Champs de métadonnées de sécurité

Cette page fournit des exemples de métadonnées de sécurité que vous pouvez télécharger à partir de Cloud Storage, ainsi qu'une explication des champs de métadonnées.

Cette page ne s'applique qu'au niveau payant d'Assured OSS.

Métadonnées de sécurité

{
    "overview": {
        "refreshTime": "string",        // when was the data last refreshed
        "originValidated": boolean,     // is the origin of the binary validated
        "builtByAssuredOSS": boolean,   // is the binary built by Assured OSS
        "transitivelyClosed": boolean,  // are all package dependencies (direct and indirect) also built by Assured OSS
        "SCADataAvailable": boolean,    // is dependency information available
        "SBOMAvailable": boolean,       // is the SBOM present in SPDX-2.3 format
        "VEXAvailable": boolean,        // is the VEX information present in CycloneDX 1.4 format
        "licenseScanned": boolean,      // is the license information present
        "fuzzTestedByGoogle": boolean   // was the package fuzz tested by Google
    },
    "buildInfo": "string",              // build information document (structure shown below), which includes the SPDX SBOM
    "buildInfoSignature": {
        "certInfo": {
            "cert": "string",           // certificate for verifying build info
            "certChain": "string"       // certificate chain for verifying build info
        },
        "digest": [
            {
                "digest": "string",     // digest of the build info
                "algorithm": "string"   // algorithm used for hashing
            }
        ],
        "signature": [
            {
                "signature": "string",  // signature of the digest
                "algorithm": "string"   // algorithm used for signing
            }
        ]
    },
    "vexInfo": "string",                // VEX information document (structure shown below), which includes the CycloneDX VEX data
    "vexInfoSignature": {
        "certInfo": {
            "cert": "string",           // certificate for verifying vex info
            "certChain": "string"       // certificate chain for verifying vex info
        },
        "digest": [
            {
                "digest": "string",     // digest of the vex info
                "algorithm": "string"   // algorithm used for hashing
            }
        ],
        "signature": [
            {
                "signature": "string",  // signature of the digest
                "algorithm": "string"   // algorithm used for signing
            }
        ]
    },
    "healthInfo": "string",             // health information document (structure shown below)
    "healthInfoSignature": {
        "certInfo": {
            "cert": "string",           // certificate for verifying health info
            "certChain": "string"       // certificate chain for verifying health info
        },
        "digest": [
            {
                "digest": "string",     // digest of the health info
                "algorithm": "string"   // algorithm used for hashing
            }
        ],
        "signature": [
            {
                "signature": "string",  // signature of the digest
                "algorithm": "string"   // algorithm used for signing
            }
        ]
    }
}

Informations sur la compilation

{
  "creationTime": "string",    // time of creation of document (RFC 3339)
  "refreshTime": "string",     // time when the data was refreshed (RFC 3339)
  "buildDetails": [
    {
      "packageFileName": "string",  // the name of the file to which the build details apply
      "slsaLevel": "string",        // SLSA level adhered to by the build system
      "buildTool": "string",
      "transitiveClosureState": "string",  // ENUM indicating whether all build dependencies of the package (direct or indirect) are also present in Assured OSS's portfolio. It has two values: CLOSED if all dependencies are present, otherwise OPEN.
      "buildProvenances": [
        {
          "provenanceVersion": "string",  // version of SLSA provenance
          "provenance": "string",         // string representation of build provenance in "provenanceVersion" format
          "provenancePublicKey": "string", // public key used for verifying the signatures of the provenance
          "envelope": {  // a DSSE envelope that can be used to verify the integrity of the provenance document; it is also generated by Cloud Build
            "payload": "string",
            "payloadType": "string",
            "signatures": [
              {
                "sig": "string",
                "keyid": "string"
              }
            ]
          }
        }
      ]
    }
  ],
  "sourceInfo": [
    {
      "sourceUrl": "string",  // the GitHub URL of the source repository
      "commitHash": "string", // the commit hash attached to the release
      "tag": "string",        // release tag associated with the package-version
      "host": {
        "name": "string"      // name of the system that hosts the source code, such as GitHub
      },
      "commitTime": "string"  // time of commit (RFC 3339)
    }
  ],
  "sbom": "string",           // SBOM string in SPDX-2.3 format
  "creator": {
    "name": "string", // the name of the organization that created this document
    "email": "string" // the organization's contact email address for queries or complaints
  }
}

Informations VEX

{
  "creationTime": "string",    // time of creation of document (RFC 3339)
  "refreshTime": "string",     // time when the data was refreshed (RFC 3339)
  "vexData": "string",  // Vulnerability Exploitability eXchange (VEX) string in CycloneDX 1.4 format
  "creator": {
    "name": "string", // the name of the organization that created this document
    "email": "string" // the organization's contact email address for queries or complaints
  }
}

Informations d'intégrité

{
  "creationTime": "string",    // time of creation of document (RFC 3339)
  "refreshTime": "string",     // time when the data was refreshed (RFC 3339)
  "testingData": [
    {
      "testType": "string",   // the type of test that was performed, for example FUZZ
      "tool": {
        "name": "string"      // the name of the tool that was used to perform the test
      },
      "testStatus": "string"  // the status of the test: TESTED (testing was executed), UNTESTED (the package was not tested), or NOT_REQUIRED (testing was not required for the package; for example, fuzz testing is not required for a package that contains only interfaces)
    }
  ],
  "creator": {
    "name": "string", // the name of the organization that created this document
    "email": "string" // the organization's contact email address for queries or complaints
  }
}

Étapes suivantes