Namespace Google.Apis.ContainerAnalysis.v1beta1.Data

Classes

AnalysisCompleted

Indicates which analysis completed successfully. Multiple types of analysis can be performed on a single resource.

ArtifactHashes

Defines a hash object for use in Materials and Products.

ArtifactRule

Defines an object to declare an in-toto artifact rule

Assessment

Assessment provides all information that is related to a single vulnerability for this product.

Occurrence that represents a single "attestation". The authenticity of an attestation can be verified using the attached signature. If the verifier trusts the public key of the signer, then verifying the signature is sufficient to establish trust. In this circumstance, the authority to which this attestation is attached is primarily useful for look-up (how to find this attestation if you already know the authority and artifact to be verified) and intent (which authority was this attestation intended to sign for).

Authority

Note kind that represents a logical attestation "role" or "authority". For example, an organization might have one Authority for "QA" and one for "build". This note is intended to act strictly as a grouping mechanism for the attached occurrences (Attestations). This grouping mechanism also provides a security boundary, since IAM ACLs gate the ability for a principle to attach an occurrence to a given note. It also provides a single point of lookup to find all attached attestation occurrences, even if they don't all live in the same project.

Basis

Basis describes the base image portion (Note) of the DockerImage relationship. Linked occurrences are derived from this or an equivalent image via: FROM Or an equivalent reference, e.g. a tag of the resource_url.

BatchCreateNotesRequest

Request to create notes in batch.

BatchCreateNotesResponse

Response for creating notes in batch.

BatchCreateOccurrencesRequest

Request to create occurrences in batch.

BatchCreateOccurrencesResponse

Response for creating occurrences in batch.

Binding

Associates members, or principals, with a role.

Build

Note holding the version of the provider's builder and the signature of the provenance message in the build details occurrence.

BuildDefinition

BuildMetadata

BuildProvenance

Provenance of a build. Contains all information needed to verify the full details about the build from source to completion.

BuildSignature

Message encapsulating the signature of the verified build.

BuildStep

A step in the build pipeline. Next ID: 21

ByProducts

Defines an object for the byproducts field in in-toto links. The suggested fields are "stderr", "stdout", and "return-value".

CloudRepoSourceContext

A CloudRepoSourceContext denotes a particular revision in a Google Cloud Source Repo.

Command

Command describes a step performed as part of the build pipeline.

ContaineranalysisGoogleDevtoolsCloudbuildV1ApprovalConfig

ApprovalConfig describes configuration for manual approval of a build.

ContaineranalysisGoogleDevtoolsCloudbuildV1ApprovalResult

ApprovalResult describes the decision and associated metadata of a manual approval of a build.

ContaineranalysisGoogleDevtoolsCloudbuildV1Artifacts

Artifacts produced by a build that should be uploaded upon successful completion of all build steps.

ContaineranalysisGoogleDevtoolsCloudbuildV1ArtifactsArtifactObjects

Files in the workspace to upload to Cloud Storage upon successful completion of all build steps.

ContaineranalysisGoogleDevtoolsCloudbuildV1ArtifactsMavenArtifact

A Maven artifact to upload to Artifact Registry upon successful completion of all build steps.

ContaineranalysisGoogleDevtoolsCloudbuildV1ArtifactsNpmPackage

Npm package to upload to Artifact Registry upon successful completion of all build steps.

ContaineranalysisGoogleDevtoolsCloudbuildV1ArtifactsPythonPackage

Python package to upload to Artifact Registry upon successful completion of all build steps. A package can encapsulate multiple objects to be uploaded to a single repository.

ContaineranalysisGoogleDevtoolsCloudbuildV1Build

A build resource in the Cloud Build API. At a high level, a Build describes where to find source code, how to build it (for example, the builder image to run on the source), and where to store the built artifacts. Fields can include the following variables, which will be expanded when the build is created: - $PROJECT_ID: the project ID of the build. - $PROJECT_NUMBER: the project number of the build. - $LOCATION: the location/region of the build. - $BUILD_ID: the autogenerated ID of the build. - $REPO_NAME: the source repository name specified by RepoSource. - $BRANCH_NAME: the branch name specified by RepoSource. - $TAG_NAME: the tag name specified by RepoSource. - $REVISION_ID or $COMMIT_SHA: the commit SHA specified by RepoSource or resolved from the specified branch or tag. - $SHORT_SHA: first 7 characters of $REVISION_ID or $COMMIT_SHA.

ContaineranalysisGoogleDevtoolsCloudbuildV1BuildApproval

BuildApproval describes a build's approval configuration, state, and result.

ContaineranalysisGoogleDevtoolsCloudbuildV1BuildFailureInfo

A fatal problem encountered during the execution of the build.

ContaineranalysisGoogleDevtoolsCloudbuildV1BuildOptions

Optional arguments to enable specific features of builds.

ContaineranalysisGoogleDevtoolsCloudbuildV1BuildOptionsPoolOption

Details about how a build should be executed on a WorkerPool. See running builds in a private pool for more information.

ContaineranalysisGoogleDevtoolsCloudbuildV1BuildStep

A step in the build pipeline.

ContaineranalysisGoogleDevtoolsCloudbuildV1BuildWarning

A non-fatal problem encountered during the execution of the build.

ContaineranalysisGoogleDevtoolsCloudbuildV1BuiltImage

An image built by the pipeline.

ContaineranalysisGoogleDevtoolsCloudbuildV1ConnectedRepository

Location of the source in a 2nd-gen Google Cloud Build repository resource.

ContaineranalysisGoogleDevtoolsCloudbuildV1FileHashes

Container message for hashes of byte content of files, used in SourceProvenance messages to verify integrity of source input to the build.

ContaineranalysisGoogleDevtoolsCloudbuildV1GitSource

Location of the source in any accessible Git repository.

ContaineranalysisGoogleDevtoolsCloudbuildV1Hash

Container message for hash values.

ContaineranalysisGoogleDevtoolsCloudbuildV1InlineSecret

Pairs a set of secret environment variables mapped to encrypted values with the Cloud KMS key to use to decrypt the value.

ContaineranalysisGoogleDevtoolsCloudbuildV1RepoSource

Location of the source in a Google Cloud Source Repository.

ContaineranalysisGoogleDevtoolsCloudbuildV1Results

Artifacts created by the build pipeline.

ContaineranalysisGoogleDevtoolsCloudbuildV1Secret

Pairs a set of secret environment variables containing encrypted values with the Cloud KMS key to use to decrypt the value. Note: Use kmsKeyName with available_secrets instead of using kmsKeyName with secret. For instructions see: https://cloud.google.com/cloud-build/docs/securing-builds/use-encrypted-credentials.

ContaineranalysisGoogleDevtoolsCloudbuildV1SecretManagerSecret

Pairs a secret environment variable with a SecretVersion in Secret Manager.

ContaineranalysisGoogleDevtoolsCloudbuildV1Secrets

Secrets and secret environment variables.

ContaineranalysisGoogleDevtoolsCloudbuildV1Source

Location of the source in a supported storage service.

ContaineranalysisGoogleDevtoolsCloudbuildV1SourceProvenance

Provenance of the source. Ways to find the original source, or verify that some source was used for this build.

ContaineranalysisGoogleDevtoolsCloudbuildV1StorageSource

Location of the source in an archive file in Cloud Storage.

ContaineranalysisGoogleDevtoolsCloudbuildV1StorageSourceManifest

Location of the source manifest in Cloud Storage. This feature is in Preview; see description here.

ContaineranalysisGoogleDevtoolsCloudbuildV1TimeSpan

Start and end times for a build execution phase.

ContaineranalysisGoogleDevtoolsCloudbuildV1UploadedMavenArtifact

A Maven artifact uploaded using the MavenArtifact directive.

ContaineranalysisGoogleDevtoolsCloudbuildV1UploadedNpmPackage

An npm package uploaded to Artifact Registry using the NpmPackage directive.

ContaineranalysisGoogleDevtoolsCloudbuildV1UploadedPythonPackage

Artifact uploaded using the PythonPackage directive.

ContaineranalysisGoogleDevtoolsCloudbuildV1Volume

Volume describes a Docker container volume which is mounted into build steps in order to persist files across build step execution.

CVSS

Common Vulnerability Scoring System. This message is compatible with CVSS v2 and v3. For CVSS v2 details, see https://www.first.org/cvss/v2/guide CVSS v2 calculator: https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator For CVSS v3 details, see https://www.first.org/cvss/specification-document CVSS v3 calculator: https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator

CVSSv3

Deprecated. Common Vulnerability Scoring System version 3. For details, see https://www.first.org/cvss/specification-document

Deployable

An artifact that can be deployed in some runtime.

Deployment

The period during which some deployable was active in a runtime.

Derived

Derived describes the derived image portion (Occurrence) of the DockerImage relationship. This image would be produced from a Dockerfile with FROM .

Detail

Identifies all appearances of this vulnerability in the package for a specific distro/location. For example: glibc in cpe:/o:debian:debian_linux:8 for versions 2.1 - 2.2

Details

Details of an attestation occurrence.

Digest

Digest information.

Discovered

Provides information about the analysis status of a discovered resource.

Discovery

A note that indicates a type of analysis a provider would perform. This note exists in a provider's project. A Discovery occurrence is created in a consumer's project at the start of analysis.

Distribution

This represents a particular channel of distribution for a given package. E.g., Debian's jessie-backports dpkg mirror.

DocumentNote

DocumentNote represents an SPDX Document Creation Information section: https://spdx.github.io/spdx-spec/v2.3/document-creation-information/

DocumentOccurrence

DocumentOccurrence represents an SPDX Document Creation Information section: https://spdx.github.io/spdx-spec/v2.3/document-creation-information/

Empty

A generic empty message that you can re-use to avoid defining duplicated empty messages in your APIs. A typical example is to use it as the request or the response type of an API method. For instance: service Foo { rpc Bar(google.protobuf.Empty) returns (google.protobuf.Empty); }

Envelope

MUST match https://github.com/secure-systems-lab/dsse/blob/master/envelope.proto. An authenticated message of arbitrary type.

EnvelopeSignature

Environment

Defines an object for the environment field in in-toto links. The suggested fields are "variables", "filesystem", and "workdir".

ExportSBOMRequest

The request to a call of ExportSBOM

ExportSBOMResponse

The response from a call to ExportSBOM

Expr

Represents a textual expression in the Common Expression Language (CEL) syntax. CEL is a C-like expression language. The syntax and semantics of CEL are documented at https://github.com/google/cel-spec. Example (Comparison): title: "Summary size limit" description: "Determines if a summary is less than 100 chars" expression: "document.summary.size() < 100" Example (Equality): title: "Requestor is owner" description: "Determines if requestor is the document owner" expression: "document.owner == request.auth.claims.email" Example (Logic): title: "Public documents" description: "Determine whether the document should be publicly visible" expression: "document.type != 'private' && document.type != 'internal'" Example (Data Manipulation): title: "Notification string" description: "Create a notification string with a timestamp." expression: "'New message received at ' + string(document.create_time)" The exact variables and functions that may be referenced within an expression are determined by the service that evaluates it. See the service documentation for additional information.

ExternalRef

An External Reference allows a Package to reference an external source of additional information, metadata, enumerations, asset identifiers, or downloadable content believed to be relevant to the Package

FileHashes

Container message for hashes of byte content of files, used in source messages to verify integrity of source input to the build.

FileNote

FileNote represents an SPDX File Information section: https://spdx.github.io/spdx-spec/4-file-information/

FileOccurrence

FileOccurrence represents an SPDX File Information section: https://spdx.github.io/spdx-spec/4-file-information/

Fingerprint

A set of properties that uniquely identify a given Docker image.

FixableTotalByDigest

Per resource and severity counts of fixable and total vulnerabilities.

GeneratePackagesSummaryRequest

GeneratePackagesSummaryRequest is the request body for the GeneratePackagesSummary API method. It just takes a single name argument, referring to the resource.

GenericSignedAttestation

An attestation wrapper that uses the Grafeas Signature message. This attestation must define the serialized_payload that the signatures verify and any metadata necessary to interpret that plaintext. The signatures should always be over the serialized_payload bytestring.

GerritSourceContext

A SourceContext referring to a Gerrit project.

GetIamPolicyRequest

Request message for GetIamPolicy method.

GetPolicyOptions

Encapsulates settings provided to GetIamPolicy.

GitSourceContext

A GitSourceContext denotes a particular revision in a third party Git repository (e.g., GitHub).

GoogleDevtoolsContaineranalysisV1alpha1OperationMetadata

Metadata for all operations used and required for all operations that created by Container Analysis Providers

GrafeasV1beta1BuildDetails

Details of a build occurrence.

GrafeasV1beta1DeploymentDetails

Details of a deployment occurrence.

GrafeasV1beta1DiscoveryDetails

Details of a discovery occurrence.

GrafeasV1beta1ImageDetails

Details of an image occurrence.

GrafeasV1beta1IntotoArtifact

GrafeasV1beta1IntotoDetails

This corresponds to a signed in-toto link - it is made up of one or more signatures and the in-toto link itself. This is used for occurrences of a Grafeas in-toto note.

GrafeasV1beta1IntotoSignature

A signature object consists of the KeyID used and the signature itself.

GrafeasV1beta1PackageDetails

Details of a package occurrence.

GrafeasV1beta1VulnerabilityDetails

Details of a vulnerability Occurrence.

Hash

Container message for hash values.

Hint

This submessage provides human-readable hints about the purpose of the authority. Because the name of a note acts as its resource reference, it is important to disambiguate the canonical name of the Note (which might be a UUID for security purposes) from "readable" names more suitable for debug output. Note that these hints should not be used to look up authorities in security sensitive contexts, such as when looking up attestations to verify.

Installation

This represents how a particular software package may be installed on a system.

InToto

This contains the fields corresponding to the definition of a software supply chain step in an in-toto layout. This information goes into a Grafeas note.

InTotoSlsaProvenanceV1

Justification

Justification provides the justification when the state of the assessment if NOT_AFFECTED.

KnowledgeBase

Layer

Layer holds metadata specific to a layer of a Docker image.

License

License information.

LicensesSummary

Per license count

Link

This corresponds to an in-toto link.

ListNoteOccurrencesResponse

Response for listing occurrences for a note.

ListNotesResponse

Response for listing notes.

ListOccurrencesResponse

Response for listing occurrences.

Location

An occurrence of a particular package installation found within a system's filesystem. E.g., glibc was found in /var/lib/dpkg/status.

Note

A type of analysis that can be done for a resource.

Occurrence

An instance of an analysis type that has been found on a resource.

Package

Package represents a particular package version.

PackageInfoNote

PackageInfoNote represents an SPDX Package Information section: https://spdx.github.io/spdx-spec/3-package-information/

PackageInfoOccurrence

PackageInfoOccurrence represents an SPDX Package Information section: https://spdx.github.io/spdx-spec/3-package-information/

PackageIssue

This message wraps a location affected by a vulnerability and its associated fix (if one is available).

PackagesSummaryResponse

A summary of the packages found within the given resource.

PgpSignedAttestation

An attestation wrapper with a PGP-compatible signature. This message only supports ATTACHED signatures, where the payload that is signed is included alongside the signature itself in the same file.

Policy

An Identity and Access Management (IAM) policy, which specifies access controls for Google Cloud resources. A Policy is a collection of bindings. A binding binds one or more members, or principals, to a single role. Principals can be user accounts, service accounts, Google groups, and domains (such as G Suite). A role is a named list of permissions; each role can be an IAM predefined role or a user-created custom role. For some types of Google Cloud resources, a binding can also specify a condition, which is a logical expression that allows access to a resource only if the expression evaluates to true. A condition can add constraints based on attributes of the request, the resource, or both. To learn which resources support conditions in their IAM policies, see the IAM documentation. JSON example:

{
"bindings": [ { "role": "roles/resourcemanager.organizationAdmin", "members": [ "user:mike@example.com",
"group:admins@example.com", "domain:google.com", "serviceAccount:my-project-id@appspot.gserviceaccount.com" ] },
{ "role": "roles/resourcemanager.organizationViewer", "members": [ "user:eve@example.com" ], "condition": {
"title": "expirable access", "description": "Does not grant access after Sep 2020", "expression": "request.time
&lt; timestamp('2020-10-01T00:00:00.000Z')", } } ], "etag": "BwWWja0YfJA=", "version": 3 }

YAML example:

bindings: - members: - user:mike@example.com - group:admins@example.com - domain:google.com -
serviceAccount:my-project-id@appspot.gserviceaccount.com role: roles/resourcemanager.organizationAdmin -
members: - user:eve@example.com role: roles/resourcemanager.organizationViewer condition: title: expirable
access description: Does not grant access after Sep 2020 expression: request.time &lt;
timestamp('2020-10-01T00:00:00.000Z') etag: BwWWja0YfJA= version: 3

For a description of IAM and its features, see the IAM documentation.

Product

Product contains information about a product and how to uniquely identify it.

ProjectRepoId

Selects a repo using a Google Cloud Platform project ID (e.g., winged-cargo-31) and a repo name within that project.

ProvenanceBuilder

Publisher

Publisher contains information about the publisher of this Note.

RelatedUrl

Metadata for any related URL information.

RelationshipNote

RelationshipNote represents an SPDX Relationship section: https://spdx.github.io/spdx-spec/7-relationships-between-SPDX-elements/

RelationshipOccurrence

RelationshipOccurrence represents an SPDX Relationship section: https://spdx.github.io/spdx-spec/7-relationships-between-SPDX-elements/

Remediation

Specifies details on how to handle (and presumably, fix) a vulnerability.

RepoId

A unique identifier for a Cloud Repo.

Resource

An entity that can have metadata. For example, a Docker image.

ResourceDescriptor

RunDetails

SbomReferenceIntotoPayload

The actual payload that contains the SBOM Reference data. The payload follows the intoto statement specification. See https://github.com/in-toto/attestation/blob/main/spec/v1.0/statement.md for more details.

SbomReferenceIntotoPredicate

A predicate which describes the SBOM being referenced.

SBOMReferenceNote

The note representing an SBOM reference.

SBOMReferenceOccurrence

The occurrence representing an SBOM reference as applied to a specific resource. The occurrence follows the DSSE specification. See https://github.com/secure-systems-lab/dsse/blob/master/envelope.md for more details.

SBOMStatus

The status of an SBOM generation.

SetIamPolicyRequest

Request message for SetIamPolicy method.

Signature

Verifiers (e.g. Kritis implementations) MUST verify signatures with respect to the trust anchors defined in policy (e.g. a Kritis policy). Typically this means that the verifier has been configured with a map from public_key_id to public key material (and any required parameters, e.g. signing algorithm). In particular, verification implementations MUST NOT treat the signature public_key_id as anything more than a key lookup hint. The public_key_id DOES NOT validate or authenticate a public key; it only provides a mechanism for quickly selecting a public key ALREADY CONFIGURED on the verifier through a trusted channel. Verification implementations MUST reject signatures in any of the following circumstances: * The public_key_id is not recognized by the verifier. * The public key that public_key_id refers to does not verify the signature with respect to the payload. The signature contents SHOULD NOT be "attached" (where the payload is included with the serialized signature bytes). Verifiers MUST ignore any "attached" payload and only verify signatures with respect to explicitly provided payload (e.g. a payload field on the proto message that holds this Signature, or the canonical serialization of the proto message that holds this signature).

SigningKey

This defines the format used to record keys used in the software supply chain. An in-toto link is attested using one or more keys defined in the in-toto layout. An example of this is: { "key_id": "776a00e29f3559e0141b3b096f696abc6cfb0c657ab40f441132b345b0...", "key_type": "rsa", "public_key_value": "-----BEGIN PUBLIC KEY-----\nMIIBojANBgkqhkiG9w0B...", "key_scheme": "rsassa-pss-sha256" } The format for in-toto's key definition can be found in section 4.2 of the in-toto specification.

SlsaProvenanceV1

Keep in sync with schema at https://github.com/slsa-framework/slsa/blob/main/docs/provenance/schema/v1/provenance.proto Builder renamed to ProvenanceBuilder because of Java conflicts.

Source

Source describes the location of the source used for the build.

SourceContext

A SourceContext is a reference to a tree of files. A SourceContext together with a path point to a unique revision of a single file or directory.

Status

The Status type defines a logical error model that is suitable for different programming environments, including REST APIs and RPC APIs. It is used by gRPC. Each Status message contains three pieces of data: error code, error message, and error details. You can find out more about this error model and how to work with it in the API Design Guide.