Package-level declarations

Indicates which analysis completed successfully. Multiple types of analysis can be performed on a single resource.

Artifact describes a build product.

Assessment provides all information that is related to a single vulnerability for this product.

This submessage provides human-readable hints about the purpose of the AttestationAuthority. Because the name of a Note acts as its resource reference, it is important to disambiguate the canonical name of the Note (which might be a UUID for security purposes) from "readable" names more suitable for debug output. Note that these hints should NOT be used to look up AttestationAuthorities in security sensitive contexts, such as when looking up Attestations to verify.

Note kind that represents a logical attestation "role" or "authority". For example, an organization might have one AttestationAuthority for "QA" and one for "build". This Note is intended to act strictly as a grouping mechanism for the attached Occurrences (Attestations). This grouping mechanism also provides a security boundary, since IAM ACLs gate the ability for a principle to attach an Occurrence to a given Note. It also provides a single point of lookup to find all attached Attestation Occurrences, even if they don't all live in the same project.

Occurrence that represents a single "attestation". The authenticity of an Attestation can be verified using the attached signature. If the verifier trusts the public key of the signer, then verifying the signature is sufficient to establish trust. In this circumstance, the AttestationAuthority to which this Attestation is attached is primarily useful for look-up (how to find this Attestation if you already know the Authority and artifact to be verified) and intent (which authority was this attestation intended to sign for).

Basis describes the base image portion (Note) of the DockerImage relationship. Linked occurrences are derived from this or an equivalent image via: FROM Or an equivalent reference, e.g. a tag of the resource_url.

Associates members, or principals, with a role.

Message encapsulating build provenance details.

Provenance of a build. Contains all information needed to verify the full details about the build from source to completion.

Message encapsulating the signature of the verified build.

Note holding the version of the provider's builder and the signature of the provenance message in linked BuildDetails.

A compliance check that is a CIS benchmark.

Command describes a step performed as part of the build pipeline.

Indicates that the builder claims certain fields in this message to be complete.

ComplianceNote encapsulates all information about a specific compliance check.

An indication that the compliance checks in the associated ComplianceNote were not satisfied for particular resources or a specified reason.

Describes the CIS benchmark version that is applicable to a given OS and os version.

Common Vulnerability Scoring System. This message is compatible with CVSS v2 and v3. For CVSS v2 details, see https://www.first.org/cvss/v2/guide CVSS v2 calculator: https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator For CVSS v3 details, see https://www.first.org/cvss/specification-document CVSS v3 calculator: https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator

An artifact that can be deployed in some runtime.

The period during which some deployable was active in a runtime.

Derived describes the derived image portion (Occurrence) of the DockerImage relationship. This image would be produced from a Dockerfile with FROM .

Identifies all occurrences of this vulnerability in the package for a specific distro/location For example: glibc in cpe:/o:debian:debian_linux:8 for versions 2.1 - 2.2

Digest information.

Provides information about the scan status of a discovered resource.

A note that indicates a type of analysis a provider would perform. This note exists in a provider's project. A Discovery occurrence is created in a consumer's project at the start of analysis. The occurrence's operation will indicate the status of the analysis. Absence of an occurrence linked to this note for a resource indicates that analysis hasn't started.

This represents a particular channel of distribution for a given package. e.g. Debian's jessie-backports dpkg mirror

DocumentNote represents an SPDX Document Creation Infromation section: https://spdx.github.io/spdx-spec/2-document-creation-information/

DocumentOccurrence represents an SPDX Document Creation Information section: https://spdx.github.io/spdx-spec/2-document-creation-information/

A note describing an attestation

An occurrence describing an attestation on a resource

This submessage provides human-readable hints about the purpose of the authority. Because the name of a note acts as its resource reference, it is important to disambiguate the canonical name of the Note (which might be a UUID for security purposes) from "readable" names more suitable for debug output. Note that these hints should not be used to look up authorities in security sensitive contexts, such as when looking up attestations to verify.

MUST match https://github.com/secure-systems-lab/dsse/blob/master/envelope.proto. An authenticated message of arbitrary type.

A DSSE signature

Represents a textual expression in the Common Expression Language (CEL) syntax. CEL is a C-like expression language. The syntax and semantics of CEL are documented at https://github.com/google/cel-spec. Example (Comparison): title: "Summary size limit" description: "Determines if a summary is less than 100 chars" expression: "document.summary.size() < 100" Example (Equality): title: "Requestor is owner" description: "Determines if requestor is the document owner" expression: "document.owner == request.auth.claims.email" Example (Logic): title: "Public documents" description: "Determine whether the document should be publicly visible" expression: "document.type != 'private' && document.type != 'internal'" Example (Data Manipulation): title: "Notification string" description: "Create a notification string with a timestamp." expression: "'New message received at ' + string(document.create_time)" The exact variables and functions that may be referenced within an expression are determined by the service that evaluates it. See the service documentation for additional information.

An External Reference allows a Package to reference an external source of additional information, metadata, enumerations, asset identifiers, or downloadable content believed to be relevant to the Package

Indicates the location at which a package was found.

FileNote represents an SPDX File Information section: https://spdx.github.io/spdx-spec/4-file-information/

FileOccurrence represents an SPDX File Information section: https://spdx.github.io/spdx-spec/4-file-information/

A set of properties that uniquely identify a given Docker image.

An alias to a repo revision.

A CloudRepoSourceContext denotes a particular revision in a Google Cloud Source Repo.

A SourceContext referring to a Gerrit project.

A GitSourceContext denotes a particular revision in a third party Git repository (e.g., GitHub).

Selects a repo using a Google Cloud Platform project ID (e.g., winged-cargo-31) and a repo name within that project.

A unique identifier for a Cloud Repo.

Identifies the entity that executed the recipe, which is trusted to have correctly performed the operation and populated this provenance.

Indicates that the builder claims certain fields in this message to be complete.

Describes where the config file that kicked off the build came from. This is effectively a pointer to the source where buildConfig came from.

Identifies the event that kicked off the build.

The collection of artifacts that influenced the build including sources, dependencies, build tools, base images, and so on.

Other properties of the build.

A SourceContext is a reference to a tree of files. A SourceContext together with a path point to a unique revision of a single file or directory.

Container message for hash values.

Helps in identifying the underlying product. This should be treated like a one-of field. Only one field should be set in this proto. This is a workaround because spanner indexes on one-of fields restrict addition and deletion of fields.

This represents how a particular software package may be installed on a system.

Spec defined at https://github.com/in-toto/attestation/tree/main/spec#statement The serialized InTotoStatement will be stored as Envelope.payload. Envelope.payloadType is always "application/vnd.in-toto+json".

Justification provides the justification when the state of the assessment if NOT_AFFECTED.

Layer holds metadata specific to a layer of a Docker image.

License information.

An occurrence of a particular package installation found within a system's filesystem. e.g. glibc was found in /var/lib/dpkg/status

Material is a material used in the generation of the provenance

Other properties of the build.

Details about files that caused a compliance check to fail.

This resource represents a long-running operation that is the result of a network API call.

PackageInfoNote represents an SPDX Package Information section: https://spdx.github.io/spdx-spec/3-package-information/

PackageInfoOccurrence represents an SPDX Package Information section: https://spdx.github.io/spdx-spec/3-package-information/

This message wraps a location affected by a vulnerability and its associated fix (if one is available).

This represents a particular package that is distributed over various channels. e.g. glibc (aka libc6) is distributed by many, at various versions.

An attestation wrapper with a PGP-compatible signature. This message only supports ATTACHED signatures, where the payload that is signed is included alongside the signature itself in the same file.

Product contains information about a product and how to uniquely identify it.

Publisher contains information about the publisher of this Note.

Steps taken to build the artifact. For a TaskRun, typically each container corresponds to one step in the recipe.

Metadata for any related URL information

RelationshipNote represents an SPDX Relationship section: https://spdx.github.io/spdx-spec/7-relationships-between-SPDX-elements/

RelationshipOccurrence represents an SPDX Relationship section: https://spdx.github.io/spdx-spec/7-relationships-between-SPDX-elements/

Specifies details on how to handle (and presumably, fix) a vulnerability.

RepoSource describes the location of the source in a Google Cloud Source Repository.

Resource is an entity that can have metadata. E.g., a Docker image.

The actual payload that contains the SBOM Reference data. The payload follows the intoto statement specification. See https://github.com/in-toto/attestation/blob/main/spec/v1.0/statement.md for more details.

A predicate which describes the SBOM being referenced.

The note representing an SBOM reference.

The occurrence representing an SBOM reference as applied to a specific resource. The occurrence follows the DSSE specification. See https://github.com/secure-systems-lab/dsse/blob/master/envelope.md for more details.

SlsaBuilder encapsulates the identity of the builder of this provenance.

Indicates that the builder claims certain fields in this message to be complete.

Other properties of the build.

SlsaProvenance is the slsa provenance as defined by the slsa spec.

SlsaProvenanceZeroTwo is the slsa provenance as defined by the slsa spec. See full explanation of fields at slsa.dev/provenance/v0.2.

Steps taken to build the artifact. For a TaskRun, typically each container corresponds to one step in the recipe.

Source describes the location of the source used for the build.

The Status type defines a logical error model that is suitable for different programming environments, including REST APIs and RPC APIs. It is used by gRPC. Each Status message contains three pieces of data: error code, error message, and error details. You can find out more about this error model and how to work with it in the API Design Guide.

StorageSource describes the location of the source in an archive file in Google Cloud Storage.

Subject refers to the subject of the intoto statement

The Upgrade Distribution represents metadata about the Upgrade for each operating system (CPE). Some distributions have additional metadata around updates, classifying them into various categories and severities.

An Upgrade Note represents a potential upgrade of a package to a given version. For each package version combination (i.e. bash 4.0, bash 4.1, bash 4.1.2), there will be a Upgrade Note.

An Upgrade Occurrence represents that a specific resource_url could install a specific upgrade. This presence is supplied via local sources (i.e. it is present in the mirror and the running system has noticed its availability).

An URI message.

Version contains structured information about the version of the package. For a discussion of this in Debian/Ubuntu: http://serverfault.com/questions/604541/debian-packages-version-convention For a discussion of this in Redhat/Fedora/Centos: http://blog.jasonantman.com/2014/07/how-yum-and-rpm-compare-versions/

VexAssessment provides all publisher provided Vex information that is related to this vulnerability.

A single VulnerabilityAssessmentNote represents one particular product's vulnerability assessment for one CVE. Multiple VulnerabilityAssessmentNotes together form a Vex statement. Please go/sds-vex-example for a sample Vex statement in the CSAF format.

Used by Occurrence to point to where the vulnerability exists and how to fix it.

The location of the vulnerability

VulnerabilityType provides metadata about a security vulnerability.