Grafeas v1 API - Namespace Grafeas.V1 (3.6.0)

An alias to a repo revision.

Container for nested types declared in the AliasContext message type.

Artifact describes a build product.

Note kind that represents a logical attestation "role" or "authority". For example, an organization might have one Authority for "QA" and one for "build". This note is intended to act strictly as a grouping mechanism for the attached occurrences (Attestations). This grouping mechanism also provides a security boundary, since IAM ACLs gate the ability for a principle to attach an occurrence to a given note. It also provides a single point of lookup to find all attached attestation occurrences, even if they don't all live in the same project.

Container for nested types declared in the AttestationNote message type.

This submessage provides human-readable hints about the purpose of the authority. Because the name of a note acts as its resource reference, it is important to disambiguate the canonical name of the Note (which might be a UUID for security purposes) from "readable" names more suitable for debug output. Note that these hints should not be used to look up authorities in security sensitive contexts, such as when looking up attestations to verify.

Occurrence that represents a single "attestation". The authenticity of an attestation can be verified using the attached signature. If the verifier trusts the public key of the signer, then verifying the signature is sufficient to establish trust. In this circumstance, the authority to which this attestation is attached is primarily useful for lookup (how to find this attestation if you already know the authority and artifact to be verified) and intent (for which authority this attestation was intended to sign.

Request to create notes in batch.

Response for creating notes in batch.

Request to create occurrences in batch.

Response for creating occurrences in batch.

Note holding the version of the provider's builder and the signature of the provenance message in the build details occurrence.

Details of a build occurrence.

Provenance of a build. Contains all information needed to verify the full details about the build from source to completion.

Common Vulnerability Scoring System. For details, see https://www.first.org/cvss/specification-document This is a message we will try to use for storing various versions of CVSS rather than making a separate proto for storing a specific version.

Container for nested types declared in the CVSS message type.

Common Vulnerability Scoring System version 3. For details, see https://www.first.org/cvss/specification-document

Container for nested types declared in the CVSSv3 message type.

A CloudRepoSourceContext denotes a particular revision in a Google Cloud Source Repo.

Command describes a step performed as part of the build pipeline.

Indicates that the builder claims certain fields in this message to be complete.

Container for nested types declared in the ComplianceNote message type.

A compliance check that is a CIS benchmark.

An indication that the compliance checks in the associated ComplianceNote were not satisfied for particular resources or a specified reason.

Describes the CIS benchmark version that is applicable to a given OS and os version.

Request to create a new note.

Request to create a new occurrence.

Container for nested types declared in the DSSEAttestationNote message type.

This submessage provides human-readable hints about the purpose of the authority. Because the name of a note acts as its resource reference, it is important to disambiguate the canonical name of the Note (which might be a UUID for security purposes) from "readable" names more suitable for debug output. Note that these hints should not be used to look up authorities in security sensitive contexts, such as when looking up attestations to verify.

Deprecated. Prefer to use a regular Occurrence, and populate the Envelope at the top level of the Occurrence.

Request to delete a note.

Request to delete an occurrence.

An artifact that can be deployed in some runtime.

The period during which some deployable was active in a runtime.

Container for nested types declared in the DeploymentOccurrence message type.

Digest information.

A note that indicates a type of analysis a provider would perform. This note exists in a provider's project. A Discovery occurrence is created in a consumer's project at the start of analysis.

Provides information about the analysis status of a discovered resource.

Container for nested types declared in the DiscoveryOccurrence message type.

Indicates which analysis completed successfully. Multiple types of analysis can be performed on a single resource.

The status of an SBOM generation.

Container for nested types declared in the SBOMStatus message type.

This represents a particular channel of distribution for a given package. E.g., Debian's jessie-backports dpkg mirror.

MUST match https://github.com/secure-systems-lab/dsse/blob/master/envelope.proto. An authenticated message of arbitrary type.

Container message for hashes of byte content of files, used in source messages to verify integrity of source input to the build.

Indicates the location at which a package was found.

A set of properties that uniquely identify a given Docker image.

A SourceContext referring to a Gerrit project.

Request to get a note.

Request to get the note to which the specified occurrence is attached.

Request to get an occurrence.

A GitSourceContext denotes a particular revision in a third party Git repository (e.g., GitHub).

Grafeas API.

Retrieves analysis results of Cloud components such as Docker container images.

Analysis results are stored as a series of occurrences. An Occurrence contains information about a specific analysis instance on a resource. An occurrence refers to a Note. A note contains details describing the analysis and is generally stored in a separate project, called a Provider. Multiple occurrences can refer to the same note.

For example, an SSL vulnerability could affect multiple images. In this case, there would be one note for the vulnerability and an occurrence for each image with the vulnerability referring to that note.

Base class for server-side implementations of Grafeas

Client for Grafeas

Grafeas client wrapper, for convenient use.

Builder class for GrafeasClient to provide simple configuration of credentials, endpoint etc.

Grafeas client wrapper implementation, for convenient use.

Settings for GrafeasClient instances.

Container message for hash values.

Basis describes the base image portion (Note) of the DockerImage relationship. Linked occurrences are derived from this or an equivalent image via: FROM <Basis.resource_url> Or an equivalent reference, e.g., a tag of the resource_url.

Details of the derived image portion of the DockerImage relationship. This image would be produced from a Dockerfile with FROM <DockerImage.Basis in attached Note>.

Container for nested types declared in the InTotoSlsaProvenanceV1 message type.

Keep in sync with schema at https://github.com/slsa-framework/slsa/blob/main/docs/provenance/schema/v1/provenance.proto Builder renamed to ProvenanceBuilder because of Java conflicts.

Spec defined at https://github.com/in-toto/attestation/tree/main/spec#statement The serialized InTotoStatement will be stored as Envelope.payload. Envelope.payloadType is always "application/vnd.in-toto+json".

Layer holds metadata specific to a layer of a Docker image.

License information.

Request to list occurrences for a note.

Response for listing occurrences for a note.

Request to list notes.

Response for listing notes.

Request to list occurrences.

Response for listing occurrences.

An occurrence of a particular package installation found within a system's filesystem. E.g., glibc was found in /var/lib/dpkg/status.

Other properties of the build.

Details about files that caused a compliance check to fail.

A type of analysis that can be done for a resource.

Resource name for the Note resource.

An instance of an analysis type that has been found on a resource.

Resource name for the Occurrence resource.

PackageNote represents a particular package version.

Details on how a particular software package was installed on a system.

Resource name for the Project resource.

Selects a repo using a Google Cloud Platform project ID (e.g., winged-cargo-31) and a repo name within that project.

Steps taken to build the artifact. For a TaskRun, typically each container corresponds to one step in the recipe.

Metadata for any related URL information.

A unique identifier for a Cloud Repo.

The note representing an SBOM reference.

The occurrence representing an SBOM reference as applied to a specific resource. The occurrence follows the DSSE specification. See https://github.com/secure-systems-lab/dsse/blob/master/envelope.md for more details.

The actual payload that contains the SBOM Reference data. The payload follows the intoto statement specification. See https://github.com/in-toto/attestation/blob/main/spec/v1.0/statement.md for more details.

A predicate which describes the SBOM being referenced.

Verifiers (e.g. Kritis implementations) MUST verify signatures with respect to the trust anchors defined in policy (e.g. a Kritis policy). Typically this means that the verifier has been configured with a map from public_key_id to public key material (and any required parameters, e.g. signing algorithm).

In particular, verification implementations MUST NOT treat the signature public_key_id as anything more than a key lookup hint. The public_key_id DOES NOT validate or authenticate a public key; it only provides a mechanism for quickly selecting a public key ALREADY CONFIGURED on the verifier through a trusted channel. Verification implementations MUST reject signatures in any of the following circumstances:

• The public_key_id is not recognized by the verifier.
• The public key that public_key_id refers to does not verify the signature with respect to the payload.

The signature contents SHOULD NOT be "attached" (where the payload is included with the serialized signature bytes). Verifiers MUST ignore any "attached" payload and only verify signatures with respect to explicitly provided payload (e.g. a payload field on the proto message that holds this Signature, or the canonical serialization of the proto message that holds this signature).

Container for nested types declared in the SlsaProvenance message type.

Indicates that the builder claims certain fields in this message to be complete.

Other properties of the build.

Steps taken to build the artifact. For a TaskRun, typically each container corresponds to one step in the recipe.

See full explanation of fields at slsa.dev/provenance/v0.2.

Container for nested types declared in the SlsaProvenanceZeroTwo message type.

Identifies the entity that executed the recipe, which is trusted to have correctly performed the operation and populated this provenance.

Indicates that the builder claims certain fields in this message to be complete.

Describes where the config file that kicked off the build came from. This is effectively a pointer to the source where buildConfig came from.

Identifies the event that kicked off the build.

The collection of artifacts that influenced the build including sources, dependencies, build tools, base images, and so on.

Other properties of the build.

Source describes the location of the source used for the build.

A SourceContext is a reference to a tree of files. A SourceContext together with a path point to a unique revision of a single file or directory.

Request to update a note.

Request to update an occurrence.

The Upgrade Distribution represents metadata about the Upgrade for each operating system (CPE). Some distributions have additional metadata around updates, classifying them into various categories and severities.

An Upgrade Note represents a potential upgrade of a package to a given version. For each package version combination (i.e. bash 4.0, bash 4.1, bash 4.1.2), there will be an Upgrade Note. For Windows, windows_update field represents the information related to the update.

An Upgrade Occurrence represents that a specific resource_url could install a specific upgrade. This presence is supplied via local sources (i.e. it is present in the mirror and the running system has noticed its availability). For Windows, both distribution and windows_update contain information for the Windows update.

Version contains structured information about the version of a package.

Container for nested types declared in the Version message type.

A single VulnerabilityAssessmentNote represents one particular product's vulnerability assessment for one CVE.

Container for nested types declared in the VulnerabilityAssessmentNote message type.

Assessment provides all information that is related to a single vulnerability for this product.

Container for nested types declared in the Assessment message type.

Justification provides the justification when the state of the assessment if NOT_AFFECTED.

Container for nested types declared in the Justification message type.

Specifies details on how to handle (and presumably, fix) a vulnerability.

Container for nested types declared in the Remediation message type.

Product contains information about a product and how to uniquely identify it. (-- api-linter: core::0123::resource-annotation=disabled aip.dev/not-precedent: Product is not a separate resource. --)

Publisher contains information about the publisher of this Note. (-- api-linter: core::0123::resource-annotation=disabled aip.dev/not-precedent: Publisher is not a separate resource. --)

A security vulnerability that can be found in resources.

Container for nested types declared in the VulnerabilityNote message type.

A detail for a distro and package affected by this vulnerability and its associated fix (if one is available).

Container for nested types declared in the WindowsDetail message type.

An occurrence of a severity vulnerability on a resource.

Container for nested types declared in the VulnerabilityOccurrence message type.

A detail for a distro and package this vulnerability occurrence was found in and its associated fix (if one is available).

VexAssessment provides all publisher provided Vex information that is related to this vulnerability.

Windows Update represents the metadata about the update for the Windows operating system. The fields in this message come from the Windows Update API documented at https://docs.microsoft.com/en-us/windows/win32/api/wuapi/nn-wuapi-iupdate.

Container for nested types declared in the WindowsUpdate message type.

The category to which the update belongs.

The unique identifier of the update.

The type of an alias.

Instruction set architectures supported by various package managers.

CVSS Version.

Enum of possible cases for the "revision" oneof.

Enum of possible cases for the "compliance_type" oneof.

Enum of possible cases for the "potential_impact" oneof.

Enum of possible cases for the "decoded_payload" oneof.

Types of platforms.

Analysis status for a resource. Currently for initial analysis only (not updated in continuous analysis).

Whether the resource is continuously analyzed.

An enum indicating the progress of the SBOM generation.

Enum of possible cases for the "revision" oneof.

Enum of possible cases for the "predicate" oneof.

Enum of possible cases for the "type" oneof.

Kind represents the kinds of notes supported.

The possible contents of NoteName.

Enum of possible cases for the "details" oneof.

The possible contents of OccurrenceName.

The possible contents of ProjectName.

Enum of possible cases for the "id" oneof.

Note provider assigned severity/impact ranking.

Enum of possible cases for the "context" oneof.

Whether this is an ordinary package version or a sentinel MIN/MAX version.

Provides the type of justification.

The type of remediation that can be applied.

Provides the state of this Vulnerability assessment.

Enum of possible cases for the "identifier" oneof.