Package-level declarations
Types
An alias to a repo revision.
Builder for AliasContextArgs.
Indicates which analysis completed successfully. Multiple types of analysis can be performed on a single resource.
Builder for AnalysisCompletedArgs.
Artifact describes a build product.
Builder for ArtifactArgs.
Assessment provides all information that is related to a single vulnerability for this product.
Builder for AssessmentArgs.
Note kind that represents a logical attestation "role" or "authority". For example, an organization might have one Authority for "QA" and one for "build". This note is intended to act strictly as a grouping mechanism for the attached occurrences (Attestations). This grouping mechanism also provides a security boundary, since IAM ACLs gate the ability for a principle to attach an occurrence to a given note. It also provides a single point of lookup to find all attached attestation occurrences, even if they don't all live in the same project.
Builder for AttestationNoteArgs.
Occurrence that represents a single "attestation". The authenticity of an attestation can be verified using the attached signature. If the verifier trusts the public key of the signer, then verifying the signature is sufficient to establish trust. In this circumstance, the authority to which this attestation is attached is primarily useful for lookup (how to find this attestation if you already know the authority and artifact to be verified) and intent (for which authority this attestation was intended to sign.
Builder for AttestationOccurrenceArgs.
Associates members, or principals, with a role.
Builder for BindingArgs.
Builder for BuilderConfigArgs.
Note holding the version of the provider's builder and the signature of the provenance message in the build details occurrence.
Builder for BuildNoteArgs.
Details of a build occurrence.
Builder for BuildOccurrenceArgs.
Provenance of a build. Contains all information needed to verify the full details about the build from source to completion.
Builder for BuildProvenanceArgs.
The category to which the update belongs.
Builder for CategoryArgs.
A compliance check that is a CIS benchmark.
Builder for CisBenchmarkArgs.
A CloudRepoSourceContext denotes a particular revision in a Google Cloud Source Repo.
Builder for CloudRepoSourceContextArgs.
Command describes a step performed as part of the build pipeline.
Builder for CommandArgs.
Indicates that the builder claims certain fields in this message to be complete.
Builder for CompletenessArgs.
Builder for ComplianceNoteArgs.
An indication that the compliance checks in the associated ComplianceNote were not satisfied for particular resources or a specified reason.
Builder for ComplianceOccurrenceArgs.
Describes the CIS benchmark version that is applicable to a given OS and os version.
Builder for ComplianceVersionArgs.
Common Vulnerability Scoring System. For details, see https://www.first.org/cvss/specification-document This is a message we will try to use for storing various versions of CVSS rather than making a separate proto for storing a specific version.
Builder for CVSSArgs.
Common Vulnerability Scoring System version 3. For details, see https://www.first.org/cvss/specification-document
Builder for CVSSv3Args.
An artifact that can be deployed in some runtime.
Builder for DeploymentNoteArgs.
The period during which some deployable was active in a runtime.
Builder for DeploymentOccurrenceArgs.
A detail for a distro and package affected by this vulnerability and its associated fix (if one is available).
Builder for DetailArgs.
Digest information.
Builder for DigestArgs.
A note that indicates a type of analysis a provider would perform. This note exists in a provider's project. A Discovery occurrence is created in a consumer's project at the start of analysis.
Builder for DiscoveryNoteArgs.
Provides information about the analysis status of a discovered resource.
Builder for DiscoveryOccurrenceArgs.
This represents a particular channel of distribution for a given package. E.g., Debian's jessie-backports dpkg mirror.
Builder for DistributionArgs.
Builder for DSSEAttestationNoteArgs.
Deprecated. Prefer to use a regular Occurrence, and populate the Envelope at the top level of the Occurrence.
Builder for DSSEAttestationOccurrenceArgs.
This submessage provides human-readable hints about the purpose of the authority. Because the name of a note acts as its resource reference, it is important to disambiguate the canonical name of the Note (which might be a UUID for security purposes) from "readable" names more suitable for debug output. Note that these hints should not be used to look up authorities in security sensitive contexts, such as when looking up attestations to verify.
Builder for DSSEHintArgs.
MUST match https://github.com/secure-systems-lab/dsse/blob/master/envelope.proto. An authenticated message of arbitrary type.
Builder for EnvelopeArgs.
Builder for EnvelopeSignatureArgs.
Represents a textual expression in the Common Expression Language (CEL) syntax. CEL is a C-like expression language. The syntax and semantics of CEL are documented at https://github.com/google/cel-spec. Example (Comparison): title: "Summary size limit" description: "Determines if a summary is less than 100 chars" expression: "document.summary.size() < 100" Example (Equality): title: "Requestor is owner" description: "Determines if requestor is the document owner" expression: "document.owner == request.auth.claims.email" Example (Logic): title: "Public documents" description: "Determine whether the document should be publicly visible" expression: "document.type != 'private' && document.type != 'internal'" Example (Data Manipulation): title: "Notification string" description: "Create a notification string with a timestamp." expression: "'New message received at ' + string(document.create_time)" The exact variables and functions that may be referenced within an expression are determined by the service that evaluates it. See the service documentation for additional information.
Builder for ExprArgs.
A set of properties that uniquely identify a given Docker image.
Builder for FingerprintArgs.
A SourceContext referring to a Gerrit project.
Builder for GerritSourceContextArgs.
Builder for GetNoteIamPolicyPlainArgs.
Builder for GetNotePlainArgs.
Builder for GetOccurrenceIamPolicyPlainArgs.
Builder for GetOccurrencePlainArgs.
A GitSourceContext denotes a particular revision in a third party Git repository (e.g., GitHub).
Builder for GitSourceContextArgs.
Indicates the location at which a package was found.
Builder for GrafeasV1FileLocationArgs.
Identifies the entity that executed the recipe, which is trusted to have correctly performed the operation and populated this provenance.
Indicates that the builder claims certain fields in this message to be complete.
Describes where the config file that kicked off the build came from. This is effectively a pointer to the source where buildConfig came from.
Identifies the event that kicked off the build.
The collection of artifacts that influenced the build including sources, dependencies, build tools, base images, and so on.
Other properties of the build.
This submessage provides human-readable hints about the purpose of the authority. Because the name of a note acts as its resource reference, it is important to disambiguate the canonical name of the Note (which might be a UUID for security purposes) from "readable" names more suitable for debug output. Note that these hints should not be used to look up authorities in security sensitive contexts, such as when looking up attestations to verify.
Builder for HintArgs.
The unique identifier of the update.
Builder for IdentityArgs.
Basis describes the base image portion (Note) of the DockerImage relationship. Linked occurrences are derived from this or an equivalent image via: FROM Or an equivalent reference, e.g., a tag of the resource_url.
Builder for ImageNoteArgs.
Details of the derived image portion of the DockerImage relationship. This image would be produced from a Dockerfile with FROM .
Builder for ImageOccurrenceArgs.
Builder for InTotoProvenanceArgs.
Spec defined at https://github.com/in-toto/attestation/tree/main/spec#statement The serialized InTotoStatement will be stored as Envelope.payload. Envelope.payloadType is always "application/vnd.in-toto+json".
Builder for InTotoStatementArgs.
Justification provides the justification when the state of the assessment if NOT_AFFECTED.
Builder for JustificationArgs.
Builder for JwtArgs.
Builder for KnowledgeBaseArgs.
Builder for LayerArgs.
License information.
Builder for LicenseArgs.
An occurrence of a particular package installation found within a system's filesystem. E.g., glibc was found in /var/lib/dpkg/status.
Builder for LocationArgs.
Builder for MaterialArgs.
Other properties of the build.
Builder for MetadataArgs.
Details about files that caused a compliance check to fail. display_command is a single command that can be used to display a list of non compliant files. When there is no such command, we can also iterate a list of non compliant file using 'path'.
Builder for NonCompliantFileArgs.
A detail for a distro and package this vulnerability occurrence was found in and its associated fix (if one is available).
Builder for PackageIssueArgs.
PackageNote represents a particular package version.
Builder for PackageNoteArgs.
Details on how a particular software package was installed on a system.
Builder for PackageOccurrenceArgs.
Product contains information about a product and how to uniquely identify it.
Builder for ProductArgs.
Selects a repo using a Google Cloud Platform project ID (e.g., winged-cargo-31) and a repo name within that project.
Builder for ProjectRepoIdArgs.
Publisher contains information about the publisher of this Note.
Builder for PublisherArgs.
Steps taken to build the artifact. For a TaskRun, typically each container corresponds to one step in the recipe.
Builder for RecipeArgs.
Metadata for any related URL information.
Builder for RelatedUrlArgs.
Specifies details on how to handle (and presumably, fix) a vulnerability.
Builder for RemediationArgs.
A unique identifier for a Cloud Repo.
Builder for RepoIdArgs.
The actual payload that contains the SBOM Reference data. The payload follows the intoto statement specification. See https://github.com/in-toto/attestation/blob/main/spec/v1.0/statement.md for more details.
Builder for SbomReferenceIntotoPayloadArgs.
A predicate which describes the SBOM being referenced.
Builder for SbomReferenceIntotoPredicateArgs.
The note representing an SBOM reference.
Builder for SBOMReferenceNoteArgs.
The occurrence representing an SBOM reference as applied to a specific resource. The occurrence follows the DSSE specification. See https://github.com/secure-systems-lab/dsse/blob/master/envelope.md for more details.
Builder for SBOMReferenceOccurrenceArgs.
Verifiers (e.g. Kritis implementations) MUST verify signatures with respect to the trust anchors defined in policy (e.g. a Kritis policy). Typically this means that the verifier has been configured with a map from public_key_id to public key material (and any required parameters, e.g. signing algorithm). In particular, verification implementations MUST NOT treat the signature public_key_id as anything more than a key lookup hint. The public_key_id DOES NOT validate or authenticate a public key; it only provides a mechanism for quickly selecting a public key ALREADY CONFIGURED on the verifier through a trusted channel. Verification implementations MUST reject signatures in any of the following circumstances: * The public_key_id is not recognized by the verifier. * The public key that public_key_id refers to does not verify the signature with respect to the payload. The signature contents SHOULD NOT be "attached" (where the payload is included with the serialized signature bytes). Verifiers MUST ignore any "attached" payload and only verify signatures with respect to explicitly provided payload (e.g. a payload field on the proto message that holds this Signature, or the canonical serialization of the proto message that holds this signature).
Builder for SignatureArgs.
Builder for SlsaBuilderArgs.
Indicates that the builder claims certain fields in this message to be complete.
Builder for SlsaCompletenessArgs.
Other properties of the build.
Builder for SlsaMetadataArgs.
Builder for SlsaProvenanceArgs.
See full explanation of fields at slsa.dev/provenance/v0.2.
Builder for SlsaProvenanceZeroTwoArgs.
Steps taken to build the artifact. For a TaskRun, typically each container corresponds to one step in the recipe.
Builder for SlsaRecipeArgs.
Source describes the location of the source used for the build.
Builder for SourceArgs.
A SourceContext is a reference to a tree of files. A SourceContext together with a path point to a unique revision of a single file or directory.
Builder for SourceContextArgs.
The Status type defines a logical error model that is suitable for different programming environments, including REST APIs and RPC APIs. It is used by gRPC. Each Status message contains three pieces of data: error code, error message, and error details. You can find out more about this error model and how to work with it in the API Design Guide.
Builder for StatusArgs.
Builder for SubjectArgs.
The Upgrade Distribution represents metadata about the Upgrade for each operating system (CPE). Some distributions have additional metadata around updates, classifying them into various categories and severities.
Builder for UpgradeDistributionArgs.
An Upgrade Note represents a potential upgrade of a package to a given version. For each package version combination (i.e. bash 4.0, bash 4.1, bash 4.1.2), there will be an Upgrade Note. For Windows, windows_update field represents the information related to the update.
Builder for UpgradeNoteArgs.
An Upgrade Occurrence represents that a specific resource_url could install a specific upgrade. This presence is supplied via local sources (i.e. it is present in the mirror and the running system has noticed its availability). For Windows, both distribution and windows_update contain information for the Windows update.
Builder for UpgradeOccurrenceArgs.
Version contains structured information about the version of a package.
Builder for VersionArgs.
VexAssessment provides all publisher provided Vex information that is related to this vulnerability.
Builder for VexAssessmentArgs.
A single VulnerabilityAssessmentNote represents one particular product's vulnerability assessment for one CVE.
Builder for VulnerabilityAssessmentNoteArgs.
A security vulnerability that can be found in resources.
Builder for VulnerabilityNoteArgs.
An occurrence of a severity vulnerability on a resource.
Builder for VulnerabilityOccurrenceArgs.
Builder for WindowsDetailArgs.
Windows Update represents the metadata about the update for the Windows operating system. The fields in this message come from the Windows Update API documented at https://docs.microsoft.com/en-us/windows/win32/api/wuapi/nn-wuapi-iupdate.
Builder for WindowsUpdateArgs.