Package-level declarations

An alias to a repo revision.

Builder for AliasContextArgs.

Indicates which analysis completed successfully. Multiple types of analysis can be performed on a single resource.

Builder for AnalysisCompletedArgs.

Artifact describes a build product.

Builder for ArtifactArgs.

Defines a hash object for use in Materials and Products.

Builder for ArtifactHashesArgs.

Defines an object to declare an in-toto artifact rule

Builder for ArtifactRuleArgs.

Assessment provides all information that is related to a single vulnerability for this product.

Builder for AssessmentArgs.

Occurrence that represents a single "attestation". The authenticity of an attestation can be verified using the attached signature. If the verifier trusts the public key of the signer, then verifying the signature is sufficient to establish trust. In this circumstance, the authority to which this attestation is attached is primarily useful for look-up (how to find this attestation if you already know the authority and artifact to be verified) and intent (which authority was this attestation intended to sign for).

Builder for AttestationArgs.

Note kind that represents a logical attestation "role" or "authority". For example, an organization might have one Authority for "QA" and one for "build". This note is intended to act strictly as a grouping mechanism for the attached occurrences (Attestations). This grouping mechanism also provides a security boundary, since IAM ACLs gate the ability for a principle to attach an occurrence to a given note. It also provides a single point of lookup to find all attached attestation occurrences, even if they don't all live in the same project.

Builder for AuthorityArgs.

Basis describes the base image portion (Note) of the DockerImage relationship. Linked occurrences are derived from this or an equivalent image via: FROM Or an equivalent reference, e.g. a tag of the resource_url.

Builder for BasisArgs.

Associates members, or principals, with a role.

Builder for BindingArgs.

Note holding the version of the provider's builder and the signature of the provenance message in the build details occurrence.

Builder for BuildArgs.

Provenance of a build. Contains all information needed to verify the full details about the build from source to completion.

Builder for BuildProvenanceArgs.

Message encapsulating the signature of the verified build.

Builder for BuildSignatureArgs.

Defines an object for the byproducts field in in-toto links. The suggested fields are "stderr", "stdout", and "return-value".

Builder for ByProductsArgs.

A CloudRepoSourceContext denotes a particular revision in a Google Cloud Source Repo.

Builder for CloudRepoSourceContextArgs.

Command describes a step performed as part of the build pipeline.

Builder for CommandArgs.

Common Vulnerability Scoring System. This message is compatible with CVSS v2 and v3. For CVSS v2 details, see https://www.first.org/cvss/v2/guide CVSS v2 calculator: https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator For CVSS v3 details, see https://www.first.org/cvss/specification-document CVSS v3 calculator: https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator

Builder for CVSSArgs.

Deprecated. Common Vulnerability Scoring System version 3. For details, see https://www.first.org/cvss/specification-document

Builder for CVSSv3Args.

An artifact that can be deployed in some runtime.

Builder for DeployableArgs.

The period during which some deployable was active in a runtime.

Builder for DeploymentArgs.

Derived describes the derived image portion (Occurrence) of the DockerImage relationship. This image would be produced from a Dockerfile with FROM .

Builder for DerivedArgs.

Identifies all appearances of this vulnerability in the package for a specific distro/location. For example: glibc in cpe:/o:debian:debian_linux:8 for versions 2.1 - 2.2

Builder for DetailArgs.

Details of an attestation occurrence.

Builder for DetailsArgs.

Digest information.

Builder for DigestArgs.

Provides information about the analysis status of a discovered resource.

Builder for DiscoveredArgs.

A note that indicates a type of analysis a provider would perform. This note exists in a provider's project. A Discovery occurrence is created in a consumer's project at the start of analysis.

Builder for DiscoveryArgs.

This represents a particular channel of distribution for a given package. E.g., Debian's jessie-backports dpkg mirror.

Builder for DistributionArgs.

DocumentNote represents an SPDX Document Creation Information section: https://spdx.github.io/spdx-spec/v2.3/document-creation-information/

Builder for DocumentNoteArgs.

DocumentOccurrence represents an SPDX Document Creation Information section: https://spdx.github.io/spdx-spec/v2.3/document-creation-information/

Builder for DocumentOccurrenceArgs.

MUST match https://github.com/secure-systems-lab/dsse/blob/master/envelope.proto. An authenticated message of arbitrary type.

Builder for EnvelopeArgs.

Builder for EnvelopeSignatureArgs.

Defines an object for the environment field in in-toto links. The suggested fields are "variables", "filesystem", and "workdir".

Builder for EnvironmentArgs.

Represents a textual expression in the Common Expression Language (CEL) syntax. CEL is a C-like expression language. The syntax and semantics of CEL are documented at https://github.com/google/cel-spec. Example (Comparison): title: "Summary size limit" description: "Determines if a summary is less than 100 chars" expression: "document.summary.size() < 100" Example (Equality): title: "Requestor is owner" description: "Determines if requestor is the document owner" expression: "document.owner == request.auth.claims.email" Example (Logic): title: "Public documents" description: "Determine whether the document should be publicly visible" expression: "document.type != 'private' && document.type != 'internal'" Example (Data Manipulation): title: "Notification string" description: "Create a notification string with a timestamp." expression: "'New message received at ' + string(document.create_time)" The exact variables and functions that may be referenced within an expression are determined by the service that evaluates it. See the service documentation for additional information.

Builder for ExprArgs.

An External Reference allows a Package to reference an external source of additional information, metadata, enumerations, asset identifiers, or downloadable content believed to be relevant to the Package

Builder for ExternalRefArgs.

FileNote represents an SPDX File Information section: https://spdx.github.io/spdx-spec/4-file-information/

Builder for FileNoteArgs.

FileOccurrence represents an SPDX File Information section: https://spdx.github.io/spdx-spec/4-file-information/

Builder for FileOccurrenceArgs.

A set of properties that uniquely identify a given Docker image.

Builder for FingerprintArgs.

An attestation wrapper that uses the Grafeas Signature message. This attestation must define the serialized_payload that the signatures verify and any metadata necessary to interpret that plaintext. The signatures should always be over the serialized_payload bytestring.

Builder for GenericSignedAttestationArgs.

A SourceContext referring to a Gerrit project.

Builder for GerritSourceContextArgs.

Builder for GetNoteIamPolicyPlainArgs.

Builder for GetNotePlainArgs.

Builder for GetOccurrenceIamPolicyPlainArgs.

Builder for GetOccurrencePlainArgs.

A GitSourceContext denotes a particular revision in a third party Git repository (e.g., GitHub).

Builder for GitSourceContextArgs.

Details of a build occurrence.

Builder for GrafeasV1beta1BuildDetailsArgs.

Details of a deployment occurrence.

Builder for GrafeasV1beta1DeploymentDetailsArgs.

Details of a discovery occurrence.

Builder for GrafeasV1beta1DiscoveryDetailsArgs.

Details of an image occurrence.

Builder for GrafeasV1beta1ImageDetailsArgs.

Builder for GrafeasV1beta1IntotoArtifactArgs.

This corresponds to a signed in-toto link - it is made up of one or more signatures and the in-toto link itself. This is used for occurrences of a Grafeas in-toto note.

Builder for GrafeasV1beta1IntotoDetailsArgs.

A signature object consists of the KeyID used and the signature itself.

Builder for GrafeasV1beta1IntotoSignatureArgs.

Details of a package occurrence.

Builder for GrafeasV1beta1PackageDetailsArgs.

Details of a vulnerability Occurrence.

Builder for GrafeasV1beta1VulnerabilityDetailsArgs.

Container message for hash values.

Builder for HashArgs.

This submessage provides human-readable hints about the purpose of the authority. Because the name of a note acts as its resource reference, it is important to disambiguate the canonical name of the Note (which might be a UUID for security purposes) from "readable" names more suitable for debug output. Note that these hints should not be used to look up authorities in security sensitive contexts, such as when looking up attestations to verify.

Builder for HintArgs.

This represents how a particular software package may be installed on a system.

Builder for InstallationArgs.

This contains the fields corresponding to the definition of a software supply chain step in an in-toto layout. This information goes into a Grafeas note.

Builder for InTotoArgs.

Justification provides the justification when the state of the assessment if NOT_AFFECTED.

Builder for JustificationArgs.

Builder for KnowledgeBaseArgs.

Layer holds metadata specific to a layer of a Docker image.

Builder for LayerArgs.

License information.

Builder for LicenseArgs.

This corresponds to an in-toto link.

Builder for LinkArgs.

An occurrence of a particular package installation found within a system's filesystem. E.g., glibc was found in /var/lib/dpkg/status.

Builder for LocationArgs.

Package represents a particular package version.

Builder for PackageArgs.

PackageInfoNote represents an SPDX Package Information section: https://spdx.github.io/spdx-spec/3-package-information/

Builder for PackageInfoNoteArgs.

PackageInfoOccurrence represents an SPDX Package Information section: https://spdx.github.io/spdx-spec/3-package-information/

Builder for PackageInfoOccurrenceArgs.

This message wraps a location affected by a vulnerability and its associated fix (if one is available).

Builder for PackageIssueArgs.

An attestation wrapper with a PGP-compatible signature. This message only supports ATTACHED signatures, where the payload that is signed is included alongside the signature itself in the same file.

Builder for PgpSignedAttestationArgs.

Product contains information about a product and how to uniquely identify it.

Builder for ProductArgs.

Selects a repo using a Google Cloud Platform project ID (e.g., winged-cargo-31) and a repo name within that project.

Builder for ProjectRepoIdArgs.

Publisher contains information about the publisher of this Note.

Builder for PublisherArgs.

Metadata for any related URL information.

Builder for RelatedUrlArgs.

RelationshipNote represents an SPDX Relationship section: https://spdx.github.io/spdx-spec/7-relationships-between-SPDX-elements/

Builder for RelationshipNoteArgs.

RelationshipOccurrence represents an SPDX Relationship section: https://spdx.github.io/spdx-spec/7-relationships-between-SPDX-elements/

Builder for RelationshipOccurrenceArgs.

Specifies details on how to handle (and presumably, fix) a vulnerability.

Builder for RemediationArgs.

A unique identifier for a Cloud Repo.

Builder for RepoIdArgs.