REST Resource: projects.notes

Resource: Note

A type of analysis that can be done for a resource.

JSON representation
{
  "name": string,
  "shortDescription": string,
  "longDescription": string,
  "kind": enum (NoteKind),
  "relatedUrl": [
    {
      object (RelatedUrl)
    }
  ],
  "expirationTime": string,
  "createTime": string,
  "updateTime": string,
  "relatedNoteNames": [
    string
  ],

  // Union field type can be only one of the following:
  "vulnerability": {
    object (VulnerabilityNote)
  },
  "build": {
    object (BuildNote)
  },
  "image": {
    object (ImageNote)
  },
  "package": {
    object (PackageNote)
  },
  "deployment": {
    object (DeploymentNote)
  },
  "discovery": {
    object (DiscoveryNote)
  },
  "attestation": {
    object (AttestationNote)
  },
  "upgrade": {
    object (UpgradeNote)
  },
  "compliance": {
    object (ComplianceNote)
  },
  "dsseAttestation": {
    object (DSSEAttestationNote)
  },
  "vulnerabilityAssessment": {
    object (VulnerabilityAssessmentNote)
  },
  "sbomReference": {
    object (SBOMReferenceNote)
  }
  // End of list of possible types for union field type.
}
Fields
name

string

Output only. The name of the note in the form of projects/[PROVIDER_ID]/notes/[NOTE_ID].

shortDescription

string

A one sentence description of this note.

longDescription

string

A detailed description of this note.

kind

enum (NoteKind)

Output only. The type of analysis. This field can be used as a filter in list requests.

relatedUrl[]

object (RelatedUrl)

URLs associated with this note.

expirationTime

string (Timestamp format)

Time of expiration for this note. Empty if note does not expire.

A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

createTime

string (Timestamp format)

Output only. The time this note was created. This field can be used as a filter in list requests.

A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

updateTime

string (Timestamp format)

Output only. The time this note was last updated. This field can be used as a filter in list requests.

A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

relatedNoteNames[]

string

Other notes related to this note.

Union field type. Required. Immutable. The type of analysis this note represents. type can be only one of the following:
vulnerability

object (VulnerabilityNote)

A note describing a package vulnerability.

build

object (BuildNote)

A note describing build provenance for a verifiable build.

image

object (ImageNote)

A note describing a base image.

package

object (PackageNote)

A note describing a package hosted by various package managers.

deployment

object (DeploymentNote)

A note describing something that can be deployed.

discovery

object (DiscoveryNote)

A note describing the initial analysis of a resource.

attestation

object (AttestationNote)

A note describing an attestation role.

upgrade

object (UpgradeNote)

A note describing available package upgrades.

compliance

object (ComplianceNote)

A note describing a compliance check.

dsseAttestation

object (DSSEAttestationNote)

A note describing a DSSE attestation.

vulnerabilityAssessment

object (VulnerabilityAssessmentNote)

A note describing a vulnerability assessment.

sbomReference

object (SBOMReferenceNote)

A note describing an SBOM reference.

VulnerabilityNote

A security vulnerability that can be found in resources.

JSON representation
{
  "cvssScore": number,
  "severity": enum (Severity),
  "details": [
    {
      object (Detail)
    }
  ],
  "cvssV3": {
    object (CVSSv3)
  },
  "windowsDetails": [
    {
      object (WindowsDetail)
    }
  ],
  "sourceUpdateTime": string,
  "cvssVersion": enum (CVSSVersion),
  "cvssV2": {
    object (CVSS)
  }
}
Fields
cvssScore

number

The CVSS score of this vulnerability. CVSS score is on a scale of 0 - 10 where 0 indicates low severity and 10 indicates high severity.

severity

enum (Severity)

The note provider assigned severity of this vulnerability.

details[]

object (Detail)

Details of all known distros and packages affected by this vulnerability.

cvssV3

object (CVSSv3)

The full description of the CVSSv3 for this vulnerability.

windowsDetails[]

object (WindowsDetail)

Windows details get their own format because the information format and model don't match a normal detail. Specifically, Windows updates are done as patches, thus Windows vulnerabilities really are a missing package, rather than a package being at an incorrect version.

sourceUpdateTime

string (Timestamp format)

The time this information was last changed at the source. This is an upstream timestamp from the underlying information source, e.g. the Ubuntu security tracker.

A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

cvssVersion

enum (CVSSVersion)

CVSS version used to populate cvssScore and severity.

cvssV2

object (CVSS)

The full description of the v2 CVSS for this vulnerability.

Detail

A detail for a distro and package affected by this vulnerability and its associated fix (if one is available).

JSON representation
{
  "severityName": string,
  "description": string,
  "packageType": string,
  "affectedCpeUri": string,
  "affectedPackage": string,
  "affectedVersionStart": {
    object (Version)
  },
  "affectedVersionEnd": {
    object (Version)
  },
  "fixedCpeUri": string,
  "fixedPackage": string,
  "fixedVersion": {
    object (Version)
  },
  "isObsolete": boolean,
  "sourceUpdateTime": string,
  "source": string,
  "vendor": string
}
Fields
severityName

string

The distro assigned severity of this vulnerability.

description

string

A vendor-specific description of this vulnerability.

packageType

string

The type of package; whether native or non-native (e.g., ruby gems, node.js packages, etc.).

affectedCpeUri

string

Required. The CPE URI this vulnerability affects.

affectedPackage

string

Required. The package this vulnerability affects.

affectedVersionStart

object (Version)

The version number at the start of an interval in which this vulnerability exists. A vulnerability can affect a package between version numbers that are disjoint sets of intervals (example: [1.0.0-1.1.0], [2.4.6-2.4.8] and [4.5.6-4.6.8]) each of which will be represented in its own Detail. If a specific affected version is provided by a vulnerability database, affectedVersionStart and affectedVersionEnd will be the same in that Detail.

affectedVersionEnd

object (Version)

The version number at the end of an interval in which this vulnerability exists. A vulnerability can affect a package between version numbers that are disjoint sets of intervals (example: [1.0.0-1.1.0], [2.4.6-2.4.8] and [4.5.6-4.6.8]) each of which will be represented in its own Detail. If a specific affected version is provided by a vulnerability database, affectedVersionStart and affectedVersionEnd will be the same in that Detail.

fixedCpeUri

string

The distro recommended CPE URI to update to that contains a fix for this vulnerability. It is possible for this to be different from the affectedCpeUri.

fixedPackage

string

The distro recommended package to update to that contains a fix for this vulnerability. It is possible for this to be different from the affectedPackage.

fixedVersion

object (Version)

The distro recommended version to update to that contains a fix for this vulnerability. Setting this to VersionKind.MAXIMUM means no such version is yet available.

isObsolete

boolean

Whether this detail is obsolete. Occurrences are expected not to point to obsolete details.

sourceUpdateTime

string (Timestamp format)

The time this information was last changed at the source. This is an upstream timestamp from the underlying information source, e.g. the Ubuntu security tracker.

A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

source

string

The source from which the information in this Detail was obtained.

vendor

string

The name of the vendor of the product.
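
Added example, not part of this API reference: evaluating the details[] of a VulnerabilityNote against one installed package, using the interval semantics described above (disjoint intervals, one per Detail; start equal to end for one exact version; fixedVersion of kind MAXIMUM meaning no fix yet). It assumes the Version message has the Grafeas v1 fields epoch, name, revision, kind and inclusive, which this page references but does not define, and its version ordering is a simplification of the distro-specific rules.

```python
# Added example (not part of this API reference). Assumes the Version message
# has the Grafeas v1 fields epoch, name, revision, kind (VersionKind) and
# inclusive, which this page references but does not define. Version ordering
# below is a simplification of distro-specific rules (dpkg/rpm), not a full
# implementation of them.
import re
from typing import Optional

_RANK = {"MINIMUM": -1, "NORMAL": 0, "MAXIMUM": 1}

def _chunks(name: str) -> list:
    """Split a version name into chunks: numeric runs compare as ints, rest as str."""
    return [(int(p), "") if p.isdigit() else (-1, p)
            for p in re.split(r"[.\-+~]", name) if p]

def compare(a: dict, b: dict) -> int:
    """Return -1/0/1 for Version a <, ==, > Version b. The MINIMUM and MAXIMUM
    sentinel kinds sort below and above every NORMAL version."""
    ka, kb = _RANK.get(a.get("kind"), 0), _RANK.get(b.get("kind"), 0)
    if ka != kb or ka != 0:
        return (ka > kb) - (ka < kb)
    ta = (a.get("epoch", 0), _chunks(a["name"]), a.get("revision", ""))
    tb = (b.get("epoch", 0), _chunks(b["name"]), b.get("revision", ""))
    return (ta > tb) - (ta < tb)

def detail_matches(detail: dict, cpe_uri: str, package: str, installed: dict) -> bool:
    """True when this Detail covers the installed version. Start == end names one
    exact version; otherwise start is inclusive and end is inclusive only when its
    Version carries inclusive=true. Obsolete or non-matching details never match."""
    if detail.get("isObsolete"):
        return False
    if detail["affectedCpeUri"] != cpe_uri or detail["affectedPackage"] != package:
        return False
    start, end = detail.get("affectedVersionStart"), detail.get("affectedVersionEnd")
    if start and end and compare(start, end) == 0:
        return compare(installed, start) == 0
    if start and compare(installed, start) < 0:
        return False
    if end:
        c = compare(installed, end)
        if c > 0 or (c == 0 and not end.get("inclusive", False)):
            return False
    return True

def fix_for(detail: dict) -> Optional[str]:
    """Recommended package@version, or None when fixedVersion.kind is MAXIMUM,
    which the page defines as 'no fixed version available yet'."""
    fv = detail.get("fixedVersion")
    if not fv or fv.get("kind") == "MAXIMUM":
        return None
    return f"{detail.get('fixedPackage') or detail['affectedPackage']}@{fv['name']}"

def assess(vuln_note: dict, cpe_uri: str, package: str, installed: dict) -> dict:
    """Evaluate every Detail of a VulnerabilityNote against one installed package."""
    hits = [d for d in vuln_note.get("details", [])
            if detail_matches(d, cpe_uri, package, installed)]
    return {"affected": bool(hits), "fixes": [fix_for(d) for d in hits]}

# Constructed sample VulnerabilityNote (not real advisory data): two disjoint
# affected intervals, one with a fix and one without, plus an obsolete detail.
CPE = "cpe:/o:debian:debian_linux:11"
SAMPLE_NOTE = {"details": [
    {"affectedCpeUri": CPE, "affectedPackage": "examplelib",
     "affectedVersionStart": {"name": "1.1.1k", "kind": "NORMAL"},
     "affectedVersionEnd": {"name": "1.1.1n", "kind": "NORMAL"},
     "fixedPackage": "examplelib", "fixedVersion": {"name": "1.1.1n", "kind": "NORMAL"}},
    {"affectedCpeUri": CPE, "affectedPackage": "examplelib",
     "affectedVersionStart": {"name": "3.0.0", "kind": "NORMAL"},
     "affectedVersionEnd": {"name": "3.0.7", "kind": "NORMAL"},
     "fixedVersion": {"kind": "MAXIMUM"}},
    {"affectedCpeUri": CPE, "affectedPackage": "examplelib", "isObsolete": True},
]}

if __name__ == "__main__":
    for v in ("1.1.1l", "1.1.1n", "3.0.2", "2.0"):
        print(v, assess(SAMPLE_NOTE, CPE, "examplelib", {"name": v, "kind": "NORMAL"}))
```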

CVSSv3

Common Vulnerability Scoring System version 3. For details, see https://www.first.org/cvss/specification-document

JSON representation
{
  "baseScore": number,
  "exploitabilityScore": number,
  "impactScore": number,
  "attackVector": enum (AttackVector),
  "attackComplexity": enum (AttackComplexity),
  "privilegesRequired": enum (PrivilegesRequired),
  "userInteraction": enum (UserInteraction),
  "scope": enum (Scope),
  "confidentialityImpact": enum (Impact),
  "integrityImpact": enum (Impact),
  "availabilityImpact": enum (Impact)
}
Fields
baseScore

number

The base score is a function of the base metric scores.

exploitabilityScore

number

impactScore

number

attackVector

enum (AttackVector)

Base Metrics: represents the intrinsic characteristics of a vulnerability that are constant over time and across user environments.

attackComplexity

enum (AttackComplexity)

privilegesRequired

enum (PrivilegesRequired)

userInteraction

enum (UserInteraction)

scope

enum (Scope)

confidentialityImpact

enum (Impact)

integrityImpact

enum (Impact)

availabilityImpact

enum (Impact)

AttackVector

Enums
ATTACK_VECTOR_UNSPECIFIED
ATTACK_VECTOR_NETWORK
ATTACK_VECTOR_ADJACENT
ATTACK_VECTOR_LOCAL
ATTACK_VECTOR_PHYSICAL

AttackComplexity

Enums
ATTACK_COMPLEXITY_UNSPECIFIED
ATTACK_COMPLEXITY_LOW
ATTACK_COMPLEXITY_HIGH

PrivilegesRequired

Enums
PRIVILEGES_REQUIRED_UNSPECIFIED
PRIVILEGES_REQUIRED_NONE
PRIVILEGES_REQUIRED_LOW
PRIVILEGES_REQUIRED_HIGH

UserInteraction

Enums
USER_INTERACTION_UNSPECIFIED
USER_INTERACTION_NONE
USER_INTERACTION_REQUIRED

Scope

Enums
SCOPE_UNSPECIFIED
SCOPE_UNCHANGED
SCOPE_CHANGED

Impact

Enums
IMPACT_UNSPECIFIED
IMPACT_HIGH
IMPACT_LOW
IMPACT_NONE
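
Added example, not part of this API reference: recomputing the base, exploitability and impact scores of a CVSSv3 object from the metric enum names listed above, following the FIRST CVSS v3.1 specification linked in the CVSSv3 description, so that a provider's stored baseScore can be checked against its own metrics. The Severity enum is not defined on this page, so the qualitative labels used here are the CVSS v3.1 scale, and the sample objects are constructed.

```python
# Added example (not part of this API reference): CVSS v3.1 base score
# arithmetic from the FIRST specification, keyed by this API's enum names.
# Weights and formulas are those of the CVSS v3.1 specification document.
import math

AV = {"ATTACK_VECTOR_NETWORK": 0.85, "ATTACK_VECTOR_ADJACENT": 0.62,
      "ATTACK_VECTOR_LOCAL": 0.55, "ATTACK_VECTOR_PHYSICAL": 0.20}
AC = {"ATTACK_COMPLEXITY_LOW": 0.77, "ATTACK_COMPLEXITY_HIGH": 0.44}
# PrivilegesRequired weights depend on Scope: (unchanged, changed)
PR = {"PRIVILEGES_REQUIRED_NONE": (0.85, 0.85),
      "PRIVILEGES_REQUIRED_LOW": (0.62, 0.68),
      "PRIVILEGES_REQUIRED_HIGH": (0.27, 0.50)}
UI = {"USER_INTERACTION_NONE": 0.85, "USER_INTERACTION_REQUIRED": 0.62}
SCOPE_CHANGED = {"SCOPE_UNCHANGED": False, "SCOPE_CHANGED": True}
CIA = {"IMPACT_HIGH": 0.56, "IMPACT_LOW": 0.22, "IMPACT_NONE": 0.0}

def roundup(x: float) -> float:
    """CVSS v3.1 Roundup: smallest one-decimal value >= x, done in integer
    arithmetic as the spec recommends to avoid floating-point artefacts."""
    i = round(x * 100000)
    if i % 10000 == 0:
        return i / 100000.0
    return (math.floor(i / 10000) + 1) / 10.0

def cvss_v3_scores(m: dict) -> dict:
    """m is a CVSSv3 JSON object. A missing or *_UNSPECIFIED metric leaves the
    score undefined, so it is rejected rather than guessed."""
    try:
        changed = SCOPE_CHANGED[m["scope"]]
        av, ac, ui = AV[m["attackVector"]], AC[m["attackComplexity"]], UI[m["userInteraction"]]
        pr = PR[m["privilegesRequired"]][changed]
        c, i, a = (CIA[m[k]] for k in ("confidentialityImpact", "integrityImpact", "availabilityImpact"))
    except KeyError as e:
        raise ValueError(f"metric missing or unspecified: {e}") from None
    iss = 1 - (1 - c) * (1 - i) * (1 - a)
    impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15 if changed else 6.42 * iss
    exploitability = 8.22 * av * ac * pr * ui
    if impact <= 0:
        base = 0.0
    else:
        base = roundup(min((1.08 if changed else 1.0) * (impact + exploitability), 10))
    return {"baseScore": base, "exploitabilityScore": roundup(exploitability),
            "impactScore": roundup(max(impact, 0.0))}

def qualitative_rating(score: float) -> str:
    """CVSS v3.1 qualitative severity scale (not this API's Severity enum)."""
    for limit, label in ((0.0, "None"), (3.9, "Low"), (6.9, "Medium"), (8.9, "High")):
        if score <= limit:
            return label
    return "Critical"

def provider_score_is_consistent(cvss_v3: dict) -> bool:
    """True when the baseScore stored in a note's cvssV3 object equals the value
    recomputed from that object's own metrics."""
    return cvss_v3_scores(cvss_v3)["baseScore"] == cvss_v3["baseScore"]

# Constructed sample cvssV3 objects (not taken from any real advisory).
RCE_LIKE = {"baseScore": 9.8, "attackVector": "ATTACK_VECTOR_NETWORK",
            "attackComplexity": "ATTACK_COMPLEXITY_LOW",
            "privilegesRequired": "PRIVILEGES_REQUIRED_NONE",
            "userInteraction": "USER_INTERACTION_NONE", "scope": "SCOPE_UNCHANGED",
            "confidentialityImpact": "IMPACT_HIGH", "integrityImpact": "IMPACT_HIGH",
            "availabilityImpact": "IMPACT_HIGH"}
SCOPE_CHANGE_LIKE = {"baseScore": 5.4, "attackVector": "ATTACK_VECTOR_NETWORK",
            "attackComplexity": "ATTACK_COMPLEXITY_LOW",
            "privilegesRequired": "PRIVILEGES_REQUIRED_LOW",
            "userInteraction": "USER_INTERACTION_REQUIRED", "scope": "SCOPE_CHANGED",
            "confidentialityImpact": "IMPACT_LOW", "integrityImpact": "IMPACT_LOW",
            "availabilityImpact": "IMPACT_NONE"}
```

A provider's cvssScore is documented above as populated per cvssVersion, so this check applies to the cvssV3 object, not to a cvssScore derived from CVSS v2.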

WindowsDetail

JSON representation
{
  "cpeUri": string,
  "name": string,
  "description": string,
  "fixingKbs": [
    {
      object (KnowledgeBase)
    }
  ]
}
Fields
cpeUri

string

Required. The CPE URI this vulnerability affects.

name

string

Required. The name of this vulnerability.

description

string

The description of this vulnerability.

fixingKbs[]

object (KnowledgeBase)

Required. The names of the KBs which have hotfixes to mitigate this vulnerability. Note that there may be multiple hotfixes (and thus multiple KBs) that mitigate a given vulnerability. Currently the presence of any listed KB is considered a fix.

KnowledgeBase

JSON representation
{
  "name": string,
  "url": string
}
Fields
name

string

The KB name (generally of the form KB[0-9]+ (e.g., KB123456)).

url

string

A link to the KB in the Windows update catalog.

BuildNote

Note holding the version of the provider's builder and the signature of the provenance message in the build details occurrence.

JSON representation
{
  "builderVersion": string
}
Fields
builderVersion

string

Required. Immutable. Version of the builder which produced this build.

ImageNote

Basis describes the base image portion (Note) of the DockerImage relationship. Linked occurrences are derived from this or an equivalent image via FROM <Basis.resource_url> or an equivalent reference, e.g., a tag of the resourceUrl.

JSON representation
{
  "resourceUrl": string,
  "fingerprint": {
    object (Fingerprint)
  }
}
Fields
resourceUrl

string

Required. Immutable. The resourceUrl for the resource representing the basis of associated occurrence images.

fingerprint

object (Fingerprint)

Required. Immutable. The fingerprint of the base image.

PackageNote

PackageNote represents a particular package version.

JSON representation
{
  "name": string,
  "distribution": [
    {
      object (Distribution)
    }
  ],
  "packageType": string,
  "cpeUri": string,
  "architecture": enum (Architecture),
  "version": {
    object (Version)
  },
  "maintainer": string,
  "url": string,
  "description": string,
  "license": {
    object (License)
  },
  "digest": [
    {
      object (Digest)
    }
  ]
}
Fields
name

string

Required. Immutable. The name of the package.

distribution[]

object (Distribution)

Deprecated. The various channels by which a package is distributed.

packageType

string

The type of package; whether native or non-native (e.g., ruby gems, node.js packages, etc.).

cpeUri

string

The cpeUri in CPE format denoting the package manager version distributing a package. The cpeUri will be blank for language packages.

architecture

enum (Architecture)

The CPU architecture for which packages in this distribution channel were built. Architecture will be blank for language packages.

version

object (Version)

The version of the package.

maintainer

string

A freeform text denoting the maintainer of this package.

url

string

The homepage for this package.

description

string

The description of this package.

license

object (License)

Licenses that have been declared by the authors of the package.

digest[]

object (Digest)

Hash value, typically a file digest, that allows unique identification of a specific package.

Distribution

This represents a particular channel of distribution for a given package. E.g., Debian's jessie-backports dpkg mirror.

JSON representation
{
  "cpeUri": string,
  "architecture": enum (Architecture),
  "latestVersion": {
    object (Version)
  },
  "maintainer": string,
  "url": string,
  "description": string
}
Fields
cpeUri

string

Required. The cpeUri in CPE format denoting the package manager version distributing a package.

architecture

enum (Architecture)

The CPU architecture for which packages in this distribution channel were built.

latestVersion

object (Version)

The latest available version of this package in this distribution channel.

maintainer

string

A freeform string denoting the maintainer of this package.

url

string

The distribution channel-specific homepage for this package.

description

string

The distribution channel-specific description of this package.

Digest

Digest information.

JSON representation
{
  "algo": string,
  "digestBytes": string
}
Fields
algo

string

SHA1, SHA512 etc.

digestBytes

string (bytes format)

Value of the digest.

A base64-encoded string.

DeploymentNote

An artifact that can be deployed in some runtime.

JSON representation
{
  "resourceUri": [
    string
  ]
}
Fields
resourceUri[]

string

Required. Resource URI for the artifact being deployed.

DiscoveryNote

A note that indicates a type of analysis a provider would perform. This note exists in a provider's project. A Discovery occurrence is created in a consumer's project at the start of analysis.

JSON representation
{
  "analysisKind": enum (NoteKind)
}
Fields
analysisKind

enum (NoteKind)

Required. Immutable. The kind of analysis that is handled by this discovery.

AttestationNote

Note kind that represents a logical attestation "role" or "authority". For example, an organization might have one Authority for "QA" and one for "build". This note is intended to act strictly as a grouping mechanism for the attached occurrences (Attestations). This grouping mechanism also provides a security boundary, since IAM ACLs gate the ability for a principal to attach an occurrence to a given note. It also provides a single point of lookup to find all attached attestation occurrences, even if they don't all live in the same project.

JSON representation
{
  "hint": {
    object (Hint)
  }
}
Fields
hint

object (Hint)

Hint hints at the purpose of the attestation authority.

Hint

This submessage provides human-readable hints about the purpose of the authority. Because the name of a note acts as its resource reference, it is important to disambiguate the canonical name of the Note (which might be a UUID for security purposes) from "readable" names more suitable for debug output. Note that these hints should not be used to look up authorities in security sensitive contexts, such as when looking up attestations to verify.

JSON representation
{
  "humanReadableName": string
}
Fields
humanReadableName

string

Required. The human readable name of this attestation authority, for example "qa".

UpgradeNote

An Upgrade Note represents a potential upgrade of a package to a given version. For each package version combination (i.e. bash 4.0, bash 4.1, bash 4.1.2), there will be an Upgrade Note. For Windows, the windowsUpdate field represents the information related to the update.

JSON representation
{
  "package": string,
  "version": {
    object (Version)
  },
  "distributions": [
    {
      object (UpgradeDistribution)
    }
  ],
  "windowsUpdate": {
    object (WindowsUpdate)
  }
}
Fields
package

string

Required for non-Windows OS. The package this Upgrade is for.

version

object (Version)

Required for non-Windows OS. The version of the package in machine + human readable form.

distributions[]

object (UpgradeDistribution)

Metadata about the upgrade for each specific operating system.

windowsUpdate

object (WindowsUpdate)

Required for Windows OS. Represents the metadata about the Windows update.

ComplianceNote

JSON representation
{
  "title": string,
  "description": string,
  "version": [
    {
      object (ComplianceVersion)
    }
  ],
  "rationale": string,
  "remediation": string,
  "scanInstructions": string,

  // Union field compliance_type can be only one of the following:
  "cisBenchmark": {
    object (CisBenchmark)
  }
  // End of list of possible types for union field compliance_type.
}
Fields
title

string

The title that identifies this compliance check.

description

string

A description about this compliance check.

version[]

object (ComplianceVersion)

The OS and config versions the benchmark applies to.

rationale

string

A rationale for the existence of this compliance check.

remediation

string

A description of remediation steps if the compliance check fails.

scanInstructions

string (bytes format)

Serialized scan instructions with a predefined format.

A base64-encoded string.

Union field compliance_type.

compliance_type can be only one of the following:

cisBenchmark

object (CisBenchmark)

ComplianceVersion

Describes the CIS benchmark version that is applicable to a given OS and OS version.

JSON representation
{
  "cpeUri": string,
  "benchmarkDocument": string,
  "version": string
}
Fields
cpeUri

string

The CPE URI (https://cpe.mitre.org/specification/) this benchmark is applicable to.

benchmarkDocument

string

The name of the document that defines this benchmark, e.g. "CIS Container-Optimized OS".

version

string

The version of the benchmark. This is set to the version of the OS-specific CIS document the benchmark is defined in.

CisBenchmark

A compliance check that is a CIS benchmark.

JSON representation
{
  "profileLevel": integer,
  "severity": enum (Severity)
}
Fields
profileLevel

integer

severity

enum (Severity)

DSSEAttestationNote

JSON representation
{
  "hint": {
    object (DSSEHint)
  }
}
Fields
hint

object (DSSEHint)

DSSEHint hints at the purpose of the attestation authority.

DSSEHint

This submessage provides human-readable hints about the purpose of the authority. Because the name of a note acts as its resource reference, it is important to disambiguate the canonical name of the Note (which might be a UUID for security purposes) from "readable" names more suitable for debug output. Note that these hints should not be used to look up authorities in security sensitive contexts, such as when looking up attestations to verify.

JSON representation
{
  "humanReadableName": string
}
Fields
humanReadableName

string

Required. The human readable name of this attestation authority, for example "cloudbuild-prod".

VulnerabilityAssessmentNote

A single VulnerabilityAssessmentNote represents one particular product's vulnerability assessment for one CVE.

JSON representation
{
  "title": string,
  "shortDescription": string,
  "longDescription": string,
  "languageCode": string,
  "publisher": {
    object (Publisher)
  },
  "product": {
    object (Product)
  },
  "assessment": {
    object (Assessment)
  }
}
Fields
title

string

The title of the note. E.g. Vex-Debian-11.4

shortDescription

string

A one sentence description of this Vex.

longDescription

string

A detailed description of this Vex.

languageCode

string

Identifies the language used by this document, corresponding to IETF BCP 47 / RFC 5646.

publisher

object (Publisher)

Publisher details of this Note.

product

object (Product)

The product affected by this vex.

assessment

object (Assessment)

Represents a vulnerability assessment for the product.

Publisher

Publisher contains information about the publisher of this Note.

JSON representation
{
  "name": string,
  "issuingAuthority": string,
  "publisherNamespace": string
}
Fields
name

string

Name of the publisher. Examples: 'Google', 'Google Cloud Platform'.

issuingAuthority

string

Provides information about the authority of the issuing party to release the document, in particular, the party's constituency and responsibilities or other obligations.

publisherNamespace

string

The context or namespace. Contains a URL which is under control of the issuing party and can be used as a globally unique identifier for that issuing party. Example: https://csaf.io

Product

Product contains information about a product and how to uniquely identify it.

JSON representation
{
  "name": string,
  "id": string,

  // Union field identifier can be only one of the following:
  "genericUri": string
  // End of list of possible types for union field identifier.
}
Fields
name

string

Name of the product.

id

string

Token that identifies a product so that it can be referred to from other parts in the document. There is no predefined format as long as it uniquely identifies a group in the context of the current document.

Union field identifier.

identifier can be only one of the following:

genericUri

string

Contains a URI which is vendor-specific. Example: The artifact repository URL of an image.

Assessment

Assessment provides all information that is related to a single vulnerability for this product.

JSON representation
{
  "cve": string,
  "shortDescription": string,
  "longDescription": string,
  "relatedUris": [
    {
      object (RelatedUrl)
    }
  ],
  "state": enum (State),
  "impacts": [
    string
  ],
  "justification": {
    object (Justification)
  },
  "remediations": [
    {
      object (Remediation)
    }
  ]
}
Fields
cve

string

Holds the MITRE standard Common Vulnerabilities and Exposures (CVE) tracking number for the vulnerability.

shortDescription

string

A one sentence description of this Vex.

longDescription

string

A detailed description of this Vex.

relatedUris[]

object (RelatedUrl)

Holds a list of references associated with this vulnerability item and assessment. These URIs have additional information about the vulnerability and the assessment itself, e.g. a link to a document which details how this assessment concluded the state of this vulnerability.

state

enum (State)

Provides the state of this Vulnerability assessment.

impacts[]

string

Contains information about the impact of this vulnerability; this will change over time.

justification

object (Justification)

Justification provides the justification when the state of the assessment is NOT_AFFECTED.

remediations[]

object (Remediation)

Specifies details on how to handle (and presumably, fix) a vulnerability.

SBOMReferenceNote

The note representing an SBOM reference.

JSON representation
{
  "format": string,
  "version": string
}
Fields
format

string

The format that the SBOM takes, e.g. spdx or cyclonedx.

version

string

The version of the format that the SBOM takes. E.g. if the format is spdx, the version may be 2.3.

Methods

batchCreate

Creates new notes in batch.

create

Creates a new note.

delete

Deletes the specified note.

get

Gets the specified note.

getIamPolicy

Gets the access control policy for a note or an occurrence resource.

list

Lists notes for the specified project.

patch

Updates the specified note.

setIamPolicy

Sets the access control policy on the specified note or occurrence.

testIamPermissions

Returns the permissions that a caller has on the specified note or occurrence.