grafeas-v1 0.2.2 → 0.3.0

data/lib/grafeas/v1/provenance_pb.rb

@@ -1,9 +1,9 @@
 # Generated by the protocol buffer compiler.  DO NOT EDIT!
 # source: grafeas/v1/provenance.proto
 
+require 'google/protobuf/timestamp_pb'
 require 'google/protobuf'
 
-require 'google/protobuf/timestamp_pb'
 Google::Protobuf::DescriptorPool.generated_pool.build do
   add_file("grafeas/v1/provenance.proto", :syntax => :proto3) do
     add_message "grafeas.v1.BuildProvenance" do

data/lib/grafeas/v1/slsa_provenance_pb.rb

@@ -0,0 +1,54 @@
+# Generated by the protocol buffer compiler.  DO NOT EDIT!
+# source: grafeas/v1/slsa_provenance.proto
+
+require 'google/protobuf/any_pb'
+require 'google/protobuf/timestamp_pb'
+require 'google/protobuf'
+
+Google::Protobuf::DescriptorPool.generated_pool.build do
+  add_file("grafeas/v1/slsa_provenance.proto", :syntax => :proto3) do
+    add_message "grafeas.v1.SlsaProvenance" do
+      optional :builder, :message, 1, "grafeas.v1.SlsaProvenance.SlsaBuilder"
+      optional :recipe, :message, 2, "grafeas.v1.SlsaProvenance.SlsaRecipe"
+      optional :metadata, :message, 3, "grafeas.v1.SlsaProvenance.SlsaMetadata"
+      repeated :materials, :message, 4, "grafeas.v1.SlsaProvenance.Material"
+    end
+    add_message "grafeas.v1.SlsaProvenance.SlsaRecipe" do
+      optional :type, :string, 1
+      optional :defined_in_material, :int64, 2
+      optional :entry_point, :string, 3
+      optional :arguments, :message, 4, "google.protobuf.Any"
+      optional :environment, :message, 5, "google.protobuf.Any"
+    end
+    add_message "grafeas.v1.SlsaProvenance.SlsaCompleteness" do
+      optional :arguments, :bool, 1
+      optional :environment, :bool, 2
+      optional :materials, :bool, 3
+    end
+    add_message "grafeas.v1.SlsaProvenance.SlsaMetadata" do
+      optional :build_invocation_id, :string, 1
+      optional :build_started_on, :message, 2, "google.protobuf.Timestamp"
+      optional :build_finished_on, :message, 3, "google.protobuf.Timestamp"
+      optional :completeness, :message, 4, "grafeas.v1.SlsaProvenance.SlsaCompleteness"
+      optional :reproducible, :bool, 5
+    end
+    add_message "grafeas.v1.SlsaProvenance.SlsaBuilder" do
+      optional :id, :string, 1
+    end
+    add_message "grafeas.v1.SlsaProvenance.Material" do
+      optional :uri, :string, 1
+      map :digest, :string, :string, 2
+    end
+  end
+end
+
+module Grafeas
+  module V1
+    SlsaProvenance = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("grafeas.v1.SlsaProvenance").msgclass
+    SlsaProvenance::SlsaRecipe = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("grafeas.v1.SlsaProvenance.SlsaRecipe").msgclass
+    SlsaProvenance::SlsaCompleteness = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("grafeas.v1.SlsaProvenance.SlsaCompleteness").msgclass
+    SlsaProvenance::SlsaMetadata = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("grafeas.v1.SlsaProvenance.SlsaMetadata").msgclass
+    SlsaProvenance::SlsaBuilder = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("grafeas.v1.SlsaProvenance.SlsaBuilder").msgclass
+    SlsaProvenance::Material = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("grafeas.v1.SlsaProvenance.Material").msgclass
+  end
+end

data/lib/grafeas/v1/upgrade_pb.rb

@@ -1,10 +1,10 @@
 # Generated by the protocol buffer compiler.  DO NOT EDIT!
 # source: grafeas/v1/upgrade.proto
 
-require 'google/protobuf'
-
 require 'google/protobuf/timestamp_pb'
 require 'grafeas/v1/package_pb'
+require 'google/protobuf'
+
 Google::Protobuf::DescriptorPool.generated_pool.build do
   add_file("grafeas/v1/upgrade.proto", :syntax => :proto3) do
     add_message "grafeas.v1.UpgradeNote" do

data/lib/grafeas/v1/version.rb

@@ -19,6 +19,6 @@
 
 module Grafeas
   module V1
-    VERSION = "0.2.2"
+    VERSION = "0.3.0"
   end
 end

data/lib/grafeas/v1/vulnerability_pb.rb

@@ -1,12 +1,13 @@
 # Generated by the protocol buffer compiler.  DO NOT EDIT!
 # source: grafeas/v1/vulnerability.proto
 
-require 'google/protobuf'
-
+require 'google/api/field_behavior_pb'
 require 'google/protobuf/timestamp_pb'
 require 'grafeas/v1/common_pb'
 require 'grafeas/v1/cvss_pb'
 require 'grafeas/v1/package_pb'
+require 'google/protobuf'
+
 Google::Protobuf::DescriptorPool.generated_pool.build do
   add_file("grafeas/v1/vulnerability.proto", :syntax => :proto3) do
     add_message "grafeas.v1.VulnerabilityNote" do
@@ -30,6 +31,8 @@ Google::Protobuf::DescriptorPool.generated_pool.build do
       optional :fixed_version, :message, 10, "grafeas.v1.Version"
       optional :is_obsolete, :bool, 11
       optional :source_update_time, :message, 12, "google.protobuf.Timestamp"
+      optional :source, :string, 13
+      optional :vendor, :string, 14
     end
     add_message "grafeas.v1.VulnerabilityNote.WindowsDetail" do
       optional :cpe_uri, :string, 1
@@ -45,6 +48,7 @@ Google::Protobuf::DescriptorPool.generated_pool.build do
       optional :type, :string, 1
       optional :severity, :enum, 2, "grafeas.v1.Severity"
       optional :cvss_score, :float, 3
+      optional :cvssv3, :message, 10, "grafeas.v1.VulnerabilityOccurrence.CVSSV3"
       repeated :package_issue, :message, 4, "grafeas.v1.VulnerabilityOccurrence.PackageIssue"
       optional :short_description, :string, 5
       optional :long_description, :string, 6
@@ -52,6 +56,10 @@ Google::Protobuf::DescriptorPool.generated_pool.build do
       optional :effective_severity, :enum, 8, "grafeas.v1.Severity"
       optional :fix_available, :bool, 9
     end
+    add_message "grafeas.v1.VulnerabilityOccurrence.CVSSV3" do
+      optional :base_score, :float, 1
+      optional :severity, :enum, 2, "grafeas.v1.Severity"
+    end
     add_message "grafeas.v1.VulnerabilityOccurrence.PackageIssue" do
       optional :affected_cpe_uri, :string, 1
       optional :affected_package, :string, 2
@@ -60,6 +68,8 @@ Google::Protobuf::DescriptorPool.generated_pool.build do
       optional :fixed_package, :string, 5
       optional :fixed_version, :message, 6, "grafeas.v1.Version"
       optional :fix_available, :bool, 7
+      optional :package_type, :string, 8
+      optional :effective_severity, :enum, 9, "grafeas.v1.Severity"
     end
     add_enum "grafeas.v1.Severity" do
       value :SEVERITY_UNSPECIFIED, 0
@@ -79,6 +89,7 @@ module Grafeas
     VulnerabilityNote::WindowsDetail = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("grafeas.v1.VulnerabilityNote.WindowsDetail").msgclass
     VulnerabilityNote::WindowsDetail::KnowledgeBase = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("grafeas.v1.VulnerabilityNote.WindowsDetail.KnowledgeBase").msgclass
     VulnerabilityOccurrence = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("grafeas.v1.VulnerabilityOccurrence").msgclass
+    VulnerabilityOccurrence::CVSSV3 = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("grafeas.v1.VulnerabilityOccurrence.CVSSV3").msgclass
     VulnerabilityOccurrence::PackageIssue = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("grafeas.v1.VulnerabilityOccurrence.PackageIssue").msgclass
     Severity = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("grafeas.v1.Severity").enummodule
   end

data/proto_docs/grafeas/v1/attestation.rb

@@ -51,6 +51,16 @@ module Grafeas
       end
     end
 
+    # @!attribute [rw] compact_jwt
+    #   @return [::String]
+    #     The compact encoding of a JWS, which is always three base64 encoded strings
+    #     joined by periods. For details, see:
+    #     https://tools.ietf.org/html/rfc7515.html#section-3.1
+    class Jwt
+      include ::Google::Protobuf::MessageExts
+      extend ::Google::Protobuf::MessageExts::ClassMethods
+    end
+
     # Occurrence that represents a single "attestation". The authenticity of an
     # attestation can be verified using the attached signature. If the verifier
     # trusts the public key of the signer, then verifying the signature is
@@ -69,6 +79,17 @@ module Grafeas
     #     should consider this attestation message verified if at least one
     #     `signature` verifies `serialized_payload`.  See `Signature` in common.proto
     #     for more details on signature structure and verification.
+    # @!attribute [rw] jwts
+    #   @return [::Array<::Grafeas::V1::Jwt>]
+    #     One or more JWTs encoding a self-contained attestation.
+    #     Each JWT encodes the payload that it verifies within the JWT itself.
+    #     Verifier implementation SHOULD ignore the `serialized_payload` field
+    #     when verifying these JWTs.
+    #     If only JWTs are present on this AttestationOccurrence, then the
+    #     `serialized_payload` SHOULD be left empty.
+    #     Each JWT SHOULD encode a claim specific to the `resource_uri` of this
+    #     Occurrence, but this is not validated by Grafeas metadata API
+    #     implementations.  The JWT itself is opaque to Grafeas.
     class AttestationOccurrence
       include ::Google::Protobuf::MessageExts
       extend ::Google::Protobuf::MessageExts::ClassMethods

data/proto_docs/grafeas/v1/build.rb

@@ -32,7 +32,7 @@ module Grafeas
     # Details of a build occurrence.
     # @!attribute [rw] provenance
     #   @return [::Grafeas::V1::BuildProvenance]
-    #     Required. The actual provenance for the build.
+    #     The actual provenance for the build.
     # @!attribute [rw] provenance_bytes
     #   @return [::String]
     #     Serialized JSON representation of the provenance, used in generating the
@@ -46,6 +46,16 @@ module Grafeas
     #     The serialized form is captured both to avoid ambiguity in how the
     #     provenance is marshalled to json as well to prevent incompatibilities with
     #     future changes.
+    # @!attribute [rw] intoto_provenance
+    #   @return [::Grafeas::V1::InTotoProvenance]
+    #     Deprecated. See InTotoStatement for the replacement.
+    #     In-toto Provenance representation as defined in spec.
+    # @!attribute [rw] intoto_statement
+    #   @return [::Grafeas::V1::InTotoStatement]
+    #     In-toto Statement representation as defined in spec.
+    #     The intoto_statement can contain any type of provenance. The serialized
+    #     payload of the statement can be stored and signed in the Occurrence's
+    #     envelope.
     class BuildOccurrence
       include ::Google::Protobuf::MessageExts
       extend ::Google::Protobuf::MessageExts::ClassMethods

data/proto_docs/grafeas/v1/common.rb

@@ -65,7 +65,7 @@ module Grafeas
     #   @return [::String]
     #     The identifier for the public key that verifies this signature.
     #       * The `public_key_id` is required.
-    #       * The `public_key_id` MUST be an RFC3986 conformant URI.
+    #       * The `public_key_id` SHOULD be an RFC3986 conformant URI.
     #       * When possible, the `public_key_id` SHOULD be an immutable reference,
     #         such as a cryptographic digest.
     #
@@ -85,9 +85,32 @@ module Grafeas
       extend ::Google::Protobuf::MessageExts::ClassMethods
     end
 
+    # MUST match
+    # https://github.com/secure-systems-lab/dsse/blob/master/envelope.proto. An
+    # authenticated message of arbitrary type.
+    # @!attribute [rw] payload
+    #   @return [::String]
+    # @!attribute [rw] payload_type
+    #   @return [::String]
+    # @!attribute [rw] signatures
+    #   @return [::Array<::Grafeas::V1::EnvelopeSignature>]
+    class Envelope
+      include ::Google::Protobuf::MessageExts
+      extend ::Google::Protobuf::MessageExts::ClassMethods
+    end
+
+    # @!attribute [rw] sig
+    #   @return [::String]
+    # @!attribute [rw] keyid
+    #   @return [::String]
+    class EnvelopeSignature
+      include ::Google::Protobuf::MessageExts
+      extend ::Google::Protobuf::MessageExts::ClassMethods
+    end
+
     # Kind represents the kinds of notes supported.
     module NoteKind
-      # Unknown.
+      # Default value. This value is unused.
       NOTE_KIND_UNSPECIFIED = 0
 
       # The note and occurrence represent a package vulnerability.
@@ -113,6 +136,12 @@ module Grafeas
 
       # This represents an available package upgrade.
       UPGRADE = 8
+
+      # This represents a Compliance Note
+      COMPLIANCE = 9
+
+      # This represents a DSSE attestation Note
+      DSSE_ATTESTATION = 10
     end
   end
 end

data/proto_docs/grafeas/v1/compliance.rb

@@ -0,0 +1,98 @@
+# frozen_string_literal: true
+
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Auto-generated by gapic-generator-ruby. DO NOT EDIT!
+
+
+module Grafeas
+  module V1
+    # @!attribute [rw] title
+    #   @return [::String]
+    #     The title that identifies this compliance check.
+    # @!attribute [rw] description
+    #   @return [::String]
+    #     A description about this compliance check.
+    # @!attribute [rw] version
+    #   @return [::Array<::Grafeas::V1::ComplianceVersion>]
+    #     The OS and config versions the benchmark applies to.
+    # @!attribute [rw] rationale
+    #   @return [::String]
+    #     A rationale for the existence of this compliance check.
+    # @!attribute [rw] remediation
+    #   @return [::String]
+    #     A description of remediation steps if the compliance check fails.
+    # @!attribute [rw] cis_benchmark
+    #   @return [::Grafeas::V1::ComplianceNote::CisBenchmark]
+    # @!attribute [rw] scan_instructions
+    #   @return [::String]
+    #     Serialized scan instructions with a predefined format.
+    class ComplianceNote
+      include ::Google::Protobuf::MessageExts
+      extend ::Google::Protobuf::MessageExts::ClassMethods
+
+      # A compliance check that is a CIS benchmark.
+      # @!attribute [rw] profile_level
+      #   @return [::Integer]
+      # @!attribute [rw] severity
+      #   @return [::Grafeas::V1::Severity]
+      class CisBenchmark
+        include ::Google::Protobuf::MessageExts
+        extend ::Google::Protobuf::MessageExts::ClassMethods
+      end
+    end
+
+    # Describes the CIS benchmark version that is applicable to a given OS and
+    # os version.
+    # @!attribute [rw] cpe_uri
+    #   @return [::String]
+    #     The CPE URI (https://cpe.mitre.org/specification/) this benchmark is
+    #     applicable to.
+    # @!attribute [rw] version
+    #   @return [::String]
+    #     The version of the benchmark. This is set to the version of the OS-specific
+    #     CIS document the benchmark is defined in.
+    class ComplianceVersion
+      include ::Google::Protobuf::MessageExts
+      extend ::Google::Protobuf::MessageExts::ClassMethods
+    end
+
+    # An indication that the compliance checks in the associated ComplianceNote
+    # were not satisfied for particular resources or a specified reason.
+    # @!attribute [rw] non_compliant_files
+    #   @return [::Array<::Grafeas::V1::NonCompliantFile>]
+    # @!attribute [rw] non_compliance_reason
+    #   @return [::String]
+    class ComplianceOccurrence
+      include ::Google::Protobuf::MessageExts
+      extend ::Google::Protobuf::MessageExts::ClassMethods
+    end
+
+    # Details about files that caused a compliance check to fail.
+    # @!attribute [rw] path
+    #   @return [::String]
+    #     Empty if `display_command` is set.
+    # @!attribute [rw] display_command
+    #   @return [::String]
+    #     Command to display the non-compliant files.
+    # @!attribute [rw] reason
+    #   @return [::String]
+    #     Explains why a file is non compliant for a CIS check.
+    class NonCompliantFile
+      include ::Google::Protobuf::MessageExts
+      extend ::Google::Protobuf::MessageExts::ClassMethods
+    end
+  end
+end

data/proto_docs/grafeas/v1/dsse_attestation.rb

@@ -0,0 +1,59 @@
+# frozen_string_literal: true
+
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Auto-generated by gapic-generator-ruby. DO NOT EDIT!
+
+
+module Grafeas
+  module V1
+    # @!attribute [rw] hint
+    #   @return [::Grafeas::V1::DSSEAttestationNote::DSSEHint]
+    #     DSSEHint hints at the purpose of the attestation authority.
+    class DSSEAttestationNote
+      include ::Google::Protobuf::MessageExts
+      extend ::Google::Protobuf::MessageExts::ClassMethods
+
+      # This submessage provides human-readable hints about the purpose of the
+      # authority. Because the name of a note acts as its resource reference, it is
+      # important to disambiguate the canonical name of the Note (which might be a
+      # UUID for security purposes) from "readable" names more suitable for debug
+      # output. Note that these hints should not be used to look up authorities in
+      # security sensitive contexts, such as when looking up attestations to
+      # verify.
+      # @!attribute [rw] human_readable_name
+      #   @return [::String]
+      #     Required. The human readable name of this attestation authority, for
+      #     example "cloudbuild-prod".
+      class DSSEHint
+        include ::Google::Protobuf::MessageExts
+        extend ::Google::Protobuf::MessageExts::ClassMethods
+      end
+    end
+
+    # Deprecated. Prefer to use a regular Occurrence, and populate the
+    # Envelope at the top level of the Occurrence.
+    # @!attribute [rw] envelope
+    #   @return [::Grafeas::V1::Envelope]
+    #     If doing something security critical, make sure to verify the signatures in
+    #     this metadata.
+    # @!attribute [rw] statement
+    #   @return [::Grafeas::V1::InTotoStatement]
+    class DSSEAttestationOccurrence
+      include ::Google::Protobuf::MessageExts
+      extend ::Google::Protobuf::MessageExts::ClassMethods
+    end
+  end
+end

data/proto_docs/grafeas/v1/grafeas.rb

@@ -72,6 +72,15 @@ module Grafeas
     # @!attribute [rw] upgrade
     #   @return [::Grafeas::V1::UpgradeOccurrence]
     #     Describes an available package upgrade on the linked resource.
+    # @!attribute [rw] compliance
+    #   @return [::Grafeas::V1::ComplianceOccurrence]
+    #     Describes a compliance violation on a linked resource.
+    # @!attribute [rw] dsse_attestation
+    #   @return [::Grafeas::V1::DSSEAttestationOccurrence]
+    #     Describes an attestation of an artifact using dsse.
+    # @!attribute [rw] envelope
+    #   @return [::Grafeas::V1::Envelope]
+    #     https://github.com/secure-systems-lab/dsse
     class Occurrence
       include ::Google::Protobuf::MessageExts
       extend ::Google::Protobuf::MessageExts::ClassMethods
@@ -133,6 +142,12 @@ module Grafeas
     # @!attribute [rw] upgrade
     #   @return [::Grafeas::V1::UpgradeNote]
     #     A note describing available package upgrades.
+    # @!attribute [rw] compliance
+    #   @return [::Grafeas::V1::ComplianceNote]
+    #     A note describing a compliance check.
+    # @!attribute [rw] dsse_attestation
+    #   @return [::Grafeas::V1::DSSEAttestationNote]
+    #     A note describing a dsse attestation note.
     class Note
       include ::Google::Protobuf::MessageExts
       extend ::Google::Protobuf::MessageExts::ClassMethods

data/proto_docs/grafeas/v1/intoto_provenance.rb

@@ -0,0 +1,134 @@
+# frozen_string_literal: true
+
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Auto-generated by gapic-generator-ruby. DO NOT EDIT!
+
+
+module Grafeas
+  module V1
+    # Steps taken to build the artifact.
+    # For a TaskRun, typically each container corresponds to one step in the
+    # recipe.
+    # @!attribute [rw] type
+    #   @return [::String]
+    #     URI indicating what type of recipe was performed. It determines the meaning
+    #     of recipe.entryPoint, recipe.arguments, recipe.environment, and materials.
+    # @!attribute [rw] defined_in_material
+    #   @return [::Integer]
+    #     Index in materials containing the recipe steps that are not implied by
+    #     recipe.type. For example, if the recipe type were "make", then this would
+    #     point to the source containing the Makefile, not the make program itself.
+    #     Set to -1 if the recipe doesn't come from a material, as zero is default
+    #     unset value for int64.
+    # @!attribute [rw] entry_point
+    #   @return [::String]
+    #     String identifying the entry point into the build.
+    #     This is often a path to a configuration file and/or a target label within
+    #     that file. The syntax and meaning are defined by recipe.type. For example,
+    #     if the recipe type were "make", then this would reference the directory in
+    #     which to run make as well as which target to use.
+    # @!attribute [rw] arguments
+    #   @return [::Array<::Google::Protobuf::Any>]
+    #     Collection of all external inputs that influenced the build on top of
+    #     recipe.definedInMaterial and recipe.entryPoint. For example, if the recipe
+    #     type were "make", then this might be the flags passed to make aside from
+    #     the target, which is captured in recipe.entryPoint. Since the arguments
+    #     field can greatly vary in structure, depending on the builder and recipe
+    #     type, this is of form "Any".
+    # @!attribute [rw] environment
+    #   @return [::Array<::Google::Protobuf::Any>]
+    #     Any other builder-controlled inputs necessary for correctly evaluating the
+    #     recipe. Usually only needed for reproducing the build but not evaluated as
+    #     part of policy. Since the environment field can greatly vary in structure,
+    #     depending on the builder and recipe type, this is of form "Any".
+    class Recipe
+      include ::Google::Protobuf::MessageExts
+      extend ::Google::Protobuf::MessageExts::ClassMethods
+    end
+
+    # Indicates that the builder claims certain fields in this message to be
+    # complete.
+    # @!attribute [rw] arguments
+    #   @return [::Boolean]
+    #     If true, the builder claims that recipe.arguments is complete, meaning that
+    #     all external inputs are properly captured in the recipe.
+    # @!attribute [rw] environment
+    #   @return [::Boolean]
+    #     If true, the builder claims that recipe.environment is claimed to be
+    #     complete.
+    # @!attribute [rw] materials
+    #   @return [::Boolean]
+    #     If true, the builder claims that materials are complete, usually through
+    #     some controls to prevent network access. Sometimes called "hermetic".
+    class Completeness
+      include ::Google::Protobuf::MessageExts
+      extend ::Google::Protobuf::MessageExts::ClassMethods
+    end
+
+    # Other properties of the build.
+    # @!attribute [rw] build_invocation_id
+    #   @return [::String]
+    #     Identifies the particular build invocation, which can be useful for finding
+    #     associated logs or other ad-hoc analysis. The value SHOULD be globally
+    #     unique, per in-toto Provenance spec.
+    # @!attribute [rw] build_started_on
+    #   @return [::Google::Protobuf::Timestamp]
+    #     The timestamp of when the build started.
+    # @!attribute [rw] build_finished_on
+    #   @return [::Google::Protobuf::Timestamp]
+    #     The timestamp of when the build completed.
+    # @!attribute [rw] completeness
+    #   @return [::Grafeas::V1::Completeness]
+    #     Indicates that the builder claims certain fields in this message to be
+    #     complete.
+    # @!attribute [rw] reproducible
+    #   @return [::Boolean]
+    #     If true, the builder claims that running the recipe on materials will
+    #     produce bit-for-bit identical output.
+    class Metadata
+      include ::Google::Protobuf::MessageExts
+      extend ::Google::Protobuf::MessageExts::ClassMethods
+    end
+
+    # @!attribute [rw] id
+    #   @return [::String]
+    class BuilderConfig
+      include ::Google::Protobuf::MessageExts
+      extend ::Google::Protobuf::MessageExts::ClassMethods
+    end
+
+    # @!attribute [rw] builder_config
+    #   @return [::Grafeas::V1::BuilderConfig]
+    # @!attribute [rw] recipe
+    #   @return [::Grafeas::V1::Recipe]
+    #     Identifies the configuration used for the build.
+    #     When combined with materials, this SHOULD fully describe the build,
+    #     such that re-running this recipe results in bit-for-bit identical output
+    #     (if the build is reproducible).
+    # @!attribute [rw] metadata
+    #   @return [::Grafeas::V1::Metadata]
+    # @!attribute [rw] materials
+    #   @return [::Array<::String>]
+    #     The collection of artifacts that influenced the build including sources,
+    #     dependencies, build tools, base images, and so on. This is considered to be
+    #     incomplete unless metadata.completeness.materials is true. Unset or null is
+    #     equivalent to empty.
+    class InTotoProvenance
+      include ::Google::Protobuf::MessageExts
+      extend ::Google::Protobuf::MessageExts::ClassMethods
+    end
+  end
+end

data/proto_docs/grafeas/v1/intoto_statement.rb

@@ -0,0 +1,65 @@
+# frozen_string_literal: true
+
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Auto-generated by gapic-generator-ruby. DO NOT EDIT!
+
+
+module Grafeas
+  module V1
+    # Spec defined at
+    # https://github.com/in-toto/attestation/tree/main/spec#statement The
+    # serialized InTotoStatement will be stored as Envelope.payload.
+    # Envelope.payloadType is always "application/vnd.in-toto+json".
+    # @!attribute [rw] type
+    #   @return [::String]
+    #     Always `https://in-toto.io/Statement/v0.1`.
+    # @!attribute [rw] subject
+    #   @return [::Array<::Grafeas::V1::Subject>]
+    # @!attribute [rw] predicate_type
+    #   @return [::String]
+    #     `https://slsa.dev/provenance/v0.1` for SlsaProvenance.
+    # @!attribute [rw] provenance
+    #   @return [::Grafeas::V1::InTotoProvenance]
+    # @!attribute [rw] slsa_provenance
+    #   @return [::Grafeas::V1::SlsaProvenance]
+    class InTotoStatement
+      include ::Google::Protobuf::MessageExts
+      extend ::Google::Protobuf::MessageExts::ClassMethods
+    end
+
+    # @!attribute [rw] name
+    #   @return [::String]
+    # @!attribute [rw] digest
+    #   @return [::Google::Protobuf::Map{::String => ::String}]
+    #     `"<ALGORITHM>": "<HEX_VALUE>"`
+    #     Algorithms can be e.g. sha256, sha512
+    #     See
+    #     https://github.com/in-toto/attestation/blob/main/spec/field_types.md#DigestSet
+    class Subject
+      include ::Google::Protobuf::MessageExts
+      extend ::Google::Protobuf::MessageExts::ClassMethods
+
+      # @!attribute [rw] key
+      #   @return [::String]
+      # @!attribute [rw] value
+      #   @return [::String]
+      class DigestEntry
+        include ::Google::Protobuf::MessageExts
+        extend ::Google::Protobuf::MessageExts::ClassMethods
+      end
+    end
+  end
+end

data/proto_docs/grafeas/v1/package.rb

@@ -101,6 +101,14 @@ module Grafeas
     # @!attribute [rw] revision
     #   @return [::String]
     #     The iteration of the package build from the above version.
+    # @!attribute [rw] inclusive
+    #   @return [::Boolean]
+    #     Whether this version is specifying part of an inclusive range. Grafeas
+    #     does not have the capability to specify version ranges; instead we have
+    #     fields that specify start version and end versions. At times this is
+    #     insufficient - we also need to specify whether the version is included in
+    #     the range or is excluded from the range. This boolean is expected to be set
+    #     to true when the version is included in a range.
     # @!attribute [rw] kind
     #   @return [::Grafeas::V1::Version::VersionKind]
     #     Required. Distinguishes between sentinel MIN/MAX versions and normal