Package-level declarations

Indicates which analysis completed successfully. Multiple types of analysis can be performed on a single resource.

Builder for AnalysisCompletedArgs.

Artifact describes a build product.

Builder for ArtifactArgs.

Assessment provides all information that is related to a single vulnerability for this product.

Builder for AssessmentArgs.

Occurrence that represents a single "attestation". The authenticity of an Attestation can be verified using the attached signature. If the verifier trusts the public key of the signer, then verifying the signature is sufficient to establish trust. In this circumstance, the AttestationAuthority to which this Attestation is attached is primarily useful for look-up (how to find this Attestation if you already know the Authority and artifact to be verified) and intent (which authority was this attestation intended to sign for).

Builder for AttestationArgs.

Note kind that represents a logical attestation "role" or "authority". For example, an organization might have one AttestationAuthority for "QA" and one for "build". This Note is intended to act strictly as a grouping mechanism for the attached Occurrences (Attestations). This grouping mechanism also provides a security boundary, since IAM ACLs gate the ability for a principle to attach an Occurrence to a given Note. It also provides a single point of lookup to find all attached Attestation Occurrences, even if they don't all live in the same project.

Builder for AttestationAuthorityArgs.

This submessage provides human-readable hints about the purpose of the AttestationAuthority. Because the name of a Note acts as its resource reference, it is important to disambiguate the canonical name of the Note (which might be a UUID for security purposes) from "readable" names more suitable for debug output. Note that these hints should NOT be used to look up AttestationAuthorities in security sensitive contexts, such as when looking up Attestations to verify.

Builder for AttestationAuthorityHintArgs.

Basis describes the base image portion (Note) of the DockerImage relationship. Linked occurrences are derived from this or an equivalent image via: FROM Or an equivalent reference, e.g. a tag of the resource_url.

Builder for BasisArgs.

Associates members, or principals, with a role.

Builder for BindingArgs.

Message encapsulating build provenance details.

Builder for BuildDetailsArgs.

Builder for BuilderConfigArgs.

Provenance of a build. Contains all information needed to verify the full details about the build from source to completion.

Builder for BuildProvenanceArgs.

Message encapsulating the signature of the verified build.

Builder for BuildSignatureArgs.

Note holding the version of the provider's builder and the signature of the provenance message in linked BuildDetails.

Builder for BuildTypeArgs.

A compliance check that is a CIS benchmark.

Builder for CisBenchmarkArgs.

Command describes a step performed as part of the build pipeline.

Builder for CommandArgs.

Indicates that the builder claims certain fields in this message to be complete.

Builder for CompletenessArgs.

ComplianceNote encapsulates all information about a specific compliance check.

Builder for ComplianceNoteArgs.

An indication that the compliance checks in the associated ComplianceNote were not satisfied for particular resources or a specified reason.

Builder for ComplianceOccurrenceArgs.

Describes the CIS benchmark version that is applicable to a given OS and os version.

Builder for ComplianceVersionArgs.

Common Vulnerability Scoring System. This message is compatible with CVSS v2 and v3. For CVSS v2 details, see https://www.first.org/cvss/v2/guide CVSS v2 calculator: https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator For CVSS v3 details, see https://www.first.org/cvss/specification-document CVSS v3 calculator: https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator

Builder for CVSSArgs.

An artifact that can be deployed in some runtime.

Builder for DeployableArgs.

The period during which some deployable was active in a runtime.

Builder for DeploymentArgs.

Derived describes the derived image portion (Occurrence) of the DockerImage relationship. This image would be produced from a Dockerfile with FROM .

Builder for DerivedArgs.

Identifies all occurrences of this vulnerability in the package for a specific distro/location For example: glibc in cpe:/o:debian:debian_linux:8 for versions 2.1 - 2.2

Builder for DetailArgs.

Digest information.

Builder for DigestArgs.

Provides information about the scan status of a discovered resource.

Builder for DiscoveredArgs.

A note that indicates a type of analysis a provider would perform. This note exists in a provider's project. A Discovery occurrence is created in a consumer's project at the start of analysis. The occurrence's operation will indicate the status of the analysis. Absence of an occurrence linked to this note for a resource indicates that analysis hasn't started.

Builder for DiscoveryArgs.

This represents a particular channel of distribution for a given package. e.g. Debian's jessie-backports dpkg mirror

Builder for DistributionArgs.

DocumentNote represents an SPDX Document Creation Infromation section: https://spdx.github.io/spdx-spec/2-document-creation-information/

Builder for DocumentNoteArgs.

DocumentOccurrence represents an SPDX Document Creation Information section: https://spdx.github.io/spdx-spec/2-document-creation-information/

Builder for DocumentOccurrenceArgs.

A note describing an attestation

Builder for DSSEAttestationNoteArgs.

An occurrence describing an attestation on a resource

Builder for DSSEAttestationOccurrenceArgs.

This submessage provides human-readable hints about the purpose of the authority. Because the name of a note acts as its resource reference, it is important to disambiguate the canonical name of the Note (which might be a UUID for security purposes) from "readable" names more suitable for debug output. Note that these hints should not be used to look up authorities in security sensitive contexts, such as when looking up attestations to verify.

Builder for DSSEHintArgs.

MUST match https://github.com/secure-systems-lab/dsse/blob/master/envelope.proto. An authenticated message of arbitrary type.

Builder for EnvelopeArgs.

A DSSE signature

Builder for EnvelopeSignatureArgs.

Represents a textual expression in the Common Expression Language (CEL) syntax. CEL is a C-like expression language. The syntax and semantics of CEL are documented at https://github.com/google/cel-spec. Example (Comparison): title: "Summary size limit" description: "Determines if a summary is less than 100 chars" expression: "document.summary.size() < 100" Example (Equality): title: "Requestor is owner" description: "Determines if requestor is the document owner" expression: "document.owner == request.auth.claims.email" Example (Logic): title: "Public documents" description: "Determine whether the document should be publicly visible" expression: "document.type != 'private' && document.type != 'internal'" Example (Data Manipulation): title: "Notification string" description: "Create a notification string with a timestamp." expression: "'New message received at ' + string(document.create_time)" The exact variables and functions that may be referenced within an expression are determined by the service that evaluates it. See the service documentation for additional information.

Builder for ExprArgs.

An External Reference allows a Package to reference an external source of additional information, metadata, enumerations, asset identifiers, or downloadable content believed to be relevant to the Package

Builder for ExternalRefArgs.

Indicates the location at which a package was found.

Builder for FileLocationArgs.

FileNote represents an SPDX File Information section: https://spdx.github.io/spdx-spec/4-file-information/

Builder for FileNoteArgs.

FileOccurrence represents an SPDX File Information section: https://spdx.github.io/spdx-spec/4-file-information/

Builder for FileOccurrenceArgs.

A set of properties that uniquely identify a given Docker image.

Builder for FingerprintArgs.

Builder for GetNoteIamPolicyPlainArgs.

Builder for GetNotePlainArgs.

Builder for GetOccurrenceIamPolicyPlainArgs.

Builder for GetOccurrencePlainArgs.

Builder for GetProviderNoteIamPolicyPlainArgs.

An alias to a repo revision.

Builder for GoogleDevtoolsContaineranalysisV1alpha1AliasContextArgs.

A CloudRepoSourceContext denotes a particular revision in a Google Cloud Source Repo.

Builder for GoogleDevtoolsContaineranalysisV1alpha1CloudRepoSourceContextArgs.

A SourceContext referring to a Gerrit project.

Builder for GoogleDevtoolsContaineranalysisV1alpha1GerritSourceContextArgs.

A GitSourceContext denotes a particular revision in a third party Git repository (e.g., GitHub).

Builder for GoogleDevtoolsContaineranalysisV1alpha1GitSourceContextArgs.

Selects a repo using a Google Cloud Platform project ID (e.g., winged-cargo-31) and a repo name within that project.

Builder for GoogleDevtoolsContaineranalysisV1alpha1ProjectRepoIdArgs.

A unique identifier for a Cloud Repo.

Builder for GoogleDevtoolsContaineranalysisV1alpha1RepoIdArgs.

Identifies the entity that executed the recipe, which is trusted to have correctly performed the operation and populated this provenance.

Builder for GoogleDevtoolsContaineranalysisV1alpha1SlsaProvenanceZeroTwoSlsaBuilderArgs.

Indicates that the builder claims certain fields in this message to be complete.

Builder for GoogleDevtoolsContaineranalysisV1alpha1SlsaProvenanceZeroTwoSlsaCompletenessArgs.

Describes where the config file that kicked off the build came from. This is effectively a pointer to the source where buildConfig came from.

Builder for GoogleDevtoolsContaineranalysisV1alpha1SlsaProvenanceZeroTwoSlsaConfigSourceArgs.

Identifies the event that kicked off the build.

Builder for GoogleDevtoolsContaineranalysisV1alpha1SlsaProvenanceZeroTwoSlsaInvocationArgs.

The collection of artifacts that influenced the build including sources, dependencies, build tools, base images, and so on.

Builder for GoogleDevtoolsContaineranalysisV1alpha1SlsaProvenanceZeroTwoSlsaMaterialArgs.

Other properties of the build.

Builder for GoogleDevtoolsContaineranalysisV1alpha1SlsaProvenanceZeroTwoSlsaMetadataArgs.

A SourceContext is a reference to a tree of files. A SourceContext together with a path point to a unique revision of a single file or directory.

Builder for GoogleDevtoolsContaineranalysisV1alpha1SourceContextArgs.

Container message for hash values.

Builder for HashArgs.

Helps in identifying the underlying product. This should be treated like a one-of field. Only one field should be set in this proto. This is a workaround because spanner indexes on one-of fields restrict addition and deletion of fields.

Builder for IdentifierHelperArgs.

This represents how a particular software package may be installed on a system.

Builder for InstallationArgs.

Builder for InTotoProvenanceArgs.

Spec defined at https://github.com/in-toto/attestation/tree/main/spec#statement The serialized InTotoStatement will be stored as Envelope.payload. Envelope.payloadType is always "application/vnd.in-toto+json".

Builder for InTotoStatementArgs.

Justification provides the justification when the state of the assessment if NOT_AFFECTED.

Builder for JustificationArgs.

Layer holds metadata specific to a layer of a Docker image.

Builder for LayerArgs.

License information.

Builder for LicenseArgs.

An occurrence of a particular package installation found within a system's filesystem. e.g. glibc was found in /var/lib/dpkg/status

Builder for LocationArgs.

Material is a material used in the generation of the provenance

Builder for MaterialArgs.

Other properties of the build.

Builder for MetadataArgs.

Details about files that caused a compliance check to fail.

Builder for NonCompliantFileArgs.

This represents a particular package that is distributed over various channels. e.g. glibc (aka libc6) is distributed by many, at various versions.

Builder for PackageArgs.