grafeas-v1 0.2.2 → 0.3.0
- checksums.yaml +4 -4
- data/lib/grafeas/v1/attestation_pb.rb +6 -1
- data/lib/grafeas/v1/build_pb.rb +5 -1
- data/lib/grafeas/v1/common_pb.rb +13 -0
- data/lib/grafeas/v1/compliance_pb.rb +48 -0
- data/lib/grafeas/v1/deployment_pb.rb +1 -1
- data/lib/grafeas/v1/discovery_pb.rb +2 -2
- data/lib/grafeas/v1/dsse_attestation_pb.rb +31 -0
- data/lib/grafeas/v1/grafeas/client.rb +298 -42
- data/lib/grafeas/v1/grafeas_pb.rb +9 -2
- data/lib/grafeas/v1/grafeas_services_pb.rb +1 -1
- data/lib/grafeas/v1/intoto_provenance_pb.rb +49 -0
- data/lib/grafeas/v1/intoto_statement_pb.rb +31 -0
- data/lib/grafeas/v1/package_pb.rb +1 -0
- data/lib/grafeas/v1/provenance_pb.rb +1 -1
- data/lib/grafeas/v1/slsa_provenance_pb.rb +54 -0
- data/lib/grafeas/v1/upgrade_pb.rb +2 -2
- data/lib/grafeas/v1/version.rb +1 -1
- data/lib/grafeas/v1/vulnerability_pb.rb +13 -2
- data/proto_docs/grafeas/v1/attestation.rb +21 -0
- data/proto_docs/grafeas/v1/build.rb +11 -1
- data/proto_docs/grafeas/v1/common.rb +31 -2
- data/proto_docs/grafeas/v1/compliance.rb +98 -0
- data/proto_docs/grafeas/v1/dsse_attestation.rb +59 -0
- data/proto_docs/grafeas/v1/grafeas.rb +15 -0
- data/proto_docs/grafeas/v1/intoto_provenance.rb +134 -0
- data/proto_docs/grafeas/v1/intoto_statement.rb +65 -0
- data/proto_docs/grafeas/v1/package.rb +8 -0
- data/proto_docs/grafeas/v1/slsa_provenance.rb +152 -0
- data/proto_docs/grafeas/v1/vulnerability.rb +38 -0
- metadata +12 -2
@@ -1,9 +1,9 @@
|
|
1
1
|
# Generated by the protocol buffer compiler. DO NOT EDIT!
|
2
2
|
# source: grafeas/v1/provenance.proto
|
3
3
|
|
4
|
+
require 'google/protobuf/timestamp_pb'
|
4
5
|
require 'google/protobuf'
|
5
6
|
|
6
|
-
require 'google/protobuf/timestamp_pb'
|
7
7
|
Google::Protobuf::DescriptorPool.generated_pool.build do
|
8
8
|
add_file("grafeas/v1/provenance.proto", :syntax => :proto3) do
|
9
9
|
add_message "grafeas.v1.BuildProvenance" do
|
@@ -0,0 +1,54 @@
|
|
1
|
+
# Generated by the protocol buffer compiler. DO NOT EDIT!
|
2
|
+
# source: grafeas/v1/slsa_provenance.proto
|
3
|
+
|
4
|
+
require 'google/protobuf/any_pb'
|
5
|
+
require 'google/protobuf/timestamp_pb'
|
6
|
+
require 'google/protobuf'
|
7
|
+
|
8
|
+
Google::Protobuf::DescriptorPool.generated_pool.build do
|
9
|
+
add_file("grafeas/v1/slsa_provenance.proto", :syntax => :proto3) do
|
10
|
+
add_message "grafeas.v1.SlsaProvenance" do
|
11
|
+
optional :builder, :message, 1, "grafeas.v1.SlsaProvenance.SlsaBuilder"
|
12
|
+
optional :recipe, :message, 2, "grafeas.v1.SlsaProvenance.SlsaRecipe"
|
13
|
+
optional :metadata, :message, 3, "grafeas.v1.SlsaProvenance.SlsaMetadata"
|
14
|
+
repeated :materials, :message, 4, "grafeas.v1.SlsaProvenance.Material"
|
15
|
+
end
|
16
|
+
add_message "grafeas.v1.SlsaProvenance.SlsaRecipe" do
|
17
|
+
optional :type, :string, 1
|
18
|
+
optional :defined_in_material, :int64, 2
|
19
|
+
optional :entry_point, :string, 3
|
20
|
+
optional :arguments, :message, 4, "google.protobuf.Any"
|
21
|
+
optional :environment, :message, 5, "google.protobuf.Any"
|
22
|
+
end
|
23
|
+
add_message "grafeas.v1.SlsaProvenance.SlsaCompleteness" do
|
24
|
+
optional :arguments, :bool, 1
|
25
|
+
optional :environment, :bool, 2
|
26
|
+
optional :materials, :bool, 3
|
27
|
+
end
|
28
|
+
add_message "grafeas.v1.SlsaProvenance.SlsaMetadata" do
|
29
|
+
optional :build_invocation_id, :string, 1
|
30
|
+
optional :build_started_on, :message, 2, "google.protobuf.Timestamp"
|
31
|
+
optional :build_finished_on, :message, 3, "google.protobuf.Timestamp"
|
32
|
+
optional :completeness, :message, 4, "grafeas.v1.SlsaProvenance.SlsaCompleteness"
|
33
|
+
optional :reproducible, :bool, 5
|
34
|
+
end
|
35
|
+
add_message "grafeas.v1.SlsaProvenance.SlsaBuilder" do
|
36
|
+
optional :id, :string, 1
|
37
|
+
end
|
38
|
+
add_message "grafeas.v1.SlsaProvenance.Material" do
|
39
|
+
optional :uri, :string, 1
|
40
|
+
map :digest, :string, :string, 2
|
41
|
+
end
|
42
|
+
end
|
43
|
+
end
|
44
|
+
|
45
|
+
module Grafeas
|
46
|
+
module V1
|
47
|
+
SlsaProvenance = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("grafeas.v1.SlsaProvenance").msgclass
|
48
|
+
SlsaProvenance::SlsaRecipe = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("grafeas.v1.SlsaProvenance.SlsaRecipe").msgclass
|
49
|
+
SlsaProvenance::SlsaCompleteness = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("grafeas.v1.SlsaProvenance.SlsaCompleteness").msgclass
|
50
|
+
SlsaProvenance::SlsaMetadata = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("grafeas.v1.SlsaProvenance.SlsaMetadata").msgclass
|
51
|
+
SlsaProvenance::SlsaBuilder = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("grafeas.v1.SlsaProvenance.SlsaBuilder").msgclass
|
52
|
+
SlsaProvenance::Material = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("grafeas.v1.SlsaProvenance.Material").msgclass
|
53
|
+
end
|
54
|
+
end
|
@@ -1,10 +1,10 @@
|
|
1
1
|
# Generated by the protocol buffer compiler. DO NOT EDIT!
|
2
2
|
# source: grafeas/v1/upgrade.proto
|
3
3
|
|
4
|
-
require 'google/protobuf'
|
5
|
-
|
6
4
|
require 'google/protobuf/timestamp_pb'
|
7
5
|
require 'grafeas/v1/package_pb'
|
6
|
+
require 'google/protobuf'
|
7
|
+
|
8
8
|
Google::Protobuf::DescriptorPool.generated_pool.build do
|
9
9
|
add_file("grafeas/v1/upgrade.proto", :syntax => :proto3) do
|
10
10
|
add_message "grafeas.v1.UpgradeNote" do
|
data/lib/grafeas/v1/version.rb
CHANGED
@@ -1,12 +1,13 @@
|
|
1
1
|
# Generated by the protocol buffer compiler. DO NOT EDIT!
|
2
2
|
# source: grafeas/v1/vulnerability.proto
|
3
3
|
|
4
|
-
require 'google/
|
5
|
-
|
4
|
+
require 'google/api/field_behavior_pb'
|
6
5
|
require 'google/protobuf/timestamp_pb'
|
7
6
|
require 'grafeas/v1/common_pb'
|
8
7
|
require 'grafeas/v1/cvss_pb'
|
9
8
|
require 'grafeas/v1/package_pb'
|
9
|
+
require 'google/protobuf'
|
10
|
+
|
10
11
|
Google::Protobuf::DescriptorPool.generated_pool.build do
|
11
12
|
add_file("grafeas/v1/vulnerability.proto", :syntax => :proto3) do
|
12
13
|
add_message "grafeas.v1.VulnerabilityNote" do
|
@@ -30,6 +31,8 @@ Google::Protobuf::DescriptorPool.generated_pool.build do
|
|
30
31
|
optional :fixed_version, :message, 10, "grafeas.v1.Version"
|
31
32
|
optional :is_obsolete, :bool, 11
|
32
33
|
optional :source_update_time, :message, 12, "google.protobuf.Timestamp"
|
34
|
+
optional :source, :string, 13
|
35
|
+
optional :vendor, :string, 14
|
33
36
|
end
|
34
37
|
add_message "grafeas.v1.VulnerabilityNote.WindowsDetail" do
|
35
38
|
optional :cpe_uri, :string, 1
|
@@ -45,6 +48,7 @@ Google::Protobuf::DescriptorPool.generated_pool.build do
|
|
45
48
|
optional :type, :string, 1
|
46
49
|
optional :severity, :enum, 2, "grafeas.v1.Severity"
|
47
50
|
optional :cvss_score, :float, 3
|
51
|
+
optional :cvssv3, :message, 10, "grafeas.v1.VulnerabilityOccurrence.CVSSV3"
|
48
52
|
repeated :package_issue, :message, 4, "grafeas.v1.VulnerabilityOccurrence.PackageIssue"
|
49
53
|
optional :short_description, :string, 5
|
50
54
|
optional :long_description, :string, 6
|
@@ -52,6 +56,10 @@ Google::Protobuf::DescriptorPool.generated_pool.build do
|
|
52
56
|
optional :effective_severity, :enum, 8, "grafeas.v1.Severity"
|
53
57
|
optional :fix_available, :bool, 9
|
54
58
|
end
|
59
|
+
add_message "grafeas.v1.VulnerabilityOccurrence.CVSSV3" do
|
60
|
+
optional :base_score, :float, 1
|
61
|
+
optional :severity, :enum, 2, "grafeas.v1.Severity"
|
62
|
+
end
|
55
63
|
add_message "grafeas.v1.VulnerabilityOccurrence.PackageIssue" do
|
56
64
|
optional :affected_cpe_uri, :string, 1
|
57
65
|
optional :affected_package, :string, 2
|
@@ -60,6 +68,8 @@ Google::Protobuf::DescriptorPool.generated_pool.build do
|
|
60
68
|
optional :fixed_package, :string, 5
|
61
69
|
optional :fixed_version, :message, 6, "grafeas.v1.Version"
|
62
70
|
optional :fix_available, :bool, 7
|
71
|
+
optional :package_type, :string, 8
|
72
|
+
optional :effective_severity, :enum, 9, "grafeas.v1.Severity"
|
63
73
|
end
|
64
74
|
add_enum "grafeas.v1.Severity" do
|
65
75
|
value :SEVERITY_UNSPECIFIED, 0
|
@@ -79,6 +89,7 @@ module Grafeas
|
|
79
89
|
VulnerabilityNote::WindowsDetail = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("grafeas.v1.VulnerabilityNote.WindowsDetail").msgclass
|
80
90
|
VulnerabilityNote::WindowsDetail::KnowledgeBase = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("grafeas.v1.VulnerabilityNote.WindowsDetail.KnowledgeBase").msgclass
|
81
91
|
VulnerabilityOccurrence = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("grafeas.v1.VulnerabilityOccurrence").msgclass
|
92
|
+
VulnerabilityOccurrence::CVSSV3 = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("grafeas.v1.VulnerabilityOccurrence.CVSSV3").msgclass
|
82
93
|
VulnerabilityOccurrence::PackageIssue = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("grafeas.v1.VulnerabilityOccurrence.PackageIssue").msgclass
|
83
94
|
Severity = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("grafeas.v1.Severity").enummodule
|
84
95
|
end
|
@@ -51,6 +51,16 @@ module Grafeas
|
|
51
51
|
end
|
52
52
|
end
|
53
53
|
|
54
|
+
# @!attribute [rw] compact_jwt
|
55
|
+
# @return [::String]
|
56
|
+
# The compact encoding of a JWS, which is always three base64 encoded strings
|
57
|
+
# joined by periods. For details, see:
|
58
|
+
# https://tools.ietf.org/html/rfc7515.html#section-3.1
|
59
|
+
class Jwt
|
60
|
+
include ::Google::Protobuf::MessageExts
|
61
|
+
extend ::Google::Protobuf::MessageExts::ClassMethods
|
62
|
+
end
|
63
|
+
|
54
64
|
# Occurrence that represents a single "attestation". The authenticity of an
|
55
65
|
# attestation can be verified using the attached signature. If the verifier
|
56
66
|
# trusts the public key of the signer, then verifying the signature is
|
@@ -69,6 +79,17 @@ module Grafeas
|
|
69
79
|
# should consider this attestation message verified if at least one
|
70
80
|
# `signature` verifies `serialized_payload`. See `Signature` in common.proto
|
71
81
|
# for more details on signature structure and verification.
|
82
|
+
# @!attribute [rw] jwts
|
83
|
+
# @return [::Array<::Grafeas::V1::Jwt>]
|
84
|
+
# One or more JWTs encoding a self-contained attestation.
|
85
|
+
# Each JWT encodes the payload that it verifies within the JWT itself.
|
86
|
+
# Verifier implementation SHOULD ignore the `serialized_payload` field
|
87
|
+
# when verifying these JWTs.
|
88
|
+
# If only JWTs are present on this AttestationOccurrence, then the
|
89
|
+
# `serialized_payload` SHOULD be left empty.
|
90
|
+
# Each JWT SHOULD encode a claim specific to the `resource_uri` of this
|
91
|
+
# Occurrence, but this is not validated by Grafeas metadata API
|
92
|
+
# implementations. The JWT itself is opaque to Grafeas.
|
72
93
|
class AttestationOccurrence
|
73
94
|
include ::Google::Protobuf::MessageExts
|
74
95
|
extend ::Google::Protobuf::MessageExts::ClassMethods
|
@@ -32,7 +32,7 @@ module Grafeas
|
|
32
32
|
# Details of a build occurrence.
|
33
33
|
# @!attribute [rw] provenance
|
34
34
|
# @return [::Grafeas::V1::BuildProvenance]
|
35
|
-
#
|
35
|
+
# The actual provenance for the build.
|
36
36
|
# @!attribute [rw] provenance_bytes
|
37
37
|
# @return [::String]
|
38
38
|
# Serialized JSON representation of the provenance, used in generating the
|
@@ -46,6 +46,16 @@ module Grafeas
|
|
46
46
|
# The serialized form is captured both to avoid ambiguity in how the
|
47
47
|
# provenance is marshalled to json as well to prevent incompatibilities with
|
48
48
|
# future changes.
|
49
|
+
# @!attribute [rw] intoto_provenance
|
50
|
+
# @return [::Grafeas::V1::InTotoProvenance]
|
51
|
+
# Deprecated. See InTotoStatement for the replacement.
|
52
|
+
# In-toto Provenance representation as defined in spec.
|
53
|
+
# @!attribute [rw] intoto_statement
|
54
|
+
# @return [::Grafeas::V1::InTotoStatement]
|
55
|
+
# In-toto Statement representation as defined in spec.
|
56
|
+
# The intoto_statement can contain any type of provenance. The serialized
|
57
|
+
# payload of the statement can be stored and signed in the Occurrence's
|
58
|
+
# envelope.
|
49
59
|
class BuildOccurrence
|
50
60
|
include ::Google::Protobuf::MessageExts
|
51
61
|
extend ::Google::Protobuf::MessageExts::ClassMethods
|
@@ -65,7 +65,7 @@ module Grafeas
|
|
65
65
|
# @return [::String]
|
66
66
|
# The identifier for the public key that verifies this signature.
|
67
67
|
# * The `public_key_id` is required.
|
68
|
-
# * The `public_key_id`
|
68
|
+
# * The `public_key_id` SHOULD be an RFC3986 conformant URI.
|
69
69
|
# * When possible, the `public_key_id` SHOULD be an immutable reference,
|
70
70
|
# such as a cryptographic digest.
|
71
71
|
#
|
@@ -85,9 +85,32 @@ module Grafeas
|
|
85
85
|
extend ::Google::Protobuf::MessageExts::ClassMethods
|
86
86
|
end
|
87
87
|
|
88
|
+
# MUST match
|
89
|
+
# https://github.com/secure-systems-lab/dsse/blob/master/envelope.proto. An
|
90
|
+
# authenticated message of arbitrary type.
|
91
|
+
# @!attribute [rw] payload
|
92
|
+
# @return [::String]
|
93
|
+
# @!attribute [rw] payload_type
|
94
|
+
# @return [::String]
|
95
|
+
# @!attribute [rw] signatures
|
96
|
+
# @return [::Array<::Grafeas::V1::EnvelopeSignature>]
|
97
|
+
class Envelope
|
98
|
+
include ::Google::Protobuf::MessageExts
|
99
|
+
extend ::Google::Protobuf::MessageExts::ClassMethods
|
100
|
+
end
|
101
|
+
|
102
|
+
# @!attribute [rw] sig
|
103
|
+
# @return [::String]
|
104
|
+
# @!attribute [rw] keyid
|
105
|
+
# @return [::String]
|
106
|
+
class EnvelopeSignature
|
107
|
+
include ::Google::Protobuf::MessageExts
|
108
|
+
extend ::Google::Protobuf::MessageExts::ClassMethods
|
109
|
+
end
|
110
|
+
|
88
111
|
# Kind represents the kinds of notes supported.
|
89
112
|
module NoteKind
|
90
|
-
#
|
113
|
+
# Default value. This value is unused.
|
91
114
|
NOTE_KIND_UNSPECIFIED = 0
|
92
115
|
|
93
116
|
# The note and occurrence represent a package vulnerability.
|
@@ -113,6 +136,12 @@ module Grafeas
|
|
113
136
|
|
114
137
|
# This represents an available package upgrade.
|
115
138
|
UPGRADE = 8
|
139
|
+
|
140
|
+
# This represents a Compliance Note
|
141
|
+
COMPLIANCE = 9
|
142
|
+
|
143
|
+
# This represents a DSSE attestation Note
|
144
|
+
DSSE_ATTESTATION = 10
|
116
145
|
end
|
117
146
|
end
|
118
147
|
end
|
@@ -0,0 +1,98 @@
|
|
1
|
+
# frozen_string_literal: true
|
2
|
+
|
3
|
+
# Copyright 2021 Google LLC
|
4
|
+
#
|
5
|
+
# Licensed under the Apache License, Version 2.0 (the "License");
|
6
|
+
# you may not use this file except in compliance with the License.
|
7
|
+
# You may obtain a copy of the License at
|
8
|
+
#
|
9
|
+
# https://www.apache.org/licenses/LICENSE-2.0
|
10
|
+
#
|
11
|
+
# Unless required by applicable law or agreed to in writing, software
|
12
|
+
# distributed under the License is distributed on an "AS IS" BASIS,
|
13
|
+
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
14
|
+
# See the License for the specific language governing permissions and
|
15
|
+
# limitations under the License.
|
16
|
+
|
17
|
+
# Auto-generated by gapic-generator-ruby. DO NOT EDIT!
|
18
|
+
|
19
|
+
|
20
|
+
module Grafeas
|
21
|
+
module V1
|
22
|
+
# @!attribute [rw] title
|
23
|
+
# @return [::String]
|
24
|
+
# The title that identifies this compliance check.
|
25
|
+
# @!attribute [rw] description
|
26
|
+
# @return [::String]
|
27
|
+
# A description about this compliance check.
|
28
|
+
# @!attribute [rw] version
|
29
|
+
# @return [::Array<::Grafeas::V1::ComplianceVersion>]
|
30
|
+
# The OS and config versions the benchmark applies to.
|
31
|
+
# @!attribute [rw] rationale
|
32
|
+
# @return [::String]
|
33
|
+
# A rationale for the existence of this compliance check.
|
34
|
+
# @!attribute [rw] remediation
|
35
|
+
# @return [::String]
|
36
|
+
# A description of remediation steps if the compliance check fails.
|
37
|
+
# @!attribute [rw] cis_benchmark
|
38
|
+
# @return [::Grafeas::V1::ComplianceNote::CisBenchmark]
|
39
|
+
# @!attribute [rw] scan_instructions
|
40
|
+
# @return [::String]
|
41
|
+
# Serialized scan instructions with a predefined format.
|
42
|
+
class ComplianceNote
|
43
|
+
include ::Google::Protobuf::MessageExts
|
44
|
+
extend ::Google::Protobuf::MessageExts::ClassMethods
|
45
|
+
|
46
|
+
# A compliance check that is a CIS benchmark.
|
47
|
+
# @!attribute [rw] profile_level
|
48
|
+
# @return [::Integer]
|
49
|
+
# @!attribute [rw] severity
|
50
|
+
# @return [::Grafeas::V1::Severity]
|
51
|
+
class CisBenchmark
|
52
|
+
include ::Google::Protobuf::MessageExts
|
53
|
+
extend ::Google::Protobuf::MessageExts::ClassMethods
|
54
|
+
end
|
55
|
+
end
|
56
|
+
|
57
|
+
# Describes the CIS benchmark version that is applicable to a given OS and
|
58
|
+
# os version.
|
59
|
+
# @!attribute [rw] cpe_uri
|
60
|
+
# @return [::String]
|
61
|
+
# The CPE URI (https://cpe.mitre.org/specification/) this benchmark is
|
62
|
+
# applicable to.
|
63
|
+
# @!attribute [rw] version
|
64
|
+
# @return [::String]
|
65
|
+
# The version of the benchmark. This is set to the version of the OS-specific
|
66
|
+
# CIS document the benchmark is defined in.
|
67
|
+
class ComplianceVersion
|
68
|
+
include ::Google::Protobuf::MessageExts
|
69
|
+
extend ::Google::Protobuf::MessageExts::ClassMethods
|
70
|
+
end
|
71
|
+
|
72
|
+
# An indication that the compliance checks in the associated ComplianceNote
|
73
|
+
# were not satisfied for particular resources or a specified reason.
|
74
|
+
# @!attribute [rw] non_compliant_files
|
75
|
+
# @return [::Array<::Grafeas::V1::NonCompliantFile>]
|
76
|
+
# @!attribute [rw] non_compliance_reason
|
77
|
+
# @return [::String]
|
78
|
+
class ComplianceOccurrence
|
79
|
+
include ::Google::Protobuf::MessageExts
|
80
|
+
extend ::Google::Protobuf::MessageExts::ClassMethods
|
81
|
+
end
|
82
|
+
|
83
|
+
# Details about files that caused a compliance check to fail.
|
84
|
+
# @!attribute [rw] path
|
85
|
+
# @return [::String]
|
86
|
+
# Empty if `display_command` is set.
|
87
|
+
# @!attribute [rw] display_command
|
88
|
+
# @return [::String]
|
89
|
+
# Command to display the non-compliant files.
|
90
|
+
# @!attribute [rw] reason
|
91
|
+
# @return [::String]
|
92
|
+
# Explains why a file is non compliant for a CIS check.
|
93
|
+
class NonCompliantFile
|
94
|
+
include ::Google::Protobuf::MessageExts
|
95
|
+
extend ::Google::Protobuf::MessageExts::ClassMethods
|
96
|
+
end
|
97
|
+
end
|
98
|
+
end
|
@@ -0,0 +1,59 @@
|
|
1
|
+
# frozen_string_literal: true
|
2
|
+
|
3
|
+
# Copyright 2021 Google LLC
|
4
|
+
#
|
5
|
+
# Licensed under the Apache License, Version 2.0 (the "License");
|
6
|
+
# you may not use this file except in compliance with the License.
|
7
|
+
# You may obtain a copy of the License at
|
8
|
+
#
|
9
|
+
# https://www.apache.org/licenses/LICENSE-2.0
|
10
|
+
#
|
11
|
+
# Unless required by applicable law or agreed to in writing, software
|
12
|
+
# distributed under the License is distributed on an "AS IS" BASIS,
|
13
|
+
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
14
|
+
# See the License for the specific language governing permissions and
|
15
|
+
# limitations under the License.
|
16
|
+
|
17
|
+
# Auto-generated by gapic-generator-ruby. DO NOT EDIT!
|
18
|
+
|
19
|
+
|
20
|
+
module Grafeas
|
21
|
+
module V1
|
22
|
+
# @!attribute [rw] hint
|
23
|
+
# @return [::Grafeas::V1::DSSEAttestationNote::DSSEHint]
|
24
|
+
# DSSEHint hints at the purpose of the attestation authority.
|
25
|
+
class DSSEAttestationNote
|
26
|
+
include ::Google::Protobuf::MessageExts
|
27
|
+
extend ::Google::Protobuf::MessageExts::ClassMethods
|
28
|
+
|
29
|
+
# This submessage provides human-readable hints about the purpose of the
|
30
|
+
# authority. Because the name of a note acts as its resource reference, it is
|
31
|
+
# important to disambiguate the canonical name of the Note (which might be a
|
32
|
+
# UUID for security purposes) from "readable" names more suitable for debug
|
33
|
+
# output. Note that these hints should not be used to look up authorities in
|
34
|
+
# security sensitive contexts, such as when looking up attestations to
|
35
|
+
# verify.
|
36
|
+
# @!attribute [rw] human_readable_name
|
37
|
+
# @return [::String]
|
38
|
+
# Required. The human readable name of this attestation authority, for
|
39
|
+
# example "cloudbuild-prod".
|
40
|
+
class DSSEHint
|
41
|
+
include ::Google::Protobuf::MessageExts
|
42
|
+
extend ::Google::Protobuf::MessageExts::ClassMethods
|
43
|
+
end
|
44
|
+
end
|
45
|
+
|
46
|
+
# Deprecated. Prefer to use a regular Occurrence, and populate the
|
47
|
+
# Envelope at the top level of the Occurrence.
|
48
|
+
# @!attribute [rw] envelope
|
49
|
+
# @return [::Grafeas::V1::Envelope]
|
50
|
+
# If doing something security critical, make sure to verify the signatures in
|
51
|
+
# this metadata.
|
52
|
+
# @!attribute [rw] statement
|
53
|
+
# @return [::Grafeas::V1::InTotoStatement]
|
54
|
+
class DSSEAttestationOccurrence
|
55
|
+
include ::Google::Protobuf::MessageExts
|
56
|
+
extend ::Google::Protobuf::MessageExts::ClassMethods
|
57
|
+
end
|
58
|
+
end
|
59
|
+
end
|
@@ -72,6 +72,15 @@ module Grafeas
|
|
72
72
|
# @!attribute [rw] upgrade
|
73
73
|
# @return [::Grafeas::V1::UpgradeOccurrence]
|
74
74
|
# Describes an available package upgrade on the linked resource.
|
75
|
+
# @!attribute [rw] compliance
|
76
|
+
# @return [::Grafeas::V1::ComplianceOccurrence]
|
77
|
+
# Describes a compliance violation on a linked resource.
|
78
|
+
# @!attribute [rw] dsse_attestation
|
79
|
+
# @return [::Grafeas::V1::DSSEAttestationOccurrence]
|
80
|
+
# Describes an attestation of an artifact using dsse.
|
81
|
+
# @!attribute [rw] envelope
|
82
|
+
# @return [::Grafeas::V1::Envelope]
|
83
|
+
# https://github.com/secure-systems-lab/dsse
|
75
84
|
class Occurrence
|
76
85
|
include ::Google::Protobuf::MessageExts
|
77
86
|
extend ::Google::Protobuf::MessageExts::ClassMethods
|
@@ -133,6 +142,12 @@ module Grafeas
|
|
133
142
|
# @!attribute [rw] upgrade
|
134
143
|
# @return [::Grafeas::V1::UpgradeNote]
|
135
144
|
# A note describing available package upgrades.
|
145
|
+
# @!attribute [rw] compliance
|
146
|
+
# @return [::Grafeas::V1::ComplianceNote]
|
147
|
+
# A note describing a compliance check.
|
148
|
+
# @!attribute [rw] dsse_attestation
|
149
|
+
# @return [::Grafeas::V1::DSSEAttestationNote]
|
150
|
+
# A note describing a dsse attestation note.
|
136
151
|
class Note
|
137
152
|
include ::Google::Protobuf::MessageExts
|
138
153
|
extend ::Google::Protobuf::MessageExts::ClassMethods
|
@@ -0,0 +1,134 @@
|
|
1
|
+
# frozen_string_literal: true
|
2
|
+
|
3
|
+
# Copyright 2021 Google LLC
|
4
|
+
#
|
5
|
+
# Licensed under the Apache License, Version 2.0 (the "License");
|
6
|
+
# you may not use this file except in compliance with the License.
|
7
|
+
# You may obtain a copy of the License at
|
8
|
+
#
|
9
|
+
# https://www.apache.org/licenses/LICENSE-2.0
|
10
|
+
#
|
11
|
+
# Unless required by applicable law or agreed to in writing, software
|
12
|
+
# distributed under the License is distributed on an "AS IS" BASIS,
|
13
|
+
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
14
|
+
# See the License for the specific language governing permissions and
|
15
|
+
# limitations under the License.
|
16
|
+
|
17
|
+
# Auto-generated by gapic-generator-ruby. DO NOT EDIT!
|
18
|
+
|
19
|
+
|
20
|
+
module Grafeas
|
21
|
+
module V1
|
22
|
+
# Steps taken to build the artifact.
|
23
|
+
# For a TaskRun, typically each container corresponds to one step in the
|
24
|
+
# recipe.
|
25
|
+
# @!attribute [rw] type
|
26
|
+
# @return [::String]
|
27
|
+
# URI indicating what type of recipe was performed. It determines the meaning
|
28
|
+
# of recipe.entryPoint, recipe.arguments, recipe.environment, and materials.
|
29
|
+
# @!attribute [rw] defined_in_material
|
30
|
+
# @return [::Integer]
|
31
|
+
# Index in materials containing the recipe steps that are not implied by
|
32
|
+
# recipe.type. For example, if the recipe type were "make", then this would
|
33
|
+
# point to the source containing the Makefile, not the make program itself.
|
34
|
+
# Set to -1 if the recipe doesn't come from a material, as zero is default
|
35
|
+
# unset value for int64.
|
36
|
+
# @!attribute [rw] entry_point
|
37
|
+
# @return [::String]
|
38
|
+
# String identifying the entry point into the build.
|
39
|
+
# This is often a path to a configuration file and/or a target label within
|
40
|
+
# that file. The syntax and meaning are defined by recipe.type. For example,
|
41
|
+
# if the recipe type were "make", then this would reference the directory in
|
42
|
+
# which to run make as well as which target to use.
|
43
|
+
# @!attribute [rw] arguments
|
44
|
+
# @return [::Array<::Google::Protobuf::Any>]
|
45
|
+
# Collection of all external inputs that influenced the build on top of
|
46
|
+
# recipe.definedInMaterial and recipe.entryPoint. For example, if the recipe
|
47
|
+
# type were "make", then this might be the flags passed to make aside from
|
48
|
+
# the target, which is captured in recipe.entryPoint. Since the arguments
|
49
|
+
# field can greatly vary in structure, depending on the builder and recipe
|
50
|
+
# type, this is of form "Any".
|
51
|
+
# @!attribute [rw] environment
|
52
|
+
# @return [::Array<::Google::Protobuf::Any>]
|
53
|
+
# Any other builder-controlled inputs necessary for correctly evaluating the
|
54
|
+
# recipe. Usually only needed for reproducing the build but not evaluated as
|
55
|
+
# part of policy. Since the environment field can greatly vary in structure,
|
56
|
+
# depending on the builder and recipe type, this is of form "Any".
|
57
|
+
class Recipe
|
58
|
+
include ::Google::Protobuf::MessageExts
|
59
|
+
extend ::Google::Protobuf::MessageExts::ClassMethods
|
60
|
+
end
|
61
|
+
|
62
|
+
# Indicates that the builder claims certain fields in this message to be
|
63
|
+
# complete.
|
64
|
+
# @!attribute [rw] arguments
|
65
|
+
# @return [::Boolean]
|
66
|
+
# If true, the builder claims that recipe.arguments is complete, meaning that
|
67
|
+
# all external inputs are properly captured in the recipe.
|
68
|
+
# @!attribute [rw] environment
|
69
|
+
# @return [::Boolean]
|
70
|
+
# If true, the builder claims that recipe.environment is claimed to be
|
71
|
+
# complete.
|
72
|
+
# @!attribute [rw] materials
|
73
|
+
# @return [::Boolean]
|
74
|
+
# If true, the builder claims that materials are complete, usually through
|
75
|
+
# some controls to prevent network access. Sometimes called "hermetic".
|
76
|
+
class Completeness
|
77
|
+
include ::Google::Protobuf::MessageExts
|
78
|
+
extend ::Google::Protobuf::MessageExts::ClassMethods
|
79
|
+
end
|
80
|
+
|
81
|
+
# Other properties of the build.
|
82
|
+
# @!attribute [rw] build_invocation_id
|
83
|
+
# @return [::String]
|
84
|
+
# Identifies the particular build invocation, which can be useful for finding
|
85
|
+
# associated logs or other ad-hoc analysis. The value SHOULD be globally
|
86
|
+
# unique, per in-toto Provenance spec.
|
87
|
+
# @!attribute [rw] build_started_on
|
88
|
+
# @return [::Google::Protobuf::Timestamp]
|
89
|
+
# The timestamp of when the build started.
|
90
|
+
# @!attribute [rw] build_finished_on
|
91
|
+
# @return [::Google::Protobuf::Timestamp]
|
92
|
+
# The timestamp of when the build completed.
|
93
|
+
# @!attribute [rw] completeness
|
94
|
+
# @return [::Grafeas::V1::Completeness]
|
95
|
+
# Indicates that the builder claims certain fields in this message to be
|
96
|
+
# complete.
|
97
|
+
# @!attribute [rw] reproducible
|
98
|
+
# @return [::Boolean]
|
99
|
+
# If true, the builder claims that running the recipe on materials will
|
100
|
+
# produce bit-for-bit identical output.
|
101
|
+
class Metadata
|
102
|
+
include ::Google::Protobuf::MessageExts
|
103
|
+
extend ::Google::Protobuf::MessageExts::ClassMethods
|
104
|
+
end
|
105
|
+
|
106
|
+
# @!attribute [rw] id
|
107
|
+
# @return [::String]
|
108
|
+
class BuilderConfig
|
109
|
+
include ::Google::Protobuf::MessageExts
|
110
|
+
extend ::Google::Protobuf::MessageExts::ClassMethods
|
111
|
+
end
|
112
|
+
|
113
|
+
# @!attribute [rw] builder_config
|
114
|
+
# @return [::Grafeas::V1::BuilderConfig]
|
115
|
+
# @!attribute [rw] recipe
|
116
|
+
# @return [::Grafeas::V1::Recipe]
|
117
|
+
# Identifies the configuration used for the build.
|
118
|
+
# When combined with materials, this SHOULD fully describe the build,
|
119
|
+
# such that re-running this recipe results in bit-for-bit identical output
|
120
|
+
# (if the build is reproducible).
|
121
|
+
# @!attribute [rw] metadata
|
122
|
+
# @return [::Grafeas::V1::Metadata]
|
123
|
+
# @!attribute [rw] materials
|
124
|
+
# @return [::Array<::String>]
|
125
|
+
# The collection of artifacts that influenced the build including sources,
|
126
|
+
# dependencies, build tools, base images, and so on. This is considered to be
|
127
|
+
# incomplete unless metadata.completeness.materials is true. Unset or null is
|
128
|
+
# equivalent to empty.
|
129
|
+
class InTotoProvenance
|
130
|
+
include ::Google::Protobuf::MessageExts
|
131
|
+
extend ::Google::Protobuf::MessageExts::ClassMethods
|
132
|
+
end
|
133
|
+
end
|
134
|
+
end
|
@@ -0,0 +1,65 @@
|
|
1
|
+
# frozen_string_literal: true
|
2
|
+
|
3
|
+
# Copyright 2021 Google LLC
|
4
|
+
#
|
5
|
+
# Licensed under the Apache License, Version 2.0 (the "License");
|
6
|
+
# you may not use this file except in compliance with the License.
|
7
|
+
# You may obtain a copy of the License at
|
8
|
+
#
|
9
|
+
# https://www.apache.org/licenses/LICENSE-2.0
|
10
|
+
#
|
11
|
+
# Unless required by applicable law or agreed to in writing, software
|
12
|
+
# distributed under the License is distributed on an "AS IS" BASIS,
|
13
|
+
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
14
|
+
# See the License for the specific language governing permissions and
|
15
|
+
# limitations under the License.
|
16
|
+
|
17
|
+
# Auto-generated by gapic-generator-ruby. DO NOT EDIT!
|
18
|
+
|
19
|
+
|
20
|
+
module Grafeas
|
21
|
+
module V1
|
22
|
+
# Spec defined at
|
23
|
+
# https://github.com/in-toto/attestation/tree/main/spec#statement The
|
24
|
+
# serialized InTotoStatement will be stored as Envelope.payload.
|
25
|
+
# Envelope.payloadType is always "application/vnd.in-toto+json".
|
26
|
+
# @!attribute [rw] type
|
27
|
+
# @return [::String]
|
28
|
+
# Always `https://in-toto.io/Statement/v0.1`.
|
29
|
+
# @!attribute [rw] subject
|
30
|
+
# @return [::Array<::Grafeas::V1::Subject>]
|
31
|
+
# @!attribute [rw] predicate_type
|
32
|
+
# @return [::String]
|
33
|
+
# `https://slsa.dev/provenance/v0.1` for SlsaProvenance.
|
34
|
+
# @!attribute [rw] provenance
|
35
|
+
# @return [::Grafeas::V1::InTotoProvenance]
|
36
|
+
# @!attribute [rw] slsa_provenance
|
37
|
+
# @return [::Grafeas::V1::SlsaProvenance]
|
38
|
+
class InTotoStatement
|
39
|
+
include ::Google::Protobuf::MessageExts
|
40
|
+
extend ::Google::Protobuf::MessageExts::ClassMethods
|
41
|
+
end
|
42
|
+
|
43
|
+
# @!attribute [rw] name
|
44
|
+
# @return [::String]
|
45
|
+
# @!attribute [rw] digest
|
46
|
+
# @return [::Google::Protobuf::Map{::String => ::String}]
|
47
|
+
# `"<ALGORITHM>": "<HEX_VALUE>"`
|
48
|
+
# Algorithms can be e.g. sha256, sha512
|
49
|
+
# See
|
50
|
+
# https://github.com/in-toto/attestation/blob/main/spec/field_types.md#DigestSet
|
51
|
+
class Subject
|
52
|
+
include ::Google::Protobuf::MessageExts
|
53
|
+
extend ::Google::Protobuf::MessageExts::ClassMethods
|
54
|
+
|
55
|
+
# @!attribute [rw] key
|
56
|
+
# @return [::String]
|
57
|
+
# @!attribute [rw] value
|
58
|
+
# @return [::String]
|
59
|
+
class DigestEntry
|
60
|
+
include ::Google::Protobuf::MessageExts
|
61
|
+
extend ::Google::Protobuf::MessageExts::ClassMethods
|
62
|
+
end
|
63
|
+
end
|
64
|
+
end
|
65
|
+
end
|
@@ -101,6 +101,14 @@ module Grafeas
|
|
101
101
|
# @!attribute [rw] revision
|
102
102
|
# @return [::String]
|
103
103
|
# The iteration of the package build from the above version.
|
104
|
+
# @!attribute [rw] inclusive
|
105
|
+
# @return [::Boolean]
|
106
|
+
# Whether this version is specifying part of an inclusive range. Grafeas
|
107
|
+
# does not have the capability to specify version ranges; instead we have
|
108
|
+
# fields that specify start version and end versions. At times this is
|
109
|
+
# insufficient - we also need to specify whether the version is included in
|
110
|
+
# the range or is excluded from the range. This boolean is expected to be set
|
111
|
+
# to true when the version is included in a range.
|
104
112
|
# @!attribute [rw] kind
|
105
113
|
# @return [::Grafeas::V1::Version::VersionKind]
|
106
114
|
# Required. Distinguishes between sentinel MIN/MAX versions and normal
|