ContainerAnalysisNote


Property Value
Google Cloud Service Name Container Analysis
Google Cloud Service Documentation /container-analysis/docs/
Google Cloud REST Resource Name v1.projects.notes
Google Cloud REST Resource Documentation /container-analysis/docs/reference/rest/v1/projects.notes
Config Connector Resource Short Names gcpcontaineranalysisnote
gcpcontaineranalysisnotes
containeranalysisnote
Config Connector Service Name containeranalysis.googleapis.com
Config Connector Resource Fully Qualified Name containeranalysisnotes.containeranalysis.cnrm.cloud.google.com
Can Be Referenced by IAMPolicy/IAMPolicyMember No
Config Connector Default Average Reconcile Interval In Seconds 600

Custom Resource Definition Properties

Annotations

Fields
cnrm.cloud.google.com/project-id

Spec

Schema

attestation:
  hint:
    humanReadableName: string
build:
  builderVersion: string
deployment:
  resourceUri:
  - string
discovery:
  analysisKind: string
expirationTime: string
image:
  fingerprint:
    v1Name: string
    v2Blob:
    - string
  resourceUrl: string
longDescription: string
package:
  distribution:
  - architecture: string
    cpeUri: string
    description: string
    latestVersion:
      epoch: integer
      fullName: string
      kind: string
      name: string
      revision: string
    maintainer: string
    url: string
  name: string
relatedNoteNames:
- external: string
  name: string
  namespace: string
relatedUrl:
- label: string
  url: string
resourceID: string
shortDescription: string
vulnerability:
  cvssScore: float
  cvssV3:
    attackComplexity: string
    attackVector: string
    availabilityImpact: string
    baseScore: float
    confidentialityImpact: string
    exploitabilityScore: float
    impactScore: float
    integrityImpact: string
    privilegesRequired: string
    scope: string
    userInteraction: string
  details:
  - affectedCpeUri: string
    affectedPackage: string
    affectedVersionEnd:
      epoch: integer
      fullName: string
      kind: string
      name: string
      revision: string
    affectedVersionStart:
      epoch: integer
      fullName: string
      kind: string
      name: string
      revision: string
    description: string
    fixedCpeUri: string
    fixedPackage: string
    fixedVersion:
      epoch: integer
      fullName: string
      kind: string
      name: string
      revision: string
    isObsolete: boolean
    packageType: string
    severityName: string
    sourceUpdateTime: string
  severity: string
  sourceUpdateTime: string
  windowsDetails:
  - cpeUri: string
    description: string
    fixingKbs:
    - name: string
      url: string
    name: string
Fields

attestation

Optional

object

A note describing an attestation role.

attestation.hint

Optional

object

Hint hints at the purpose of the attestation authority.

attestation.hint.humanReadableName

Required*

string

Required. The human readable name of this attestation authority, for example "qa".

build

Optional

object

A note describing build provenance for a verifiable build.

build.builderVersion

Required*

string

Required. Immutable. Version of the builder which produced this build.

deployment

Optional

object

A note describing something that can be deployed.

deployment.resourceUri

Required*

list (string)

Required. Resource URI for the artifact being deployed.

deployment.resourceUri[]

Required*

string

discovery

Optional

object

A note describing the initial analysis of a resource.

discovery.analysisKind

Required*

string

The kind of analysis that is handled by this discovery. Possible values: NOTE_KIND_UNSPECIFIED, VULNERABILITY, BUILD, IMAGE, PACKAGE, DEPLOYMENT, DISCOVERY, ATTESTATION, UPGRADE

expirationTime

Optional

string

Time of expiration for this note. Empty if note does not expire.

image

Optional

object

A note describing a base image.

image.fingerprint

Required*

object

Required. Immutable. The fingerprint of the base image.

image.fingerprint.v1Name

Required*

string

Required. The layer ID of the final layer in the Docker image's v1 representation.

image.fingerprint.v2Blob

Required*

list (string)

Required. The ordered list of v2 blobs that represent a given image.

image.fingerprint.v2Blob[]

Required*

string

image.resourceUrl

Required*

string

Required. Immutable. The resource_url for the resource representing the basis of associated occurrence images.

longDescription

Optional

string

A detailed description of this note.

package

Optional

object

Required for non-Windows OS. The package this Upgrade is for.

package.distribution

Optional

list (object)

The various channels by which a package is distributed.

package.distribution[]

Optional

object

package.distribution[].architecture

Optional

string

The CPU architecture for which packages in this distribution channel were built Possible values: ARCHITECTURE_UNSPECIFIED, X86, X64

package.distribution[].cpeUri

Required*

string

The cpe_uri in [cpe format](https://cpe.mitre.org/specification/) denoting the package manager version distributing a package.

package.distribution[].description

Optional

string

The distribution channel-specific description of this package.

package.distribution[].latestVersion

Optional

object

The latest available version of this package in this distribution channel.

package.distribution[].latestVersion.epoch

Optional

integer

Used to correct mistakes in the version numbering scheme.

package.distribution[].latestVersion.fullName

Optional

string

Human readable version string. This string is of the form :- and is only set when kind is NORMAL.

package.distribution[].latestVersion.kind

Required*

string

Distinguish between sentinel MIN/MAX versions and normal versions. If kind is not NORMAL, then the other fields are ignored. Possible values: VERSION_KIND_UNSPECIFIED, NORMAL, MINIMUM, MAXIMUM

package.distribution[].latestVersion.name

Optional

string

The main part of the version name.

package.distribution[].latestVersion.revision

Optional

string

The iteration of the package build from the above version.

package.distribution[].maintainer

Optional

string

A freeform string denoting the maintainer of this package.

package.distribution[].url

Optional

string

The distribution channel-specific homepage for this package.

package.name

Required*

string

The name of the package.

relatedNoteNames

Optional

list (object)

relatedNoteNames[]

Optional

object

relatedNoteNames[].external

Optional

string

Allowed value: The Google Cloud resource name of a `ContainerAnalysisNote` resource (format: `projects/{{project}}/notes/{{name}}`).

relatedNoteNames[].name

Optional

string

Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names

relatedNoteNames[].namespace

Optional

string

Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/

relatedUrl

Optional

list (object)

URLs associated with this note.

relatedUrl[]

Optional

object

relatedUrl[].label

Optional

string

Label to describe usage of the URL

relatedUrl[].url

Optional

string

Specific URL to associate with the note

resourceID

Optional

string

Immutable. Optional. The name of the resource. Used for creation and acquisition. When unset, the value of `metadata.name` is used as the default.

shortDescription

Optional

string

A one sentence description of this note.

vulnerability

Optional

object

A note describing a package vulnerability.

vulnerability.cvssScore

Optional

float

The CVSS score of this vulnerability. CVSS score is on a scale of 0 - 10 where 0 indicates low severity and 10 indicates high severity.

vulnerability.cvssV3

Optional

object

The full description of the CVSSv3 for this vulnerability.

vulnerability.cvssV3.attackComplexity

Optional

string

Possible values: ATTACK_COMPLEXITY_UNSPECIFIED, ATTACK_COMPLEXITY_LOW, ATTACK_COMPLEXITY_HIGH

vulnerability.cvssV3.attackVector

Optional

string

Base Metrics Represents the intrinsic characteristics of a vulnerability that are constant over time and across user environments. Possible values: ATTACK_VECTOR_UNSPECIFIED, ATTACK_VECTOR_NETWORK, ATTACK_VECTOR_ADJACENT, ATTACK_VECTOR_LOCAL, ATTACK_VECTOR_PHYSICAL

vulnerability.cvssV3.availabilityImpact

Optional

string

Possible values: IMPACT_UNSPECIFIED, IMPACT_HIGH, IMPACT_LOW, IMPACT_NONE

vulnerability.cvssV3.baseScore

Optional

float

The base score is a function of the base metric scores.

vulnerability.cvssV3.confidentialityImpact

Optional

string

Possible values: IMPACT_UNSPECIFIED, IMPACT_HIGH, IMPACT_LOW, IMPACT_NONE

vulnerability.cvssV3.exploitabilityScore

Optional

float

vulnerability.cvssV3.impactScore

Optional

float

vulnerability.cvssV3.integrityImpact

Optional

string

Possible values: IMPACT_UNSPECIFIED, IMPACT_HIGH, IMPACT_LOW, IMPACT_NONE

vulnerability.cvssV3.privilegesRequired

Optional

string

Possible values: PRIVILEGES_REQUIRED_UNSPECIFIED, PRIVILEGES_REQUIRED_NONE, PRIVILEGES_REQUIRED_LOW, PRIVILEGES_REQUIRED_HIGH

vulnerability.cvssV3.scope

Optional

string

Possible values: SCOPE_UNSPECIFIED, SCOPE_UNCHANGED, SCOPE_CHANGED

vulnerability.cvssV3.userInteraction

Optional

string

Possible values: USER_INTERACTION_UNSPECIFIED, USER_INTERACTION_NONE, USER_INTERACTION_REQUIRED

vulnerability.details

Optional

list (object)

Details of all known distros and packages affected by this vulnerability.

vulnerability.details[]

Optional

object

vulnerability.details[].affectedCpeUri

Required*

string

Required. The (https://cpe.mitre.org/specification/) this vulnerability affects.

vulnerability.details[].affectedPackage

Required*

string

Required. The package this vulnerability affects.

vulnerability.details[].affectedVersionEnd

Optional

object

The version number at the end of an interval in which this vulnerability exists. A vulnerability can affect a package between version numbers that are disjoint sets of intervals (example: ) each of which will be represented in its own Detail. If a specific affected version is provided by a vulnerability database, affected_version_start and affected_version_end will be the same in that Detail.

vulnerability.details[].affectedVersionEnd.epoch

Optional

integer

Used to correct mistakes in the version numbering scheme.

vulnerability.details[].affectedVersionEnd.fullName

Optional

string

Human readable version string. This string is of the form :- and is only set when kind is NORMAL.

vulnerability.details[].affectedVersionEnd.kind

Required*

string

Required. Distinguishes between sentinel MIN/MAX versions and normal versions. Possible values: NOTE_KIND_UNSPECIFIED, VULNERABILITY, BUILD, IMAGE, PACKAGE, DEPLOYMENT, DISCOVERY, ATTESTATION, UPGRADE

vulnerability.details[].affectedVersionEnd.name

Optional

string

Required only when version kind is NORMAL. The main part of the version name.

vulnerability.details[].affectedVersionEnd.revision

Optional

string

The iteration of the package build from the above version.

vulnerability.details[].affectedVersionStart

Optional

object

The version number at the start of an interval in which this vulnerability exists. A vulnerability can affect a package between version numbers that are disjoint sets of intervals (example: ) each of which will be represented in its own Detail. If a specific affected version is provided by a vulnerability database, affected_version_start and affected_version_end will be the same in that Detail.

vulnerability.details[].affectedVersionStart.epoch

Optional

integer

Used to correct mistakes in the version numbering scheme.

vulnerability.details[].affectedVersionStart.fullName

Optional

string

Human readable version string. This string is of the form :- and is only set when kind is NORMAL.

vulnerability.details[].affectedVersionStart.kind

Required*

string

Required. Distinguishes between sentinel MIN/MAX versions and normal versions. Possible values: NOTE_KIND_UNSPECIFIED, VULNERABILITY, BUILD, IMAGE, PACKAGE, DEPLOYMENT, DISCOVERY, ATTESTATION, UPGRADE

vulnerability.details[].affectedVersionStart.name

Optional

string

Required only when version kind is NORMAL. The main part of the version name.

vulnerability.details[].affectedVersionStart.revision

Optional

string

The iteration of the package build from the above version.

vulnerability.details[].description

Optional

string

A vendor-specific description of this vulnerability.

vulnerability.details[].fixedCpeUri

Optional

string

The distro recommended (https://cpe.mitre.org/specification/) to update to that contains a fix for this vulnerability. It is possible for this to be different from the affected_cpe_uri.

vulnerability.details[].fixedPackage

Optional

string

The distro recommended package to update to that contains a fix for this vulnerability. It is possible for this to be different from the affected_package.

vulnerability.details[].fixedVersion

Optional

object

The distro recommended version to update to that contains a fix for this vulnerability. Setting this to VersionKind.MAXIMUM means no such version is yet available.

vulnerability.details[].fixedVersion.epoch

Optional

integer

Used to correct mistakes in the version numbering scheme.

vulnerability.details[].fixedVersion.fullName

Optional

string

Human readable version string. This string is of the form :- and is only set when kind is NORMAL.

vulnerability.details[].fixedVersion.kind

Required*

string

Required. Distinguishes between sentinel MIN/MAX versions and normal versions. Possible values: NOTE_KIND_UNSPECIFIED, VULNERABILITY, BUILD, IMAGE, PACKAGE, DEPLOYMENT, DISCOVERY, ATTESTATION, UPGRADE

vulnerability.details[].fixedVersion.name

Optional

string

Required only when version kind is NORMAL. The main part of the version name.

vulnerability.details[].fixedVersion.revision

Optional

string

The iteration of the package build from the above version.

vulnerability.details[].isObsolete

Optional

boolean

Whether this detail is obsolete. Occurrences are expected not to point to obsolete details.

vulnerability.details[].packageType

Optional

string

The type of package; whether native or non native (e.g., ruby gems, node.js packages, etc.).

vulnerability.details[].severityName

Optional

string

The distro assigned severity of this vulnerability.

vulnerability.details[].sourceUpdateTime

Optional

string

The time this information was last changed at the source. This is an upstream timestamp from the underlying information source - e.g. Ubuntu security tracker.

vulnerability.severity

Optional

string

The note provider assigned severity of this vulnerability. Possible values: SEVERITY_UNSPECIFIED, MINIMAL, LOW, MEDIUM, HIGH, CRITICAL

vulnerability.sourceUpdateTime

Optional

string

The time this information was last changed at the source. This is an upstream timestamp from the underlying information source - e.g. Ubuntu security tracker.

vulnerability.windowsDetails

Optional

list (object)

Windows details get their own format because the information format and model don't match a normal detail. Specifically Windows updates are done as patches, thus Windows vulnerabilities really are a missing package, rather than a package being at an incorrect version.

vulnerability.windowsDetails[]

Optional

object

vulnerability.windowsDetails[].cpeUri

Required*

string

Required. The (https://cpe.mitre.org/specification/) this vulnerability affects.

vulnerability.windowsDetails[].description

Optional

string

The description of this vulnerability.

vulnerability.windowsDetails[].fixingKbs

Required*

list (object)

Required. The names of the KBs which have hotfixes to mitigate this vulnerability. Note that there may be multiple hotfixes (and thus multiple KBs) that mitigate a given vulnerability. Currently any listed KBs presence is considered a fix.

vulnerability.windowsDetails[].fixingKbs[]

Required*

object

vulnerability.windowsDetails[].fixingKbs[].name

Optional

string

The KB name (generally of the form KB+ (e.g., KB123456)).

vulnerability.windowsDetails[].fixingKbs[].url

Optional

string

A link to the KB in the (https://www.catalog.update.microsoft.com/).

vulnerability.windowsDetails[].name

Required*

string

Required. The name of this vulnerability.

* Field is required when parent field is specified

Status

Schema

conditions:
- lastTransitionTime: string
  message: string
  reason: string
  status: string
  type: string
createTime: string
image:
  fingerprint:
    v2Name: string
observedGeneration: integer
updateTime: string
Fields
conditions

list (object)

Conditions represent the latest available observation of the resource's current state.

conditions[]

object

conditions[].lastTransitionTime

string

Last time the condition transitioned from one status to another.

conditions[].message

string

Human-readable message indicating details about last transition.

conditions[].reason

string

Unique, one-word, CamelCase reason for the condition's last transition.

conditions[].status

string

Status is the status of the condition. Can be True, False, Unknown.

conditions[].type

string

Type is the type of the condition.

createTime

string

Output only. The time this note was created. This field can be used as a filter in list requests.

image

object

image.fingerprint

object

image.fingerprint.v2Name

string

Output only. The name of the image's v2 blobs computed via: ) Only the name of the final blob is kept.

observedGeneration

integer

ObservedGeneration is the generation of the resource that was most recently observed by the Config Connector controller. If this is equal to metadata.generation, then that means that the current reported status reflects the most recent desired state of the resource.

updateTime

string

Output only. The time this note was last updated. This field can be used as a filter in list requests.

Sample YAML(s)

Typical Use Case

# Copyright 2020 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

apiVersion: containeranalysis.cnrm.cloud.google.com/v1beta1
kind: ContainerAnalysisNote
metadata:
  name: containeranalysisnote-sample
spec:
  shortDescription: "short description"
  longDescription: "long description"
  relatedUrl:
  - url: "some.url"
    label: "test"
  - url: "google.com"
    label: "google"
  attestation:
    hint:
      humanReadableName: "Attestor Note"