grafeas-v1 0.2.2 → 0.3.0
- checksums.yaml +4 -4
- data/lib/grafeas/v1/attestation_pb.rb +6 -1
- data/lib/grafeas/v1/build_pb.rb +5 -1
- data/lib/grafeas/v1/common_pb.rb +13 -0
- data/lib/grafeas/v1/compliance_pb.rb +48 -0
- data/lib/grafeas/v1/deployment_pb.rb +1 -1
- data/lib/grafeas/v1/discovery_pb.rb +2 -2
- data/lib/grafeas/v1/dsse_attestation_pb.rb +31 -0
- data/lib/grafeas/v1/grafeas/client.rb +298 -42
- data/lib/grafeas/v1/grafeas_pb.rb +9 -2
- data/lib/grafeas/v1/grafeas_services_pb.rb +1 -1
- data/lib/grafeas/v1/intoto_provenance_pb.rb +49 -0
- data/lib/grafeas/v1/intoto_statement_pb.rb +31 -0
- data/lib/grafeas/v1/package_pb.rb +1 -0
- data/lib/grafeas/v1/provenance_pb.rb +1 -1
- data/lib/grafeas/v1/slsa_provenance_pb.rb +54 -0
- data/lib/grafeas/v1/upgrade_pb.rb +2 -2
- data/lib/grafeas/v1/version.rb +1 -1
- data/lib/grafeas/v1/vulnerability_pb.rb +13 -2
- data/proto_docs/grafeas/v1/attestation.rb +21 -0
- data/proto_docs/grafeas/v1/build.rb +11 -1
- data/proto_docs/grafeas/v1/common.rb +31 -2
- data/proto_docs/grafeas/v1/compliance.rb +98 -0
- data/proto_docs/grafeas/v1/dsse_attestation.rb +59 -0
- data/proto_docs/grafeas/v1/grafeas.rb +15 -0
- data/proto_docs/grafeas/v1/intoto_provenance.rb +134 -0
- data/proto_docs/grafeas/v1/intoto_statement.rb +65 -0
- data/proto_docs/grafeas/v1/package.rb +8 -0
- data/proto_docs/grafeas/v1/slsa_provenance.rb +152 -0
- data/proto_docs/grafeas/v1/vulnerability.rb +38 -0
- metadata +12 -2
@@ -1,9 +1,9 @@
|
|
1
1
|
# Generated by the protocol buffer compiler. DO NOT EDIT!
|
2
2
|
# source: grafeas/v1/provenance.proto
|
3
3
|
|
4
|
+
require 'google/protobuf/timestamp_pb'
|
4
5
|
require 'google/protobuf'
|
5
6
|
|
6
|
-
require 'google/protobuf/timestamp_pb'
|
7
7
|
Google::Protobuf::DescriptorPool.generated_pool.build do
|
8
8
|
add_file("grafeas/v1/provenance.proto", :syntax => :proto3) do
|
9
9
|
add_message "grafeas.v1.BuildProvenance" do
|
@@ -0,0 +1,54 @@
|
|
1
|
+
# Generated by the protocol buffer compiler. DO NOT EDIT!
|
2
|
+
# source: grafeas/v1/slsa_provenance.proto
|
3
|
+
|
4
|
+
require 'google/protobuf/any_pb'
|
5
|
+
require 'google/protobuf/timestamp_pb'
|
6
|
+
require 'google/protobuf'
|
7
|
+
|
8
|
+
Google::Protobuf::DescriptorPool.generated_pool.build do
|
9
|
+
add_file("grafeas/v1/slsa_provenance.proto", :syntax => :proto3) do
|
10
|
+
add_message "grafeas.v1.SlsaProvenance" do
|
11
|
+
optional :builder, :message, 1, "grafeas.v1.SlsaProvenance.SlsaBuilder"
|
12
|
+
optional :recipe, :message, 2, "grafeas.v1.SlsaProvenance.SlsaRecipe"
|
13
|
+
optional :metadata, :message, 3, "grafeas.v1.SlsaProvenance.SlsaMetadata"
|
14
|
+
repeated :materials, :message, 4, "grafeas.v1.SlsaProvenance.Material"
|
15
|
+
end
|
16
|
+
add_message "grafeas.v1.SlsaProvenance.SlsaRecipe" do
|
17
|
+
optional :type, :string, 1
|
18
|
+
optional :defined_in_material, :int64, 2
|
19
|
+
optional :entry_point, :string, 3
|
20
|
+
optional :arguments, :message, 4, "google.protobuf.Any"
|
21
|
+
optional :environment, :message, 5, "google.protobuf.Any"
|
22
|
+
end
|
23
|
+
add_message "grafeas.v1.SlsaProvenance.SlsaCompleteness" do
|
24
|
+
optional :arguments, :bool, 1
|
25
|
+
optional :environment, :bool, 2
|
26
|
+
optional :materials, :bool, 3
|
27
|
+
end
|
28
|
+
add_message "grafeas.v1.SlsaProvenance.SlsaMetadata" do
|
29
|
+
optional :build_invocation_id, :string, 1
|
30
|
+
optional :build_started_on, :message, 2, "google.protobuf.Timestamp"
|
31
|
+
optional :build_finished_on, :message, 3, "google.protobuf.Timestamp"
|
32
|
+
optional :completeness, :message, 4, "grafeas.v1.SlsaProvenance.SlsaCompleteness"
|
33
|
+
optional :reproducible, :bool, 5
|
34
|
+
end
|
35
|
+
add_message "grafeas.v1.SlsaProvenance.SlsaBuilder" do
|
36
|
+
optional :id, :string, 1
|
37
|
+
end
|
38
|
+
add_message "grafeas.v1.SlsaProvenance.Material" do
|
39
|
+
optional :uri, :string, 1
|
40
|
+
map :digest, :string, :string, 2
|
41
|
+
end
|
42
|
+
end
|
43
|
+
end
|
44
|
+
|
45
|
+
module Grafeas
|
46
|
+
module V1
|
47
|
+
SlsaProvenance = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("grafeas.v1.SlsaProvenance").msgclass
|
48
|
+
SlsaProvenance::SlsaRecipe = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("grafeas.v1.SlsaProvenance.SlsaRecipe").msgclass
|
49
|
+
SlsaProvenance::SlsaCompleteness = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("grafeas.v1.SlsaProvenance.SlsaCompleteness").msgclass
|
50
|
+
SlsaProvenance::SlsaMetadata = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("grafeas.v1.SlsaProvenance.SlsaMetadata").msgclass
|
51
|
+
SlsaProvenance::SlsaBuilder = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("grafeas.v1.SlsaProvenance.SlsaBuilder").msgclass
|
52
|
+
SlsaProvenance::Material = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("grafeas.v1.SlsaProvenance.Material").msgclass
|
53
|
+
end
|
54
|
+
end
|
@@ -1,10 +1,10 @@
|
|
1
1
|
# Generated by the protocol buffer compiler. DO NOT EDIT!
|
2
2
|
# source: grafeas/v1/upgrade.proto
|
3
3
|
|
4
|
-
require 'google/protobuf'
|
5
|
-
|
6
4
|
require 'google/protobuf/timestamp_pb'
|
7
5
|
require 'grafeas/v1/package_pb'
|
6
|
+
require 'google/protobuf'
|
7
|
+
|
8
8
|
Google::Protobuf::DescriptorPool.generated_pool.build do
|
9
9
|
add_file("grafeas/v1/upgrade.proto", :syntax => :proto3) do
|
10
10
|
add_message "grafeas.v1.UpgradeNote" do
|
data/lib/grafeas/v1/version.rb
CHANGED
@@ -1,12 +1,13 @@
|
|
1
1
|
# Generated by the protocol buffer compiler. DO NOT EDIT!
|
2
2
|
# source: grafeas/v1/vulnerability.proto
|
3
3
|
|
4
|
-
require 'google/
|
5
|
-
|
4
|
+
require 'google/api/field_behavior_pb'
|
6
5
|
require 'google/protobuf/timestamp_pb'
|
7
6
|
require 'grafeas/v1/common_pb'
|
8
7
|
require 'grafeas/v1/cvss_pb'
|
9
8
|
require 'grafeas/v1/package_pb'
|
9
|
+
require 'google/protobuf'
|
10
|
+
|
10
11
|
Google::Protobuf::DescriptorPool.generated_pool.build do
|
11
12
|
add_file("grafeas/v1/vulnerability.proto", :syntax => :proto3) do
|
12
13
|
add_message "grafeas.v1.VulnerabilityNote" do
|
@@ -30,6 +31,8 @@ Google::Protobuf::DescriptorPool.generated_pool.build do
|
|
30
31
|
optional :fixed_version, :message, 10, "grafeas.v1.Version"
|
31
32
|
optional :is_obsolete, :bool, 11
|
32
33
|
optional :source_update_time, :message, 12, "google.protobuf.Timestamp"
|
34
|
+
optional :source, :string, 13
|
35
|
+
optional :vendor, :string, 14
|
33
36
|
end
|
34
37
|
add_message "grafeas.v1.VulnerabilityNote.WindowsDetail" do
|
35
38
|
optional :cpe_uri, :string, 1
|
@@ -45,6 +48,7 @@ Google::Protobuf::DescriptorPool.generated_pool.build do
|
|
45
48
|
optional :type, :string, 1
|
46
49
|
optional :severity, :enum, 2, "grafeas.v1.Severity"
|
47
50
|
optional :cvss_score, :float, 3
|
51
|
+
optional :cvssv3, :message, 10, "grafeas.v1.VulnerabilityOccurrence.CVSSV3"
|
48
52
|
repeated :package_issue, :message, 4, "grafeas.v1.VulnerabilityOccurrence.PackageIssue"
|
49
53
|
optional :short_description, :string, 5
|
50
54
|
optional :long_description, :string, 6
|
@@ -52,6 +56,10 @@ Google::Protobuf::DescriptorPool.generated_pool.build do
|
|
52
56
|
optional :effective_severity, :enum, 8, "grafeas.v1.Severity"
|
53
57
|
optional :fix_available, :bool, 9
|
54
58
|
end
|
59
|
+
add_message "grafeas.v1.VulnerabilityOccurrence.CVSSV3" do
|
60
|
+
optional :base_score, :float, 1
|
61
|
+
optional :severity, :enum, 2, "grafeas.v1.Severity"
|
62
|
+
end
|
55
63
|
add_message "grafeas.v1.VulnerabilityOccurrence.PackageIssue" do
|
56
64
|
optional :affected_cpe_uri, :string, 1
|
57
65
|
optional :affected_package, :string, 2
|
@@ -60,6 +68,8 @@ Google::Protobuf::DescriptorPool.generated_pool.build do
|
|
60
68
|
optional :fixed_package, :string, 5
|
61
69
|
optional :fixed_version, :message, 6, "grafeas.v1.Version"
|
62
70
|
optional :fix_available, :bool, 7
|
71
|
+
optional :package_type, :string, 8
|
72
|
+
optional :effective_severity, :enum, 9, "grafeas.v1.Severity"
|
63
73
|
end
|
64
74
|
add_enum "grafeas.v1.Severity" do
|
65
75
|
value :SEVERITY_UNSPECIFIED, 0
|
@@ -79,6 +89,7 @@ module Grafeas
|
|
79
89
|
VulnerabilityNote::WindowsDetail = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("grafeas.v1.VulnerabilityNote.WindowsDetail").msgclass
|
80
90
|
VulnerabilityNote::WindowsDetail::KnowledgeBase = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("grafeas.v1.VulnerabilityNote.WindowsDetail.KnowledgeBase").msgclass
|
81
91
|
VulnerabilityOccurrence = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("grafeas.v1.VulnerabilityOccurrence").msgclass
|
92
|
+
VulnerabilityOccurrence::CVSSV3 = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("grafeas.v1.VulnerabilityOccurrence.CVSSV3").msgclass
|
82
93
|
VulnerabilityOccurrence::PackageIssue = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("grafeas.v1.VulnerabilityOccurrence.PackageIssue").msgclass
|
83
94
|
Severity = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("grafeas.v1.Severity").enummodule
|
84
95
|
end
|
@@ -51,6 +51,16 @@ module Grafeas
|
|
51
51
|
end
|
52
52
|
end
|
53
53
|
|
54
|
+
# @!attribute [rw] compact_jwt
|
55
|
+
# @return [::String]
|
56
|
+
# The compact encoding of a JWS, which is always three base64 encoded strings
|
57
|
+
# joined by periods. For details, see:
|
58
|
+
# https://tools.ietf.org/html/rfc7515.html#section-3.1
|
59
|
+
class Jwt
|
60
|
+
include ::Google::Protobuf::MessageExts
|
61
|
+
extend ::Google::Protobuf::MessageExts::ClassMethods
|
62
|
+
end
|
63
|
+
|
54
64
|
# Occurrence that represents a single "attestation". The authenticity of an
|
55
65
|
# attestation can be verified using the attached signature. If the verifier
|
56
66
|
# trusts the public key of the signer, then verifying the signature is
|
@@ -69,6 +79,17 @@ module Grafeas
|
|
69
79
|
# should consider this attestation message verified if at least one
|
70
80
|
# `signature` verifies `serialized_payload`. See `Signature` in common.proto
|
71
81
|
# for more details on signature structure and verification.
|
82
|
+
# @!attribute [rw] jwts
|
83
|
+
# @return [::Array<::Grafeas::V1::Jwt>]
|
84
|
+
# One or more JWTs encoding a self-contained attestation.
|
85
|
+
# Each JWT encodes the payload that it verifies within the JWT itself.
|
86
|
+
# Verifier implementation SHOULD ignore the `serialized_payload` field
|
87
|
+
# when verifying these JWTs.
|
88
|
+
# If only JWTs are present on this AttestationOccurrence, then the
|
89
|
+
# `serialized_payload` SHOULD be left empty.
|
90
|
+
# Each JWT SHOULD encode a claim specific to the `resource_uri` of this
|
91
|
+
# Occurrence, but this is not validated by Grafeas metadata API
|
92
|
+
# implementations. The JWT itself is opaque to Grafeas.
|
72
93
|
class AttestationOccurrence
|
73
94
|
include ::Google::Protobuf::MessageExts
|
74
95
|
extend ::Google::Protobuf::MessageExts::ClassMethods
|
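Review bot: The `jwts` documentation in the second hunk tells the verifier that the resource binding "is not validated by Grafeas" but never says what the verifier must check instead, and the `compact_jwt` description in the first hunk says "base64 encoded" where RFC 7515 §3.1 specifies base64url. Because the JWT is opaque to Grafeas, a verifier that only checks the signature can be handed a perfectly valid JWT minted for a different resource; the doc should state the binding explicitly: `# Verifiers MUST check that the JWT's claims name this Occurrence's resource_uri and MUST verify the JWS with a key they already trust, not one supplied by the token itself.` I would also change `three base64 encoded strings` to `three base64url-encoded segments` to match the cited RFC. This file is generated from attestation.proto, so both changes belong in the upstream proto comments.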
@@ -32,7 +32,7 @@ module Grafeas
|
|
32
32
|
# Details of a build occurrence.
|
33
33
|
# @!attribute [rw] provenance
|
34
34
|
# @return [::Grafeas::V1::BuildProvenance]
|
35
|
-
#
|
35
|
+
# The actual provenance for the build.
|
36
36
|
# @!attribute [rw] provenance_bytes
|
37
37
|
# @return [::String]
|
38
38
|
# Serialized JSON representation of the provenance, used in generating the
|
@@ -46,6 +46,16 @@ module Grafeas
|
|
46
46
|
# The serialized form is captured both to avoid ambiguity in how the
|
47
47
|
# provenance is marshalled to json as well to prevent incompatibilities with
|
48
48
|
# future changes.
|
49
|
+
# @!attribute [rw] intoto_provenance
|
50
|
+
# @return [::Grafeas::V1::InTotoProvenance]
|
51
|
+
# Deprecated. See InTotoStatement for the replacement.
|
52
|
+
# In-toto Provenance representation as defined in spec.
|
53
|
+
# @!attribute [rw] intoto_statement
|
54
|
+
# @return [::Grafeas::V1::InTotoStatement]
|
55
|
+
# In-toto Statement representation as defined in spec.
|
56
|
+
# The intoto_statement can contain any type of provenance. The serialized
|
57
|
+
# payload of the statement can be stored and signed in the Occurrence's
|
58
|
+
# envelope.
|
49
59
|
class BuildOccurrence
|
50
60
|
include ::Google::Protobuf::MessageExts
|
51
61
|
extend ::Google::Protobuf::MessageExts::ClassMethods
|
@@ -65,7 +65,7 @@ module Grafeas
|
|
65
65
|
# @return [::String]
|
66
66
|
# The identifier for the public key that verifies this signature.
|
67
67
|
# * The `public_key_id` is required.
|
68
|
-
# * The `public_key_id`
|
68
|
+
# * The `public_key_id` SHOULD be an RFC3986 conformant URI.
|
69
69
|
# * When possible, the `public_key_id` SHOULD be an immutable reference,
|
70
70
|
# such as a cryptographic digest.
|
71
71
|
#
|
@@ -85,9 +85,32 @@ module Grafeas
|
|
85
85
|
extend ::Google::Protobuf::MessageExts::ClassMethods
|
86
86
|
end
|
87
87
|
|
88
|
+
# MUST match
|
89
|
+
# https://github.com/secure-systems-lab/dsse/blob/master/envelope.proto. An
|
90
|
+
# authenticated message of arbitrary type.
|
91
|
+
# @!attribute [rw] payload
|
92
|
+
# @return [::String]
|
93
|
+
# @!attribute [rw] payload_type
|
94
|
+
# @return [::String]
|
95
|
+
# @!attribute [rw] signatures
|
96
|
+
# @return [::Array<::Grafeas::V1::EnvelopeSignature>]
|
97
|
+
class Envelope
|
98
|
+
include ::Google::Protobuf::MessageExts
|
99
|
+
extend ::Google::Protobuf::MessageExts::ClassMethods
|
100
|
+
end
|
101
|
+
|
102
|
+
# @!attribute [rw] sig
|
103
|
+
# @return [::String]
|
104
|
+
# @!attribute [rw] keyid
|
105
|
+
# @return [::String]
|
106
|
+
class EnvelopeSignature
|
107
|
+
include ::Google::Protobuf::MessageExts
|
108
|
+
extend ::Google::Protobuf::MessageExts::ClassMethods
|
109
|
+
end
|
110
|
+
|
88
111
|
# Kind represents the kinds of notes supported.
|
89
112
|
module NoteKind
|
90
|
-
#
|
113
|
+
# Default value. This value is unused.
|
91
114
|
NOTE_KIND_UNSPECIFIED = 0
|
92
115
|
|
93
116
|
# The note and occurrence represent a package vulnerability.
|
@@ -113,6 +136,12 @@ module Grafeas
|
|
113
136
|
|
114
137
|
# This represents an available package upgrade.
|
115
138
|
UPGRADE = 8
|
139
|
+
|
140
|
+
# This represents a Compliance Note
|
141
|
+
COMPLIANCE = 9
|
142
|
+
|
143
|
+
# This represents a DSSE attestation Note
|
144
|
+
DSSE_ATTESTATION = 10
|
116
145
|
end
|
117
146
|
end
|
118
147
|
end
|
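Review bot: The new `Envelope` and `EnvelopeSignature` messages in the second hunk document none of their fields, although `payload`, `payload_type`, `sig` and `keyid` are exactly what a verifier must interpret correctly. Per the DSSE envelope spec the hunk cites, the signature covers PAE(payload_type, payload) rather than `payload` alone, and `keyid` is an unauthenticated hint for key selection, so I would add `# Signature over PAE(payload_type, payload) as defined by the DSSE spec, not over payload alone.` on `sig` and `# Unauthenticated hint for choosing a verification key; never a basis for trust on its own.` on `keyid`. On `payload_type` a sentence that it is authenticated through the PAE and selects how `payload` is parsed would complete the picture. The file is generated from common.proto, so the wording belongs on the fields in the upstream proto.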
@@ -0,0 +1,98 @@
|
|
1
|
+
# frozen_string_literal: true
|
2
|
+
|
3
|
+
# Copyright 2021 Google LLC
|
4
|
+
#
|
5
|
+
# Licensed under the Apache License, Version 2.0 (the "License");
|
6
|
+
# you may not use this file except in compliance with the License.
|
7
|
+
# You may obtain a copy of the License at
|
8
|
+
#
|
9
|
+
# https://www.apache.org/licenses/LICENSE-2.0
|
10
|
+
#
|
11
|
+
# Unless required by applicable law or agreed to in writing, software
|
12
|
+
# distributed under the License is distributed on an "AS IS" BASIS,
|
13
|
+
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
14
|
+
# See the License for the specific language governing permissions and
|
15
|
+
# limitations under the License.
|
16
|
+
|
17
|
+
# Auto-generated by gapic-generator-ruby. DO NOT EDIT!
|
18
|
+
|
19
|
+
|
20
|
+
module Grafeas
|
21
|
+
module V1
|
22
|
+
# @!attribute [rw] title
|
23
|
+
# @return [::String]
|
24
|
+
# The title that identifies this compliance check.
|
25
|
+
# @!attribute [rw] description
|
26
|
+
# @return [::String]
|
27
|
+
# A description about this compliance check.
|
28
|
+
# @!attribute [rw] version
|
29
|
+
# @return [::Array<::Grafeas::V1::ComplianceVersion>]
|
30
|
+
# The OS and config versions the benchmark applies to.
|
31
|
+
# @!attribute [rw] rationale
|
32
|
+
# @return [::String]
|
33
|
+
# A rationale for the existence of this compliance check.
|
34
|
+
# @!attribute [rw] remediation
|
35
|
+
# @return [::String]
|
36
|
+
# A description of remediation steps if the compliance check fails.
|
37
|
+
# @!attribute [rw] cis_benchmark
|
38
|
+
# @return [::Grafeas::V1::ComplianceNote::CisBenchmark]
|
39
|
+
# @!attribute [rw] scan_instructions
|
40
|
+
# @return [::String]
|
41
|
+
# Serialized scan instructions with a predefined format.
|
42
|
+
class ComplianceNote
|
43
|
+
include ::Google::Protobuf::MessageExts
|
44
|
+
extend ::Google::Protobuf::MessageExts::ClassMethods
|
45
|
+
|
46
|
+
# A compliance check that is a CIS benchmark.
|
47
|
+
# @!attribute [rw] profile_level
|
48
|
+
# @return [::Integer]
|
49
|
+
# @!attribute [rw] severity
|
50
|
+
# @return [::Grafeas::V1::Severity]
|
51
|
+
class CisBenchmark
|
52
|
+
include ::Google::Protobuf::MessageExts
|
53
|
+
extend ::Google::Protobuf::MessageExts::ClassMethods
|
54
|
+
end
|
55
|
+
end
|
56
|
+
|
57
|
+
# Describes the CIS benchmark version that is applicable to a given OS and
|
58
|
+
# os version.
|
59
|
+
# @!attribute [rw] cpe_uri
|
60
|
+
# @return [::String]
|
61
|
+
# The CPE URI (https://cpe.mitre.org/specification/) this benchmark is
|
62
|
+
# applicable to.
|
63
|
+
# @!attribute [rw] version
|
64
|
+
# @return [::String]
|
65
|
+
# The version of the benchmark. This is set to the version of the OS-specific
|
66
|
+
# CIS document the benchmark is defined in.
|
67
|
+
class ComplianceVersion
|
68
|
+
include ::Google::Protobuf::MessageExts
|
69
|
+
extend ::Google::Protobuf::MessageExts::ClassMethods
|
70
|
+
end
|
71
|
+
|
72
|
+
# An indication that the compliance checks in the associated ComplianceNote
|
73
|
+
# were not satisfied for particular resources or a specified reason.
|
74
|
+
# @!attribute [rw] non_compliant_files
|
75
|
+
# @return [::Array<::Grafeas::V1::NonCompliantFile>]
|
76
|
+
# @!attribute [rw] non_compliance_reason
|
77
|
+
# @return [::String]
|
78
|
+
class ComplianceOccurrence
|
79
|
+
include ::Google::Protobuf::MessageExts
|
80
|
+
extend ::Google::Protobuf::MessageExts::ClassMethods
|
81
|
+
end
|
82
|
+
|
83
|
+
# Details about files that caused a compliance check to fail.
|
84
|
+
# @!attribute [rw] path
|
85
|
+
# @return [::String]
|
86
|
+
# Empty if `display_command` is set.
|
87
|
+
# @!attribute [rw] display_command
|
88
|
+
# @return [::String]
|
89
|
+
# Command to display the non-compliant files.
|
90
|
+
# @!attribute [rw] reason
|
91
|
+
# @return [::String]
|
92
|
+
# Explains why a file is non compliant for a CIS check.
|
93
|
+
class NonCompliantFile
|
94
|
+
include ::Google::Protobuf::MessageExts
|
95
|
+
extend ::Google::Protobuf::MessageExts::ClassMethods
|
96
|
+
end
|
97
|
+
end
|
98
|
+
end
|
@@ -0,0 +1,59 @@
|
|
1
|
+
# frozen_string_literal: true
|
2
|
+
|
3
|
+
# Copyright 2021 Google LLC
|
4
|
+
#
|
5
|
+
# Licensed under the Apache License, Version 2.0 (the "License");
|
6
|
+
# you may not use this file except in compliance with the License.
|
7
|
+
# You may obtain a copy of the License at
|
8
|
+
#
|
9
|
+
# https://www.apache.org/licenses/LICENSE-2.0
|
10
|
+
#
|
11
|
+
# Unless required by applicable law or agreed to in writing, software
|
12
|
+
# distributed under the License is distributed on an "AS IS" BASIS,
|
13
|
+
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
14
|
+
# See the License for the specific language governing permissions and
|
15
|
+
# limitations under the License.
|
16
|
+
|
17
|
+
# Auto-generated by gapic-generator-ruby. DO NOT EDIT!
|
18
|
+
|
19
|
+
|
20
|
+
module Grafeas
|
21
|
+
module V1
|
22
|
+
# @!attribute [rw] hint
|
23
|
+
# @return [::Grafeas::V1::DSSEAttestationNote::DSSEHint]
|
24
|
+
# DSSEHint hints at the purpose of the attestation authority.
|
25
|
+
class DSSEAttestationNote
|
26
|
+
include ::Google::Protobuf::MessageExts
|
27
|
+
extend ::Google::Protobuf::MessageExts::ClassMethods
|
28
|
+
|
29
|
+
# This submessage provides human-readable hints about the purpose of the
|
30
|
+
# authority. Because the name of a note acts as its resource reference, it is
|
31
|
+
# important to disambiguate the canonical name of the Note (which might be a
|
32
|
+
# UUID for security purposes) from "readable" names more suitable for debug
|
33
|
+
# output. Note that these hints should not be used to look up authorities in
|
34
|
+
# security sensitive contexts, such as when looking up attestations to
|
35
|
+
# verify.
|
36
|
+
# @!attribute [rw] human_readable_name
|
37
|
+
# @return [::String]
|
38
|
+
# Required. The human readable name of this attestation authority, for
|
39
|
+
# example "cloudbuild-prod".
|
40
|
+
class DSSEHint
|
41
|
+
include ::Google::Protobuf::MessageExts
|
42
|
+
extend ::Google::Protobuf::MessageExts::ClassMethods
|
43
|
+
end
|
44
|
+
end
|
45
|
+
|
46
|
+
# Deprecated. Prefer to use a regular Occurrence, and populate the
|
47
|
+
# Envelope at the top level of the Occurrence.
|
48
|
+
# @!attribute [rw] envelope
|
49
|
+
# @return [::Grafeas::V1::Envelope]
|
50
|
+
# If doing something security critical, make sure to verify the signatures in
|
51
|
+
# this metadata.
|
52
|
+
# @!attribute [rw] statement
|
53
|
+
# @return [::Grafeas::V1::InTotoStatement]
|
54
|
+
class DSSEAttestationOccurrence
|
55
|
+
include ::Google::Protobuf::MessageExts
|
56
|
+
extend ::Google::Protobuf::MessageExts::ClassMethods
|
57
|
+
end
|
58
|
+
end
|
59
|
+
end
|
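Review bot: `DSSEAttestationOccurrence.statement` has no description, and nothing in this file says how it relates to `envelope`, whose doc only warns to verify the signatures. Since intoto_statement.rb on this page states that the serialized statement is what goes into `Envelope.payload`, `statement` is a second, unsigned copy of that data, and I see nothing here saying Grafeas checks that the two agree, so a consumer that reads `statement` directly bypasses the signature check entirely. I would document it as `# Decoded convenience copy of the statement carried in envelope.payload. It is not covered by the envelope signatures; security-sensitive consumers MUST parse the statement from the verified payload instead.` This is a generated file, so the comment belongs on the field in dsse_attestation.proto.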
@@ -72,6 +72,15 @@ module Grafeas
|
|
72
72
|
# @!attribute [rw] upgrade
|
73
73
|
# @return [::Grafeas::V1::UpgradeOccurrence]
|
74
74
|
# Describes an available package upgrade on the linked resource.
|
75
|
+
# @!attribute [rw] compliance
|
76
|
+
# @return [::Grafeas::V1::ComplianceOccurrence]
|
77
|
+
# Describes a compliance violation on a linked resource.
|
78
|
+
# @!attribute [rw] dsse_attestation
|
79
|
+
# @return [::Grafeas::V1::DSSEAttestationOccurrence]
|
80
|
+
# Describes an attestation of an artifact using dsse.
|
81
|
+
# @!attribute [rw] envelope
|
82
|
+
# @return [::Grafeas::V1::Envelope]
|
83
|
+
# https://github.com/secure-systems-lab/dsse
|
75
84
|
class Occurrence
|
76
85
|
include ::Google::Protobuf::MessageExts
|
77
86
|
extend ::Google::Protobuf::MessageExts::ClassMethods
|
@@ -133,6 +142,12 @@ module Grafeas
|
|
133
142
|
# @!attribute [rw] upgrade
|
134
143
|
# @return [::Grafeas::V1::UpgradeNote]
|
135
144
|
# A note describing available package upgrades.
|
145
|
+
# @!attribute [rw] compliance
|
146
|
+
# @return [::Grafeas::V1::ComplianceNote]
|
147
|
+
# A note describing a compliance check.
|
148
|
+
# @!attribute [rw] dsse_attestation
|
149
|
+
# @return [::Grafeas::V1::DSSEAttestationNote]
|
150
|
+
# A note describing a dsse attestation note.
|
136
151
|
class Note
|
137
152
|
include ::Google::Protobuf::MessageExts
|
138
153
|
extend ::Google::Protobuf::MessageExts::ClassMethods
|
@@ -0,0 +1,134 @@
|
|
1
|
+
# frozen_string_literal: true
|
2
|
+
|
3
|
+
# Copyright 2021 Google LLC
|
4
|
+
#
|
5
|
+
# Licensed under the Apache License, Version 2.0 (the "License");
|
6
|
+
# you may not use this file except in compliance with the License.
|
7
|
+
# You may obtain a copy of the License at
|
8
|
+
#
|
9
|
+
# https://www.apache.org/licenses/LICENSE-2.0
|
10
|
+
#
|
11
|
+
# Unless required by applicable law or agreed to in writing, software
|
12
|
+
# distributed under the License is distributed on an "AS IS" BASIS,
|
13
|
+
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
14
|
+
# See the License for the specific language governing permissions and
|
15
|
+
# limitations under the License.
|
16
|
+
|
17
|
+
# Auto-generated by gapic-generator-ruby. DO NOT EDIT!
|
18
|
+
|
19
|
+
|
20
|
+
module Grafeas
|
21
|
+
module V1
|
22
|
+
# Steps taken to build the artifact.
|
23
|
+
# For a TaskRun, typically each container corresponds to one step in the
|
24
|
+
# recipe.
|
25
|
+
# @!attribute [rw] type
|
26
|
+
# @return [::String]
|
27
|
+
# URI indicating what type of recipe was performed. It determines the meaning
|
28
|
+
# of recipe.entryPoint, recipe.arguments, recipe.environment, and materials.
|
29
|
+
# @!attribute [rw] defined_in_material
|
30
|
+
# @return [::Integer]
|
31
|
+
# Index in materials containing the recipe steps that are not implied by
|
32
|
+
# recipe.type. For example, if the recipe type were "make", then this would
|
33
|
+
# point to the source containing the Makefile, not the make program itself.
|
34
|
+
# Set to -1 if the recipe doesn't come from a material, as zero is default
|
35
|
+
# unset value for int64.
|
36
|
+
# @!attribute [rw] entry_point
|
37
|
+
# @return [::String]
|
38
|
+
# String identifying the entry point into the build.
|
39
|
+
# This is often a path to a configuration file and/or a target label within
|
40
|
+
# that file. The syntax and meaning are defined by recipe.type. For example,
|
41
|
+
# if the recipe type were "make", then this would reference the directory in
|
42
|
+
# which to run make as well as which target to use.
|
43
|
+
# @!attribute [rw] arguments
|
44
|
+
# @return [::Array<::Google::Protobuf::Any>]
|
45
|
+
# Collection of all external inputs that influenced the build on top of
|
46
|
+
# recipe.definedInMaterial and recipe.entryPoint. For example, if the recipe
|
47
|
+
# type were "make", then this might be the flags passed to make aside from
|
48
|
+
# the target, which is captured in recipe.entryPoint. Since the arguments
|
49
|
+
# field can greatly vary in structure, depending on the builder and recipe
|
50
|
+
# type, this is of form "Any".
|
51
|
+
# @!attribute [rw] environment
|
52
|
+
# @return [::Array<::Google::Protobuf::Any>]
|
53
|
+
# Any other builder-controlled inputs necessary for correctly evaluating the
|
54
|
+
# recipe. Usually only needed for reproducing the build but not evaluated as
|
55
|
+
# part of policy. Since the environment field can greatly vary in structure,
|
56
|
+
# depending on the builder and recipe type, this is of form "Any".
|
57
|
+
class Recipe
|
58
|
+
include ::Google::Protobuf::MessageExts
|
59
|
+
extend ::Google::Protobuf::MessageExts::ClassMethods
|
60
|
+
end
|
61
|
+
|
62
|
+
# Indicates that the builder claims certain fields in this message to be
|
63
|
+
# complete.
|
64
|
+
# @!attribute [rw] arguments
|
65
|
+
# @return [::Boolean]
|
66
|
+
# If true, the builder claims that recipe.arguments is complete, meaning that
|
67
|
+
# all external inputs are properly captured in the recipe.
|
68
|
+
# @!attribute [rw] environment
|
69
|
+
# @return [::Boolean]
|
70
|
+
# If true, the builder claims that recipe.environment is claimed to be
|
71
|
+
# complete.
|
72
|
+
# @!attribute [rw] materials
|
73
|
+
# @return [::Boolean]
|
74
|
+
# If true, the builder claims that materials are complete, usually through
|
75
|
+
# some controls to prevent network access. Sometimes called "hermetic".
|
76
|
+
class Completeness
|
77
|
+
include ::Google::Protobuf::MessageExts
|
78
|
+
extend ::Google::Protobuf::MessageExts::ClassMethods
|
79
|
+
end
|
80
|
+
|
81
|
+
# Other properties of the build.
|
82
|
+
# @!attribute [rw] build_invocation_id
|
83
|
+
# @return [::String]
|
84
|
+
# Identifies the particular build invocation, which can be useful for finding
|
85
|
+
# associated logs or other ad-hoc analysis. The value SHOULD be globally
|
86
|
+
# unique, per in-toto Provenance spec.
|
87
|
+
# @!attribute [rw] build_started_on
|
88
|
+
# @return [::Google::Protobuf::Timestamp]
|
89
|
+
# The timestamp of when the build started.
|
90
|
+
# @!attribute [rw] build_finished_on
|
91
|
+
# @return [::Google::Protobuf::Timestamp]
|
92
|
+
# The timestamp of when the build completed.
|
93
|
+
# @!attribute [rw] completeness
|
94
|
+
# @return [::Grafeas::V1::Completeness]
|
95
|
+
# Indicates that the builder claims certain fields in this message to be
|
96
|
+
# complete.
|
97
|
+
# @!attribute [rw] reproducible
|
98
|
+
# @return [::Boolean]
|
99
|
+
# If true, the builder claims that running the recipe on materials will
|
100
|
+
# produce bit-for-bit identical output.
|
101
|
+
class Metadata
|
102
|
+
include ::Google::Protobuf::MessageExts
|
103
|
+
extend ::Google::Protobuf::MessageExts::ClassMethods
|
104
|
+
end
|
105
|
+
|
106
|
+
# @!attribute [rw] id
|
107
|
+
# @return [::String]
|
108
|
+
class BuilderConfig
|
109
|
+
include ::Google::Protobuf::MessageExts
|
110
|
+
extend ::Google::Protobuf::MessageExts::ClassMethods
|
111
|
+
end
|
112
|
+
|
113
|
+
# @!attribute [rw] builder_config
|
114
|
+
# @return [::Grafeas::V1::BuilderConfig]
|
115
|
+
# @!attribute [rw] recipe
|
116
|
+
# @return [::Grafeas::V1::Recipe]
|
117
|
+
# Identifies the configuration used for the build.
|
118
|
+
# When combined with materials, this SHOULD fully describe the build,
|
119
|
+
# such that re-running this recipe results in bit-for-bit identical output
|
120
|
+
# (if the build is reproducible).
|
121
|
+
# @!attribute [rw] metadata
|
122
|
+
# @return [::Grafeas::V1::Metadata]
|
123
|
+
# @!attribute [rw] materials
|
124
|
+
# @return [::Array<::String>]
|
125
|
+
# The collection of artifacts that influenced the build including sources,
|
126
|
+
# dependencies, build tools, base images, and so on. This is considered to be
|
127
|
+
# incomplete unless metadata.completeness.materials is true. Unset or null is
|
128
|
+
# equivalent to empty.
|
129
|
+
class InTotoProvenance
|
130
|
+
include ::Google::Protobuf::MessageExts
|
131
|
+
extend ::Google::Protobuf::MessageExts::ClassMethods
|
132
|
+
end
|
133
|
+
end
|
134
|
+
end
|
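Review bot: `BuilderConfig.id` is the one field in this file with no description, yet as far as these docs show it is what a verifier's trust rests on — `Completeness` and `reproducible` are explicitly described as builder *claims*, so they are only as good as the builder named in `id`. I would document it as `# URI identifying the builder that produced this provenance. Verifiers should match it against the builders they trust; the completeness and reproducibility claims are only meaningful for a trusted builder.` The `materials` description already implies the second half of the contract, but it is worth stating on `completeness.materials` that a material missing from the list must not be read as "not used" unless that flag is true. Generated from intoto_provenance.proto, so the edits belong upstream.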
@@ -0,0 +1,65 @@
|
|
1
|
+
# frozen_string_literal: true
|
2
|
+
|
3
|
+
# Copyright 2021 Google LLC
|
4
|
+
#
|
5
|
+
# Licensed under the Apache License, Version 2.0 (the "License");
|
6
|
+
# you may not use this file except in compliance with the License.
|
7
|
+
# You may obtain a copy of the License at
|
8
|
+
#
|
9
|
+
# https://www.apache.org/licenses/LICENSE-2.0
|
10
|
+
#
|
11
|
+
# Unless required by applicable law or agreed to in writing, software
|
12
|
+
# distributed under the License is distributed on an "AS IS" BASIS,
|
13
|
+
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
14
|
+
# See the License for the specific language governing permissions and
|
15
|
+
# limitations under the License.
|
16
|
+
|
17
|
+
# Auto-generated by gapic-generator-ruby. DO NOT EDIT!
|
18
|
+
|
19
|
+
|
20
|
+
module Grafeas
|
21
|
+
module V1
|
22
|
+
# Spec defined at
|
23
|
+
# https://github.com/in-toto/attestation/tree/main/spec#statement The
|
24
|
+
# serialized InTotoStatement will be stored as Envelope.payload.
|
25
|
+
# Envelope.payloadType is always "application/vnd.in-toto+json".
|
26
|
+
# @!attribute [rw] type
|
27
|
+
# @return [::String]
|
28
|
+
# Always `https://in-toto.io/Statement/v0.1`.
|
29
|
+
# @!attribute [rw] subject
|
30
|
+
# @return [::Array<::Grafeas::V1::Subject>]
|
31
|
+
# @!attribute [rw] predicate_type
|
32
|
+
# @return [::String]
|
33
|
+
# `https://slsa.dev/provenance/v0.1` for SlsaProvenance.
|
34
|
+
# @!attribute [rw] provenance
|
35
|
+
# @return [::Grafeas::V1::InTotoProvenance]
|
36
|
+
# @!attribute [rw] slsa_provenance
|
37
|
+
# @return [::Grafeas::V1::SlsaProvenance]
|
38
|
+
class InTotoStatement
|
39
|
+
include ::Google::Protobuf::MessageExts
|
40
|
+
extend ::Google::Protobuf::MessageExts::ClassMethods
|
41
|
+
end
|
42
|
+
|
43
|
+
# @!attribute [rw] name
|
44
|
+
# @return [::String]
|
45
|
+
# @!attribute [rw] digest
|
46
|
+
# @return [::Google::Protobuf::Map{::String => ::String}]
|
47
|
+
# `"<ALGORITHM>": "<HEX_VALUE>"`
|
48
|
+
# Algorithms can be e.g. sha256, sha512
|
49
|
+
# See
|
50
|
+
# https://github.com/in-toto/attestation/blob/main/spec/field_types.md#DigestSet
|
51
|
+
class Subject
|
52
|
+
include ::Google::Protobuf::MessageExts
|
53
|
+
extend ::Google::Protobuf::MessageExts::ClassMethods
|
54
|
+
|
55
|
+
# @!attribute [rw] key
|
56
|
+
# @return [::String]
|
57
|
+
# @!attribute [rw] value
|
58
|
+
# @return [::String]
|
59
|
+
class DigestEntry
|
60
|
+
include ::Google::Protobuf::MessageExts
|
61
|
+
extend ::Google::Protobuf::MessageExts::ClassMethods
|
62
|
+
end
|
63
|
+
end
|
64
|
+
end
|
65
|
+
end
|
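Review bot: The `InTotoStatement` docs do not say what a verifier has to establish before acting on the predicate: `subject` has no description at all, `predicate_type` is documented only by example, and `provenance` and `slsa_provenance` are undocumented. Two checks are implied by the in-toto spec the hunk links but should be spelled out: the artifact being verified must match one of the `subject[*].digest` entries, otherwise the statement is about something else, and `predicate_type` must agree with whichever predicate field is populated rather than being trusted on its own. I would add on `subject`: `# Artifacts this statement is about. A verifier MUST match the artifact it is checking against one of these digests before relying on the predicate.` and on `predicate_type`: `# Must correspond to the populated predicate field; verifiers should reject a mismatch.` Being generated from intoto_statement.proto, these belong in the upstream proto comments.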
@@ -101,6 +101,14 @@ module Grafeas
|
|
101
101
|
# @!attribute [rw] revision
|
102
102
|
# @return [::String]
|
103
103
|
# The iteration of the package build from the above version.
|
104
|
+
# @!attribute [rw] inclusive
|
105
|
+
# @return [::Boolean]
|
106
|
+
# Whether this version is specifying part of an inclusive range. Grafeas
|
107
|
+
# does not have the capability to specify version ranges; instead we have
|
108
|
+
# fields that specify start version and end versions. At times this is
|
109
|
+
# insufficient - we also need to specify whether the version is included in
|
110
|
+
# the range or is excluded from the range. This boolean is expected to be set
|
111
|
+
# to true when the version is included in a range.
|
104
112
|
# @!attribute [rw] kind
|
105
113
|
# @return [::Grafeas::V1::Version::VersionKind]
|
106
114
|
# Required. Distinguishes between sentinel MIN/MAX versions and normal
|
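Review bot: The new `inclusive` flag only says it is "expected to be set to true when the version is included in a range", which leaves the meaning of the proto3 default `false` ambiguous: it could mean "excluded" or merely "not specified". For vulnerability ranges that distinction decides whether the boundary version itself is reported as affected or as fixed, and every existing writer that never sets the field will now read as `false`. The doc should pin this down, e.g. `# false (the proto3 default) means the version is excluded from the range; writers that intend an inclusive endpoint MUST set this explicitly.` — or, if pre-existing data is meant to keep its old interpretation, say that instead. This is generated from package.proto, so the clarification belongs on the proto field.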