ContainerAnalysisNote

Property                                          Value
Google Cloud Service Name                         Container Analysis
Google Cloud Service Documentation                /container-analysis/docs/
Google Cloud REST Resource Name                   v1.projects.notes
Google Cloud REST Resource Documentation          /container-analysis/docs/reference/rest/v1/projects.notes
Config Connector Resource Short Names             gcpcontaineranalysisnote, gcpcontaineranalysisnotes, containeranalysisnote
Config Connector Service Name                     containeranalysis.googleapis.com
Config Connector Resource Fully Qualified Name    containeranalysisnotes.containeranalysis.cnrm.cloud.google.com
Can Be Referenced by IAMPolicy/IAMPolicyMember    No

Custom Resource Definition Properties

Annotations

Fields
cnrm.cloud.google.com/project-id

Spec

Schema

  attestation:
    hint:
      humanReadableName: string
  build:
    builderVersion: string
  deployment:
    resourceUri:
    - string
  discovery:
    analysisKind: string
  expirationTime: string
  image:
    fingerprint:
      v1Name: string
      v2Blob:
      - string
    resourceUrl: string
  longDescription: string
  package:
    distribution:
    - architecture: string
      cpeUri: string
      description: string
      latestVersion:
        epoch: integer
        fullName: string
        kind: string
        name: string
        revision: string
      maintainer: string
      url: string
    name: string
  relatedNoteNames:
  - external: string
    name: string
    namespace: string
  relatedUrl:
  - label: string
    url: string
  resourceID: string
  shortDescription: string
  vulnerability:
    cvssScore: float
    cvssV3:
      attackComplexity: string
      attackVector: string
      availabilityImpact: string
      baseScore: float
      confidentialityImpact: string
      exploitabilityScore: float
      impactScore: float
      integrityImpact: string
      privilegesRequired: string
      scope: string
      userInteraction: string
    details:
    - affectedCpeUri: string
      affectedPackage: string
      affectedVersionEnd:
        epoch: integer
        fullName: string
        kind: string
        name: string
        revision: string
      affectedVersionStart:
        epoch: integer
        fullName: string
        kind: string
        name: string
        revision: string
      description: string
      fixedCpeUri: string
      fixedPackage: string
      fixedVersion:
        epoch: integer
        fullName: string
        kind: string
        name: string
        revision: string
      isObsolete: boolean
      packageType: string
      severityName: string
      sourceUpdateTime: string
    severity: string
    sourceUpdateTime: string
    windowsDetails:
    - cpeUri: string
      description: string
      fixingKbs:
      - name: string
        url: string
      name: string
Fields

attestation

Optional

object

A note describing an attestation role.

attestation.hint

Optional

object

A hint at the purpose of the attestation authority.

attestation.hint.humanReadableName

Required*

string

Required. The human readable name of this attestation authority, for example "qa".

build

Optional

object

A note describing build provenance for a verifiable build.

build.builderVersion

Required*

string

Required. Immutable. Version of the builder which produced this build.

deployment

Optional

object

A note describing something that can be deployed.

deployment.resourceUri

Required*

list (string)

Required. Resource URI for the artifact being deployed.

deployment.resourceUri.[]

Required*

string

discovery

Optional

object

A note describing the initial analysis of a resource.

discovery.analysisKind

Required*

string

Required. Immutable. The kind of analysis that is handled by this discovery. Possible values: NOTE_KIND_UNSPECIFIED, VULNERABILITY, BUILD, IMAGE, PACKAGE, DEPLOYMENT, DISCOVERY, ATTESTATION, UPGRADE

expirationTime

Optional

string

Time of expiration for this note. Empty if note does not expire.

image

Optional

object

A note describing a base image.

image.fingerprint

Required*

object

Required. Immutable. The fingerprint of the base image.

image.fingerprint.v1Name

Required*

string

Required. The layer ID of the final layer in the Docker image's v1 representation.

image.fingerprint.v2Blob

Required*

list (string)

Required. The ordered list of v2 blobs that represent a given image.

image.fingerprint.v2Blob.[]

Required*

string

image.resourceUrl

Required*

string

Required. Immutable. The resource_url for the resource representing the basis of associated occurrence images.

longDescription

Optional

string

A detailed description of this note.

package

Optional

object

A note describing a package hosted by various package managers.

package.distribution

Optional

list (object)

The various channels by which a package is distributed.

package.distribution.[]

Optional

object

package.distribution.[].architecture

Optional

string

The CPU architecture for which packages in this distribution channel were built. Possible values: ARCHITECTURE_UNSPECIFIED, X86, X64

package.distribution.[].cpeUri

Required*

string

Required. The cpe_uri in CPE format (https://cpe.mitre.org/specification/) denoting the package manager version distributing a package.

package.distribution.[].description

Optional

string

The distribution channel-specific description of this package.

package.distribution.[].latestVersion

Optional

object

The latest available version of this package in this distribution channel.

package.distribution.[].latestVersion.epoch

Optional

integer

Used to correct mistakes in the version numbering scheme.

package.distribution.[].latestVersion.fullName

Optional

string

Human readable version string. This string is of the form <epoch>:<name>-<revision> and is only set when kind is NORMAL.

package.distribution.[].latestVersion.kind

Required*

string

Required. Distinguishes between sentinel MIN/MAX versions and normal versions. Possible values: VERSION_KIND_UNSPECIFIED, NORMAL, MINIMUM, MAXIMUM

package.distribution.[].latestVersion.name

Optional

string

Required only when version kind is NORMAL. The main part of the version name.

package.distribution.[].latestVersion.revision

Optional

string

The iteration of the package build from the above version.

package.distribution.[].maintainer

Optional

string

A freeform string denoting the maintainer of this package.

package.distribution.[].url

Optional

string

The distribution channel-specific homepage for this package.

package.name

Required*

string

Required. Immutable. The name of the package.

relatedNoteNames

Optional

list (object)

Other notes related to this note.

relatedNoteNames.[]

Optional

object

relatedNoteNames.[].external

Optional

string

relatedNoteNames.[].name

Optional

string

Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names

relatedNoteNames.[].namespace

Optional

string

Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/

relatedUrl

Optional

list (object)

URLs associated with this note.

relatedUrl.[]

Optional

object

relatedUrl.[].label

Optional

string

Label to describe usage of the URL.

relatedUrl.[].url

Optional

string

Specific URL associated with the resource.

resourceID

Optional

string

Immutable. Optional. The name of the resource. Used for creation and acquisition. When unset, the value of `metadata.name` is used as the default.

shortDescription

Optional

string

A one sentence description of this note.

vulnerability

Optional

object

A note describing a package vulnerability.

vulnerability.cvssScore

Optional

float

The CVSS score of this vulnerability. CVSS score is on a scale of 0 - 10 where 0 indicates low severity and 10 indicates high severity.

vulnerability.cvssV3

Optional

object

The full description of the CVSSv3 for this vulnerability.

vulnerability.cvssV3.attackComplexity

Optional

string

Possible values: ATTACK_COMPLEXITY_UNSPECIFIED, ATTACK_COMPLEXITY_LOW, ATTACK_COMPLEXITY_HIGH

vulnerability.cvssV3.attackVector

Optional

string

One of the CVSSv3 base metrics, which represent the intrinsic characteristics of a vulnerability that are constant over time and across user environments. Possible values: ATTACK_VECTOR_UNSPECIFIED, ATTACK_VECTOR_NETWORK, ATTACK_VECTOR_ADJACENT, ATTACK_VECTOR_LOCAL, ATTACK_VECTOR_PHYSICAL

vulnerability.cvssV3.availabilityImpact

Optional

string

Possible values: IMPACT_UNSPECIFIED, IMPACT_HIGH, IMPACT_LOW, IMPACT_NONE

vulnerability.cvssV3.baseScore

Optional

float

The base score is a function of the base metric scores.

vulnerability.cvssV3.confidentialityImpact

Optional

string

Possible values: IMPACT_UNSPECIFIED, IMPACT_HIGH, IMPACT_LOW, IMPACT_NONE

vulnerability.cvssV3.exploitabilityScore

Optional

float

vulnerability.cvssV3.impactScore

Optional

float

vulnerability.cvssV3.integrityImpact

Optional

string

Possible values: IMPACT_UNSPECIFIED, IMPACT_HIGH, IMPACT_LOW, IMPACT_NONE

vulnerability.cvssV3.privilegesRequired

Optional

string

Possible values: PRIVILEGES_REQUIRED_UNSPECIFIED, PRIVILEGES_REQUIRED_NONE, PRIVILEGES_REQUIRED_LOW, PRIVILEGES_REQUIRED_HIGH

vulnerability.cvssV3.scope

Optional

string

Possible values: SCOPE_UNSPECIFIED, SCOPE_UNCHANGED, SCOPE_CHANGED

vulnerability.cvssV3.userInteraction

Optional

string

Possible values: USER_INTERACTION_UNSPECIFIED, USER_INTERACTION_NONE, USER_INTERACTION_REQUIRED

vulnerability.details

Optional

list (object)

Details of all known distros and packages affected by this vulnerability.

vulnerability.details.[]

Optional

object

vulnerability.details.[].affectedCpeUri

Required*

string

Required. The CPE URI (https://cpe.mitre.org/specification/) this vulnerability affects.

vulnerability.details.[].affectedPackage

Required*

string

Required. The package this vulnerability affects.

vulnerability.details.[].affectedVersionEnd

Optional

object

The version number at the end of an interval in which this vulnerability exists. A vulnerability can affect a package across several disjoint version intervals, each of which is represented in its own Detail. If a specific affected version is provided by a vulnerability database, affected_version_start and affected_version_end will be the same in that Detail.

vulnerability.details.[].affectedVersionEnd.epoch

Optional

integer

Used to correct mistakes in the version numbering scheme.

vulnerability.details.[].affectedVersionEnd.fullName

Optional

string

Human readable version string. This string is of the form <epoch>:<name>-<revision> and is only set when kind is NORMAL.

vulnerability.details.[].affectedVersionEnd.kind

Required*

string

Required. Distinguishes between sentinel MIN/MAX versions and normal versions. Possible values: VERSION_KIND_UNSPECIFIED, NORMAL, MINIMUM, MAXIMUM

vulnerability.details.[].affectedVersionEnd.name

Optional

string

Required only when version kind is NORMAL. The main part of the version name.

vulnerability.details.[].affectedVersionEnd.revision

Optional

string

The iteration of the package build from the above version.

vulnerability.details.[].affectedVersionStart

Optional

object

The version number at the start of an interval in which this vulnerability exists. A vulnerability can affect a package across several disjoint version intervals, each of which is represented in its own Detail. If a specific affected version is provided by a vulnerability database, affected_version_start and affected_version_end will be the same in that Detail.

vulnerability.details.[].affectedVersionStart.epoch

Optional

integer

Used to correct mistakes in the version numbering scheme.

vulnerability.details.[].affectedVersionStart.fullName

Optional

string

Human readable version string. This string is of the form <epoch>:<name>-<revision> and is only set when kind is NORMAL.

vulnerability.details.[].affectedVersionStart.kind

Required*

string

Required. Distinguishes between sentinel MIN/MAX versions and normal versions. Possible values: VERSION_KIND_UNSPECIFIED, NORMAL, MINIMUM, MAXIMUM

vulnerability.details.[].affectedVersionStart.name

Optional

string

Required only when version kind is NORMAL. The main part of the version name.

vulnerability.details.[].affectedVersionStart.revision

Optional

string

The iteration of the package build from the above version.

vulnerability.details.[].description

Optional

string

A vendor-specific description of this vulnerability.

vulnerability.details.[].fixedCpeUri

Optional

string

The distro-recommended CPE URI (https://cpe.mitre.org/specification/) to update to that contains a fix for this vulnerability. It is possible for this to be different from the affected_cpe_uri.

vulnerability.details.[].fixedPackage

Optional

string

The distro recommended package to update to that contains a fix for this vulnerability. It is possible for this to be different from the affected_package.

vulnerability.details.[].fixedVersion

Optional

object

The distro recommended version to update to that contains a fix for this vulnerability. Setting this to VersionKind.MAXIMUM means no such version is yet available.

vulnerability.details.[].fixedVersion.epoch

Optional

integer

Used to correct mistakes in the version numbering scheme.

vulnerability.details.[].fixedVersion.fullName

Optional

string

Human readable version string. This string is of the form <epoch>:<name>-<revision> and is only set when kind is NORMAL.

vulnerability.details.[].fixedVersion.kind

Required*

string

Required. Distinguishes between sentinel MIN/MAX versions and normal versions. Possible values: VERSION_KIND_UNSPECIFIED, NORMAL, MINIMUM, MAXIMUM

vulnerability.details.[].fixedVersion.name

Optional

string

Required only when version kind is NORMAL. The main part of the version name.

vulnerability.details.[].fixedVersion.revision

Optional

string

The iteration of the package build from the above version.

vulnerability.details.[].isObsolete

Optional

boolean

Whether this detail is obsolete. Occurrences are expected not to point to obsolete details.

vulnerability.details.[].packageType

Optional

string

The type of package; whether native or non native (e.g., ruby gems, node.js packages, etc.).

vulnerability.details.[].severityName

Optional

string

The distro assigned severity of this vulnerability.

vulnerability.details.[].sourceUpdateTime

Optional

string

The time this information was last changed at the source. This is an upstream timestamp from the underlying information source - e.g. Ubuntu security tracker.

vulnerability.severity

Optional

string

The note provider assigned severity of this vulnerability. Possible values: SEVERITY_UNSPECIFIED, MINIMAL, LOW, MEDIUM, HIGH, CRITICAL

vulnerability.sourceUpdateTime

Optional

string

The time this information was last changed at the source. This is an upstream timestamp from the underlying information source - e.g. Ubuntu security tracker.

vulnerability.windowsDetails

Optional

list (object)

Windows details get their own format because the information format and model don't match a normal detail. Specifically Windows updates are done as patches, thus Windows vulnerabilities really are a missing package, rather than a package being at an incorrect version.

vulnerability.windowsDetails.[]

Optional

object

vulnerability.windowsDetails.[].cpeUri

Required*

string

Required. The CPE URI (https://cpe.mitre.org/specification/) this vulnerability affects.

vulnerability.windowsDetails.[].description

Optional

string

The description of this vulnerability.

vulnerability.windowsDetails.[].fixingKbs

Required*

list (object)

Required. The names of the KBs which have hotfixes to mitigate this vulnerability. Note that there may be multiple hotfixes (and thus multiple KBs) that mitigate a given vulnerability. Currently the presence of any one listed KB is considered a fix.

vulnerability.windowsDetails.[].fixingKbs.[]

Required*

object

vulnerability.windowsDetails.[].fixingKbs.[].name

Optional

string

The KB name (generally "KB" followed by a run of digits, e.g., KB123456).

vulnerability.windowsDetails.[].fixingKbs.[].url

Optional

string

A link to the KB in the Microsoft Update Catalog (https://www.catalog.update.microsoft.com/).

vulnerability.windowsDetails.[].name

Required*

string

Required. The name of this vulnerability.

* Field is required when parent field is specified
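The interval semantics of vulnerability.details.[].affectedVersionStart, affectedVersionEnd and fixedVersion above (open intervals via the MINIMUM/MAXIMUM sentinels, and fixedVersion.kind MAXIMUM meaning "no fix yet") are easiest to see in code. The following evaluator is an added example, not part of the Config Connector documentation or the Container Analysis API; it mirrors the spec objects as Python dicts. It assumes Debian/dpkg-style ordering for name and revision, treats both interval ends as inclusive, and treats a version at or above fixedVersion as not affected (none of which the page states). The CPE URI, package names and versions in SAMPLE_DETAILS are constructed for illustration and are not real advisory data.

```python
"""Evaluate a ContainerAnalysisNote's spec.vulnerability.details against an
installed package version, honouring the MINIMUM/MAXIMUM version sentinels."""
import re
from dataclasses import dataclass
from typing import Optional

# Version.kind values: MINIMUM sorts below every NORMAL version and MAXIMUM
# above every NORMAL version, so an interval can be left open at either end.
MINIMUM, NORMAL, MAXIMUM = "MINIMUM", "NORMAL", "MAXIMUM"

@dataclass(frozen=True)
class Version:
    """Mirror of the affectedVersionStart/End and fixedVersion objects."""
    kind: str = NORMAL
    epoch: int = 0
    name: str = ""
    revision: str = ""

    @classmethod
    def from_spec(cls, d: dict) -> "Version":
        return cls(d.get("kind", NORMAL), int(d.get("epoch", 0)),
                   d.get("name", ""), d.get("revision", ""))

def _order(c: str) -> int:
    # dpkg ordering of non-digit characters: '~' < end of string < letters < others
    if c == "~":
        return -1
    if c == "":
        return 0
    return ord(c) if c.isalpha() else ord(c) + 256

def _cmp_fragment(a: str, b: str) -> int:
    """dpkg-style comparison of one component (name or revision): alternating
    non-digit runs (character order above) and digit runs (numeric). Assumption:
    the note's versions follow Debian conventions; RPM or semver would differ."""
    while a or b:
        na, nb = re.match(r"[^0-9]*", a).group(0), re.match(r"[^0-9]*", b).group(0)
        a, b = a[len(na):], b[len(nb):]
        for i in range(max(len(na), len(nb))):
            ca, cb = (na[i] if i < len(na) else ""), (nb[i] if i < len(nb) else "")
            if _order(ca) != _order(cb):
                return -1 if _order(ca) < _order(cb) else 1
        da, db = re.match(r"[0-9]*", a).group(0), re.match(r"[0-9]*", b).group(0)
        a, b = a[len(da):], b[len(db):]
        if int(da or "0") != int(db or "0"):
            return -1 if int(da or "0") < int(db or "0") else 1
    return 0

def compare(x: Version, y: Version) -> int:
    """Total order over Version: sentinels first, then epoch, name, revision."""
    rank = {MINIMUM: 0, NORMAL: 1, MAXIMUM: 2}
    if x.kind != NORMAL or y.kind != NORMAL:
        return (rank[x.kind] > rank[y.kind]) - (rank[x.kind] < rank[y.kind])
    if x.epoch != y.epoch:
        return -1 if x.epoch < y.epoch else 1
    return _cmp_fragment(x.name, y.name) or _cmp_fragment(x.revision, y.revision)

def is_affected(detail: dict, cpe_uri: str, package: str, installed: Version) -> bool:
    """True if `installed` lies in [affectedVersionStart, affectedVersionEnd] of a
    non-obsolete Detail for this CPE and package. Assumption (the page does not
    say): both ends are inclusive, and a version at or above fixedVersion is not
    affected even if it also falls inside the interval."""
    if (detail.get("isObsolete") or detail["affectedCpeUri"] != cpe_uri
            or detail["affectedPackage"] != package):
        return False
    start = Version.from_spec(detail.get("affectedVersionStart", {"kind": MINIMUM}))
    end = Version.from_spec(detail.get("affectedVersionEnd", {"kind": MAXIMUM}))
    fixed = Version.from_spec(detail.get("fixedVersion", {"kind": MAXIMUM}))
    in_interval = compare(start, installed) <= 0 and compare(installed, end) <= 0
    return in_interval and compare(installed, fixed) < 0

def fix_for(detail: dict) -> Optional[str]:
    """Fixed version as '<epoch>:<name>-<revision>', or None when
    fixedVersion.kind is MAXIMUM (the 'no fix available yet' sentinel)."""
    fv = Version.from_spec(detail.get("fixedVersion", {"kind": MAXIMUM}))
    return None if fv.kind == MAXIMUM else f"{fv.epoch}:{fv.name}-{fv.revision}"

def evaluate(details, cpe_uri, package, installed):
    """(affected, fix) for the first matching Detail, else (False, None)."""
    for d in details:
        if is_affected(d, cpe_uri, package, installed):
            return True, fix_for(d)
    return False, None

# Constructed sample shaped like spec.vulnerability.details; the CPE URI,
# packages and versions are made up for illustration, not real advisory data.
DEBIAN11 = "cpe:/o:debian:debian_linux:11"
SAMPLE_DETAILS = [
    {   # everything below 1.1.1k-1 is affected and a fix exists
        "affectedCpeUri": DEBIAN11, "affectedPackage": "openssl",
        "affectedVersionStart": {"kind": MINIMUM},
        "affectedVersionEnd": {"kind": NORMAL, "name": "1.1.1k", "revision": "1"},
        "fixedCpeUri": DEBIAN11, "fixedPackage": "openssl",
        "fixedVersion": {"kind": NORMAL, "name": "1.1.1k", "revision": "1"},
    },
    {   # open-ended interval from 1.2.11-1 upward with no fix yet (MAXIMUM)
        "affectedCpeUri": DEBIAN11, "affectedPackage": "zlib",
        "affectedVersionStart": {"kind": NORMAL, "name": "1.2.11", "revision": "1"},
        "affectedVersionEnd": {"kind": MAXIMUM},
        "fixedVersion": {"kind": MAXIMUM},
    },
]

if __name__ == "__main__":
    for pkg, ver in [("openssl", "1.1.1j"), ("openssl", "1.1.1k"), ("zlib", "1.2.13")]:
        print(pkg, ver, evaluate(SAMPLE_DETAILS, DEBIAN11, pkg, Version(name=ver, revision="1")))
```

The sentinel handling is the point: a detail with affectedVersionStart.kind MINIMUM matches every version below the end, and fixedVersion.kind MAXIMUM reports "affected, no fix" rather than a bogus version string. A policy that blocks deployment only when a fix exists must therefore check the kind, not just the presence of fixedVersion.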

Status

Schema

  conditions:
  - lastTransitionTime: string
    message: string
    reason: string
    status: string
    type: string
  createTime: string
  image:
    fingerprint:
      v2Name: string
  observedGeneration: integer
  updateTime: string
Fields

conditions

list (object)

Conditions represent the latest available observation of the resource's current state.

conditions.[]

object

conditions.[].lastTransitionTime

string

Last time the condition transitioned from one status to another.

conditions.[].message

string

Human-readable message indicating details about last transition.

conditions.[].reason

string

Unique, one-word, CamelCase reason for the condition's last transition.

conditions.[].status

string

Status is the status of the condition. Can be True, False, Unknown.

conditions.[].type

string

Type is the type of the condition.

createTime

string

Output only. The time this note was created. This field can be used as a filter in list requests.

image

object

image.fingerprint

object

image.fingerprint.v2Name

string

Output only. The name of the image's v2 blobs, computed from the ordered list of v2 blobs. Only the name of the final blob is kept.

observedGeneration

integer

ObservedGeneration is the generation of the resource that was most recently observed by the Config Connector controller. If this is equal to metadata.generation, then that means that the current reported status reflects the most recent desired state of the resource.

updateTime

string

Output only. The time this note was last updated. This field can be used as a filter in list requests.

Sample YAML(s)

Typical Use Case

  # Copyright 2020 Google LLC
  #
  # Licensed under the Apache License, Version 2.0 (the "License");
  # you may not use this file except in compliance with the License.
  # You may obtain a copy of the License at
  #
  #     http://www.apache.org/licenses/LICENSE-2.0
  #
  # Unless required by applicable law or agreed to in writing, software
  # distributed under the License is distributed on an "AS IS" BASIS,
  # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  # See the License for the specific language governing permissions and
  # limitations under the License.
  
  apiVersion: containeranalysis.cnrm.cloud.google.com/v1beta1
  kind: ContainerAnalysisNote
  metadata:
    name: containeranalysisnote-sample
  spec:
    shortDescription: "short description"
    longDescription: "long description"
    relatedUrl:
    - url: "some.url"
      label: "test"
    - url: "google.com"
      label: "google"
    attestation:
      hint:
        humanReadableName: "Attestor Note"