View Source API Reference google_api_on_demand_scanning v0.4.0
Modules
API client metadata for GoogleApi.OnDemandScanning.V1.
API calls for all endpoints tagged Projects.
Handle Tesla connections for GoogleApi.OnDemandScanning.V1.
An alias to a repo revision.
Indicates which analysis completed successfully. Multiple types of analysis can be performed on a single resource.
AnalyzePackagesMetadata contains metadata for an active scan of a container image.
AnalyzePackagesMetadata contains metadata for an active scan of a container image.
AnalyzePackagesRequest is the request to analyze a list of packages and create Vulnerability Occurrences for it.
AnalyzePackagesResponse contains the information necessary to find results for the given scan.
AnalyzePackagesResponse contains the information necessary to find results for the given scan.
Artifact describes a build product.
Occurrence that represents a single "attestation". The authenticity of an attestation can be verified using the attached signature. If the verifier trusts the public key of the signer, then verifying the signature is sufficient to establish trust. In this circumstance, the authority to which this attestation is attached is primarily useful for lookup (how to find this attestation if you already know the authority and artifact to be verified) and intent (for which authority this attestation was intended to sign.
Attributes
-
binaryVersion(type:GoogleApi.OnDemandScanning.V1.Model.PackageVersion.t, default:nil) - The binary package. This is significant when the source is different than the binary itself. Historically if they've differed, we've stored the name of the source and its version in the package/version fields, but we should also store the binary package info, as that's what's actually installed. See b/175908657#comment15. -
sourceVersion(type:GoogleApi.OnDemandScanning.V1.Model.PackageVersion.t, default:nil) - The source package. Similar to the above, this is significant when the source is different than the binary itself. Since the top-level package/version fields are based on an if/else, we need a separate field for both binary and source if we want to know definitively where the data is coming from.
Details of a build occurrence.
Provenance of a build. Contains all information needed to verify the full details about the build from source to completion.
Common Vulnerability Scoring System. For details, see https://www.first.org/cvss/specification-document This is a message we will try to use for storing various versions of CVSS rather than making a separate proto for storing a specific version.
The category to which the update belongs.
A CloudRepoSourceContext denotes a particular revision in a Google Cloud Source Repo.
Command describes a step performed as part of the build pipeline.
Indicates that the builder claims certain fields in this message to be complete.
An indication that the compliance checks in the associated ComplianceNote were not satisfied for particular resources or a specified reason.
Deprecated. Prefer to use a regular Occurrence, and populate the Envelope at the top level of the Occurrence.
The period during which some deployable was active in a runtime.
Provides information about the analysis status of a discovered resource.
A generic empty message that you can re-use to avoid defining duplicated empty messages in your APIs. A typical example is to use it as the request or the response type of an API method. For instance: service Foo { rpc Bar(google.protobuf.Empty) returns (google.protobuf.Empty); }
MUST match https://github.com/secure-systems-lab/dsse/blob/master/envelope.proto. An authenticated message of arbitrary type.
Container message for hashes of byte content of files, used in source messages to verify integrity of source input to the build.
Indicates the location at which a package was found.
A set of properties that uniquely identify a given Docker image.
A SourceContext referring to a Gerrit project.
A GitSourceContext denotes a particular revision in a third party Git repository (e.g., GitHub).
Indicates the location at which a package was found.
Identifies the entity that executed the recipe, which is trusted to have correctly performed the operation and populated this provenance.
Indicates that the builder claims certain fields in this message to be complete.
Describes where the config file that kicked off the build came from. This is effectively a pointer to the source where buildConfig came from.
Identifies the event that kicked off the build.
The collection of artifacts that influenced the build including sources, dependencies, build tools, base images, and so on.
Other properties of the build.
Container message for hash values.
The unique identifier of the update.
Details of the derived image portion of the DockerImage relationship. This image would be produced from a Dockerfile with FROM .
Attributes
-
builderConfig(type:GoogleApi.OnDemandScanning.V1.Model.BuilderConfig.t, default:nil) - required -
materials(type:list(String.t), default:nil) - The collection of artifacts that influenced the build including sources, dependencies, build tools, base images, and so on. This is considered to be incomplete unless metadata.completeness.materials is true. Unset or null is equivalent to empty. -
metadata(type:GoogleApi.OnDemandScanning.V1.Model.Metadata.t, default:nil) - -
recipe(type:GoogleApi.OnDemandScanning.V1.Model.Recipe.t, default:nil) - Identifies the configuration used for the build. When combined with materials, this SHOULD fully describe the build, such that re-running this recipe results in bit-for-bit identical output (if the build is reproducible). required
Attributes
-
_type(type:String.t, default:nil) - InToto spec defined at https://github.com/in-toto/attestation/tree/main/spec#statement -
predicate(type:GoogleApi.OnDemandScanning.V1.Model.SlsaProvenanceV1.t, default:nil) - -
predicateType(type:String.t, default:nil) - -
subject(type:list(GoogleApi.OnDemandScanning.V1.Model.Subject.t), default:nil) -
Spec defined at https://github.com/in-toto/attestation/tree/main/spec#statement The serialized InTotoStatement will be stored as Envelope.payload. Envelope.payloadType is always "application/vnd.in-toto+json".
Justification provides the justification when the state of the assessment if NOT_AFFECTED.
Attributes
-
compactJwt(type:String.t, default:nil) - The compact encoding of a JWS, which is always three base64 encoded strings joined by periods. For details, see: https://tools.ietf.org/html/rfc7515.html#section-3.1
Indicates a language package available between this package and the customer's resource artifact.
Layer holds metadata specific to a layer of a Docker image.
License information.
The response message for Operations.ListOperations.
ListVulnerabilitiesResponse contains a single page of vulnerabilities resulting from a scan.
An occurrence of a particular package installation found within a system's filesystem. E.g., glibc was found in /var/lib/dpkg/status.
Other properties of the build.
Details about files that caused a compliance check to fail. display_command is a single command that can be used to display a list of non compliant files. When there is no such command, we can also iterate a list of non compliant file using 'path'.
An instance of an analysis type that has been found on a resource.
This resource represents a long-running operation that is the result of a network API call.
Attributes
-
architecture(type:String.t, default:nil) - The architecture of the package. -
binarySourceInfo(type:list(GoogleApi.OnDemandScanning.V1.Model.BinarySourceInfo.t), default:nil) - A bundle containing the binary and source information. -
binaryVersion(type:GoogleApi.OnDemandScanning.V1.Model.PackageVersion.t, default:nil) - DEPRECATED -
cpeUri(type:String.t, default:nil) - The cpe_uri in [cpe format] (https://cpe.mitre.org/specification/) in which the vulnerability may manifest. Examples include distro or storage location for vulnerable jar. -
dependencyChain(type:list(GoogleApi.OnDemandScanning.V1.Model.LanguagePackageDependency.t), default:nil) - The dependency chain between this package and the user's artifact. List in order from the customer's package under review first, to the current package last. Inclusive of the original package and the current package. -
fileLocation(type:list(GoogleApi.OnDemandScanning.V1.Model.FileLocation.t), default:nil) - The path to the jar file / go binary file. -
hashDigest(type:String.t, default:nil) - HashDigest stores the SHA512 hash digest of the jar file if the package is of type Maven. This field will be unset for non Maven packages. -
licenses(type:list(String.t), default:nil) - The list of licenses found that are related to a given package. Note that licenses may also be stored on the BinarySourceInfo. If there is no BinarySourceInfo (because there's no concept of source vs binary), then it will be stored here, while if there are BinarySourceInfos, it will be stored there, as one source can have multiple binaries with different licenses. -
maintainer(type:GoogleApi.OnDemandScanning.V1.Model.Maintainer.t, default:nil) - The maintainer of the package. -
os(type:String.t, default:nil) - The OS affected by a vulnerability Used to generate the cpe_uri for OS packages -
osVersion(type:String.t, default:nil) - The version of the OS Used to generate the cpe_uri for OS packages -
package(type:String.t, default:nil) - The package being analysed for vulnerabilities -
packageType(type:String.t, default:nil) - The type of package: os, maven, go, etc. -
patchedCve(type:list(String.t), default:nil) - CVEs that this package is no longer vulnerable to go/drydock-dd-custom-binary-scanning -
sourceVersion(type:GoogleApi.OnDemandScanning.V1.Model.PackageVersion.t, default:nil) - DEPRECATED -
unused(type:String.t, default:nil) - -
version(type:String.t, default:nil) - The version of the package being analysed
A detail for a distro and package this vulnerability occurrence was found in and its associated fix (if one is available).
Details on how a particular software package was installed on a system.
Attributes
-
licenses(type:list(String.t), default:nil) - The licenses associated with this package. Note that this has to go on the PackageVersion level, because we can have cases with images with the same source having different licences. E.g. in Alpine, musl and musl-utils both have the same origin musl, but have different sets of licenses. -
name(type:String.t, default:nil) - -
version(type:String.t, default:nil) -
Selects a repo using a Google Cloud Platform project ID (e.g., winged-cargo-31) and a repo name within that project.
Steps taken to build the artifact. For a TaskRun, typically each container corresponds to one step in the recipe.
Metadata for any related URL information.
Specifies details on how to handle (and presumably, fix) a vulnerability.
A unique identifier for a Cloud Repo.
The occurrence representing an SBOM reference as applied to a specific resource. The occurrence follows the DSSE specification. See https://github.com/secure-systems-lab/dsse/blob/master/envelope.md for more details.
The status of an SBOM generation.
The actual payload that contains the SBOM Reference data. The payload follows the intoto statement specification. See https://github.com/in-toto/attestation/blob/main/spec/v1.0/statement.md for more details.
A predicate which describes the SBOM being referenced.
Verifiers (e.g. Kritis implementations) MUST verify signatures with respect to the trust anchors defined in policy (e.g. a Kritis policy). Typically this means that the verifier has been configured with a map from public_key_id to public key material (and any required parameters, e.g. signing algorithm). In particular, verification implementations MUST NOT treat the signature public_key_id as anything more than a key lookup hint. The public_key_id DOES NOT validate or authenticate a public key; it only provides a mechanism for quickly selecting a public key ALREADY CONFIGURED on the verifier through a trusted channel. Verification implementations MUST reject signatures in any of the following circumstances: The public_key_id is not recognized by the verifier. The public key that public_key_id refers to does not verify the signature with respect to the payload. The signature contents SHOULD NOT be "attached" (where the payload is included with the serialized signature bytes). Verifiers MUST ignore any "attached" payload and only verify signatures with respect to explicitly provided payload (e.g. a payload field on the proto message that holds this Signature, or the canonical serialization of the proto message that holds this signature).
Indicates that the builder claims certain fields in this message to be complete.
Other properties of the build.
Attributes
-
builder(type:GoogleApi.OnDemandScanning.V1.Model.SlsaBuilder.t, default:nil) - required -
materials(type:list(GoogleApi.OnDemandScanning.V1.Model.Material.t), default:nil) - The collection of artifacts that influenced the build including sources, dependencies, build tools, base images, and so on. This is considered to be incomplete unless metadata.completeness.materials is true. Unset or null is equivalent to empty. -
metadata(type:GoogleApi.OnDemandScanning.V1.Model.SlsaMetadata.t, default:nil) - -
recipe(type:GoogleApi.OnDemandScanning.V1.Model.SlsaRecipe.t, default:nil) - Identifies the configuration used for the build. When combined with materials, this SHOULD fully describe the build, such that re-running this recipe results in bit-for-bit identical output (if the build is reproducible). required
Keep in sync with schema at https://github.com/slsa-framework/slsa/blob/main/docs/provenance/schema/v1/provenance.proto Builder renamed to ProvenanceBuilder because of Java conflicts.
See full explanation of fields at slsa.dev/provenance/v0.2.
Steps taken to build the artifact. For a TaskRun, typically each container corresponds to one step in the recipe.
Source describes the location of the source used for the build.
A SourceContext is a reference to a tree of files. A SourceContext together with a path point to a unique revision of a single file or directory.
The Status type defines a logical error model that is suitable for different programming environments, including REST APIs and RPC APIs. It is used by gRPC. Each Status message contains three pieces of data: error code, error message, and error details. You can find out more about this error model and how to work with it in the API Design Guide.
Attributes
-
digest(type:map(), default:nil) -"": ""Algorithms can be e.g. sha256, sha512 See https://github.com/in-toto/attestation/blob/main/spec/field_types.md#DigestSet -
name(type:String.t, default:nil) -
The Upgrade Distribution represents metadata about the Upgrade for each operating system (CPE). Some distributions have additional metadata around updates, classifying them into various categories and severities.
An Upgrade Occurrence represents that a specific resource_url could install a specific upgrade. This presence is supplied via local sources (i.e. it is present in the mirror and the running system has noticed its availability). For Windows, both distribution and windows_update contain information for the Windows update.
Version contains structured information about the version of a package.
VexAssessment provides all publisher provided Vex information that is related to this vulnerability.
An occurrence of a severity vulnerability on a resource.
Windows Update represents the metadata about the update for the Windows operating system. The fields in this message come from the Windows Update API documented at https://docs.microsoft.com/en-us/windows/win32/api/wuapi/nn-wuapi-iupdate.