [ # Command-line arguments used when executing this command.

2643

"A String",

2644

],

2645

"name": "A String", # Required. Name of the command, as presented on the command line, or if the

2646

# command is packaged as a Docker container, as presented to `docker pull`.

2647

"env": [ # Environment variables set before running this command.

"A String",

],

},

],

"sourceProvenance": { # Source describes the location of the source used for the build. # Details of the Source input to the build.

2653

"context": { # A SourceContext is a reference to a tree of files. A SourceContext together # If provided, the source code used for the build came from this location.

2654

# with a path point to a unique revision of a single file or directory.

2655

"labels": { # Labels with user defined metadata.

2656

"a_key": "A String",

2657

},

2658

"gerrit": { # A SourceContext referring to a Gerrit project. # A SourceContext referring to a Gerrit project.

2659

"hostUri": "A String", # The URI of a running Gerrit instance.

2660

"revisionId": "A String", # A revision (commit) ID.

2661

"gerritProject": "A String", # The full project name within the host. Projects may be nested, so

2662

# "project/subproject" is a valid project name. The "repo name" is the

2663

# hostURI/project.

2664

"aliasContext": { # An alias to a repo revision. # An alias, which may be a branch or tag.

2665

"kind": "A String", # The alias kind.

2666

"name": "A String", # The alias name.

2667

},

2668

},

2669

"git": { # A GitSourceContext denotes a particular revision in a third party Git # A SourceContext referring to any third party Git repo (e.g., GitHub).

2670

# repository (e.g., GitHub).

2671

"revisionId": "A String", # Git commit hash.

2672

"url": "A String", # Git repository URL.

2673

},

2674

"cloudRepo": { # A CloudRepoSourceContext denotes a particular revision in a Google Cloud # A SourceContext referring to a revision in a Google Cloud Source Repo.

2675

# Source Repo.

2676

"revisionId": "A String", # A revision ID.

2677

"repoId": { # A unique identifier for a Cloud Repo. # The ID of the repo.

2678

"uid": "A String", # A server-assigned, globally unique identifier.

2679

"projectRepoId": { # Selects a repo using a Google Cloud Platform project ID (e.g., # A combination of a project ID and a repo name.

2680

# winged-cargo-31) and a repo name within that project.

2681

"projectId": "A String", # The ID of the project.

2682

"repoName": "A String", # The name of the repo. Leave empty for the default repo.

2683

},

2684

},

2685

"aliasContext": { # An alias to a repo revision. # An alias, which may be a branch or tag.

2686

"kind": "A String", # The alias kind.

2687

"name": "A String", # The alias name.

},

},

},

"artifactStorageSourceUri": "A String", # If provided, the input binary artifacts for the build came from this

2692

# location.

2693

"fileHashes": { # Hash(es) of the build source, which can be used to verify that the original

2694

# source integrity was maintained in the build.

2695

#

2696

# The keys to this map are file paths used as build source and the values

2697

# contain the hash values for those files.

2698

#

2699

# If the build source came in a single package such as a gzipped tarfile

2700

# (.tar.gz), the FileHash will be for the single path to that file.

2701

"a_key": { # Container message for hashes of byte content of files, used in source

2702

# messages to verify integrity of source input to the build.

2703

"fileHash": [ # Required. Collection of file hashes.

2704

{ # Container message for hash values.

2705

"type": "A String", # Required. The type of hash that was performed.

2706

"value": "A String", # Required. The hash value.

},

],

},

},

"additionalContexts": [ # If provided, some of the source code used for the build may be found in

2712

# these locations, in the case where the source repository had multiple

2713

# remotes or submodules. This list will not include the context specified in

2714

# the context field.

2715

{ # A SourceContext is a reference to a tree of files. A SourceContext together

2716

# with a path point to a unique revision of a single file or directory.

2717

"labels": { # Labels with user defined metadata.

2718

"a_key": "A String",

2719

},

2720

"gerrit": { # A SourceContext referring to a Gerrit project. # A SourceContext referring to a Gerrit project.

2721

"hostUri": "A String", # The URI of a running Gerrit instance.

2722

"revisionId": "A String", # A revision (commit) ID.

2723

"gerritProject": "A String", # The full project name within the host. Projects may be nested, so

2724

# "project/subproject" is a valid project name. The "repo name" is the

2725

# hostURI/project.

2726

"aliasContext": { # An alias to a repo revision. # An alias, which may be a branch or tag.

2727

"kind": "A String", # The alias kind.

2728

"name": "A String", # The alias name.

2729

},

2730

},

2731

"git": { # A GitSourceContext denotes a particular revision in a third party Git # A SourceContext referring to any third party Git repo (e.g., GitHub).

2732

# repository (e.g., GitHub).

2733

"revisionId": "A String", # Git commit hash.

2734

"url": "A String", # Git repository URL.

2735

},

2736

"cloudRepo": { # A CloudRepoSourceContext denotes a particular revision in a Google Cloud # A SourceContext referring to a revision in a Google Cloud Source Repo.

2737

# Source Repo.

2738

"revisionId": "A String", # A revision ID.

2739

"repoId": { # A unique identifier for a Cloud Repo. # The ID of the repo.

2740

"uid": "A String", # A server-assigned, globally unique identifier.

2741

"projectRepoId": { # Selects a repo using a Google Cloud Platform project ID (e.g., # A combination of a project ID and a repo name.

2742

# winged-cargo-31) and a repo name within that project.

2743

"projectId": "A String", # The ID of the project.

2744

"repoName": "A String", # The name of the repo. Leave empty for the default repo.

2745

},

2746

},

2747

"aliasContext": { # An alias to a repo revision. # An alias, which may be a branch or tag.

2748

"kind": "A String", # The alias kind.

2749

"name": "A String", # The alias name.

},

},

},

],

},

"triggerId": "A String", # Trigger identifier if the build was triggered automatically; empty if not.

2756

"createTime": "A String", # Time at which the build was created.

2757

},

2758

"provenanceBytes": "A String", # Serialized JSON representation of the provenance, used in generating the

2759

# build signature in the corresponding build note. After verifying the

2760

# signature, `provenance_bytes` can be unmarshalled and compared to the

2761

# provenance to confirm that it is unchanged. A base64-encoded string

2762

# representation of the provenance bytes is used for the signature in order

2763

# to interoperate with openssl which expects this format for signature

2764

# verification.

2765

#

2766

# The serialized form is captured both to avoid ambiguity in how the

2767

# provenance is marshalled to json as well to prevent incompatibilities with

2768

# future changes.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2769

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2770

"derivedImage": { # Details of an image occurrence. # Describes how this resource derives from the basis in the associated

2771

# note.

2772

"derivedImage": { # Derived describes the derived image portion (Occurrence) of the DockerImage # Required. Immutable. The child image derived from the base image.

2773

# relationship. This image would be produced from a Dockerfile with FROM

2774

# <DockerImage.Basis in attached Note>.

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame^]

2775

"baseResourceUrl": "A String", # Output only. This contains the base image URL for the derived image

2776

# occurrence.

2777

"distance": 42, # Output only. The number of layers by which this image differs from the

2778

# associated image basis.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2779

"layerInfo": [ # This contains layer-specific metadata, if populated it has length

2780

# "distance" and is ordered with [distance] being the layer immediately

2781

# following the base image and [1] being the final layer.

2782

{ # Layer holds metadata specific to a layer of a Docker image.

2783

"directive": "A String", # Required. The recovered Dockerfile directive used to construct this layer.

2784

"arguments": "A String", # The recovered arguments to the Dockerfile directive.

2785

},

2786

],

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame^]

2787

"fingerprint": { # A set of properties that uniquely identify a given Docker image. # Required. The fingerprint of the derived image.

2788

"v1Name": "A String", # Required. The layer ID of the final layer in the Docker image's v1

2789

# representation.

2790

"v2Blob": [ # Required. The ordered list of v2 blobs that represent a given image.

2791

"A String",

2792

],

2793

"v2Name": "A String", # Output only. The name of the image's v2 blobs computed via:

2794

# [bottom] := v2_blobbottom := sha256(v2_blob[N] + " " + v2_name[N+1])

2795

# Only the name of the final blob is kept.

2796

},

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2797

},

2798

},

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame^]

2799

"kind": "A String", # Output only. This explicitly denotes which of the occurrence details are

2800

# specified. This field can be used as a filter in list requests.

2801

"remediation": "A String", # A description of actions that can be taken to remedy the note.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

}</pre>

</div>

<code class="details" id="getIamPolicy">getIamPolicy(resource, body=None, x__xgafv=None)</code>

2807

<pre>Gets the access control policy for a note or an occurrence resource.

2808

Requires `containeranalysis.notes.setIamPolicy` or

2809

`containeranalysis.occurrences.setIamPolicy` permission if the resource is

2810

a note or occurrence, respectively.

2811

2812

The resource takes the format `projects/[PROJECT_ID]/notes/[NOTE_ID]` for

2813

notes and `projects/[PROJECT_ID]/occurrences/[OCCURRENCE_ID]` for

occurrences.

Args:

resource: string, REQUIRED: The resource for which the policy is being requested.

2818

See the operation documentation for the appropriate value for this field. (required)

2819

body: object, The request body.

2820

The object takes the form of:

2821

2822

{ # Request message for `GetIamPolicy` method.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2823

"options": { # Encapsulates settings provided to GetIamPolicy. # OPTIONAL: A `GetPolicyOptions` object for specifying options to

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

2824

# `GetIamPolicy`.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2825

"requestedPolicyVersion": 42, # Optional. The policy format version to be returned.

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

2826

#

2827

# Valid values are 0, 1, and 3. Requests specifying an invalid value will be

2828

# rejected.

2829

#

2830

# Requests for policies with any conditional bindings must specify version 3.

2831

# Policies without any conditional bindings may specify any valid value or

2832

# leave the field unset.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2833

#

2834

# To learn which resources support conditions in their IAM policies, see the

2835

# [IAM

2836

# documentation](https://cloud.google.com/iam/help/conditions/resource-policies).

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

2837

},

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2838

}

2839

2840

x__xgafv: string, V1 error format.

Allowed values

1 - v1 error format

2 - v2 error format

Returns:

An object of the form:

2847

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

2848

{ # An Identity and Access Management (IAM) policy, which specifies access

2849

# controls for Google Cloud resources.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2850

#

2851

#

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

2852

# A `Policy` is a collection of `bindings`. A `binding` binds one or more

2853

# `members` to a single `role`. Members can be user accounts, service accounts,

2854

# Google groups, and domains (such as G Suite). A `role` is a named list of

2855

# permissions; each `role` can be an IAM predefined role or a user-created

2856

# custom role.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2857

#

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2858

# For some types of Google Cloud resources, a `binding` can also specify a

2859

# `condition`, which is a logical expression that allows access to a resource

2860

# only if the expression evaluates to `true`. A condition can add constraints

2861

# based on attributes of the request, the resource, or both. To learn which

2862

# resources support conditions in their IAM policies, see the

2863

# [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies).

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

2864

#

2865

# **JSON example:**

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2866

#

2867

# {

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2868

# "bindings": [

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2869

# {

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2870

# "role": "roles/resourcemanager.organizationAdmin",

2871

# "members": [

2872

# "user:mike@example.com",

2873

# "group:admins@example.com",

2874

# "domain:google.com",

2875

# "serviceAccount:my-project-id@appspot.gserviceaccount.com"

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2876

# ]

2877

# },

2878

# {

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2879

# "role": "roles/resourcemanager.organizationViewer",

2880

# "members": [

2881

# "user:eve@example.com"

2882

# ],

2883

# "condition": {

2884

# "title": "expirable access",

2885

# "description": "Does not grant access after Sep 2020",

2886

# "expression": "request.time < timestamp('2020-10-01T00:00:00.000Z')",

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

2887

# }

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2888

# }

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

2889

# ],

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2890

# "etag": "BwWWja0YfJA=",

2891

# "version": 3

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2892

# }

2893

#

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

2894

# **YAML example:**

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

#

# bindings:

# - members:

# - user:mike@example.com

2899

# - group:admins@example.com

2900

# - domain:google.com

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

2901

# - serviceAccount:my-project-id@appspot.gserviceaccount.com

2902

# role: roles/resourcemanager.organizationAdmin

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2903

# - members:

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

2904

# - user:eve@example.com

2905

# role: roles/resourcemanager.organizationViewer

2906

# condition:

2907

# title: expirable access

2908

# description: Does not grant access after Sep 2020

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2909

# expression: request.time < timestamp('2020-10-01T00:00:00.000Z')

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

2910

# - etag: BwWWja0YfJA=

2911

# - version: 3

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2912

#

2913

# For a description of IAM and its features, see the

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

2914

# [IAM documentation](https://cloud.google.com/iam/docs/).

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

2915

"etag": "A String", # `etag` is used for optimistic concurrency control as a way to help

2916

# prevent simultaneous updates of a policy from overwriting each other.

2917

# It is strongly suggested that systems make use of the `etag` in the

2918

# read-modify-write cycle to perform policy updates in order to avoid race

2919

# conditions: An `etag` is returned in the response to `getIamPolicy`, and

2920

# systems are expected to put that etag in the request to `setIamPolicy` to

2921

# ensure that their change will be applied to the same version of the policy.

2922

#

2923

# **Important:** If you use IAM Conditions, you must include the `etag` field

2924

# whenever you call `setIamPolicy`. If you omit this field, then IAM allows

2925

# you to overwrite a version `3` policy with a version `1` policy, and all of

2926

# the conditions in the version `3` policy are lost.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2927

"version": 42, # Specifies the format of the policy.

2928

#

2929

# Valid values are `0`, `1`, and `3`. Requests that specify an invalid value

2930

# are rejected.

2931

#

2932

# Any operation that affects conditional role bindings must specify version

2933

# `3`. This requirement applies to the following operations:

2934

#

2935

# * Getting a policy that includes a conditional role binding

2936

# * Adding a conditional role binding to a policy

2937

# * Changing a conditional role binding in a policy

2938

# * Removing any role binding, with or without a condition, from a policy

2939

# that includes conditions

2940

#

2941

# **Important:** If you use IAM Conditions, you must include the `etag` field

2942

# whenever you call `setIamPolicy`. If you omit this field, then IAM allows

2943

# you to overwrite a version `3` policy with a version `1` policy, and all of

2944

# the conditions in the version `3` policy are lost.

2945

#

2946

# If a policy does not include any conditions, operations on that policy may

2947

# specify any valid version or leave the field unset.

2948

#

2949

# To learn which resources support conditions in their IAM policies, see the

2950

# [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies).

2951

"bindings": [ # Associates a list of `members` to a `role`. Optionally, may specify a

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

2952

# `condition` that determines how and when the `bindings` are applied. Each

2953

# of the `bindings` must contain at least one member.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2954

{ # Associates `members` with a `role`.

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame^]

2955

"members": [ # Specifies the identities requesting access for a Cloud Platform resource.

2956

# `members` can have the following values:

2957

#

2958

# * `allUsers`: A special identifier that represents anyone who is

2959

# on the internet; with or without a Google account.

2960

#

2961

# * `allAuthenticatedUsers`: A special identifier that represents anyone

2962

# who is authenticated with a Google account or a service account.

2963

#

2964

# * `user:{emailid}`: An email address that represents a specific Google

2965

# account. For example, `alice@example.com` .

2966

#

2967

#

2968

# * `serviceAccount:{emailid}`: An email address that represents a service

2969

# account. For example, `my-other-app@appspot.gserviceaccount.com`.

2970

#

2971

# * `group:{emailid}`: An email address that represents a Google group.

2972

# For example, `admins@example.com`.

2973

#

2974

# * `deleted:user:{emailid}?uid={uniqueid}`: An email address (plus unique

2975

# identifier) representing a user that has been recently deleted. For

2976

# example, `alice@example.com?uid=123456789012345678901`. If the user is

2977

# recovered, this value reverts to `user:{emailid}` and the recovered user

2978

# retains the role in the binding.

2979

#

2980

# * `deleted:serviceAccount:{emailid}?uid={uniqueid}`: An email address (plus

2981

# unique identifier) representing a service account that has been recently

2982

# deleted. For example,

2983

# `my-other-app@appspot.gserviceaccount.com?uid=123456789012345678901`.

2984

# If the service account is undeleted, this value reverts to

2985

# `serviceAccount:{emailid}` and the undeleted service account retains the

2986

# role in the binding.

2987

#

2988

# * `deleted:group:{emailid}?uid={uniqueid}`: An email address (plus unique

2989

# identifier) representing a Google group that has been recently

2990

# deleted. For example, `admins@example.com?uid=123456789012345678901`. If

2991

# the group is recovered, this value reverts to `group:{emailid}` and the

2992

# recovered group retains the role in the binding.

2993

#

2994

#

2995

# * `domain:{domain}`: The G Suite domain (primary) that represents all the

2996

# users of that domain. For example, `google.com` or `example.com`.

2997

#

2998

"A String",

2999

],

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

3000

"condition": { # Represents a textual expression in the Common Expression Language (CEL) # The condition that is associated with this binding.

3001

#

3002

# If the condition evaluates to `true`, then this binding applies to the

3003

# current request.

3004

#

3005

# If the condition evaluates to `false`, then this binding does not apply to

3006

# the current request. However, a different role binding might grant the same

3007

# role to one or more of the members in this binding.

3008

#

3009

# To learn which resources support conditions in their IAM policies, see the

3010

# [IAM

3011

# documentation](https://cloud.google.com/iam/help/conditions/resource-policies).

3012

# syntax. CEL is a C-like expression language. The syntax and semantics of CEL

3013

# are documented at https://github.com/google/cel-spec.

3014

#

3015

# Example (Comparison):

3016

#

3017

# title: "Summary size limit"

3018

# description: "Determines if a summary is less than 100 chars"

3019

# expression: "document.summary.size() < 100"

3020

#

3021

# Example (Equality):

3022

#

3023

# title: "Requestor is owner"

3024

# description: "Determines if requestor is the document owner"

3025

# expression: "document.owner == request.auth.claims.email"

#

# Example (Logic):

#

# title: "Public documents"

3030

# description: "Determine whether the document should be publicly visible"

3031

# expression: "document.type != 'private' && document.type != 'internal'"

3032

#

3033

# Example (Data Manipulation):

3034

#

3035

# title: "Notification string"

3036

# description: "Create a notification string with a timestamp."

3037

# expression: "'New message received at ' + string(document.create_time)"

3038

#

3039

# The exact variables and functions that may be referenced within an expression

3040

# are determined by the service that evaluates it. See the service

3041

# documentation for additional information.

3042

"description": "A String", # Optional. Description of the expression. This is a longer text which

3043

# describes the expression, e.g. when hovered over it in a UI.

3044

"expression": "A String", # Textual representation of an expression in Common Expression Language

3045

# syntax.

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame^]

3046

"location": "A String", # Optional. String indicating the location of the expression for error

3047

# reporting, e.g. a file name and a position in the file.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

3048

"title": "A String", # Optional. Title for the expression, i.e. a short string describing

3049

# its purpose. This can be used e.g. in UIs which allow to enter the

3050

# expression.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

3051

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

3052

"role": "A String", # Role that is assigned to `members`.

3053

# For example, `roles/viewer`, `roles/editor`, or `roles/owner`.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

3054

},

3055

],

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

}</pre>

</div>

<code class="details" id="getNotes">getNotes(name, x__xgafv=None)</code>

3061

<pre>Gets the note attached to the specified occurrence. Consumer projects can

3062

use this method to get a note that belongs to a provider project.

3063

3064

Args:

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

3065

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

3066

`projects/[PROJECT_ID]/occurrences/[OCCURRENCE_ID]`. (required)

3067

x__xgafv: string, V1 error format.

Allowed values

1 - v1 error format

2 - v2 error format

Returns:

An object of the form:

3074

3075

{ # A type of analysis that can be done for a resource.

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame^]

3076

"discovery": { # A note that indicates a type of analysis a provider would perform. This note # A note describing the initial analysis of a resource.

3077

# exists in a provider's project. A `Discovery` occurrence is created in a

3078

# consumer's project at the start of analysis.

3079

"analysisKind": "A String", # Required. Immutable. The kind of analysis that is handled by this

3080

# discovery.

3081

},

3082

"name": "A String", # Output only. The name of the note in the form of

3083

# `projects/[PROVIDER_ID]/notes/[NOTE_ID]`.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

3084

"attestationAuthority": { # Note kind that represents a logical attestation "role" or "authority". For # A note describing an attestation role.

3085

# example, an organization might have one `Authority` for "QA" and one for

3086

# "build". This note is intended to act strictly as a grouping mechanism for

3087

# the attached occurrences (Attestations). This grouping mechanism also

3088

# provides a security boundary, since IAM ACLs gate the ability for a principle

3089

# to attach an occurrence to a given note. It also provides a single point of

3090

# lookup to find all attached attestation occurrences, even if they don't all

3091

# live in the same project.

3092

"hint": { # This submessage provides human-readable hints about the purpose of the # Hint hints at the purpose of the attestation authority.

3093

# authority. Because the name of a note acts as its resource reference, it is

3094

# important to disambiguate the canonical name of the Note (which might be a

3095

# UUID for security purposes) from "readable" names more suitable for debug

3096

# output. Note that these hints should not be used to look up authorities in

3097

# security sensitive contexts, such as when looking up attestations to

3098

# verify.

3099

"humanReadableName": "A String", # Required. The human readable name of this attestation authority, for

3100

# example "qa".

3101

},

3102

},

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame^]

3103

"intoto": { # This contains the fields corresponding to the definition of a software supply # A note describing an in-toto link.

3104

# chain step in an in-toto layout. This information goes into a Grafeas note.

3105

"expectedMaterials": [ # The following fields contain in-toto artifact rules identifying the

3106

# artifacts that enter this supply chain step, and exit the supply chain

3107

# step, i.e. materials and products of the step.

3108

{ # Defines an object to declare an in-toto artifact rule

3109

"artifactRule": [

3110

"A String",

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

3111

],

3112

},

3113

],

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

3114

"expectedProducts": [

3115

{ # Defines an object to declare an in-toto artifact rule

"artifactRule": [

"A String",

],

},

],

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

3121

"signingKeys": [ # This field contains the public keys that can be used to verify the

3122

# signatures on the step metadata.

3123

{ # This defines the format used to record keys used in the software supply

3124

# chain. An in-toto link is attested using one or more keys defined in the

3125

# in-toto layout. An example of this is:

3126

# {

3127

# "key_id": "776a00e29f3559e0141b3b096f696abc6cfb0c657ab40f441132b345b0...",

3128

# "key_type": "rsa",

3129

# "public_key_value": "-----BEGIN PUBLIC KEY-----\nMIIBojANBgkqhkiG9w0B...",

3130

# "key_scheme": "rsassa-pss-sha256"

3131

# }

3132

# The format for in-toto's key definition can be found in section 4.2 of the

3133

# in-toto specification.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

3134

"keyScheme": "A String", # This field contains the corresponding signature scheme.

3135

# Eg: "rsassa-pss-sha256".

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame^]

3136

"keyType": "A String", # This field identifies the specific signing method. Eg: "rsa", "ed25519",

3137

# and "ecdsa".

3138

"keyId": "A String", # key_id is an identifier for the signing key.

3139

"publicKeyValue": "A String", # This field contains the actual public key.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

3140

},

3141

],

3142

"threshold": "A String", # This field contains a value that indicates the minimum number of keys that

3143

# need to be used to sign the step's in-toto link.

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame^]

3144

"stepName": "A String", # This field identifies the name of the step in the supply chain.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

3145

"expectedCommand": [ # This field contains the expected command used to perform the step.

3146

"A String",

3147

],

3148

},

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame^]

3149

"kind": "A String", # Output only. The type of analysis. This field can be used as a filter in

3150

# list requests.

3151

"longDescription": "A String", # A detailed description of this note.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

3152

"baseImage": { # Basis describes the base image portion (Note) of the DockerImage # A note describing a base image.

3153

# relationship. Linked occurrences are derived from this or an

3154

# equivalent image via:

3155

# FROM <Basis.resource_url>

3156

# Or an equivalent reference, e.g. a tag of the resource_url.

3157

"fingerprint": { # A set of properties that uniquely identify a given Docker image. # Required. Immutable. The fingerprint of the base image.

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame^]

3158

"v1Name": "A String", # Required. The layer ID of the final layer in the Docker image's v1

3159

# representation.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

3160

"v2Blob": [ # Required. The ordered list of v2 blobs that represent a given image.

3161

"A String",

3162

],

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

3163

"v2Name": "A String", # Output only. The name of the image's v2 blobs computed via:

3164

# [bottom] := v2_blobbottom := sha256(v2_blob[N] + " " + v2_name[N+1])

3165

# Only the name of the final blob is kept.

3166

},

3167

"resourceUrl": "A String", # Required. Immutable. The resource_url for the resource representing the

3168

# basis of associated occurrence images.

3169

},

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame^]

3170

"updateTime": "A String", # Output only. The time this note was last updated. This field can be used as

3171

# a filter in list requests.

3172

"build": { # Note holding the version of the provider's builder and the signature of the # A note describing build provenance for a verifiable build.

3173

# provenance message in the build details occurrence.

3174

"builderVersion": "A String", # Required. Immutable. Version of the builder which produced this build.

3175

"signature": { # Message encapsulating the signature of the verified build. # Signature of the build in occurrences pointing to this build note

3176

# containing build details.

3177

"publicKey": "A String", # Public key of the builder which can be used to verify that the related

3178

# findings are valid and unchanged. If `key_type` is empty, this defaults

3179

# to PEM encoded public keys.

3180

#

3181

# This field may be empty if `key_id` references an external key.

3182

#

3183

# For Cloud Build based signatures, this is a PEM encoded public

3184

# key. To verify the Cloud Build signature, place the contents of

3185

# this field into a file (public.pem). The signature field is base64-decoded

3186

# into its binary representation in signature.bin, and the provenance bytes

3187

# from `BuildDetails` are base64-decoded into a binary representation in

3188

# signed.bin. OpenSSL can then verify the signature:

3189

# `openssl sha256 -verify public.pem -signature signature.bin signed.bin`

3190

"keyType": "A String", # The type of the key, either stored in `public_key` or referenced in

3191

# `key_id`.

3192

"signature": "A String", # Required. Signature of the related `BuildProvenance`. In JSON, this is

3193

# base-64 encoded.

3194

"keyId": "A String", # An ID for the key used to sign. This could be either an ID for the key

3195

# stored in `public_key` (such as the ID or fingerprint for a PGP key, or the

3196

# CN for a cert), or a reference to an external key (such as a reference to a

3197

# key in Cloud Key Management Service).

3198

},

3199

},

3200

"expirationTime": "A String", # Time of expiration for this note. Empty if note does not expire.

3201

"relatedUrl": [ # URLs associated with this note.

3202

{ # Metadata for any related URL information.

3203

"url": "A String", # Specific URL associated with the resource.

3204

"label": "A String", # Label to describe usage of the URL.

3205

},

3206

],

3207

"vulnerability": { # Vulnerability provides metadata about a security vulnerability in a Note. # A note describing a package vulnerability.

3208

"cvssScore": 3.14, # The CVSS score for this vulnerability.

3209

"windowsDetails": [ # Windows details get their own format because the information format and

3210

# model don't match a normal detail. Specifically Windows updates are done as

3211

# patches, thus Windows vulnerabilities really are a missing package, rather

3212

# than a package being at an incorrect version.

3213

{

3214

"name": "A String", # Required. The name of the vulnerability.

3215

"cpeUri": "A String", # Required. The CPE URI in

3216

# [cpe format](https://cpe.mitre.org/specification/) in which the

3217

# vulnerability manifests. Examples include distro or storage location for

3218

# vulnerable jar.

3219

"fixingKbs": [ # Required. The names of the KBs which have hotfixes to mitigate this

3220

# vulnerability. Note that there may be multiple hotfixes (and thus

3221

# multiple KBs) that mitigate a given vulnerability. Currently any listed

3222

# kb's presence is considered a fix.

3223

{

3224

"name": "A String", # The KB name (generally of the form KB[0-9]+ i.e. KB123456).

3225

"url": "A String", # A link to the KB in the Windows update catalog -

3226

# https://www.catalog.update.microsoft.com/

3227

},

3228

],

3229

"description": "A String", # The description of the vulnerability.

3230

},

3231

],

3232

"sourceUpdateTime": "A String", # The time this information was last changed at the source. This is an

3233

# upstream timestamp from the underlying information source - e.g. Ubuntu

3234

# security tracker.

3235

"severity": "A String", # Note provider assigned impact of the vulnerability.

3236

"details": [ # All information about the package to specifically identify this

3237

# vulnerability. One entry per (version range and cpe_uri) the package

3238

# vulnerability has manifested in.

3239

{ # Identifies all appearances of this vulnerability in the package for a

3240

# specific distro/location. For example: glibc in

3241

# cpe:/o:debian:debian_linux:8 for versions 2.1 - 2.2

3242

"sourceUpdateTime": "A String", # The time this information was last changed at the source. This is an

3243

# upstream timestamp from the underlying information source - e.g. Ubuntu

3244

# security tracker.

3245

"packageType": "A String", # The type of package; whether native or non native(ruby gems, node.js

3246

# packages etc).

3247

"fixedLocation": { # The location of the vulnerability. # The fix for this specific package version.

3248

"package": "A String", # Required. The package being described.

3249

"cpeUri": "A String", # Required. The CPE URI in [cpe format](https://cpe.mitre.org/specification/)

3250

# format. Examples include distro or storage location for vulnerable jar.

3251

"version": { # Version contains structured information about the version of a package. # Required. The version of the package being described.

3252

"kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal

3253

# versions.

3254

"revision": "A String", # The iteration of the package build from the above version.

3255

"epoch": 42, # Used to correct mistakes in the version numbering scheme.

3256

"name": "A String", # Required only when version kind is NORMAL. The main part of the version

# name.

},

},

"minAffectedVersion": { # Version contains structured information about the version of a package. # The min version of the package in which the vulnerability exists.

3261

"kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal

3262

# versions.

3263

"revision": "A String", # The iteration of the package build from the above version.

3264

"epoch": 42, # Used to correct mistakes in the version numbering scheme.

3265

"name": "A String", # Required only when version kind is NORMAL. The main part of the version

3266

# name.

3267

},

3268

"cpeUri": "A String", # Required. The CPE URI in

3269

# [cpe format](https://cpe.mitre.org/specification/) in which the

3270

# vulnerability manifests. Examples include distro or storage location for

3271

# vulnerable jar.

3272

"isObsolete": True or False, # Whether this detail is obsolete. Occurrences are expected not to point to

3273

# obsolete details.

3274

"description": "A String", # A vendor-specific description of this note.

3275

"maxAffectedVersion": { # Version contains structured information about the version of a package. # The max version of the package in which the vulnerability exists.

3276

"kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal

3277

# versions.

3278

"revision": "A String", # The iteration of the package build from the above version.

3279

"epoch": 42, # Used to correct mistakes in the version numbering scheme.

3280

"name": "A String", # Required only when version kind is NORMAL. The main part of the version

3281

# name.

3282

},

3283

"package": "A String", # Required. The name of the package where the vulnerability was found.

3284

"severityName": "A String", # The severity (eg: distro assigned severity) for this vulnerability.

3285

},

3286

],

3287

"cvssV3": { # Common Vulnerability Scoring System version 3. # The full description of the CVSSv3.

3288

# For details, see https://www.first.org/cvss/specification-document

3289

"baseScore": 3.14, # The base score is a function of the base metric scores.

3290

"confidentialityImpact": "A String",

3291

"availabilityImpact": "A String",

3292

"attackVector": "A String", # Base Metrics

3293

# Represents the intrinsic characteristics of a vulnerability that are

3294

# constant over time and across user environments.

3295

"privilegesRequired": "A String",

3296

"impactScore": 3.14,

3297

"attackComplexity": "A String",

3298

"scope": "A String",

3299

"exploitabilityScore": 3.14,

3300

"userInteraction": "A String",

3301

"integrityImpact": "A String",

3302

},

3303

},

3304

"shortDescription": "A String", # A one sentence description of this note.

3305

"relatedNoteNames": [ # Other notes related to this note.

3306

"A String",

3307

],

3308

"createTime": "A String", # Output only. The time this note was created. This field can be used as a

3309

# filter in list requests.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

3310

"deployable": { # An artifact that can be deployed in some runtime. # A note describing something that can be deployed.

3311

"resourceUri": [ # Required. Resource URI for the artifact being deployed.

3312

"A String",

3313

],

3314

},

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame^]

3315

"package": { # This represents a particular package that is distributed over various # A note describing a package hosted by various package managers.

3316

# channels. E.g., glibc (aka libc6) is distributed by many, at various

3317

# versions.

3318

"distribution": [ # The various channels by which a package is distributed.

3319

{ # This represents a particular channel of distribution for a given package.

3320

# E.g., Debian's jessie-backports dpkg mirror.

3321

"latestVersion": { # Version contains structured information about the version of a package. # The latest available version of this package in this distribution channel.

3322

"kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal

3323

# versions.

3324

"revision": "A String", # The iteration of the package build from the above version.

3325

"epoch": 42, # Used to correct mistakes in the version numbering scheme.

3326

"name": "A String", # Required only when version kind is NORMAL. The main part of the version

3327

# name.

3328

},

3329

"url": "A String", # The distribution channel-specific homepage for this package.

3330

"cpeUri": "A String", # Required. The cpe_uri in [CPE format](https://cpe.mitre.org/specification/)

3331

# denoting the package manager version distributing a package.

3332

"description": "A String", # The distribution channel-specific description of this package.

3333

"architecture": "A String", # The CPU architecture for which packages in this distribution channel were

3334

# built.

3335

"maintainer": "A String", # A freeform string denoting the maintainer of this package.

3336

},

3337

],

3338

"name": "A String", # Required. Immutable. The name of the package.

3339

},

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

}</pre>

</div>

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

3344

<code class="details" id="getVulnerabilitySummary">getVulnerabilitySummary(parent, filter=None, x__xgafv=None)</code>

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

3345

<pre>Gets a summary of the number and severity of occurrences.

3346

3347

Args:

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

3348

parent: string, Required. The name of the project to get a vulnerability summary for in the form of

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

3349

`projects/[PROJECT_ID]`. (required)

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

3350

filter: string, The filter expression.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

3351

x__xgafv: string, V1 error format.

3352

Allowed values

3353

1 - v1 error format

3354

2 - v2 error format

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

3355

3356

Returns:

3357

An object of the form:

3358

3359

{ # A summary of how many vulnerability occurrences there are per resource and

3360

# severity type.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

3361

"counts": [ # A listing by resource of the number of fixable and total vulnerabilities.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

3362

{ # Per resource and severity counts of fixable and total vulnerabilities.

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame^]

3363

"severity": "A String", # The severity for this count. SEVERITY_UNSPECIFIED indicates total across

3364

# all severities.

3365

"fixableCount": "A String", # The number of fixable vulnerabilities associated with this resource.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

3366

"resource": { # An entity that can have metadata. For example, a Docker image. # The affected resource.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

3367

"contentHash": { # Container message for hash values. # Deprecated, do not use. Use uri instead.

3368

#

3369

# The hash of the resource content. For example, the Docker digest.

3370

"type": "A String", # Required. The type of hash that was performed.

3371

"value": "A String", # Required. The hash value.

3372

},

3373

"uri": "A String", # Required. The unique URI of the resource. For example,

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

3374

# `https://gcr.io/project/image@sha256:foo` for a Docker image.

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame^]

3375

"name": "A String", # Deprecated, do not use. Use uri instead.

3376

#

3377

# The name of the resource. For example, the name of a Docker image -

3378

# "Debian".

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

3379

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

3380

"totalCount": "A String", # The total number of vulnerabilities associated with this resource.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

},

],

}</pre>

</div>

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

3387

<code class="details" id="list">list(parent, filter=None, pageToken=None, pageSize=None, x__xgafv=None)</code>

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

3388

<pre>Lists occurrences for the specified project.

3389

3390

Args:

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

3391

parent: string, Required. The name of the project to list occurrences for in the form of

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

3392

`projects/[PROJECT_ID]`. (required)

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

3393

filter: string, The filter expression.

3394

pageToken: string, Token to provide to skip to a particular spot in the list.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

3395

pageSize: integer, Number of occurrences to return in the list. Must be positive. Max allowed

3396

page size is 1000. If not specified, page size defaults to 20.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

3397

x__xgafv: string, V1 error format.

3398

Allowed values

3399

1 - v1 error format

3400

2 - v2 error format

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

3401

3402

Returns:

3403

An object of the form:

3404

3405

{ # Response for listing occurrences.

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame^]

3406

"nextPageToken": "A String", # The next pagination token in the list response. It should be used as

3407

# `page_token` for the following request. An empty value means no more

3408

# results.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

3409

"occurrences": [ # The occurrences requested.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

3410

{ # An instance of an analysis type that has been found on a resource.

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame^]

3411

"createTime": "A String", # Output only. The time this occurrence was created.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

3412

"name": "A String", # Output only. The name of the occurrence in the form of

3413

# `projects/[PROJECT_ID]/occurrences/[OCCURRENCE_ID]`.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

3414

"intoto": { # This corresponds to a signed in-toto link - it is made up of one or more # Describes a specific in-toto link.

3415

# signatures and the in-toto link itself. This is used for occurrences of a

3416

# Grafeas in-toto note.

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame^]

3417

"signatures": [

3418

{ # A signature object consists of the KeyID used and the signature itself.

3419

"sig": "A String",

3420

"keyid": "A String",

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

3421

},

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame^]

3422

],

3423

"signed": { # This corresponds to an in-toto link.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

3424

"environment": { # Defines an object for the environment field in in-toto links. The suggested # This is a field that can be used to capture information about the

3425

# environment. It is suggested for this field to contain information that

3426

# details environment variables, filesystem information, and the present

3427

# working directory. The recommended structure of this field is:

3428

# "environment": {

3429

# "custom_values": {

3430

# "variables": "<ENV>",

3431

# "filesystem": "<FS>",

3432

# "workdir": "<CWD>",

3433

# "<ANY OTHER RELEVANT FIELDS>": "..."

3434

# }

3435

# }

3436

# fields are "variables", "filesystem", and "workdir".

"customValues": {

"a_key": "A String",

},

},

"materials": [ # Materials are the supply chain artifacts that go into the step and are used

3442

# for the operation performed. The key of the map is the path of the artifact

3443

# and the structure contains the recorded hash information. An example is:

3444

# "materials": [

3445

# {

3446

# "resource_uri": "foo/bar",

3447

# "hashes": {

3448

# "sha256": "ebebf...",

3449

# <OTHER HASH ALGORITHMS>: <HASH VALUE>

# }

# }

# ]

{

"hashes": { # Defines a hash object for use in Materials and Products.

3455

"sha256": "A String",

3456

},

3457

"resourceUri": "A String",

3458

},

3459

],

3460

"products": [ # Products are the supply chain artifacts generated as a result of the step.

3461

# The structure is identical to that of materials.

3462

{

3463

"hashes": { # Defines a hash object for use in Materials and Products.

3464

"sha256": "A String",

3465

},

3466

"resourceUri": "A String",

3467

},

3468

],

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame^]

3469

"byproducts": { # Defines an object for the byproducts field in in-toto links. The suggested # ByProducts are data generated as part of a software supply chain step, but

3470

# are not the actual result of the step.

3471

# fields are "stderr", "stdout", and "return-value".

"customValues": {

"a_key": "A String",

},

},

"command": [ # This field contains the full command executed for the step. This can also

3477

# be empty if links are generated for operations that aren't directly mapped

3478

# to a specific command. Each term in the command is an independent string

3479

# in the list. An example of a command in the in-toto metadata field is:

3480

# "command": ["git", "clone", "https://github.com/in-toto/demo-project.git"]

3481

"A String",

3482

],

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

3483

},

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame^]

3484

},

3485

"resource": { # An entity that can have metadata. For example, a Docker image. # Required. Immutable. The resource for which the occurrence applies.

3486

"contentHash": { # Container message for hash values. # Deprecated, do not use. Use uri instead.

3487

#

3488

# The hash of the resource content. For example, the Docker digest.

3489

"type": "A String", # Required. The type of hash that was performed.

3490

"value": "A String", # Required. The hash value.

3491

},

3492

"uri": "A String", # Required. The unique URI of the resource. For example,

3493

# `https://gcr.io/project/image@sha256:foo` for a Docker image.

3494

"name": "A String", # Deprecated, do not use. Use uri instead.

3495

#

3496

# The name of the resource. For example, the name of a Docker image -

3497

# "Debian".

3498

},

3499

"attestation": { # Details of an attestation occurrence. # Describes an attestation of an artifact.

3500

"attestation": { # Occurrence that represents a single "attestation". The authenticity of an # Required. Attestation for the resource.

3501

# attestation can be verified using the attached signature. If the verifier

3502

# trusts the public key of the signer, then verifying the signature is

3503

# sufficient to establish trust. In this circumstance, the authority to which

3504

# this attestation is attached is primarily useful for look-up (how to find

3505

# this attestation if you already know the authority and artifact to be

3506

# verified) and intent (which authority was this attestation intended to sign

3507

# for).

3508

"genericSignedAttestation": { # An attestation wrapper that uses the Grafeas `Signature` message.

3509

# This attestation must define the `serialized_payload` that the `signatures`

3510

# verify and any metadata necessary to interpret that plaintext. The

3511

# signatures should always be over the `serialized_payload` bytestring.

3512

"contentType": "A String", # Type (for example schema) of the attestation payload that was signed.

3513

# The verifier must ensure that the provided type is one that the verifier

3514

# supports, and that the attestation payload is a valid instantiation of that

3515

# type (for example by validating a JSON schema).

3516

"signatures": [ # One or more signatures over `serialized_payload`. Verifier implementations

3517

# should consider this attestation message verified if at least one

3518

# `signature` verifies `serialized_payload`. See `Signature` in common.proto

3519

# for more details on signature structure and verification.

3520

{ # Verifiers (e.g. Kritis implementations) MUST verify signatures

3521

# with respect to the trust anchors defined in policy (e.g. a Kritis policy).

3522

# Typically this means that the verifier has been configured with a map from

3523

# `public_key_id` to public key material (and any required parameters, e.g.

3524

# signing algorithm).

3525

#

3526

# In particular, verification implementations MUST NOT treat the signature

3527

# `public_key_id` as anything more than a key lookup hint. The `public_key_id`

3528

# DOES NOT validate or authenticate a public key; it only provides a mechanism

3529

# for quickly selecting a public key ALREADY CONFIGURED on the verifier through

3530

# a trusted channel. Verification implementations MUST reject signatures in any

3531

# of the following circumstances:

3532

# * The `public_key_id` is not recognized by the verifier.

3533

# * The public key that `public_key_id` refers to does not verify the

3534

# signature with respect to the payload.

3535

#

3536

# The `signature` contents SHOULD NOT be "attached" (where the payload is

3537

# included with the serialized `signature` bytes). Verifiers MUST ignore any

3538

# "attached" payload and only verify signatures with respect to explicitly

3539

# provided payload (e.g. a `payload` field on the proto message that holds

3540

# this Signature, or the canonical serialization of the proto message that

3541

# holds this signature).

3542

"publicKeyId": "A String", # The identifier for the public key that verifies this signature.

3543

# * The `public_key_id` is required.

3544

# * The `public_key_id` SHOULD be an RFC3986 conformant URI.

3545

# * When possible, the `public_key_id` SHOULD be an immutable reference,

3546

# such as a cryptographic digest.

3547

#

3548

# Examples of valid `public_key_id`s:

3549

#

3550

# OpenPGP V4 public key fingerprint:

3551

# * "openpgp4fpr:74FAF3B861BDA0870C7B6DEF607E48D2A663AEEA"

3552

# See https://www.iana.org/assignments/uri-schemes/prov/openpgp4fpr for more

3553

# details on this scheme.

3554

#

3555

# RFC6920 digest-named SubjectPublicKeyInfo (digest of the DER

3556

# serialization):

3557

# * "ni:///sha-256;cD9o9Cq6LG3jD0iKXqEi_vdjJGecm_iXkbqVoScViaU"

3558

# * "nih:///sha-256;703f68f42aba2c6de30f488a5ea122fef76324679c9bf89791ba95a1271589a5"

3559

"signature": "A String", # The content of the signature, an opaque bytestring.

3560

# The payload that this signature verifies MUST be unambiguously provided

3561

# with the Signature during verification. A wrapper message might provide

3562

# the payload explicitly. Alternatively, a message might have a canonical

3563

# serialization that can always be unambiguously computed to derive the

# payload.

},

],

"serializedPayload": "A String", # The serialized payload that is verified by one or more `signatures`.

3568

# The encoding and semantic meaning of this payload must match what is set in

3569

# `content_type`.

3570

},

3571

"pgpSignedAttestation": { # An attestation wrapper with a PGP-compatible signature. This message only # A PGP signed attestation.

3572

# supports `ATTACHED` signatures, where the payload that is signed is included

3573

# alongside the signature itself in the same file.

3574

"signature": "A String", # Required. The raw content of the signature, as output by GNU Privacy Guard

3575

# (GPG) or equivalent. Since this message only supports attached signatures,

3576

# the payload that was signed must be attached. While the signature format

3577

# supported is dependent on the verification implementation, currently only

3578

# ASCII-armored (`--armor` to gpg), non-clearsigned (`--sign` rather than

3579

# `--clearsign` to gpg) are supported. Concretely, `gpg --sign --armor

3580

# --output=signature.gpg payload.json` will create the signature content

3581

# expected in this field in `signature.gpg` for the `payload.json`

3582

# attestation payload.

3583

"contentType": "A String", # Type (for example schema) of the attestation payload that was signed.

3584

# The verifier must ensure that the provided type is one that the verifier

3585

# supports, and that the attestation payload is a valid instantiation of that

3586

# type (for example by validating a JSON schema).

3587

"pgpKeyId": "A String", # The cryptographic fingerprint of the key used to generate the signature,

3588

# as output by, e.g. `gpg --list-keys`. This should be the version 4, full

3589

# 160-bit fingerprint, expressed as a 40 character hexidecimal string. See

3590

# https://tools.ietf.org/html/rfc4880#section-12.2 for details.

3591

# Implementations may choose to acknowledge "LONG", "SHORT", or other

3592

# abbreviated key IDs, but only the full fingerprint is guaranteed to work.

3593

# In gpg, the full fingerprint can be retrieved from the `fpr` field

3594

# returned when calling --list-keys with --with-colons. For example:

3595

# ```

3596

# gpg --with-colons --with-fingerprint --force-v4-certs \

3597

# --list-keys attester@example.com

3598

# tru::1:1513631572:0:3:1:5

3599

# pub:...<SNIP>...

3600

# fpr:::::::::24FF6481B76AC91E66A00AC657A93A81EF3AE6FB:

3601

# ```

3602

# Above, the fingerprint is `24FF6481B76AC91E66A00AC657A93A81EF3AE6FB`.

},

},

},

"deployment": { # Details of a deployment occurrence. # Describes the deployment of an artifact on a runtime.

3607

"deployment": { # The period during which some deployable was active in a runtime. # Required. Deployment history for the resource.

3608

"undeployTime": "A String", # End of the lifetime of this deployment.

3609

"userEmail": "A String", # Identity of the user that triggered this deployment.

3610

"resourceUri": [ # Output only. Resource URI for the artifact being deployed taken from

3611

# the deployable field with the same name.

3612

"A String",

3613

],

3614

"platform": "A String", # Platform hosting this deployment.

3615

"config": "A String", # Configuration used to create this deployment.

3616

"deployTime": "A String", # Required. Beginning of the lifetime of this deployment.

3617

"address": "A String", # Address of the runtime element hosting this deployment.

3618

},

3619

},

3620

"noteName": "A String", # Required. Immutable. The analysis note associated with this occurrence, in

3621

# the form of `projects/[PROVIDER_ID]/notes/[NOTE_ID]`. This field can be

3622

# used as a filter in list requests.

3623

"installation": { # Details of a package occurrence. # Describes the installation of a package on the linked resource.

3624

"installation": { # This represents how a particular software package may be installed on a # Required. Where the package was installed.

3625

# system.

3626

"name": "A String", # Output only. The name of the installed package.

3627

"location": [ # Required. All of the places within the filesystem versions of this package

3628

# have been found.

3629

{ # An occurrence of a particular package installation found within a system's

3630

# filesystem. E.g., glibc was found in `/var/lib/dpkg/status`.

3631

"path": "A String", # The path from which we gathered that this package/version is installed.

3632

"cpeUri": "A String", # Required. The CPE URI in [CPE format](https://cpe.mitre.org/specification/)

3633

# denoting the package manager version distributing a package.

3634

"version": { # Version contains structured information about the version of a package. # The version installed at this location.

3635

"kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal

3636

# versions.

3637

"revision": "A String", # The iteration of the package build from the above version.

3638

"epoch": 42, # Used to correct mistakes in the version numbering scheme.

3639

"name": "A String", # Required only when version kind is NORMAL. The main part of the version

# name.

},

},

],

},

},

"vulnerability": { # Details of a vulnerability Occurrence. # Describes a security vulnerability.

3647

"shortDescription": "A String", # Output only. A one sentence description of this vulnerability.

3648

"relatedUrls": [ # Output only. URLs related to this vulnerability.

3649

{ # Metadata for any related URL information.

3650

"url": "A String", # Specific URL associated with the resource.

3651

"label": "A String", # Label to describe usage of the URL.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

3652

},

3653

],

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame^]

3654

"effectiveSeverity": "A String", # The distro assigned severity for this vulnerability when it is

3655

# available, and note provider assigned severity when distro has not yet

3656

# assigned a severity for this vulnerability.

3657

"severity": "A String", # Output only. The note provider assigned Severity of the vulnerability.

3658

"type": "A String", # The type of package; whether native or non native(ruby gems, node.js

3659

# packages etc)

3660

"longDescription": "A String", # Output only. A detailed description of this vulnerability.

3661

"cvssScore": 3.14, # Output only. The CVSS score of this vulnerability. CVSS score is on a

3662

# scale of 0-10 where 0 indicates low severity and 10 indicates high

3663

# severity.

3664

"packageIssue": [ # Required. The set of affected locations and their fixes (if available)

3665

# within the associated resource.

3666

{ # This message wraps a location affected by a vulnerability and its

3667

# associated fix (if one is available).

3668

"fixedLocation": { # The location of the vulnerability. # The location of the available fix for vulnerability.

3669

"package": "A String", # Required. The package being described.

3670

"cpeUri": "A String", # Required. The CPE URI in [cpe format](https://cpe.mitre.org/specification/)

3671

# format. Examples include distro or storage location for vulnerable jar.

3672

"version": { # Version contains structured information about the version of a package. # Required. The version of the package being described.

3673

"kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal

3674

# versions.

3675

"revision": "A String", # The iteration of the package build from the above version.

3676

"epoch": 42, # Used to correct mistakes in the version numbering scheme.

3677

"name": "A String", # Required only when version kind is NORMAL. The main part of the version

# name.

},

},

"severityName": "A String", # Deprecated, use Details.effective_severity instead

3682

# The severity (e.g., distro assigned severity) for this vulnerability.

3683

"affectedLocation": { # The location of the vulnerability. # Required. The location of the vulnerability.

3684

"package": "A String", # Required. The package being described.

3685

"cpeUri": "A String", # Required. The CPE URI in [cpe format](https://cpe.mitre.org/specification/)

3686

# format. Examples include distro or storage location for vulnerable jar.

3687

"version": { # Version contains structured information about the version of a package. # Required. The version of the package being described.

3688

"kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal

3689

# versions.

3690

"revision": "A String", # The iteration of the package build from the above version.

3691

"epoch": 42, # Used to correct mistakes in the version numbering scheme.

3692

"name": "A String", # Required only when version kind is NORMAL. The main part of the version

# name.

},

},

},

],

},

"discovered": { # Details of a discovery occurrence. # Describes when a resource was discovered.

3700

"discovered": { # Provides information about the analysis status of a discovered resource. # Required. Analysis status for the discovered resource.

3701

"lastAnalysisTime": "A String", # The last time continuous analysis was done for this resource.

3702

# Deprecated, do not use.

3703

"analysisStatusError": { # The `Status` type defines a logical error model that is suitable for # When an error is encountered this will contain a LocalizedMessage under

3704

# details to show to the user. The LocalizedMessage is output only and

3705

# populated by the API.

3706

# different programming environments, including REST APIs and RPC APIs. It is

3707

# used by [gRPC](https://github.com/grpc). Each `Status` message contains

3708

# three pieces of data: error code, error message, and error details.

3709

#

3710

# You can find out more about this error model and how to work with it in the

3711

# [API Design Guide](https://cloud.google.com/apis/design/errors).

3712

"message": "A String", # A developer-facing error message, which should be in English. Any

3713

# user-facing error message should be localized and sent in the

3714

# google.rpc.Status.details field, or localized by the client.

3715

"code": 42, # The status code, which should be an enum value of google.rpc.Code.

3716

"details": [ # A list of messages that carry the error details. There is a common set of

3717

# message types for APIs to use.

3718

{

3719

"a_key": "", # Properties of the object. Contains field @type with type URL.

},

],

},

"continuousAnalysis": "A String", # Whether the resource is continuously analyzed.

3724

"analysisStatus": "A String", # The status of discovery for the resource.

3725

},

3726

},

3727

"updateTime": "A String", # Output only. The time this occurrence was last updated.

3728

"build": { # Details of a build occurrence. # Describes a verifiable build.

3729

"provenance": { # Provenance of a build. Contains all information needed to verify the full # Required. The actual provenance for the build.

3730

# details about the build from source to completion.

3731

"endTime": "A String", # Time at which execution of the build was finished.

3732

"builderVersion": "A String", # Version string of the builder at the time this build was executed.

3733

"startTime": "A String", # Time at which execution of the build was started.

3734

"creator": "A String", # E-mail address of the user who initiated this build. Note that this was the

3735

# user's e-mail address at the time the build was initiated; this address may

3736

# not represent the same end-user for all time.

3737

"logsUri": "A String", # URI where any logs for this provenance were written.

3738

"builtArtifacts": [ # Output of the build.

3739

{ # Artifact describes a build product.

3740

"names": [ # Related artifact names. This may be the path to a binary or jar file, or in

3741

# the case of a container build, the name used to push the container image to

3742

# Google Container Registry, as presented to `docker push`. Note that a

3743

# single Artifact ID can have multiple names, for example if two tags are

3744

# applied to one image.

3745

"A String",

3746

],

3747

"id": "A String", # Artifact ID, if any; for container images, this will be a URL by digest

3748

# like `gcr.io/projectID/imagename@sha256:123456`.

3749

"checksum": "A String", # Hash or checksum value of a binary, or Docker Registry 2.0 digest of a

# container.

},

],

"buildOptions": { # Special options applied to this build. This is a catch-all field where

3754

# build providers can enter any desired additional details.

3755

"a_key": "A String",

3756

},

3757

"id": "A String", # Required. Unique identifier of the build.

3758

"projectId": "A String", # ID of the project.

3759

"commands": [ # Commands requested by the build.

3760

{ # Command describes a step performed as part of the build pipeline.

3761

"waitFor": [ # The ID(s) of the command(s) that this command depends on.

3762

"A String",

3763

],

3764

"id": "A String", # Optional unique identifier for this command, used in wait_for to reference

3765

# this command as a dependency.

3766

"dir": "A String", # Working directory (relative to project source root) used when running this

3767

# command.

3768

"args": [ # Command-line arguments used when executing this command.

3769

"A String",

3770

],

3771

"name": "A String", # Required. Name of the command, as presented on the command line, or if the

3772

# command is packaged as a Docker container, as presented to `docker pull`.

3773

"env": [ # Environment variables set before running this command.

"A String",

],

},

],

"sourceProvenance": { # Source describes the location of the source used for the build. # Details of the Source input to the build.

3779

"context": { # A SourceContext is a reference to a tree of files. A SourceContext together # If provided, the source code used for the build came from this location.

3780

# with a path point to a unique revision of a single file or directory.

3781

"labels": { # Labels with user defined metadata.

3782

"a_key": "A String",

3783

},

3784

"gerrit": { # A SourceContext referring to a Gerrit project. # A SourceContext referring to a Gerrit project.

3785

"hostUri": "A String", # The URI of a running Gerrit instance.

3786

"revisionId": "A String", # A revision (commit) ID.

3787

"gerritProject": "A String", # The full project name within the host. Projects may be nested, so

3788

# "project/subproject" is a valid project name. The "repo name" is the

3789

# hostURI/project.

3790

"aliasContext": { # An alias to a repo revision. # An alias, which may be a branch or tag.

3791

"kind": "A String", # The alias kind.

3792

"name": "A String", # The alias name.

3793

},

3794

},

3795

"git": { # A GitSourceContext denotes a particular revision in a third party Git # A SourceContext referring to any third party Git repo (e.g., GitHub).

3796

# repository (e.g., GitHub).

3797

"revisionId": "A String", # Git commit hash.

3798

"url": "A String", # Git repository URL.

3799

},

3800

"cloudRepo": { # A CloudRepoSourceContext denotes a particular revision in a Google Cloud # A SourceContext referring to a revision in a Google Cloud Source Repo.

3801

# Source Repo.

3802

"revisionId": "A String", # A revision ID.

3803

"repoId": { # A unique identifier for a Cloud Repo. # The ID of the repo.

3804

"uid": "A String", # A server-assigned, globally unique identifier.

3805

"projectRepoId": { # Selects a repo using a Google Cloud Platform project ID (e.g., # A combination of a project ID and a repo name.

3806

# winged-cargo-31) and a repo name within that project.

3807

"projectId": "A String", # The ID of the project.

3808

"repoName": "A String", # The name of the repo. Leave empty for the default repo.

3809

},

3810

},

3811

"aliasContext": { # An alias to a repo revision. # An alias, which may be a branch or tag.

3812

"kind": "A String", # The alias kind.

3813

"name": "A String", # The alias name.

},

},

},

"artifactStorageSourceUri": "A String", # If provided, the input binary artifacts for the build came from this

3818

# location.

3819

"fileHashes": { # Hash(es) of the build source, which can be used to verify that the original

3820

# source integrity was maintained in the build.

3821

#

3822

# The keys to this map are file paths used as build source and the values

3823

# contain the hash values for those files.

3824

#

3825

# If the build source came in a single package such as a gzipped tarfile

3826

# (.tar.gz), the FileHash will be for the single path to that file.

3827

"a_key": { # Container message for hashes of byte content of files, used in source

3828

# messages to verify integrity of source input to the build.

3829

"fileHash": [ # Required. Collection of file hashes.

3830

{ # Container message for hash values.

3831

"type": "A String", # Required. The type of hash that was performed.

3832

"value": "A String", # Required. The hash value.

},

],

},

},

"additionalContexts": [ # If provided, some of the source code used for the build may be found in

3838

# these locations, in the case where the source repository had multiple

3839

# remotes or submodules. This list will not include the context specified in

3840

# the context field.

3841

{ # A SourceContext is a reference to a tree of files. A SourceContext together

3842

# with a path point to a unique revision of a single file or directory.

3843

"labels": { # Labels with user defined metadata.

3844

"a_key": "A String",

3845

},

3846

"gerrit": { # A SourceContext referring to a Gerrit project. # A SourceContext referring to a Gerrit project.

3847

"hostUri": "A String", # The URI of a running Gerrit instance.

3848

"revisionId": "A String", # A revision (commit) ID.

3849

"gerritProject": "A String", # The full project name within the host. Projects may be nested, so

3850

# "project/subproject" is a valid project name. The "repo name" is the

3851

# hostURI/project.

3852

"aliasContext": { # An alias to a repo revision. # An alias, which may be a branch or tag.

3853

"kind": "A String", # The alias kind.

3854

"name": "A String", # The alias name.

3855

},

3856

},

3857

"git": { # A GitSourceContext denotes a particular revision in a third party Git # A SourceContext referring to any third party Git repo (e.g., GitHub).

3858

# repository (e.g., GitHub).

3859

"revisionId": "A String", # Git commit hash.

3860

"url": "A String", # Git repository URL.

3861

},

3862

"cloudRepo": { # A CloudRepoSourceContext denotes a particular revision in a Google Cloud # A SourceContext referring to a revision in a Google Cloud Source Repo.

3863

# Source Repo.

3864

"revisionId": "A String", # A revision ID.

3865

"repoId": { # A unique identifier for a Cloud Repo. # The ID of the repo.

3866

"uid": "A String", # A server-assigned, globally unique identifier.

3867

"projectRepoId": { # Selects a repo using a Google Cloud Platform project ID (e.g., # A combination of a project ID and a repo name.

3868

# winged-cargo-31) and a repo name within that project.

3869

"projectId": "A String", # The ID of the project.

3870

"repoName": "A String", # The name of the repo. Leave empty for the default repo.

3871

},

3872

},

3873

"aliasContext": { # An alias to a repo revision. # An alias, which may be a branch or tag.

3874

"kind": "A String", # The alias kind.

3875

"name": "A String", # The alias name.

},

},

},

],

},

"triggerId": "A String", # Trigger identifier if the build was triggered automatically; empty if not.

3882

"createTime": "A String", # Time at which the build was created.

3883

},

3884

"provenanceBytes": "A String", # Serialized JSON representation of the provenance, used in generating the

3885

# build signature in the corresponding build note. After verifying the

3886

# signature, `provenance_bytes` can be unmarshalled and compared to the

3887

# provenance to confirm that it is unchanged. A base64-encoded string

3888

# representation of the provenance bytes is used for the signature in order

3889

# to interoperate with openssl which expects this format for signature

3890

# verification.

3891

#

3892

# The serialized form is captured both to avoid ambiguity in how the

3893

# provenance is marshalled to json as well to prevent incompatibilities with

3894

# future changes.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

3895

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

3896

"derivedImage": { # Details of an image occurrence. # Describes how this resource derives from the basis in the associated

3897

# note.

3898

"derivedImage": { # Derived describes the derived image portion (Occurrence) of the DockerImage # Required. Immutable. The child image derived from the base image.

3899

# relationship. This image would be produced from a Dockerfile with FROM

3900

# <DockerImage.Basis in attached Note>.

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame^]

3901

"baseResourceUrl": "A String", # Output only. This contains the base image URL for the derived image

3902

# occurrence.

3903

"distance": 42, # Output only. The number of layers by which this image differs from the

3904

# associated image basis.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

3905

"layerInfo": [ # This contains layer-specific metadata, if populated it has length

3906

# "distance" and is ordered with [distance] being the layer immediately

3907

# following the base image and [1] being the final layer.

3908

{ # Layer holds metadata specific to a layer of a Docker image.

3909

"directive": "A String", # Required. The recovered Dockerfile directive used to construct this layer.

3910

"arguments": "A String", # The recovered arguments to the Dockerfile directive.

3911

},

3912

],

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame^]

3913

"fingerprint": { # A set of properties that uniquely identify a given Docker image. # Required. The fingerprint of the derived image.

3914

"v1Name": "A String", # Required. The layer ID of the final layer in the Docker image's v1

3915

# representation.

3916

"v2Blob": [ # Required. The ordered list of v2 blobs that represent a given image.

3917

"A String",

3918

],

3919

"v2Name": "A String", # Output only. The name of the image's v2 blobs computed via:

3920

# [bottom] := v2_blobbottom := sha256(v2_blob[N] + " " + v2_name[N+1])

3921

# Only the name of the final blob is kept.

3922

},

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

3923

},

3924

},

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame^]

3925

"kind": "A String", # Output only. This explicitly denotes which of the occurrence details are

3926

# specified. This field can be used as a filter in list requests.

3927

"remediation": "A String", # A description of actions that can be taken to remedy the note.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

},

],

}</pre>

</div>

<code class="details" id="list_next">list_next(previous_request, previous_response)</code>

3935

<pre>Retrieves the next page of results.

3936

3937

Args:

3938

previous_request: The request for the previous page. (required)

3939

previous_response: The response from the request for the previous page. (required)

3940

3941

Returns:

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

3942

A request object that you can call 'execute()' on to request the next

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

3943

page. Returns None if there are no more items in the collection.

</pre>

</div>

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

3948

<code class="details" id="patch">patch(name, body=None, updateMask=None, x__xgafv=None)</code>

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

3949

<pre>Updates the specified occurrence.

3950

3951

Args:

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

3952

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

3953

`projects/[PROJECT_ID]/occurrences/[OCCURRENCE_ID]`. (required)

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

3954

body: object, The request body.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

3955

The object takes the form of:

3956

3957

{ # An instance of an analysis type that has been found on a resource.

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame^]

3958

"createTime": "A String", # Output only. The time this occurrence was created.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

3959

"name": "A String", # Output only. The name of the occurrence in the form of

3960

# `projects/[PROJECT_ID]/occurrences/[OCCURRENCE_ID]`.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

3961

"intoto": { # This corresponds to a signed in-toto link - it is made up of one or more # Describes a specific in-toto link.

3962

# signatures and the in-toto link itself. This is used for occurrences of a

3963

# Grafeas in-toto note.

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame^]

3964

"signatures": [

3965

{ # A signature object consists of the KeyID used and the signature itself.

3966

"sig": "A String",

3967

"keyid": "A String",

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

3968

},

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame^]

3969

],

3970

"signed": { # This corresponds to an in-toto link.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

3971

"environment": { # Defines an object for the environment field in in-toto links. The suggested # This is a field that can be used to capture information about the

3972

# environment. It is suggested for this field to contain information that

3973

# details environment variables, filesystem information, and the present

3974

# working directory. The recommended structure of this field is:

3975

# "environment": {

3976

# "custom_values": {

3977

# "variables": "<ENV>",

3978

# "filesystem": "<FS>",

3979

# "workdir": "<CWD>",

3980

# "<ANY OTHER RELEVANT FIELDS>": "..."

3981

# }

3982

# }

3983

# fields are "variables", "filesystem", and "workdir".

"customValues": {

"a_key": "A String",

},

},

"materials": [ # Materials are the supply chain artifacts that go into the step and are used

3989

# for the operation performed. The key of the map is the path of the artifact

3990

# and the structure contains the recorded hash information. An example is:

3991

# "materials": [

3992

# {

3993

# "resource_uri": "foo/bar",

3994

# "hashes": {

3995

# "sha256": "ebebf...",

3996

# <OTHER HASH ALGORITHMS>: <HASH VALUE>

# }

# }

# ]

{

"hashes": { # Defines a hash object for use in Materials and Products.

4002

"sha256": "A String",

4003

},

4004

"resourceUri": "A String",

4005

},

4006

],

4007

"products": [ # Products are the supply chain artifacts generated as a result of the step.

4008

# The structure is identical to that of materials.

4009

{

4010

"hashes": { # Defines a hash object for use in Materials and Products.

4011

"sha256": "A String",

4012

},

4013

"resourceUri": "A String",

4014

},

4015

],

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame^]

4016

"byproducts": { # Defines an object for the byproducts field in in-toto links. The suggested # ByProducts are data generated as part of a software supply chain step, but

4017

# are not the actual result of the step.

4018

# fields are "stderr", "stdout", and "return-value".

"customValues": {

"a_key": "A String",

},

},

"command": [ # This field contains the full command executed for the step. This can also

4024

# be empty if links are generated for operations that aren't directly mapped

4025

# to a specific command. Each term in the command is an independent string

4026

# in the list. An example of a command in the in-toto metadata field is:

4027

# "command": ["git", "clone", "https://github.com/in-toto/demo-project.git"]

4028

"A String",

4029

],

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

4030

},

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame^]

4031

},

4032

"resource": { # An entity that can have metadata. For example, a Docker image. # Required. Immutable. The resource for which the occurrence applies.

4033

"contentHash": { # Container message for hash values. # Deprecated, do not use. Use uri instead.

4034

#

4035

# The hash of the resource content. For example, the Docker digest.

4036

"type": "A String", # Required. The type of hash that was performed.

4037

"value": "A String", # Required. The hash value.

4038

},

4039

"uri": "A String", # Required. The unique URI of the resource. For example,

4040

# `https://gcr.io/project/image@sha256:foo` for a Docker image.

4041

"name": "A String", # Deprecated, do not use. Use uri instead.

4042

#

4043

# The name of the resource. For example, the name of a Docker image -

4044

# "Debian".

4045

},

4046

"attestation": { # Details of an attestation occurrence. # Describes an attestation of an artifact.

4047

"attestation": { # Occurrence that represents a single "attestation". The authenticity of an # Required. Attestation for the resource.

4048

# attestation can be verified using the attached signature. If the verifier

4049

# trusts the public key of the signer, then verifying the signature is

4050

# sufficient to establish trust. In this circumstance, the authority to which

4051

# this attestation is attached is primarily useful for look-up (how to find

4052

# this attestation if you already know the authority and artifact to be

4053

# verified) and intent (which authority was this attestation intended to sign

4054

# for).

4055

"genericSignedAttestation": { # An attestation wrapper that uses the Grafeas `Signature` message.

4056

# This attestation must define the `serialized_payload` that the `signatures`

4057

# verify and any metadata necessary to interpret that plaintext. The

4058

# signatures should always be over the `serialized_payload` bytestring.

4059

"contentType": "A String", # Type (for example schema) of the attestation payload that was signed.

4060

# The verifier must ensure that the provided type is one that the verifier

4061

# supports, and that the attestation payload is a valid instantiation of that

4062

# type (for example by validating a JSON schema).

4063

"signatures": [ # One or more signatures over `serialized_payload`. Verifier implementations

4064

# should consider this attestation message verified if at least one

4065

# `signature` verifies `serialized_payload`. See `Signature` in common.proto

4066

# for more details on signature structure and verification.

4067

{ # Verifiers (e.g. Kritis implementations) MUST verify signatures

4068

# with respect to the trust anchors defined in policy (e.g. a Kritis policy).

4069

# Typically this means that the verifier has been configured with a map from

4070

# `public_key_id` to public key material (and any required parameters, e.g.

4071

# signing algorithm).

4072

#

4073

# In particular, verification implementations MUST NOT treat the signature

4074

# `public_key_id` as anything more than a key lookup hint. The `public_key_id`

4075

# DOES NOT validate or authenticate a public key; it only provides a mechanism

4076

# for quickly selecting a public key ALREADY CONFIGURED on the verifier through

4077

# a trusted channel. Verification implementations MUST reject signatures in any

4078

# of the following circumstances:

4079

# * The `public_key_id` is not recognized by the verifier.

4080

# * The public key that `public_key_id` refers to does not verify the

4081

# signature with respect to the payload.

4082

#

4083

# The `signature` contents SHOULD NOT be "attached" (where the payload is

4084

# included with the serialized `signature` bytes). Verifiers MUST ignore any

4085

# "attached" payload and only verify signatures with respect to explicitly

4086

# provided payload (e.g. a `payload` field on the proto message that holds

4087

# this Signature, or the canonical serialization of the proto message that

4088

# holds this signature).

4089

"publicKeyId": "A String", # The identifier for the public key that verifies this signature.

4090

# * The `public_key_id` is required.

4091

# * The `public_key_id` SHOULD be an RFC3986 conformant URI.

4092

# * When possible, the `public_key_id` SHOULD be an immutable reference,

4093

# such as a cryptographic digest.

4094

#

4095

# Examples of valid `public_key_id`s:

4096

#

4097

# OpenPGP V4 public key fingerprint:

4098

# * "openpgp4fpr:74FAF3B861BDA0870C7B6DEF607E48D2A663AEEA"

4099

# See https://www.iana.org/assignments/uri-schemes/prov/openpgp4fpr for more

4100

# details on this scheme.

4101

#

4102

# RFC6920 digest-named SubjectPublicKeyInfo (digest of the DER

4103

# serialization):

4104

# * "ni:///sha-256;cD9o9Cq6LG3jD0iKXqEi_vdjJGecm_iXkbqVoScViaU"

4105

# * "nih:///sha-256;703f68f42aba2c6de30f488a5ea122fef76324679c9bf89791ba95a1271589a5"

4106

"signature": "A String", # The content of the signature, an opaque bytestring.

4107

# The payload that this signature verifies MUST be unambiguously provided

4108

# with the Signature during verification. A wrapper message might provide

4109

# the payload explicitly. Alternatively, a message might have a canonical

4110

# serialization that can always be unambiguously computed to derive the

# payload.

},

],

"serializedPayload": "A String", # The serialized payload that is verified by one or more `signatures`.

4115

# The encoding and semantic meaning of this payload must match what is set in

4116

# `content_type`.

4117

},

4118

"pgpSignedAttestation": { # An attestation wrapper with a PGP-compatible signature. This message only # A PGP signed attestation.

4119

# supports `ATTACHED` signatures, where the payload that is signed is included

4120

# alongside the signature itself in the same file.

4121

"signature": "A String", # Required. The raw content of the signature, as output by GNU Privacy Guard

4122

# (GPG) or equivalent. Since this message only supports attached signatures,

4123

# the payload that was signed must be attached. While the signature format

4124

# supported is dependent on the verification implementation, currently only

4125

# ASCII-armored (`--armor` to gpg), non-clearsigned (`--sign` rather than

4126

# `--clearsign` to gpg) are supported. Concretely, `gpg --sign --armor

4127

# --output=signature.gpg payload.json` will create the signature content

4128

# expected in this field in `signature.gpg` for the `payload.json`

4129

# attestation payload.

4130

"contentType": "A String", # Type (for example schema) of the attestation payload that was signed.

4131

# The verifier must ensure that the provided type is one that the verifier

4132

# supports, and that the attestation payload is a valid instantiation of that

4133

# type (for example by validating a JSON schema).

4134

"pgpKeyId": "A String", # The cryptographic fingerprint of the key used to generate the signature,

4135

# as output by, e.g. `gpg --list-keys`. This should be the version 4, full

4136

# 160-bit fingerprint, expressed as a 40 character hexidecimal string. See

4137

# https://tools.ietf.org/html/rfc4880#section-12.2 for details.

4138

# Implementations may choose to acknowledge "LONG", "SHORT", or other

4139

# abbreviated key IDs, but only the full fingerprint is guaranteed to work.

4140

# In gpg, the full fingerprint can be retrieved from the `fpr` field

4141

# returned when calling --list-keys with --with-colons. For example:

4142

# ```

4143

# gpg --with-colons --with-fingerprint --force-v4-certs \

4144

# --list-keys attester@example.com

4145

# tru::1:1513631572:0:3:1:5

4146

# pub:...<SNIP>...

4147

# fpr:::::::::24FF6481B76AC91E66A00AC657A93A81EF3AE6FB:

4148

# ```

4149

# Above, the fingerprint is `24FF6481B76AC91E66A00AC657A93A81EF3AE6FB`.

},

},

},

"deployment": { # Details of a deployment occurrence. # Describes the deployment of an artifact on a runtime.

4154

"deployment": { # The period during which some deployable was active in a runtime. # Required. Deployment history for the resource.

4155

"undeployTime": "A String", # End of the lifetime of this deployment.

4156

"userEmail": "A String", # Identity of the user that triggered this deployment.

4157

"resourceUri": [ # Output only. Resource URI for the artifact being deployed taken from

4158

# the deployable field with the same name.

4159

"A String",

4160

],

4161

"platform": "A String", # Platform hosting this deployment.

4162

"config": "A String", # Configuration used to create this deployment.

4163

"deployTime": "A String", # Required. Beginning of the lifetime of this deployment.

4164

"address": "A String", # Address of the runtime element hosting this deployment.

4165

},

4166

},

4167

"noteName": "A String", # Required. Immutable. The analysis note associated with this occurrence, in

4168

# the form of `projects/[PROVIDER_ID]/notes/[NOTE_ID]`. This field can be

4169

# used as a filter in list requests.

4170

"installation": { # Details of a package occurrence. # Describes the installation of a package on the linked resource.

4171

"installation": { # This represents how a particular software package may be installed on a # Required. Where the package was installed.

4172

# system.

4173

"name": "A String", # Output only. The name of the installed package.

4174

"location": [ # Required. All of the places within the filesystem versions of this package

4175

# have been found.

4176

{ # An occurrence of a particular package installation found within a system's

4177

# filesystem. E.g., glibc was found in `/var/lib/dpkg/status`.

4178

"path": "A String", # The path from which we gathered that this package/version is installed.

4179

"cpeUri": "A String", # Required. The CPE URI in [CPE format](https://cpe.mitre.org/specification/)

4180

# denoting the package manager version distributing a package.

4181

"version": { # Version contains structured information about the version of a package. # The version installed at this location.

4182

"kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal

4183

# versions.

4184

"revision": "A String", # The iteration of the package build from the above version.

4185

"epoch": 42, # Used to correct mistakes in the version numbering scheme.

4186

"name": "A String", # Required only when version kind is NORMAL. The main part of the version

# name.

},

},

],

},

},

"vulnerability": { # Details of a vulnerability Occurrence. # Describes a security vulnerability.

4194

"shortDescription": "A String", # Output only. A one sentence description of this vulnerability.

4195

"relatedUrls": [ # Output only. URLs related to this vulnerability.

4196

{ # Metadata for any related URL information.

4197

"url": "A String", # Specific URL associated with the resource.

4198

"label": "A String", # Label to describe usage of the URL.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

4199

},

4200

],

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame^]

4201

"effectiveSeverity": "A String", # The distro assigned severity for this vulnerability when it is

4202

# available, and note provider assigned severity when distro has not yet

4203

# assigned a severity for this vulnerability.

4204

"severity": "A String", # Output only. The note provider assigned Severity of the vulnerability.

4205

"type": "A String", # The type of package; whether native or non native(ruby gems, node.js

4206

# packages etc)

4207

"longDescription": "A String", # Output only. A detailed description of this vulnerability.

4208

"cvssScore": 3.14, # Output only. The CVSS score of this vulnerability. CVSS score is on a

4209

# scale of 0-10 where 0 indicates low severity and 10 indicates high

4210

# severity.

4211

"packageIssue": [ # Required. The set of affected locations and their fixes (if available)

4212

# within the associated resource.

4213

{ # This message wraps a location affected by a vulnerability and its

4214

# associated fix (if one is available).

4215

"fixedLocation": { # The location of the vulnerability. # The location of the available fix for vulnerability.

4216

"package": "A String", # Required. The package being described.

4217

"cpeUri": "A String", # Required. The CPE URI in [cpe format](https://cpe.mitre.org/specification/)

4218

# format. Examples include distro or storage location for vulnerable jar.

4219

"version": { # Version contains structured information about the version of a package. # Required. The version of the package being described.

4220

"kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal

4221

# versions.

4222

"revision": "A String", # The iteration of the package build from the above version.

4223

"epoch": 42, # Used to correct mistakes in the version numbering scheme.

4224

"name": "A String", # Required only when version kind is NORMAL. The main part of the version

# name.

},

},

"severityName": "A String", # Deprecated, use Details.effective_severity instead

4229

# The severity (e.g., distro assigned severity) for this vulnerability.

4230

"affectedLocation": { # The location of the vulnerability. # Required. The location of the vulnerability.

4231

"package": "A String", # Required. The package being described.

4232

"cpeUri": "A String", # Required. The CPE URI in [cpe format](https://cpe.mitre.org/specification/)

4233

# format. Examples include distro or storage location for vulnerable jar.

4234

"version": { # Version contains structured information about the version of a package. # Required. The version of the package being described.

4235

"kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal

4236

# versions.

4237

"revision": "A String", # The iteration of the package build from the above version.

4238

"epoch": 42, # Used to correct mistakes in the version numbering scheme.

4239

"name": "A String", # Required only when version kind is NORMAL. The main part of the version

# name.

},

},

},

],

},

"discovered": { # Details of a discovery occurrence. # Describes when a resource was discovered.

4247

"discovered": { # Provides information about the analysis status of a discovered resource. # Required. Analysis status for the discovered resource.

4248

"lastAnalysisTime": "A String", # The last time continuous analysis was done for this resource.

4249

# Deprecated, do not use.

4250

"analysisStatusError": { # The `Status` type defines a logical error model that is suitable for # When an error is encountered this will contain a LocalizedMessage under

4251

# details to show to the user. The LocalizedMessage is output only and

4252

# populated by the API.

4253

# different programming environments, including REST APIs and RPC APIs. It is

4254

# used by [gRPC](https://github.com/grpc). Each `Status` message contains

4255

# three pieces of data: error code, error message, and error details.

4256

#

4257

# You can find out more about this error model and how to work with it in the

4258

# [API Design Guide](https://cloud.google.com/apis/design/errors).

4259

"message": "A String", # A developer-facing error message, which should be in English. Any

4260

# user-facing error message should be localized and sent in the

4261

# google.rpc.Status.details field, or localized by the client.

4262

"code": 42, # The status code, which should be an enum value of google.rpc.Code.

4263

"details": [ # A list of messages that carry the error details. There is a common set of

4264

# message types for APIs to use.

4265

{

4266

"a_key": "", # Properties of the object. Contains field @type with type URL.

},

],

},

"continuousAnalysis": "A String", # Whether the resource is continuously analyzed.

4271

"analysisStatus": "A String", # The status of discovery for the resource.

4272

},

4273

},

4274

"updateTime": "A String", # Output only. The time this occurrence was last updated.

4275

"build": { # Details of a build occurrence. # Describes a verifiable build.

4276

"provenance": { # Provenance of a build. Contains all information needed to verify the full # Required. The actual provenance for the build.

4277

# details about the build from source to completion.

4278

"endTime": "A String", # Time at which execution of the build was finished.

4279

"builderVersion": "A String", # Version string of the builder at the time this build was executed.

4280

"startTime": "A String", # Time at which execution of the build was started.

4281

"creator": "A String", # E-mail address of the user who initiated this build. Note that this was the

4282

# user's e-mail address at the time the build was initiated; this address may

4283

# not represent the same end-user for all time.

4284

"logsUri": "A String", # URI where any logs for this provenance were written.

4285

"builtArtifacts": [ # Output of the build.

4286

{ # Artifact describes a build product.

4287

"names": [ # Related artifact names. This may be the path to a binary or jar file, or in

4288

# the case of a container build, the name used to push the container image to

4289

# Google Container Registry, as presented to `docker push`. Note that a

4290

# single Artifact ID can have multiple names, for example if two tags are

4291

# applied to one image.

4292

"A String",

4293

],

4294

"id": "A String", # Artifact ID, if any; for container images, this will be a URL by digest

4295

# like `gcr.io/projectID/imagename@sha256:123456`.

4296

"checksum": "A String", # Hash or checksum value of a binary, or Docker Registry 2.0 digest of a

# container.

},

],

"buildOptions": { # Special options applied to this build. This is a catch-all field where

4301

# build providers can enter any desired additional details.

4302

"a_key": "A String",

4303

},

4304

"id": "A String", # Required. Unique identifier of the build.

4305

"projectId": "A String", # ID of the project.

4306

"commands": [ # Commands requested by the build.

4307

{ # Command describes a step performed as part of the build pipeline.

4308

"waitFor": [ # The ID(s) of the command(s) that this command depends on.

4309

"A String",

4310

],

4311

"id": "A String", # Optional unique identifier for this command, used in wait_for to reference

4312

# this command as a dependency.

4313

"dir": "A String", # Working directory (relative to project source root) used when running this

4314

# command.

4315

"args": [ # Command-line arguments used when executing this command.

4316

"A String",

4317

],

4318

"name": "A String", # Required. Name of the command, as presented on the command line, or if the

4319

# command is packaged as a Docker container, as presented to `docker pull`.

4320

"env": [ # Environment variables set before running this command.

"A String",

],

},

],

"sourceProvenance": { # Source describes the location of the source used for the build. # Details of the Source input to the build.

4326

"context": { # A SourceContext is a reference to a tree of files. A SourceContext together # If provided, the source code used for the build came from this location.

4327

# with a path point to a unique revision of a single file or directory.

4328

"labels": { # Labels with user defined metadata.

4329

"a_key": "A String",

4330

},

4331

"gerrit": { # A SourceContext referring to a Gerrit project. # A SourceContext referring to a Gerrit project.

4332

"hostUri": "A String", # The URI of a running Gerrit instance.

4333

"revisionId": "A String", # A revision (commit) ID.

4334

"gerritProject": "A String", # The full project name within the host. Projects may be nested, so

4335

# "project/subproject" is a valid project name. The "repo name" is the

4336

# hostURI/project.

4337

"aliasContext": { # An alias to a repo revision. # An alias, which may be a branch or tag.

4338

"kind": "A String", # The alias kind.

4339

"name": "A String", # The alias name.

4340

},

4341

},

4342

"git": { # A GitSourceContext denotes a particular revision in a third party Git # A SourceContext referring to any third party Git repo (e.g., GitHub).

4343

# repository (e.g., GitHub).

4344

"revisionId": "A String", # Git commit hash.

4345

"url": "A String", # Git repository URL.

4346

},

4347

"cloudRepo": { # A CloudRepoSourceContext denotes a particular revision in a Google Cloud # A SourceContext referring to a revision in a Google Cloud Source Repo.

4348

# Source Repo.

4349

"revisionId": "A String", # A revision ID.

4350

"repoId": { # A unique identifier for a Cloud Repo. # The ID of the repo.

4351

"uid": "A String", # A server-assigned, globally unique identifier.

4352

"projectRepoId": { # Selects a repo using a Google Cloud Platform project ID (e.g., # A combination of a project ID and a repo name.

4353

# winged-cargo-31) and a repo name within that project.

4354

"projectId": "A String", # The ID of the project.

4355

"repoName": "A String", # The name of the repo. Leave empty for the default repo.

4356

},

4357

},

4358

"aliasContext": { # An alias to a repo revision. # An alias, which may be a branch or tag.

4359

"kind": "A String", # The alias kind.

4360

"name": "A String", # The alias name.

},

},

},

"artifactStorageSourceUri": "A String", # If provided, the input binary artifacts for the build came from this

4365

# location.

4366

"fileHashes": { # Hash(es) of the build source, which can be used to verify that the original

4367

# source integrity was maintained in the build.

4368

#

4369

# The keys to this map are file paths used as build source and the values

4370

# contain the hash values for those files.

4371

#

4372

# If the build source came in a single package such as a gzipped tarfile

4373

# (.tar.gz), the FileHash will be for the single path to that file.

4374

"a_key": { # Container message for hashes of byte content of files, used in source

4375

# messages to verify integrity of source input to the build.

4376

"fileHash": [ # Required. Collection of file hashes.

4377

{ # Container message for hash values.

4378

"type": "A String", # Required. The type of hash that was performed.

4379

"value": "A String", # Required. The hash value.

},

],

},

},

"additionalContexts": [ # If provided, some of the source code used for the build may be found in

4385

# these locations, in the case where the source repository had multiple

4386

# remotes or submodules. This list will not include the context specified in

4387

# the context field.

4388

{ # A SourceContext is a reference to a tree of files. A SourceContext together

4389

# with a path point to a unique revision of a single file or directory.

4390

"labels": { # Labels with user defined metadata.

4391

"a_key": "A String",

4392

},

4393

"gerrit": { # A SourceContext referring to a Gerrit project. # A SourceContext referring to a Gerrit project.

4394

"hostUri": "A String", # The URI of a running Gerrit instance.

4395

"revisionId": "A String", # A revision (commit) ID.

4396

"gerritProject": "A String", # The full project name within the host. Projects may be nested, so

4397

# "project/subproject" is a valid project name. The "repo name" is the

4398

# hostURI/project.

4399

"aliasContext": { # An alias to a repo revision. # An alias, which may be a branch or tag.

4400

"kind": "A String", # The alias kind.

4401

"name": "A String", # The alias name.

4402

},

4403

},

4404

"git": { # A GitSourceContext denotes a particular revision in a third party Git # A SourceContext referring to any third party Git repo (e.g., GitHub).

4405

# repository (e.g., GitHub).

4406

"revisionId": "A String", # Git commit hash.

4407

"url": "A String", # Git repository URL.

4408

},

4409

"cloudRepo": { # A CloudRepoSourceContext denotes a particular revision in a Google Cloud # A SourceContext referring to a revision in a Google Cloud Source Repo.

4410

# Source Repo.

4411

"revisionId": "A String", # A revision ID.

4412

"repoId": { # A unique identifier for a Cloud Repo. # The ID of the repo.

4413

"uid": "A String", # A server-assigned, globally unique identifier.

4414

"projectRepoId": { # Selects a repo using a Google Cloud Platform project ID (e.g., # A combination of a project ID and a repo name.

4415

# winged-cargo-31) and a repo name within that project.

4416

"projectId": "A String", # The ID of the project.

4417

"repoName": "A String", # The name of the repo. Leave empty for the default repo.

4418

},

4419

},

4420

"aliasContext": { # An alias to a repo revision. # An alias, which may be a branch or tag.

4421

"kind": "A String", # The alias kind.

4422

"name": "A String", # The alias name.

},

},

},

],

},

"triggerId": "A String", # Trigger identifier if the build was triggered automatically; empty if not.

4429

"createTime": "A String", # Time at which the build was created.

4430

},

4431

"provenanceBytes": "A String", # Serialized JSON representation of the provenance, used in generating the

4432

# build signature in the corresponding build note. After verifying the

4433

# signature, `provenance_bytes` can be unmarshalled and compared to the

4434

# provenance to confirm that it is unchanged. A base64-encoded string

4435

# representation of the provenance bytes is used for the signature in order

4436

# to interoperate with openssl which expects this format for signature

4437

# verification.

4438

#

4439

# The serialized form is captured both to avoid ambiguity in how the

4440

# provenance is marshalled to json as well to prevent incompatibilities with

4441

# future changes.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

4442

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

4443

"derivedImage": { # Details of an image occurrence. # Describes how this resource derives from the basis in the associated

4444

# note.

4445

"derivedImage": { # Derived describes the derived image portion (Occurrence) of the DockerImage # Required. Immutable. The child image derived from the base image.

4446

# relationship. This image would be produced from a Dockerfile with FROM

4447

# <DockerImage.Basis in attached Note>.

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame^]

4448

"baseResourceUrl": "A String", # Output only. This contains the base image URL for the derived image

4449

# occurrence.

4450

"distance": 42, # Output only. The number of layers by which this image differs from the

4451

# associated image basis.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

4452

"layerInfo": [ # This contains layer-specific metadata, if populated it has length

4453

# "distance" and is ordered with [distance] being the layer immediately

4454

# following the base image and [1] being the final layer.

4455

{ # Layer holds metadata specific to a layer of a Docker image.

4456

"directive": "A String", # Required. The recovered Dockerfile directive used to construct this layer.

4457

"arguments": "A String", # The recovered arguments to the Dockerfile directive.

4458

},

4459

],

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame^]

4460

"fingerprint": { # A set of properties that uniquely identify a given Docker image. # Required. The fingerprint of the derived image.

4461

"v1Name": "A String", # Required. The layer ID of the final layer in the Docker image's v1

4462

# representation.

4463

"v2Blob": [ # Required. The ordered list of v2 blobs that represent a given image.

4464

"A String",

4465

],

4466

"v2Name": "A String", # Output only. The name of the image's v2 blobs computed via:

4467

# [bottom] := v2_blobbottom := sha256(v2_blob[N] + " " + v2_name[N+1])

4468

# Only the name of the final blob is kept.

4469

},

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

4470

},

4471

},

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame^]

4472

"kind": "A String", # Output only. This explicitly denotes which of the occurrence details are

4473

# specified. This field can be used as a filter in list requests.

4474

"remediation": "A String", # A description of actions that can be taken to remedy the note.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

4475

}

4476

4477

updateMask: string, The fields to update.

4478

x__xgafv: string, V1 error format.

Allowed values

1 - v1 error format

2 - v2 error format

Returns:

An object of the form:

4485

4486

{ # An instance of an analysis type that has been found on a resource.

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame^]

4487

"createTime": "A String", # Output only. The time this occurrence was created.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

4488

"name": "A String", # Output only. The name of the occurrence in the form of

4489

# `projects/[PROJECT_ID]/occurrences/[OCCURRENCE_ID]`.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

4490

"intoto": { # This corresponds to a signed in-toto link - it is made up of one or more # Describes a specific in-toto link.

4491

# signatures and the in-toto link itself. This is used for occurrences of a

4492

# Grafeas in-toto note.

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame^]

4493

"signatures": [

4494

{ # A signature object consists of the KeyID used and the signature itself.

4495

"sig": "A String",

4496

"keyid": "A String",

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

4497

},

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame^]

4498

],

4499

"signed": { # This corresponds to an in-toto link.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

4500

"environment": { # Defines an object for the environment field in in-toto links. The suggested # This is a field that can be used to capture information about the

4501

# environment. It is suggested for this field to contain information that

4502

# details environment variables, filesystem information, and the present

4503

# working directory. The recommended structure of this field is:

4504

# "environment": {

4505

# "custom_values": {

4506

# "variables": "<ENV>",

4507

# "filesystem": "<FS>",

4508

# "workdir": "<CWD>",

4509

# "<ANY OTHER RELEVANT FIELDS>": "..."

4510

# }

4511

# }

4512

# fields are "variables", "filesystem", and "workdir".

"customValues": {

"a_key": "A String",

},

},

"materials": [ # Materials are the supply chain artifacts that go into the step and are used

4518

# for the operation performed. The key of the map is the path of the artifact

4519

# and the structure contains the recorded hash information. An example is:

4520

# "materials": [

4521

# {

4522

# "resource_uri": "foo/bar",

4523

# "hashes": {

4524

# "sha256": "ebebf...",

4525

# <OTHER HASH ALGORITHMS>: <HASH VALUE>

# }

# }

# ]

{

"hashes": { # Defines a hash object for use in Materials and Products.

4531

"sha256": "A String",

4532

},

4533

"resourceUri": "A String",

4534

},

4535

],

4536

"products": [ # Products are the supply chain artifacts generated as a result of the step.

4537

# The structure is identical to that of materials.

4538

{

4539

"hashes": { # Defines a hash object for use in Materials and Products.

4540

"sha256": "A String",

4541

},

4542

"resourceUri": "A String",

4543

},

4544

],

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame^]

4545

"byproducts": { # Defines an object for the byproducts field in in-toto links. The suggested # ByProducts are data generated as part of a software supply chain step, but

4546

# are not the actual result of the step.

4547

# fields are "stderr", "stdout", and "return-value".

"customValues": {

"a_key": "A String",

},

},

"command": [ # This field contains the full command executed for the step. This can also

4553

# be empty if links are generated for operations that aren't directly mapped

4554

# to a specific command. Each term in the command is an independent string

4555

# in the list. An example of a command in the in-toto metadata field is:

4556

# "command": ["git", "clone", "https://github.com/in-toto/demo-project.git"]

4557

"A String",

4558

],

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

4559

},

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame^]

4560

},

4561

"resource": { # An entity that can have metadata. For example, a Docker image. # Required. Immutable. The resource for which the occurrence applies.

4562

"contentHash": { # Container message for hash values. # Deprecated, do not use. Use uri instead.

4563

#

4564

# The hash of the resource content. For example, the Docker digest.

4565

"type": "A String", # Required. The type of hash that was performed.

4566

"value": "A String", # Required. The hash value.

4567

},

4568

"uri": "A String", # Required. The unique URI of the resource. For example,

4569

# `https://gcr.io/project/image@sha256:foo` for a Docker image.

4570

"name": "A String", # Deprecated, do not use. Use uri instead.

4571

#

4572

# The name of the resource. For example, the name of a Docker image -

4573

# "Debian".

4574

},

4575

"attestation": { # Details of an attestation occurrence. # Describes an attestation of an artifact.

4576

"attestation": { # Occurrence that represents a single "attestation". The authenticity of an # Required. Attestation for the resource.

4577

# attestation can be verified using the attached signature. If the verifier

4578

# trusts the public key of the signer, then verifying the signature is

4579

# sufficient to establish trust. In this circumstance, the authority to which

4580

# this attestation is attached is primarily useful for look-up (how to find

4581

# this attestation if you already know the authority and artifact to be

4582

# verified) and intent (which authority was this attestation intended to sign

4583

# for).

4584

"genericSignedAttestation": { # An attestation wrapper that uses the Grafeas `Signature` message.

4585

# This attestation must define the `serialized_payload` that the `signatures`

4586

# verify and any metadata necessary to interpret that plaintext. The

4587

# signatures should always be over the `serialized_payload` bytestring.

4588

"contentType": "A String", # Type (for example schema) of the attestation payload that was signed.

4589

# The verifier must ensure that the provided type is one that the verifier

4590

# supports, and that the attestation payload is a valid instantiation of that

4591

# type (for example by validating a JSON schema).

4592

"signatures": [ # One or more signatures over `serialized_payload`. Verifier implementations

4593

# should consider this attestation message verified if at least one

4594

# `signature` verifies `serialized_payload`. See `Signature` in common.proto

4595

# for more details on signature structure and verification.

4596

{ # Verifiers (e.g. Kritis implementations) MUST verify signatures

4597

# with respect to the trust anchors defined in policy (e.g. a Kritis policy).

4598

# Typically this means that the verifier has been configured with a map from

4599

# `public_key_id` to public key material (and any required parameters, e.g.

4600

# signing algorithm).

4601

#

4602

# In particular, verification implementations MUST NOT treat the signature

4603

# `public_key_id` as anything more than a key lookup hint. The `public_key_id`

4604

# DOES NOT validate or authenticate a public key; it only provides a mechanism

4605

# for quickly selecting a public key ALREADY CONFIGURED on the verifier through

4606

# a trusted channel. Verification implementations MUST reject signatures in any

4607

# of the following circumstances:

4608

# * The `public_key_id` is not recognized by the verifier.

4609

# * The public key that `public_key_id` refers to does not verify the

4610

# signature with respect to the payload.

4611

#

4612

# The `signature` contents SHOULD NOT be "attached" (where the payload is

4613

# included with the serialized `signature` bytes). Verifiers MUST ignore any

4614

# "attached" payload and only verify signatures with respect to explicitly

4615

# provided payload (e.g. a `payload` field on the proto message that holds

4616

# this Signature, or the canonical serialization of the proto message that

4617

# holds this signature).

4618

"publicKeyId": "A String", # The identifier for the public key that verifies this signature.

4619

# * The `public_key_id` is required.

4620

# * The `public_key_id` SHOULD be an RFC3986 conformant URI.

4621

# * When possible, the `public_key_id` SHOULD be an immutable reference,

4622

# such as a cryptographic digest.

4623

#

4624

# Examples of valid `public_key_id`s:

4625

#

4626

# OpenPGP V4 public key fingerprint:

4627

# * "openpgp4fpr:74FAF3B861BDA0870C7B6DEF607E48D2A663AEEA"

4628

# See https://www.iana.org/assignments/uri-schemes/prov/openpgp4fpr for more

4629

# details on this scheme.

4630

#

4631

# RFC6920 digest-named SubjectPublicKeyInfo (digest of the DER

4632

# serialization):

4633

# * "ni:///sha-256;cD9o9Cq6LG3jD0iKXqEi_vdjJGecm_iXkbqVoScViaU"

4634

# * "nih:///sha-256;703f68f42aba2c6de30f488a5ea122fef76324679c9bf89791ba95a1271589a5"

4635

"signature": "A String", # The content of the signature, an opaque bytestring.

4636

# The payload that this signature verifies MUST be unambiguously provided

4637

# with the Signature during verification. A wrapper message might provide

4638

# the payload explicitly. Alternatively, a message might have a canonical

4639

# serialization that can always be unambiguously computed to derive the

# payload.

},

],

"serializedPayload": "A String", # The serialized payload that is verified by one or more `signatures`.

4644

# The encoding and semantic meaning of this payload must match what is set in

4645

# `content_type`.

4646

},

4647

"pgpSignedAttestation": { # An attestation wrapper with a PGP-compatible signature. This message only # A PGP signed attestation.

4648

# supports `ATTACHED` signatures, where the payload that is signed is included

4649

# alongside the signature itself in the same file.

4650

"signature": "A String", # Required. The raw content of the signature, as output by GNU Privacy Guard

4651

# (GPG) or equivalent. Since this message only supports attached signatures,

4652

# the payload that was signed must be attached. While the signature format

4653

# supported is dependent on the verification implementation, currently only

4654

# ASCII-armored (`--armor` to gpg), non-clearsigned (`--sign` rather than

4655

# `--clearsign` to gpg) are supported. Concretely, `gpg --sign --armor

4656

# --output=signature.gpg payload.json` will create the signature content

4657

# expected in this field in `signature.gpg` for the `payload.json`

4658

# attestation payload.

4659

"contentType": "A String", # Type (for example schema) of the attestation payload that was signed.

4660

# The verifier must ensure that the provided type is one that the verifier

4661

# supports, and that the attestation payload is a valid instantiation of that

4662

# type (for example by validating a JSON schema).

4663

"pgpKeyId": "A String", # The cryptographic fingerprint of the key used to generate the signature,

4664

# as output by, e.g. `gpg --list-keys`. This should be the version 4, full

4665

# 160-bit fingerprint, expressed as a 40 character hexidecimal string. See

4666

# https://tools.ietf.org/html/rfc4880#section-12.2 for details.

4667

# Implementations may choose to acknowledge "LONG", "SHORT", or other

4668

# abbreviated key IDs, but only the full fingerprint is guaranteed to work.

4669

# In gpg, the full fingerprint can be retrieved from the `fpr` field

4670

# returned when calling --list-keys with --with-colons. For example:

4671

# ```

4672

# gpg --with-colons --with-fingerprint --force-v4-certs \

4673

# --list-keys attester@example.com

4674

# tru::1:1513631572:0:3:1:5

4675

# pub:...<SNIP>...

4676

# fpr:::::::::24FF6481B76AC91E66A00AC657A93A81EF3AE6FB:

4677

# ```

4678

# Above, the fingerprint is `24FF6481B76AC91E66A00AC657A93A81EF3AE6FB`.

},

},

},

"deployment": { # Details of a deployment occurrence. # Describes the deployment of an artifact on a runtime.

4683

"deployment": { # The period during which some deployable was active in a runtime. # Required. Deployment history for the resource.

4684

"undeployTime": "A String", # End of the lifetime of this deployment.

4685

"userEmail": "A String", # Identity of the user that triggered this deployment.

4686

"resourceUri": [ # Output only. Resource URI for the artifact being deployed taken from

4687

# the deployable field with the same name.

4688

"A String",

4689

],

4690

"platform": "A String", # Platform hosting this deployment.

4691

"config": "A String", # Configuration used to create this deployment.

4692

"deployTime": "A String", # Required. Beginning of the lifetime of this deployment.

4693

"address": "A String", # Address of the runtime element hosting this deployment.

4694

},

4695

},

4696

"noteName": "A String", # Required. Immutable. The analysis note associated with this occurrence, in

4697

# the form of `projects/[PROVIDER_ID]/notes/[NOTE_ID]`. This field can be

4698

# used as a filter in list requests.

4699

"installation": { # Details of a package occurrence. # Describes the installation of a package on the linked resource.

4700

"installation": { # This represents how a particular software package may be installed on a # Required. Where the package was installed.

4701

# system.

4702

"name": "A String", # Output only. The name of the installed package.

4703

"location": [ # Required. All of the places within the filesystem versions of this package

4704

# have been found.

4705

{ # An occurrence of a particular package installation found within a system's

4706

# filesystem. E.g., glibc was found in `/var/lib/dpkg/status`.

4707

"path": "A String", # The path from which we gathered that this package/version is installed.

4708

"cpeUri": "A String", # Required. The CPE URI in [CPE format](https://cpe.mitre.org/specification/)

4709

# denoting the package manager version distributing a package.

4710

"version": { # Version contains structured information about the version of a package. # The version installed at this location.

4711

"kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal

4712

# versions.

4713

"revision": "A String", # The iteration of the package build from the above version.

4714

"epoch": 42, # Used to correct mistakes in the version numbering scheme.

4715

"name": "A String", # Required only when version kind is NORMAL. The main part of the version

# name.

},

},

],

},

},

"vulnerability": { # Details of a vulnerability Occurrence. # Describes a security vulnerability.

4723

"shortDescription": "A String", # Output only. A one sentence description of this vulnerability.

4724

"relatedUrls": [ # Output only. URLs related to this vulnerability.

4725

{ # Metadata for any related URL information.

4726

"url": "A String", # Specific URL associated with the resource.

4727

"label": "A String", # Label to describe usage of the URL.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

4728

},

4729

],

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame^]

4730

"effectiveSeverity": "A String", # The distro assigned severity for this vulnerability when it is

4731

# available, and note provider assigned severity when distro has not yet

4732

# assigned a severity for this vulnerability.

4733

"severity": "A String", # Output only. The note provider assigned Severity of the vulnerability.

4734

"type": "A String", # The type of package; whether native or non native(ruby gems, node.js

4735

# packages etc)

4736

"longDescription": "A String", # Output only. A detailed description of this vulnerability.

4737

"cvssScore": 3.14, # Output only. The CVSS score of this vulnerability. CVSS score is on a

4738

# scale of 0-10 where 0 indicates low severity and 10 indicates high

4739

# severity.

4740

"packageIssue": [ # Required. The set of affected locations and their fixes (if available)

4741

# within the associated resource.

4742

{ # This message wraps a location affected by a vulnerability and its

4743

# associated fix (if one is available).

4744

"fixedLocation": { # The location of the vulnerability. # The location of the available fix for vulnerability.

4745

"package": "A String", # Required. The package being described.

4746

"cpeUri": "A String", # Required. The CPE URI in [cpe format](https://cpe.mitre.org/specification/)

4747

# format. Examples include distro or storage location for vulnerable jar.

4748

"version": { # Version contains structured information about the version of a package. # Required. The version of the package being described.

4749

"kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal

4750

# versions.

4751

"revision": "A String", # The iteration of the package build from the above version.

4752

"epoch": 42, # Used to correct mistakes in the version numbering scheme.

4753

"name": "A String", # Required only when version kind is NORMAL. The main part of the version

# name.

},

},

"severityName": "A String", # Deprecated, use Details.effective_severity instead

4758

# The severity (e.g., distro assigned severity) for this vulnerability.

4759

"affectedLocation": { # The location of the vulnerability. # Required. The location of the vulnerability.

4760

"package": "A String", # Required. The package being described.

4761

"cpeUri": "A String", # Required. The CPE URI in [cpe format](https://cpe.mitre.org/specification/)

4762

# format. Examples include distro or storage location for vulnerable jar.

4763

"version": { # Version contains structured information about the version of a package. # Required. The version of the package being described.

4764

"kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal

4765

# versions.

4766

"revision": "A String", # The iteration of the package build from the above version.

4767

"epoch": 42, # Used to correct mistakes in the version numbering scheme.

4768

"name": "A String", # Required only when version kind is NORMAL. The main part of the version

# name.

},

},

},

],

},

"discovered": { # Details of a discovery occurrence. # Describes when a resource was discovered.

4776

"discovered": { # Provides information about the analysis status of a discovered resource. # Required. Analysis status for the discovered resource.

4777

"lastAnalysisTime": "A String", # The last time continuous analysis was done for this resource.

4778

# Deprecated, do not use.

4779

"analysisStatusError": { # The `Status` type defines a logical error model that is suitable for # When an error is encountered this will contain a LocalizedMessage under

4780

# details to show to the user. The LocalizedMessage is output only and

4781

# populated by the API.

4782

# different programming environments, including REST APIs and RPC APIs. It is

4783

# used by [gRPC](https://github.com/grpc). Each `Status` message contains

4784

# three pieces of data: error code, error message, and error details.

4785

#

4786

# You can find out more about this error model and how to work with it in the

4787

# [API Design Guide](https://cloud.google.com/apis/design/errors).

4788

"message": "A String", # A developer-facing error message, which should be in English. Any

4789

# user-facing error message should be localized and sent in the

4790

# google.rpc.Status.details field, or localized by the client.

4791

"code": 42, # The status code, which should be an enum value of google.rpc.Code.

4792

"details": [ # A list of messages that carry the error details. There is a common set of

4793

# message types for APIs to use.

4794

{

4795

"a_key": "", # Properties of the object. Contains field @type with type URL.

},

],

},

"continuousAnalysis": "A String", # Whether the resource is continuously analyzed.

4800

"analysisStatus": "A String", # The status of discovery for the resource.

4801

},

4802

},

4803

"updateTime": "A String", # Output only. The time this occurrence was last updated.

4804

"build": { # Details of a build occurrence. # Describes a verifiable build.

4805

"provenance": { # Provenance of a build. Contains all information needed to verify the full # Required. The actual provenance for the build.

4806

# details about the build from source to completion.

4807

"endTime": "A String", # Time at which execution of the build was finished.

4808

"builderVersion": "A String", # Version string of the builder at the time this build was executed.

4809

"startTime": "A String", # Time at which execution of the build was started.

4810

"creator": "A String", # E-mail address of the user who initiated this build. Note that this was the

4811

# user's e-mail address at the time the build was initiated; this address may

4812

# not represent the same end-user for all time.

4813

"logsUri": "A String", # URI where any logs for this provenance were written.

4814

"builtArtifacts": [ # Output of the build.

4815

{ # Artifact describes a build product.

4816

"names": [ # Related artifact names. This may be the path to a binary or jar file, or in

4817

# the case of a container build, the name used to push the container image to

4818

# Google Container Registry, as presented to `docker push`. Note that a

4819

# single Artifact ID can have multiple names, for example if two tags are

4820

# applied to one image.

4821

"A String",

4822

],

4823

"id": "A String", # Artifact ID, if any; for container images, this will be a URL by digest

4824

# like `gcr.io/projectID/imagename@sha256:123456`.

4825

"checksum": "A String", # Hash or checksum value of a binary, or Docker Registry 2.0 digest of a

# container.

},

],

"buildOptions": { # Special options applied to this build. This is a catch-all field where

4830

# build providers can enter any desired additional details.

4831

"a_key": "A String",

4832

},

4833

"id": "A String", # Required. Unique identifier of the build.

4834

"projectId": "A String", # ID of the project.

4835

"commands": [ # Commands requested by the build.

4836

{ # Command describes a step performed as part of the build pipeline.

4837

"waitFor": [ # The ID(s) of the command(s) that this command depends on.

4838

"A String",

4839

],

4840

"id": "A String", # Optional unique identifier for this command, used in wait_for to reference

4841

# this command as a dependency.

4842

"dir": "A String", # Working directory (relative to project source root) used when running this

4843

# command.

4844

"args": [ # Command-line arguments used when executing this command.

4845

"A String",

4846

],

4847

"name": "A String", # Required. Name of the command, as presented on the command line, or if the

4848

# command is packaged as a Docker container, as presented to `docker pull`.

4849

"env": [ # Environment variables set before running this command.

"A String",

],

},

],

"sourceProvenance": { # Source describes the location of the source used for the build. # Details of the Source input to the build.

4855

"context": { # A SourceContext is a reference to a tree of files. A SourceContext together # If provided, the source code used for the build came from this location.

4856

# with a path point to a unique revision of a single file or directory.

4857

"labels": { # Labels with user defined metadata.

4858

"a_key": "A String",

4859

},

4860

"gerrit": { # A SourceContext referring to a Gerrit project. # A SourceContext referring to a Gerrit project.

4861

"hostUri": "A String", # The URI of a running Gerrit instance.

4862

"revisionId": "A String", # A revision (commit) ID.

4863

"gerritProject": "A String", # The full project name within the host. Projects may be nested, so

4864

# "project/subproject" is a valid project name. The "repo name" is the

4865

# hostURI/project.

4866

"aliasContext": { # An alias to a repo revision. # An alias, which may be a branch or tag.

4867

"kind": "A String", # The alias kind.

4868

"name": "A String", # The alias name.

4869

},

4870

},

4871

"git": { # A GitSourceContext denotes a particular revision in a third party Git # A SourceContext referring to any third party Git repo (e.g., GitHub).

4872

# repository (e.g., GitHub).

4873

"revisionId": "A String", # Git commit hash.

4874

"url": "A String", # Git repository URL.

4875

},

4876

"cloudRepo": { # A CloudRepoSourceContext denotes a particular revision in a Google Cloud # A SourceContext referring to a revision in a Google Cloud Source Repo.

4877

# Source Repo.

4878

"revisionId": "A String", # A revision ID.

4879

"repoId": { # A unique identifier for a Cloud Repo. # The ID of the repo.

4880

"uid": "A String", # A server-assigned, globally unique identifier.

4881

"projectRepoId": { # Selects a repo using a Google Cloud Platform project ID (e.g., # A combination of a project ID and a repo name.

4882

# winged-cargo-31) and a repo name within that project.

4883

"projectId": "A String", # The ID of the project.

4884

"repoName": "A String", # The name of the repo. Leave empty for the default repo.

4885

},

4886

},

4887

"aliasContext": { # An alias to a repo revision. # An alias, which may be a branch or tag.

4888

"kind": "A String", # The alias kind.

4889

"name": "A String", # The alias name.

},

},

},

"artifactStorageSourceUri": "A String", # If provided, the input binary artifacts for the build came from this

4894

# location.

4895

"fileHashes": { # Hash(es) of the build source, which can be used to verify that the original

4896

# source integrity was maintained in the build.

4897

#

4898

# The keys to this map are file paths used as build source and the values

4899

# contain the hash values for those files.

4900

#

4901

# If the build source came in a single package such as a gzipped tarfile

4902

# (.tar.gz), the FileHash will be for the single path to that file.

4903

"a_key": { # Container message for hashes of byte content of files, used in source

4904

# messages to verify integrity of source input to the build.

4905

"fileHash": [ # Required. Collection of file hashes.

4906

{ # Container message for hash values.

4907

"type": "A String", # Required. The type of hash that was performed.

4908

"value": "A String", # Required. The hash value.

},

],

},

},

"additionalContexts": [ # If provided, some of the source code used for the build may be found in

4914

# these locations, in the case where the source repository had multiple

4915

# remotes or submodules. This list will not include the context specified in

4916

# the context field.

4917

{ # A SourceContext is a reference to a tree of files. A SourceContext together

4918

# with a path point to a unique revision of a single file or directory.

4919

"labels": { # Labels with user defined metadata.

4920

"a_key": "A String",

4921

},

4922

"gerrit": { # A SourceContext referring to a Gerrit project. # A SourceContext referring to a Gerrit project.

4923

"hostUri": "A String", # The URI of a running Gerrit instance.

4924

"revisionId": "A String", # A revision (commit) ID.

4925

"gerritProject": "A String", # The full project name within the host. Projects may be nested, so

4926

# "project/subproject" is a valid project name. The "repo name" is the

4927

# hostURI/project.

4928

"aliasContext": { # An alias to a repo revision. # An alias, which may be a branch or tag.

4929

"kind": "A String", # The alias kind.

4930

"name": "A String", # The alias name.

4931

},

4932

},

4933

"git": { # A GitSourceContext denotes a particular revision in a third party Git # A SourceContext referring to any third party Git repo (e.g., GitHub).

4934

# repository (e.g., GitHub).

4935

"revisionId": "A String", # Git commit hash.

4936

"url": "A String", # Git repository URL.

4937

},

4938

"cloudRepo": { # A CloudRepoSourceContext denotes a particular revision in a Google Cloud # A SourceContext referring to a revision in a Google Cloud Source Repo.

4939

# Source Repo.

4940

"revisionId": "A String", # A revision ID.

4941

"repoId": { # A unique identifier for a Cloud Repo. # The ID of the repo.

4942

"uid": "A String", # A server-assigned, globally unique identifier.

4943

"projectRepoId": { # Selects a repo using a Google Cloud Platform project ID (e.g., # A combination of a project ID and a repo name.

4944

# winged-cargo-31) and a repo name within that project.

4945

"projectId": "A String", # The ID of the project.

4946

"repoName": "A String", # The name of the repo. Leave empty for the default repo.

4947

},

4948

},

4949

"aliasContext": { # An alias to a repo revision. # An alias, which may be a branch or tag.

4950

"kind": "A String", # The alias kind.

4951

"name": "A String", # The alias name.

},

},

},

],

},

"triggerId": "A String", # Trigger identifier if the build was triggered automatically; empty if not.

4958

"createTime": "A String", # Time at which the build was created.

4959

},

4960

"provenanceBytes": "A String", # Serialized JSON representation of the provenance, used in generating the

4961

# build signature in the corresponding build note. After verifying the

4962

# signature, `provenance_bytes` can be unmarshalled and compared to the

4963

# provenance to confirm that it is unchanged. A base64-encoded string

4964

# representation of the provenance bytes is used for the signature in order

4965

# to interoperate with openssl which expects this format for signature

4966

# verification.

4967

#

4968

# The serialized form is captured both to avoid ambiguity in how the

4969

# provenance is marshalled to json as well to prevent incompatibilities with

4970

# future changes.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

4971

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

4972

"derivedImage": { # Details of an image occurrence. # Describes how this resource derives from the basis in the associated

4973

# note.

4974

"derivedImage": { # Derived describes the derived image portion (Occurrence) of the DockerImage # Required. Immutable. The child image derived from the base image.

4975

# relationship. This image would be produced from a Dockerfile with FROM

4976

# <DockerImage.Basis in attached Note>.

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame^]

4977

"baseResourceUrl": "A String", # Output only. This contains the base image URL for the derived image

4978

# occurrence.

4979

"distance": 42, # Output only. The number of layers by which this image differs from the

4980

# associated image basis.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

4981

"layerInfo": [ # This contains layer-specific metadata, if populated it has length

4982

# "distance" and is ordered with [distance] being the layer immediately

4983

# following the base image and [1] being the final layer.

4984

{ # Layer holds metadata specific to a layer of a Docker image.

4985

"directive": "A String", # Required. The recovered Dockerfile directive used to construct this layer.

4986

"arguments": "A String", # The recovered arguments to the Dockerfile directive.

4987

},

4988

],

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame^]

4989

"fingerprint": { # A set of properties that uniquely identify a given Docker image. # Required. The fingerprint of the derived image.

4990

"v1Name": "A String", # Required. The layer ID of the final layer in the Docker image's v1

4991

# representation.

4992

"v2Blob": [ # Required. The ordered list of v2 blobs that represent a given image.

4993

"A String",

4994

],

4995

"v2Name": "A String", # Output only. The name of the image's v2 blobs computed via:

4996

# [bottom] := v2_blobbottom := sha256(v2_blob[N] + " " + v2_name[N+1])

4997

# Only the name of the final blob is kept.

4998

},

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

4999

},

5000

},

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame^]

5001

"kind": "A String", # Output only. This explicitly denotes which of the occurrence details are

5002

# specified. This field can be used as a filter in list requests.

5003

"remediation": "A String", # A description of actions that can be taken to remedy the note.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

}</pre>

</div>

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

5008

<code class="details" id="setIamPolicy">setIamPolicy(resource, body=None, x__xgafv=None)</code>

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

5009

<pre>Sets the access control policy on the specified note or occurrence.

5010

Requires `containeranalysis.notes.setIamPolicy` or

5011

`containeranalysis.occurrences.setIamPolicy` permission if the resource is

5012

a note or an occurrence, respectively.

5013

5014

The resource takes the format `projects/[PROJECT_ID]/notes/[NOTE_ID]` for

5015

notes and `projects/[PROJECT_ID]/occurrences/[OCCURRENCE_ID]` for

occurrences.

Args:

resource: string, REQUIRED: The resource for which the policy is being specified.

5020

See the operation documentation for the appropriate value for this field. (required)

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

5021

body: object, The request body.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

5022

The object takes the form of:

5023

5024

{ # Request message for `SetIamPolicy` method.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

5025

"policy": { # An Identity and Access Management (IAM) policy, which specifies access # REQUIRED: The complete policy to be applied to the `resource`. The size of

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

5026

# the policy is limited to a few 10s of KB. An empty policy is a

5027

# valid policy but certain Cloud Platform services (such as Projects)

5028

# might reject them.

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

5029

# controls for Google Cloud resources.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

5030

#

5031

#

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

5032

# A `Policy` is a collection of `bindings`. A `binding` binds one or more

5033

# `members` to a single `role`. Members can be user accounts, service accounts,

5034

# Google groups, and domains (such as G Suite). A `role` is a named list of

5035

# permissions; each `role` can be an IAM predefined role or a user-created

5036

# custom role.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

5037

#

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

5038

# For some types of Google Cloud resources, a `binding` can also specify a

5039

# `condition`, which is a logical expression that allows access to a resource

5040

# only if the expression evaluates to `true`. A condition can add constraints

5041

# based on attributes of the request, the resource, or both. To learn which

5042

# resources support conditions in their IAM policies, see the

5043

# [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies).

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

5044

#

5045

# **JSON example:**

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

5046

#

5047

# {

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

5048

# "bindings": [

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

5049

# {

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

5050

# "role": "roles/resourcemanager.organizationAdmin",

5051

# "members": [

5052

# "user:mike@example.com",

5053

# "group:admins@example.com",

5054

# "domain:google.com",

5055

# "serviceAccount:my-project-id@appspot.gserviceaccount.com"

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

5056

# ]

5057

# },

5058

# {

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

5059

# "role": "roles/resourcemanager.organizationViewer",

5060

# "members": [

5061

# "user:eve@example.com"

5062

# ],

5063

# "condition": {

5064

# "title": "expirable access",

5065

# "description": "Does not grant access after Sep 2020",

5066

# "expression": "request.time < timestamp('2020-10-01T00:00:00.000Z')",

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

5067

# }

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

5068

# }

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

5069

# ],

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

5070

# "etag": "BwWWja0YfJA=",

5071

# "version": 3

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

5072

# }

5073

#

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

5074

# **YAML example:**

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

#

# bindings:

# - members:

# - user:mike@example.com

5079

# - group:admins@example.com

5080

# - domain:google.com

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

5081

# - serviceAccount:my-project-id@appspot.gserviceaccount.com

5082

# role: roles/resourcemanager.organizationAdmin

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

5083

# - members:

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

5084

# - user:eve@example.com

5085

# role: roles/resourcemanager.organizationViewer

5086

# condition:

5087

# title: expirable access

5088

# description: Does not grant access after Sep 2020

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

5089

# expression: request.time < timestamp('2020-10-01T00:00:00.000Z')

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

5090

# - etag: BwWWja0YfJA=

5091

# - version: 3

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

5092

#

5093

# For a description of IAM and its features, see the

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

5094

# [IAM documentation](https://cloud.google.com/iam/docs/).

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

5095

"etag": "A String", # `etag` is used for optimistic concurrency control as a way to help

5096

# prevent simultaneous updates of a policy from overwriting each other.

5097

# It is strongly suggested that systems make use of the `etag` in the

5098

# read-modify-write cycle to perform policy updates in order to avoid race

5099

# conditions: An `etag` is returned in the response to `getIamPolicy`, and

5100

# systems are expected to put that etag in the request to `setIamPolicy` to

5101

# ensure that their change will be applied to the same version of the policy.

5102

#

5103

# **Important:** If you use IAM Conditions, you must include the `etag` field

5104

# whenever you call `setIamPolicy`. If you omit this field, then IAM allows

5105

# you to overwrite a version `3` policy with a version `1` policy, and all of

5106

# the conditions in the version `3` policy are lost.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

5107

"version": 42, # Specifies the format of the policy.

5108

#

5109

# Valid values are `0`, `1`, and `3`. Requests that specify an invalid value

5110

# are rejected.

5111

#

5112

# Any operation that affects conditional role bindings must specify version

5113

# `3`. This requirement applies to the following operations:

5114

#

5115

# * Getting a policy that includes a conditional role binding

5116

# * Adding a conditional role binding to a policy

5117

# * Changing a conditional role binding in a policy

5118

# * Removing any role binding, with or without a condition, from a policy

5119

# that includes conditions

5120

#

5121

# **Important:** If you use IAM Conditions, you must include the `etag` field

5122

# whenever you call `setIamPolicy`. If you omit this field, then IAM allows

5123

# you to overwrite a version `3` policy with a version `1` policy, and all of

5124

# the conditions in the version `3` policy are lost.

5125

#

5126

# If a policy does not include any conditions, operations on that policy may

5127

# specify any valid version or leave the field unset.

5128

#

5129

# To learn which resources support conditions in their IAM policies, see the

5130

# [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies).

5131

"bindings": [ # Associates a list of `members` to a `role`. Optionally, may specify a

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

5132

# `condition` that determines how and when the `bindings` are applied. Each

5133

# of the `bindings` must contain at least one member.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

5134

{ # Associates `members` with a `role`.

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame^]

5135

"members": [ # Specifies the identities requesting access for a Cloud Platform resource.

5136

# `members` can have the following values:

5137

#

5138

# * `allUsers`: A special identifier that represents anyone who is

5139

# on the internet; with or without a Google account.

5140

#

5141

# * `allAuthenticatedUsers`: A special identifier that represents anyone

5142

# who is authenticated with a Google account or a service account.

5143

#

5144

# * `user:{emailid}`: An email address that represents a specific Google

5145

# account. For example, `alice@example.com` .

5146

#

5147

#

5148

# * `serviceAccount:{emailid}`: An email address that represents a service

5149

# account. For example, `my-other-app@appspot.gserviceaccount.com`.

5150

#

5151

# * `group:{emailid}`: An email address that represents a Google group.

5152

# For example, `admins@example.com`.

5153

#

5154

# * `deleted:user:{emailid}?uid={uniqueid}`: An email address (plus unique

5155

# identifier) representing a user that has been recently deleted. For

5156

# example, `alice@example.com?uid=123456789012345678901`. If the user is

5157

# recovered, this value reverts to `user:{emailid}` and the recovered user

5158

# retains the role in the binding.

5159

#

5160

# * `deleted:serviceAccount:{emailid}?uid={uniqueid}`: An email address (plus

5161

# unique identifier) representing a service account that has been recently

5162

# deleted. For example,

5163

# `my-other-app@appspot.gserviceaccount.com?uid=123456789012345678901`.

5164

# If the service account is undeleted, this value reverts to

5165

# `serviceAccount:{emailid}` and the undeleted service account retains the

5166

# role in the binding.

5167

#

5168

# * `deleted:group:{emailid}?uid={uniqueid}`: An email address (plus unique

5169

# identifier) representing a Google group that has been recently

5170

# deleted. For example, `admins@example.com?uid=123456789012345678901`. If

5171

# the group is recovered, this value reverts to `group:{emailid}` and the

5172

# recovered group retains the role in the binding.

5173

#

5174

#

5175

# * `domain:{domain}`: The G Suite domain (primary) that represents all the

5176

# users of that domain. For example, `google.com` or `example.com`.

5177

#

5178

"A String",

5179

],

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

5180

"condition": { # Represents a textual expression in the Common Expression Language (CEL) # The condition that is associated with this binding.

5181

#

5182

# If the condition evaluates to `true`, then this binding applies to the

5183

# current request.

5184

#

5185

# If the condition evaluates to `false`, then this binding does not apply to

5186

# the current request. However, a different role binding might grant the same

5187

# role to one or more of the members in this binding.

5188

#

5189

# To learn which resources support conditions in their IAM policies, see the

5190

# [IAM

5191

# documentation](https://cloud.google.com/iam/help/conditions/resource-policies).

5192

# syntax. CEL is a C-like expression language. The syntax and semantics of CEL

5193

# are documented at https://github.com/google/cel-spec.

5194

#

5195

# Example (Comparison):

5196

#

5197

# title: "Summary size limit"

5198

# description: "Determines if a summary is less than 100 chars"

5199

# expression: "document.summary.size() < 100"

5200

#

5201

# Example (Equality):

5202

#

5203

# title: "Requestor is owner"

5204

# description: "Determines if requestor is the document owner"

5205

# expression: "document.owner == request.auth.claims.email"

#

# Example (Logic):

#

# title: "Public documents"

5210

# description: "Determine whether the document should be publicly visible"

5211

# expression: "document.type != 'private' && document.type != 'internal'"

5212

#

5213

# Example (Data Manipulation):

5214

#

5215

# title: "Notification string"

5216

# description: "Create a notification string with a timestamp."

5217

# expression: "'New message received at ' + string(document.create_time)"

5218

#

5219

# The exact variables and functions that may be referenced within an expression

5220

# are determined by the service that evaluates it. See the service

5221

# documentation for additional information.

5222

"description": "A String", # Optional. Description of the expression. This is a longer text which

5223

# describes the expression, e.g. when hovered over it in a UI.

5224

"expression": "A String", # Textual representation of an expression in Common Expression Language

5225

# syntax.

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame^]

5226

"location": "A String", # Optional. String indicating the location of the expression for error

5227

# reporting, e.g. a file name and a position in the file.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

5228

"title": "A String", # Optional. Title for the expression, i.e. a short string describing

5229

# its purpose. This can be used e.g. in UIs which allow to enter the

5230

# expression.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

5231

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

5232

"role": "A String", # Role that is assigned to `members`.

5233

# For example, `roles/viewer`, `roles/editor`, or `roles/owner`.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

5234

},

5235

],

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

5236

},

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

5237

}

5238

5239

x__xgafv: string, V1 error format.

Allowed values

1 - v1 error format

2 - v2 error format

Returns:

An object of the form:

5246

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

5247

{ # An Identity and Access Management (IAM) policy, which specifies access

5248

# controls for Google Cloud resources.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

5249

#

5250

#

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

5251

# A `Policy` is a collection of `bindings`. A `binding` binds one or more

5252

# `members` to a single `role`. Members can be user accounts, service accounts,

5253

# Google groups, and domains (such as G Suite). A `role` is a named list of

5254

# permissions; each `role` can be an IAM predefined role or a user-created

5255

# custom role.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

5256

#

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

5257

# For some types of Google Cloud resources, a `binding` can also specify a

5258

# `condition`, which is a logical expression that allows access to a resource

5259

# only if the expression evaluates to `true`. A condition can add constraints

5260

# based on attributes of the request, the resource, or both. To learn which

5261

# resources support conditions in their IAM policies, see the

5262

# [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies).

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

5263

#

5264

# **JSON example:**

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

5265

#

5266

# {

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

5267

# "bindings": [

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

5268

# {

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

5269

# "role": "roles/resourcemanager.organizationAdmin",

5270

# "members": [

5271

# "user:mike@example.com",

5272

# "group:admins@example.com",

5273

# "domain:google.com",

5274

# "serviceAccount:my-project-id@appspot.gserviceaccount.com"

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

5275

# ]

5276

# },

5277

# {

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

5278

# "role": "roles/resourcemanager.organizationViewer",

5279

# "members": [

5280

# "user:eve@example.com"

5281

# ],

5282

# "condition": {

5283

# "title": "expirable access",

5284

# "description": "Does not grant access after Sep 2020",

5285

# "expression": "request.time < timestamp('2020-10-01T00:00:00.000Z')",

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

5286

# }

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

5287

# }

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

5288

# ],

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

5289

# "etag": "BwWWja0YfJA=",

5290

# "version": 3

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

5291

# }

5292

#

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

5293

# **YAML example:**

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

#

# bindings:

# - members:

# - user:mike@example.com

5298

# - group:admins@example.com

5299

# - domain:google.com

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

5300

# - serviceAccount:my-project-id@appspot.gserviceaccount.com

5301

# role: roles/resourcemanager.organizationAdmin

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

5302

# - members:

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

5303

# - user:eve@example.com

5304

# role: roles/resourcemanager.organizationViewer

5305

# condition:

5306

# title: expirable access

5307

# description: Does not grant access after Sep 2020

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

5308

# expression: request.time < timestamp('2020-10-01T00:00:00.000Z')

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

5309

# - etag: BwWWja0YfJA=

5310

# - version: 3

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

5311

#

5312

# For a description of IAM and its features, see the

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

5313

# [IAM documentation](https://cloud.google.com/iam/docs/).

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

5314

"etag": "A String", # `etag` is used for optimistic concurrency control as a way to help

5315

# prevent simultaneous updates of a policy from overwriting each other.

5316

# It is strongly suggested that systems make use of the `etag` in the

5317

# read-modify-write cycle to perform policy updates in order to avoid race

5318

# conditions: An `etag` is returned in the response to `getIamPolicy`, and

5319

# systems are expected to put that etag in the request to `setIamPolicy` to

5320

# ensure that their change will be applied to the same version of the policy.

5321

#

5322

# **Important:** If you use IAM Conditions, you must include the `etag` field

5323

# whenever you call `setIamPolicy`. If you omit this field, then IAM allows

5324

# you to overwrite a version `3` policy with a version `1` policy, and all of

5325

# the conditions in the version `3` policy are lost.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

5326

"version": 42, # Specifies the format of the policy.

5327

#

5328

# Valid values are `0`, `1`, and `3`. Requests that specify an invalid value

5329

# are rejected.

5330

#

5331

# Any operation that affects conditional role bindings must specify version

5332

# `3`. This requirement applies to the following operations:

5333

#

5334

# * Getting a policy that includes a conditional role binding

5335

# * Adding a conditional role binding to a policy

5336

# * Changing a conditional role binding in a policy

5337

# * Removing any role binding, with or without a condition, from a policy

5338

# that includes conditions

5339

#

5340

# **Important:** If you use IAM Conditions, you must include the `etag` field

5341

# whenever you call `setIamPolicy`. If you omit this field, then IAM allows

5342

# you to overwrite a version `3` policy with a version `1` policy, and all of

5343

# the conditions in the version `3` policy are lost.

5344

#

5345

# If a policy does not include any conditions, operations on that policy may

5346

# specify any valid version or leave the field unset.

5347

#

5348

# To learn which resources support conditions in their IAM policies, see the

5349

# [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies).

5350

"bindings": [ # Associates a list of `members` to a `role`. Optionally, may specify a

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

5351

# `condition` that determines how and when the `bindings` are applied. Each

5352

# of the `bindings` must contain at least one member.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

5353

{ # Associates `members` with a `role`.

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame^]

5354

"members": [ # Specifies the identities requesting access for a Cloud Platform resource.

5355

# `members` can have the following values:

5356

#

5357

# * `allUsers`: A special identifier that represents anyone who is

5358

# on the internet; with or without a Google account.

5359

#

5360

# * `allAuthenticatedUsers`: A special identifier that represents anyone

5361

# who is authenticated with a Google account or a service account.

5362

#

5363

# * `user:{emailid}`: An email address that represents a specific Google

5364

# account. For example, `alice@example.com` .

5365

#

5366

#

5367

# * `serviceAccount:{emailid}`: An email address that represents a service

5368

# account. For example, `my-other-app@appspot.gserviceaccount.com`.

5369

#

5370

# * `group:{emailid}`: An email address that represents a Google group.

5371

# For example, `admins@example.com`.

5372

#

5373

# * `deleted:user:{emailid}?uid={uniqueid}`: An email address (plus unique

5374

# identifier) representing a user that has been recently deleted. For

5375

# example, `alice@example.com?uid=123456789012345678901`. If the user is

5376

# recovered, this value reverts to `user:{emailid}` and the recovered user

5377

# retains the role in the binding.

5378

#

5379

# * `deleted:serviceAccount:{emailid}?uid={uniqueid}`: An email address (plus

5380

# unique identifier) representing a service account that has been recently

5381

# deleted. For example,

5382

# `my-other-app@appspot.gserviceaccount.com?uid=123456789012345678901`.

5383

# If the service account is undeleted, this value reverts to

5384

# `serviceAccount:{emailid}` and the undeleted service account retains the

5385

# role in the binding.

5386

#

5387

# * `deleted:group:{emailid}?uid={uniqueid}`: An email address (plus unique

5388

# identifier) representing a Google group that has been recently

5389

# deleted. For example, `admins@example.com?uid=123456789012345678901`. If

5390

# the group is recovered, this value reverts to `group:{emailid}` and the

5391

# recovered group retains the role in the binding.

5392

#

5393

#

5394

# * `domain:{domain}`: The G Suite domain (primary) that represents all the

5395

# users of that domain. For example, `google.com` or `example.com`.

5396

#

5397

"A String",

5398

],

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

5399

"condition": { # Represents a textual expression in the Common Expression Language (CEL) # The condition that is associated with this binding.

5400

#

5401

# If the condition evaluates to `true`, then this binding applies to the

5402

# current request.

5403

#

5404

# If the condition evaluates to `false`, then this binding does not apply to

5405

# the current request. However, a different role binding might grant the same

5406

# role to one or more of the members in this binding.

5407

#

5408

# To learn which resources support conditions in their IAM policies, see the

5409

# [IAM

5410

# documentation](https://cloud.google.com/iam/help/conditions/resource-policies).

5411

# syntax. CEL is a C-like expression language. The syntax and semantics of CEL

5412

# are documented at https://github.com/google/cel-spec.

5413

#

5414

# Example (Comparison):

5415

#

5416

# title: "Summary size limit"

5417

# description: "Determines if a summary is less than 100 chars"

5418

# expression: "document.summary.size() < 100"

5419

#

5420

# Example (Equality):

5421

#

5422

# title: "Requestor is owner"

5423

# description: "Determines if requestor is the document owner"

5424

# expression: "document.owner == request.auth.claims.email"

#

# Example (Logic):

#

# title: "Public documents"

5429

# description: "Determine whether the document should be publicly visible"

5430

# expression: "document.type != 'private' && document.type != 'internal'"

5431

#

5432

# Example (Data Manipulation):

5433

#

5434

# title: "Notification string"

5435

# description: "Create a notification string with a timestamp."

5436

# expression: "'New message received at ' + string(document.create_time)"

5437

#

5438

# The exact variables and functions that may be referenced within an expression

5439

# are determined by the service that evaluates it. See the service

5440

# documentation for additional information.

5441

"description": "A String", # Optional. Description of the expression. This is a longer text which

5442

# describes the expression, e.g. when hovered over it in a UI.

5443

"expression": "A String", # Textual representation of an expression in Common Expression Language

5444

# syntax.

Bu Sun Kim

2020-07-22 17:02:09 -0700

[diff] [blame^]

5445

"location": "A String", # Optional. String indicating the location of the expression for error

5446

# reporting, e.g. a file name and a position in the file.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

5447

"title": "A String", # Optional. Title for the expression, i.e. a short string describing

5448

# its purpose. This can be used e.g. in UIs which allow to enter the

5449

# expression.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

5450

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

5451

"role": "A String", # Role that is assigned to `members`.

5452

# For example, `roles/viewer`, `roles/editor`, or `roles/owner`.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

5453

},

5454

],

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

}</pre>

</div>

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

5459

<code class="details" id="testIamPermissions">testIamPermissions(resource, body=None, x__xgafv=None)</code>

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

5460

<pre>Returns the permissions that a caller has on the specified note or

5461

occurrence. Requires list permission on the project (for example,

5462

`containeranalysis.notes.list`).

5463

5464

The resource takes the format `projects/[PROJECT_ID]/notes/[NOTE_ID]` for

5465

notes and `projects/[PROJECT_ID]/occurrences/[OCCURRENCE_ID]` for

occurrences.

Args:

resource: string, REQUIRED: The resource for which the policy detail is being requested.

5470

See the operation documentation for the appropriate value for this field. (required)

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

5471

body: object, The request body.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

5472

The object takes the form of:

5473

5474

{ # Request message for `TestIamPermissions` method.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

5475

"permissions": [ # The set of permissions to check for the `resource`. Permissions with

5476

# wildcards (such as '*' or 'storage.*') are not allowed. For more

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

5477

# information see

5478

# [IAM Overview](https://cloud.google.com/iam/docs/overview#permissions).

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

5479

"A String",

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

],

}

x__xgafv: string, V1 error format.

Allowed values

1 - v1 error format

2 - v2 error format

Returns:

An object of the form:

5490

5491

{ # Response message for `TestIamPermissions` method.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

5492

"permissions": [ # A subset of `TestPermissionsRequest.permissions` that the caller is

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

5493

# allowed.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

5494

"A String",

Bu Sun Kim