Providing metadata for images

You can choose to provide your own vulnerability metadata to Container Analysis to satisfy a specific business need. For example, an organization that provides security management for their customers' Docker containers can use Container Analysis to store and retrieve security-related metadata for those images.

Follow the steps below to provide custom vulnerability metadata for your images using the Container Analysis API. You can use the same instructions to store and retrieve any kind of metadata that Container Analysis supports.

Before you begin

  1. Enable the Container Scanning API. This enables vulnerability scanning as well as the Container Analysis API. You can enable the API for an existing project, or create a new project and then enable the API. You can manually disable vulnerability scanning at a later time.

    Enable the Container Scanning API

  2. Read the Container Analysis overview.

Creating vulnerability notes and occurrences for projects

This section explains how third-party vulnerability providers can create notes and occurrences for their user's projects.

As a provider, you will create a note in your project for each vulnerability kind, and you will create an occurrence in your customer's project for an occurrence of that vulnerability.

Creating notes

IAM permissions:

To perform this task, you must have the following IAM permissions on the provider's project (which is the project where the notes are created):

  • containeranalysis.notes.create

Alternately, you can grant the following predefined IAM role, which will automatically provide all the necessary permissions:

  • Container Analysis Notes Editor role on your project.

To create a note:

API

  1. Create a file named note.json with vulnerability description and details. The following code shows an example note.json file:

    {
        "shortDescription": "A brief Description of the note",
        "longDescription": "A longer description of the note",
        "kind": "PACKAGE_VULNERABILITY",
        "vulnerabilityType": {
            "details": [
            {
                "package": "libexempi3",
                "cpeUri": "cpe:/o:debian:debian_linux:7",
                "minAffectedVersion": { "name": "2.5.7", "revision": "1"},
                "maxAffectedVersion": { "name": "2.5.9", "revision": "1"},
            },
            {
                "cpeUri": "something else"
            }
            ]
        }
    }
    
  2. Run the following curl command to create a note where [PROVIDER_PROJECT_ID] is your project ID:

    curl -X POST -H "Content-Type: application/json" -H \
        "Authorization: Bearer $(gcloud auth print-access-token)" \
        https://containeranalysis.googleapis.com/v1/projects/[PROVIDER_PROJECT_ID]/notes?note_id=[NOTE_ID] -d @note.json
    

Java

To learn how to install and use the client library for Container Registry, see the Container Registry Client Libraries . For more information, see the Container Registry Java API reference documentation .

import com.google.cloud.devtools.containeranalysis.v1.ContainerAnalysisClient;
import io.grafeas.v1.GrafeasClient;
import io.grafeas.v1.Note;
import io.grafeas.v1.ProjectName;
import io.grafeas.v1.Version;
import io.grafeas.v1.VulnerabilityNote;
import java.io.IOException;
import java.lang.InterruptedException;


public class CreateNote {

  // Creates and returns a new Note
  public static Note createNote(String noteId, String projectId)
      throws IOException, InterruptedException {
    // String noteId = "my-note";
    // String projectId = "my-project-id";
    final String projectName = ProjectName.format(projectId);


    Note newNote = Note.newBuilder()
        // Associate the Note with the metadata type
        // https://cloud.google.com/container-registry/docs/container-analysis#supported_metadata_types
        // Here, we use the type "vulnerability"
        .setVulnerability(VulnerabilityNote.newBuilder()
            .addDetails(VulnerabilityNote.Detail.newBuilder()
                .setAffectedCpeUri("your-uri-here")
                .setAffectedPackage("your-package-here")
                .setAffectedVersionStart(Version.newBuilder()
                    .setKind(Version.VersionKind.MINIMUM))
                .setAffectedVersionEnd(Version.newBuilder()
                    .setKind(Version.VersionKind.MAXIMUM))))
        .build();

    // Initialize client that will be used to send requests. After completing all of your requests,
    // call the "close" method on the client to safely clean up any remaining background resources.
    GrafeasClient client = ContainerAnalysisClient.create().getGrafeasClient();
    Note result = client.createNote(projectName, noteId, newNote);
    return result;
  }
}

Go

To learn how to install and use the client library for Container Registry, see the Container Registry Client Libraries . For more information, see the Container Registry Go API reference documentation .


import (
	"context"
	"fmt"

	containeranalysis "cloud.google.com/go/containeranalysis/apiv1"
	grafeaspb "google.golang.org/genproto/googleapis/grafeas/v1"
)

// createNote creates and returns a new vulnerability Note.
func createNote(noteID, projectID string) (*grafeaspb.Note, error) {
	ctx := context.Background()
	client, err := containeranalysis.NewClient(ctx)
	if err != nil {
		return nil, fmt.Errorf("NewClient: %v", err)
	}
	defer client.Close()

	projectName := fmt.Sprintf("projects/%s", projectID)

	req := &grafeaspb.CreateNoteRequest{
		Parent: projectName,
		NoteId: noteID,
		Note: &grafeaspb.Note{
			Type: &grafeaspb.Note_Vulnerability{
				// The 'Vulnerability' field can be modified to contain information about your vulnerability.
				Vulnerability: &grafeaspb.VulnerabilityNote{
					Details: []*grafeaspb.VulnerabilityNote_Detail{
						{
							AffectedCpeUri:  "your-uri-here",
							AffectedPackage: "your-package-here",
							AffectedVersionStart: &grafeaspb.Version{
								Kind: grafeaspb.Version_MINIMUM,
							},
							AffectedVersionEnd: &grafeaspb.Version{
								Kind: grafeaspb.Version_MAXIMUM,
							},
						},
					},
				},
			},
		},
	}

	return client.GetGrafeasClient().CreateNote(ctx, req)
}

Node.js

To learn how to install and use the client library for Container Registry, see the Container Registry Client Libraries . For more information, see the Container Registry Node.js API reference documentation .

/**
 * TODO(developer): Uncomment these variables before running the sample
 */
// const projectId = 'your-project-id', // Your GCP Project ID
// const noteId = 'my-note-id' // Id of the note

// Import the library and create a client
const {ContainerAnalysisClient} = require('@google-cloud/containeranalysis');
const client = new ContainerAnalysisClient();

// Construct request
// Associate the Note with a metadata type
// https://cloud.google.com/container-registry/docs/container-analysis#supported_metadata_types
// Here, we use the type "vulnerabiltity"
const formattedParent = client.getGrafeasClient().projectPath(projectId);

// Creates and returns a new Note
const [note] = await client.getGrafeasClient().createNote({
  parent: formattedParent,
  noteId: noteId,
  note: {
    vulnerability: {
      details: [
        {
          affectedCpeUri: 'foo.uri',
          affectedPackage: 'foo',
          affectedVersionStart: {
            kind: 'MINIMUM',
          },
          affectedVersionEnd: {
            kind: 'MAXIMUM',
          },
        },
      ],
    },
  },
});

console.log(`Note ${note.name} created.`);

Ruby

To learn how to install and use the client library for Container Registry, see the Container Registry Client Libraries . For more information, see the Container Registry Ruby API reference documentation .

# note_id    = "A user-specified identifier for the note"
# project_id = "Your Google Cloud project ID"

require "grafeas"

# Initialize the client
client = Grafeas.new

formatted_parent = Grafeas::V1::GrafeasClient.project_path project_id
note = {
  vulnerability: {
    details: [
      affected_cpe_uri:     "your-uri-here",
      affected_package:     "your-package-here",
      min_affected_version: { kind: :MINIMUM },
      fixed_version:        { kind: :MAXIMUM }
    ]
  }
}
response = client.create_note formatted_parent, note_id, note
puts response.name

Python

To learn how to install and use the client library for Container Registry, see the Container Registry Client Libraries . For more information, see the Container Registry Python API reference documentation .

def create_note(note_id, project_id):
    """Creates and returns a new vulnerability note."""
    # note_id = 'my-note'
    # project_id = 'my-gcp-project'

    from grafeas.grafeas_v1.gapic.enums import Version
    from google.cloud.devtools import containeranalysis_v1

    client = containeranalysis_v1.ContainerAnalysisClient()
    grafeas_client = client.get_grafeas_client()
    project_name = grafeas_client.project_path(project_id)
    note = {
        'vulnerability': {
            'details': [
                {
                    'affected_cpe_uri': 'your-uri-here',
                    'affected_package': 'your-package-here',
                    'min_affected_version': {
                        'kind': Version.VersionKind.MINIMUM
                    },
                    'fixed_version': {
                        'kind': Version.VersionKind.MAXIMUM
                    }
                }
            ]
        }
    }
    response = grafeas_client.create_note(project_name, note_id, note)
    return response

Creating occurrences for the notes

IAM permissions:

To perform this task, you must have the following IAM permissions:

  • containeranalysis.occurrences.create on your customer's project
  • containeranalysis.notes.attachOccurrence on your project.

Alternately, you can grant the following predefined IAM role, which will automatically provide all the necessary permissions:

  • Container Analysis Occurrences Editor role on your customer's project
  • Container Analysis Notes Attacher role on your project.

To create occurrences for a note:

API

  1. Create a file named occurrence.json with the following contents:

    {
        "resourceUrl": "<resource_url>",
        "noteName": "projects/<provider-project-id>/notes/<note_id>",
        "kind": "PACKAGE_VULNERABILITY",
        "vulnerabilityDetails": {
            "packageIssue": [{
                "affectedLocation": {
                    "cpeUri": "7",
                    "package": "a",
                    "version":  {
                        "epoch": "1"
                        "name": "namestring"
                        "revision": "r"
                    },
                },
                "fixedLocation": {
                    "cpeUri": "cpe:/o:debian:debian_linux:7",
                    "package": "a",
                    "version":  {
                        "epoch": "2"
                        "name": "namestring"
                        "revision": "1"
                    }
                }
            }]
        }
    }
    
  2. Run the following curl command where [CUSTOMER_PROJECT_ID] is your customer's project ID:

    curl -v -X POST -H "Content-Type: application/json" -H \
        "Authorization: Bearer $(gcloud auth print-access-token)" \
        https://containeranalysis.googleapis.com/v1/projects/[CUSTOMER_PROJECT_ID]/occurrences -d @occurrence.json
    

Java

To learn how to install and use the client library for Container Registry, see the Container Registry Client Libraries . For more information, see the Container Registry Java API reference documentation .

import com.google.cloud.devtools.containeranalysis.v1.ContainerAnalysisClient;
import io.grafeas.v1.GrafeasClient;
import io.grafeas.v1.NoteName;
import io.grafeas.v1.Occurrence;
import io.grafeas.v1.ProjectName;
import io.grafeas.v1.Version;
import io.grafeas.v1.VulnerabilityOccurrence;
import io.grafeas.v1.VulnerabilityOccurrence.PackageIssue;
import java.io.IOException;
import java.lang.InterruptedException;

public class CreateOccurrence {
  // Creates and returns a new vulnerability Occurrence associated with an existing Note
  public static Occurrence createOccurrence(String resourceUrl, String noteId,
      String occProjectId, String noteProjectId) throws IOException, InterruptedException {
    // String resourceUrl = "https://gcr.io/project/image@sha256:123";
    // String noteId = "my-note";
    // String occProjectId = "my-project-id";
    // String noteProjectId = "my-project-id";
    final NoteName noteName = NoteName.of(noteProjectId, noteId);
    final String occProjectName = ProjectName.format(occProjectId);

    Occurrence newOcc = Occurrence.newBuilder()
        .setNoteName(noteName.toString())
        .setResourceUri(resourceUrl)
        .setVulnerability(VulnerabilityOccurrence.newBuilder()
            .addPackageIssue(PackageIssue.newBuilder()
                .setAffectedCpeUri("your-uri-here")
                .setAffectedPackage("your-package-here")
                .setAffectedVersion(Version.newBuilder()
                    .setKind(Version.VersionKind.MINIMUM))
                .setFixedVersion(Version.newBuilder()
                    .setKind(Version.VersionKind.MAXIMUM))))
        .build();

    // Initialize client that will be used to send requests. After completing all of your requests,
    // call the "close" method on the client to safely clean up any remaining background resources.
    GrafeasClient client = ContainerAnalysisClient.create().getGrafeasClient();
    Occurrence result = client.createOccurrence(occProjectName, newOcc);
    return result;
  }
}

Go

To learn how to install and use the client library for Container Registry, see the Container Registry Client Libraries . For more information, see the Container Registry Go API reference documentation .


import (
	"context"
	"fmt"

	containeranalysis "cloud.google.com/go/containeranalysis/apiv1"
	grafeaspb "google.golang.org/genproto/googleapis/grafeas/v1"
)

// createsOccurrence creates and returns a new Occurrence of a previously created vulnerability Note.
func createOccurrence(resourceURL, noteID, occProjectID, noteProjectID string) (*grafeaspb.Occurrence, error) {
	// resourceURL := fmt.Sprintf("https://gcr.io/my-project/my-image")
	// noteID := fmt.Sprintf("my-note")
	ctx := context.Background()
	client, err := containeranalysis.NewClient(ctx)
	if err != nil {
		return nil, fmt.Errorf("NewClient: %v", err)
	}
	defer client.Close()

	req := &grafeaspb.CreateOccurrenceRequest{
		Parent: fmt.Sprintf("projects/%s", occProjectID),
		Occurrence: &grafeaspb.Occurrence{
			NoteName: fmt.Sprintf("projects/%s/notes/%s", noteProjectID, noteID),
			// Attach the occurrence to the associated resource uri.
			ResourceUri: resourceURL,
			// Details about the vulnerability instance can be added here.
			Details: &grafeaspb.Occurrence_Vulnerability{
				Vulnerability: &grafeaspb.VulnerabilityOccurrence{
					PackageIssue: []*grafeaspb.VulnerabilityOccurrence_PackageIssue{
						{
							AffectedCpeUri:  "your-uri-here",
							AffectedPackage: "your-package-here",
							AffectedVersion: &grafeaspb.Version{
								Kind: grafeaspb.Version_MINIMUM,
							},
							FixedVersion: &grafeaspb.Version{
								Kind: grafeaspb.Version_MAXIMUM,
							},
						},
					},
				},
			},
		},
	}
	return client.GetGrafeasClient().CreateOccurrence(ctx, req)
}

Node.js

To learn how to install and use the client library for Container Registry, see the Container Registry Client Libraries . For more information, see the Container Registry Node.js API reference documentation .

/**
 * TODO(developer): Uncomment these variables before running the sample
 */
// const noteProjectId = 'your-project-id', // Your GCP Project Id
// const noteId = 'my-note-id', // Id of the note
// const occurrenceProjectId = 'your-project-id', // GCP Project Id of Occurrence
// const imageUrl = 'https://gcr.io/my-project/my-image:123' // Image to attach metadata to

// Import the library and create a client
const {ContainerAnalysisClient} = require('@google-cloud/containeranalysis');
const client = new ContainerAnalysisClient();

// Construct request
const formattedParent = client
  .getGrafeasClient()
  .projectPath(occurrenceProjectId);
const formattedNote = client
  .getGrafeasClient()
  .notePath(noteProjectId, noteId);

// Creates and returns a new Occurrence associated with an existing Note
const [occurrence] = await client.getGrafeasClient().createOccurrence({
  parent: formattedParent,
  occurrence: {
    noteName: formattedNote,
    resourceUri: imageUrl,
    vulnerability: {
      packageIssue: [
        {
          affectedCpeUri: 'foo.uri',
          affectedPackage: 'foo',
          affectedVersion: {
            kind: 'MINIMUM',
          },
          fixedVersion: {
            kind: 'MAXIMUM',
          },
        },
      ],
    },
  },
});
console.log(`Occurrence created ${occurrence.name}.`);
return occurrence;

Ruby

To learn how to install and use the client library for Container Registry, see the Container Registry Client Libraries . For more information, see the Container Registry Ruby API reference documentation .

# resource_url       = "The URL of the resource associated with the
#                       occurrence.
#                       e.g. https://gcr.io/project/image@sha256:123
# note_id            = "The identifier of the note associated with the
#                       occurrence"
# occurrence_project = "The Google Cloud project ID for the new occurrence"
# note_project       = "The Google Cloud project ID of the associated note"

require "grafeas"

# Initialize the client
client = Grafeas.new
formatted_note = Grafeas::V1::GrafeasClient.note_path note_project, note_id
formatted_project = Grafeas::V1::GrafeasClient.project_path occurrence_project

occurrence = {
  note_name:     formatted_note,
  resource_uri:  resource_url,
  vulnerability: {
    package_issue: [
      affected_cpe_uri:     "your-uri-here:",
      affected_package:     "your-package-here",
      min_affected_version: { kind: :MINIMUM },
      fixed_version:        { kind: :MAXIMUM }
    ]
  }
}

response = client.create_occurrence formatted_project, occurrence
puts response.name

Python

To learn how to install and use the client library for Container Registry, see the Container Registry Client Libraries . For more information, see the Container Registry Python API reference documentation .

def create_occurrence(resource_url, note_id, occurrence_project, note_project):
    """ Creates and returns a new occurrence of a previously
    created vulnerability note."""
    # resource_url = 'https://gcr.io/my-project/my-image@sha256:123'
    # note_id = 'my-note'
    # occurrence_project = 'my-gcp-project'
    # note_project = 'my-gcp-project'

    from grafeas.grafeas_v1.gapic.enums import Version
    from google.cloud.devtools import containeranalysis_v1

    client = containeranalysis_v1.ContainerAnalysisClient()
    grafeas_client = client.get_grafeas_client()
    formatted_note = grafeas_client.note_path(note_project, note_id)
    formatted_project = grafeas_client.project_path(occurrence_project)

    occurrence = {
        'note_name': formatted_note,
        'resource_uri': resource_url,
        'vulnerability': {
            'package_issue': [
                {
                    'affected_cpe_uri': 'your-uri-here',
                    'affected_package': 'your-package-here',
                    'min_affected_version': {
                        'kind': Version.VersionKind.MINIMUM
                    },
                    'fixed_version': {
                        'kind': Version.VersionKind.MAXIMUM
                    }
                }
            ]
        }
    }

    return grafeas_client.create_occurrence(formatted_project, occurrence)

Get all occurrences for a specific note

You can view all occurrences of a specific vulnerability across your customer's projects using notes.occurrences.list().

IAM permissions:

To perform this task, you must have the following IAM permissions:

  • containeranalysis.notes.listOccurrences on your project

Alternately, you can grant the following predefined IAM role, which will automatically provide all the necessary permissions:

  • Container Analysis Occurrences Viewer role on your project

To get all occurrences for a note:

API

To list all the occurrences for a note, send a GET request as follows:

GET https://containeranalysis.googleapis.com/v1/projects/PROJECT_ID/notes/NOTE_ID/occurrences

Refer to the projects.notes.occurrences.list API endpoint for complete details.

Java

To learn how to install and use the client library for Container Registry, see the Container Registry Client Libraries . For more information, see the Container Registry Java API reference documentation .

import static java.lang.Thread.sleep;

import com.google.cloud.devtools.containeranalysis.v1.ContainerAnalysisClient;
import io.grafeas.v1.GrafeasClient;
import io.grafeas.v1.ListNoteOccurrencesRequest;
import io.grafeas.v1.NoteName;
import io.grafeas.v1.Occurrence;
import java.io.IOException;
import java.lang.InterruptedException;

public class OccurrencesForNote {
  // Retrieves all the Occurrences associated with a specified Note
  // Here, all Occurrences are printed and counted
  public static int getOccurrencesForNote(String noteId, String projectId)
      throws IOException, InterruptedException {
    // String noteId = "my-note";
    // String projectId = "my-project-id";
    final NoteName noteName = NoteName.of(projectId, noteId);

    ListNoteOccurrencesRequest request = ListNoteOccurrencesRequest.newBuilder()
                                                                   .setName(noteName.toString())
                                                                   .build();

    // Initialize client that will be used to send requests. After completing all of your requests,
    // call the "close" method on the client to safely clean up any remaining background resources.
    GrafeasClient client = ContainerAnalysisClient.create().getGrafeasClient();
    int i = 0;
    for (Occurrence o : client.listNoteOccurrences(request).iterateAll()) {
      // Write custom code to process each Occurrence here
      System.out.println(o.getName());
      i = i + 1;
    }
    return i;
  }
}

Go

To learn how to install and use the client library for Container Registry, see the Container Registry Client Libraries . For more information, see the Container Registry Go API reference documentation .


import (
	"context"
	"fmt"
	"io"

	containeranalysis "cloud.google.com/go/containeranalysis/apiv1"
	"google.golang.org/api/iterator"
	grafeaspb "google.golang.org/genproto/googleapis/grafeas/v1"
)

// getOccurrencesForNote retrieves all the Occurrences associated with a specified Note.
// Here, all Occurrences are printed and counted.
func getOccurrencesForNote(w io.Writer, noteID, projectID string) (int, error) {
	// noteID := fmt.Sprintf("my-note")
	ctx := context.Background()
	client, err := containeranalysis.NewClient(ctx)
	if err != nil {
		return -1, fmt.Errorf("NewClient: %v", err)
	}
	defer client.Close()

	req := &grafeaspb.ListNoteOccurrencesRequest{
		Name: fmt.Sprintf("projects/%s/notes/%s", projectID, noteID),
	}
	it := client.GetGrafeasClient().ListNoteOccurrences(ctx, req)
	count := 0
	for {
		occ, err := it.Next()
		if err == iterator.Done {
			break
		}
		if err != nil {
			return -1, fmt.Errorf("occurrence iteration error: %v", err)
		}
		// Write custom code to process each Occurrence here.
		fmt.Fprintln(w, occ)
		count = count + 1
	}
	return count, nil
}

Node.js

To learn how to install and use the client library for Container Registry, see the Container Registry Client Libraries . For more information, see the Container Registry Node.js API reference documentation .

/**
 * TODO(developer): Uncomment these variables before running the sample
 */
// const projectId = 'your-project-id', // Your GCP Project ID
// const noteId = 'my-note-id' // Id of the note

// Import the library and create a client
const {ContainerAnalysisClient} = require('@google-cloud/containeranalysis');
const client = new ContainerAnalysisClient();

// Get path to Note
const formattedNote = client.notePath(projectId, noteId);

// Retrieves all the Occurrences associated with a specified Note
const [occurrences] = await client.getGrafeasClient().listNoteOccurrences({
  name: formattedNote,
});
if (occurrences.length) {
  console.log('Occurrences:');
  occurrences.forEach(occurrence => {
    console.log(`${occurrence.name}:`);
  });
} else {
  console.log('No occurrences found.');
}

Ruby

To learn how to install and use the client library for Container Registry, see the Container Registry Client Libraries . For more information, see the Container Registry Ruby API reference documentation .

  # note_id    = "The identifier for the note to query"
  # project_id = "The Google Cloud project ID of the occurrences to retrieve"

  require "grafeas"

  # Initialize the client
  client = Grafeas.new

  formatted_note = Grafeas::V1::GrafeasClient.note_path project_id, note_id
  count = 0
  client.list_note_occurrences(formatted_note).each do |occurrence|
    # Process occurrence here
    puts occurrence
    count += 1
  end
  puts "Found #{count} occurrences"
  count
end

def get_discovery_info resource_url:, project_id:
  # resource_url = "The URL of the resource associated with the occurrence.
  #                 e.g. https://gcr.io/project/image@sha256:123"
  # project_id   = "The Google Cloud project ID of the occurrences to retrieve"

  require "grafeas"

  # Initialize the client
  client = Grafeas.new

  formatted_parent = Grafeas::V1::GrafeasClient.project_path project_id
  filter = "kind = \"DISCOVERY\" AND resourceUrl = \"#{resource_url}\""
  client.list_occurrences(formatted_parent, filter: filter).each do |occurrence|
    # Process discovery occurrence here
    puts occurrence
  end
end

def occurrence_pubsub subscription_id:, timeout_seconds:, project_id:
  # subscription_id = "A user-specified identifier for the new subscription"
  # timeout_seconds = "The number of seconds to listen for new Pub/Sub
  #                    messages"
  # project_id      = "Your Google Cloud project ID"

  require "google/cloud/pubsub"

  pubsub = Google::Cloud::Pubsub.new project: project_id
  topic = pubsub.topic "container-analysis-occurrences-v1"
  subscription = topic.subscribe subscription_id

  count = 0
  subscriber = subscription.listen do |received_message|
    count += 1
    # Process incoming occurrence here
    puts "Message #{count}: #{received_message.data}"
    received_message.acknowledge!
  end
  subscriber.start
  # Wait for incomming occurrences
  sleep timeout_seconds
  subscriber.stop.wait!
  subscription.delete
  # Print and return the total number of Pub/Sub messages received
  puts "Total Messages Received: #{count}"
  count
end

def poll_discovery_finished resource_url:, timeout_seconds:, project_id:
  # resource_url    = "The URL of the resource associated with the occurrence.
  #                    e.g. https://gcr.io/project/image@sha256:123"
  # timeout_seconds = "The number of seconds to wait for the discovery
  #                    occurrence"
  # project_id      = "Your Google Cloud project ID"

  require "grafeas"

  deadline = Time.now + timeout_seconds

  # Initialize the client
  client = Grafeas.new
  formatted_parent = Grafeas::V1::GrafeasClient.project_path project_id

  # Find the discovery occurrence using a filter string
  discovery_occurrence = nil
  while discovery_occurrence.nil?
    begin
      filter = 'resourceUrl="#{resource_url}" ' \
               'AND noteProjectId="goog-analysis" ' \
               'AND noteId="PACKAGE_VULNERABILITY"'
      # The above filter isn"t testable, since it looks for occurrences in a
      # locked down project. Fall back to a more permissive filter for testing
      filter = "kind = \"DISCOVERY\" AND resourceUrl = \"#{resource_url}\""
      # Only the discovery occurrence should be returned for the given filter
      discovery_occurrence = client.list_occurrences(formatted_parent, filter: filter).first
    rescue StandardError # If there is an error, keep trying until the deadline
      puts "discovery occurrence not yet found"
    ensure
      # check for timeout
      sleep 1
      if Time.now > deadline
        raise "Timeout while retrieving discovery occurrence."
      end
    end
  end

  # Wait for the discovery occurrence to enter a terminal state
  status = Grafeas::V1::DiscoveryOccurrence::AnalysisStatus::PENDING
  while status != :FINISHED_SUCCESS &&
        status != :FINISHED_FAILED &&
        status != :FINISHED_UNSUPPORTED
    # Update occurrence
    begin
      updated = client.get_occurrence discovery_occurrence.name
      status = updated.discovery.analysis_status
    rescue StandardError # If there is an error, keep trying until the deadline
      puts "discovery occurrence not yet in terminal state"
    ensure
      # check for timeout
      sleep 1
      if Time.now > deadline
        raise "Timeout while retrieving discovery occurrence."
      end
    end
  end
  puts "Found discovery occurrence #{updated.name}."
  puts "Status: #{updated.discovery.analysis_status}"
  updated
end

def find_vulnerabilities_for_image resource_url:, project_id:
  # resource_url = "The URL of the resource associated with the occurrence
  #                e.g. https://gcr.io/project/image@sha256:123"
  # project_id   = "The Google Cloud project ID of the vulnerabilities to find"

  require "grafeas"

  # Initialize the client
  client = Grafeas.new

  formatted_parent = Grafeas::V1::GrafeasClient.project_path project_id
  filter = "resourceUrl = \"#{resource_url}\" AND kind = \"VULNERABILITY\""
  client.list_occurrences formatted_parent, filter: filter
end

def find_high_severity_vulnerabilities_for_image resource_url:, project_id:
  # resource_url = "The URL of the resource associated with the occurrence,
  #                 e.g. https://gcr.io/project/image@sha256:123"
  # project_id   = "The Google Cloud project ID of the vulnerabilities to find"

  require "grafeas"

  # Initialize the client
  client = Grafeas.new

  formatted_parent = Grafeas::V1::GrafeasClient.project_path project_id
  filter = "resourceUrl = \"#{resource_url}\" AND kind = \"VULNERABILITY\""
  vulnerability_list = client
                       .list_occurrences(formatted_parent, filter: filter)
  # Filter the list to include only "high" and "critical" vulnerabilities
  vulnerability_list.select do |item|
    item.vulnerability.severity == :HIGH || item.vulnerability.severity == :CRITICAL
  end
end

Python

To learn how to install and use the client library for Container Registry, see the Container Registry Client Libraries . For more information, see the Container Registry Python API reference documentation .

def get_occurrences_for_note(note_id, project_id):
    """Retrieves all the occurrences associated with a specified Note.
    Here, all occurrences are printed and counted."""
    # note_id = 'my-note'
    # project_id = 'my-gcp-project'

    from google.cloud.devtools import containeranalysis_v1

    client = containeranalysis_v1.ContainerAnalysisClient()
    grafeas_client = client.get_grafeas_client()
    note_name = grafeas_client.note_path(project_id, note_id)

    response = grafeas_client.list_note_occurrences(note_name)
    count = 0
    for o in response:
        # do something with the retrieved occurrence
        # in this sample, we will simply count each one
        count += 1
    return count

What's next

  • For instructions on how to view, filter, and get notifications on vulnerabilities for the images in Container Registry, see Getting Image Vulnerabilities.
Was this page helpful? Let us know how we did:

Send feedback about...

Container Registry