package google.devtools.containeranalysis.v1alpha1
Get desktop application:
View/edit binary Protocol Buffers messages
Retrieves the results of vulnerability scanning of cloud components such as container images. The Container Analysis API is an implementation of the [Grafeas](grafeas.io) API. The vulnerability results are stored as a series of Occurrences. An `Occurrence` contains information about a specific vulnerability in a resource. An `Occurrence` references a `Note`. A `Note` contains details about the vulnerability and is stored in a stored in a separate project. Multiple `Occurrences` can reference the same `Note`. For example, an SSL vulnerability could affect multiple packages in an image. In this case, there would be one `Note` for the vulnerability and an `Occurrence` for each package with the vulnerability referencing that `Note`.
Returns the requested `Occurrence`.
message
containeranalysis.proto:710Request to get a Occurrence.
string name = 1
The name of the occurrence of the form "projects/{project_id}/occurrences/{OCCURRENCE_ID}"
Lists active `Occurrences` for a given project matching the filters.
message
containeranalysis.proto:717Request to list occurrences.
string name = 1
The name field contains the project Id. For example: "projects/{project_id} @Deprecated
string parent = 5
This contains the project Id for example: projects/{project_id}.
string filter = 2
The filter expression.
int32 page_size = 3
Number of occurrences to return in the list.
string page_token = 4
Token to provide to skip to a particular spot in the list.
Note.Kind kind = 6
The kind of occurrences to filter on.
message
containeranalysis.proto:740Response including listed active occurrences.
repeated occurrences = 1
The occurrences requested.
string next_page_token = 2
The next pagination token in the list response. It should be used as `page_token` for the following request. An empty value means no more results.
Deletes the given `Occurrence` from the system. Use this when an `Occurrence` is no longer applicable for the given resource.
message
containeranalysis.proto:751Request to delete a occurrence
string name = 1
The name of the occurrence in the form of "projects/{project_id}/occurrences/{OCCURRENCE_ID}"
Creates a new `Occurrence`. Use this method to create `Occurrences` for a resource.
message
containeranalysis.proto:758Request to insert a new occurrence.
string name = 1
The name of the project. Should be of the form "projects/{project_id}". @Deprecated
string parent = 3
This field contains the project Id for example: "projects/{project_id}"
optional occurrence = 2
The occurrence to be inserted
Updates an existing occurrence.
message
containeranalysis.proto:771Request to update an existing occurrence
string name = 1
The name of the occurrence. Should be of the form "projects/{project_id}/occurrences/{OCCURRENCE_ID}".
optional occurrence = 2
The updated occurrence.
optional update_mask = 3
The fields to update.
Gets the `Note` attached to the given `Occurrence`.
message
containeranalysis.proto:791Request to get the note to which this occurrence is attached.
string name = 1
The name of the occurrence in the form "projects/{project_id}/occurrences/{OCCURRENCE_ID}"
rpc GetNote (, )
containeranalysis.proto:100Returns the requested `Note`.
message
containeranalysis.proto:784Request to get a Note.
string name = 1
The name of the note in the form of "providers/{provider_id}/notes/{NOTE_ID}"
rpc ListNotes (, )
containeranalysis.proto:107Lists all `Notes` for a given project.
message
containeranalysis.proto:798Request to list notes.
string name = 1
The name field will contain the project Id for example: "providers/{provider_id} @Deprecated
string parent = 5
This field contains the project Id for example: "projects/{PROJECT_ID}".
string filter = 2
The filter expression.
int32 page_size = 3
Number of notes to return in the list.
string page_token = 4
Token to provide to skip to a particular spot in the list.
message
containeranalysis.proto:818Response including listed notes.
repeated notes = 1
The occurrences requested
string next_page_token = 2
The next pagination token in the list response. It should be used as page_token for the following request. An empty value means no more result.
Deletes the given `Note` from the system.
message
containeranalysis.proto:828Request to delete a note
string name = 1
The name of the note in the form of "providers/{provider_id}/notes/{NOTE_ID}"
Creates a new `Note`.
message
containeranalysis.proto:835Request to insert a new note
string name = 1
The name of the project. Should be of the form "providers/{provider_id}". @Deprecated
string parent = 4
This field contains the project Id for example: "projects/{project_id}
string note_id = 2
The ID to use for this note.
optional note = 3
The Note to be inserted
Updates an existing `Note`.
message
containeranalysis.proto:853Request to update an existing note
string name = 1
The name of the note. Should be of the form "projects/{provider_id}/notes/{note_id}".
optional note = 2
The updated note.
optional update_mask = 3
The fields to update.
Lists `Occurrences` referencing the specified `Note`. Use this method to get all occurrences referencing your `Note` across all your customer projects.
message
containeranalysis.proto:866Request to list occurrences.
string name = 1
The name field will contain the note name for example: "provider/{provider_id}/notes/{note_id}"
string filter = 2
The filter expression.
int32 page_size = 3
Number of notes to return in the list.
string page_token = 4
Token to provide to skip to a particular spot in the list.
message
containeranalysis.proto:882Response including listed occurrences for a note.
repeated occurrences = 1
The occurrences attached to the specified note.
string next_page_token = 2
Token to receive the next page of notes.
Gets a summary of the number and severity of occurrences.
message
containeranalysis.proto:925Request to get the vulnz summary for some set of vulnerability Occurrences.
string parent = 1
This contains the project Id for example: projects/{project_id}
string filter = 2
The filter expression.
message
containeranalysis.proto:936A summary of how many vulnz occurrences there are per severity type. counts by groups, or if we should have different summary messages like this.
repeated counts = 1
A map of how many occurrences were found for each severity.
Sets the access control policy on the specified `Note` or `Occurrence`. Requires `containeranalysis.notes.setIamPolicy` or `containeranalysis.occurrences.setIamPolicy` permission if the resource is a `Note` or an `Occurrence`, respectively. Attempting to call this method without these permissions will result in a ` `PERMISSION_DENIED` error. Attempting to call this method on a non-existent resource will result in a `NOT_FOUND` error if the user has `containeranalysis.notes.list` permission on a `Note` or `containeranalysis.occurrences.list` on an `Occurrence`, or a `PERMISSION_DENIED` error otherwise. The resource takes the following formats: `projects/{projectid}/occurrences/{occurrenceid}` for occurrences and projects/{projectid}/notes/{noteid} for notes
Gets the access control policy for a note or an `Occurrence` resource. Requires `containeranalysis.notes.setIamPolicy` or `containeranalysis.occurrences.setIamPolicy` permission if the resource is a note or occurrence, respectively. Attempting to call this method on a resource without the required permission will result in a `PERMISSION_DENIED` error. Attempting to call this method on a non-existent resource will result in a `NOT_FOUND` error if the user has list permission on the project, or a `PERMISSION_DENIED` error otherwise. The resource takes the following formats: `projects/{PROJECT_ID}/occurrences/{OCCURRENCE_ID}` for occurrences and projects/{PROJECT_ID}/notes/{NOTE_ID} for notes
Returns the permissions that a caller has on the specified note or occurrence resource. Requires list permission on the project (for example, "storage.objects.list" on the containing bucket for testing permission of an object). Attempting to call this method on a non-existent resource will result in a `NOT_FOUND` error if the user has list permission on the project, or a `PERMISSION_DENIED` error otherwise. The resource takes the following formats: `projects/{PROJECT_ID}/occurrences/{OCCURRENCE_ID}` for `Occurrences` and `projects/{PROJECT_ID}/notes/{NOTE_ID}` for `Notes`
Creates a new `Operation`.
message
containeranalysis.proto:891Request for creating an operation
string parent = 1
The project Id that this operation should be created under.
string operation_id = 2
The ID to use for this operation.
optional operation = 3
The operation to create.
Updates an existing operation returns an error if operation does not exist. The only valid operations are to update mark the done bit change the result.
message
containeranalysis.proto:903Request for updating an existing operation
string name = 1
The name of the Operation. Should be of the form "projects/{provider_id}/operations/{operation_id}".
optional operation = 3
The operation to create.
optional update_mask = 4
Gets a specific scan configuration for a project.
message
containeranalysis.proto:951Request to get a ScanConfig.
string name = 1
The name of the ScanConfig in the form projects/{project_id}/scan_configs/{ScanConfig_id} instead.
Lists scan configurations for a project.
message
containeranalysis.proto:959Request to list the available scan configurations.
string parent = 1
This containers the project Id i.e.: projects/{project_id} instead.
string filter = 2
The filter expression.
int32 page_size = 3
The number of items to return.
string page_token = 4
The page token to use for the next request.
message
containeranalysis.proto:975A list of ScanConfigs for the project.
repeated scan_configs = 1
The set of scan configs
string next_page_token = 2
A page token to pass in order to get more scans.
Updates the scan configuration to a new value.
message
containeranalysis.proto:984A request to update a ScanConfig.
string name = 1
The scan config to update of the form projects/{project_id}/scan_configs/{ScanConfig_id} instead.
optional scan_config = 2
The new scan configuration
optional update_mask = 3
message
source_context.proto:46An alias to a repo revision.
Used in: ,
AliasContext.Kind kind = 1
The alias kind.
string name = 2
The alias name.
The type of an alias.
Used in:
KIND_UNSPECIFIED = 0
Unknown.
FIXED = 1
Git tag.
MOVABLE = 2
Git branch.
OTHER = 4
Used to specify non-standard aliases. For example, if a Git repo has a ref named "refs/foo/bar".
message
provenance.proto:198Artifact describes a build product.
Used in:
string name = 1
Name of the artifact. This may be the path to a binary or jar file, or in the case of a container build, the name used to push the container image to Google Container Registry, as presented to `docker push`. This field is deprecated in favor of the plural `names` field; it continues to exist here to allow existing BuildProvenance serialized to json in google.devtools.containeranalysis.v1alpha1.BuildDetails.provenance_bytes to deserialize back into proto.
string checksum = 2
Hash or checksum value of a binary, or Docker Registry 2.0 digest of a container.
string id = 3
Artifact ID, if any; for container images, this will be a URL by digest like gcr.io/projectID/imagename@sha256:123456
repeated string names = 4
Related artifact names. This may be the path to a binary or jar file, or in the case of a container build, the name used to push the container image to Google Container Registry, as presented to `docker push`. Note that a single Artifact ID can have multiple names, for example if two tags are applied to one image.
message
containeranalysis.proto:644Note kind that represents a logical attestation "role" or "authority". For example, an organization might have one `AttestationAuthority` for "QA" and one for "build". This Note is intended to act strictly as a grouping mechanism for the attached Occurrences (Attestations). This grouping mechanism also provides a security boundary, since IAM ACLs gate the ability for a principle to attach an Occurrence to a given Note. It also provides a single point of lookup to find all attached Attestation Occurrences, even if they don't all live in the same project.
Used in:
optional hint = 1
message
containeranalysis.proto:665Occurrence that represents a single "attestation". The authenticity of an Attestation can be verified using the attached signature. If the verifier trusts the public key of the signer, then verifying the signature is sufficient to establish trust. In this circumstance, the AttestationAuthority to which this Attestation is attached is primarily useful for look-up (how to find this Attestation if you already know the Authority and artifact to be verified) and intent (which authority was this attestation intended to sign for).
Used in:
oneof signature
The signature, generally over the `resource_url`, that verifies this attestation. The semantics of the signature veracity are ultimately determined by the verification engine.
pgp_signed_attestation = 1
message
containeranalysis.proto:652This submessage provides human-readable hints about the purpose of the AttestationAuthority. Because the name of a Note acts as its resource reference, it is important to disambiguate the canonical name of the Note (which might be a UUID for security purposes) from "readable" names more suitable for debug output. Note that these hints should NOT be used to look up AttestationAuthorities in security sensitive contexts, such as when looking up Attestations to verify.
Used in:
string human_readable_name = 1
The human readable name of this Attestation Authority, for example "qa".
message
containeranalysis.proto:678Message encapsulating build provenance details.
Used in:
optional provenance = 1
The actual provenance
string provenance_bytes = 2
Serialized JSON representation of the provenance, used in generating the `BuildSignature` in the corresponding Result. After verifying the signature, `provenance_bytes` can be unmarshalled and compared to the provenance to confirm that it is unchanged. A base64-encoded string representation of the provenance bytes is used for the signature in order to interoperate with openssl which expects this format for signature verification. The serialized form is captured both to avoid ambiguity in how the provenance is marshalled to json as well to prevent incompatibilities with future changes.
message
provenance.proto:30Provenance of a build. Contains all information needed to verify the full details about the build from source to completion.
Used in:
string id = 1
Unique identifier of the build.
string project_id = 2
ID of the project.
repeated commands = 5
Commands requested by the build.
repeated built_artifacts = 6
Output of the build.
optional create_time = 7
Time at which the build was created.
optional start_time = 8
Time at which execution of the build was started.
optional finish_time = 9
Time at which execution of the build was finished.
string creator = 11
E-mail address of the user who initiated this build. Note that this was the user's e-mail address at the time the build was initiated; this address may not represent the same end-user for all time.
string logs_bucket = 13
Google Cloud Storage bucket where logs were written.
optional source_provenance = 14
Details of the Source input to the build.
string trigger_id = 15
Trigger identifier if the build was triggered automatically; empty if not.
map<string, string> build_options = 16
Special options applied to this build. This is a catch-all field where build providers can enter any desired additional details.
string builder_version = 17
Version string of the builder at the time this build was executed.
message
containeranalysis.proto:532Message encapsulating the signature of the verified build.
Used in:
string public_key = 1
Public key of the builder which can be used to verify that the related findings are valid and unchanged. If `key_type` is empty, this defaults to PEM encoded public keys. This field may be empty if `key_id` references an external key. For Cloud Build based signatures, this is a PEM encoded public key. To verify the Cloud Build signature, place the contents of this field into a file (public.pem). The signature field is base64-decoded into its binary representation in signature.bin, and the provenance bytes from `BuildDetails` are base64-decoded into a binary representation in signed.bin. OpenSSL can then verify the signature: `openssl sha256 -verify public.pem -signature signature.bin signed.bin`
string signature = 2
Signature of the related `BuildProvenance`, encoded in a base64 string.
string key_id = 3
An Id for the key used to sign. This could be either an Id for the key stored in `public_key` (such as the Id or fingerprint for a PGP key, or the CN for a cert), or a reference to an external key (such as a reference to a key in Cloud Key Management Service).
BuildSignature.KeyType key_type = 4
The type of the key, either stored in `public_key` or referenced in `key_id`
Public key formats
Used in:
KEY_TYPE_UNSPECIFIED = 0
`KeyType` is not set.
PGP_ASCII_ARMORED = 1
`PGP ASCII Armored` public key.
PKIX_PEM = 2
`PKIX PEM` public key.
message
containeranalysis.proto:522Note holding the version of the provider's builder and the signature of the provenance message in linked BuildDetails.
Used in:
string builder_version = 1
Version of the builder which produced this Note.
optional signature = 2
Signature of the build in Occurrences pointing to the Note containing this `BuilderDetails`.
message
source_context.proto:72A CloudRepoSourceContext denotes a particular revision in a Google Cloud Source Repo.
Used in:
optional repo_id = 1
The ID of the repo.
oneof revision
A revision in a Cloud Repo can be identified by either its revision ID or its alias.
string revision_id = 2
A revision ID.
alias_context = 3
An alias, which may be a branch or tag.
message
provenance.proto:174Command describes a step performed as part of the build pipeline.
Used in:
string name = 1
Name of the command, as presented on the command line, or if the command is packaged as a Docker container, as presented to `docker pull`.
repeated string env = 2
Environment variables set before running this Command.
repeated string args = 3
Command-line arguments used when executing this Command.
string dir = 4
Working directory (relative to project source root) used when running this Command.
string id = 5
Optional unique identifier for this Command, used in wait_for to reference this Command as a dependency.
repeated string wait_for = 6
The ID(s) of the Command(s) that this Command depends on.
message
containeranalysis.proto:429An artifact that can be deployed in some runtime.
Used in:
repeated string resource_uri = 1
Resource URI for the artifact being deployed.
message
containeranalysis.proto:431The period during which some deployable was active in a runtime.
Used in:
string user_email = 1
Identity of the user that triggered this deployment.
optional deploy_time = 2
Beginning of the lifetime of this deployment.
optional undeploy_time = 3
End of the lifetime of this deployment.
string config = 8
Configuration used to create this deployment.
string address = 5
Address of the runtime element hosting this deployment.
repeated string resource_uri = 6
Output only. Resource URI for the artifact being deployed taken from the deployable field with the same name.
Deployment.Platform platform = 7
Platform hosting this deployment.
Types of platforms.
Used in:
PLATFORM_UNSPECIFIED = 0
Unknown
GKE = 1
Google Container Engine
FLEX = 2
Google App Engine: Flexible Environment
CUSTOM = 3
Custom user-defined platform
message
containeranalysis.proto:479A note that indicates a type of analysis a provider would perform. This note exists in a provider's project. A `Discovery` occurrence is created in a consumer's project at the start of analysis. The occurrence's operation will indicate the status of the analysis. Absence of an occurrence linked to this note for a resource indicates that analysis hasn't started.
Used in:
Note.Kind analysis_kind = 1
The kind of analysis that is handled by this discovery.
message
containeranalysis.proto:481Provides information about the scan status of a discovered resource.
Used in:
optional operation = 1
Output only. An operation that indicates the status of the current scan.
Discovered.AnalysisStatus analysis_status = 5
The status of discovery for the resource.
optional analysis_status_error = 6
When an error is encountered this will contain a LocalizedMessage under details to show to the user. The LocalizedMessage output only and populated by the API.
Analysis status for a resource.
Used in:
ANALYSIS_STATUS_UNSPECIFIED = 0
Unknown
PENDING = 1
Resource is known but no action has been taken yet.
SCANNING = 2
Resource is being analyzed.
FINISHED_SUCCESS = 3
Analysis has finished successfully.
FINISHED_FAILED = 4
Analysis has finished unsuccessfully, the analysis itself is in a bad state.
UNSUPPORTED_RESOURCE = 5
Analysis will not happen, the resource is not supported.
message
image_basis.proto:28DockerImage holds types defining base image notes and derived image occurrences.
(message has no fields)
message
image_basis.proto:118Basis describes the base image portion (Note) of the DockerImage relationship. Linked occurrences are derived from this or an equivalent image via: FROM <Basis.resource_url> Or an equivalent reference, e.g. a tag of the resource_url.
Used in:
string resource_url = 1
The resource_url for the resource representing the basis of associated occurrence images.
optional fingerprint = 2
The fingerprint of the base image.
message
image_basis.proto:130Derived describes the derived image portion (Occurrence) of the DockerImage relationship. This image would be produced from a Dockerfile with FROM <DockerImage.Basis in attached Note>.
Used in:
optional fingerprint = 1
The fingerprint of the derived image.
uint32 distance = 2
Output only. The number of layers by which this image differs from the associated image basis.
repeated layer_info = 3
This contains layer-specific metadata, if populated it has length "distance" and is ordered with [distance] being the layer immediately following the base image and [1] being the final layer.
string base_resource_url = 4
Output only. This contains the base image URL for the derived image occurrence.
message
image_basis.proto:96A set of properties that uniquely identify a given Docker image.
Used in: ,
string v1_name = 1
The layer-id of the final layer in the Docker image's v1 representation. This field can be used as a filter in list requests.
repeated string v2_blob = 2
The ordered list of v2 blobs that represent a given image.
string v2_name = 3
Output only. The name of the image's v2 blobs computed via: [bottom] := v2_blob[bottom] [N] := sha256(v2_blob[N] + " " + v2_name[N+1]) Only the name of the final blob is kept. This field can be used as a filter in list requests.
message
image_basis.proto:30Layer holds metadata specific to a layer of a Docker image.
Used in:
Layer.Directive directive = 1
The recovered Dockerfile directive used to construct this layer.
string arguments = 2
The recovered arguments to the Dockerfile directive.
Instructions from dockerfile
Used in:
DIRECTIVE_UNSPECIFIED = 0
Default value for unsupported/missing directive
MAINTAINER = 1
https://docs.docker.com/reference/builder/#maintainer
RUN = 2
https://docs.docker.com/reference/builder/#run
CMD = 3
https://docs.docker.com/reference/builder/#cmd
LABEL = 4
https://docs.docker.com/reference/builder/#label
EXPOSE = 5
https://docs.docker.com/reference/builder/#expose
ENV = 6
https://docs.docker.com/reference/builder/#env
ADD = 7
https://docs.docker.com/reference/builder/#add
COPY = 8
https://docs.docker.com/reference/builder/#copy
ENTRYPOINT = 9
https://docs.docker.com/reference/builder/#entrypoint
VOLUME = 10
https://docs.docker.com/reference/builder/#volume
USER = 11
https://docs.docker.com/reference/builder/#user
WORKDIR = 12
https://docs.docker.com/reference/builder/#workdir
ARG = 13
https://docs.docker.com/reference/builder/#arg
ONBUILD = 14
https://docs.docker.com/reference/builder/#onbuild
STOPSIGNAL = 15
https://docs.docker.com/reference/builder/#stopsignal
HEALTHCHECK = 16
https://docs.docker.com/reference/builder/#healthcheck
SHELL = 17
https://docs.docker.com/reference/builder/#shell
message
provenance.proto:112Container message for hashes of byte content of files, used in Source messages to verify integrity of source input to the build.
Used in:
repeated file_hash = 1
Collection of file hashes.
message
source_context.proto:88A SourceContext referring to a Gerrit project.
Used in:
string host_uri = 1
The URI of a running Gerrit instance.
string gerrit_project = 2
The full project name within the host. Projects may be nested, so "project/subproject" is a valid project name. The "repo name" is the hostURI/project.
oneof revision
A revision in a Gerrit project can be identified by either its revision ID or its alias.
string revision_id = 3
A revision (commit) ID.
alias_context = 4
An alias, which may be a branch or tag.
message
containeranalysis.proto:938The number of occurrences created for a specific severity.
Used in:
VulnerabilityType.Severity severity = 1
The severity of the occurrences.
int64 count = 2
The number of occurrences with the severity.
message
source_context.proto:110A GitSourceContext denotes a particular revision in a third party Git repository (e.g., GitHub).
Used in:
string url = 1
Git repository URL.
string revision_id = 2
Required. Git commit hash.
message
provenance.proto:118Container message for hash values.
Used in: ,
Hash.HashType type = 1
The type of hash that was performed.
bytes value = 2
The hash value.
Specifies the hash algorithm, if any.
Used in:
NONE = 0
No hash requested.
SHA256 = 1
A sha256 hash.
message
containeranalysis.proto:337Provides a detailed description of a `Note`.
Used as response type in: ContainerAnalysis.CreateNote, ContainerAnalysis.GetNote, ContainerAnalysis.GetOccurrenceNote, ContainerAnalysis.UpdateNote
Used as field type in: , ,
string name = 1
The name of the note in the form "providers/{provider_id}/notes/{NOTE_ID}"
string short_description = 3
A one sentence description of this `Note`.
string long_description = 4
A detailed description of this `Note`.
Note.Kind kind = 9
Output only. This explicitly denotes which kind of note is specified. This field can be used as a filter in list requests.
oneof note_type
The type of note.
vulnerability_type = 6
A package vulnerability type of note.
build_type = 8
Build provenance type for a verifiable build.
base_image = 13
A note describing a base image.
package = 14
A note describing a package hosted by various package managers.
deployable = 17
A note describing something that can be deployed.
discovery = 18
A note describing a provider/analysis type.
attestation_authority = 19
A note describing an attestation role.
repeated related_url = 7
URLs associated with this note
optional expiration_time = 10
Time of expiration for this note, null if note does not expire.
optional create_time = 11
Output only. The time this note was created. This field can be used as a filter in list requests.
optional update_time = 12
Output only. The time this note was last updated. This field can be used as a filter in list requests.
This must be 1:1 with members of our oneofs, it can be used for filtering Note and Occurrence on their kind.
Used in: , , ,
KIND_UNSPECIFIED = 0
Unknown
PACKAGE_VULNERABILITY = 2
The note and occurrence represent a package vulnerability.
BUILD_DETAILS = 3
The note and occurrence assert build provenance.
IMAGE_BASIS = 4
This represents an image basis relationship.
PACKAGE_MANAGER = 5
This represents a package installed via a package manager.
DEPLOYABLE = 6
The note and occurrence track deployment events.
DISCOVERY = 7
The note and occurrence track the initial discovery status of a resource.
ATTESTATION_AUTHORITY = 8
This represents a logical "role" that can attest to artifacts.
message
containeranalysis.proto:339Metadata for any related URL information
Used in:
string url = 1
Specific URL to associate with the note
string label = 2
Label to describe usage of the URL
message
containeranalysis.proto:266`Occurrence` includes information about analysis occurrences for an image.
Used as response type in: ContainerAnalysis.CreateOccurrence, ContainerAnalysis.GetOccurrence, ContainerAnalysis.UpdateOccurrence
Used as field type in: , , ,
string name = 1
Output only. The name of the `Occurrence` in the form "projects/{project_id}/occurrences/{OCCURRENCE_ID}"
string resource_url = 2
The unique URL of the image or the container for which the `Occurrence` applies. For example, https://gcr.io/project/image@sha256:foo This field can be used as a filter in list requests.
optional resource = 17
The resource for which the `Occurrence` applies.
string note_name = 3
An analysis note associated with this image, in the form "providers/{provider_id}/notes/{NOTE_ID}" This field can be used as a filter in list requests.
Note.Kind kind = 6
Output only. This explicitly denotes which of the `Occurrence` details are specified. This field can be used as a filter in list requests.
oneof details
Describes the details of the vulnerability `Note` found in this resource.
vulnerability_details = 8
Details of a security vulnerability note.
build_details = 7
Build details for a verifiable build.
derived_image = 11
Describes how this resource derives from the basis in the associated note.
installation = 12
Describes the installation of a package on the linked resource.
deployment = 14
Describes the deployment of an artifact on a runtime.
discovered = 15
Describes the initial scan status for this resource.
attestation = 16
Describes an attestation of an artifact.
string remediation = 5
A description of actions that can be taken to remedy the `Note`
optional create_time = 9
Output only. The time this `Occurrence` was created.
optional update_time = 10
Output only. The time this `Occurrence` was last updated.
message
containeranalysis.proto:916Metadata for all operations used and required for all operations that created by Container Analysis Providers
optional create_time = 1
Output only. The time this operation was created.
optional end_time = 2
Output only. The time that this operation was marked completed or failed.
message
bill_of_materials.proto:28PackageManager provides metadata about available / installed packages.
(message has no fields)
Instruction set architectures supported by various package managers.
Used in:
ARCHITECTURE_UNSPECIFIED = 0
Unknown architecture
X86 = 1
X86 architecture
X64 = 2
X64 architecture
message
bill_of_materials.proto:31This represents a particular channel of distribution for a given package. e.g. Debian's jessie-backports dpkg mirror
Used in:
string cpe_uri = 1
The cpe_uri in [cpe format](https://cpe.mitre.org/specification/) denoting the package manager version distributing a package.
Architecture architecture = 2
The CPU architecture for which packages in this distribution channel were built
optional latest_version = 3
The latest available version of this package in this distribution channel.
string maintainer = 4
A freeform string denoting the maintainer of this package.
string url = 6
The distribution channel-specific homepage for this package.
string description = 7
The distribution channel-specific description of this package.
message
bill_of_materials.proto:82This represents how a particular software package may be installed on a system.
Used in:
string name = 1
Output only. The name of the installed package.
repeated location = 2
All of the places within the filesystem versions of this package have been found.
message
bill_of_materials.proto:57An occurrence of a particular package installation found within a system's filesystem. e.g. glibc was found in /var/lib/dpkg/status
Used in:
string cpe_uri = 1
The cpe_uri in [cpe format](https://cpe.mitre.org/specification/) denoting the package manager version distributing a package.
optional version = 2
The version installed at this location.
string path = 3
The path from which we gathered that this package/version is installed.
message
bill_of_materials.proto:72This represents a particular package that is distributed over various channels. e.g. glibc (aka libc6) is distributed by many, at various versions.
Used in:
string name = 1
The name of the package.
repeated distribution = 10
The various channels by which a package is distributed.
message
containeranalysis.proto:577An attestation wrapper with a PGP-compatible signature. This message only supports `ATTACHED` signatures, where the payload that is signed is included alongside the signature itself in the same file.
Used in:
string signature = 1
The raw content of the signature, as output by GNU Privacy Guard (GPG) or equivalent. Since this message only supports attached signatures, the payload that was signed must be attached. While the signature format supported is dependent on the verification implementation, currently only ASCII-armored (`--armor` to gpg), non-clearsigned (`--sign` rather than `--clearsign` to gpg) are supported. Concretely, `gpg --sign --armor --output=signature.gpg payload.json` will create the signature content expected in this field in `signature.gpg` for the `payload.json` attestation payload.
PgpSignedAttestation.ContentType content_type = 3
Type (for example schema) of the attestation payload that was signed. The verifier must ensure that the provided type is one that the verifier supports, and that the attestation payload is a valid instantiation of that type (for example by validating a JSON schema).
oneof key_id
This field is used by verifiers to select the public key used to validate the signature. Note that the policy of the verifier ultimately determines which public keys verify a signature based on the context of the verification. There is no guarantee validation will succeed if the verifier has no key matching this ID, even if it has a key under a different ID that would verify the signature. Note that this ID should also be present in the signature content above, but that is not expected to be used by the verifier.
string pgp_key_id = 2
The cryptographic fingerprint of the key used to generate the signature, as output by, e.g. `gpg --list-keys`. This should be the version 4, full 160-bit fingerprint, expressed as a 40 character hexadecimal string. See https://tools.ietf.org/html/rfc4880#section-12.2 for details. Implementations may choose to acknowledge "LONG", "SHORT", or other abbreviated key IDs, but only the full fingerprint is guaranteed to work. In gpg, the full fingerprint can be retrieved from the `fpr` field returned when calling --list-keys with --with-colons. For example: ``` gpg --with-colons --with-fingerprint --force-v4-certs \ --list-keys attester@example.com tru::1:1513631572:0:3:1:5 pub:...<SNIP>... fpr:::::::::24FF6481B76AC91E66A00AC657A93A81EF3AE6FB: ``` Above, the fingerprint is `24FF6481B76AC91E66A00AC657A93A81EF3AE6FB`.
Type (for example schema) of the attestation payload that was signed.
Used in:
CONTENT_TYPE_UNSPECIFIED = 0
`ContentType` is not set.
SIMPLE_SIGNING_JSON = 1
Atomic format attestation signature. See https://github.com/containers/image/blob/8a5d2f82a6e3263290c8e0276c3e0f64e77723e7/docs/atomic-signature.md The payload extracted from `signature` is a JSON blob conforming to the linked schema.
message
source_context.proto:134Selects a repo using a Google Cloud Platform project ID (e.g., winged-cargo-31) and a repo name within that project.
Used in:
string project_id = 1
The ID of the project.
string repo_name = 2
The name of the repo. Leave empty for the default repo.
message
source_context.proto:120A unique identifier for a Cloud Repo.
Used in:
oneof id
A cloud repo can be identified by either its project ID and repository name combination, or its globally unique identifier.
project_repo_id = 1
A combination of a project ID and a repo name.
string uid = 2
A server-assigned, globally unique identifier.
message
provenance.proto:152RepoSource describes the location of the source in a Google Cloud Source Repository.
Used in:
string project_id = 1
ID of the project that owns the repo.
string repo_name = 2
Name of the repo.
oneof revision
A revision within the source repository must be specified in one of these ways.
string branch_name = 3
Name of the branch to build.
string tag_name = 4
Name of the tag to build.
string commit_sha = 5
Explicit commit SHA to build.
message
containeranalysis.proto:324Resource is an entity that can have metadata. E.g., a Docker image.
Used in:
string name = 1
The name of the resource. E.g., the name of a Docker image - "Debian".
string uri = 2
The unique URI of the resource. E.g., "https://gcr.io/project/image@sha256:foo" for a Docker image.
optional content_hash = 3
The hash of the resource content. E.g., the Docker digest.
message
containeranalysis.proto:697Indicates various scans and whether they are turned on or off.
Used as response type in: ContainerAnalysis.GetScanConfig, ContainerAnalysis.UpdateScanConfig
Used as field type in: ,
string name = 1
Output only. The name of the ScanConfig in the form “projects/{project_id}/ScanConfigs/{ScanConfig_id}".
string description = 2
Output only. A human-readable description of what the `ScanConfig` does.
bool enabled = 3
Indicates whether the Scan is enabled.
message
provenance.proto:75Source describes the location of the source used for the build.
Used in:
oneof source
Source location information.
storage_source = 1
If provided, get the source from this location in in Google Cloud Storage.
repo_source = 2
If provided, get source from this location in a Cloud Repo.
optional artifact_storage_source = 4
If provided, the input binary artifacts for the build came from this location.
map<string, > file_hashes = 3
Hash(es) of the build source, which can be used to verify that the original source integrity was maintained in the build. The keys to this map are file paths used as build source and the values contain the hash values for those files. If the build source came in a single package such as a gzipped tarfile (.tar.gz), the FileHash will be for the single path to that file.
optional context = 7
If provided, the source code used for the build came from this location.
repeated additional_contexts = 8
If provided, some of the source code used for the build may be found in these locations, in the case where the source repository had multiple remotes or submodules. This list will not include the context specified in the context field.
message
source_context.proto:28A SourceContext is a reference to a tree of files. A SourceContext together with a path point to a unique revision of a single file or directory.
Used in:
oneof context
A SourceContext can refer any one of the following types of repositories.
cloud_repo = 1
A SourceContext referring to a revision in a Google Cloud Source Repo.
gerrit = 2
A SourceContext referring to a Gerrit project.
git = 3
A SourceContext referring to any third party Git repo (e.g., GitHub).
map<string, string> labels = 4
Labels with user defined metadata.
message
provenance.proto:137StorageSource describes the location of the source in an archive file in Google Cloud Storage.
Used in:
string bucket = 1
Google Cloud Storage bucket containing source (see [Bucket Name Requirements] (https://cloud.google.com/storage/docs/bucket-naming#requirements)).
string object = 2
Google Cloud Storage object containing source.
int64 generation = 3
Google Cloud Storage generation for the object.
message
package_vulnerability.proto:27VulnerabilityType provides metadata about a security vulnerability.
Used in:
float cvss_score = 2
The CVSS score for this Vulnerability.
VulnerabilityType.Severity severity = 3
Note provider assigned impact of the vulnerability
repeated details = 4
All information about the package to specifically identify this vulnerability. One entry per (version range and cpe_uri) the package vulnerability has manifested in.
message
package_vulnerability.proto:66Identifies all occurrences of this vulnerability in the package for a specific distro/location For example: glibc in cpe:/o:debian:debian_linux:8 for versions 2.1 - 2.2
Used in:
string cpe_uri = 1
The cpe_uri in [cpe format] (https://cpe.mitre.org/specification/) in which the vulnerability manifests. Examples include distro or storage location for vulnerable jar. This field can be used as a filter in list requests.
string package = 8
The name of the package where the vulnerability was found. This field can be used as a filter in list requests.
optional min_affected_version = 6
The min version of the package in which the vulnerability exists.
optional max_affected_version = 7
The max version of the package in which the vulnerability exists. This field can be used as a filter in list requests.
string severity_name = 4
The severity (eg: distro assigned severity) for this vulnerability.
string description = 9
A vendor-specific description of this note.
optional fixed_location = 5
The fix for this specific package version.
string package_type = 10
The type of package; whether native or non native(ruby gems, node.js packages etc)
bool is_obsolete = 11
Whether this Detail is obsolete. Occurrences are expected not to point to obsolete details.
message
package_vulnerability.proto:124This message wraps a location affected by a vulnerability and its associated fix (if one is available).
Used in:
optional affected_location = 1
The location of the vulnerability.
optional fixed_location = 2
The location of the available fix for vulnerability.
string severity_name = 3
The severity (eg: distro assigned severity) for this vulnerability.
Note provider-assigned severity/impact ranking
Used in: , ,
SEVERITY_UNSPECIFIED = 0
Unknown Impact
MINIMAL = 1
Minimal Impact
LOW = 2
Low Impact
MEDIUM = 3
Medium Impact
HIGH = 4
High Impact
CRITICAL = 5
Critical Impact
message
package_vulnerability.proto:33Version contains structured information about the version of the package. For a discussion of this in Debian/Ubuntu: http://serverfault.com/questions/604541/debian-packages-version-convention For a discussion of this in Redhat/Fedora/Centos: http://blog.jasonantman.com/2014/07/how-yum-and-rpm-compare-versions/
Used in: , , ,
int32 epoch = 1
Used to correct mistakes in the version numbering scheme.
string name = 2
The main part of the version name.
string revision = 3
The iteration of the package build from the above version.
Version.VersionKind kind = 5
Distinguish between sentinel MIN/MAX versions and normal versions. If kind is not NORMAL, then the other fields are ignored.
Whether this is an ordinary package version or a sentinel MIN/MAX version.
Used in:
NORMAL = 0
A standard package version, defined by the other fields.
MINIMUM = 1
A special version representing negative infinity, other fields are ignored.
MAXIMUM = 2
A special version representing positive infinity, other fields are ignored.
message
package_vulnerability.proto:104Used by Occurrence to point to where the vulnerability exists and how to fix it.
Used in:
string type = 3
The type of package; whether native or non native(ruby gems, node.js packages etc)
Severity severity = 4
Output only. The note provider assigned Severity of the vulnerability.
float cvss_score = 5
Output only. The CVSS score of this vulnerability. CVSS score is on a scale of 0-10 where 0 indicates low severity and 10 indicates high severity.
repeated package_issue = 6
The set of affected locations and their fixes (if available) within the associated resource.
message
package_vulnerability.proto:136The location of the vulnerability
Used in: ,
string cpe_uri = 1
The cpe_uri in [cpe format] (https://cpe.mitre.org/specification/) format. Examples include distro or storage location for vulnerable jar. This field can be used as a filter in list requests.
string package = 2
The package being described.
optional version = 4
The version of the package being described. This field can be used as a filter in list requests.