REST Resource: projects.notes

Resource: Note

Provides a detailed description of a Note.

JSON representation
{
  "name": string,
  "shortDescription": string,
  "longDescription": string,
  "kind": enum (Kind),
  "relatedUrl": [
    {
      object (RelatedUrl)
    }
  ],
  "expirationTime": string,
  "createTime": string,
  "updateTime": string,

  // Union field note_type can be only one of the following:
  "vulnerabilityType": {
    object (VulnerabilityType)
  },
  "buildType": {
    object (BuildType)
  },
  "baseImage": {
    object (Basis)
  },
  "package": {
    object (Package)
  },
  "deployable": {
    object (Deployable)
  },
  "discovery": {
    object (Discovery)
  },
  "attestationAuthority": {
    object (AttestationAuthority)
  },
  "upgrade": {
    object (UpgradeNote)
  }
  // End of list of possible types for union field note_type.
}
Fields
name

string

The name of the note in the form "projects/{provider_project_id}/notes/{NOTE_ID}"

shortDescription

string

A one sentence description of this Note.

longDescription

string

A detailed description of this Note.

kind

enum (Kind)

Output only. This explicitly denotes which kind of note is specified. This field can be used as a filter in list requests.

relatedUrl[]

object (RelatedUrl)

URLs associated with this note.

expirationTime

string (Timestamp format)

Time of expiration for this note, null if note does not expire.

A timestamp in RFC3339 UTC "Zulu" format, accurate to nanoseconds. Example: "2014-10-02T15:01:23.045123456Z".

createTime

string (Timestamp format)

Output only. The time this note was created. This field can be used as a filter in list requests.

A timestamp in RFC3339 UTC "Zulu" format, accurate to nanoseconds. Example: "2014-10-02T15:01:23.045123456Z".

updateTime

string (Timestamp format)

Output only. The time this note was last updated. This field can be used as a filter in list requests.

A timestamp in RFC3339 UTC "Zulu" format, accurate to nanoseconds. Example: "2014-10-02T15:01:23.045123456Z".

Union field note_type. The type of note. note_type can be only one of the following:
vulnerabilityType

object (VulnerabilityType)

A package vulnerability type of note.

buildType

object (BuildType)

Build provenance type for a verifiable build.

baseImage

object (Basis)

A note describing a base image.

package

object (Package)

A note describing a package hosted by various package managers.

deployable

object (Deployable)

A note describing something that can be deployed.

discovery

object (Discovery)

A note describing a provider/analysis type.

attestationAuthority

object (AttestationAuthority)

A note describing an attestation role.

upgrade

object (UpgradeNote)

A note describing an upgrade.

VulnerabilityType

VulnerabilityType provides metadata about a security vulnerability.

JSON representation
{
  "cvssScore": number,
  "severity": enum (Severity),
  "details": [
    {
      object (Detail)
    }
  ]
}
Fields
cvssScore

number

The CVSS score for this Vulnerability.

severity

enum (Severity)

Note provider assigned impact of the vulnerability.

details[]

object (Detail)

All information about the package to specifically identify this vulnerability. One entry per (version range and cpeUri) the package vulnerability has manifested in.

Detail

Identifies all occurrences of this vulnerability in the package for a specific distro/location. For example: glibc in cpe:/o:debian:debian_linux:8 for versions 2.1 - 2.2.

JSON representation
{
  "cpeUri": string,
  "package": string,
  "minAffectedVersion": {
    object (Version)
  },
  "maxAffectedVersion": {
    object (Version)
  },
  "severityName": string,
  "description": string,
  "fixedLocation": {
    object (VulnerabilityLocation)
  },
  "packageType": string,
  "isObsolete": boolean
}
Fields
cpeUri

string

The cpeUri in cpe format in which the vulnerability manifests. Examples include a distro or the storage location of a vulnerable jar. This field can be used as a filter in list requests.

package

string

The name of the package where the vulnerability was found. This field can be used as a filter in list requests.

minAffectedVersion

object (Version)

The min version of the package in which the vulnerability exists.

maxAffectedVersion (deprecated)

object (Version)

The max version of the package in which the vulnerability exists.

severityName

string

The severity (e.g. the distro-assigned severity) for this vulnerability.

description

string

A vendor-specific description of this note.

fixedLocation

object (VulnerabilityLocation)

The fix for this specific package version.

packageType

string

The type of package, whether native or non-native (Ruby gems, Node.js packages, etc.).

isObsolete

boolean

Whether this Detail is obsolete. Occurrences are expected not to point to obsolete details.

BuildType

Note holding the version of the provider's builder and the signature of the provenance message in linked BuildDetails.

JSON representation
{
  "builderVersion": string,
  "signature": {
    object (BuildSignature)
  }
}
Fields
builderVersion

string

Version of the builder which produced this Note.

signature

object (BuildSignature)

Signature of the build in Occurrences pointing to the Note containing this BuilderDetails.

BuildSignature

Message encapsulating the signature of the verified build.

JSON representation
{
  "publicKey": string,
  "signature": string,
  "keyId": string,
  "keyType": enum (KeyType)
}
Fields
publicKey

string

Public key of the builder which can be used to verify that the related findings are valid and unchanged. If keyType is empty, this defaults to PEM encoded public keys.

This field may be empty if keyId references an external key.

For Cloud Build based signatures, this is a PEM encoded public key. To verify the Cloud Build signature, place the contents of this field into a file (public.pem). The signature field is base64-decoded into its binary representation in signature.bin, and the provenance bytes from BuildDetails are base64-decoded into a binary representation in signed.bin. OpenSSL can then verify the signature: openssl sha256 -verify public.pem -signature signature.bin signed.bin
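The verification steps above, as an added example that is not part of the API documentation: the script constructs a throwaway RSA key pair and a constructed provenance blob in place of the real builder key, BuildSignature.signature and BuildDetails provenance bytes, then performs the same base64-decode and OpenSSL verification a verifier would run against the API's values.

```shell
#!/bin/sh
# Added example: reproduce the BuildSignature check with constructed inputs.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed stand-in for the builder's signing key. A real verifier never
# holds this; it only sees the PEM public key from BuildSignature.publicKey.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
  -out "$WORK/builder.key" >/dev/null 2>&1
BUILDER_PUBLIC_KEY=$(openssl pkey -in "$WORK/builder.key" -pubout)

# Constructed provenance bytes (what BuildDetails carries, base64 encoded) and
# the builder's SHA-256 RSA signature over them (BuildSignature.signature).
printf '{"id":"example-build-1","projectId":"example-project"}' > "$WORK/prov.bin"
PROVENANCE_B64=$(openssl base64 -A -in "$WORK/prov.bin")
openssl dgst -sha256 -sign "$WORK/builder.key" -out "$WORK/prov.sig" "$WORK/prov.bin"
SIGNATURE_B64=$(openssl base64 -A -in "$WORK/prov.sig")

# Provenance that differs from what was signed; it must be rejected.
TAMPERED_B64=$(printf '{"id":"example-build-2","projectId":"example-project"}' \
  | openssl base64 -A)

# verify_build_signature PUBLIC_KEY_PEM SIGNATURE_B64 PROVENANCE_B64
# Writes publicKey to public.pem, base64-decodes the signature and provenance
# into signature.bin and signed.bin, then asks OpenSSL to verify.
# Returns 0 when the signature verifies, 1 otherwise.
verify_build_signature() {
  d=$(mktemp -d)
  printf '%s\n' "$1" > "$d/public.pem"
  printf '%s' "$2" | openssl base64 -d -A > "$d/signature.bin"
  printf '%s' "$3" | openssl base64 -d -A > "$d/signed.bin"
  # "openssl sha256 -verify ..." in the docs is shorthand for "openssl dgst -sha256 -verify ...".
  if openssl dgst -sha256 -verify "$d/public.pem" \
       -signature "$d/signature.bin" "$d/signed.bin" >/dev/null 2>&1; then
    rm -rf "$d"; return 0
  fi
  rm -rf "$d"; return 1
}

verify_build_signature "$BUILDER_PUBLIC_KEY" "$SIGNATURE_B64" "$PROVENANCE_B64" \
  && echo "provenance signature OK"
verify_build_signature "$BUILDER_PUBLIC_KEY" "$SIGNATURE_B64" "$TAMPERED_B64" \
  || echo "tampered provenance rejected"
```

Only a signature that verifies against the publicKey attached to the Note proves the provenance is the one the builder produced; a verifier should treat any other outcome, including a decode failure, as untrusted.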

signature

string

Signature of the related BuildProvenance, encoded in a base64 string.

keyId

string

An Id for the key used to sign. This could be either an Id for the key stored in publicKey (such as the Id or fingerprint for a PGP key, or the CN for a cert), or a reference to an external key (such as a reference to a key in Cloud Key Management Service).

keyType

enum (KeyType)

The type of the key, either stored in publicKey or referenced in keyId.

KeyType

Public key formats

Enums
KEY_TYPE_UNSPECIFIED KeyType is not set.
PGP_ASCII_ARMORED PGP ASCII Armored public key.
PKIX_PEM PKIX PEM public key.

Basis

Basis describes the base image portion (Note) of the DockerImage relationship. Linked occurrences are derived from this or an equivalent image via FROM <Basis.resource_url>, or an equivalent reference, e.g. a tag of the resourceUrl.

JSON representation
{
  "resourceUrl": string,
  "fingerprint": {
    object (Fingerprint)
  }
}
Fields
resourceUrl

string

The resourceUrl for the resource representing the basis of associated occurrence images.

fingerprint

object (Fingerprint)

The fingerprint of the base image.

Package

This represents a particular package that is distributed over various channels. E.g. glibc (aka libc6) is distributed by many channels, at various versions.

JSON representation
{
  "name": string,
  "distribution": [
    {
      object (Distribution)
    }
  ]
}
Fields
name

string

The name of the package.

distribution[]

object (Distribution)

The various channels by which a package is distributed.

Distribution

This represents a particular channel of distribution for a given package, e.g. Debian's jessie-backports dpkg mirror.

JSON representation
{
  "cpeUri": string,
  "architecture": enum (Architecture),
  "latestVersion": {
    object (Version)
  },
  "maintainer": string,
  "url": string,
  "description": string
}
Fields
cpeUri

string

The cpeUri in cpe format denoting the package manager version distributing a package.

architecture

enum (Architecture)

The CPU architecture for which packages in this distribution channel were built.

latestVersion

object (Version)

The latest available version of this package in this distribution channel.

maintainer

string

A freeform string denoting the maintainer of this package.

url

string

The distribution channel-specific homepage for this package.

description

string

The distribution channel-specific description of this package.

Architecture

Instruction set architectures supported by various package managers.

Enums
ARCHITECTURE_UNSPECIFIED Unknown architecture
X86 X86 architecture
X64 X64 architecture

Deployable

An artifact that can be deployed in some runtime.

JSON representation
{
  "resourceUri": [
    string
  ]
}
Fields
resourceUri[]

string

Resource URI for the artifact being deployed.

Discovery

A note that indicates a type of analysis a provider would perform. This note exists in a provider's project. A Discovery occurrence is created in a consumer's project at the start of analysis. The occurrence's operation will indicate the status of the analysis. Absence of an occurrence linked to this note for a resource indicates that analysis hasn't started.

JSON representation
{
  "analysisKind": enum (Kind)
}
Fields
analysisKind

enum (Kind)

The kind of analysis that is handled by this discovery.

AttestationAuthority

Note kind that represents a logical attestation "role" or "authority". For example, an organization might have one AttestationAuthority for "QA" and one for "build". This Note is intended to act strictly as a grouping mechanism for the attached Occurrences (Attestations). This grouping mechanism also provides a security boundary, since IAM ACLs gate the ability for a principal to attach an Occurrence to a given Note. It also provides a single point of lookup to find all attached Attestation Occurrences, even if they don't all live in the same project.

JSON representation
{
  "hint": {
    object (AttestationAuthorityHint)
  }
}
Fields
hint

object (AttestationAuthorityHint)

AttestationAuthorityHint

This submessage provides human-readable hints about the purpose of the AttestationAuthority. Because the name of a Note acts as its resource reference, it is important to disambiguate the canonical name of the Note (which might be a UUID for security purposes) from "readable" names more suitable for debug output. Note that these hints should NOT be used to look up AttestationAuthorities in security-sensitive contexts, such as when looking up Attestations to verify.

JSON representation
{
  "humanReadableName": string
}
Fields
humanReadableName

string

The human readable name of this Attestation Authority, for example "qa".

UpgradeNote

An Upgrade Note represents a potential upgrade of a package to a given version. For each package version combination (i.e. bash 4.0, bash 4.1, bash 4.1.2), there will be an Upgrade Note.

JSON representation
{
  "package": string,
  "version": {
    object (Version)
  },
  "distributions": [
    {
      object (UpgradeDistribution)
    }
  ]
}
Fields
package

string

Required - The package this Upgrade is for.

version

object (Version)

Required - The version of the package in machine + human readable form.

distributions[]

object (UpgradeDistribution)

Metadata about the upgrade for each specific operating system.

RelatedUrl

Metadata for any related URL information.

JSON representation
{
  "url": string,
  "label": string
}
Fields
url

string

Specific URL to associate with the note.

label

string

Label to describe the usage of the URL.

Methods

create

Creates a new Note.

delete

Deletes the given Note from the system.

get

Returns the requested Note.

getIamPolicy

Gets the access control policy for a note or an Occurrence resource.

list

Lists all Notes for a given project.

patch

Updates an existing Note.

setIamPolicy

Sets the access control policy on the specified Note or Occurrence.

testIamPermissions

Returns the permissions that a caller has on the specified note or occurrence resource.
Container Registry Documentation