REST Resource: projects.locations.notes

Resource: Note

A type of analysis that can be done for a resource.

JSON representation 
{
  "name": string,
  "shortDescription": string,
  "longDescription": string,
  "kind": enum (NoteKind),
  "relatedUrl": [
    {
      object (RelatedUrl)
    }
  ],
  "expirationTime": string,
  "createTime": string,
  "updateTime": string,
  "relatedNoteNames": [
    string
  ],

  // Union field type can be only one of the following:
  "vulnerability": {
    object (Vulnerability)
  },
  "build": {
    object (Build)
  },
  "baseImage": {
    object (Basis)
  },
  "package": {
    object (Package)
  },
  "deployable": {
    object (Deployable)
  },
  "discovery": {
    object (Discovery)
  },
  "attestationAuthority": {
    object (Authority)
  },
  "intoto": {
    object (InToto)
  },
  "sbom": {
    object (DocumentNote)
  },
  "spdxPackage": {
    object (PackageInfoNote)
  },
  "spdxFile": {
    object (FileNote)
  },
  "spdxRelationship": {
    object (RelationshipNote)
  },
  "vulnerabilityAssessment": {
    object (VulnerabilityAssessmentNote)
  },
  "sbomReference": {
    object (SBOMReferenceNote)
  }
  // End of list of possible types for union field type.
}
Fields
name

string

Output only. The name of the note in the form of projects/[PROVIDER_ID]/notes/[NOTE_ID].
shortDescription

string

A one sentence description of this note.
longDescription

string

A detailed description of this note.
kind

enum (NoteKind)

Output only. The type of analysis. This field can be used as a filter in list requests.
relatedUrl[]

object (RelatedUrl)

URLs associated with this note.
expirationTime

string (Timestamp format)

Time of expiration for this note. Empty if note does not expire.

A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".
createTime

string (Timestamp format)

Output only. The time this note was created. This field can be used as a filter in list requests.

A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".
updateTime

string (Timestamp format)

Output only. The time this note was last updated. This field can be used as a filter in list requests.

A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".
relatedNoteNames[]

string

Other notes related to this note.
Union field type. Required. Immutable. The type of analysis this note represents. type can be only one of the following:
vulnerability

object (Vulnerability)

A note describing a package vulnerability.
build

object (Build)

A note describing build provenance for a verifiable build.
baseImage

object (Basis)

A note describing a base image.
package

object (Package)

A note describing a package hosted by various package managers.
deployable

object (Deployable)

A note describing something that can be deployed.
discovery

object (Discovery)

A note describing the initial analysis of a resource.
attestationAuthority

object (Authority)

A note describing an attestation role.
intoto

object (InToto)

A note describing an in-toto link.
sbom

object (DocumentNote)

A note describing a software bill of materials.
spdxPackage

object (PackageInfoNote)

A note describing an SPDX Package.
spdxFile

object (FileNote)

A note describing an SPDX File.
spdxRelationship

object (RelationshipNote)

A note describing an SPDX File.
vulnerabilityAssessment

object (VulnerabilityAssessmentNote)

A note describing a vulnerability assessment.
sbomReference

object (SBOMReferenceNote)

A note describing an SBOM reference.

Vulnerability

Vulnerability provides metadata about a security vulnerability in a Note.

JSON representation 
{
  "cvssScore": number,
  "severity": enum (Severity),
  "details": [
    {
      object (Detail)
    }
  ],
  "cvssV3": {
    object (CVSSv3)
  },
  "windowsDetails": [
    {
      object (WindowsDetail)
    }
  ],
  "sourceUpdateTime": string,
  "cvssV2": {
    object (CVSS)
  },
  "cwe": [
    string
  ],
  "cvssVersion": enum (CVSSVersion)
}
Fields
cvssScore

number

The CVSS score for this vulnerability.
severity

enum (Severity)

Note provider assigned impact of the vulnerability.
details[]

object (Detail)

All information about the package to specifically identify this vulnerability. One entry per (version range and cpeUri) the package vulnerability has manifested in.
cvssV3

object (CVSSv3)

The full description of the CVSS for version 3.
windowsDetails[]

object (WindowsDetail)

Windows details get their own format because the information format and model don't match a normal detail. Specifically Windows updates are done as patches, thus Windows vulnerabilities really are a missing package, rather than a package being at an incorrect version.
sourceUpdateTime

string (Timestamp format)

The time this information was last changed at the source. This is an upstream timestamp from the underlying information source - e.g. Ubuntu security tracker.

A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".
cvssV2

object (CVSS)

The full description of the CVSS for version 2.
cwe[]

string

A list of CWE for this vulnerability. For details, see: https://cwe.mitre.org/index.html
cvssVersion

enum (CVSSVersion)

CVSS version used to populate cvssScore and severity.

Detail

Identifies all appearances of this vulnerability in the package for a specific distro/location. For example: glibc in cpe:/o:debian:debian_linux:8 for versions 2.1 - 2.2

JSON representation 
{
  "cpeUri": string,
  "package": string,
  "minAffectedVersion": {
    object (Version)
  },
  "maxAffectedVersion": {
    object (Version)
  },
  "severityName": string,
  "description": string,
  "fixedLocation": {
    object (VulnerabilityLocation)
  },
  "packageType": string,
  "isObsolete": boolean,
  "sourceUpdateTime": string,
  "source": string,
  "vendor": string
}
Fields
cpeUri

string

Required. The CPE URI in cpe format in which the vulnerability manifests. Examples include distro or storage location for vulnerable jar.
package

string

Required. The name of the package where the vulnerability was found.
minAffectedVersion

object (Version)

The min version of the package in which the vulnerability exists.
maxAffectedVersion

object (Version)

The max version of the package in which the vulnerability exists.
severityName

string

The severity (eg: distro assigned severity) for this vulnerability.
description

string

A vendor-specific description of this note.
fixedLocation

object (VulnerabilityLocation)

The fix for this specific package version.
packageType

string

The type of package; whether native or non native(ruby gems, node.js packages etc).
isObsolete

boolean

Whether this detail is obsolete. Occurrences are expected not to point to obsolete details.
sourceUpdateTime

string (Timestamp format)

The time this information was last changed at the source. This is an upstream timestamp from the underlying information source - e.g. Ubuntu security tracker.

A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".
source

string

The source from which the information in this Detail was obtained.
vendor

string

The name of the vendor of the product.

CVSSv3

Deprecated. Common Vulnerability Scoring System version 3. For details, see https://www.first.org/cvss/specification-document

JSON representation 
{
  "baseScore": number,
  "exploitabilityScore": number,
  "impactScore": number,
  "attackVector": enum (AttackVector),
  "attackComplexity": enum (AttackComplexity),
  "privilegesRequired": enum (PrivilegesRequired),
  "userInteraction": enum (UserInteraction),
  "scope": enum (Scope),
  "confidentialityImpact": enum (Impact),
  "integrityImpact": enum (Impact),
  "availabilityImpact": enum (Impact)
}
Fields
baseScore

number

The base score is a function of the base metric scores.
exploitabilityScore

number
impactScore

number
attackVector

enum (AttackVector)

Base Metrics Represents the intrinsic characteristics of a vulnerability that are constant over time and across user environments.
attackComplexity

enum (AttackComplexity)
privilegesRequired

enum (PrivilegesRequired)
userInteraction

enum (UserInteraction)
scope

enum (Scope)
confidentialityImpact

enum (Impact)
integrityImpact

enum (Impact)
availabilityImpact

enum (Impact)

AttackVector

Enums
ATTACK_VECTOR_UNSPECIFIED
ATTACK_VECTOR_NETWORK
ATTACK_VECTOR_ADJACENT
ATTACK_VECTOR_LOCAL
ATTACK_VECTOR_PHYSICAL

AttackComplexity

Enums
ATTACK_COMPLEXITY_UNSPECIFIED
ATTACK_COMPLEXITY_LOW
ATTACK_COMPLEXITY_HIGH

PrivilegesRequired

Enums
PRIVILEGES_REQUIRED_UNSPECIFIED
PRIVILEGES_REQUIRED_NONE
PRIVILEGES_REQUIRED_LOW
PRIVILEGES_REQUIRED_HIGH

UserInteraction

Enums
USER_INTERACTION_UNSPECIFIED
USER_INTERACTION_NONE
USER_INTERACTION_REQUIRED

Scope

Enums
SCOPE_UNSPECIFIED
SCOPE_UNCHANGED
SCOPE_CHANGED

Impact

Enums
IMPACT_UNSPECIFIED
IMPACT_HIGH
IMPACT_LOW
IMPACT_NONE

WindowsDetail

JSON representation 
{
  "cpeUri": string,
  "name": string,
  "description": string,
  "fixingKbs": [
    {
      object (KnowledgeBase)
    }
  ]
}
Fields
cpeUri

string

Required. The CPE URI in cpe format in which the vulnerability manifests. Examples include distro or storage location for vulnerable jar.
name

string

Required. The name of the vulnerability.
description

string

The description of the vulnerability.
fixingKbs[]

object (KnowledgeBase)

Required. The names of the KBs which have hotfixes to mitigate this vulnerability. Note that there may be multiple hotfixes (and thus multiple KBs) that mitigate a given vulnerability. Currently any listed kb's presence is considered a fix.

KnowledgeBase

JSON representation 
{
  "name": string,
  "url": string
}
Fields
name

string

The KB name (generally of the form KB[0-9]+ i.e. KB123456).
url

string

A link to the KB in the Windows update catalog - https://www.catalog.update.microsoft.com/

Build

Note holding the version of the provider's builder and the signature of the provenance message in the build details occurrence.

JSON representation 
{
  "builderVersion": string,
  "signature": {
    object (BuildSignature)
  }
}
Fields
builderVersion

string

Required. Immutable. Version of the builder which produced this build.
signature

object (BuildSignature)

Signature of the build in occurrences pointing to this build note containing build details.

BuildSignature

Message encapsulating the signature of the verified build.

JSON representation 
{
  "publicKey": string,
  "signature": string,
  "keyId": string,
  "keyType": enum (KeyType)
}
Fields
publicKey

string

Public key of the builder which can be used to verify that the related findings are valid and unchanged. If keyType is empty, this defaults to PEM encoded public keys.

This field may be empty if keyId references an external key.

For Cloud Build based signatures, this is a PEM encoded public key. To verify the Cloud Build signature, place the contents of this field into a file (public.pem). The signature field is base64-decoded into its binary representation in signature.bin, and the provenance bytes from BuildDetails are base64-decoded into a binary representation in signed.bin. OpenSSL can then verify the signature: openssl sha256 -verify public.pem -signature signature.bin signed.bin
signature

string (bytes format)

Required. Signature of the related BuildProvenance. In JSON, this is base-64 encoded.

A base64-encoded string.
keyId

string

An ID for the key used to sign. This could be either an ID for the key stored in publicKey (such as the ID or fingerprint for a PGP key, or the CN for a cert), or a reference to an external key (such as a reference to a key in Cloud Key Management Service).
keyType

enum (KeyType)

The type of the key, either stored in publicKey or referenced in keyId.

KeyType

Public key formats.

Enums
KEY_TYPE_UNSPECIFIED KeyType is not set.
PGP_ASCII_ARMORED PGP ASCII Armored public key.
PKIX_PEM PKIX PEM public key.

Basis

Basis describes the base image portion (Note) of the DockerImage relationship. Linked occurrences are derived from this or an equivalent image via: FROM <Basis.resource_url> Or an equivalent reference, e.g. a tag of the resourceUrl.

JSON representation 
{
  "resourceUrl": string,
  "fingerprint": {
    object (Fingerprint)
  }
}
Fields
resourceUrl

string

Required. Immutable. The resourceUrl for the resource representing the basis of associated occurrence images.
fingerprint

object (Fingerprint)

Required. Immutable. The fingerprint of the base image.

Package

Package represents a particular package version.

JSON representation 
{
  "name": string,
  "distribution": [
    {
      object (Distribution)
    }
  ],
  "packageType": string,
  "cpeUri": string,
  "architecture": enum (Architecture),
  "version": {
    object (Version)
  },
  "maintainer": string,
  "url": string,
  "description": string,
  "license": {
    object (License)
  },
  "digest": [
    {
      object (Digest)
    }
  ]
}
Fields
name

string

Required. Immutable. The name of the package.
distribution[]

object (Distribution)

The various channels by which a package is distributed.
packageType

string

The type of package; whether native or non native (e.g., ruby gems, node.js packages, etc.).
cpeUri

string

The cpeUri in CPE format denoting the package manager version distributing a package. The cpeUri will be blank for language packages.
architecture

enum (Architecture)

The CPU architecture for which packages in this distribution channel were built. Architecture will be blank for language packages.
version

object (Version)

The version of the package.
maintainer

string

A freeform text denoting the maintainer of this package.
url

string

The homepage for this package.
description

string

The description of this package.
license

object (License)

Licenses that have been declared by the authors of the package.
digest[]

object (Digest)

Hash value, typically a file digest, that allows unique identification a specific package.

Distribution

This represents a particular channel of distribution for a given package. E.g., Debian's jessie-backports dpkg mirror.

JSON representation 
{
  "cpeUri": string,
  "architecture": enum (Architecture),
  "latestVersion": {
    object (Version)
  },
  "maintainer": string,
  "url": string,
  "description": string
}
Fields
cpeUri

string

Required. The cpeUri in CPE format denoting the package manager version distributing a package.
architecture

enum (Architecture)

The CPU architecture for which packages in this distribution channel were built.
latestVersion

object (Version)

The latest available version of this package in this distribution channel.
maintainer

string

A freeform string denoting the maintainer of this package.
url

string

The distribution channel-specific homepage for this package.
description

string

The distribution channel-specific description of this package.

Digest

Digest information.

JSON representation 
{
  "algo": string,
  "digestBytes": string
}
Fields
algo

string

SHA1, SHA512 etc.
digestBytes

string (bytes format)

Value of the digest.

A base64-encoded string.

Deployable

An artifact that can be deployed in some runtime.

JSON representation 
{
  "resourceUri": [
    string
  ]
}
Fields
resourceUri[]

string

Required. Resource URI for the artifact being deployed.

Discovery

A note that indicates a type of analysis a provider would perform. This note exists in a provider's project. A Discovery occurrence is created in a consumer's project at the start of analysis.

JSON representation 
{
  "analysisKind": enum (NoteKind)
}
Fields
analysisKind

enum (NoteKind)

Required. Immutable. The kind of analysis that is handled by this discovery.

Authority

Note kind that represents a logical attestation "role" or "authority". For example, an organization might have one Authority for "QA" and one for "build". This note is intended to act strictly as a grouping mechanism for the attached occurrences (Attestations). This grouping mechanism also provides a security boundary, since IAM ACLs gate the ability for a principle to attach an occurrence to a given note. It also provides a single point of lookup to find all attached attestation occurrences, even if they don't all live in the same project.

JSON representation 
{
  "hint": {
    object (Hint)
  }
}
Fields
hint

object (Hint)

Hint hints at the purpose of the attestation authority.

Hint

This submessage provides human-readable hints about the purpose of the authority. Because the name of a note acts as its resource reference, it is important to disambiguate the canonical name of the Note (which might be a UUID for security purposes) from "readable" names more suitable for debug output. Note that these hints should not be used to look up authorities in security sensitive contexts, such as when looking up attestations to verify.

JSON representation 
{
  "humanReadableName": string
}
Fields
humanReadableName

string

Required. The human readable name of this attestation authority, for example "qa".

InToto

This contains the fields corresponding to the definition of a software supply chain step in an in-toto layout. This information goes into a Grafeas note.

JSON representation 
{
  "stepName": string,
  "signingKeys": [
    {
      object (SigningKey)
    }
  ],
  "expectedMaterials": [
    {
      object (ArtifactRule)
    }
  ],
  "expectedProducts": [
    {
      object (ArtifactRule)
    }
  ],
  "expectedCommand": [
    string
  ],
  "threshold": string
}
Fields
stepName

string

This field identifies the name of the step in the supply chain.
signingKeys[]

object (SigningKey)

This field contains the public keys that can be used to verify the signatures on the step metadata.
expectedMaterials[]

object (ArtifactRule)

The following fields contain in-toto artifact rules identifying the artifacts that enter this supply chain step, and exit the supply chain step, i.e. materials and products of the step.
expectedProducts[]

object (ArtifactRule)
expectedCommand[]

string

This field contains the expected command used to perform the step.
threshold

string (int64 format)

This field contains a value that indicates the minimum number of keys that need to be used to sign the step's in-toto link.

SigningKey

This defines the format used to record keys used in the software supply chain. An in-toto link is attested using one or more keys defined in the in-toto layout. An example of this is: { "keyId": "776a00e29f3559e0141b3b096f696abc6cfb0c657ab40f441132b345b0...", "keyType": "rsa", "publicKeyValue": "-----BEGIN PUBLIC KEY-----\nMIIBojANBgkqhkiG9w0B...", "keyScheme": "rsassa-pss-sha256" } The format for in-toto's key definition can be found in section 4.2 of the in-toto specification.

JSON representation 
{
  "keyId": string,
  "keyType": string,
  "publicKeyValue": string,
  "keyScheme": string
}
Fields
keyId

string

keyId is an identifier for the signing key.
keyType

string

This field identifies the specific signing method. Eg: "rsa", "ed25519", and "ecdsa".
publicKeyValue

string

This field contains the actual public key.
keyScheme

string

This field contains the corresponding signature scheme. Eg: "rsassa-pss-sha256".

ArtifactRule

Defines an object to declare an in-toto artifact rule

JSON representation 
{
  "artifactRule": [
    string
  ]
}
Fields
artifactRule[]

string

DocumentNote

DocumentNote represents an SPDX Document Creation Information section: https://spdx.github.io/spdx-spec/2-document-creation-information/

JSON representation 
{
  "spdxVersion": string,
  "dataLicence": string
}
Fields
spdxVersion

string

Provide a reference number that can be used to understand how to parse and interpret the rest of the file
dataLicence

string

Compliance with the SPDX specification includes populating the SPDX fields therein with data related to such fields ("SPDX-Metadata")

PackageInfoNote

PackageInfoNote represents an SPDX Package Information section: https://spdx.github.io/spdx-spec/3-package-information/

JSON representation 
{
  "title": string,
  "version": string,
  "supplier": string,
  "originator": string,
  "downloadLocation": string,
  "analyzed": boolean,
  "verificationCode": string,
  "checksum": string,
  "homePage": string,
  "filesLicenseInfo": [
    string
  ],
  "licenseDeclared": {
    object (License)
  },
  "copyright": string,
  "summaryDescription": string,
  "detailedDescription": string,
  "externalRefs": [
    {
      object (ExternalRef)
    }
  ],
  "attribution": string,
  "packageType": string
}
Fields
title

string

Identify the full name of the package as given by the Package Originator
version

string

Identify the version of the package
supplier

string

Identify the actual distribution source for the package/directory identified in the SPDX file
originator

string

If the package identified in the SPDX file originated from a different person or organization than identified as Package Supplier, this field identifies from where or whom the package originally came
downloadLocation

string

This section identifies the download Universal Resource Locator (URL), or a specific location within a version control system (VCS) for the package at the time that the SPDX file was created
analyzed

boolean

Indicates whether the file content of this package has been available for or subjected to analysis when creating the SPDX document
verificationCode

string

This field provides an independently reproducible mechanism identifying specific contents of a package based on the actual files (except the SPDX file itself, if it is included in the package) that make up each package and that correlates to the data in this SPDX file
checksum

string

Provide an independently reproducible mechanism that permits unique identification of a specific package that correlates to the data in this SPDX file
homePage

string

Provide a place for the SPDX file creator to record a web site that serves as the package's home page
filesLicenseInfo[]

string

Contain the license the SPDX file creator has concluded as governing the This field is to contain a list of all licenses found in the package. The relationship between licenses (i.e., conjunctive, disjunctive) is not specified in this field – it is simply a listing of all licenses found
licenseDeclared

object (License)

List the licenses that have been declared by the authors of the package
copyright

string

Identify the copyright holders of the package, as well as any dates present
summaryDescription

string

A short description of the package
detailedDescription

string

A more detailed description of the package
externalRefs[]

object (ExternalRef)

ExternalRef
attribution

string

A place for the SPDX data creator to record, at the package level, acknowledgements that may be needed to be communicated in some contexts
packageType

string

The type of package: OS, MAVEN, GO, GO_STDLIB, etc.

ExternalRef

An External Reference allows a Package to reference an external source of additional information, metadata, enumerations, asset identifiers, or downloadable content believed to be relevant to the Package

JSON representation 
{
  "category": enum (Category),
  "type": string,
  "locator": string,
  "comment": string
}
Fields
category

enum (Category)

An External Reference allows a Package to reference an external source of additional information, metadata, enumerations, asset identifiers, or downloadable content believed to be relevant to the Package
type

string

Type of category (e.g. 'npm' for the PACKAGE_MANAGER category)
locator

string

The unique string with no spaces necessary to access the package-specific information, metadata, or content within the target location
comment

string

Human-readable information about the purpose and target of the reference

Category

The category of the external reference

Enums
CATEGORY_UNSPECIFIED Unspecified
SECURITY Security (e.g. cpe22Type, cpe23Type)
PACKAGE_MANAGER Package Manager (e.g. maven-central, npm, nuget, bower, purl)
PERSISTENT_ID Persistent-Id (e.g. swh)
OTHER Other

FileNote

FileNote represents an SPDX File Information section: https://spdx.github.io/spdx-spec/4-file-information/

JSON representation 
{
  "title": string,
  "fileType": enum (FileType),
  "checksum": [
    string
  ]
}
Fields
title

string

Identify the full path and filename that corresponds to the file information in this section
fileType

enum (FileType)

This field provides information about the type of file identified
checksum[]

string

Provide a unique identifier to match analysis information on each specific file in a package

FileType

File Type is intrinsic to the file, independent of how the file is being used

Enums
FILE_TYPE_UNSPECIFIED Unspecified
SOURCE The file is human readable source code (.c, .html, etc.)
BINARY The file is a compiled object, target image or binary executable (.o, .a, etc.)
ARCHIVE The file represents an archive (.tar, .jar, etc.)
APPLICATION The file is associated with a specific application type (MIME type of application/*)
AUDIO The file is associated with an audio file (MIME type of audio/* , e.g. .mp3)
IMAGE The file is associated with an picture image file (MIME type of image/*, e.g., .jpg, .gif)
TEXT The file is human readable text file (MIME type of text/*)
VIDEO The file is associated with a video file type (MIME type of video/*)
DOCUMENTATION The file serves as documentation
SPDX The file is an SPDX document
OTHER The file doesn't fit into the above categories (generated artifacts, data files, etc.)

RelationshipNote

RelationshipNote represents an SPDX Relationship section: https://spdx.github.io/spdx-spec/7-relationships-between-SPDX-elements/

JSON representation 
{
  "type": enum (RelationshipType)
}
Fields
type

enum (RelationshipType)

The type of relationship between the source and target SPDX elements

VulnerabilityAssessmentNote

A single VulnerabilityAssessmentNote represents one particular product's vulnerability assessment for one CVE.

JSON representation 
{
  "title": string,
  "shortDescription": string,
  "longDescription": string,
  "languageCode": string,
  "publisher": {
    object (Publisher)
  },
  "product": {
    object (Product)
  },
  "assessment": {
    object (Assessment)
  }
}
Fields
title

string

The title of the note. E.g. Vex-Debian-11.4
shortDescription

string

A one sentence description of this Vex.
longDescription

string

A detailed description of this Vex.
languageCode

string

Identifies the language used by this document, corresponding to IETF BCP 47 / RFC 5646.
publisher

object (Publisher)

Publisher details of this Note.
product

object (Product)

The product affected by this vex.
assessment

object (Assessment)

Represents a vulnerability assessment for the product.

Publisher

Publisher contains information about the publisher of this Note.

JSON representation 
{
  "name": string,
  "issuingAuthority": string,
  "publisherNamespace": string
}
Fields
name

string

Name of the publisher. Examples: 'Google', 'Google Cloud Platform'.
issuingAuthority

string

Provides information about the authority of the issuing party to release the document, in particular, the party's constituency and responsibilities or other obligations.
publisherNamespace

string

The context or namespace. Contains a URL which is under control of the issuing party and can be used as a globally unique identifier for that issuing party. Example: https://csaf.io

Product

Product contains information about a product and how to uniquely identify it.

JSON representation 
{
  "name": string,
  "id": string,

  // Union field identifier can be only one of the following:
  "genericUri": string
  // End of list of possible types for union field identifier.
}
Fields
name

string

Name of the product.
id

string

Token that identifies a product so that it can be referred to from other parts in the document. There is no predefined format as long as it uniquely identifies a group in the context of the current document.

Union field identifier.

identifier can be only one of the following:
genericUri

string

Contains a URI which is vendor-specific. Example: The artifact repository URL of an image.

Assessment

Assessment provides all information that is related to a single vulnerability for this product.

JSON representation 
{
  "cve": string,
  "vulnerabilityId": string,
  "shortDescription": string,
  "longDescription": string,
  "relatedUris": [
    {
      object (RelatedUrl)
    }
  ],
  "state": enum (State),
  "impacts": [
    string
  ],
  "justification": {
    object (Justification)
  },
  "remediations": [
    {
      object (Remediation)
    }
  ]
}
Fields
cve
(deprecated)

string

Holds the MITRE standard Common Vulnerabilities and Exposures (CVE) tracking number for the vulnerability. Deprecated: Use vulnerabilityId instead to denote CVEs.
vulnerabilityId

string

The vulnerability identifier for this Assessment. Will hold one of common identifiers e.g. CVE, GHSA etc.
shortDescription

string

A one sentence description of this Vex.
longDescription

string

A detailed description of this Vex.
relatedUris[]

object (RelatedUrl)

Holds a list of references associated with this vulnerability item and assessment. These uris have additional information about the vulnerability and the assessment itself. E.g. Link to a document which details how this assessment concluded the state of this vulnerability.
state

enum (State)

Provides the state of this Vulnerability assessment.
impacts[]

string

Contains information about the impact of this vulnerability, this will change with time.
justification

object (Justification)

Justification provides the justification when the state of the assessment if NOT_AFFECTED.
remediations[]

object (Remediation)

Specifies details on how to handle (and presumably, fix) a vulnerability.

SBOMReferenceNote

The note representing an SBOM reference.

JSON representation 
{
  "format": string,
  "version": string
}
Fields
format

string

The format that SBOM takes. E.g. may be spdx, cyclonedx, etc...
version

string

The version of the format that the SBOM takes. E.g. if the format is spdx, the version may be 2.3.

Methods

batchCreate

 Creates new notes in batch.

create

 Creates a new note.

delete

 Deletes the specified note.

get

 Gets the specified note.

getIamPolicy

 Gets the access control policy for a note or an occurrence resource.

list

 Lists notes for the specified project.

patch

 Updates the specified note.

setIamPolicy

 Sets the access control policy on the specified note or occurrence.

testIamPermissions

 Returns the permissions that a caller has on the specified note or occurrence.