REST Resource: projects.notes

Resource: Note

A type of analysis that can be done for a resource.

JSON representation 
{
  "name": string,
  "shortDescription": string,
  "longDescription": string,
  "kind": enum (NoteKind),
  "relatedUrl": [
    {
      object (RelatedUrl)
    }
  ],
  "expirationTime": string,
  "createTime": string,
  "updateTime": string,
  "relatedNoteNames": [
    string
  ],

  // Union field type can be only one of the following:
  "vulnerability": {
    object (Vulnerability)
  },
  "build": {
    object (Build)
  },
  "baseImage": {
    object (Basis)
  },
  "package": {
    object (Package)
  },
  "deployable": {
    object (Deployable)
  },
  "discovery": {
    object (Discovery)
  },
  "attestationAuthority": {
    object (Authority)
  },
  "intoto": {
    object (InToto)
  }
  // End of list of possible types for union field type.
}
Fields
name

string

Output only. The name of the note in the form of projects/[PROVIDER_ID]/notes/[NOTE_ID].
shortDescription

string

A one sentence description of this note.
longDescription

string

A detailed description of this note.
kind

enum (NoteKind)

Output only. The type of analysis. This field can be used as a filter in list requests.
relatedUrl[]

object (RelatedUrl)

URLs associated with this note.
expirationTime

string (Timestamp format)

Time of expiration for this note. Empty if note does not expire.

A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".
createTime

string (Timestamp format)

Output only. The time this note was created. This field can be used as a filter in list requests.

A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".
updateTime

string (Timestamp format)

Output only. The time this note was last updated. This field can be used as a filter in list requests.

A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".
relatedNoteNames[]

string

Other notes related to this note.
Union field type. Required. Immutable. The type of analysis this note represents. type can be only one of the following:
vulnerability

object (Vulnerability)

A note describing a package vulnerability.
build

object (Build)

A note describing build provenance for a verifiable build.
baseImage

object (Basis)

A note describing a base image.
package

object (Package)

A note describing a package hosted by various package managers.
deployable

object (Deployable)

A note describing something that can be deployed.
discovery

object (Discovery)

A note describing the initial analysis of a resource.
attestationAuthority

object (Authority)

A note describing an attestation role.
intoto

object (InToto)

A note describing an in-toto link.

Vulnerability

Vulnerability provides metadata about a security vulnerability in a Note.

JSON representation 
{
  "cvssScore": number,
  "severity": enum (Severity),
  "details": [
    {
      object (Detail)
    }
  ],
  "cvssV3": {
    object (CVSSv3)
  },
  "windowsDetails": [
    {
      object (WindowsDetail)
    }
  ],
  "sourceUpdateTime": string
}
Fields
cvssScore

number

The CVSS score for this vulnerability.
severity

enum (Severity)

Note provider assigned impact of the vulnerability.
details[]

object (Detail)

All information about the package to specifically identify this vulnerability. One entry per (version range and cpeUri) the package vulnerability has manifested in.
cvssV3

object (CVSSv3)

The full description of the CVSSv3.
windowsDetails[]

object (WindowsDetail)

Windows details get their own format because the information format and model don't match a normal detail. Specifically Windows updates are done as patches, thus Windows vulnerabilities really are a missing package, rather than a package being at an incorrect version.
sourceUpdateTime

string (Timestamp format)

The time this information was last changed at the source. This is an upstream timestamp from the underlying information source - e.g. Ubuntu security tracker.

A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

Detail

Identifies all appearances of this vulnerability in the package for a specific distro/location. For example: glibc in cpe:/o:debian:debian_linux:8 for versions 2.1 - 2.2

JSON representation 
{
  "cpeUri": string,
  "package": string,
  "minAffectedVersion": {
    object (Version)
  },
  "maxAffectedVersion": {
    object (Version)
  },
  "severityName": string,
  "description": string,
  "fixedLocation": {
    object (VulnerabilityLocation)
  },
  "packageType": string,
  "isObsolete": boolean,
  "sourceUpdateTime": string
}
Fields
cpeUri

string

Required. The CPE URI in cpe format in which the vulnerability manifests. Examples include distro or storage location for vulnerable jar.
package

string

Required. The name of the package where the vulnerability was found.
minAffectedVersion

object (Version)

The min version of the package in which the vulnerability exists.
maxAffectedVersion

object (Version)

The max version of the package in which the vulnerability exists.
severityName

string

The severity (eg: distro assigned severity) for this vulnerability.
description

string

A vendor-specific description of this note.
fixedLocation

object (VulnerabilityLocation)

The fix for this specific package version.
packageType

string

The type of package; whether native or non native(ruby gems, node.js packages etc).
isObsolete

boolean

Whether this detail is obsolete. Occurrences are expected not to point to obsolete details.
sourceUpdateTime

string (Timestamp format)

The time this information was last changed at the source. This is an upstream timestamp from the underlying information source - e.g. Ubuntu security tracker.

A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

CVSSv3

Common Vulnerability Scoring System version 3. For details, see https://www.first.org/cvss/specification-document

JSON representation 
{
  "baseScore": number,
  "exploitabilityScore": number,
  "impactScore": number,
  "attackVector": enum (AttackVector),
  "attackComplexity": enum (AttackComplexity),
  "privilegesRequired": enum (PrivilegesRequired),
  "userInteraction": enum (UserInteraction),
  "scope": enum (Scope),
  "confidentialityImpact": enum (Impact),
  "integrityImpact": enum (Impact),
  "availabilityImpact": enum (Impact)
}
Fields
baseScore

number

The base score is a function of the base metric scores.
exploitabilityScore

number
impactScore

number
attackVector

enum (AttackVector)

Base Metrics Represents the intrinsic characteristics of a vulnerability that are constant over time and across user environments.
attackComplexity

enum (AttackComplexity)
privilegesRequired

enum (PrivilegesRequired)
userInteraction

enum (UserInteraction)
scope

enum (Scope)
confidentialityImpact

enum (Impact)
integrityImpact

enum (Impact)
availabilityImpact

enum (Impact)

AttackVector

Enums
ATTACK_VECTOR_UNSPECIFIED
ATTACK_VECTOR_NETWORK
ATTACK_VECTOR_ADJACENT
ATTACK_VECTOR_LOCAL
ATTACK_VECTOR_PHYSICAL

AttackComplexity

Enums
ATTACK_COMPLEXITY_UNSPECIFIED
ATTACK_COMPLEXITY_LOW
ATTACK_COMPLEXITY_HIGH

PrivilegesRequired

Enums
PRIVILEGES_REQUIRED_UNSPECIFIED
PRIVILEGES_REQUIRED_NONE
PRIVILEGES_REQUIRED_LOW
PRIVILEGES_REQUIRED_HIGH

UserInteraction

Enums
USER_INTERACTION_UNSPECIFIED
USER_INTERACTION_NONE
USER_INTERACTION_REQUIRED

Scope

Enums
SCOPE_UNSPECIFIED
SCOPE_UNCHANGED
SCOPE_CHANGED

Impact

Enums
IMPACT_UNSPECIFIED
IMPACT_HIGH
IMPACT_LOW
IMPACT_NONE

WindowsDetail

JSON representation 
{
  "cpeUri": string,
  "name": string,
  "description": string,
  "fixingKbs": [
    {
      object (KnowledgeBase)
    }
  ]
}
Fields
cpeUri

string

Required. The CPE URI in cpe format in which the vulnerability manifests. Examples include distro or storage location for vulnerable jar.
name

string

Required. The name of the vulnerability.
description

string

The description of the vulnerability.
fixingKbs[]

object (KnowledgeBase)

Required. The names of the KBs which have hotfixes to mitigate this vulnerability. Note that there may be multiple hotfixes (and thus multiple KBs) that mitigate a given vulnerability. Currently any listed kb's presence is considered a fix.

KnowledgeBase

JSON representation 
{
  "name": string,
  "url": string
}
Fields
name

string

The KB name (generally of the form KB[0-9]+ i.e. KB123456).
url

string

A link to the KB in the Windows update catalog - https://www.catalog.update.microsoft.com/

Build

Note holding the version of the provider's builder and the signature of the provenance message in the build details occurrence.

JSON representation 
{
  "builderVersion": string,
  "signature": {
    object (BuildSignature)
  }
}
Fields
builderVersion

string

Required. Immutable. Version of the builder which produced this build.
signature

object (BuildSignature)

Signature of the build in occurrences pointing to this build note containing build details.

BuildSignature

Message encapsulating the signature of the verified build.

JSON representation 
{
  "publicKey": string,
  "signature": string,
  "keyId": string,
  "keyType": enum (KeyType)
}
Fields
publicKey

string

Public key of the builder which can be used to verify that the related findings are valid and unchanged. If keyType is empty, this defaults to PEM encoded public keys.

This field may be empty if keyId references an external key.

For Cloud Build based signatures, this is a PEM encoded public key. To verify the Cloud Build signature, place the contents of this field into a file (public.pem). The signature field is base64-decoded into its binary representation in signature.bin, and the provenance bytes from BuildDetails are base64-decoded into a binary representation in signed.bin. OpenSSL can then verify the signature: openssl sha256 -verify public.pem -signature signature.bin signed.bin
signature

string (bytes format)

Required. Signature of the related BuildProvenance. In JSON, this is base-64 encoded.

A base64-encoded string.
keyId

string

An ID for the key used to sign. This could be either an ID for the key stored in publicKey (such as the ID or fingerprint for a PGP key, or the CN for a cert), or a reference to an external key (such as a reference to a key in Cloud Key Management Service).
keyType

enum (KeyType)

The type of the key, either stored in publicKey or referenced in keyId.

KeyType

Public key formats.

Enums
KEY_TYPE_UNSPECIFIED KeyType is not set.
PGP_ASCII_ARMORED PGP ASCII Armored public key.
PKIX_PEM PKIX PEM public key.

Basis

Basis describes the base image portion (Note) of the DockerImage relationship. Linked occurrences are derived from this or an equivalent image via: FROM <Basis.resource_url> Or an equivalent reference, e.g. a tag of the resourceUrl.

JSON representation 
{
  "resourceUrl": string,
  "fingerprint": {
    object (Fingerprint)
  }
}
Fields
resourceUrl

string

Required. Immutable. The resourceUrl for the resource representing the basis of associated occurrence images.
fingerprint

object (Fingerprint)

Required. Immutable. The fingerprint of the base image.

Package

This represents a particular package that is distributed over various channels. E.g., glibc (aka libc6) is distributed by many, at various versions.

JSON representation 
{
  "name": string,
  "distribution": [
    {
      object (Distribution)
    }
  ]
}
Fields
name

string

Required. Immutable. The name of the package.
distribution[]

object (Distribution)

The various channels by which a package is distributed.

Distribution

This represents a particular channel of distribution for a given package. E.g., Debian's jessie-backports dpkg mirror.

JSON representation 
{
  "cpeUri": string,
  "architecture": enum (Architecture),
  "latestVersion": {
    object (Version)
  },
  "maintainer": string,
  "url": string,
  "description": string
}
Fields
cpeUri

string

Required. The cpeUri in CPE format denoting the package manager version distributing a package.
architecture

enum (Architecture)

The CPU architecture for which packages in this distribution channel were built.
latestVersion

object (Version)

The latest available version of this package in this distribution channel.
maintainer

string

A freeform string denoting the maintainer of this package.
url

string

The distribution channel-specific homepage for this package.
description

string

The distribution channel-specific description of this package.

Architecture

Instruction set architectures supported by various package managers.

Enums
ARCHITECTURE_UNSPECIFIED Unknown architecture.
X86 X86 architecture.
X64 X64 architecture.

Deployable

An artifact that can be deployed in some runtime.

JSON representation 
{
  "resourceUri": [
    string
  ]
}
Fields
resourceUri[]

string

Required. Resource URI for the artifact being deployed.

Discovery

A note that indicates a type of analysis a provider would perform. This note exists in a provider's project. A Discovery occurrence is created in a consumer's project at the start of analysis.

JSON representation 
{
  "analysisKind": enum (NoteKind)
}
Fields
analysisKind

enum (NoteKind)

Required. Immutable. The kind of analysis that is handled by this discovery.

Authority

Note kind that represents a logical attestation "role" or "authority". For example, an organization might have one Authority for "QA" and one for "build". This note is intended to act strictly as a grouping mechanism for the attached occurrences (Attestations). This grouping mechanism also provides a security boundary, since IAM ACLs gate the ability for a principle to attach an occurrence to a given note. It also provides a single point of lookup to find all attached attestation occurrences, even if they don't all live in the same project.

JSON representation 
{
  "hint": {
    object (Hint)
  }
}
Fields
hint

object (Hint)

Hint hints at the purpose of the attestation authority.

Hint

This submessage provides human-readable hints about the purpose of the authority. Because the name of a note acts as its resource reference, it is important to disambiguate the canonical name of the Note (which might be a UUID for security purposes) from "readable" names more suitable for debug output. Note that these hints should not be used to look up authorities in security sensitive contexts, such as when looking up attestations to verify.

JSON representation 
{
  "humanReadableName": string
}
Fields
humanReadableName

string

Required. The human readable name of this attestation authority, for example "qa".

InToto

This contains the fields corresponding to the definition of a software supply chain step in an in-toto layout. This information goes into a Grafeas note.

JSON representation 
{
  "stepName": string,
  "signingKeys": [
    {
      object (SigningKey)
    }
  ],
  "expectedMaterials": [
    {
      object (ArtifactRule)
    }
  ],
  "expectedProducts": [
    {
      object (ArtifactRule)
    }
  ],
  "expectedCommand": [
    string
  ],
  "threshold": string
}
Fields
stepName

string

This field identifies the name of the step in the supply chain.
signingKeys[]

object (SigningKey)

This field contains the public keys that can be used to verify the signatures on the step metadata.
expectedMaterials[]

object (ArtifactRule)

The following fields contain in-toto artifact rules identifying the artifacts that enter this supply chain step, and exit the supply chain step, i.e. materials and products of the step.
expectedProducts[]

object (ArtifactRule)
expectedCommand[]

string

This field contains the expected command used to perform the step.
threshold

string (int64 format)

This field contains a value that indicates the minimum number of keys that need to be used to sign the step's in-toto link.

SigningKey

This defines the format used to record keys used in the software supply chain. An in-toto link is attested using one or more keys defined in the in-toto layout. An example of this is: { "keyId": "776a00e29f3559e0141b3b096f696abc6cfb0c657ab40f441132b345b0...", "keyType": "rsa", "publicKeyValue": "-----BEGIN PUBLIC KEY-----\nMIIBojANBgkqhkiG9w0B...", "keyScheme": "rsassa-pss-sha256" } The format for in-toto's key definition can be found in section 4.2 of the in-toto specification.

JSON representation 
{
  "keyId": string,
  "keyType": string,
  "publicKeyValue": string,
  "keyScheme": string
}
Fields
keyId

string

keyId is an identifier for the signing key.
keyType

string

This field identifies the specific signing method. Eg: "rsa", "ed25519", and "ecdsa".
publicKeyValue

string

This field contains the actual public key.
keyScheme

string

This field contains the corresponding signature scheme. Eg: "rsassa-pss-sha256".

ArtifactRule

Defines an object to declare an in-toto artifact rule

JSON representation 
{
  "artifactRule": [
    string
  ]
}
Fields
artifactRule[]

string

Methods

batchCreate

 Creates new notes in batch.

create

 Creates a new note.

delete

 Deletes the specified note.

get

 Gets the specified note.

getIamPolicy

 Gets the access control policy for a note or an occurrence resource.

list

 Lists notes for the specified project.

patch

 Updates the specified note.

setIamPolicy

 Sets the access control policy on the specified note or occurrence.

testIamPermissions

 Returns the permissions that a caller has on the specified note or occurrence.