[][src]Crate google_containeranalysis1_beta1

This documentation was generated from Container Analysis crate version 1.0.10+20190625, where 20190625 is the exact revision of the containeranalysis:v1beta1 schema built by the mako code generator v1.0.10.

Everything else about the Container Analysis v1_beta1 API can be found at the official documentation site. The original source code is on github.


Handle the following Resources with ease from the central hub ...

Not what you are looking for ? Find all other Google APIs in their Rust documentation index.

Structure of this Library

The API is structured into the following primary items:

  • Hub
    • a central object to maintain state and allow accessing all Activities
    • creates Method Builders which in turn allow access to individual Call Builders
  • Resources
    • primary types that you can apply Activities to
    • a collection of properties and Parts
    • Parts
      • a collection of properties
      • never directly used in Activities
  • Activities
    • operations to apply to Resources

All structures are marked with applicable traits to further categorize them and ease browsing.

Generally speaking, you can invoke Activities like this:

let r = hub.resource().activity(...).doit()

Or specifically ...

This example is not tested
let r = hub.projects().notes_patch(...).doit()
let r = hub.projects().notes_create(...).doit()
let r = hub.projects().notes_get(...).doit()
let r = hub.projects().occurrences_get_notes(...).doit()

The resource() and activity(...) calls create builders. The second one dealing with Activities supports various methods to configure the impending operation (not shown here). It is made such that all required arguments have to be specified right away (i.e. (...)), whereas all optional ones can be build up as desired. The doit() method performs the actual communication with the server and returns the respective result.


Setting up your Project

To use this library, you would put the following lines into your Cargo.toml file:

google-containeranalysis1_beta1 = "*"
# This project intentionally uses an old version of Hyper. See
# https://github.com/Byron/google-apis-rs/issues/173 for more
# information.
hyper = "^0.10"
hyper-rustls = "^0.6"
serde = "^1.0"
serde_json = "^1.0"
yup-oauth2 = "^1.0"

A complete example

extern crate hyper;
extern crate hyper_rustls;
extern crate yup_oauth2 as oauth2;
extern crate google_containeranalysis1_beta1 as containeranalysis1_beta1;
use containeranalysis1_beta1::Note;
use containeranalysis1_beta1::{Result, Error};
use std::default::Default;
use oauth2::{Authenticator, DefaultAuthenticatorDelegate, ApplicationSecret, MemoryStorage};
use containeranalysis1_beta1::ContainerAnalysis;
// Get an ApplicationSecret instance by some means. It contains the `client_id` and 
// `client_secret`, among other things.
let secret: ApplicationSecret = Default::default();
// Instantiate the authenticator. It will choose a suitable authentication flow for you, 
// unless you replace  `None` with the desired Flow.
// Provide your own `AuthenticatorDelegate` to adjust the way it operates and get feedback about 
// what's going on. You probably want to bring in your own `TokenStorage` to persist tokens and
// retrieve them from storage.
let auth = Authenticator::new(&secret, DefaultAuthenticatorDelegate,
                              <MemoryStorage as Default>::default(), None);
let mut hub = ContainerAnalysis::new(hyper::Client::with_connector(hyper::net::HttpsConnector::new(hyper_rustls::TlsClient::new())), auth);
// As the method needs a request, you would usually fill it with the desired information
// into the respective structure. Some of the parts shown here might not be applicable !
// Values shown here are possibly random and not representative !
let mut req = Note::default();
// You can configure optional parameters by calling the respective setters at will, and
// execute the final call using `doit()`.
// Values shown here are possibly random and not representative !
let result = hub.projects().notes_patch(req, "name")
match result {
    Err(e) => match e {
        // The Error enum provides details about what exactly happened.
        // You can also just use its `Debug`, `Display` or `Error` traits
        |Error::UploadSizeLimitExceeded(_, _)
        |Error::JsonDecodeError(_, _) => println!("{}", e),
    Ok(res) => println!("Success: {:?}", res),

Handling Errors

All errors produced by the system are provided either as Result enumeration as return value of the doit() methods, or handed as possibly intermediate results to either the Hub Delegate, or the Authenticator Delegate.

When delegates handle errors or intermediate values, they may have a chance to instruct the system to retry. This makes the system potentially resilient to all kinds of errors.

Uploads and Downloads

If a method supports downloads, the response body, which is part of the Result, should be read by you to obtain the media. If such a method also supports a Response Result, it will return that by default. You can see it as meta-data for the actual media. To trigger a media download, you will have to set up the builder by making this call: .param("alt", "media").

Methods supporting uploads can do so using up to 2 different protocols: simple and resumable. The distinctiveness of each is represented by customized doit(...) methods, which are then named upload(...) and upload_resumable(...) respectively.

Customization and Callbacks

You may alter the way an doit() method is called by providing a delegate to the Method Builder before making the final doit() call. Respective methods will be called to provide progress information, as well as determine whether the system should retry on failure.

The delegate trait is default-implemented, allowing you to customize it with minimal effort.

Optional Parts in Server-Requests

All structures provided by this library are made to be enocodable and decodable via json. Optionals are used to indicate that partial requests are responses are valid. Most optionals are are considered Parts which are identifiable by name, which will be sent to the server to indicate either the set parts of the request or the desired parts in the response.

Builder Arguments

Using method builders, you are able to prepare an action call by repeatedly calling it's methods. These will always take a single argument, for which the following statements are true.

Arguments will always be copied or cloned into the builder, to make them independent of their original life times.



An alias to a repo revision.


Artifact describes a build product.


Occurrence that represents a single "attestation". The authenticity of an attestation can be verified using the attached signature. If the verifier trusts the public key of the signer, then verifying the signature is sufficient to establish trust. In this circumstance, the authority to which this attestation is attached is primarily useful for look-up (how to find this attestation if you already know the authority and artifact to be verified) and intent (which authority was this attestation intended to sign for).


Specifies the audit configuration for a service. The configuration determines which permission types are logged, and what identities, if any, are exempted from logging. An AuditConfig must have one or more AuditLogConfigs.


Provides the configuration for logging a type of permissions. Example:


Note kind that represents a logical attestation "role" or "authority". For example, an organization might have one Authority for "QA" and one for "build". This note is intended to act strictly as a grouping mechanism for the attached occurrences (Attestations). This grouping mechanism also provides a security boundary, since IAM ACLs gate the ability for a principle to attach an occurrence to a given note. It also provides a single point of lookup to find all attached attestation occurrences, even if they don't all live in the same project.


Basis describes the base image portion (Note) of the DockerImage relationship. Linked occurrences are derived from this or an equivalent image via: FROM <Basis.resource_url> Or an equivalent reference, e.g. a tag of the resource_url.


Request to create notes in batch.


Response for creating notes in batch.


Request to create occurrences in batch.


Response for creating occurrences in batch.


Associates members with a role.


Note holding the version of the provider's builder and the signature of the provenance message in the build details occurrence.


Provenance of a build. Contains all information needed to verify the full details about the build from source to completion.


Message encapsulating the signature of the verified build.


Common Vulnerability Scoring System version 3. For details, see https://www.first.org/cvss/specification-document


A CloudRepoSourceContext denotes a particular revision in a Google Cloud Source Repo.


Command describes a step performed as part of the build pipeline.


Central instance to access all ContainerAnalysis related resource activities


Implements the Content-Range header, for serialization only


A delegate with a conservative default implementation, which is used if no other delegate is set.


An artifact that can be deployed in some runtime.


The period during which some deployable was active in a runtime.


Derived describes the derived image portion (Occurrence) of the DockerImage relationship. This image would be produced from a Dockerfile with FROM <DockerImage.Basis in attached Note>.


Identifies all appearances of this vulnerability in the package for a specific distro/location. For example: glibc in cpe:/o:debian:debian_linux:8 for versions 2.1 - 2.2


Details of an attestation occurrence.


Provides information about the analysis status of a discovered resource.


A note that indicates a type of analysis a provider would perform. This note exists in a provider's project. A Discovery occurrence is created in a consumer's project at the start of analysis.


This represents a particular channel of distribution for a given package. E.g., Debian's jessie-backports dpkg mirror.


A generic empty message that you can re-use to avoid defining duplicated empty messages in your APIs. A typical example is to use it as the request or the response type of an API method. For instance:


A utility to represent detailed errors we might see in case there are BadRequests. The latter happen if the sent parameters or request structures are unsound


Represents an expression text. Example:


Container message for hashes of byte content of files, used in source messages to verify integrity of source input to the build.


A set of properties that uniquely identify a given Docker image.


Per resource and severity counts of fixable and total vulnerabilities.


An attestation wrapper that uses the Grafeas Signature message. This attestation must define the serialized_payload that the signatures verify and any metadata necessary to interpret that plaintext. The signatures should always be over the serialized_payload bytestring.


A SourceContext referring to a Gerrit project.


Request message for GetIamPolicy method.


A GitSourceContext denotes a particular revision in a third party Git repository (e.g., GitHub).


Details of a vulnerability Occurrence.


Details of a discovery occurrence.


Details of a build occurrence.


Details of a deployment occurrence.


Details of an image occurrence.


Details of a package occurrence.


Container message for hash values.


This submessage provides human-readable hints about the purpose of the authority. Because the name of a note acts as its resource reference, it is important to disambiguate the canonical name of the Note (which might be a UUID for security purposes) from "readable" names more suitable for debug output. Note that these hints should not be used to look up authorities in security sensitive contexts, such as when looking up attestations to verify.


This represents how a particular software package may be installed on a system.


A utility type which can decode a server response that indicates error


There is no detailed description.


Layer holds metadata specific to a layer of a Docker image.


Response for listing occurrences for a note.


Response for listing notes.


Response for listing occurrences.


Response for listing scan configurations.


An occurrence of a particular package installation found within a system's filesystem. E.g., glibc was found in /var/lib/dpkg/status.


Contains information about an API request.


Provides a Read interface that converts multiple parts into the protocol identified by RFC2387. Note: This implementation is just as rich as it needs to be to perform uploads to google APIs, and might not be a fully-featured implementation.


A type of analysis that can be done for a resource.


An instance of an analysis type that has been found on a resource.


This represents a particular package that is distributed over various channels. E.g., glibc (aka libc6) is distributed by many, at various versions.


This message wraps a location affected by a vulnerability and its associated fix (if one is available).


An attestation wrapper with a PGP-compatible signature. This message only supports ATTACHED signatures, where the payload that is signed is included alongside the signature itself in the same file.


Defines an Identity and Access Management (IAM) policy. It is used to specify access control policies for Cloud Platform resources.


A builder providing access to all methods supported on project resources. It is not used directly, but through the ContainerAnalysis hub.


Creates new notes in batch.


Creates a new note.


Deletes the specified note.


Gets the specified note.


Gets the access control policy for a note or an occurrence resource. Requires containeranalysis.notes.setIamPolicy or containeranalysis.occurrences.setIamPolicy permission if the resource is a note or occurrence, respectively.


Lists notes for the specified project.


Lists occurrences referencing the specified note. Provider projects can use this method to get all occurrences across consumer projects referencing the specified note.


Updates the specified note.


Sets the access control policy on the specified note or occurrence. Requires containeranalysis.notes.setIamPolicy or containeranalysis.occurrences.setIamPolicy permission if the resource is a note or an occurrence, respectively.


Returns the permissions that a caller has on the specified note or occurrence. Requires list permission on the project (for example, containeranalysis.notes.list).


Creates new occurrences in batch.


Creates a new occurrence.


Deletes the specified occurrence. For example, use this method to delete an occurrence when the occurrence is no longer applicable for the given resource.


Gets the specified occurrence.


Gets the access control policy for a note or an occurrence resource. Requires containeranalysis.notes.setIamPolicy or containeranalysis.occurrences.setIamPolicy permission if the resource is a note or occurrence, respectively.


Gets the note attached to the specified occurrence. Consumer projects can use this method to get a note that belongs to a provider project.


Gets a summary of the number and severity of occurrences.


Lists occurrences for the specified project.


Updates the specified occurrence.


Sets the access control policy on the specified note or occurrence. Requires containeranalysis.notes.setIamPolicy or containeranalysis.occurrences.setIamPolicy permission if the resource is a note or an occurrence, respectively.


Returns the permissions that a caller has on the specified note or occurrence. Requires list permission on the project (for example, containeranalysis.notes.list).


Selects a repo using a Google Cloud Platform project ID (e.g., winged-cargo-31) and a repo name within that project.


Gets the specified scan configuration.


Lists scan configurations for the specified project.


Updates the specified scan configuration.


Metadata for any related URL information.


A unique identifier for a Cloud Repo.


An entity that can have metadata. For example, a Docker image.


A utility type to perform a resumable upload from start to end.


A scan configuration specifies whether Cloud components in a project have a particular type of analysis being run. For example, it can configure whether vulnerability scanning is being done on Docker images or not.


Request message for SetIamPolicy method.


Verifiers (e.g. Kritis implementations) MUST verify signatures with respect to the trust anchors defined in policy (e.g. a Kritis policy). Typically this means that the verifier has been configured with a map from public_key_id to public key material (and any required parameters, e.g. signing algorithm).


Source describes the location of the source used for the build.


A SourceContext is a reference to a tree of files. A SourceContext together with a path point to a unique revision of a single file or directory.


The Status type defines a logical error model that is suitable for different programming environments, including REST APIs and RPC APIs. It is used by gRPC. Each Status message contains three pieces of data: error code, error message, and error details.


Request message for TestIamPermissions method.


Response message for TestIamPermissions method.


Version contains structured information about the version of a package.


Vulnerability provides metadata about a security vulnerability in a Note.


The location of the vulnerability.


A summary of how many vulnerability occurrences there are per resource and severity type.


There is no detailed description.


The X-Upload-Content-Type header.



Identifies the an OAuth2 authorization scope. A scope is needed when requesting an authorization token.



Identifies types which represent builders for a particular resource method


A trait specifying functionality to help controlling any request performed by the API. The trait has a conservative default implementation.


Identifies the Hub. There is only one per library, this trait is supposed to make intended use more explicit. The hub allows to access all resource methods more easily.


Identifies types for building methods of a particular resource type


Identifies types which are only used by other types internally. They have no special meaning, this trait just marks them for completeness.


Identifies types which are only used as part of other types, which usually are carrying the Resource trait.


A utility to specify reader types which provide seeking capabilities too


Identifies types which are used in API requests.


Identifies types which can be inserted and deleted. Types with this trait are most commonly used by clients of this API.


Identifies types which are used in API responses.


A trait for all types that can convert themselves into a parts string


Identifies types which are not actually used by the API This might be a bug within the google API schema.



Type Definitions


A universal result type used as return for all calls.