Occurrence that represents a single “attestation”. The authenticity of an attestation can be verified using the attached signature. If the verifier trusts the public key of the signer, then verifying the signature is sufficient to establish trust. In this circumstance, the authority to which this attestation is attached is primarily useful for look-up (how to find this attestation if you already know the authority and artifact to be verified) and intent (which authority was this attestation intended to sign for).
Note kind that represents a logical attestation “role” or “authority”. For example, an organization might have one Authority for “QA” and one for “build”. This note is intended to act strictly as a grouping mechanism for the attached occurrences (Attestations). This grouping mechanism also provides a security boundary, since IAM ACLs gate the ability for a principle to attach an occurrence to a given note. It also provides a single point of lookup to find all attached attestation occurrences, even if they don’t all live in the same project.
Basis describes the base image portion (Note) of the DockerImage relationship. Linked occurrences are derived from this or an equivalent image via: FROM Or an equivalent reference, e.g. a tag of the resource_url.
Common Vulnerability Scoring System. This message is compatible with CVSS v2 and v3. For CVSS v2 details, see https://www.first.org/cvss/v2/guide CVSS v2 calculator: https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator For CVSS v3 details, see https://www.first.org/cvss/specification-document CVSS v3 calculator: https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator
Identifies all appearances of this vulnerability in the package for a specific distro/location. For example: glibc in cpe:/o:debian:debian_linux:8 for versions 2.1 - 2.2
A note that indicates a type of analysis a provider would perform. This note exists in a provider’s project. A Discovery occurrence is created in a consumer’s project at the start of analysis.
A generic empty message that you can re-use to avoid defining duplicated empty messages in your APIs. A typical example is to use it as the request or the response type of an API method. For instance: service Foo { rpc Bar(google.protobuf.Empty) returns (google.protobuf.Empty); }
Represents a textual expression in the Common Expression Language (CEL) syntax. CEL is a C-like expression language. The syntax and semantics of CEL are documented at https://github.com/google/cel-spec. Example (Comparison): title: “Summary size limit” description: “Determines if a summary is less than 100 chars” expression: “document.summary.size() < 100” Example (Equality): title: “Requestor is owner” description: “Determines if requestor is the document owner” expression: “document.owner == request.auth.claims.email” Example (Logic): title: “Public documents” description: “Determine whether the document should be publicly visible” expression: “document.type != ‘private’ && document.type != ‘internal’” Example (Data Manipulation): title: “Notification string” description: “Create a notification string with a timestamp.” expression: “’New message received at ’ + string(document.create_time)” The exact variables and functions that may be referenced within an expression are determined by the service that evaluates it. See the service documentation for additional information.
An External Reference allows a Package to reference an external source of additional information, metadata, enumerations, asset identifiers, or downloadable content believed to be relevant to the Package
GeneratePackagesSummaryRequest is the request body for the GeneratePackagesSummary API method. It just takes a single name argument, referring to the resource.
An attestation wrapper that uses the Grafeas Signature message. This attestation must define the serialized_payload that the signatures verify and any metadata necessary to interpret that plaintext. The signatures should always be over the serialized_payload bytestring.
This corresponds to a signed in-toto link - it is made up of one or more signatures and the in-toto link itself. This is used for occurrences of a Grafeas in-toto note.
This submessage provides human-readable hints about the purpose of the authority. Because the name of a note acts as its resource reference, it is important to disambiguate the canonical name of the Note (which might be a UUID for security purposes) from “readable” names more suitable for debug output. Note that these hints should not be used to look up authorities in security sensitive contexts, such as when looking up attestations to verify.
This contains the fields corresponding to the definition of a software supply chain step in an in-toto layout. This information goes into a Grafeas note.
An attestation wrapper with a PGP-compatible signature. This message only supports ATTACHED signatures, where the payload that is signed is included alongside the signature itself in the same file.
An Identity and Access Management (IAM) policy, which specifies access controls for Google Cloud resources. A Policy is a collection of bindings. A binding binds one or more members, or principals, to a single role. Principals can be user accounts, service accounts, Google groups, and domains (such as G Suite). A role is a named list of permissions; each role can be an IAM predefined role or a user-created custom role. For some types of Google Cloud resources, a binding can also specify a condition, which is a logical expression that allows access to a resource only if the expression evaluates to true. A condition can add constraints based on attributes of the request, the resource, or both. To learn which resources support conditions in their IAM policies, see the IAM documentation. JSON example:{ "bindings": [ { "role": "roles/resourcemanager.organizationAdmin", "members": [ "user:mike@example.com", "group:admins@example.com", "domain:google.com", "serviceAccount:my-project-id@appspot.gserviceaccount.com" ] }, { "role": "roles/resourcemanager.organizationViewer", "members": [ "user:eve@example.com" ], "condition": { "title": "expirable access", "description": "Does not grant access after Sep 2020", "expression": "request.time < timestamp('2020-10-01T00:00:00.000Z')", } } ], "etag": "BwWWja0YfJA=", "version": 3 }YAML example:bindings: - members: - user:mike@example.com - group:admins@example.com - domain:google.com - serviceAccount:my-project-id@appspot.gserviceaccount.com role: roles/resourcemanager.organizationAdmin - members: - user:eve@example.com role: roles/resourcemanager.organizationViewer condition: title: expirable access description: Does not grant access after Sep 2020 expression: request.time < timestamp('2020-10-01T00:00:00.000Z') etag: BwWWja0YfJA= version: 3 For a description of IAM and its features, see the IAM documentation.
Lists occurrences referencing the specified note. Provider projects can use this method to get all occurrences across consumer projects referencing the specified note.
Gets the access control policy for a note or an occurrence resource. Requires containeranalysis.notes.setIamPolicy or containeranalysis.occurrences.setIamPolicy permission if the resource is a note or occurrence, respectively. The resource takes the format projects/[PROJECT_ID]/notes/[NOTE_ID] for notes and projects/[PROJECT_ID]/occurrences/[OCCURRENCE_ID] for occurrences.
Lists occurrences referencing the specified note. Provider projects can use this method to get all occurrences across consumer projects referencing the specified note.
Sets the access control policy on the specified note or occurrence. Requires containeranalysis.notes.setIamPolicy or containeranalysis.occurrences.setIamPolicy permission if the resource is a note or an occurrence, respectively. The resource takes the format projects/[PROJECT_ID]/notes/[NOTE_ID] for notes and projects/[PROJECT_ID]/occurrences/[OCCURRENCE_ID] for occurrences.
Returns the permissions that a caller has on the specified note or occurrence. Requires list permission on the project (for example, containeranalysis.notes.list). The resource takes the format projects/[PROJECT_ID]/notes/[NOTE_ID] for notes and projects/[PROJECT_ID]/occurrences/[OCCURRENCE_ID] for occurrences.
Deletes the specified occurrence. For example, use this method to delete an occurrence when the occurrence is no longer applicable for the given resource.
Gets the access control policy for a note or an occurrence resource. Requires containeranalysis.notes.setIamPolicy or containeranalysis.occurrences.setIamPolicy permission if the resource is a note or occurrence, respectively. The resource takes the format projects/[PROJECT_ID]/notes/[NOTE_ID] for notes and projects/[PROJECT_ID]/occurrences/[OCCURRENCE_ID] for occurrences.
Sets the access control policy on the specified note or occurrence. Requires containeranalysis.notes.setIamPolicy or containeranalysis.occurrences.setIamPolicy permission if the resource is a note or an occurrence, respectively. The resource takes the format projects/[PROJECT_ID]/notes/[NOTE_ID] for notes and projects/[PROJECT_ID]/occurrences/[OCCURRENCE_ID] for occurrences.
Returns the permissions that a caller has on the specified note or occurrence. Requires list permission on the project (for example, containeranalysis.notes.list). The resource takes the format projects/[PROJECT_ID]/notes/[NOTE_ID] for notes and projects/[PROJECT_ID]/occurrences/[OCCURRENCE_ID] for occurrences.
The occurrence representing an SBOM reference as applied to a specific resource. The occurrence follows the DSSE specification. See https://github.com/secure-systems-lab/dsse/blob/master/envelope.md for more details.
The actual payload that contains the SBOM Reference data. The payload follows the intoto statement specification. See https://github.com/in-toto/attestation/blob/main/spec/v1.0/statement.md for more details.
Verifiers (e.g. Kritis implementations) MUST verify signatures with respect to the trust anchors defined in policy (e.g. a Kritis policy). Typically this means that the verifier has been configured with a map from public_key_id to public key material (and any required parameters, e.g. signing algorithm). In particular, verification implementations MUST NOT treat the signature public_key_id as anything more than a key lookup hint. The public_key_id DOES NOT validate or authenticate a public key; it only provides a mechanism for quickly selecting a public key ALREADY CONFIGURED on the verifier through a trusted channel. Verification implementations MUST reject signatures in any of the following circumstances: * The public_key_id is not recognized by the verifier. * The public key that public_key_id refers to does not verify the signature with respect to the payload. The signature contents SHOULD NOT be “attached” (where the payload is included with the serialized signature bytes). Verifiers MUST ignore any “attached” payload and only verify signatures with respect to explicitly provided payload (e.g. a payload field on the proto message that holds this Signature, or the canonical serialization of the proto message that holds this signature).
This defines the format used to record keys used in the software supply chain. An in-toto link is attested using one or more keys defined in the in-toto layout. An example of this is: { “key_id”: “776a00e29f3559e0141b3b096f696abc6cfb0c657ab40f441132b345b0…”, “key_type”: “rsa”, “public_key_value”: “—–BEGIN PUBLIC KEY—–\nMIIBojANBgkqhkiG9w0B…”, “key_scheme”: “rsassa-pss-sha256” } The format for in-toto’s key definition can be found in section 4.2 of the in-toto specification.
Keep in sync with schema at https://github.com/slsa-framework/slsa/blob/main/docs/provenance/schema/v1/provenance.proto Builder renamed to ProvenanceBuilder because of Java conflicts.
The Status type defines a logical error model that is suitable for different programming environments, including REST APIs and RPC APIs. It is used by gRPC. Each Status message contains three pieces of data: error code, error message, and error details. You can find out more about this error model and how to work with it in the API Design Guide.