Subscribe to notifications

Assured Open Source Software (Assured OSS) publishes two types of notifications:

• Package availability: These notifications contain information about new packages and package versions that are added to Assured OSS and updates regarding the package onboarding status.

• Vulnerability notifications: These notifications contain information about new vulnerabilities detected in the packages that are curated by Assured OSS or updates to existing vulnerabilities.

Programmatic notifications about updates on security metadata and new packages are published on Pub/Sub topics. These notifications are available in JSON format. You can create a pull subscription or push subscription to the Assured OSS topic to receive notifications.

To create these subscriptions, use the same service account or workload identity credentials that you use to access artifacts or metadata. When your access to Assured OSS is enabled, the service accounts are granted permission to create subscriptions on these topics.

The following sections describe the Pub/Sub topics.

This document applies to both the paid tier and free tier.

Package onboarding topic

• Topic Name: projects/cloud-aoss/topics/package_onboarding
• Message: this topic contains information about new package versions that are added to Assured OSS and updates regarding its onboarding status.

• Message Data Schema:

  {
  "package_name" string
  "package_version" string
  "language" string
  "onboarding_status" string
  "notification_status" string
  }
  

• Message Data Attributes:

  "PackageName"     string
  "PackageVersion"  string
  "PackageLanguage" string
  "SchemaVersion"   string
  "GenerateTime"    string
  

Vulnerability information topic

• Topic Name: projects/cloud-aoss/topics/vulnerability_information
• Message: this topic contains information about new vulnerabilities detected in the system or if the metadata of any vulnerability is updated.

• Message Data Schema:

  {
  "vulnerabilityId" string
  "notificationStatus" string
  }
  

• Message Data Attributes:

  "PackageName"     string
  "PackageVersion"  string
  "PackageLanguage" string
  "SchemaVersion"   string
  "GenerateTime"    string
  

Consolidated package onboarding and vulnerability information topic for paid tier

You can access all Assured OSS notifications from the following Pub/Sub topic:

projects/assuredoss-blue/topics/assuredoss-notifications

Notification attributes

The following notification attributes are part of the published Pub/Sub message. You can use these attributes to filter the message.

{
  "Type": "string",             // Indicates the type of notification, can be 'PackageVersion' or 'Vulnerability'
  "PackageName": "string",      // Package ID
  "PackageVersion": "string",   // Version of the package
  "Language": "string",         // Language of the package
  "SchemaVersion": int,         // Schema version of the data in message
  "GenerateTime": "string"      // Time at which the event occurred
}

The GenerateTime attribute is in RFC 3339 format.

Package-related notifications

When the Type attribute is PackageVersion, the message data has the following fields:

{
  "PackageName": "string",       // Package ID
  "PackageVersion": "string",    // Version of the package
  "Language": "string",          // Language of the package
  "NotificationStatus": "string" // Status of package-version,'New' indicates available to download from Assured OSS
}

Vulnerability-related notifications

When the Type attribute is Vulnerability, the message data has the following fields:

{
  "ID": "string",            // Vulnerability ID affecting the package
  "Severity": "string",      // Severity of the vulnerability
  "Sources": [
    {
      "Name": "string",      // Source of vulnerability information
      "Link": "string"       // URL of vulnerability details
    }
  ],
  "Summary": "string",       // Summary of vulnerability
  "Description": "string",   // Detailed description of vulnerability
  "PackageName": "string",       // Package ID
  "PackageVersion": "string",    // Version of the package
  "Language": "string",          // Language of the package
  "NotificationStatus": "string" // Status of package-version
}

The value of the NotificationStatus field indicates the status of the vulnerability. If the vulnerability is new for a package, the value is New. If there is an update to an existing vulnerability, the value is Update.

Create a pull subscription

To create a pull subscription, complete the following:

1. Create a pull subscription. You can use the Google Cloud console, Google Cloud CLI, or Pub/Sub API.

2. After you have created the pull subscription, start polling for messages by using client libraries or the Google Cloud CLI.

Create a push subscription

To create a push subscription, set up an HTTPS server with a certificate that isn't self-signed and that is accessible on the internet. Use the push subscription model in one of the following ways:

• If you have a Google Cloud project and service account (for example, you integrated Assured OSS with Security Command Center):

  Because Assured OSS provides permission to create subscriptions, you can create your own push subscriptions and associate them with the endpoint of your choice. For more information, see Push subscriptions.

• If you are using the free tier and you don't have a Google Cloud project and service account, enter the HTTPS endpoint in the Enable Access or Update Notification Preferences form. The Assured OSS team will create a push subscription and attach the endpoint with that subscription.

What's next

• Artifact signature overview
• Verify signatures
• Verify the build provenance
• Protect your software supply chain using Software Delivery Shield