Namespace Google.Apis.ContainerAnalysis.v1alpha1.Data

Classes

AnalysisCompleted

Indicates which analysis completed successfully. Multiple types of analysis can be performed on a single resource.

Assessment

Assessment provides all information that is related to a single vulnerability for this product.

Occurrence that represents a single "attestation". The authenticity of an Attestation can be verified using the attached signature. If the verifier trusts the public key of the signer, then verifying the signature is sufficient to establish trust. In this circumstance, the AttestationAuthority to which this Attestation is attached is primarily useful for look-up (how to find this Attestation if you already know the Authority and artifact to be verified) and intent (which authority was this attestation intended to sign for).

AttestationAuthority

Note kind that represents a logical attestation "role" or "authority". For example, an organization might have one AttestationAuthority for "QA" and one for "build". This Note is intended to act strictly as a grouping mechanism for the attached Occurrences (Attestations). This grouping mechanism also provides a security boundary, since IAM ACLs gate the ability for a principle to attach an Occurrence to a given Note. It also provides a single point of lookup to find all attached Attestation Occurrences, even if they don't all live in the same project.

AttestationAuthorityHint

This submessage provides human-readable hints about the purpose of the AttestationAuthority. Because the name of a Note acts as its resource reference, it is important to disambiguate the canonical name of the Note (which might be a UUID for security purposes) from "readable" names more suitable for debug output. Note that these hints should NOT be used to look up AttestationAuthorities in security sensitive contexts, such as when looking up Attestations to verify.

Basis

Basis describes the base image portion (Note) of the DockerImage relationship. Linked occurrences are derived from this or an equivalent image via: FROM Or an equivalent reference, e.g. a tag of the resource_url.

Binding

Associates members, or principals, with a role.

BuildDefinition

BuildDetails

Message encapsulating build provenance details.

BuildMetadata

BuildProvenance

Provenance of a build. Contains all information needed to verify the full details about the build from source to completion.

BuildSignature

Message encapsulating the signature of the verified build.

BuildStep

A step in the build pipeline. Next ID: 21

BuildType

Note holding the version of the provider's builder and the signature of the provenance message in linked BuildDetails.

BuilderConfig

CVSS

Common Vulnerability Scoring System. This message is compatible with CVSS v2 and v3. For CVSS v2 details, see https://www.first.org/cvss/v2/guide CVSS v2 calculator: https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator For CVSS v3 details, see https://www.first.org/cvss/specification-document CVSS v3 calculator: https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator

CisBenchmark

A compliance check that is a CIS benchmark.

Command

Command describes a step performed as part of the build pipeline.

Completeness

Indicates that the builder claims certain fields in this message to be complete.

ComplianceNote

ComplianceNote encapsulates all information about a specific compliance check.

ComplianceOccurrence

An indication that the compliance checks in the associated ComplianceNote were not satisfied for particular resources or a specified reason.

ComplianceVersion

Describes the CIS benchmark version that is applicable to a given OS and os version.

ContaineranalysisGoogleDevtoolsCloudbuildV1ApprovalConfig

ApprovalConfig describes configuration for manual approval of a build.

ContaineranalysisGoogleDevtoolsCloudbuildV1ApprovalResult

ApprovalResult describes the decision and associated metadata of a manual approval of a build.

ContaineranalysisGoogleDevtoolsCloudbuildV1Artifacts

Artifacts produced by a build that should be uploaded upon successful completion of all build steps.

ContaineranalysisGoogleDevtoolsCloudbuildV1ArtifactsArtifactObjects

Files in the workspace to upload to Cloud Storage upon successful completion of all build steps.

ContaineranalysisGoogleDevtoolsCloudbuildV1ArtifactsMavenArtifact

A Maven artifact to upload to Artifact Registry upon successful completion of all build steps.

ContaineranalysisGoogleDevtoolsCloudbuildV1ArtifactsNpmPackage

Npm package to upload to Artifact Registry upon successful completion of all build steps.

ContaineranalysisGoogleDevtoolsCloudbuildV1ArtifactsPythonPackage

Python package to upload to Artifact Registry upon successful completion of all build steps. A package can encapsulate multiple objects to be uploaded to a single repository.

ContaineranalysisGoogleDevtoolsCloudbuildV1Build

A build resource in the Cloud Build API. At a high level, a Build describes where to find source code, how to build it (for example, the builder image to run on the source), and where to store the built artifacts. Fields can include the following variables, which will be expanded when the build is created: - $PROJECT_ID: the project ID of the build. - $PROJECT_NUMBER: the project number of the build. - $LOCATION: the location/region of the build. - $BUILD_ID: the autogenerated ID of the build. - $REPO_NAME: the source repository name specified by RepoSource. - $BRANCH_NAME: the branch name specified by RepoSource. - $TAG_NAME: the tag name specified by RepoSource. - $REVISION_ID or $COMMIT_SHA: the commit SHA specified by RepoSource or resolved from the specified branch or tag. - $SHORT_SHA: first 7 characters of $REVISION_ID or $COMMIT_SHA.

ContaineranalysisGoogleDevtoolsCloudbuildV1BuildApproval

BuildApproval describes a build's approval configuration, state, and result.

ContaineranalysisGoogleDevtoolsCloudbuildV1BuildFailureInfo

A fatal problem encountered during the execution of the build.

ContaineranalysisGoogleDevtoolsCloudbuildV1BuildOptions

Optional arguments to enable specific features of builds.

ContaineranalysisGoogleDevtoolsCloudbuildV1BuildOptionsPoolOption

Details about how a build should be executed on a WorkerPool. See running builds in a private pool for more information.

ContaineranalysisGoogleDevtoolsCloudbuildV1BuildStep

A step in the build pipeline.

ContaineranalysisGoogleDevtoolsCloudbuildV1BuildWarning

A non-fatal problem encountered during the execution of the build.

ContaineranalysisGoogleDevtoolsCloudbuildV1BuiltImage

An image built by the pipeline.

ContaineranalysisGoogleDevtoolsCloudbuildV1ConnectedRepository

Location of the source in a 2nd-gen Google Cloud Build repository resource.

ContaineranalysisGoogleDevtoolsCloudbuildV1DeveloperConnectConfig

This config defines the location of a source through Developer Connect.

ContaineranalysisGoogleDevtoolsCloudbuildV1FileHashes

Container message for hashes of byte content of files, used in SourceProvenance messages to verify integrity of source input to the build.

ContaineranalysisGoogleDevtoolsCloudbuildV1GitConfig

GitConfig is a configuration for git operations.

ContaineranalysisGoogleDevtoolsCloudbuildV1GitConfigHttpConfig

HttpConfig is a configuration for HTTP related git operations.

ContaineranalysisGoogleDevtoolsCloudbuildV1GitSource

Location of the source in any accessible Git repository.

ContaineranalysisGoogleDevtoolsCloudbuildV1Hash

Container message for hash values.

ContaineranalysisGoogleDevtoolsCloudbuildV1InlineSecret

Pairs a set of secret environment variables mapped to encrypted values with the Cloud KMS key to use to decrypt the value.

ContaineranalysisGoogleDevtoolsCloudbuildV1RepoSource

Location of the source in a Google Cloud Source Repository.

ContaineranalysisGoogleDevtoolsCloudbuildV1Results

Artifacts created by the build pipeline.

ContaineranalysisGoogleDevtoolsCloudbuildV1Secret

Pairs a set of secret environment variables containing encrypted values with the Cloud KMS key to use to decrypt the value. Note: Use kmsKeyName with available_secrets instead of using kmsKeyName with secret. For instructions see: https://cloud.google.com/cloud-build/docs/securing-builds/use-encrypted-credentials.

ContaineranalysisGoogleDevtoolsCloudbuildV1SecretManagerSecret

Pairs a secret environment variable with a SecretVersion in Secret Manager.

ContaineranalysisGoogleDevtoolsCloudbuildV1Secrets

Secrets and secret environment variables.

ContaineranalysisGoogleDevtoolsCloudbuildV1Source

Location of the source in a supported storage service.

ContaineranalysisGoogleDevtoolsCloudbuildV1SourceProvenance

Provenance of the source. Ways to find the original source, or verify that some source was used for this build.

ContaineranalysisGoogleDevtoolsCloudbuildV1StorageSource

Location of the source in an archive file in Cloud Storage.

ContaineranalysisGoogleDevtoolsCloudbuildV1StorageSourceManifest

Location of the source manifest in Cloud Storage. This feature is in Preview; see description here.

ContaineranalysisGoogleDevtoolsCloudbuildV1TimeSpan

Start and end times for a build execution phase.

ContaineranalysisGoogleDevtoolsCloudbuildV1UploadedMavenArtifact

A Maven artifact uploaded using the MavenArtifact directive.

ContaineranalysisGoogleDevtoolsCloudbuildV1UploadedNpmPackage

An npm package uploaded to Artifact Registry using the NpmPackage directive.

ContaineranalysisGoogleDevtoolsCloudbuildV1UploadedPythonPackage

Artifact uploaded using the PythonPackage directive.

ContaineranalysisGoogleDevtoolsCloudbuildV1Volume

Volume describes a Docker container volume which is mounted into build steps in order to persist files across build step execution.

CreateOperationRequest

Request for creating an operation

DSSEAttestationNote

A note describing an attestation

DSSEAttestationOccurrence

An occurrence describing an attestation on a resource

DSSEHint

This submessage provides human-readable hints about the purpose of the authority. Because the name of a note acts as its resource reference, it is important to disambiguate the canonical name of the Note (which might be a UUID for security purposes) from "readable" names more suitable for debug output. Note that these hints should not be used to look up authorities in security sensitive contexts, such as when looking up attestations to verify.

Deployable

An artifact that can be deployed in some runtime.

Deployment

The period during which some deployable was active in a runtime.

Derived

Derived describes the derived image portion (Occurrence) of the DockerImage relationship. This image would be produced from a Dockerfile with FROM .

Detail

Identifies all occurrences of this vulnerability in the package for a specific distro/location For example: glibc in cpe:/o:debian:debian_linux:8 for versions 2.1 - 2.2

Digest

Digest information.

Discovered

Provides information about the scan status of a discovered resource.

Discovery

A note that indicates a type of analysis a provider would perform. This note exists in a provider's project. A Discovery occurrence is created in a consumer's project at the start of analysis. The occurrence's operation will indicate the status of the analysis. Absence of an occurrence linked to this note for a resource indicates that analysis hasn't started.

Distribution

This represents a particular channel of distribution for a given package. e.g. Debian's jessie-backports dpkg mirror

DocumentNote

DocumentNote represents an SPDX Document Creation Infromation section: https://spdx.github.io/spdx-spec/2-document-creation-information/

DocumentOccurrence

DocumentOccurrence represents an SPDX Document Creation Information section: https://spdx.github.io/spdx-spec/2-document-creation-information/

Empty

A generic empty message that you can re-use to avoid defining duplicated empty messages in your APIs. A typical example is to use it as the request or the response type of an API method. For instance: service Foo { rpc Bar(google.protobuf.Empty) returns (google.protobuf.Empty); }

Envelope

MUST match https://github.com/secure-systems-lab/dsse/blob/master/envelope.proto. An authenticated message of arbitrary type.

EnvelopeSignature

A DSSE signature

Expr

Represents a textual expression in the Common Expression Language (CEL) syntax. CEL is a C-like expression language. The syntax and semantics of CEL are documented at https://github.com/google/cel-spec. Example (Comparison): title: "Summary size limit" description: "Determines if a summary is less than 100 chars" expression: "document.summary.size() < 100" Example (Equality): title: "Requestor is owner" description: "Determines if requestor is the document owner" expression: "document.owner == request.auth.claims.email" Example (Logic): title: "Public documents" description: "Determine whether the document should be publicly visible" expression: "document.type != 'private' && document.type != 'internal'" Example (Data Manipulation): title: "Notification string" description: "Create a notification string with a timestamp." expression: "'New message received at ' + string(document.create_time)" The exact variables and functions that may be referenced within an expression are determined by the service that evaluates it. See the service documentation for additional information.

ExternalRef

An External Reference allows a Package to reference an external source of additional information, metadata, enumerations, asset identifiers, or downloadable content believed to be relevant to the Package

FileHashes

Container message for hashes of byte content of files, used in Source messages to verify integrity of source input to the build.

FileLocation

Indicates the location at which a package was found.

FileNote

FileNote represents an SPDX File Information section: https://spdx.github.io/spdx-spec/4-file-information/

FileOccurrence

FileOccurrence represents an SPDX File Information section: https://spdx.github.io/spdx-spec/4-file-information/

Fingerprint

A set of properties that uniquely identify a given Docker image.

GetIamPolicyRequest

Request message for GetIamPolicy method.

GetPolicyOptions

Encapsulates settings provided to GetIamPolicy.

GetVulnzOccurrencesSummaryResponse

A summary of how many vulnz occurrences there are per severity type. counts by groups, or if we should have different summary messages like this.

GoogleDevtoolsContaineranalysisV1alpha1AliasContext

An alias to a repo revision.

GoogleDevtoolsContaineranalysisV1alpha1CloudRepoSourceContext

A CloudRepoSourceContext denotes a particular revision in a Google Cloud Source Repo.

GoogleDevtoolsContaineranalysisV1alpha1GerritSourceContext

A SourceContext referring to a Gerrit project.

GoogleDevtoolsContaineranalysisV1alpha1GitSourceContext

A GitSourceContext denotes a particular revision in a third party Git repository (e.g., GitHub).

GoogleDevtoolsContaineranalysisV1alpha1OperationMetadata

Metadata for all operations used and required for all operations that created by Container Analysis Providers

GoogleDevtoolsContaineranalysisV1alpha1ProjectRepoId

Selects a repo using a Google Cloud Platform project ID (e.g., winged-cargo-31) and a repo name within that project.

GoogleDevtoolsContaineranalysisV1alpha1RepoId

A unique identifier for a Cloud Repo.

GoogleDevtoolsContaineranalysisV1alpha1SlsaProvenanceZeroTwoSlsaBuilder

Identifies the entity that executed the recipe, which is trusted to have correctly performed the operation and populated this provenance.

GoogleDevtoolsContaineranalysisV1alpha1SlsaProvenanceZeroTwoSlsaCompleteness

Indicates that the builder claims certain fields in this message to be complete.

GoogleDevtoolsContaineranalysisV1alpha1SlsaProvenanceZeroTwoSlsaConfigSource

Describes where the config file that kicked off the build came from. This is effectively a pointer to the source where buildConfig came from.

GoogleDevtoolsContaineranalysisV1alpha1SlsaProvenanceZeroTwoSlsaInvocation

Identifies the event that kicked off the build.

GoogleDevtoolsContaineranalysisV1alpha1SlsaProvenanceZeroTwoSlsaMaterial

The collection of artifacts that influenced the build including sources, dependencies, build tools, base images, and so on.

GoogleDevtoolsContaineranalysisV1alpha1SlsaProvenanceZeroTwoSlsaMetadata

Other properties of the build.

GoogleDevtoolsContaineranalysisV1alpha1SourceContext

A SourceContext is a reference to a tree of files. A SourceContext together with a path point to a unique revision of a single file or directory.

Hash

Container message for hash values.

IdentifierHelper

Helps in identifying the underlying product. This should be treated like a one-of field. Only one field should be set in this proto. This is a workaround because spanner indexes on one-of fields restrict addition and deletion of fields.

InTotoProvenance

InTotoSlsaProvenanceV1

InTotoStatement

Spec defined at https://github.com/in-toto/attestation/tree/main/spec#statement The serialized InTotoStatement will be stored as Envelope.payload. Envelope.payloadType is always "application/vnd.in-toto+json".

Installation

This represents how a particular software package may be installed on a system.

Justification

Justification provides the justification when the state of the assessment if NOT_AFFECTED.

Layer

Layer holds metadata specific to a layer of a Docker image.

License

License information.

ListNoteOccurrencesResponse

Response including listed occurrences for a note.

ListNotesResponse

Response including listed notes.

ListOccurrencesResponse

Response including listed active occurrences.

ListScanConfigsResponse

A list of scan configs for the project.

Location

An occurrence of a particular package installation found within a system's filesystem. e.g. glibc was found in /var/lib/dpkg/status

Material

Material is a material used in the generation of the provenance

Metadata

Other properties of the build.

NonCompliantFile

Details about files that caused a compliance check to fail.

Note

Provides a detailed description of a Note.

Occurrence

Occurrence includes information about analysis occurrences for an image.

Operation

This resource represents a long-running operation that is the result of a network API call.

Package

This represents a particular package that is distributed over various channels. e.g. glibc (aka libc6) is distributed by many, at various versions.

PackageInfoNote

PackageInfoNote represents an SPDX Package Information section: https://spdx.github.io/spdx-spec/3-package-information/

PackageInfoOccurrence

PackageInfoOccurrence represents an SPDX Package Information section: https://spdx.github.io/spdx-spec/3-package-information/

PackageIssue

This message wraps a location affected by a vulnerability and its associated fix (if one is available).

PgpSignedAttestation

An attestation wrapper with a PGP-compatible signature. This message only supports ATTACHED signatures, where the payload that is signed is included alongside the signature itself in the same file.

Policy

An Identity and Access Management (IAM) policy, which specifies access controls for Google Cloud resources. A Policy is a collection of bindings. A binding binds one or more members, or principals, to a single role. Principals can be user accounts, service accounts, Google groups, and domains (such as G Suite). A role is a named list of permissions; each role can be an IAM predefined role or a user-created custom role. For some types of Google Cloud resources, a binding can also specify a condition, which is a logical expression that allows access to a resource only if the expression evaluates to true. A condition can add constraints based on attributes of the request, the resource, or both. To learn which resources support conditions in their IAM policies, see the IAM documentation. JSON example:

{
"bindings": [ { "role": "roles/resourcemanager.organizationAdmin", "members": [ "user:mike@example.com",
"group:admins@example.com", "domain:google.com", "serviceAccount:my-project-id@appspot.gserviceaccount.com" ] },
{ "role": "roles/resourcemanager.organizationViewer", "members": [ "user:eve@example.com" ], "condition": {
"title": "expirable access", "description": "Does not grant access after Sep 2020", "expression": "request.time
&lt; timestamp('2020-10-01T00:00:00.000Z')", } } ], "etag": "BwWWja0YfJA=", "version": 3 }

YAML example:

bindings: - members: - user:mike@example.com - group:admins@example.com - domain:google.com -
serviceAccount:my-project-id@appspot.gserviceaccount.com role: roles/resourcemanager.organizationAdmin -
members: - user:eve@example.com role: roles/resourcemanager.organizationViewer condition: title: expirable
access description: Does not grant access after Sep 2020 expression: request.time &lt;
timestamp('2020-10-01T00:00:00.000Z') etag: BwWWja0YfJA= version: 3

For a description of IAM and its features, see the IAM documentation.

Product

Product contains information about a product and how to uniquely identify it.

ProvenanceBuilder

Publisher

Publisher contains information about the publisher of this Note.

Recipe

Steps taken to build the artifact. For a TaskRun, typically each container corresponds to one step in the recipe.

RelatedUrl

Metadata for any related URL information

RelationshipNote

RelationshipNote represents an SPDX Relationship section: https://spdx.github.io/spdx-spec/7-relationships-between-SPDX-elements/

RelationshipOccurrence

RelationshipOccurrence represents an SPDX Relationship section: https://spdx.github.io/spdx-spec/7-relationships-between-SPDX-elements/

Remediation

Specifies details on how to handle (and presumably, fix) a vulnerability.

RepoSource

RepoSource describes the location of the source in a Google Cloud Source Repository.

Resource

Resource is an entity that can have metadata. E.g., a Docker image.

ResourceDescriptor

RunDetails

SBOMReferenceNote

The note representing an SBOM reference.

SBOMReferenceOccurrence

The occurrence representing an SBOM reference as applied to a specific resource. The occurrence follows the DSSE specification. See https://github.com/secure-systems-lab/dsse/blob/master/envelope.md for more details.

SBOMStatus

The status of an SBOM generation.

SbomReferenceIntotoPayload

The actual payload that contains the SBOM Reference data. The payload follows the intoto statement specification. See https://github.com/in-toto/attestation/blob/main/spec/v1.0/statement.md for more details.

SbomReferenceIntotoPredicate

A predicate which describes the SBOM being referenced.

ScanConfig

Indicates various scans and whether they are turned on or off.

SetIamPolicyRequest

Request message for SetIamPolicy method.

SeverityCount

The number of occurrences created for a specific severity.

SlsaBuilder

SlsaBuilder encapsulates the identity of the builder of this provenance.

SlsaCompleteness

Indicates that the builder claims certain fields in this message to be complete.

SlsaMetadata

Other properties of the build.

SlsaProvenance

SlsaProvenance is the slsa provenance as defined by the slsa spec.

SlsaProvenanceV1

Keep in sync with schema at https://github.com/slsa-framework/slsa/blob/main/docs/provenance/schema/v1/provenance.proto Builder renamed to ProvenanceBuilder because of Java conflicts.

SlsaProvenanceZeroTwo

SlsaProvenanceZeroTwo is the slsa provenance as defined by the slsa spec. See full explanation of fields at slsa.dev/provenance/v0.2.

SlsaRecipe

Steps taken to build the artifact. For a TaskRun, typically each container corresponds to one step in the recipe.

Source

Source describes the location of the source used for the build.

Status

The Status type defines a logical error model that is suitable for different programming environments, including REST APIs and RPC APIs. It is used by gRPC. Each Status message contains three pieces of data: error code, error message, and error details. You can find out more about this error model and how to work with it in the API Design Guide.

StorageSource

StorageSource describes the location of the source in an archive file in Google Cloud Storage.

Subject

Subject refers to the subject of the intoto statement

TestIamPermissionsRequest

Request message for TestIamPermissions method.

TestIamPermissionsResponse

Response message for TestIamPermissions method.

TimeSpan

Start and end times for a build execution phase. Next ID: 3

URI

An URI message.

UpdateOperationRequest

Request for updating an existing operation

UpgradeDistribution

The Upgrade Distribution represents metadata about the Upgrade for each operating system (CPE). Some distributions have additional metadata around updates, classifying them into various categories and severities.

UpgradeNote

An Upgrade Note represents a potential upgrade of a package to a given version. For each package version combination (i.e. bash 4.0, bash 4.1, bash 4.1.2), there will be a Upgrade Note.

UpgradeOccurrence

An Upgrade Occurrence represents that a specific resource_url could install a specific upgrade. This presence is supplied via local sources (i.e. it is present in the mirror and the running system has noticed its availability).

Version

Version contains structured information about the version of the package. For a discussion of this in Debian/Ubuntu: http://serverfault.com/questions/604541/debian-packages-version-convention For a discussion of this in Redhat/Fedora/Centos: http://blog.jasonantman.com/2014/07/how-yum-and-rpm-compare-versions/

VexAssessment

VexAssessment provides all publisher provided Vex information that is related to this vulnerability.

Volume

Volume describes a Docker container volume which is mounted into build steps in order to persist files across build step execution. Next ID: 3

VulnerabilityAssessmentNote

A single VulnerabilityAssessmentNote represents one particular product's vulnerability assessment for one CVE. Multiple VulnerabilityAssessmentNotes together form a Vex statement. Please go/sds-vex-example for a sample Vex statement in the CSAF format.