# Access metadata using Cloud Storage

Assured OSS provides security metadata for every available package. Each
version of the package has its own metadata. This page explains what information
is provided as part of the metadata and how you can access this metadata.

You can access the security metadata using one of the following options:

- Artifact Analysis API
- Cloud Storage

This page applies to the free tier only.
Security metadata files
-----------------------

The security metadata for each Assured OSS package version is
distributed across the following four files in a Cloud Storage bucket:

- `buildinfo.zip`: This file contains metadata about the build information of a package. This metadata changes only in rare scenarios, such as a rebuild of the package, certificate rotation, or the addition of new fields.
- `vexinfo.zip`: This file contains the vulnerability information for a package in [CycloneDX 1.4](https://cyclonedx.org/docs/1.4/json/) format. It is expected to change whenever there is new information about a vulnerability affecting the package.
- `healthinfo.zip`: This file contains details about the testing performed on a package. It can change if the testing status of a package is modified, for example when new security testing is performed or the coverage result changes.
- `licenseinfo.zip`: This file contains metadata about the license of a package. The license information can change if the publisher of the package modifies it.

Each zip file contains the following two files:

- A JSON file containing the data.
- A `signature.zip` file containing the signature for that data.
JSON file structure
-------------------

The structure of each JSON file is described in the following sections.

**`buildInfo.json`**

- `creationTime`: the time of creation of this document, as an [RFC 3339](https://tools.ietf.org/html/rfc3339) string.
- `creator`: the owner of the document. The following details are provided:
  - `name`: the name of the organization that created this document.
  - `email`: the email address of the organization, for queries or complaints.
- `buildDetails`: the details related to building the binary. The following details are provided:
  - `packageFileName`: the name of the file to which the build details apply.
  - `buildProvenance`: a string representing the build provenance of the package in [SLSA v0.2](https://slsa.dev/provenance/v0.2) format. This is generated by Cloud Build.
  - `envelope`: a string representing a DSSE envelope that can be used to verify the integrity of the provenance document. This is also generated by Cloud Build.
  - `slsaLevel`: the SLSA level that the build system adheres to.
  - `buildTool`: the name of the tool used to build the package, which is Cloud Build. For more information, see [Cloud Build](/build/docs).
  - `transitiveClosureState`: an enum indicating whether all the build dependencies of the package (direct or indirect) are also present in the Assured OSS portfolio. It can have two values:
    - `OPEN`: none or only some of the transitive dependencies are supported by Assured OSS.
    - `CLOSED`: all transitive dependencies are supported by Assured OSS.
- `sourceInfo`: information about the source code that was used to build the package. The following details are provided:
  - `sourceUrl`: the GitHub URL string.
  - `commitHash`: the commit hash string attached to the release.
  - `tag`: the release tag associated with the package version.
  - `host`: the name of the system that hosts the source code in GitHub.
  - `commitTime`: the time of the commit, as an [RFC 3339](https://tools.ietf.org/html/rfc3339) string.
- `sbom`: the SBOM string in [SPDX 2.3](https://spdx.github.io/spdx-spec/v2.3/) format.
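As an added example (not part of this page or of the Assured OSS tooling), the following Python cross-checks the fields of a `buildInfo.json` document against each other: it decodes the DSSE `envelope` payload, confirms it is the same SLSA v0.2 statement as `buildProvenance`, checks that the statement's subject is `packageFileName`, and checks that `sourceInfo.commitHash` appears in the provenance materials. The sample document is constructed; the integer type of `slsaLevel` and the in-toto/DSSE field names used are assumptions.

```python
import base64
import json

# Constructed sample buildInfo.json (not real Assured OSS output). The SLSA v0.2
# statement appears twice, as the page describes: as the buildProvenance string
# and as the base64 payload of the DSSE envelope. slsaLevel as an int is an assumption.
_STATEMENT = {
    "_type": "https://in-toto.io/Statement/v0.1",
    "predicateType": "https://slsa.dev/provenance/v0.2",
    "subject": [{"name": "example-1.0.0.tar.gz", "digest": {"sha256": "ab" * 32}}],
    "predicate": {"materials": [{"uri": "git+https://github.com/example/example",
                                 "digest": {"sha1": "cd" * 20}}]},
}
SAMPLE_BUILD_INFO = {
    "creationTime": "2024-01-01T00:00:00Z",
    "creator": {"name": "Example Org", "email": "security@example.invalid"},
    "buildDetails": {
        "packageFileName": "example-1.0.0.tar.gz",
        "buildProvenance": json.dumps(_STATEMENT),
        "envelope": json.dumps({
            "payloadType": "application/vnd.in-toto+json",
            "payload": base64.b64encode(json.dumps(_STATEMENT).encode()).decode(),
            "signatures": [{"keyid": "placeholder", "sig": "placeholder"}],
        }),
        "slsaLevel": 3,
        "transitiveClosureState": "OPEN",
    },
    "sourceInfo": {"sourceUrl": "https://github.com/example/example", "tag": "v1.0.0",
                   "commitHash": "cd" * 20, "host": "github", "commitTime": "2023-12-31T00:00:00Z"},
}

def check_build_info(doc: dict) -> dict:
    """Cross-check a buildInfo.json document; signature verification is separate.
    Decodes the DSSE payload, checks it is SLSA v0.2 provenance agreeing with
    buildProvenance, that its subject is the package file, and that
    sourceInfo.commitHash is among its materials."""
    details = doc["buildDetails"]
    statement = json.loads(base64.b64decode(json.loads(details["envelope"])["payload"]))
    materials = statement["predicate"].get("materials", [])
    commit = doc["sourceInfo"]["commitHash"]
    return {
        "slsa_v02": statement.get("predicateType") == "https://slsa.dev/provenance/v0.2",
        "payload_matches_provenance": statement == json.loads(details["buildProvenance"]),
        "subject_is_package": any(s["name"] == details["packageFileName"]
                                  for s in statement.get("subject", [])),
        "commit_in_materials": any(m.get("digest", {}).get("sha1") == commit for m in materials),
        "closed_dependency_set": details["transitiveClosureState"] == "CLOSED",
        "slsa_level": details["slsaLevel"],
    }
```

These checks only establish internal consistency; trusting the document still requires verifying the Google signature from `signature.zip`, which the "Verify the build provenance" page covers.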
**`vexInfo.json`**

- `creationTime`: the time of creation of this document, as an [RFC 3339](https://tools.ietf.org/html/rfc3339) string.
- `creator`: the owner of the document. The following details are provided:
  - `name`: the name of the organization that created this document.
  - `email`: the email address of the organization, for queries or complaints.
- `vexData`: the Vulnerability Exploitability eXchange (VEX) string in [CycloneDX 1.4](https://cyclonedx.org/docs/1.4/json/) format.

**`healthInfo.json`**

- `creationTime`: the time of creation of this document, as an [RFC 3339](https://tools.ietf.org/html/rfc3339) string.
- `creator`: the owner of the document. The following details are provided:
  - `name`: the name of the organization that created this document.
  - `email`: the email address of the organization, for queries or complaints.
- `testingData`: the details about the security testing done on a package. The following details are provided:
  - `testType`: the type of test that was done. For example, `FUZZ`.
  - `tool`: the name of the tool that was used to perform the test.
  - `testStatus`: the status of the test, which is one of the following:
    - `TESTED`: testing was executed.
    - `NOT_REQUIRED`: testing was not required for the package. For example, fuzz testing is not required on a package that contains only interfaces.
    - `UNTESTED`: the package was not tested.
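Added example, not from the page: a consumer-side triage of `vexInfo.json` and `healthInfo.json`. It parses the CycloneDX 1.4 `vexData` string, reports every vulnerability whose analysis state does not clear it (including entries with no analysis at all), and lists test types still marked `UNTESTED`. The documents are constructed, the vulnerability IDs are placeholders, and `testingData` being a list of entries is an assumption.

```python
import json

# CycloneDX 1.4 analysis states that need no action from a consumer.
BENIGN_STATES = {"not_affected", "false_positive", "resolved", "resolved_with_pedigree"}

# Constructed sample vexInfo.json and healthInfo.json (not real Assured OSS
# output). Vulnerability IDs are placeholders, not real advisories, and
# testingData being a list of entries is an assumption.
SAMPLE_VEX_INFO = {
    "creationTime": "2024-01-01T00:00:00Z",
    "vexData": json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.4",
        "vulnerabilities": [
            {"id": "EXAMPLE-VULN-1", "ratings": [{"severity": "high"}],
             "analysis": {"state": "not_affected", "justification": "code_not_reachable"}},
            {"id": "EXAMPLE-VULN-2", "ratings": [{"severity": "critical"}],
             "analysis": {"state": "in_triage"}},
            {"id": "EXAMPLE-VULN-3", "ratings": [{"severity": "low"}]},
        ],
    }),
}
SAMPLE_HEALTH_INFO = {
    "creationTime": "2024-01-01T00:00:00Z",
    "testingData": [
        {"testType": "FUZZ", "tool": "example-fuzzer", "testStatus": "TESTED"},
        {"testType": "STATIC_ANALYSIS", "tool": "example-sast", "testStatus": "UNTESTED"},
        {"testType": "INTERFACE_FUZZ", "tool": "example-fuzzer", "testStatus": "NOT_REQUIRED"},
    ],
}

def open_vulnerabilities(vex_info: dict) -> list:
    """Return (id, severity, state) for each VEX entry that still needs action.
    An entry without an analysis block is reported as "unanalyzed": the VEX
    makes no claim about it yet, so it must not be treated as not_affected."""
    vex = json.loads(vex_info["vexData"])
    if vex.get("bomFormat") != "CycloneDX" or vex.get("specVersion") != "1.4":
        raise ValueError("vexData is not a CycloneDX 1.4 document")
    found = []
    for vuln in vex.get("vulnerabilities", []):
        state = vuln.get("analysis", {}).get("state", "unanalyzed")
        if state not in BENIGN_STATES:
            severity = (vuln.get("ratings") or [{}])[0].get("severity", "unknown")
            found.append((vuln["id"], severity, state))
    return found

def untested_types(health_info: dict) -> list:
    """Return test types with status UNTESTED; NOT_REQUIRED counts as acceptable."""
    return [t["testType"] for t in health_info["testingData"] if t["testStatus"] == "UNTESTED"]
```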
**`licenseInfo.json`**

- `package_name`: the name of the package, as a string.
- `package_version`: the version of the package.
- `license_info`: the license associated with the package.

Access security metadata from Cloud Storage
-------------------------------------------

To access the security metadata from Cloud Storage, follow these steps:

### Step 1 - Set up authentication

For information about setting up authentication, see [Set up authentication](/assured-open-source-software/docs/validate-connection#set_up_authentication).

### Step 2 - Construct the URL

You can use either `gcloud storage` or `curl` commands to download the metadata.
Construct the URL for both using the following information:

- **Language:** `java` or `python`. The value must be in lowercase.
- **Package_ID:** for Java, it's `groupId:artifactId` and for Python it's `packageName`. The value must be in lowercase.
- **Version:** the version of the package.
- **Metadata_Type:** choose between `buildinfo.zip`, `vexinfo.zip`, and `healthinfo.zip`.

The URL must have the following format:

### gcloud

`gs://cloud-aoss-metadata/<language>/<package_id>/<version>/<metadata_type>`

Note that the URL must be in lowercase.

Sample Python URL: `gs://cloud-aoss-metadata/python/cryptography/37.0.4/buildinfo.zip`

Sample Java URL: `gs://cloud-aoss-metadata/java/com.google.errorprone:error_prone_annotations/2.15.0/buildinfo.zip`

### curl

`https://storage.googleapis.com/cloud-aoss-metadata/<language>/<package_id>/<version>/<metadata_type>`

Note that the URL must be in lowercase.

Sample Python URL: `https://storage.googleapis.com/cloud-aoss-metadata/python/cryptography/37.0.4/buildinfo.zip`

Sample Java URL: `https://storage.googleapis.com/cloud-aoss-metadata/java/com.google.errorprone:error_prone_annotations/2.15.0/buildinfo.zip`

### Step 3 - Download the metadata

Use the following commands to download the metadata:

### gcloud

    gcloud storage cp "gs://cloud-aoss-metadata/<language>/<package_id>/<version>/<metadata_type>" outputFolderLocation

To download all the metadata types, such as the build information, health
information, and VEX information, together for a given package and version, use
the following command:

    gcloud storage cp "gs://cloud-aoss-metadata/<language>/<package_id>/<version>" outputFolderLocation --recursive

The metadata is distributed across three zip files (`buildinfo.zip`, `healthinfo.zip`, `vexinfo.zip`)
and downloaded into the output folder.

### curl

    curl -H "Authorization: Bearer $(gcloud auth print-access-token)" -L https://storage.googleapis.com/cloud-aoss-metadata/<language>/<package_id>/<version>/<metadata_type> -o output.zip
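Added example (not the page's or Google's own tooling): a Python helper that builds the gcloud or curl URL from Step 2 with the lowercase and Package_ID format rules enforced, and reads a downloaded metadata zip into its JSON document and `signature.zip` member. `constructed_download` is a constructed stand-in for a real download, not real Assured OSS data.

```python
import io
import json
import zipfile

LANGUAGES = ("java", "python")
METADATA_TYPES = ("buildinfo.zip", "vexinfo.zip", "healthinfo.zip")

def metadata_url(language: str, package_id: str, version: str,
                 metadata_type: str, scheme: str = "gs") -> str:
    """Build the URL for one metadata file: scheme "gs" for gcloud, "https" for curl.

    The path is lowercased as the page requires, and the inputs are validated
    so that a typo fails here instead of fetching a non-existent object.
    """
    language = language.lower()
    if language not in LANGUAGES:
        raise ValueError(f"language must be one of {LANGUAGES}")
    if metadata_type not in METADATA_TYPES:
        raise ValueError(f"metadata_type must be one of {METADATA_TYPES}")
    if language == "java" and package_id.count(":") != 1:
        raise ValueError("Java package_id must be groupId:artifactId")
    path = f"cloud-aoss-metadata/{language}/{package_id}/{version}/{metadata_type}".lower()
    if scheme == "gs":
        return f"gs://{path}"
    if scheme == "https":
        return f"https://storage.googleapis.com/{path}"
    raise ValueError("scheme must be 'gs' or 'https'")

def read_metadata_zip(data: bytes) -> tuple:
    """Return (JSON document, signature.zip bytes) from a downloaded metadata zip.

    Both members must be present; the signature archive is handed back untouched
    so the caller can verify the Google signature before trusting the JSON.
    """
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        json_names = [n for n in names if n.endswith(".json")]
        if len(json_names) != 1 or "signature.zip" not in names:
            raise ValueError(f"unexpected archive layout: {names}")
        return json.loads(zf.read(json_names[0])), zf.read("signature.zip")

def constructed_download() -> bytes:
    """Constructed stand-in for a downloaded buildinfo.zip (not real data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("buildInfo.json", json.dumps({"creationTime": "2024-01-01T00:00:00Z"}))
        zf.writestr("signature.zip", b"placeholder-signature-archive")
    return buf.getvalue()
```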
### Step 4 - Extract the metadata

Extract the zip file. On macOS or Linux, use the `unzip` command: `unzip input.zip -d outputFolder`.
Each zip file contains a JSON file and a `signature.zip` file. The JSON file
contains the actual security metadata and the `signature.zip` file contains
files to verify the Google signature on the JSON.

### Download license information

The license information for all Assured OSS packages is available in a single
JSON file. To download this file, run the following command:

### gcloud

    gcloud storage cp "gs://cloud-aoss/info/LicenseInfo.json" outputFolderLocation

### curl

    curl -H "Authorization: Bearer $(gcloud auth print-access-token)" -L https://storage.googleapis.com/cloud-aoss/info/LicenseInfo.json

To download the signature for the license metadata file, run the following command:

### gcloud

    gcloud storage cp "gs://cloud-aoss/info/LicenseInfo.json-sig.zip" outputFolderLocation

### curl

    curl -H "Authorization: Bearer $(gcloud auth print-access-token)" -L https://storage.googleapis.com/cloud-aoss/info/LicenseInfo.json-sig.zip -o output.zip

What's next
-----------

- [Access security metadata using Artifact Analysis API](/assured-open-source-software/docs/access-metadata-using-container-analysis)
- [Subscribe to notifications](/assured-open-source-software/docs/usenotifications)
- [Artifact signature overview](/assured-open-source-software/docs/package-signature-overview)
- [Verify signatures](/assured-open-source-software/docs/verify-packages)
- [Verify the build provenance](/assured-open-source-software/docs/verify-build-provenance)

Last updated 2025-09-04 UTC.