diff --git a/google/devtools/containeranalysis/README.md b/google/devtools/containeranalysis/README.md new file mode 100644 index 00000000..db07fbb1 --- /dev/null +++ b/google/devtools/containeranalysis/README.md @@ -0,0 +1,19 @@ +# Instructions for updating the GAPIC IDLs and sanitized protos + + + + +Follow instructions at: +https://g3doc.corp.google.com/company/teams/veneer/user/user-guide.md#refreshing-existing-client-libraries + +Additional steps: + +1. Ensure `google-iam-v1` is under `proto_deps` in + `artman_containeranalysis.yaml`. +1. Diff the existing `containeranalysis_gapic.yaml` with the updated one that + was generated and ensure things like `flattening` and `required_fields` + contain the correct fields and not include deprecated fields like `name`. + See cl/175301075 for reference. +1. While we still support the deprecated + `google/devtools/source/v1/source_context.proto`, the sanitized + `provenance.proto` still seems to import it, remove the import statement. diff --git a/google/devtools/containeranalysis/artman_containeranalysis.yaml b/google/devtools/containeranalysis/artman_containeranalysis.yaml new file mode 100644 index 00000000..46ce03a6 --- /dev/null +++ b/google/devtools/containeranalysis/artman_containeranalysis.yaml @@ -0,0 +1,35 @@ +common: + api_name: containeranalysis + api_version: v1alpha1 + organization_name: google-cloud + proto_deps: + - name: google-common-protos + - name: google-iam-v1 + src_proto_paths: + - v1alpha1 + service_yaml: containeranalysis.yaml + gapic_yaml: v1alpha1/containeranalysis_gapic.yaml +artifacts: +- name: gapic_config + type: GAPIC_CONFIG +- name: java_gapic + type: GAPIC + language: JAVA +- name: python_gapic + type: GAPIC + language: PYTHON +- name: nodejs_gapic + type: GAPIC + language: NODEJS +- name: php_gapic + type: GAPIC + language: PHP +- name: go_gapic + type: GAPIC + language: GO +- name: ruby_gapic + type: GAPIC + language: RUBY +- name: csharp_gapic + type: GAPIC + language: CSHARP diff --git a/google/devtools/containeranalysis/containeranalysis.yaml b/google/devtools/containeranalysis/containeranalysis.yaml new file mode 100644 index 00000000..35219242 --- /dev/null +++ b/google/devtools/containeranalysis/containeranalysis.yaml @@ -0,0 +1,25 @@ +type: google.api.Service +config_version: 3 +name: containeranalysis.googleapis.com +title: Container Analysis API + +apis: +- name: google.devtools.containeranalysis.v1alpha1.ContainerAnalysis + +types: +- name: google.devtools.containeranalysis.v1alpha1.OperationMetadata + +documentation: + summary: |- + An implementation of the Grafeas API, which stores, and enables querying and + retrieval of critical metadata about all of your software artifacts. + overview: |- + The Container Analysis API allows you to store and retrieve metadata for a + container resource. + +authentication: + rules: + - selector: '*' + oauth: + canonical_scopes: |- + https://www.googleapis.com/auth/cloud-platform diff --git a/google/devtools/containeranalysis/v1alpha1/bill_of_materials.proto b/google/devtools/containeranalysis/v1alpha1/bill_of_materials.proto new file mode 100644 index 00000000..dc0e422d --- /dev/null +++ b/google/devtools/containeranalysis/v1alpha1/bill_of_materials.proto @@ -0,0 +1,103 @@ +// Copyright 2017 Google Inc. +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +syntax = "proto3"; + +package google.devtools.containeranalysis.v1alpha1; + +import "google/api/annotations.proto"; +import "google/devtools/containeranalysis/v1alpha1/package_vulnerability.proto"; + +option go_package = "google.golang.org/genproto/googleapis/devtools/containeranalysis/v1alpha1;containeranalysis"; +option java_multiple_files = true; +option java_package = "com.google.containeranalysis.v1alpha1"; +option objc_class_prefix = "GCA"; + + +// PackageManager provides metadata about available / installed packages. +message PackageManager { + // This represents a particular channel of distribution for a given package. + // e.g. Debian's jessie-backports dpkg mirror + message Distribution { + // The cpe_uri in [cpe format](https://cpe.mitre.org/specification/) + // denoting the package manager version distributing a package. + string cpe_uri = 1; + + // The CPU architecture for which packages in this distribution + // channel were built + Architecture architecture = 2; + + // The latest available version of this package in + // this distribution channel. + VulnerabilityType.Version latest_version = 3; + + // A freeform string denoting the maintainer of this package. + string maintainer = 4; + + // The distribution channel-specific homepage for this package. + string url = 6; + + // The distribution channel-specific description of this package. + string description = 7; + } + + // An occurrence of a particular package installation found within a + // system's filesystem. + // e.g. glibc was found in /var/lib/dpkg/status + message Location { + // The cpe_uri in [cpe format](https://cpe.mitre.org/specification/) + // denoting the package manager version distributing a package. + string cpe_uri = 1; + + // The version installed at this location. + VulnerabilityType.Version version = 2; + + // The path from which we gathered that this package/version is installed. + string path = 3; + } + + // This represents a particular package that is distributed over + // various channels. + // e.g. glibc (aka libc6) is distributed by many, at various versions. + message Package { + // The name of the package. + string name = 1; + + // The various channels by which a package is distributed. + repeated Distribution distribution = 10; + } + + // This represents how a particular software package may be installed on + // a system. + message Installation { + // Output only. The name of the installed package. + string name = 1; + + // All of the places within the filesystem versions of this package + // have been found. + repeated Location location = 2; + } + + // Instruction set architectures supported by various package managers. + enum Architecture { + // Unknown architecture + ARCHITECTURE_UNSPECIFIED = 0; + + // X86 architecture + X86 = 1; + + // X64 architecture + X64 = 2; + } +} diff --git a/google/devtools/containeranalysis/v1alpha1/containeranalysis.proto b/google/devtools/containeranalysis/v1alpha1/containeranalysis.proto new file mode 100644 index 00000000..dd7a6c78 --- /dev/null +++ b/google/devtools/containeranalysis/v1alpha1/containeranalysis.proto @@ -0,0 +1,650 @@ +// Copyright 2017 Google Inc. +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +syntax = "proto3"; + +package google.devtools.containeranalysis.v1alpha1; + +import "google/api/annotations.proto"; +import "google/devtools/containeranalysis/v1alpha1/bill_of_materials.proto"; +import "google/devtools/containeranalysis/v1alpha1/image_basis.proto"; +import "google/devtools/containeranalysis/v1alpha1/package_vulnerability.proto"; +import "google/devtools/containeranalysis/v1alpha1/provenance.proto"; +import "google/iam/v1/iam_policy.proto"; +import "google/iam/v1/policy.proto"; +import "google/longrunning/operations.proto"; +import "google/protobuf/any.proto"; +import "google/protobuf/empty.proto"; +import "google/protobuf/field_mask.proto"; +import "google/protobuf/timestamp.proto"; + +option go_package = "google.golang.org/genproto/googleapis/devtools/containeranalysis/v1alpha1;containeranalysis"; +option java_multiple_files = true; +option java_package = "com.google.containeranalysis.v1alpha1"; +option objc_class_prefix = "GCA"; + + +// Retrieves the results of vulnerability scanning of cloud components such as +// container images. The Container Analysis API is an implementation of the +// [Grafeas](grafeas.io) API. +// +// The vulnerability results are stored as a series of Occurrences. +// An `Occurrence` contains information about a specific vulnerability in a +// resource. An `Occurrence` references a `Note`. A `Note` contains details +// about the vulnerability and is stored in a stored in a separate project. +// Multiple `Occurrences` can reference the same `Note`. For example, an SSL +// vulnerability could affect multiple packages in an image. In this case, +// there would be one `Note` for the vulnerability and an `Occurrence` for +// each package with the vulnerability referencing that `Note`. +service ContainerAnalysis { + // Returns the requested `Occurrence`. + rpc GetOccurrence(GetOccurrenceRequest) returns (Occurrence) { + option (google.api.http) = { get: "/v1alpha1/{name=projects/*/occurrences/*}" }; + } + + // Lists active `Occurrences` for a given project matching the filters. + rpc ListOccurrences(ListOccurrencesRequest) returns (ListOccurrencesResponse) { + option (google.api.http) = { get: "/v1alpha1/{parent=projects/*}/occurrences" }; + } + + // Deletes the given `Occurrence` from the system. Use this when + // an `Occurrence` is no longer applicable for the given resource. + rpc DeleteOccurrence(DeleteOccurrenceRequest) returns (google.protobuf.Empty) { + option (google.api.http) = { delete: "/v1alpha1/{name=projects/*/occurrences/*}" }; + } + + // Creates a new `Occurrence`. Use this method to create `Occurrences` + // for a resource. + rpc CreateOccurrence(CreateOccurrenceRequest) returns (Occurrence) { + option (google.api.http) = { post: "/v1alpha1/{parent=projects/*}/occurrences" body: "occurrence" }; + } + + // Updates an existing occurrence. + rpc UpdateOccurrence(UpdateOccurrenceRequest) returns (Occurrence) { + option (google.api.http) = { patch: "/v1alpha1/{name=projects/*/occurrences/*}" body: "occurrence" }; + } + + // Gets the `Note` attached to the given `Occurrence`. + rpc GetOccurrenceNote(GetOccurrenceNoteRequest) returns (Note) { + option (google.api.http) = { get: "/v1alpha1/{name=projects/*/occurrences/*}/notes" }; + } + + // Returns the requested `Note`. + rpc GetNote(GetNoteRequest) returns (Note) { + option (google.api.http) = { get: "/v1alpha1/{name=projects/*/notes/*}" }; + } + + // Lists all `Notes` for a given project. + rpc ListNotes(ListNotesRequest) returns (ListNotesResponse) { + option (google.api.http) = { get: "/v1alpha1/{parent=projects/*}/notes" }; + } + + // Deletes the given `Note` from the system. + rpc DeleteNote(DeleteNoteRequest) returns (google.protobuf.Empty) { + option (google.api.http) = { delete: "/v1alpha1/{name=projects/*/notes/*}" }; + } + + // Creates a new `Note`. + rpc CreateNote(CreateNoteRequest) returns (Note) { + option (google.api.http) = { post: "/v1alpha1/{parent=projects/*}/notes" body: "note" }; + } + + // Updates an existing `Note`. + rpc UpdateNote(UpdateNoteRequest) returns (Note) { + option (google.api.http) = { patch: "/v1alpha1/{name=projects/*/notes/*}" body: "note" }; + } + + // Lists `Occurrences` referencing the specified `Note`. Use this method to + // get all occurrences referencing your `Note` across all your customer + // projects. + rpc ListNoteOccurrences(ListNoteOccurrencesRequest) returns (ListNoteOccurrencesResponse) { + option (google.api.http) = { get: "/v1alpha1/{name=projects/*/notes/*}/occurrences" }; + } + + // Gets a summary of the number and severity of occurrences. + rpc GetVulnzOccurrencesSummary(GetVulnzOccurrencesSummaryRequest) returns (GetVulnzOccurrencesSummaryResponse) { + option (google.api.http) = { get: "/v1alpha1/{parent=projects/*}/vulnzsummary" }; + } + + // Sets the access control policy on the specified `Note` or `Occurrence`. + // Requires `containeranalysis.notes.setIamPolicy` or + // `containeranalysis.occurrences.setIamPolicy` permission if the resource is + // a `Note` or an `Occurrence`, respectively. + // Attempting to call this method without these permissions will result in a ` + // `PERMISSION_DENIED` error. + // Attempting to call this method on a non-existent resource will result in a + // `NOT_FOUND` error if the user has `containeranalysis.notes.list` permission + // on a `Note` or `containeranalysis.occurrences.list` on an `Occurrence`, or + // a `PERMISSION_DENIED` error otherwise. The resource takes the following + // formats: `projects/{projectid}/occurrences/{occurrenceid}` for occurrences + // and projects/{projectid}/notes/{noteid} for notes + rpc SetIamPolicy(google.iam.v1.SetIamPolicyRequest) returns (google.iam.v1.Policy) { + option (google.api.http) = { post: "/v1alpha1/{resource=projects/*/notes/*}:setIamPolicy" body: "*" }; + } + + // Gets the access control policy for a note or an `Occurrence` resource. + // Requires `containeranalysis.notes.setIamPolicy` or + // `containeranalysis.occurrences.setIamPolicy` permission if the resource is + // a note or occurrence, respectively. + // Attempting to call this method on a resource without the required + // permission will result in a `PERMISSION_DENIED` error. Attempting to call + // this method on a non-existent resource will result in a `NOT_FOUND` error + // if the user has list permission on the project, or a `PERMISSION_DENIED` + // error otherwise. The resource takes the following formats: + // `projects/{PROJECT_ID}/occurrences/{OCCURRENCE_ID}` for occurrences and + // projects/{PROJECT_ID}/notes/{NOTE_ID} for notes + rpc GetIamPolicy(google.iam.v1.GetIamPolicyRequest) returns (google.iam.v1.Policy) { + option (google.api.http) = { post: "/v1alpha1/{resource=projects/*/notes/*}:getIamPolicy" body: "*" }; + } + + // Returns the permissions that a caller has on the specified note or + // occurrence resource. Requires list permission on the project (for example, + // "storage.objects.list" on the containing bucket for testing permission of + // an object). Attempting to call this method on a non-existent resource will + // result in a `NOT_FOUND` error if the user has list permission on the + // project, or a `PERMISSION_DENIED` error otherwise. The resource takes the + // following formats: `projects/{PROJECT_ID}/occurrences/{OCCURRENCE_ID}` for + // `Occurrences` and `projects/{PROJECT_ID}/notes/{NOTE_ID}` for `Notes` + rpc TestIamPermissions(google.iam.v1.TestIamPermissionsRequest) returns (google.iam.v1.TestIamPermissionsResponse) { + option (google.api.http) = { post: "/v1alpha1/{resource=projects/*/notes/*}:testIamPermissions" body: "*" }; + } +} + +// `Occurrence` includes information about analysis occurrences for an image. +message Occurrence { + // Output only. The name of the `Occurrence` in the form + // "projects/{project_id}/occurrences/{OCCURRENCE_ID}" + string name = 1; + + // The unique URL of the image or the container for which the `Occurrence` + // applies. For example, https://gcr.io/project/image@sha256:foo This field + // can be used as a filter in list requests. + string resource_url = 2; + + // An analysis note associated with this image, in the form + // "providers/{provider_id}/notes/{NOTE_ID}" + // This field can be used as a filter in list requests. + string note_name = 3; + + // Output only. This explicitly denotes which of the `Occurrence` details are + // specified. This field can be used as a filter in list requests. + Note.Kind kind = 6; + + // Describes the details of the vulnerability `Note` found in this resource. + oneof details { + // Details of a security vulnerability note. + VulnerabilityType.VulnerabilityDetails vulnerability_details = 8; + + // Build details for a verifiable build. + BuildDetails build_details = 7; + + // Describes how this resource derives from the basis + // in the associated note. + DockerImage.Derived derived_image = 11; + + // Describes the installation of a package on the linked resource. + PackageManager.Installation installation = 12; + + // Describes the deployment of an artifact on a runtime. + Deployable.Deployment deployment = 14; + + // Describes the initial scan status for this resource. + Discovery.Discovered discovered = 15; + } + + // A description of actions that can be taken to remedy the `Note` + string remediation = 5; + + // Output only. The time this `Occurrence` was created. + google.protobuf.Timestamp create_time = 9; + + // Output only. The time this `Occurrence` was last updated. + google.protobuf.Timestamp update_time = 10; +} + +// Provides a detailed description of a `Note`. +message Note { + // Metadata for any related URL information + message RelatedUrl { + // Specific URL to associate with the note + string url = 1; + + // Label to describe usage of the URL + string label = 2; + } + + // This must be 1:1 with members of our oneofs, it can be used for filtering + // Note and Occurrence on their kind. + enum Kind { + // Unknown + KIND_UNSPECIFIED = 0; + + // The note and occurrence represent a package vulnerability. + PACKAGE_VULNERABILITY = 2; + + // The note and occurrence assert build provenance. + BUILD_DETAILS = 3; + + // This represents an image basis relationship. + IMAGE_BASIS = 4; + + // This represents a package installed via a package manager. + PACKAGE_MANAGER = 5; + + // The note and occurrence track deployment events. + DEPLOYABLE = 6; + + // The note and occurrence track the initial discovery status of a resource. + DISCOVERY = 7; + } + + // The name of the note in the form + // "providers/{provider_id}/notes/{NOTE_ID}" + string name = 1; + + // A one sentence description of this `Note`. + string short_description = 3; + + // A detailed description of this `Note`. + string long_description = 4; + + // Output only. This explicitly denotes which kind of note is specified. This + // field can be used as a filter in list requests. + Kind kind = 9; + + // The type of note. + oneof note_type { + // A package vulnerability type of note. + VulnerabilityType vulnerability_type = 6; + + // Build provenance type for a verifiable build. + BuildType build_type = 8; + + // A note describing a base image. + DockerImage.Basis base_image = 13; + + // A note describing a package hosted by various package managers. + PackageManager.Package package = 14; + + // A note describing something that can be deployed. + Deployable deployable = 17; + + // A note describing a provider/analysis type. + Discovery discovery = 18; + } + + // URLs associated with this note + repeated RelatedUrl related_url = 7; + + // Time of expiration for this note, null if note does not expire. + google.protobuf.Timestamp expiration_time = 10; + + // Output only. The time this note was created. This field can be used as a + // filter in list requests. + google.protobuf.Timestamp create_time = 11; + + // Output only. The time this note was last updated. This field can be used as + // a filter in list requests. + google.protobuf.Timestamp update_time = 12; +} + +// An artifact that can be deployed in some runtime. +message Deployable { + // The period during which some deployable was active in a runtime. + message Deployment { + // Types of platforms. + enum Platform { + // Unknown + PLATFORM_UNSPECIFIED = 0; + + // Google Container Engine + GKE = 1; + + // Google App Engine: Flexible Environment + FLEX = 2; + + // Custom user-defined platform + CUSTOM = 3; + } + + // Identity of the user that triggered this deployment. + string user_email = 1; + + // Beginning of the lifetime of this deployment. + google.protobuf.Timestamp deploy_time = 2; + + // End of the lifetime of this deployment. + google.protobuf.Timestamp undeploy_time = 3; + + // Configuration used to create this deployment. + string config = 8; + + // Address of the runtime element hosting this deployment. + string address = 5; + + // Output only. Resource URI for the artifact being deployed taken from the + // deployable field with the same name. + repeated string resource_uri = 6; + + // Platform hosting this deployment. + Platform platform = 7; + } + + // Resource URI for the artifact being deployed. + repeated string resource_uri = 1; +} + +// A note that indicates a type of analysis a provider would perform. This note +// exists in a provider's project. A `Discovery` occurrence is created in a +// consumer's project at the start of analysis. The occurrence's operation will +// indicate the status of the analysis. Absence of an occurrence linked to this +// note for a resource indicates that analysis hasn't started. +message Discovery { + // Provides information about the scan status of a discovered resource. + message Discovered { + // Output only. An operation that indicates the status of the current scan. + google.longrunning.Operation operation = 1; + } + + // The kind of analysis that is handled by this discovery. + Note.Kind analysis_kind = 1; +} + +// Note holding the version of the provider's builder and the signature of +// the provenance message in linked BuildDetails. +message BuildType { + // Version of the builder which produced this Note. + string builder_version = 1; + + // Signature of the build in Occurrences pointing to the Note containing this + // `BuilderDetails`. + BuildSignature signature = 2; +} + +// Message encapsulating the signature of the verified build. +message BuildSignature { + // Public key formats + enum KeyType { + // `KeyType` is not set. + KEY_TYPE_UNSPECIFIED = 0; + + // `PGP ASCII Armored` public key. + PGP_ASCII_ARMORED = 1; + + // `PKIX PEM` public key. + PKIX_PEM = 2; + } + + // Public key of the builder which can be used to verify that the related + // findings are valid and unchanged. If `key_type` is empty, this defaults + // to PEM encoded public keys. + // + // This field may be empty if `key_id` references an external key. + // + // For Cloud Container Builder based signatures, this is a PEM encoded public + // key. To verify the Cloud Container Builder signature, place the contents of + // this field into a file (public.pem). The signature field is base64-decoded + // into its binary representation in signature.bin, and the provenance bytes + // from `BuildDetails` are base64-decoded into a binary representation in + // signed.bin. OpenSSL can then verify the signature: + // `openssl sha256 -verify public.pem -signature signature.bin signed.bin` + string public_key = 1; + + // Signature of the related `BuildProvenance`, encoded in a base64 string. + string signature = 2; + + // An Id for the key used to sign. This could be either an Id for the key + // stored in `public_key` (such as the Id or fingerprint for a PGP key, or the + // CN for a cert), or a reference to an external key (such as a reference to a + // key in Cloud Key Management Service). + string key_id = 3; + + // The type of the key, either stored in `public_key` or referenced in + // `key_id` + KeyType key_type = 4; +} + +// Message encapsulating build provenance details. +message BuildDetails { + // The actual provenance + BuildProvenance provenance = 1; + + // Serialized JSON representation of the provenance, used in generating the + // `BuildSignature` in the corresponding Result. After verifying the + // signature, `provenance_bytes` can be unmarshalled and compared to the + // provenance to confirm that it is unchanged. A base64-encoded string + // representation of the provenance bytes is used for the signature in order + // to interoperate with openssl which expects this format for signature + // verification. + // + // The serialized form is captured both to avoid ambiguity in how the + // provenance is marshalled to json as well to prevent incompatibilities with + // future changes. + string provenance_bytes = 2; +} + +// Request to get a Occurrence. +message GetOccurrenceRequest { + // The name of the occurrence of the form + // "projects/{project_id}/occurrences/{OCCURRENCE_ID}" + string name = 1; +} + +// Request to list occurrences. +message ListOccurrencesRequest { + // The name field contains the project Id. For example: + // "projects/{project_id} + // @Deprecated + string name = 1; + + // This contains the project Id for example: projects/{project_id}. + string parent = 5; + + // The filter expression. + string filter = 2; + + // Number of occurrences to return in the list. + int32 page_size = 3; + + // Token to provide to skip to a particular spot in the list. + string page_token = 4; +} + +// Response including listed active occurrences. +message ListOccurrencesResponse { + // The occurrences requested. + repeated Occurrence occurrences = 1; + + // The next pagination token in the list response. It should be used as + // `page_token` for the following request. An empty value means no more + // results. + string next_page_token = 2; +} + +// Request to delete a occurrence +message DeleteOccurrenceRequest { + // The name of the occurrence in the form of + // "projects/{project_id}/occurrences/{OCCURRENCE_ID}" + string name = 1; +} + +// Request to insert a new occurrence. +message CreateOccurrenceRequest { + // The name of the project. Should be of the form "projects/{project_id}". + // @Deprecated + string name = 1; + + // This field contains the project Id for example: "projects/{project_id}" + string parent = 3; + + // The occurrence to be inserted + Occurrence occurrence = 2; +} + +// Request to update an existing occurrence +message UpdateOccurrenceRequest { + // The name of the occurrence. + // Should be of the form "projects/{project_id}/occurrences/{OCCURRENCE_ID}". + string name = 1; + + // The updated occurrence. + Occurrence occurrence = 2; + + // The fields to update. + google.protobuf.FieldMask update_mask = 3; +} + +// Request to get a Note. +message GetNoteRequest { + // The name of the note in the form of + // "providers/{provider_id}/notes/{NOTE_ID}" + string name = 1; +} + +// Request to get the note to which this occurrence is attached. +message GetOccurrenceNoteRequest { + // The name of the occurrence in the form + // "projects/{project_id}/occurrences/{OCCURRENCE_ID}" + string name = 1; +} + +// Request to list notes. +message ListNotesRequest { + // The name field will contain the project Id for example: + // "providers/{provider_id} + // @Deprecated + string name = 1; + + // This field contains the project Id for example: + // "project/{project_id} + string parent = 5; + + // The filter expression. + string filter = 2; + + // Number of notes to return in the list. + int32 page_size = 3; + + // Token to provide to skip to a particular spot in the list. + string page_token = 4; +} + +// Response including listed notes. +message ListNotesResponse { + // The occurrences requested + repeated Note notes = 1; + + // The next pagination token in the list response. It should be used as + // page_token for the following request. An empty value means no more result. + string next_page_token = 2; +} + +// Request to delete a note +message DeleteNoteRequest { + // The name of the note in the form of + // "providers/{provider_id}/notes/{NOTE_ID}" + string name = 1; +} + +// Request to insert a new note +message CreateNoteRequest { + // The name of the project. + // Should be of the form "providers/{provider_id}". + // @Deprecated + string name = 1; + + // This field contains the project Id for example: + // "project/{project_id} + string parent = 4; + + // The ID to use for this note. + string note_id = 2; + + // The Note to be inserted + Note note = 3; +} + +// Request to update an existing note +message UpdateNoteRequest { + // The name of the note. + // Should be of the form "projects/{provider_id}/notes/{note_id}". + string name = 1; + + // The updated note. + Note note = 2; + + // The fields to update. + google.protobuf.FieldMask update_mask = 3; +} + +// Request to list occurrences. +message ListNoteOccurrencesRequest { + // The name field will contain the note name for example: + // "provider/{provider_id}/notes/{note_id}" + string name = 1; + + // The filter expression. + string filter = 2; + + // Number of notes to return in the list. + int32 page_size = 3; + + // Token to provide to skip to a particular spot in the list. + string page_token = 4; +} + +// Response including listed occurrences for a note. +message ListNoteOccurrencesResponse { + // The occurrences attached to the specified note. + repeated Occurrence occurrences = 1; + + // Token to receive the next page of notes. + string next_page_token = 2; +} + +// Metadata for all operations used and required for all operations +// that created by Container Analysis Providers +message OperationMetadata { + // Output only. The time this operation was created. + google.protobuf.Timestamp create_time = 1; + + // Output only. The time that this operation was marked completed or failed. + google.protobuf.Timestamp end_time = 2; +} + +// Request to get the vulnz summary for some set of vulnerability Occurrences. +message GetVulnzOccurrencesSummaryRequest { + // This contains the project Id for example: projects/{project_id} + string parent = 1; + + // The filter expression. + string filter = 2; +} + +// A summary of how many vulnz occurrences there are per severity type. +// counts by groups, or if we should have different summary messages +// like this. +message GetVulnzOccurrencesSummaryResponse { + // The number of occurrences created for a specific severity. + message SeverityCount { + // The severity of the occurrences. + VulnerabilityType.Severity severity = 1; + + // The number of occurrences with the severity. + int64 count = 2; + } + + // A map of how many occurrences were found for each severity. + repeated SeverityCount counts = 1; +} diff --git a/google/devtools/containeranalysis/v1alpha1/containeranalysis_gapic.yaml b/google/devtools/containeranalysis/v1alpha1/containeranalysis_gapic.yaml new file mode 100644 index 00000000..e5bc9045 --- /dev/null +++ b/google/devtools/containeranalysis/v1alpha1/containeranalysis_gapic.yaml @@ -0,0 +1,357 @@ +type: com.google.api.codegen.ConfigProto +config_schema_version: 1.0.0 +# The settings of generated code in a specific language. +language_settings: + java: + package_name: com.google.cloud.devtools.containeranalysis.v1alpha1 + python: + package_name: google.cloud.devtools.containeranalysis_v1alpha1.gapic + go: + package_name: cloud.google.com/go/devtools/containeranalysis/apiv1alpha1 + csharp: + package_name: Google.Devtools.Containeranalysis.V1alpha1 + ruby: + package_name: Google::Cloud::Devtools::Containeranalysis::V1alpha1 + php: + package_name: Google\Cloud\Devtools\Containeranalysis\V1alpha1 + nodejs: + package_name: containeranalysis.v1alpha1 +# The configuration for the license header to put on generated files. +license_header: + # The file containing the copyright line(s). + copyright_file: copyright-google.txt + # The file containing the raw license header without any copyright line(s). + license_file: license-header-apache-2.0.txt +# A list of API interface configurations. +interfaces: + # The fully qualified name of the API interface. +- name: google.devtools.containeranalysis.v1alpha1.ContainerAnalysis + # A list of resource collection configurations. + # Consists of a name_pattern and an entity_name. + # The name_pattern is a pattern to describe the names of the resources of this + # collection, using the platform's conventions for URI patterns. A generator + # may use this to generate methods to compose and decompose such names. The + # pattern should use named placeholders as in `shelves/{shelf}/books/{book}`; + # those will be taken as hints for the parameter names of the generated + # methods. If empty, no name methods are generated. + # The entity_name is the name to be used as a basis for generated methods and + # classes. + collections: + - name_pattern: projects/{project} + entity_name: project + - name_pattern: projects/{project}/notes/{note} + entity_name: note + - name_pattern: projects/{project}/occurrences/{occurrence} + entity_name: occurrence + # Definition for retryable codes. + retry_codes_def: + - name: idempotent + retry_codes: + - UNAVAILABLE + - DEADLINE_EXCEEDED + - name: non_idempotent + retry_codes: [] + # Definition for retry/backoff parameters. + retry_params_def: + - name: default + initial_retry_delay_millis: 100 + retry_delay_multiplier: 1.3 + max_retry_delay_millis: 60000 + initial_rpc_timeout_millis: 20000 + rpc_timeout_multiplier: 1 + max_rpc_timeout_millis: 20000 + total_timeout_millis: 600000 + # A list of method configurations. + # Common properties: + # name - The simple name of the method. + # flattening - Specifies the configuration for parameter flattening. + # Describes the parameter groups for which a generator should produce + # method overloads which allow a client to directly pass request message + # fields as method parameters. This information may or may not be used, + # depending on the target language. + # Consists of groups, which each represent a list of parameters to be + # flattened. Each parameter listed must be a field of the request + # message. + # required_fields - Fields that are always required for a request to be + # valid. + # request_object_method - Turns on or off the generation of a method whose + # sole parameter is a request object. Not all languages will generate + # this method. + # resource_name_treatment - An enum that specifies how to treat the + # resource name formats defined in the field_name_patterns + # and response_field_name_patterns fields. + # UNSET: default value + # NONE: the collection configs will not be used by the generated code. + # VALIDATE: string fields will be validated by the client against the + # specified resource name formats. + # STATIC_TYPES: the client will use generated types for resource names. + # page_streaming - Specifies the configuration for paging. + # Describes information for generating a method which transforms a + # paging list RPC into a stream of resources. + # Consists of a request and a response. + # The request specifies request information of the list method. It + # defines which fields match the paging pattern in the request. The + # request consists of a page_size_field and a token_field. The + # page_size_field is the name of the optional field specifying the + # maximum number of elements to be returned in the response. The + # token_field is the name of the field in the request containing the + # page token. + # The response specifies response information of the list method. It + # defines which fields match the paging pattern in the response. The + # response consists of a token_field and a resources_field. The + # token_field is the name of the field in the response containing the + # next page token. The resources_field is the name of the field in the + # response containing the list of resources belonging to the page. + # retry_codes_name - Specifies the configuration for retryable codes. The + # name must be defined in interfaces.retry_codes_def. + # retry_params_name - Specifies the configuration for retry/backoff + # parameters. The name must be defined in interfaces.retry_params_def. + # field_name_patterns - Maps the field name of the request type to + # entity_name of interfaces.collections. + # Specifies the string pattern that the field must follow. + # timeout_millis - Specifies the default timeout for a non-retrying call. If + # the call is retrying, refer to retry_params_name instead. + methods: + - name: GetOccurrence + flattening: + groups: + - parameters: + - name + required_fields: + - name + request_object_method: false + retry_codes_name: idempotent + retry_params_name: default + field_name_patterns: + name: occurrence + timeout_millis: 60000 + - name: ListOccurrences + flattening: + groups: + - parameters: + - parent + required_fields: + - parent + request_object_method: true + page_streaming: + request: + page_size_field: page_size + token_field: page_token + response: + token_field: next_page_token + resources_field: occurrences + retry_codes_name: idempotent + retry_params_name: default + field_name_patterns: + parent: project + timeout_millis: 60000 + - name: DeleteOccurrence + flattening: + groups: + - parameters: + - name + required_fields: + - name + request_object_method: false + retry_codes_name: idempotent + retry_params_name: default + field_name_patterns: + name: occurrence + timeout_millis: 60000 + - name: CreateOccurrence + flattening: + groups: + - parameters: + - parent + - occurrence + required_fields: + - parent + - occurrence + request_object_method: true + retry_codes_name: non_idempotent + retry_params_name: default + field_name_patterns: + parent: project + timeout_millis: 60000 + - name: UpdateOccurrence + flattening: + groups: + - parameters: + - name + - occurrence + required_fields: + - name + - occurrence + request_object_method: true + retry_codes_name: non_idempotent + retry_params_name: default + field_name_patterns: + name: occurrence + timeout_millis: 60000 + - name: GetOccurrenceNote + flattening: + groups: + - parameters: + - name + required_fields: + - name + request_object_method: false + retry_codes_name: idempotent + retry_params_name: default + field_name_patterns: + name: occurrence + timeout_millis: 60000 + - name: GetNote + flattening: + groups: + - parameters: + - name + required_fields: + - name + request_object_method: false + retry_codes_name: idempotent + retry_params_name: default + field_name_patterns: + name: note + timeout_millis: 60000 + - name: ListNotes + flattening: + groups: + - parameters: + - parent + required_fields: + - parent + request_object_method: true + page_streaming: + request: + page_size_field: page_size + token_field: page_token + response: + token_field: next_page_token + resources_field: notes + retry_codes_name: idempotent + retry_params_name: default + field_name_patterns: + parent: project + timeout_millis: 60000 + - name: DeleteNote + flattening: + groups: + - parameters: + - name + required_fields: + - name + request_object_method: false + retry_codes_name: idempotent + retry_params_name: default + field_name_patterns: + name: note + timeout_millis: 60000 + - name: CreateNote + flattening: + groups: + - parameters: + - parent + - note_id + - note + required_fields: + - parent + - note_id + - note + request_object_method: true + retry_codes_name: non_idempotent + retry_params_name: default + field_name_patterns: + parent: project + timeout_millis: 60000 + - name: UpdateNote + flattening: + groups: + - parameters: + - name + - note + required_fields: + - name + - note + request_object_method: true + retry_codes_name: non_idempotent + retry_params_name: default + field_name_patterns: + name: note + timeout_millis: 60000 + - name: ListNoteOccurrences + flattening: + groups: + - parameters: + - name + required_fields: + - name + request_object_method: true + page_streaming: + request: + page_size_field: page_size + token_field: page_token + response: + token_field: next_page_token + resources_field: occurrences + retry_codes_name: idempotent + retry_params_name: default + field_name_patterns: + name: note + timeout_millis: 60000 + - name: GetVulnzOccurrencesSummary + flattening: + groups: + - parameters: + - parent + required_fields: + - parent + request_object_method: true + retry_codes_name: idempotent + retry_params_name: default + field_name_patterns: + parent: project + timeout_millis: 60000 + - name: SetIamPolicy + flattening: + groups: + - parameters: + - resource + - policy + required_fields: + - resource + - policy + request_object_method: true + retry_codes_name: non_idempotent + retry_params_name: default + field_name_patterns: + resource: note + timeout_millis: 60000 + - name: GetIamPolicy + flattening: + groups: + - parameters: + - resource + required_fields: + - resource + request_object_method: false + retry_codes_name: non_idempotent + retry_params_name: default + field_name_patterns: + resource: note + timeout_millis: 60000 + - name: TestIamPermissions + flattening: + groups: + - parameters: + - resource + - permissions + required_fields: + - resource + - permissions + request_object_method: true + retry_codes_name: non_idempotent + retry_params_name: default + field_name_patterns: + resource: note + timeout_millis: 60000 diff --git a/google/devtools/containeranalysis/v1alpha1/image_basis.proto b/google/devtools/containeranalysis/v1alpha1/image_basis.proto new file mode 100644 index 00000000..d3a50c4c --- /dev/null +++ b/google/devtools/containeranalysis/v1alpha1/image_basis.proto @@ -0,0 +1,149 @@ +// Copyright 2017 Google Inc. +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +syntax = "proto3"; + +package google.devtools.containeranalysis.v1alpha1; + +import "google/api/annotations.proto"; + +option go_package = "google.golang.org/genproto/googleapis/devtools/containeranalysis/v1alpha1;containeranalysis"; +option java_multiple_files = true; +option java_package = "com.google.containeranalysis.v1alpha1"; +option objc_class_prefix = "GCA"; + + +// DockerImage holds types defining base image notes +// and derived image occurrences. +message DockerImage { + // Layer holds metadata specific to a layer of a Docker image. + message Layer { + // Instructions from dockerfile + enum Directive { + // Default value for unsupported/missing directive + DIRECTIVE_UNSPECIFIED = 0; + + // https://docs.docker.com/reference/builder/#maintainer + MAINTAINER = 1; + + // https://docs.docker.com/reference/builder/#run + RUN = 2; + + // https://docs.docker.com/reference/builder/#cmd + CMD = 3; + + // https://docs.docker.com/reference/builder/#label + LABEL = 4; + + // https://docs.docker.com/reference/builder/#expose + EXPOSE = 5; + + // https://docs.docker.com/reference/builder/#env + ENV = 6; + + // https://docs.docker.com/reference/builder/#add + ADD = 7; + + // https://docs.docker.com/reference/builder/#copy + COPY = 8; + + // https://docs.docker.com/reference/builder/#entrypoint + ENTRYPOINT = 9; + + // https://docs.docker.com/reference/builder/#volume + VOLUME = 10; + + // https://docs.docker.com/reference/builder/#user + USER = 11; + + // https://docs.docker.com/reference/builder/#workdir + WORKDIR = 12; + + // https://docs.docker.com/reference/builder/#arg + ARG = 13; + + // https://docs.docker.com/reference/builder/#onbuild + ONBUILD = 14; + + // https://docs.docker.com/reference/builder/#stopsignal + STOPSIGNAL = 15; + + // https://docs.docker.com/reference/builder/#healthcheck + HEALTHCHECK = 16; + + // https://docs.docker.com/reference/builder/#shell + SHELL = 17; + } + + // The recovered Dockerfile directive used to construct this layer. + Directive directive = 1; + + // The recovered arguments to the Dockerfile directive. + string arguments = 2; + } + + // A set of properties that uniquely identify a given Docker image. + message Fingerprint { + // The layer-id of the final layer in the Docker image's v1 + // representation. + // This field can be used as a filter in list requests. + string v1_name = 1; + + // The ordered list of v2 blobs that represent a given image. + repeated string v2_blob = 2; + + // Output only. The name of the image's v2 blobs computed via: + // [bottom] := v2_blob[bottom] + // [N] := sha256(v2_blob[N] + " " + v2_name[N+1]) + // Only the name of the final blob is kept. + // This field can be used as a filter in list requests. + string v2_name = 3; + } + + // Basis describes the base image portion (Note) of the DockerImage + // relationship. Linked occurrences are derived from this or an + // equivalent image via: + // FROM + // Or an equivalent reference, e.g. a tag of the resource_url. + message Basis { + // The resource_url for the resource representing the basis of + // associated occurrence images. + string resource_url = 1; + + // The fingerprint of the base image + Fingerprint fingerprint = 2; + } + + // Derived describes the derived image portion (Occurrence) of the + // DockerImage relationship. This image would be produced from a Dockerfile + // with FROM . + message Derived { + // The fingerprint of the derived image + Fingerprint fingerprint = 1; + + // Output only. The number of layers by which this image differs from + // the associated image basis. + uint32 distance = 2; + + // This contains layer-specific metadata, if populated it + // has length "distance" and is ordered with [distance] being the + // layer immediately following the base image and [1] + // being the final layer. + repeated Layer layer_info = 3; + + // Output only.This contains the base image url for the derived image + // Occurrence + string base_resource_url = 4; + } +} diff --git a/google/devtools/containeranalysis/v1alpha1/package_vulnerability.proto b/google/devtools/containeranalysis/v1alpha1/package_vulnerability.proto new file mode 100644 index 00000000..a19f69aa --- /dev/null +++ b/google/devtools/containeranalysis/v1alpha1/package_vulnerability.proto @@ -0,0 +1,178 @@ +// Copyright 2017 Google Inc. +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +syntax = "proto3"; + +package google.devtools.containeranalysis.v1alpha1; + +import "google/api/annotations.proto"; + +option go_package = "google.golang.org/genproto/googleapis/devtools/containeranalysis/v1alpha1;containeranalysis"; +option java_multiple_files = true; +option java_package = "com.google.containeranalysis.v1alpha1"; +option objc_class_prefix = "GCA"; + + +// VulnerabilityType provides metadata about a security vulnerability. +message VulnerabilityType { + // Version contains structured information about the version of the package. + // For a discussion of this in Debian/Ubuntu: + // http://serverfault.com/questions/604541/debian-packages-version-convention + // For a discussion of this in Redhat/Fedora/Centos: + // http://blog.jasonantman.com/2014/07/how-yum-and-rpm-compare-versions/ + message Version { + // Whether this is an ordinary package version or a + // sentinel MIN/MAX version. + enum VersionKind { + // A standard package version, defined by the other fields. + NORMAL = 0; + + // A special version representing negative infinity, + // other fields are ignored. + MINIMUM = 1; + + // A special version representing positive infinity, + // other fields are ignored. + MAXIMUM = 2; + } + + // Used to correct mistakes in the version numbering scheme. + int32 epoch = 1; + + // The main part of the version name. + string name = 2; + + // The iteration of the package build from the above version. + string revision = 3; + + // Distinguish between sentinel MIN/MAX versions and normal versions. + // If kind is not NORMAL, then the other fields are ignored. + VersionKind kind = 5; + } + + // Identifies all occurrences of this vulnerability in the package for a + // specific distro/location + // For example: glibc in cpe:/o:debian:debian_linux:8 for versions 2.1 - 2.2 + message Detail { + // The cpe_uri in [cpe format] (https://cpe.mitre.org/specification/) in + // which the vulnerability manifests. Examples include distro or storage + // location for vulnerable jar. + // This field can be used as a filter in list requests. + string cpe_uri = 1; + + // The name of the package where the vulnerability was found. + // This field can be used as a filter in list requests. + string package = 8; + + // The min version of the package in which the vulnerability exists. + Version min_affected_version = 6; + + // The max version of the package in which the vulnerability exists. + // This field can be used as a filter in list requests. + Version max_affected_version = 7; + + // The severity (eg: distro assigned severity) for this vulnerability. + string severity_name = 4; + + // A vendor-specific description of this note. + string description = 9; + + // The fix for this specific package version. + VulnerabilityLocation fixed_location = 5; + + // The type of package; whether native or non native(ruby gems, + // node.js packages etc) + string package_type = 10; + } + + // Used by Occurrence to point to where the vulnerability exists and how + // to fix it. + message VulnerabilityDetails { + // The type of package; whether native or non native(ruby gems, + // node.js packages etc) + string type = 3; + + // Output only. The note provider assigned Severity of the vulnerability. + Severity severity = 4; + + // Output only. The CVSS score of this vulnerability. CVSS score is on a + // scale of 0-10 where 0 indicates low severity and 10 indicates high + // severity. + float cvss_score = 5; + + // The set of affected locations and their fixes (if available) within + // the associated resource. + repeated PackageIssue package_issue = 6; + } + + // This message wraps a location affected by a vulnerability and its + // associated fix (if one is available). + message PackageIssue { + // The location of the vulnerability. + VulnerabilityLocation affected_location = 1; + + // The location of the available fix for vulnerability. + VulnerabilityLocation fixed_location = 2; + + // The severity (eg: distro assigned severity) for this vulnerability. + string severity_name = 3; + } + + // The location of the vulnerability + message VulnerabilityLocation { + // The cpe_uri in [cpe format] (https://cpe.mitre.org/specification/) + // format. Examples include distro or storage location for vulnerable jar. + // This field can be used as a filter in list requests. + string cpe_uri = 1; + + // The package being described. + string package = 2; + + // The version of the package being described. + // This field can be used as a filter in list requests. + Version version = 4; + } + + // Note provider-assigned severity/impact ranking + enum Severity { + // Unknown Impact + SEVERITY_UNSPECIFIED = 0; + + // Minimal Impact + MINIMAL = 1; + + // Low Impact + LOW = 2; + + // Medium Impact + MEDIUM = 3; + + // High Impact + HIGH = 4; + + // Critical Impact + CRITICAL = 5; + } + + // The CVSS score for this Vulnerability. + float cvss_score = 2; + + // Note provider assigned impact of the vulnerability + Severity severity = 3; + + // All information about the package to specifically identify this + // vulnerability. One entry per (version range and cpe_uri) the + // package vulnerability has manifested in. + repeated Detail details = 4; +} diff --git a/google/devtools/containeranalysis/v1alpha1/provenance.proto b/google/devtools/containeranalysis/v1alpha1/provenance.proto new file mode 100644 index 00000000..b1f8193d --- /dev/null +++ b/google/devtools/containeranalysis/v1alpha1/provenance.proto @@ -0,0 +1,224 @@ +// Copyright 2017 Google Inc. +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +syntax = "proto3"; + +package google.devtools.containeranalysis.v1alpha1; + +import "google/api/annotations.proto"; +import "google/devtools/containeranalysis/v1alpha1/source_context.proto"; +import "google/protobuf/timestamp.proto"; + +option go_package = "google.golang.org/genproto/googleapis/devtools/containeranalysis/v1alpha1;containeranalysis"; +option java_multiple_files = true; +option java_package = "com.google.containeranalysis.v1alpha1"; +option objc_class_prefix = "GCA"; + + +// Provenance of a build. Contains all information needed to verify the full +// details about the build from source to completion. +message BuildProvenance { + // Unique identifier of the build. + string id = 1; + + // ID of the project. + string project_id = 2; + + // Commands requested by the build. + repeated Command commands = 5; + + // Output of the build. + repeated Artifact built_artifacts = 6; + + // Time at which the build was created. + google.protobuf.Timestamp create_time = 7; + + // Time at which execution of the build was started. + google.protobuf.Timestamp start_time = 8; + + // Time at which execution of the build was finished. + google.protobuf.Timestamp finish_time = 9; + + // E-mail address of the user who initiated this build. Note that this was the + // user's e-mail address at the time the build was initiated; this address may + // not represent the same end-user for all time. + string creator = 11; + + // Google Cloud Storage bucket where logs were written. + string logs_bucket = 13; + + // Details of the Source input to the build. + Source source_provenance = 14; + + // Trigger identifier if the build was triggered automatically; empty if not. + string trigger_id = 15; + + // Special options applied to this build. This is a catch-all field where + // build providers can enter any desired additional details. + map build_options = 16; + + // Version string of the builder at the time this build was executed. + string builder_version = 17; +} + +// Source describes the location of the source used for the build. +message Source { + // Source location information. + oneof source { + // If provided, get the source from this location in in Google Cloud + // Storage. + StorageSource storage_source = 1; + + // If provided, get source from this location in a Cloud Repo. + RepoSource repo_source = 2; + } + + // If provided, the input binary artifacts for the build came from this + // location. + StorageSource artifact_storage_source = 4; + + // Hash(es) of the build source, which can be used to verify that the original + // source integrity was maintained in the build. + // + // The keys to this map are file paths used as build source and the values + // contain the hash values for those files. + // + // If the build source came in a single package such as a gzipped tarfile + // (.tar.gz), the FileHash will be for the single path to that file. + map file_hashes = 3; + + // If provided, the source code used for the build came from this location. + SourceContext context = 7; + + // If provided, some of the source code used for the build may be found in + // these locations, in the case where the source repository had multiple + // remotes or submodules. This list will not include the context specified in + // the context field. + repeated SourceContext additional_contexts = 8; +} + +// Container message for hashes of byte content of files, used in Source +// messages to verify integrity of source input to the build. +message FileHashes { + // Collection of file hashes. + repeated Hash file_hash = 1; +} + +// Container message for hash values. +message Hash { + // Specifies the hash algorithm, if any. + enum HashType { + // No hash requested. + NONE = 0; + + // A sha256 hash. + SHA256 = 1; + } + + // The type of hash that was performed. + HashType type = 1; + + // The hash value. + bytes value = 2; +} + +// StorageSource describes the location of the source in an archive file in +// Google Cloud Storage. +message StorageSource { + // Google Cloud Storage bucket containing source (see [Bucket Name + // Requirements] + // (https://cloud.google.com/storage/docs/bucket-naming#requirements)). + string bucket = 1; + + // Google Cloud Storage object containing source. + string object = 2; + + // Google Cloud Storage generation for the object. + int64 generation = 3; +} + +// RepoSource describes the location of the source in a Google Cloud Source +// Repository. +message RepoSource { + // ID of the project that owns the repo. + string project_id = 1; + + // Name of the repo. + string repo_name = 2; + + // A revision within the source repository must be specified in + // one of these ways. + oneof revision { + // Name of the branch to build. + string branch_name = 3; + + // Name of the tag to build. + string tag_name = 4; + + // Explicit commit SHA to build. + string commit_sha = 5; + } +} + +// Command describes a step performed as part of the build pipeline. +message Command { + // Name of the command, as presented on the command line, or if the command is + // packaged as a Docker container, as presented to `docker pull`. + string name = 1; + + // Environment variables set before running this Command. + repeated string env = 2; + + // Command-line arguments used when executing this Command. + repeated string args = 3; + + // Working directory (relative to project source root) used when running + // this Command. + string dir = 4; + + // Optional unique identifier for this Command, used in wait_for to reference + // this Command as a dependency. + string id = 5; + + // The ID(s) of the Command(s) that this Command depends on. + repeated string wait_for = 6; +} + +// Artifact describes a build product. +message Artifact { + // Name of the artifact. This may be the path to a binary or jar file, or in + // the case of a container build, the name used to push the container image to + // Google Container Registry, as presented to `docker push`. + // + // This field is deprecated in favor of the plural `names` field; it continues + // to exist here to allow existing BuildProvenance serialized to json in + // google.devtools.containeranalysis.v1alpha1.BuildDetails.provenance_bytes to + // deserialize back into proto. + string name = 1; + + // Hash or checksum value of a binary, or Docker Registry 2.0 digest of a + // container. + string checksum = 2; + + // Artifact ID, if any; for container images, this will be a URL by digest + // like gcr.io/projectID/imagename@sha256:123456 + string id = 3; + + // Related artifact names. This may be the path to a binary or jar file, or in + // the case of a container build, the name used to push the container image to + // Google Container Registry, as presented to `docker push`. Note that a + // single Artifact ID can have multiple names, for example if two tags are + // applied to one image. + repeated string names = 4; +} diff --git a/google/devtools/containeranalysis/v1alpha1/source_context.proto b/google/devtools/containeranalysis/v1alpha1/source_context.proto new file mode 100644 index 00000000..918f4b0e --- /dev/null +++ b/google/devtools/containeranalysis/v1alpha1/source_context.proto @@ -0,0 +1,141 @@ +// Copyright 2017 Google Inc. +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +syntax = "proto3"; + +package google.devtools.containeranalysis.v1alpha1; + +import "google/api/annotations.proto"; + +option go_package = "google.golang.org/genproto/googleapis/devtools/containeranalysis/v1alpha1;containeranalysis"; +option java_multiple_files = true; +option java_package = "com.google.containeranalysis.v1alpha1"; +option objc_class_prefix = "GCA"; + + +// A SourceContext is a reference to a tree of files. A SourceContext together +// with a path point to a unique revision of a single file or directory. +message SourceContext { + // A SourceContext can refer any one of the following types of repositories. + oneof context { + // A SourceContext referring to a revision in a Google Cloud Source Repo. + CloudRepoSourceContext cloud_repo = 1; + + // A SourceContext referring to a Gerrit project. + GerritSourceContext gerrit = 2; + + // A SourceContext referring to any third party Git repo (e.g., GitHub). + GitSourceContext git = 3; + } + + // Labels with user defined metadata. + map labels = 4; +} + +// An alias to a repo revision. +message AliasContext { + // The type of an alias. + enum Kind { + // Unknown. + KIND_UNSPECIFIED = 0; + + // Git tag. + FIXED = 1; + + // Git branch. + MOVABLE = 2; + + // Used to specify non-standard aliases. For example, if a Git repo has a + // ref named "refs/foo/bar". + OTHER = 4; + } + + // The alias kind. + Kind kind = 1; + + // The alias name. + string name = 2; +} + +// A CloudRepoSourceContext denotes a particular revision in a Google Cloud +// Source Repo. +message CloudRepoSourceContext { + // The ID of the repo. + RepoId repo_id = 1; + + // A revision in a Cloud Repo can be identified by either its revision ID or + // its alias. + oneof revision { + // A revision ID. + string revision_id = 2; + + // An alias, which may be a branch or tag. + AliasContext alias_context = 3; + } +} + +// A SourceContext referring to a Gerrit project. +message GerritSourceContext { + // The URI of a running Gerrit instance. + string host_uri = 1; + + // The full project name within the host. Projects may be nested, so + // "project/subproject" is a valid project name. The "repo name" is + // the hostURI/project. + string gerrit_project = 2; + + // A revision in a Gerrit project can be identified by either its revision ID + // or its alias. + oneof revision { + // A revision (commit) ID. + string revision_id = 3; + + // An alias, which may be a branch or tag. + AliasContext alias_context = 4; + } +} + +// A GitSourceContext denotes a particular revision in a third party Git +// repository (e.g., GitHub). +message GitSourceContext { + // Git repository URL. + string url = 1; + + // Required. + // Git commit hash. + string revision_id = 2; +} + +// A unique identifier for a Cloud Repo. +message RepoId { + // A cloud repo can be identified by either its project ID and repository name + // combination, or its globally unique identifier. + oneof id { + // A combination of a project ID and a repo name. + ProjectRepoId project_repo_id = 1; + + // A server-assigned, globally unique identifier. + string uid = 2; + } +} + +// Selects a repo using a Google Cloud Platform project ID (e.g., +// winged-cargo-31) and a repo name within that project. +message ProjectRepoId { + // The ID of the project. + string project_id = 1; + + // The name of the repo. Leave empty for the default repo. + string repo_name = 2; +}