Security metadata fields

This page provides examples of the security metadata that you download from Cloud Storage and an explanation of the metadata fields.

This page applies to the Assured OSS premium tier only.

Security metadata

{
    "overview": {
        "refreshTime": "string",        // when was the data last refreshed
        "originValidated": boolean,     // is the origin of the binary validated
        "builtByAssuredOSS": boolean,   // is the binary built by Assured OSS
        "transitivelyClosed": boolean,  // are package dependencies built by Assured OSS
        "SCADataAvailable": boolean,    // is dependency information available
        "SBOMAvailable": boolean,       // is the SBOM present in SPDX-2.3 format
        "VEXAvailable": boolean,        // is the VEX Information present in CycloneDX-1.4 format
        "licenseScanned": boolean,      // is the license information present
        "fuzzTestedByGoogle": boolean   // was the package fuzz tested by Google
    },
    "buildInfo": "string",              // build details along with SPDX
    "buildInfoSignature": {
        "certInfo": {
            "cert": "string",           // certificate for verifying build info
            "certChain": "string"       // certChain for verifying build info
        },
        "digest": [
            {
                "digest": "string",     // digest of the build info
                "algorithm": "string"   // algorithm used for hashing
            }
        ],
        "signature": [
            {
                "signature": "string",  // signature of the digest
                "algorithm": "string"   // algorithm used for signing
            }
        ]
    },
    "vexInfo": "string",                // vex information along with CycloneDX
    "vexInfoSignature": {
        "certInfo": {
            "cert": "string",           // certificate for verifying vex info
            "certChain": "string"       // certChain for verifying vex info
        },
        "digest": [
            {
                "digest": "string",     // digest of the vex info
                "algorithm": "string"   // algorithm used for hashing
            }
        ],
        "signature": [
            {
                "signature": "string",  // signature of the digest
                "algorithm": "string"   // algorithm used for signing
            }
        ]
    },
    "healthInfo": "string",             // health information
    "healthInfoSignature": {
        "certInfo": {
            "cert": "string",           // certificate for verifying health info
            "certChain": "string"       // certChain for verifying health info
        },
        "digest": [
            {
                "digest": "string",     // digest of the health info
                "algorithm": "string"   // algorithm used for hashing
            }
        ],
        "signature": [
            {
                "signature": "string",  // signature of the digest
                "algorithm": "string"   // algorithm used for signing
            }
        ]
    }
}

Build information

{
  "creationTime": "string",    // time of creation of document (RFC 3339)
  "refreshTime": "string",     // time when the data was refreshed (RFC 3339)
  "buildDetails": [
    {
      "packageFileName": "string",  // the name of the file to which the build details apply
      "slsaLevel": "string",        // SLSA level adhered by the build system
      "buildTool": "string",
      "transitiveClosureState": "string",  // ENUM indicating if all the build dependencies for the package (direct or indirect) are also present in Assured OSS's portfolio or not. It can have 2 values, CLOSED if all dependencies are present else OPEN.
      "buildProvenances": [
        {
          "provenanceVersion": "string",  // version of SLSA provenance
          "provenance": "string",         // string representation of build provenance in "provenanceVersion" format
          "provenancePublicKey": "string", // public key used for verifying the signatures of the provenance
          "envelope": {  // a string representing a DSSE envelope that can be used to verify the integrity of the provenance document. This is also generated by Cloud Build
            "payload": "string",
            "payloadType": "string",
            "signatures": [
              {
                "sig": "string",
                "keyid": "string"
              }
            ]
          }
        }
      ]
    }
  ],
  "sourceInfo": [
    {
      "sourceUrl": "string",  // the GitHub URL
      "commitHash": "string", // the commit hash attached to release
      "tag": "string",        // release tag associated with the package-version
      "host": {
        "name": "string"      // name of the system that hosts the source code in GitHub
      },
      "commitTime": "string"  // time of commit (RFC 3339)
    }
  ],
  "sbom": "string",           // SBOM string in SPDX-2.3 format
  "creator": {
    "name": "string", // the name of the organization that created this document
    "email": "string" // the email address of the organization in case of any query or complaint
  }
}

VEX information

{
  "creationTime": "string",    // time of creation of document (RFC 3339)
  "refreshTime": "string",     // time when the data was refreshed (RFC 3339)
  "vexData": "string",  // Vulnerability Exploitability eXchange (VEX) string in CycloneDX 1.4 format
  "creator": {
    "name": "string", // the name of the organization that created this document
    "email": "string" // the email address of the organization in case of any query or complaint
  }
}

Health information

{
  "creationTime": "string",    // time of creation of document (RFC 3339)
  "refreshTime": "string",     // time when the data was refreshed (RFC 3339)
  "testingData": [
    {
      "testType": "string",   // the type of test that was done. For example, FUZZ
      "tool": {
        "name": "string"      // the name of the tool that was used to perform the test
      },
      "testStatus": "string"  // the status of the test. It can be one of TESTED (testing was executed) or UNTESTED (package was not tested) or NOT_REQUIRED (testing was not required for the package. For example, fuzz testing is not required on a package that contains only interfaces)
    }
  ],
  "creator": {
    "name": "string", // the name of the organization that created this document
    "email": "string" // the email address of the organization in case of any query or complaint
  }
}

What's next