本页面提供了从 Cloud Storage 下载的安全元数据示例,并对元数据字段进行了说明。
本页面仅适用于 Assured OSS 高级层级。
安全元数据
{
"overview": {
"refreshTime": "string", // when was the data last refreshed
"originValidated": boolean, // is the origin of the binary validated
"builtByAssuredOSS": boolean, // is the binary built by Assured OSS
"transitivelyClosed": boolean, // are package dependencies built by Assured OSS
"SCADataAvailable": boolean, // is dependency information available
"SBOMAvailable": boolean, // is the SBOM present in SPDX-2.3 format
"VEXAvailable": boolean, // is the VEX Information present in CycloneDX-1.4 format
"licenseScanned": boolean, // is the license information present
"fuzzTestedByGoogle": boolean // was the package fuzz tested by Google
},
"buildInfo": "string", // build details along with SPDX
"buildInfoSignature": {
"certInfo": {
"cert": "string", // certificate for verifying build info
"certChain": "string" // certChain for verifying build info
},
"digest": [
{
"digest": "string", // digest of the build info
"algorithm": "string" // algorithm used for hashing
}
],
"signature": [
{
"signature": "string", // signature of the digest
"algorithm": "string" // algorithm used for signing
}
]
},
"vexInfo": "string", // vex information along with CycloneDX
"vexInfoSignature": {
"certInfo": {
"cert": "string", // certificate for verifying vex info
"certChain": "string" // certChain for verifying vex info
},
"digest": [
{
"digest": "string", // digest of the vex info
"algorithm": "string" // algorithm used for hashing
}
],
"signature": [
{
"signature": "string", // signature of the digest
"algorithm": "string" // algorithm used for signing
}
]
},
"healthInfo": "string", // health information
"healthInfoSignature": {
"certInfo": {
"cert": "string", // certificate for verifying health info
"certChain": "string" // certChain for verifying health info
},
"digest": [
{
"digest": "string", // digest of the health info
"algorithm": "string" // algorithm used for hashing
}
],
"signature": [
{
"signature": "string", // signature of the digest
"algorithm": "string" // algorithm used for signing
}
]
}
}
构建信息
{
"creationTime": "string", // time of creation of document (RFC 3339)
"refreshTime": "string", // time when the data was refreshed (RFC 3339)
"buildDetails": [
{
"packageFileName": "string", // the name of the file to which the build details apply
"slsaLevel": "string", // SLSA level adhered by the build system
"buildTool": "string",
"transitiveClosureState": "string", // ENUM indicating if all the build dependencies for the package (direct or indirect) are also present in Assured OSS's portfolio or not. It can have 2 values, CLOSED if all dependencies are present else OPEN.
"buildProvenances": [
{
"provenanceVersion": "string", // version of SLSA provenance
"provenance": "string", // string representation of build provenance in "provenanceVersion" format
"provenancePublicKey": "string", // public key used for verifying the singatures of the provenance
"envelope": { // a string representing a DSSE envelope that can be used to verify the integrity of the provenance document. This is also generated by Cloud Build
"payload": "string",
"payloadType": "string",
"signatures": [
{
"sig": "string",
"keyid": "string"
}
]
}
}
]
}
],
"sourceInfo": [
{
"sourceUrl": "string", // the GitHub URL
"commitHash": "string", // the commit hash attached to release
"tag": "string", // release tag associated with the package-version
"host": {
"name": "string" // name of the system that hosts the source code in GitHub
},
"commitTime": "string" // time of commit (RFC 3339)
}
],
"sbom": "string", // SBOM string in SPDX-2.3 format
"creator": {
"name": "string", // the name of the organization that created this document
"email": "string" // the email address of the organization in case of any query or complaint
}
}
VEX 信息
{
"creationTime": "string", // time of creation of document (RFC 3339)
"refreshTime": "string", // time when the data was refreshed (RFC 3339)
"vexData": "string", // Vulnerability Exploitability eXchange (VEX) string in CycloneDX 1.4 format
"creator": {
"name": "string", // the name of the organization that created this document
"email": "string" // the email address of the organization in case of any query or complaint
}
}
健康信息
{
"creationTime": "string", // time of creation of document (RFC 3339)
"refreshTime": "string", // time when the data was refreshed (RFC 3339)
"testingData": [
{
"testType": "string", // the type of test that was done. For example, FUZZ
"tool": {
"name": "string" // the name of the tool that was used to perform the test
},
"testStatus": "string" // the status of the test. It can be one of TESTED (testing was executed) or UNTESTED (package was not tested) or NOT_REQUIRED (testing was not required for the package. For example, fuzz testing is not required on a package that contains only interfaces)
}
],
"creator": {
"name": "string", // the name of the organization that created this document
"email": "string" // the email address of the organization in case of any query or complaint
}
}