REST Resource: projects.occurrences

{
  "name": string,
  "resourceUri": string,
  "noteName": string,
  "kind": enum (NoteKind),
  "remediation": string,
  "createTime": string,
  "updateTime": string,
  "envelope": {
    object (Envelope)
  },

  // Union field details can be only one of the following:
  "vulnerability": {
    object (VulnerabilityOccurrence)
  },
  "build": {
    object (BuildOccurrence)
  },
  "image": {
    object (ImageOccurrence)
  },
  "package": {
    object (PackageOccurrence)
  },
  "deployment": {
    object (DeploymentOccurrence)
  },
  "discovery": {
    object (DiscoveryOccurrence)
  },
  "attestation": {
    object (AttestationOccurrence)
  },
  "upgrade": {
    object (UpgradeOccurrence)
  },
  "compliance": {
    object (ComplianceOccurrence)
  },
  "dsseAttestation": {
    object (DSSEAttestationOccurrence)
  },
  "sbomReference": {
    object (SBOMReferenceOccurrence)
  }
  // End of list of possible types for union field details.
}

string

Output only. The name of the occurrence in the form of projects/[PROJECT_ID]/occurrences/[OCCURRENCE_ID].

string

Required. Immutable. A URI that represents the resource for which the occurrence applies. For example, https://gcr.io/project/image@sha256:123abc for a Docker image.

string

Required. Immutable. The analysis note associated with this occurrence, in the form of projects/[PROVIDER_ID]/notes/[NOTE_ID]. This field can be used as a filter in list requests.

enum (NoteKind)

Output only. This explicitly denotes which of the occurrence details are specified. This field can be used as a filter in list requests.

string

A description of actions that can be taken to remedy the note.

string (Timestamp format)

Output only. The time this occurrence was created.

A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

string (Timestamp format)

Output only. The time this occurrence was last updated.

A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

object (Envelope)

https://github.com/secure-systems-lab/dsse

object (VulnerabilityOccurrence)

Describes a security vulnerability.

object (BuildOccurrence)

Describes a verifiable build.

object (ImageOccurrence)

Describes how this resource derives from the basis in the associated note.

object (PackageOccurrence)

Describes the installation of a package on the linked resource.

object (DeploymentOccurrence)

Describes the deployment of an artifact on a runtime.

object (DiscoveryOccurrence)

Describes when a resource was discovered.

object (AttestationOccurrence)

Describes an attestation of an artifact.

object (UpgradeOccurrence)

Describes an available package upgrade on the linked resource.

object (ComplianceOccurrence)

Describes a compliance violation on a linked resource.

object (DSSEAttestationOccurrence)

Describes an attestation of an artifact using dsse.

object (SBOMReferenceOccurrence)

Describes a specific SBOM reference occurrences.

{
  "type": string,
  "severity": enum (Severity),
  "cvssScore": number,
  "cvssv3": {
    object (CVSS)
  },
  "packageIssue": [
    {
      object (PackageIssue)
    }
  ],
  "shortDescription": string,
  "longDescription": string,
  "relatedUrls": [
    {
      object (RelatedUrl)
    }
  ],
  "effectiveSeverity": enum (Severity),
  "fixAvailable": boolean,
  "cvssVersion": enum (CVSSVersion),
  "cvssV2": {
    object (CVSS)
  },
  "vexAssessment": {
    object (VexAssessment)
  }
}

string

The type of package; whether native or non native (e.g., ruby gems, node.js packages, etc.).

enum (Severity)

Output only. The note provider assigned severity of this vulnerability.

number

Output only. The CVSS score of this vulnerability. CVSS score is on a scale of 0 - 10 where 0 indicates low severity and 10 indicates high severity.

object (CVSS)

The cvss v3 score for the vulnerability.

object (PackageIssue)

Required. The set of affected locations and their fixes (if available) within the associated resource.

string

Output only. A one sentence description of this vulnerability.

string

Output only. A detailed description of this vulnerability.

object (RelatedUrl)

Output only. URLs related to this vulnerability.

enum (Severity)

The distro assigned severity for this vulnerability when it is available, otherwise this is the note provider assigned severity.

When there are multiple PackageIssues for this vulnerability, they can have different effective severities because some might be provided by the distro while others are provided by the language ecosystem for a language pack. For this reason, it is advised to use the effective severity on the PackageIssue level. In the case where multiple PackageIssues have differing effective severities, this field should be the highest severity for any of the PackageIssues.

boolean

Output only. Whether at least one of the affected packages has a fix available.

enum (CVSSVersion)

Output only. CVSS version used to populate cvssScore and severity.

object (CVSS)

The cvss v2 score for the vulnerability.

object (VexAssessment)

{
  "affectedCpeUri": string,
  "affectedPackage": string,
  "affectedVersion": {
    object (Version)
  },
  "fixedCpeUri": string,
  "fixedPackage": string,
  "fixedVersion": {
    object (Version)
  },
  "fixAvailable": boolean,
  "packageType": string,
  "effectiveSeverity": enum (Severity),
  "fileLocation": [
    {
      object (FileLocation)
    }
  ]
}

string

Required. The CPE URI this vulnerability was found in.

string

Required. The package this vulnerability was found in.

object (Version)

Required. The version of the package that is installed on the resource affected by this vulnerability.

string

The CPE URI this vulnerability was fixed in. It is possible for this to be different from the affectedCpeUri.

string

The package this vulnerability was fixed in. It is possible for this to be different from the affectedPackage.

object (Version)

Required. The version of the package this vulnerability was fixed in. Setting this to VersionKind.MAXIMUM means no fix is yet available.

boolean

Output only. Whether a fix is available for this package.

string

The type of package (e.g. OS, MAVEN, GO).

enum (Severity)

Output only. The distro or language system assigned severity for this vulnerability when that is available and note provider assigned severity when it is not available.

object (FileLocation)

The location at which this package was found.

{
  "filePath": string
}

string

For jars that are contained inside .war files, this filepath can indicate the path to war file combined with the path to jar file.

{
  "cve": string,
  "relatedUris": [
    {
      object (RelatedUrl)
    }
  ],
  "noteName": string,
  "state": enum (State),
  "impacts": [
    string
  ],
  "remediations": [
    {
      object (Remediation)
    }
  ],
  "justification": {
    object (Justification)
  }
}

string

Holds the MITRE standard Common Vulnerabilities and Exposures (CVE) tracking number for the vulnerability.

object (RelatedUrl)

Holds a list of references associated with this vulnerability item and assessment.

string

The VulnerabilityAssessment note from which this VexAssessment was generated. This will be of the form: projects/[PROJECT_ID]/notes/[NOTE_ID].

enum (State)

Provides the state of this Vulnerability assessment.

string

Contains information about the impact of this vulnerability, this will change with time.

object (Remediation)

Specifies details on how to handle (and presumably, fix) a vulnerability.

object (Justification)

Justification provides the justification when the state of the assessment if NOT_AFFECTED.

{
  "provenance": {
    object (BuildProvenance)
  },
  "provenanceBytes": string,
  "intotoProvenance": {
    object (InTotoProvenance)
  },
  "intotoStatement": {
    object (InTotoStatement)
  }
}

object (BuildProvenance)

The actual provenance for the build.

string

Serialized JSON representation of the provenance, used in generating the build signature in the corresponding build note. After verifying the signature, provenanceBytes can be unmarshalled and compared to the provenance to confirm that it is unchanged. A base64-encoded string representation of the provenance bytes is used for the signature in order to interoperate with openssl which expects this format for signature verification.

The serialized form is captured both to avoid ambiguity in how the provenance is marshalled to json as well to prevent incompatibilities with future changes.

object (InTotoProvenance)

Deprecated. See InTotoStatement for the replacement. In-toto Provenance representation as defined in spec.

object (InTotoStatement)

In-toto Statement representation as defined in spec. The intotoStatement can contain any type of provenance. The serialized payload of the statement can be stored and signed in the Occurrence's envelope.

{
  "id": string,
  "projectId": string,
  "commands": [
    {
      object (Command)
    }
  ],
  "builtArtifacts": [
    {
      object (Artifact)
    }
  ],
  "createTime": string,
  "startTime": string,
  "endTime": string,
  "creator": string,
  "logsUri": string,
  "sourceProvenance": {
    object (Source)
  },
  "triggerId": string,
  "buildOptions": {
    string: string,
    ...
  },
  "builderVersion": string
}

string

Required. Unique identifier of the build.

string

ID of the project.

object (Command)

Commands requested by the build.

object (Artifact)

Output of the build.

string (Timestamp format)

Time at which the build was created.

A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

string (Timestamp format)

Time at which execution of the build was started.

A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

string (Timestamp format)

Time at which execution of the build was finished.

A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

string

E-mail address of the user who initiated this build. Note that this was the user's e-mail address at the time the build was initiated; this address may not represent the same end-user for all time.

string

URI where any logs for this provenance were written.

object (Source)

Details of the Source input to the build.

string

Trigger identifier if the build was triggered automatically; empty if not.

map (key: string, value: string)

Special options applied to this build. This is a catch-all field where build providers can enter any desired additional details.

An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.

string

Version string of the builder at the time this build was executed.

{
  "name": string,
  "env": [
    string
  ],
  "args": [
    string
  ],
  "dir": string,
  "id": string,
  "waitFor": [
    string
  ]
}

string

Required. Name of the command, as presented on the command line, or if the command is packaged as a Docker container, as presented to docker pull.

string

Environment variables set before running this command.

string

Command-line arguments used when executing this command.

string

Working directory (relative to project source root) used when running this command.

string

Optional unique identifier for this command, used in waitFor to reference this command as a dependency.

string

The ID(s) of the command(s) that this command depends on.

{
  "checksum": string,
  "id": string,
  "names": [
    string
  ]
}

string

Hash or checksum value of a binary, or Docker Registry 2.0 digest of a container.

string

Artifact ID, if any; for container images, this will be a URL by digest like gcr.io/projectID/imagename@sha256:123456.

string

Related artifact names. This may be the path to a binary or jar file, or in the case of a container build, the name used to push the container image to Google Container Registry, as presented to docker push. Note that a single Artifact ID can have multiple names, for example if two tags are applied to one image.

{
  "artifactStorageSourceUri": string,
  "fileHashes": {
    string: {
      object (FileHashes)
    },
    ...
  },
  "context": {
    object (SourceContext)
  },
  "additionalContexts": [
    {
      object (SourceContext)
    }
  ]
}

string

If provided, the input binary artifacts for the build came from this location.

map (key: string, value: object (FileHashes))

Hash(es) of the build source, which can be used to verify that the original source integrity was maintained in the build.

The keys to this map are file paths used as build source and the values contain the hash values for those files.

If the build source came in a single package such as a gzipped tarfile (.tar.gz), the FileHash will be for the single path to that file.

An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.

object (SourceContext)

If provided, the source code used for the build came from this location.

object (SourceContext)

If provided, some of the source code used for the build may be found in these locations, in the case where the source repository had multiple remotes or submodules. This list will not include the context specified in the context field.

{
  "fileHash": [
    {
      object (Hash)
    }
  ]
}

object (Hash)

Required. Collection of file hashes.

{
  "type": string,
  "value": string
}

string

Required. The type of hash that was performed, e.g. "SHA-256".

string (bytes format)

Required. The hash value.

A base64-encoded string.

{
  "labels": {
    string: string,
    ...
  },

  // Union field context can be only one of the following:
  "cloudRepo": {
    object (CloudRepoSourceContext)
  },
  "gerrit": {
    object (GerritSourceContext)
  },
  "git": {
    object (GitSourceContext)
  }
  // End of list of possible types for union field context.
}

map (key: string, value: string)

Labels with user defined metadata.

An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.

object (CloudRepoSourceContext)

A SourceContext referring to a revision in a Google Cloud Source Repo.

object (GerritSourceContext)

A SourceContext referring to a Gerrit project.

object (GitSourceContext)

A SourceContext referring to any third party Git repo (e.g., GitHub).

{
  "repoId": {
    object (RepoId)
  },

  // Union field revision can be only one of the following:
  "revisionId": string,
  "aliasContext": {
    object (AliasContext)
  }
  // End of list of possible types for union field revision.
}

object (RepoId)

The ID of the repo.

string

A revision ID.

object (AliasContext)

An alias, which may be a branch or tag.

{

  // Union field id can be only one of the following:
  "projectRepoId": {
    object (ProjectRepoId)
  },
  "uid": string
  // End of list of possible types for union field id.
}

object (ProjectRepoId)

A combination of a project ID and a repo name.

string

A server-assigned, globally unique identifier.

{
  "projectId": string,
  "repoName": string
}

string

The ID of the project.

string

The name of the repo. Leave empty for the default repo.

{
  "kind": enum (Kind),
  "name": string
}

enum (Kind)

The alias kind.

string

The alias name.

{
  "hostUri": string,
  "gerritProject": string,

  // Union field revision can be only one of the following:
  "revisionId": string,
  "aliasContext": {
    object (AliasContext)
  }
  // End of list of possible types for union field revision.
}

string

The URI of a running Gerrit instance.

string

The full project name within the host. Projects may be nested, so "project/subproject" is a valid project name. The "repo name" is the hostURI/project.

string

A revision (commit) ID.

object (AliasContext)

An alias, which may be a branch or tag.

{
  "url": string,
  "revisionId": string
}

string

Git repository URL.

string

Git commit hash.

{
  "builderConfig": {
    object (BuilderConfig)
  },
  "recipe": {
    object (Recipe)
  },
  "metadata": {
    object (Metadata)
  },
  "materials": [
    string
  ]
}

object (BuilderConfig)

required

object (Recipe)

Identifies the configuration used for the build. When combined with materials, this SHOULD fully describe the build, such that re-running this recipe results in bit-for-bit identical output (if the build is reproducible). required

object (Metadata)

string

The collection of artifacts that influenced the build including sources, dependencies, build tools, base images, and so on. This is considered to be incomplete unless metadata.completeness.materials is true. Unset or null is equivalent to empty.

{
  "id": string
}

string

{
  "type": string,
  "definedInMaterial": string,
  "entryPoint": string,
  "arguments": [
    {
      "@type": string,
      field1: ...,
      ...
    }
  ],
  "environment": [
    {
      "@type": string,
      field1: ...,
      ...
    }
  ]
}

string

URI indicating what type of recipe was performed. It determines the meaning of recipe.entryPoint, recipe.arguments, recipe.environment, and materials.

string (int64 format)

Index in materials containing the recipe steps that are not implied by recipe.type. For example, if the recipe type were "make", then this would point to the source containing the Makefile, not the make program itself. Set to -1 if the recipe doesn't come from a material, as zero is default unset value for int64.

string

String identifying the entry point into the build. This is often a path to a configuration file and/or a target label within that file. The syntax and meaning are defined by recipe.type. For example, if the recipe type were "make", then this would reference the directory in which to run make as well as which target to use.

object

Collection of all external inputs that influenced the build on top of recipe.definedInMaterial and recipe.entryPoint. For example, if the recipe type were "make", then this might be the flags passed to make aside from the target, which is captured in recipe.entryPoint. Since the arguments field can greatly vary in structure, depending on the builder and recipe type, this is of form "Any".

An object containing fields of an arbitrary type. An additional field "@type" contains a URI identifying the type. Example: { "id": 1234, "@type": "types.example.com/standard/id" }.

object

Any other builder-controlled inputs necessary for correctly evaluating the recipe. Usually only needed for reproducing the build but not evaluated as part of policy. Since the environment field can greatly vary in structure, depending on the builder and recipe type, this is of form "Any".

An object containing fields of an arbitrary type. An additional field "@type" contains a URI identifying the type. Example: { "id": 1234, "@type": "types.example.com/standard/id" }.

{
  "buildInvocationId": string,
  "buildStartedOn": string,
  "buildFinishedOn": string,
  "completeness": {
    object (Completeness)
  },
  "reproducible": boolean
}

string

Identifies the particular build invocation, which can be useful for finding associated logs or other ad-hoc analysis. The value SHOULD be globally unique, per in-toto Provenance spec.

string (Timestamp format)

The timestamp of when the build started.

A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

string (Timestamp format)

The timestamp of when the build completed.

A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

object (Completeness)

Indicates that the builder claims certain fields in this message to be complete.

boolean

If true, the builder claims that running the recipe on materials will produce bit-for-bit identical output.

{
  "arguments": boolean,
  "environment": boolean,
  "materials": boolean
}

boolean

If true, the builder claims that recipe.arguments is complete, meaning that all external inputs are properly captured in the recipe.

boolean

If true, the builder claims that recipe.environment is claimed to be complete.

boolean

If true, the builder claims that materials are complete, usually through some controls to prevent network access. Sometimes called "hermetic".

{
  "_type": string,
  "subject": [
    {
      object (Subject)
    }
  ],
  "predicateType": string,

  // Union field predicate can be only one of the following:
  "provenance": {
    object (InTotoProvenance)
  },
  "slsaProvenance": {
    object (SlsaProvenance)
  },
  "slsaProvenanceZeroTwo": {
    object (SlsaProvenanceZeroTwo)
  }
  // End of list of possible types for union field predicate.
}

string

Always https://in-toto.io/Statement/v0.1.

object (Subject)

string

https://slsa.dev/provenance/v0.1 for SlsaProvenance.

object (InTotoProvenance)

object (SlsaProvenance)

object (SlsaProvenanceZeroTwo)

{
  "name": string,
  "digest": {
    string: string,
    ...
  }
}

string

map (key: string, value: string)

"<ALGORITHM>": "<HEX_VALUE>" Algorithms can be e.g. sha256, sha512 See https://github.com/in-toto/attestation/blob/main/spec/field_types.md#DigestSet

An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.

{
  "builder": {
    object (SlsaBuilder)
  },
  "recipe": {
    object (SlsaRecipe)
  },
  "metadata": {
    object (SlsaMetadata)
  },
  "materials": [
    {
      object (Material)
    }
  ]
}

object (SlsaBuilder)

required

object (SlsaRecipe)

Identifies the configuration used for the build. When combined with materials, this SHOULD fully describe the build, such that re-running this recipe results in bit-for-bit identical output (if the build is reproducible). required

object (SlsaMetadata)

object (Material)

The collection of artifacts that influenced the build including sources, dependencies, build tools, base images, and so on. This is considered to be incomplete unless metadata.completeness.materials is true. Unset or null is equivalent to empty.

{
  "id": string
}

string

{
  "type": string,
  "definedInMaterial": string,
  "entryPoint": string,
  "arguments": {
    "@type": string,
    field1: ...,
    ...
  },
  "environment": {
    "@type": string,
    field1: ...,
    ...
  }
}

string

URI indicating what type of recipe was performed. It determines the meaning of recipe.entryPoint, recipe.arguments, recipe.environment, and materials.

string (int64 format)

Index in materials containing the recipe steps that are not implied by recipe.type. For example, if the recipe type were "make", then this would point to the source containing the Makefile, not the make program itself. Set to -1 if the recipe doesn't come from a material, as zero is default unset value for int64.

string

String identifying the entry point into the build. This is often a path to a configuration file and/or a target label within that file. The syntax and meaning are defined by recipe.type. For example, if the recipe type were "make", then this would reference the directory in which to run make as well as which target to use.

object

Collection of all external inputs that influenced the build on top of recipe.definedInMaterial and recipe.entryPoint. For example, if the recipe type were "make", then this might be the flags passed to make aside from the target, which is captured in recipe.entryPoint. Depending on the recipe Type, the structure may be different.

An object containing fields of an arbitrary type. An additional field "@type" contains a URI identifying the type. Example: { "id": 1234, "@type": "types.example.com/standard/id" }.

object

Any other builder-controlled inputs necessary for correctly evaluating the recipe. Usually only needed for reproducing the build but not evaluated as part of policy. Depending on the recipe Type, the structure may be different.

An object containing fields of an arbitrary type. An additional field "@type" contains a URI identifying the type. Example: { "id": 1234, "@type": "types.example.com/standard/id" }.

{
  "buildInvocationId": string,
  "buildStartedOn": string,
  "buildFinishedOn": string,
  "completeness": {
    object (SlsaCompleteness)
  },
  "reproducible": boolean
}

string

Identifies the particular build invocation, which can be useful for finding associated logs or other ad-hoc analysis. The value SHOULD be globally unique, per in-toto Provenance spec.

string (Timestamp format)

The timestamp of when the build started.

A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

string (Timestamp format)

The timestamp of when the build completed.

A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

object (SlsaCompleteness)

Indicates that the builder claims certain fields in this message to be complete.

boolean

If true, the builder claims that running the recipe on materials will produce bit-for-bit identical output.

{
  "arguments": boolean,
  "environment": boolean,
  "materials": boolean
}

boolean

If true, the builder claims that recipe.arguments is complete, meaning that all external inputs are properly captured in the recipe.

boolean

If true, the builder claims that recipe.environment is claimed to be complete.

boolean

If true, the builder claims that materials are complete, usually through some controls to prevent network access. Sometimes called "hermetic".

{
  "uri": string,
  "digest": {
    string: string,
    ...
  }
}

string

map (key: string, value: string)

An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.

{
  "builder": {
    object (SlsaBuilder)
  },
  "buildType": string,
  "invocation": {
    object (SlsaInvocation)
  },
  "buildConfig": {
    object
  },
  "metadata": {
    object (SlsaMetadata)
  },
  "materials": [
    {
      object (SlsaMaterial)
    }
  ]
}

object (SlsaBuilder)

string

object (SlsaInvocation)

object (Struct format)

object (SlsaMetadata)

object (SlsaMaterial)

{
  "id": string
}

string

{
  "configSource": {
    object (SlsaConfigSource)
  },
  "parameters": {
    object
  },
  "environment": {
    object
  }
}

object (SlsaConfigSource)

object (Struct format)

object (Struct format)

{
  "uri": string,
  "digest": {
    string: string,
    ...
  },
  "entryPoint": string
}

string

map (key: string, value: string)

An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.

string

{
  "buildInvocationId": string,
  "buildStartedOn": string,
  "buildFinishedOn": string,
  "completeness": {
    object (SlsaCompleteness)
  },
  "reproducible": boolean
}

string

string (Timestamp format)

A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

string (Timestamp format)

A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

object (SlsaCompleteness)

boolean

{
  "parameters": boolean,
  "environment": boolean,
  "materials": boolean
}

boolean

boolean

boolean

{
  "uri": string,
  "digest": {
    string: string,
    ...
  }
}

string

map (key: string, value: string)

An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.

{
  "fingerprint": {
    object (Fingerprint)
  },
  "distance": integer,
  "layerInfo": [
    {
      object (Layer)
    }
  ],
  "baseResourceUrl": string
}

object (Fingerprint)

Required. The fingerprint of the derived image.

integer

Output only. The number of layers by which this image differs from the associated image basis.

object (Layer)

This contains layer-specific metadata, if populated it has length "distance" and is ordered with [distance] being the layer immediately following the base image and [1] being the final layer.

string

Output only. This contains the base image URL for the derived image occurrence.

{
  "directive": string,
  "arguments": string
}

string

Required. The recovered Dockerfile directive used to construct this layer. See https://docs.docker.com/engine/reference/builder/ for more information.

string

The recovered arguments to the Dockerfile directive.

{
  "name": string,
  "location": [
    {
      object (Location)
    }
  ],
  "packageType": string,
  "cpeUri": string,
  "architecture": enum (Architecture),
  "license": {
    object (License)
  },
  "version": {
    object (Version)
  }
}

string

Required. Output only. The name of the installed package.

object (Location)

All of the places within the filesystem versions of this package have been found.

string

Output only. The type of package; whether native or non native (e.g., ruby gems, node.js packages, etc.).

string

Output only. The cpeUri in CPE format denoting the package manager version distributing a package. The cpeUri will be blank for language packages.

enum (Architecture)

Output only. The CPU architecture for which packages in this distribution channel were built. Architecture will be blank for language packages.

object (License)

Licenses that have been declared by the authors of the package.

object (Version)

Output only. The version of the package.

{
  "cpeUri": string,
  "version": {
    object (Version)
  },
  "path": string
}

string

Deprecated. The CPE URI in CPE format

object (Version)

Deprecated. The version installed at this location.

string

The path from which we gathered that this package/version is installed.

{
  "userEmail": string,
  "deployTime": string,
  "undeployTime": string,
  "config": string,
  "address": string,
  "resourceUri": [
    string
  ],
  "platform": enum (Platform)
}

string

Identity of the user that triggered this deployment.

string (Timestamp format)

Required. Beginning of the lifetime of this deployment.

A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

string (Timestamp format)

End of the lifetime of this deployment.

A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

string

Configuration used to create this deployment.

string

Address of the runtime element hosting this deployment.

string

Output only. Resource URI for the artifact being deployed taken from the deployable field with the same name.

enum (Platform)

Platform hosting this deployment.

{
  "continuousAnalysis": enum (ContinuousAnalysis),
  "analysisStatus": enum (AnalysisStatus),
  "analysisCompleted": {
    object (AnalysisCompleted)
  },
  "analysisError": [
    {
      object (Status)
    }
  ],
  "analysisStatusError": {
    object (Status)
  },
  "cpe": string,
  "lastScanTime": string,
  "archiveTime": string
}

enum (ContinuousAnalysis)

Whether the resource is continuously analyzed.

enum (AnalysisStatus)

The status of discovery for the resource.

object (AnalysisCompleted)

object (Status)

Indicates any errors encountered during analysis of a resource. There could be 0 or more of these errors.

object (Status)

When an error is encountered this will contain a LocalizedMessage under details to show to the user. The LocalizedMessage is output only and populated by the API.

string

The CPE of the resource being scanned.

string (Timestamp format)

The last time this resource was scanned.

A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

string (Timestamp format)

Output only. The time occurrences related to this discovery occurrence were archived.

A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

{
  "analysisType": [
    string
  ]
}

string

{
  "serializedPayload": string,
  "signatures": [
    {
      object (Signature)
    }
  ],
  "jwts": [
    {
      object (Jwt)
    }
  ]
}

string (bytes format)

Required. The serialized payload that is verified by one or more signatures.

A base64-encoded string.

object (Signature)

One or more signatures over serializedPayload. Verifier implementations should consider this attestation message verified if at least one signature verifies serializedPayload. See Signature in common.proto for more details on signature structure and verification.

object (Jwt)

One or more JWTs encoding a self-contained attestation. Each JWT encodes the payload that it verifies within the JWT itself. Verifier implementation SHOULD ignore the serializedPayload field when verifying these JWTs. If only JWTs are present on this AttestationOccurrence, then the serializedPayload SHOULD be left empty. Each JWT SHOULD encode a claim specific to the resourceUri of this Occurrence, but this is not validated by Grafeas metadata API implementations. The JWT itself is opaque to Grafeas.

{
  "signature": string,
  "publicKeyId": string
}

string (bytes format)

The content of the signature, an opaque bytestring. The payload that this signature verifies MUST be unambiguously provided with the Signature during verification. A wrapper message might provide the payload explicitly. Alternatively, a message might have a canonical serialization that can always be unambiguously computed to derive the payload.

A base64-encoded string.

string

The identifier for the public key that verifies this signature. * The publicKeyId is required. * The publicKeyId SHOULD be an RFC3986 conformant URI. * When possible, the publicKeyId SHOULD be an immutable reference, such as a cryptographic digest.

Examples of valid publicKeyIds:

OpenPGP V4 public key fingerprint: * "openpgp4fpr:74FAF3B861BDA0870C7B6DEF607E48D2A663AEEA" See https://www.iana.org/assignments/uri-schemes/prov/openpgp4fpr for more details on this scheme.

RFC6920 digest-named SubjectPublicKeyInfo (digest of the DER serialization): * "ni:///sha-256;cD9o9Cq6LG3jD0iKXqEi_vdjJGecm_iXkbqVoScViaU" * "nih:///sha-256;703f68f42aba2c6de30f488a5ea122fef76324679c9bf89791ba95a1271589a5"

{
  "compactJwt": string
}

string

The compact encoding of a JWS, which is always three base64 encoded strings joined by periods. For details, see: https://tools.ietf.org/html/rfc7515.html#section-3.1

{
  "package": string,
  "parsedVersion": {
    object (Version)
  },
  "distribution": {
    object (UpgradeDistribution)
  },
  "windowsUpdate": {
    object (WindowsUpdate)
  }
}

string

Required for non-Windows OS. The package this Upgrade is for.

object (Version)

Required for non-Windows OS. The version of the package in a machine + human readable form.

object (UpgradeDistribution)

Metadata about the upgrade for available for the specific operating system for the resourceUrl. This allows efficient filtering, as well as making it easier to use the occurrence.

object (WindowsUpdate)

Required for Windows OS. Represents the metadata about the Windows update.

{
  "nonCompliantFiles": [
    {
      object (NonCompliantFile)
    }
  ],
  "nonComplianceReason": string
}

object (NonCompliantFile)

string

{
  "path": string,
  "displayCommand": string,
  "reason": string
}

string

Empty if displayCommand is set.

string

Command to display the non-compliant files.

string

Explains why a file is non compliant for a CIS check.

{
  "envelope": {
    object (Envelope)
  },

  // Union field decoded_payload can be only one of the following:
  "statement": {
    object (InTotoStatement)
  }
  // End of list of possible types for union field decoded_payload.
}

object (Envelope)

If doing something security critical, make sure to verify the signatures in this metadata.

object (InTotoStatement)

{
  "payload": string,
  "payloadType": string,
  "signatures": [
    {
      object (EnvelopeSignature)
    }
  ]
}

string (bytes format)

A base64-encoded string.

string

object (EnvelopeSignature)

{
  "sig": string,
  "keyid": string
}

string (bytes format)

A base64-encoded string.

string

{
  "payload": {
    object (SbomReferenceIntotoPayload)
  },
  "payloadType": string,
  "signatures": [
    {
      object (EnvelopeSignature)
    }
  ]
}

object (SbomReferenceIntotoPayload)

The actual payload that contains the SBOM reference data.

string

The kind of payload that SbomReferenceIntotoPayload takes. Since it's in the intoto format, this value is expected to be 'application/vnd.in-toto+json'.

object (EnvelopeSignature)

The signatures over the payload.

{
  "_type": string,
  "predicateType": string,
  "subject": [
    {
      object (Subject)
    }
  ],
  "predicate": {
    object (SbomReferenceIntotoPredicate)
  }
}

string

Identifier for the schema of the Statement.

string

URI identifying the type of the Predicate.

object (Subject)

Set of software artifacts that the attestation applies to. Each element represents a single software artifact.

object (SbomReferenceIntotoPredicate)

Additional parameters of the Predicate. Includes the actual data about the SBOM.

{
  "referrerId": string,
  "location": string,
  "mimeType": string,
  "digest": {
    string: string,
    ...
  }
}

string

The person or system referring this predicate to the consumer.

string

The location of the SBOM.

string

The mime type of the SBOM.

map (key: string, value: string)

A map of algorithm to digest of the contents of the SBOM.

An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.