REST Resource: projects.notes

Resource: Note

A type of analysis that can be done for a resource.

JSON representation
{
  "name": string,
  "shortDescription": string,
  "longDescription": string,
  "kind": enum (NoteKind),
  "relatedUrl": [
    {
      object (RelatedUrl)
    }
  ],
  "expirationTime": string,
  "createTime": string,
  "updateTime": string,
  "relatedNoteNames": [
    string
  ],

  // Union field type can be only one of the following:
  "vulnerability": {
    object (VulnerabilityNote)
  },
  "build": {
    object (BuildNote)
  },
  "image": {
    object (ImageNote)
  },
  "package": {
    object (PackageNote)
  },
  "deployment": {
    object (DeploymentNote)
  },
  "discovery": {
    object (DiscoveryNote)
  },
  "attestation": {
    object (AttestationNote)
  },
  "upgrade": {
    object (UpgradeNote)
  }
  // End of list of possible types for union field type.
}
Fields
name

string

Output only. The name of the note in the form of projects/[PROVIDER_ID]/notes/[NOTE_ID].

shortDescription

string

A one sentence description of this note.

longDescription

string

A detailed description of this note.

kind

enum (NoteKind)

Output only. The type of analysis. This field can be used as a filter in list requests.

relatedUrl[]

object (RelatedUrl)

URLs associated with this note.

expirationTime

string (Timestamp format)

Time of expiration for this note. Empty if note does not expire.

A timestamp in RFC3339 UTC "Zulu" format, accurate to nanoseconds. Example: "2014-10-02T15:01:23.045123456Z".

createTime

string (Timestamp format)

Output only. The time this note was created. This field can be used as a filter in list requests.

A timestamp in RFC3339 UTC "Zulu" format, accurate to nanoseconds. Example: "2014-10-02T15:01:23.045123456Z".

updateTime

string (Timestamp format)

Output only. The time this note was last updated. This field can be used as a filter in list requests.

A timestamp in RFC3339 UTC "Zulu" format, accurate to nanoseconds. Example: "2014-10-02T15:01:23.045123456Z".

relatedNoteNames[]

string

Other notes related to this note.

Union field type. Required. Immutable. The type of analysis this note represents. type can be only one of the following:
vulnerability

object (VulnerabilityNote)

A note describing a package vulnerability.

build

object (BuildNote)

A note describing build provenance for a verifiable build.

image

object (ImageNote)

A note describing a base image.

package

object (PackageNote)

A note describing a package hosted by various package managers.

deployment

object (DeploymentNote)

A note describing something that can be deployed.

discovery

object (DiscoveryNote)

A note describing the initial analysis of a resource.

attestation

object (AttestationNote)

A note describing an attestation role.

upgrade

object (UpgradeNote)

A note describing available package upgrades.

VulnerabilityNote

A security vulnerability that can be found in resources.

JSON representation
{
  "cvssScore": number,
  "severity": enum (Severity),
  "details": [
    {
      object (Detail)
    }
  ],
  "cvssV3": {
    object (CVSSv3)
  },
  "windowsDetails": [
    {
      object (WindowsDetail)
    }
  ],
  "sourceUpdateTime": string
}
Fields
cvssScore

number

The CVSS score of this vulnerability. CVSS score is on a scale of 0 - 10 where 0 indicates low severity and 10 indicates high severity.

severity

enum (Severity)

The note provider assigned severity of this vulnerability.

details[]

object (Detail)

Details of all known distros and packages affected by this vulnerability.

cvssV3

object (CVSSv3)

The full description of the CVSSv3 for this vulnerability.

windowsDetails[]

object (WindowsDetail)

Windows details get their own format because the information format and model don't match a normal detail. Specifically, Windows updates are delivered as patches, so a Windows vulnerability is really a missing package (a missing KB), rather than a package being at an incorrect version.

sourceUpdateTime

string (Timestamp format)

The time this information was last changed at the source. This is an upstream timestamp from the underlying information source - e.g. Ubuntu security tracker.

A timestamp in RFC3339 UTC "Zulu" format, accurate to nanoseconds. Example: "2014-10-02T15:01:23.045123456Z".

Detail

A detail for a distro and package affected by this vulnerability and its associated fix (if one is available).

JSON representation
{
  "severityName": string,
  "description": string,
  "packageType": string,
  "affectedCpeUri": string,
  "affectedPackage": string,
  "affectedVersionStart": {
    object (Version)
  },
  "affectedVersionEnd": {
    object (Version)
  },
  "fixedCpeUri": string,
  "fixedPackage": string,
  "fixedVersion": {
    object (Version)
  },
  "isObsolete": boolean,
  "sourceUpdateTime": string
}
Fields
severityName

string

The distro assigned severity of this vulnerability.

description

string

A vendor-specific description of this vulnerability.

packageType

string

The type of package; whether native or non-native (e.g., ruby gems, node.js packages, etc.).

affectedCpeUri

string

Required. The CPE URI this vulnerability affects.

affectedPackage

string

Required. The package this vulnerability affects.

affectedVersionStart

object (Version)

The version number at the start of an interval in which this vulnerability exists. A vulnerability can affect a package between version numbers that are disjoint sets of intervals (example: [1.0.0-1.1.0], [2.4.6-2.4.8] and [4.5.6-4.6.8]) each of which will be represented in its own Detail. If a specific affected version is provided by a vulnerability database, affectedVersionStart and affectedVersionEnd will be the same in that Detail.

affectedVersionEnd

object (Version)

The version number at the end of an interval in which this vulnerability exists. A vulnerability can affect a package between version numbers that are disjoint sets of intervals (example: [1.0.0-1.1.0], [2.4.6-2.4.8] and [4.5.6-4.6.8]) each of which will be represented in its own Detail. If a specific affected version is provided by a vulnerability database, affectedVersionStart and affectedVersionEnd will be the same in that Detail.

fixedCpeUri

string

The distro recommended CPE URI to update to that contains a fix for this vulnerability. It is possible for this to be different from the affectedCpeUri.

fixedPackage

string

The distro recommended package to update to that contains a fix for this vulnerability. It is possible for this to be different from the affectedPackage.

fixedVersion

object (Version)

The distro recommended version to update to that contains a fix for this vulnerability. Setting this to VersionKind.MAXIMUM means no such version is yet available.

isObsolete

boolean

Whether this detail is obsolete. Occurrences are expected not to point to obsolete details.

sourceUpdateTime

string (Timestamp format)

The time this information was last changed at the source. This is an upstream timestamp from the underlying information source - e.g. Ubuntu security tracker.

A timestamp in RFC3339 UTC "Zulu" format, accurate to nanoseconds. Example: "2014-10-02T15:01:23.045123456Z".
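The affectedVersionStart/affectedVersionEnd, fixedVersion and isObsolete fields above describe how a Detail encodes one closed version interval and whether a fix exists. The following added example (not code from this page or from the Container Analysis API) matches a package version against a constructed VulnerabilityNote; it assumes the Version object carries name, epoch, revision and kind (MINIMUM, NORMAL, MAXIMUM), which this page references but does not define, and uses a simplified dotted-numeric ordering rather than real dpkg/rpm comparison rules.

```python
import json
from typing import Optional, Tuple

# Constructed sample VulnerabilityNote (not a real advisory). The Version object's
# fields (name, epoch, revision, kind) are assumed; this page references Version
# but does not define it.
SAMPLE_NOTE = json.loads("""{
  "cvssScore": 7.5, "severity": "HIGH",
  "details": [
    {"affectedCpeUri": "cpe:/o:debian:debian_linux:10", "affectedPackage": "examplelib",
     "affectedVersionStart": {"name": "1.0.0", "kind": "NORMAL"},
     "affectedVersionEnd": {"name": "1.1.0", "kind": "NORMAL"},
     "fixedCpeUri": "cpe:/o:debian:debian_linux:10", "fixedPackage": "examplelib",
     "fixedVersion": {"name": "1.1.1", "kind": "NORMAL"}, "isObsolete": false},
    {"affectedCpeUri": "cpe:/o:debian:debian_linux:10", "affectedPackage": "examplelib",
     "affectedVersionStart": {"name": "2.4.6", "kind": "NORMAL"},
     "affectedVersionEnd": {"kind": "MAXIMUM"},
     "fixedVersion": {"kind": "MAXIMUM"}, "isObsolete": false},
    {"affectedCpeUri": "cpe:/o:debian:debian_linux:10", "affectedPackage": "examplelib",
     "affectedVersionStart": {"name": "0.9.0", "kind": "NORMAL"},
     "affectedVersionEnd": {"name": "0.9.0", "kind": "NORMAL"}, "isObsolete": true}
  ]
}""")

def version_key(v: dict) -> tuple:
    """Sortable key for a Version: MINIMUM/MAXIMUM are open-ended sentinels; NORMAL
    orders by epoch, dotted numeric name, revision (simplified vs. real dpkg/rpm rules)."""
    kind = v.get("kind", "NORMAL")
    if kind == "MINIMUM":
        return (-1,)
    if kind == "MAXIMUM":
        return (1,)
    return (0, v.get("epoch", 0), tuple(int(p) for p in v["name"].split(".")), v.get("revision", ""))

def assess(note: dict, cpe_uri: str, package: str, version: dict) -> Tuple[bool, Optional[str]]:
    """Return (affected, fixed_version_name). Each Detail is one closed interval
    [affectedVersionStart, affectedVersionEnd]; disjoint ranges arrive as separate Details.
    fixedVersion of kind MAXIMUM means no fix exists yet, so the name is None."""
    key = version_key(version)
    for d in note["details"]:
        # Occurrences should not reference obsolete details; skip them when matching.
        if d.get("isObsolete") or d["affectedCpeUri"] != cpe_uri or d["affectedPackage"] != package:
            continue
        start = version_key(d.get("affectedVersionStart", {"kind": "MINIMUM"}))
        end = version_key(d.get("affectedVersionEnd", {"kind": "MAXIMUM"}))
        if start <= key <= end:
            fix = d.get("fixedVersion") or {"kind": "MAXIMUM"}
            return True, (None if fix.get("kind") == "MAXIMUM" else fix["name"])
    return False, None
```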

CVSSv3

Common Vulnerability Scoring System version 3. For details, see https://www.first.org/cvss/specification-document

JSON representation
{
  "baseScore": number,
  "exploitabilityScore": number,
  "impactScore": number,
  "attackVector": enum (AttackVector),
  "attackComplexity": enum (AttackComplexity),
  "privilegesRequired": enum (PrivilegesRequired),
  "userInteraction": enum (UserInteraction),
  "scope": enum (Scope),
  "confidentialityImpact": enum (Impact),
  "integrityImpact": enum (Impact),
  "availabilityImpact": enum (Impact)
}
Fields
baseScore

number

The base score is a function of the base metric scores.

exploitabilityScore

number

impactScore

number

attackVector

enum (AttackVector)

Base metrics represent the intrinsic characteristics of a vulnerability that are constant over time and across user environments.

attackComplexity

enum (AttackComplexity)

privilegesRequired

enum (PrivilegesRequired)

userInteraction

enum (UserInteraction)

scope

enum (Scope)

confidentialityImpact

enum (Impact)

integrityImpact

enum (Impact)

availabilityImpact

enum (Impact)

AttackVector

Enums
ATTACK_VECTOR_UNSPECIFIED
ATTACK_VECTOR_NETWORK
ATTACK_VECTOR_ADJACENT
ATTACK_VECTOR_LOCAL
ATTACK_VECTOR_PHYSICAL

AttackComplexity

Enums
ATTACK_COMPLEXITY_UNSPECIFIED
ATTACK_COMPLEXITY_LOW
ATTACK_COMPLEXITY_HIGH

PrivilegesRequired

Enums
PRIVILEGES_REQUIRED_UNSPECIFIED
PRIVILEGES_REQUIRED_NONE
PRIVILEGES_REQUIRED_LOW
PRIVILEGES_REQUIRED_HIGH

UserInteraction

Enums
USER_INTERACTION_UNSPECIFIED
USER_INTERACTION_NONE
USER_INTERACTION_REQUIRED

Scope

Enums
SCOPE_UNSPECIFIED
SCOPE_UNCHANGED
SCOPE_CHANGED

Impact

Enums
IMPACT_UNSPECIFIED
IMPACT_HIGH
IMPACT_LOW
IMPACT_NONE

WindowsDetail

JSON representation
{
  "cpeUri": string,
  "name": string,
  "description": string,
  "fixingKbs": [
    {
      object (KnowledgeBase)
    }
  ]
}
Fields
cpeUri

string

Required. The CPE URI this vulnerability affects.

name

string

Required. The name of this vulnerability.

description

string

The description of this vulnerability.

fixingKbs[]

object (KnowledgeBase)

Required. The names of the KBs which have hotfixes to mitigate this vulnerability. Note that there may be multiple hotfixes (and thus multiple KBs) that mitigate a given vulnerability. Currently, the presence of any listed KB is considered a fix.

KnowledgeBase

JSON representation
{
  "name": string,
  "url": string
}
Fields
name

string

The KB name (generally of the form KB[0-9]+ (e.g., KB123456)).

url

string

A link to the KB in the Windows update catalog.

BuildNote

Note holding the version of the provider's builder and the signature of the provenance message in the build details occurrence.

JSON representation
{
  "builderVersion": string
}
Fields
builderVersion

string

Required. Immutable. Version of the builder which produced this build.

ImageNote

Basis describes the base image portion (Note) of the DockerImage relationship. Linked occurrences are derived from this or an equivalent image via `FROM <Basis.resource_url>`, or an equivalent reference, e.g., a tag of the resourceUrl.

JSON representation
{
  "resourceUrl": string,
  "fingerprint": {
    object (Fingerprint)
  }
}
Fields
resourceUrl

string

Required. Immutable. The resourceUrl for the resource representing the basis of associated occurrence images.

fingerprint

object (Fingerprint)

Required. Immutable. The fingerprint of the base image.

PackageNote

This represents a particular package that is distributed over various channels. E.g., glibc (aka libc6) is distributed by many, at various versions.

JSON representation
{
  "name": string,
  "distribution": [
    {
      object (Distribution)
    }
  ]
}
Fields
name

string

Required. Immutable. The name of the package.

distribution[]

object (Distribution)

The various channels by which a package is distributed.

Distribution

This represents a particular channel of distribution for a given package. E.g., Debian's jessie-backports dpkg mirror.

JSON representation
{
  "cpeUri": string,
  "architecture": enum (Architecture),
  "latestVersion": {
    object (Version)
  },
  "maintainer": string,
  "url": string,
  "description": string
}
Fields
cpeUri

string

Required. The cpeUri in CPE format denoting the package manager version distributing a package.

architecture

enum (Architecture)

The CPU architecture for which packages in this distribution channel were built.

latestVersion

object (Version)

The latest available version of this package in this distribution channel.

maintainer

string

A freeform string denoting the maintainer of this package.

url

string

The distribution channel-specific homepage for this package.

description

string

The distribution channel-specific description of this package.

Architecture

Instruction set architectures supported by various package managers.

Enums
ARCHITECTURE_UNSPECIFIED Unknown architecture.
X86 X86 architecture.
X64 X64 architecture.

DeploymentNote

An artifact that can be deployed in some runtime.

JSON representation
{
  "resourceUri": [
    string
  ]
}
Fields
resourceUri[]

string

Required. Resource URI for the artifact being deployed.

DiscoveryNote

A note that indicates a type of analysis a provider would perform. This note exists in a provider's project. A Discovery occurrence is created in a consumer's project at the start of analysis.

JSON representation
{
  "analysisKind": enum (NoteKind)
}
Fields
analysisKind

enum (NoteKind)

Required. Immutable. The kind of analysis that is handled by this discovery.

AttestationNote

Note kind that represents a logical attestation "role" or "authority". For example, an organization might have one Authority for "QA" and one for "build". This note is intended to act strictly as a grouping mechanism for the attached occurrences (Attestations). This grouping mechanism also provides a security boundary, since IAM ACLs gate the ability for a principal to attach an occurrence to a given note. It also provides a single point of lookup to find all attached attestation occurrences, even if they don't all live in the same project.

JSON representation
{
  "hint": {
    object (Hint)
  }
}
Fields
hint

object (Hint)

Hint hints at the purpose of the attestation authority.

Hint

This submessage provides human-readable hints about the purpose of the authority. Because the name of a note acts as its resource reference, it is important to disambiguate the canonical name of the Note (which might be a UUID for security purposes) from "readable" names more suitable for debug output. Note that these hints should not be used to look up authorities in security sensitive contexts, such as when looking up attestations to verify.

JSON representation
{
  "humanReadableName": string
}
Fields
humanReadableName

string

Required. The human readable name of this attestation authority, for example "qa".

UpgradeNote

An Upgrade Note represents a potential upgrade of a package to a given version. For each package version combination (i.e. bash 4.0, bash 4.1, bash 4.1.2), there will be an Upgrade Note.

JSON representation
{
  "package": string,
  "version": {
    object (Version)
  },
  "distributions": [
    {
      object (UpgradeDistribution)
    }
  ]
}
Fields
package

string

Required. The package this Upgrade is for.

version

object (Version)

Required. The version of the package in machine + human readable form.

distributions[]

object (UpgradeDistribution)

Metadata about the upgrade for each specific operating system.

Methods

batchCreate

Creates new notes in batch.

create

Creates a new note.

delete

Deletes the specified note.

get

Gets the specified note.

getIamPolicy

Gets the access control policy for a note or an occurrence resource.

list

Lists notes for the specified project.

patch

Updates the specified note.

setIamPolicy

Sets the access control policy on the specified note or occurrence.

testIamPermissions

Returns the permissions that a caller has on the specified note or occurrence.