<html><body>
<style>

body, h1, h2, h3, div, span, p, pre, a {
  margin: 0;
  padding: 0;
  border: 0;
  font-weight: inherit;
  font-style: inherit;
  font-size: 100%;
  font-family: inherit;
  vertical-align: baseline;
}

body {
  font-size: 13px;
  padding: 1em;
}

h1 {
  font-size: 26px;
  margin-bottom: 1em;
}

h2 {
  font-size: 24px;
  margin-bottom: 1em;
}

h3 {
  font-size: 20px;
  margin-bottom: 1em;
  margin-top: 1em;
}

pre, code {
  line-height: 1.5;
  font-family: Monaco, 'DejaVu Sans Mono', 'Bitstream Vera Sans Mono', 'Lucida Console', monospace;
}

pre {
  margin-top: 0.5em;
}

h1, h2, h3, p {
  font-family: Arial, sans serif;
}

h1, h2, h3 {
  border-bottom: solid #CCC 1px;
}

.toc_element {
  margin-top: 0.5em;
}

.firstline {
  margin-left: 2 em;
}

.method {
  margin-top: 1em;
  border: solid 1px #CCC;
  padding: 1em;
  background: #EEE;
}

.details {
  font-weight: bold;
  font-size: 14px;
}

</style>

<h1><a href="containeranalysis_v1beta1.html">Container Analysis API</a> . <a href="containeranalysis_v1beta1.projects.html">projects</a> . <a href="containeranalysis_v1beta1.projects.occurrences.html">occurrences</a></h1>
<h2>Instance Methods</h2>
<p class="toc_element">
  <code><a href="#batchCreate">batchCreate(parent, body, x__xgafv=None)</a></code></p>
<p class="firstline">Creates new occurrences in batch.</p>
<p class="toc_element">
  <code><a href="#create">create(parent, body, x__xgafv=None)</a></code></p>
<p class="firstline">Creates a new occurrence.</p>
<p class="toc_element">
  <code><a href="#delete">delete(name, x__xgafv=None)</a></code></p>
<p class="firstline">Deletes the specified occurrence. For example, use this method to delete an</p>
<p class="toc_element">
  <code><a href="#get">get(name, x__xgafv=None)</a></code></p>
<p class="firstline">Gets the specified occurrence.</p>
<p class="toc_element">
  <code><a href="#getIamPolicy">getIamPolicy(resource, body=None, x__xgafv=None)</a></code></p>
<p class="firstline">Gets the access control policy for a note or an occurrence resource.</p>
<p class="toc_element">
  <code><a href="#getNotes">getNotes(name, x__xgafv=None)</a></code></p>
<p class="firstline">Gets the note attached to the specified occurrence. Consumer projects can</p>
<p class="toc_element">
  <code><a href="#getVulnerabilitySummary">getVulnerabilitySummary(parent, x__xgafv=None, filter=None)</a></code></p>
<p class="firstline">Gets a summary of the number and severity of occurrences.</p>
<p class="toc_element">
  <code><a href="#list">list(parent, pageSize=None, pageToken=None, x__xgafv=None, filter=None)</a></code></p>
<p class="firstline">Lists occurrences for the specified project.</p>
<p class="toc_element">
  <code><a href="#list_next">list_next(previous_request, previous_response)</a></code></p>
<p class="firstline">Retrieves the next page of results.</p>
<p class="toc_element">
  <code><a href="#patch">patch(name, body, updateMask=None, x__xgafv=None)</a></code></p>
<p class="firstline">Updates the specified occurrence.</p>
<p class="toc_element">
  <code><a href="#setIamPolicy">setIamPolicy(resource, body, x__xgafv=None)</a></code></p>
<p class="firstline">Sets the access control policy on the specified note or occurrence.</p>
<p class="toc_element">
  <code><a href="#testIamPermissions">testIamPermissions(resource, body, x__xgafv=None)</a></code></p>
<p class="firstline">Returns the permissions that a caller has on the specified note or</p>
<h3>Method Details</h3>
<div class="method">
    <code class="details" id="batchCreate">batchCreate(parent, body, x__xgafv=None)</code>
  <pre>Creates new occurrences in batch.

Args:
  parent: string, The name of the project in the form of `projects/[PROJECT_ID]`, under which
the occurrences are to be created. (required)
  body: object, The request body. (required)
    The object takes the form of:

{ # Request to create occurrences in batch.
  "occurrences": [ # The occurrences to create. Max allowed length is 1000.
    { # An instance of an analysis type that has been found on a resource.
      "kind": "A String", # Output only. This explicitly denotes which of the occurrence details are
          # specified. This field can be used as a filter in list requests.
      "resource": { # An entity that can have metadata. For example, a Docker image. # Required. Immutable. The resource for which the occurrence applies.
        "contentHash": { # Container message for hash values. # Deprecated, do not use. Use uri instead.
            #
            # The hash of the resource content. For example, the Docker digest.
          "type": "A String", # Required. The type of hash that was performed.
          "value": "A String", # Required. The hash value.
        },
        "uri": "A String", # Required. The unique URI of the resource. For example,
            # `https://gcr.io/project/image@sha256:foo` for a Docker image.
        "name": "A String", # Deprecated, do not use. Use uri instead.
            #
            # The name of the resource. For example, the name of a Docker image -
            # "Debian".
      },
      "name": "A String", # Output only. The name of the occurrence in the form of
          # `projects/[PROJECT_ID]/occurrences/[OCCURRENCE_ID]`.
      "vulnerability": { # Details of a vulnerability Occurrence. # Describes a security vulnerability.
        "cvssScore": 3.14, # Output only. The CVSS score of this vulnerability. CVSS score is on a
            # scale of 0-10 where 0 indicates low severity and 10 indicates high
            # severity.
        "severity": "A String", # Output only. The note provider assigned Severity of the vulnerability.
        "type": "A String", # The type of package; whether native or non native(ruby gems, node.js
            # packages etc)
        "effectiveSeverity": "A String", # The distro assigned severity for this vulnerability when it is
            # available, and note provider assigned severity when distro has not yet
            # assigned a severity for this vulnerability.
        "relatedUrls": [ # Output only. URLs related to this vulnerability.
          { # Metadata for any related URL information.
            "url": "A String", # Specific URL associated with the resource.
            "label": "A String", # Label to describe usage of the URL.
          },
        ],
        "packageIssue": [ # Required. The set of affected locations and their fixes (if available)
            # within the associated resource.
          { # This message wraps a location affected by a vulnerability and its
              # associated fix (if one is available).
            "severityName": "A String", # Deprecated, use Details.effective_severity instead
                # The severity (e.g., distro assigned severity) for this vulnerability.
            "affectedLocation": { # The location of the vulnerability. # Required. The location of the vulnerability.
              "cpeUri": "A String", # Required. The CPE URI in [cpe format](https://cpe.mitre.org/specification/)
                  # format. Examples include distro or storage location for vulnerable jar.
              "version": { # Version contains structured information about the version of a package. # Required. The version of the package being described.
                "epoch": 42, # Used to correct mistakes in the version numbering scheme.
                "kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal
                    # versions.
                "name": "A String", # Required only when version kind is NORMAL. The main part of the version
                    # name.
                "revision": "A String", # The iteration of the package build from the above version.
              },
              "package": "A String", # Required. The package being described.
            },
            "fixedLocation": { # The location of the vulnerability. # The location of the available fix for vulnerability.
              "cpeUri": "A String", # Required. The CPE URI in [cpe format](https://cpe.mitre.org/specification/)
                  # format. Examples include distro or storage location for vulnerable jar.
              "version": { # Version contains structured information about the version of a package. # Required. The version of the package being described.
                "epoch": 42, # Used to correct mistakes in the version numbering scheme.
                "kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal
                    # versions.
                "name": "A String", # Required only when version kind is NORMAL. The main part of the version
                    # name.
                "revision": "A String", # The iteration of the package build from the above version.
              },
              "package": "A String", # Required. The package being described.
            },
          },
        ],
        "longDescription": "A String", # Output only. A detailed description of this vulnerability.
        "shortDescription": "A String", # Output only. A one sentence description of this vulnerability.
      },
      "updateTime": "A String", # Output only. The time this occurrence was last updated.
      "discovered": { # Details of a discovery occurrence. # Describes when a resource was discovered.
        "discovered": { # Provides information about the analysis status of a discovered resource. # Required. Analysis status for the discovered resource.
          "lastAnalysisTime": "A String", # The last time continuous analysis was done for this resource.
              # Deprecated, do not use.
          "analysisStatus": "A String", # The status of discovery for the resource.
          "continuousAnalysis": "A String", # Whether the resource is continuously analyzed.
          "analysisStatusError": { # The `Status` type defines a logical error model that is suitable for # When an error is encountered this will contain a LocalizedMessage under
              # details to show to the user. The LocalizedMessage is output only and
              # populated by the API.
              # different programming environments, including REST APIs and RPC APIs. It is
              # used by [gRPC](https://github.com/grpc). Each `Status` message contains
              # three pieces of data: error code, error message, and error details.
              #
              # You can find out more about this error model and how to work with it in the
              # [API Design Guide](https://cloud.google.com/apis/design/errors).
            "message": "A String", # A developer-facing error message, which should be in English. Any
                # user-facing error message should be localized and sent in the
                # google.rpc.Status.details field, or localized by the client.
            "code": 42, # The status code, which should be an enum value of google.rpc.Code.
            "details": [ # A list of messages that carry the error details. There is a common set of
                # message types for APIs to use.
              {
                "a_key": "", # Properties of the object. Contains field @type with type URL.
              },
            ],
          },
        },
      },
      "attestation": { # Details of an attestation occurrence. # Describes an attestation of an artifact.
        "attestation": { # Occurrence that represents a single "attestation". The authenticity of an # Required. Attestation for the resource.
            # attestation can be verified using the attached signature. If the verifier
            # trusts the public key of the signer, then verifying the signature is
            # sufficient to establish trust. In this circumstance, the authority to which
            # this attestation is attached is primarily useful for look-up (how to find
            # this attestation if you already know the authority and artifact to be
            # verified) and intent (which authority was this attestation intended to sign
            # for).
          "pgpSignedAttestation": { # An attestation wrapper with a PGP-compatible signature. This message only # A PGP signed attestation.
              # supports `ATTACHED` signatures, where the payload that is signed is included
              # alongside the signature itself in the same file.
            "pgpKeyId": "A String", # The cryptographic fingerprint of the key used to generate the signature,
                # as output by, e.g. `gpg --list-keys`. This should be the version 4, full
                # 160-bit fingerprint, expressed as a 40 character hexadecimal string. See
                # https://tools.ietf.org/html/rfc4880#section-12.2 for details.
                # Implementations may choose to acknowledge "LONG", "SHORT", or other
                # abbreviated key IDs, but only the full fingerprint is guaranteed to work.
                # In gpg, the full fingerprint can be retrieved from the `fpr` field
                # returned when calling --list-keys with --with-colons. For example:
                # ```
                # gpg --with-colons --with-fingerprint --force-v4-certs \
                #     --list-keys attester@example.com
                # tru::1:1513631572:0:3:1:5
                # pub:...&lt;SNIP&gt;...
                # fpr:::::::::24FF6481B76AC91E66A00AC657A93A81EF3AE6FB:
                # ```
                # Above, the fingerprint is `24FF6481B76AC91E66A00AC657A93A81EF3AE6FB`.
            "contentType": "A String", # Type (for example schema) of the attestation payload that was signed.
                # The verifier must ensure that the provided type is one that the verifier
                # supports, and that the attestation payload is a valid instantiation of that
                # type (for example by validating a JSON schema).
            "signature": "A String", # Required. The raw content of the signature, as output by GNU Privacy Guard
                # (GPG) or equivalent. Since this message only supports attached signatures,
                # the payload that was signed must be attached. While the signature format
                # supported is dependent on the verification implementation, currently only
                # ASCII-armored (`--armor` to gpg), non-clearsigned (`--sign` rather than
                # `--clearsign` to gpg) are supported. Concretely, `gpg --sign --armor
                # --output=signature.gpg payload.json` will create the signature content
                # expected in this field in `signature.gpg` for the `payload.json`
                # attestation payload.
          },
          "genericSignedAttestation": { # An attestation wrapper that uses the Grafeas `Signature` message.
              # This attestation must define the `serialized_payload` that the `signatures`
              # verify and any metadata necessary to interpret that plaintext. The
              # signatures should always be over the `serialized_payload` bytestring.
            "signatures": [ # One or more signatures over `serialized_payload`. Verifier implementations
                # should consider this attestation message verified if at least one
                # `signature` verifies `serialized_payload`. See `Signature` in common.proto
                # for more details on signature structure and verification.
              { # Verifiers (e.g. Kritis implementations) MUST verify signatures
                  # with respect to the trust anchors defined in policy (e.g. a Kritis policy).
                  # Typically this means that the verifier has been configured with a map from
                  # `public_key_id` to public key material (and any required parameters, e.g.
                  # signing algorithm).
                  #
                  # In particular, verification implementations MUST NOT treat the signature
                  # `public_key_id` as anything more than a key lookup hint. The `public_key_id`
                  # DOES NOT validate or authenticate a public key; it only provides a mechanism
                  # for quickly selecting a public key ALREADY CONFIGURED on the verifier through
                  # a trusted channel. Verification implementations MUST reject signatures in any
                  # of the following circumstances:
                  #   * The `public_key_id` is not recognized by the verifier.
                  #   * The public key that `public_key_id` refers to does not verify the
                  #     signature with respect to the payload.
                  #
                  # The `signature` contents SHOULD NOT be "attached" (where the payload is
                  # included with the serialized `signature` bytes). Verifiers MUST ignore any
                  # "attached" payload and only verify signatures with respect to explicitly
                  # provided payload (e.g. a `payload` field on the proto message that holds
                  # this Signature, or the canonical serialization of the proto message that
                  # holds this signature).
                "publicKeyId": "A String", # The identifier for the public key that verifies this signature.
                    #   * The `public_key_id` is required.
                    #   * The `public_key_id` MUST be an RFC3986 conformant URI.
                    #   * When possible, the `public_key_id` SHOULD be an immutable reference,
                    #     such as a cryptographic digest.
                    #
                    # Examples of valid `public_key_id`s:
                    #
                    # OpenPGP V4 public key fingerprint:
                    #   * "openpgp4fpr:74FAF3B861BDA0870C7B6DEF607E48D2A663AEEA"
                    # See https://www.iana.org/assignments/uri-schemes/prov/openpgp4fpr for more
                    # details on this scheme.
                    #
                    # RFC6920 digest-named SubjectPublicKeyInfo (digest of the DER
                    # serialization):
                    #   * "ni:///sha-256;cD9o9Cq6LG3jD0iKXqEi_vdjJGecm_iXkbqVoScViaU"
                    #   * "nih:///sha-256;703f68f42aba2c6de30f488a5ea122fef76324679c9bf89791ba95a1271589a5"
                "signature": "A String", # The content of the signature, an opaque bytestring.
                    # The payload that this signature verifies MUST be unambiguously provided
                    # with the Signature during verification. A wrapper message might provide
                    # the payload explicitly. Alternatively, a message might have a canonical
                    # serialization that can always be unambiguously computed to derive the
                    # payload.
              },
            ],
            "contentType": "A String", # Type (for example schema) of the attestation payload that was signed.
                # The verifier must ensure that the provided type is one that the verifier
                # supports, and that the attestation payload is a valid instantiation of that
                # type (for example by validating a JSON schema).
            "serializedPayload": "A String", # The serialized payload that is verified by one or more `signatures`.
                # The encoding and semantic meaning of this payload must match what is set in
                # `content_type`.
          },
        },
      },
      "build": { # Details of a build occurrence. # Describes a verifiable build.
        "provenance": { # Provenance of a build. Contains all information needed to verify the full # Required. The actual provenance for the build.
            # details about the build from source to completion.
          "commands": [ # Commands requested by the build.
            { # Command describes a step performed as part of the build pipeline.
              "waitFor": [ # The ID(s) of the command(s) that this command depends on.
                "A String",
              ],
              "name": "A String", # Required. Name of the command, as presented on the command line, or if the
                  # command is packaged as a Docker container, as presented to `docker pull`.
              "args": [ # Command-line arguments used when executing this command.
                "A String",
              ],
              "env": [ # Environment variables set before running this command.
                "A String",
              ],
              "id": "A String", # Optional unique identifier for this command, used in wait_for to reference
                  # this command as a dependency.
              "dir": "A String", # Working directory (relative to project source root) used when running this
                  # command.
            },
          ],
          "sourceProvenance": { # Source describes the location of the source used for the build. # Details of the Source input to the build.
            "fileHashes": { # Hash(es) of the build source, which can be used to verify that the original
                # source integrity was maintained in the build.
                #
                # The keys to this map are file paths used as build source and the values
                # contain the hash values for those files.
                #
                # If the build source came in a single package such as a gzipped tarfile
                # (.tar.gz), the FileHash will be for the single path to that file.
              "a_key": { # Container message for hashes of byte content of files, used in source
                  # messages to verify integrity of source input to the build.
                "fileHash": [ # Required. Collection of file hashes.
                  { # Container message for hash values.
                    "type": "A String", # Required. The type of hash that was performed.
                    "value": "A String", # Required. The hash value.
                  },
                ],
              },
            },
            "artifactStorageSourceUri": "A String", # If provided, the input binary artifacts for the build came from this
                # location.
            "additionalContexts": [ # If provided, some of the source code used for the build may be found in
                # these locations, in the case where the source repository had multiple
                # remotes or submodules. This list will not include the context specified in
                # the context field.
              { # A SourceContext is a reference to a tree of files. A SourceContext together
                  # with a path point to a unique revision of a single file or directory.
                "git": { # A GitSourceContext denotes a particular revision in a third party Git # A SourceContext referring to any third party Git repo (e.g., GitHub).
                    # repository (e.g., GitHub).
                  "url": "A String", # Git repository URL.
                  "revisionId": "A String", # Git commit hash.
                },
                "cloudRepo": { # A CloudRepoSourceContext denotes a particular revision in a Google Cloud # A SourceContext referring to a revision in a Google Cloud Source Repo.
                    # Source Repo.
                  "aliasContext": { # An alias to a repo revision. # An alias, which may be a branch or tag.
                    "kind": "A String", # The alias kind.
                    "name": "A String", # The alias name.
                  },
                  "revisionId": "A String", # A revision ID.
                  "repoId": { # A unique identifier for a Cloud Repo. # The ID of the repo.
                    "uid": "A String", # A server-assigned, globally unique identifier.
                    "projectRepoId": { # Selects a repo using a Google Cloud Platform project ID (e.g., # A combination of a project ID and a repo name.
                        # winged-cargo-31) and a repo name within that project.
                      "projectId": "A String", # The ID of the project.
                      "repoName": "A String", # The name of the repo. Leave empty for the default repo.
                    },
                  },
                },
                "labels": { # Labels with user defined metadata.
                  "a_key": "A String",
                },
                "gerrit": { # A SourceContext referring to a Gerrit project. # A SourceContext referring to a Gerrit project.
                  "aliasContext": { # An alias to a repo revision. # An alias, which may be a branch or tag.
                    "kind": "A String", # The alias kind.
                    "name": "A String", # The alias name.
                  },
                  "revisionId": "A String", # A revision (commit) ID.
                  "hostUri": "A String", # The URI of a running Gerrit instance.
                  "gerritProject": "A String", # The full project name within the host. Projects may be nested, so
                      # "project/subproject" is a valid project name. The "repo name" is the
                      # hostURI/project.
                },
              },
            ],
            "context": { # A SourceContext is a reference to a tree of files. A SourceContext together # If provided, the source code used for the build came from this location.
                # with a path point to a unique revision of a single file or directory.
              "git": { # A GitSourceContext denotes a particular revision in a third party Git # A SourceContext referring to any third party Git repo (e.g., GitHub).
                  # repository (e.g., GitHub).
                "url": "A String", # Git repository URL.
                "revisionId": "A String", # Git commit hash.
              },
              "cloudRepo": { # A CloudRepoSourceContext denotes a particular revision in a Google Cloud # A SourceContext referring to a revision in a Google Cloud Source Repo.
                  # Source Repo.
                "aliasContext": { # An alias to a repo revision. # An alias, which may be a branch or tag.
                  "kind": "A String", # The alias kind.
                  "name": "A String", # The alias name.
                },
                "revisionId": "A String", # A revision ID.
                "repoId": { # A unique identifier for a Cloud Repo. # The ID of the repo.
                  "uid": "A String", # A server-assigned, globally unique identifier.
                  "projectRepoId": { # Selects a repo using a Google Cloud Platform project ID (e.g., # A combination of a project ID and a repo name.
                      # winged-cargo-31) and a repo name within that project.
                    "projectId": "A String", # The ID of the project.
                    "repoName": "A String", # The name of the repo. Leave empty for the default repo.
                  },
                },
              },
              "labels": { # Labels with user defined metadata.
                "a_key": "A String",
              },
              "gerrit": { # A SourceContext referring to a Gerrit project. # A SourceContext referring to a Gerrit project.
                "aliasContext": { # An alias to a repo revision. # An alias, which may be a branch or tag.
                  "kind": "A String", # The alias kind.
                  "name": "A String", # The alias name.
                },
                "revisionId": "A String", # A revision (commit) ID.
                "hostUri": "A String", # The URI of a running Gerrit instance.
                "gerritProject": "A String", # The full project name within the host. Projects may be nested, so
                    # "project/subproject" is a valid project name. The "repo name" is the
                    # hostURI/project.
              },
            },
          },
          "buildOptions": { # Special options applied to this build. This is a catch-all field where
              # build providers can enter any desired additional details.
            "a_key": "A String",
          },
          "creator": "A String", # E-mail address of the user who initiated this build. Note that this was the
              # user's e-mail address at the time the build was initiated; this address may
              # not represent the same end-user for all time.
          "projectId": "A String", # ID of the project.
          "builderVersion": "A String", # Version string of the builder at the time this build was executed.
          "createTime": "A String", # Time at which the build was created.
          "builtArtifacts": [ # Output of the build.
            { # Artifact describes a build product.
              "checksum": "A String", # Hash or checksum value of a binary, or Docker Registry 2.0 digest of a
                  # container.
              "id": "A String", # Artifact ID, if any; for container images, this will be a URL by digest
                  # like `gcr.io/projectID/imagename@sha256:123456`.
              "names": [ # Related artifact names. This may be the path to a binary or jar file, or in
                  # the case of a container build, the name used to push the container image to
                  # Google Container Registry, as presented to `docker push`. Note that a
                  # single Artifact ID can have multiple names, for example if two tags are
                  # applied to one image.
                "A String",
              ],
            },
          ],
          "triggerId": "A String", # Trigger identifier if the build was triggered automatically; empty if not.
          "startTime": "A String", # Time at which execution of the build was started.
          "endTime": "A String", # Time at which execution of the build was finished.
          "id": "A String", # Required. Unique identifier of the build.
          "logsUri": "A String", # URI where any logs for this provenance were written.
        },
        "provenanceBytes": "A String", # Serialized JSON representation of the provenance, used in generating the
            # build signature in the corresponding build note. After verifying the
            # signature, `provenance_bytes` can be unmarshalled and compared to the
            # provenance to confirm that it is unchanged. A base64-encoded string
            # representation of the provenance bytes is used for the signature in order
            # to interoperate with openssl which expects this format for signature
            # verification.
            #
            # The serialized form is captured both to avoid ambiguity in how the
            # provenance is marshalled to json as well to prevent incompatibilities with
            # future changes.
      },
      "deployment": { # Details of a deployment occurrence. # Describes the deployment of an artifact on a runtime.
        "deployment": { # The period during which some deployable was active in a runtime. # Required. Deployment history for the resource.
          "resourceUri": [ # Output only. Resource URI for the artifact being deployed taken from
              # the deployable field with the same name.
            "A String",
          ],
          "userEmail": "A String", # Identity of the user that triggered this deployment.
          "address": "A String", # Address of the runtime element hosting this deployment.
          "platform": "A String", # Platform hosting this deployment.
          "deployTime": "A String", # Required. Beginning of the lifetime of this deployment.
          "undeployTime": "A String", # End of the lifetime of this deployment.
          "config": "A String", # Configuration used to create this deployment.
        },
      },
      "remediation": "A String", # A description of actions that can be taken to remedy the note.
      "installation": { # Details of a package occurrence. # Describes the installation of a package on the linked resource.
        "installation": { # This represents how a particular software package may be installed on a # Required. Where the package was installed.
            # system.
          "location": [ # Required. All of the places within the filesystem versions of this package
              # have been found.
            { # An occurrence of a particular package installation found within a system's
                # filesystem. E.g., glibc was found in `/var/lib/dpkg/status`.
              "path": "A String", # The path from which we gathered that this package/version is installed.
              "cpeUri": "A String", # Required. The CPE URI in [CPE format](https://cpe.mitre.org/specification/)
                  # denoting the package manager version distributing a package.
              "version": { # Version contains structured information about the version of a package. # The version installed at this location.
                "epoch": 42, # Used to correct mistakes in the version numbering scheme.
                "kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal
                    # versions.
                "name": "A String", # Required only when version kind is NORMAL. The main part of the version
                    # name.
                "revision": "A String", # The iteration of the package build from the above version.
              },
            },
          ],
          "name": "A String", # Output only. The name of the installed package.
        },
      },
      "createTime": "A String", # Output only. The time this occurrence was created.
      "derivedImage": { # Details of an image occurrence. # Describes how this resource derives from the basis in the associated
          # note.
        "derivedImage": { # Derived describes the derived image portion (Occurrence) of the DockerImage # Required. Immutable. The child image derived from the base image.
            # relationship. This image would be produced from a Dockerfile with FROM
            # &lt;DockerImage.Basis in attached Note&gt;.
          "distance": 42, # Output only. The number of layers by which this image differs from the
              # associated image basis.
          "baseResourceUrl": "A String", # Output only. This contains the base image URL for the derived image
              # occurrence.
          "layerInfo": [ # This contains layer-specific metadata, if populated it has length
              # "distance" and is ordered with [distance] being the layer immediately
              # following the base image and [1] being the final layer.
            { # Layer holds metadata specific to a layer of a Docker image.
              "arguments": "A String", # The recovered arguments to the Dockerfile directive.
              "directive": "A String", # Required. The recovered Dockerfile directive used to construct this layer.
            },
          ],
          "fingerprint": { # A set of properties that uniquely identify a given Docker image. # Required. The fingerprint of the derived image.
            "v1Name": "A String", # Required. The layer ID of the final layer in the Docker image's v1
                # representation.
            "v2Name": "A String", # Output only. The name of the image's v2 blobs computed via:
                #   [bottom] := v2_blob[bottom]
                #   [N] := sha256(v2_blob[N] + " " + v2_name[N+1])
                # Only the name of the final blob is kept.
            "v2Blob": [ # Required. The ordered list of v2 blobs that represent a given image.
              "A String",
            ],
          },
        },
      },
      "noteName": "A String", # Required. Immutable. The analysis note associated with this occurrence, in
          # the form of `projects/[PROVIDER_ID]/notes/[NOTE_ID]`. This field can be
          # used as a filter in list requests.
    },
  ],
}

  x__xgafv: string, V1 error format.
    Allowed values
      1 - v1 error format
      2 - v2 error format

Returns:
  An object of the form:

    { # Response for creating occurrences in batch.
      "occurrences": [ # The occurrences that were created.
        { # An instance of an analysis type that has been found on a resource.
          "kind": "A String", # Output only. This explicitly denotes which of the occurrence details are
              # specified. This field can be used as a filter in list requests.
          "resource": { # An entity that can have metadata. For example, a Docker image. # Required. Immutable. The resource for which the occurrence applies.
            "contentHash": { # Container message for hash values. # Deprecated, do not use. Use uri instead.
                #
                # The hash of the resource content. For example, the Docker digest.
              "type": "A String", # Required. The type of hash that was performed.
              "value": "A String", # Required. The hash value.
            },
            "uri": "A String", # Required. The unique URI of the resource. For example,
                # `https://gcr.io/project/image@sha256:foo` for a Docker image.
            "name": "A String", # Deprecated, do not use. Use uri instead.
                #
                # The name of the resource. For example, the name of a Docker image -
                # "Debian".
          },
          "name": "A String", # Output only. The name of the occurrence in the form of
              # `projects/[PROJECT_ID]/occurrences/[OCCURRENCE_ID]`.
          "vulnerability": { # Details of a vulnerability Occurrence. # Describes a security vulnerability.
            "cvssScore": 3.14, # Output only. The CVSS score of this vulnerability. CVSS score is on a
                # scale of 0-10 where 0 indicates low severity and 10 indicates high
                # severity.
            "severity": "A String", # Output only. The note provider assigned Severity of the vulnerability.
            "type": "A String", # The type of package; whether native or non-native (Ruby gems, Node.js
                # packages, etc.)
            "effectiveSeverity": "A String", # The distro assigned severity for this vulnerability when it is
                # available, and note provider assigned severity when distro has not yet
                # assigned a severity for this vulnerability.
            "relatedUrls": [ # Output only. URLs related to this vulnerability.
              { # Metadata for any related URL information.
                "url": "A String", # Specific URL associated with the resource.
                "label": "A String", # Label to describe usage of the URL.
              },
            ],
            "packageIssue": [ # Required. The set of affected locations and their fixes (if available)
                # within the associated resource.
              { # This message wraps a location affected by a vulnerability and its
                  # associated fix (if one is available).
                "severityName": "A String", # Deprecated, use Details.effective_severity instead.
                    # The severity (e.g., distro assigned severity) for this vulnerability.
                "affectedLocation": { # The location of the vulnerability. # Required. The location of the vulnerability.
                  "cpeUri": "A String", # Required. The CPE URI in [CPE format](https://cpe.mitre.org/specification/).
                      # Examples include distro or storage location for vulnerable jar.
                  "version": { # Version contains structured information about the version of a package. # Required. The version of the package being described.
                    "epoch": 42, # Used to correct mistakes in the version numbering scheme.
                    "kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal
                        # versions.
                    "name": "A String", # Required only when version kind is NORMAL. The main part of the version
                        # name.
                    "revision": "A String", # The iteration of the package build from the above version.
                  },
                  "package": "A String", # Required. The package being described.
                },
                "fixedLocation": { # The location of the vulnerability.
                    # The location of the available fix for vulnerability.
                  "cpeUri": "A String", # Required. The CPE URI in [CPE format](https://cpe.mitre.org/specification/).
                      # Examples include distro or storage location for vulnerable jar.
                  "version": { # Version contains structured information about the version of a package. # Required. The version of the package being described.
                    "epoch": 42, # Used to correct mistakes in the version numbering scheme.
                    "kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal
                        # versions.
                    "name": "A String", # Required only when version kind is NORMAL. The main part of the version
                        # name.
                    "revision": "A String", # The iteration of the package build from the above version.
                  },
                  "package": "A String", # Required. The package being described.
                },
              },
            ],
            "longDescription": "A String", # Output only. A detailed description of this vulnerability.
            "shortDescription": "A String", # Output only. A one sentence description of this vulnerability.
          },
          "updateTime": "A String", # Output only. The time this occurrence was last updated.
          "discovered": { # Details of a discovery occurrence. # Describes when a resource was discovered.
            "discovered": { # Provides information about the analysis status of a discovered resource. # Required. Analysis status for the discovered resource.
              "lastAnalysisTime": "A String", # The last time continuous analysis was done for this resource.
                  # Deprecated, do not use.
              "analysisStatus": "A String", # The status of discovery for the resource.
              "continuousAnalysis": "A String", # Whether the resource is continuously analyzed.
              "analysisStatusError": { # The `Status` type defines a logical error model that is suitable for
                  # different programming environments, including REST APIs and RPC APIs. It is
                  # used by [gRPC](https://github.com/grpc). Each `Status` message contains
                  # three pieces of data: error code, error message, and error details.
                  #
                  # You can find out more about this error model and how to work with it in the
                  # [API Design Guide](https://cloud.google.com/apis/design/errors).
                  #
                  # When an error is encountered this will contain a LocalizedMessage under
                  # details to show to the user. The LocalizedMessage is output only and
                  # populated by the API.
                "message": "A String", # A developer-facing error message, which should be in English. Any
                    # user-facing error message should be localized and sent in the
                    # google.rpc.Status.details field, or localized by the client.
                "code": 42, # The status code, which should be an enum value of google.rpc.Code.
                "details": [ # A list of messages that carry the error details. There is a common set of
                    # message types for APIs to use.
                  {
                    "a_key": "", # Properties of the object. Contains field @type with type URL.
                  },
                ],
              },
            },
          },
          "attestation": { # Details of an attestation occurrence. # Describes an attestation of an artifact.
            "attestation": { # Occurrence that represents a single "attestation". The authenticity of an
                # attestation can be verified using the attached signature. If the verifier
                # trusts the public key of the signer, then verifying the signature is
                # sufficient to establish trust. In this circumstance, the authority to which
                # this attestation is attached is primarily useful for look-up (how to find
                # this attestation if you already know the authority and artifact to be
                # verified) and intent (which authority was this attestation intended to sign
                # for).
                #
                # Required. Attestation for the resource.
              "pgpSignedAttestation": { # An attestation wrapper with a PGP-compatible signature. This message only
                  # supports `ATTACHED` signatures, where the payload that is signed is included
                  # alongside the signature itself in the same file.
                  #
                  # A PGP signed attestation.
                "pgpKeyId": "A String", # The cryptographic fingerprint of the key used to generate the signature,
                    # as output by, e.g. `gpg --list-keys`. This should be the version 4, full
                    # 160-bit fingerprint, expressed as a 40-character hexadecimal string. See
                    # https://tools.ietf.org/html/rfc4880#section-12.2 for details.
                    # Implementations may choose to acknowledge "LONG", "SHORT", or other
                    # abbreviated key IDs, but only the full fingerprint is guaranteed to work.
                    # In gpg, the full fingerprint can be retrieved from the `fpr` field
                    # returned when calling --list-keys with --with-colons. For example:
                    # ```
                    # gpg --with-colons --with-fingerprint --force-v4-certs \
                    #     --list-keys attester@example.com
                    # tru::1:1513631572:0:3:1:5
                    # pub:...<SNIP>...
                    # fpr:::::::::24FF6481B76AC91E66A00AC657A93A81EF3AE6FB:
                    # ```
                    # Above, the fingerprint is `24FF6481B76AC91E66A00AC657A93A81EF3AE6FB`.
                "contentType": "A String", # Type (for example schema) of the attestation payload that was signed.
                    # The verifier must ensure that the provided type is one that the verifier
                    # supports, and that the attestation payload is a valid instantiation of that
                    # type (for example by validating a JSON schema).
                "signature": "A String", # Required. The raw content of the signature, as output by GNU Privacy Guard
                    # (GPG) or equivalent. Since this message only supports attached signatures,
                    # the payload that was signed must be attached. While the signature format
                    # supported is dependent on the verification implementation, currently only
                    # ASCII-armored (`--armor` to gpg), non-clearsigned (`--sign` rather than
                    # `--clearsign` to gpg) are supported. Concretely, `gpg --sign --armor
                    # --output=signature.gpg payload.json` will create the signature content
                    # expected in this field in `signature.gpg` for the `payload.json`
                    # attestation payload.
              },
              "genericSignedAttestation": { # An attestation wrapper that uses the Grafeas `Signature` message.
                  # This attestation must define the `serialized_payload` that the `signatures`
                  # verify and any metadata necessary to interpret that plaintext. The
                  # signatures should always be over the `serialized_payload` bytestring.
                "signatures": [ # One or more signatures over `serialized_payload`. Verifier implementations
                    # should consider this attestation message verified if at least one
                    # `signature` verifies `serialized_payload`. See `Signature` in common.proto
                    # for more details on signature structure and verification.
                  { # Verifiers (e.g. Kritis implementations) MUST verify signatures
                      # with respect to the trust anchors defined in policy (e.g. a Kritis policy).
                      # Typically this means that the verifier has been configured with a map from
                      # `public_key_id` to public key material (and any required parameters, e.g.
                      # signing algorithm).
                      #
                      # In particular, verification implementations MUST NOT treat the signature
                      # `public_key_id` as anything more than a key lookup hint. The `public_key_id`
                      # DOES NOT validate or authenticate a public key; it only provides a mechanism
                      # for quickly selecting a public key ALREADY CONFIGURED on the verifier through
                      # a trusted channel. Verification implementations MUST reject signatures in any
                      # of the following circumstances:
                      #   * The `public_key_id` is not recognized by the verifier.
                      #   * The public key that `public_key_id` refers to does not verify the
                      #     signature with respect to the payload.
                      #
                      # The `signature` contents SHOULD NOT be "attached" (where the payload is
                      # included with the serialized `signature` bytes). Verifiers MUST ignore any
                      # "attached" payload and only verify signatures with respect to explicitly
                      # provided payload (e.g.
                      # a `payload` field on the proto message that holds
                      # this Signature, or the canonical serialization of the proto message that
                      # holds this signature).
                    "publicKeyId": "A String", # The identifier for the public key that verifies this signature.
                        #   * The `public_key_id` is required.
                        #   * The `public_key_id` MUST be an RFC3986 conformant URI.
                        #   * When possible, the `public_key_id` SHOULD be an immutable reference,
                        #     such as a cryptographic digest.
                        #
                        # Examples of valid `public_key_id`s:
                        #
                        # OpenPGP V4 public key fingerprint:
                        #   * "openpgp4fpr:74FAF3B861BDA0870C7B6DEF607E48D2A663AEEA"
                        # See https://www.iana.org/assignments/uri-schemes/prov/openpgp4fpr for more
                        # details on this scheme.
                        #
                        # RFC6920 digest-named SubjectPublicKeyInfo (digest of the DER
                        # serialization):
                        #   * "ni:///sha-256;cD9o9Cq6LG3jD0iKXqEi_vdjJGecm_iXkbqVoScViaU"
                        #   * "nih:///sha-256;703f68f42aba2c6de30f488a5ea122fef76324679c9bf89791ba95a1271589a5"
                    "signature": "A String", # The content of the signature, an opaque bytestring.
                        # The payload that this signature verifies MUST be unambiguously provided
                        # with the Signature during verification. A wrapper message might provide
                        # the payload explicitly. Alternatively, a message might have a canonical
                        # serialization that can always be unambiguously computed to derive the
                        # payload.
                  },
                ],
                "contentType": "A String", # Type (for example schema) of the attestation payload that was signed.
                    # The verifier must ensure that the provided type is one that the verifier
                    # supports, and that the attestation payload is a valid instantiation of that
                    # type (for example by validating a JSON schema).
                "serializedPayload": "A String", # The serialized payload that is verified by one or more `signatures`.
                    # The encoding and semantic meaning of this payload must match what is set in
                    # `content_type`.
              },
            },
          },
          "build": { # Details of a build occurrence. # Describes a verifiable build.
            "provenance": { # Provenance of a build. Contains all information needed to verify the full
                # details about the build from source to completion.
                #
                # Required. The actual provenance for the build.
              "commands": [ # Commands requested by the build.
                { # Command describes a step performed as part of the build pipeline.
                  "waitFor": [ # The ID(s) of the command(s) that this command depends on.
                    "A String",
                  ],
                  "name": "A String", # Required. Name of the command, as presented on the command line, or if the
                      # command is packaged as a Docker container, as presented to `docker pull`.
                  "args": [ # Command-line arguments used when executing this command.
                    "A String",
                  ],
                  "env": [ # Environment variables set before running this command.
                    "A String",
                  ],
                  "id": "A String", # Optional unique identifier for this command, used in wait_for to reference
                      # this command as a dependency.
                  "dir": "A String", # Working directory (relative to project source root) used when running this
                      # command.
                },
              ],
              "sourceProvenance": { # Source describes the location of the source used for the build. # Details of the Source input to the build.
                "fileHashes": { # Hash(es) of the build source, which can be used to verify that the original
                    # source integrity was maintained in the build.
                    #
                    # The keys to this map are file paths used as build source and the values
                    # contain the hash values for those files.
                    #
                    # If the build source came in a single package such as a gzipped tarfile
                    # (.tar.gz), the FileHash will be for the single path to that file.
                  "a_key": { # Container message for hashes of byte content of files, used in source
                      # messages to verify integrity of source input to the build.
                    "fileHash": [ # Required. Collection of file hashes.
                      { # Container message for hash values.
                        "type": "A String", # Required. The type of hash that was performed.
                        "value": "A String", # Required. The hash value.
                      },
                    ],
                  },
                },
                "artifactStorageSourceUri": "A String", # If provided, the input binary artifacts for the build came from this
                    # location.
                "additionalContexts": [ # If provided, some of the source code used for the build may be found in
                    # these locations, in the case where the source repository had multiple
                    # remotes or submodules. This list will not include the context specified in
                    # the context field.
                  { # A SourceContext is a reference to a tree of files. A SourceContext together
                      # with a path point to a unique revision of a single file or directory.
                    "git": { # A GitSourceContext denotes a particular revision in a third party Git
                        # repository (e.g., GitHub).
                        #
                        # A SourceContext referring to any third party Git repo (e.g., GitHub).
                      "url": "A String", # Git repository URL.
                      "revisionId": "A String", # Git commit hash.
                    },
                    "cloudRepo": { # A CloudRepoSourceContext denotes a particular revision in a Google Cloud
                        # Source Repo.
                        #
                        # A SourceContext referring to a revision in a Google Cloud Source Repo.
                      "aliasContext": { # An alias to a repo revision. # An alias, which may be a branch or tag.
                        "kind": "A String", # The alias kind.
                        "name": "A String", # The alias name.
                      },
                      "revisionId": "A String", # A revision ID.
                      "repoId": { # A unique identifier for a Cloud Repo. # The ID of the repo.
                        "uid": "A String", # A server-assigned, globally unique identifier.
                        "projectRepoId": { # Selects a repo using a Google Cloud Platform project ID (e.g.,
                            # winged-cargo-31) and a repo name within that project.
                            #
                            # A combination of a project ID and a repo name.
                          "projectId": "A String", # The ID of the project.
                          "repoName": "A String", # The name of the repo. Leave empty for the default repo.
                        },
                      },
                    },
                    "labels": { # Labels with user defined metadata.
                      "a_key": "A String",
                    },
                    "gerrit": { # A SourceContext referring to a Gerrit project. # A SourceContext referring to a Gerrit project.
                      "aliasContext": { # An alias to a repo revision. # An alias, which may be a branch or tag.
                        "kind": "A String", # The alias kind.
                        "name": "A String", # The alias name.
                      },
                      "revisionId": "A String", # A revision (commit) ID.
                      "hostUri": "A String", # The URI of a running Gerrit instance.
                      "gerritProject": "A String", # The full project name within the host. Projects may be nested, so
                          # "project/subproject" is a valid project name. The "repo name" is the
                          # hostURI/project.
                    },
                  },
                ],
                "context": { # A SourceContext is a reference to a tree of files. A SourceContext together
                    # with a path point to a unique revision of a single file or directory.
                    #
                    # If provided, the source code used for the build came from this location.
                  "git": { # A GitSourceContext denotes a particular revision in a third party Git
                      # repository (e.g., GitHub).
                      #
                      # A SourceContext referring to any third party Git repo (e.g., GitHub).
                    "url": "A String", # Git repository URL.
                    "revisionId": "A String", # Git commit hash.
                  },
                  "cloudRepo": { # A CloudRepoSourceContext denotes a particular revision in a Google Cloud
                      # Source Repo.
                      #
                      # A SourceContext referring to a revision in a Google Cloud Source Repo.
                    "aliasContext": { # An alias to a repo revision. # An alias, which may be a branch or tag.
                      "kind": "A String", # The alias kind.
                      "name": "A String", # The alias name.
                    },
                    "revisionId": "A String", # A revision ID.
                    "repoId": { # A unique identifier for a Cloud Repo. # The ID of the repo.
                      "uid": "A String", # A server-assigned, globally unique identifier.
                      "projectRepoId": { # Selects a repo using a Google Cloud Platform project ID (e.g.,
                          # winged-cargo-31) and a repo name within that project.
                          #
                          # A combination of a project ID and a repo name.
                        "projectId": "A String", # The ID of the project.
                        "repoName": "A String", # The name of the repo. Leave empty for the default repo.
                      },
                    },
                  },
                  "labels": { # Labels with user defined metadata.
                    "a_key": "A String",
                  },
                  "gerrit": { # A SourceContext referring to a Gerrit project. # A SourceContext referring to a Gerrit project.
                    "aliasContext": { # An alias to a repo revision. # An alias, which may be a branch or tag.
                      "kind": "A String", # The alias kind.
                      "name": "A String", # The alias name.
                    },
                    "revisionId": "A String", # A revision (commit) ID.
                    "hostUri": "A String", # The URI of a running Gerrit instance.
                    "gerritProject": "A String", # The full project name within the host. Projects may be nested, so
                        # "project/subproject" is a valid project name. The "repo name" is the
                        # hostURI/project.
                  },
                },
              },
              "buildOptions": { # Special options applied to this build. This is a catch-all field where
                  # build providers can enter any desired additional details.
                "a_key": "A String",
              },
              "creator": "A String", # E-mail address of the user who initiated this build. Note that this was the
                  # user's e-mail address at the time the build was initiated; this address may
                  # not represent the same end-user for all time.
              "projectId": "A String", # ID of the project.
              "builderVersion": "A String", # Version string of the builder at the time this build was executed.
              "createTime": "A String", # Time at which the build was created.
              "builtArtifacts": [ # Output of the build.
                { # Artifact describes a build product.
                  "checksum": "A String", # Hash or checksum value of a binary, or Docker Registry 2.0 digest of a
                      # container.
                  "id": "A String", # Artifact ID, if any; for container images, this will be a URL by digest
                      # like `gcr.io/projectID/imagename@sha256:123456`.
                  "names": [ # Related artifact names.
                      # This may be the path to a binary or jar file, or in
                      # the case of a container build, the name used to push the container image to
                      # Google Container Registry, as presented to `docker push`. Note that a
                      # single Artifact ID can have multiple names, for example if two tags are
                      # applied to one image.
                    "A String",
                  ],
                },
              ],
              "triggerId": "A String", # Trigger identifier if the build was triggered automatically; empty if not.
              "startTime": "A String", # Time at which execution of the build was started.
              "endTime": "A String", # Time at which execution of the build was finished.
              "id": "A String", # Required. Unique identifier of the build.
              "logsUri": "A String", # URI where any logs for this provenance were written.
            },
            "provenanceBytes": "A String", # Serialized JSON representation of the provenance, used in generating the
                # build signature in the corresponding build note. After verifying the
                # signature, `provenance_bytes` can be unmarshalled and compared to the
                # provenance to confirm that it is unchanged. A base64-encoded string
                # representation of the provenance bytes is used for the signature in order
                # to interoperate with openssl which expects this format for signature
                # verification.
                #
                # The serialized form is captured both to avoid ambiguity in how the
                # provenance is marshalled to json as well as to prevent incompatibilities with
                # future changes.
          },
          "deployment": { # Details of a deployment occurrence. # Describes the deployment of an artifact on a runtime.
            "deployment": { # The period during which some deployable was active in a runtime. # Required. Deployment history for the resource.
              "resourceUri": [ # Output only. Resource URI for the artifact being deployed taken from
                  # the deployable field with the same name.
                "A String",
              ],
              "userEmail": "A String", # Identity of the user that triggered this deployment.
              "address": "A String", # Address of the runtime element hosting this deployment.
              "platform": "A String", # Platform hosting this deployment.
              "deployTime": "A String", # Required. Beginning of the lifetime of this deployment.
              "undeployTime": "A String", # End of the lifetime of this deployment.
              "config": "A String", # Configuration used to create this deployment.
            },
          },
          "remediation": "A String", # A description of actions that can be taken to remedy the note.
          "installation": { # Details of a package occurrence. # Describes the installation of a package on the linked resource.
            "installation": { # This represents how a particular software package may be installed on a
                # system.
                #
                # Required. Where the package was installed.
              "location": [ # Required. All of the places within the filesystem versions of this package
                  # have been found.
                { # An occurrence of a particular package installation found within a system's
                    # filesystem. E.g., glibc was found in `/var/lib/dpkg/status`.
                  "path": "A String", # The path from which we gathered that this package/version is installed.
                  "cpeUri": "A String", # Required. The CPE URI in [CPE format](https://cpe.mitre.org/specification/)
                      # denoting the package manager version distributing a package.
                  "version": { # Version contains structured information about the version of a package. # The version installed at this location.
                    "epoch": 42, # Used to correct mistakes in the version numbering scheme.
                    "kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal
                        # versions.
                    "name": "A String", # Required only when version kind is NORMAL. The main part of the version
                        # name.
                    "revision": "A String", # The iteration of the package build from the above version.
                  },
                },
              ],
              "name": "A String", # Output only. The name of the installed package.
            },
          },
          "createTime": "A String", # Output only.
              # The time this occurrence was created.
          "derivedImage": { # Details of an image occurrence. # Describes how this resource derives from the basis in the associated
              # note.
            "derivedImage": { # Derived describes the derived image portion (Occurrence) of the DockerImage
                # relationship. This image would be produced from a Dockerfile with FROM
                # <DockerImage.Basis in attached Note>.
                #
                # Required. Immutable. The child image derived from the base image.
              "distance": 42, # Output only. The number of layers by which this image differs from the
                  # associated image basis.
              "baseResourceUrl": "A String", # Output only. This contains the base image URL for the derived image
                  # occurrence.
              "layerInfo": [ # This contains layer-specific metadata, if populated it has length
                  # "distance" and is ordered with [distance] being the layer immediately
                  # following the base image and [1] being the final layer.
                { # Layer holds metadata specific to a layer of a Docker image.
                  "arguments": "A String", # The recovered arguments to the Dockerfile directive.
                  "directive": "A String", # Required. The recovered Dockerfile directive used to construct this layer.
                },
              ],
              "fingerprint": { # A set of properties that uniquely identify a given Docker image. # Required. The fingerprint of the derived image.
                "v1Name": "A String", # Required. The layer ID of the final layer in the Docker image's v1
                    # representation.
                "v2Name": "A String", # Output only. The name of the image's v2 blobs computed via:
                    #   [bottom] := v2_blob[bottom]
                    #   [N] := sha256(v2_blob[N] + " " + v2_name[N+1])
                    # Only the name of the final blob is kept.
                "v2Blob": [ # Required. The ordered list of v2 blobs that represent a given image.
                  "A String",
                ],
              },
            },
          },
          "noteName": "A String", # Required. Immutable.
              # The analysis note associated with this occurrence, in
              # the form of `projects/[PROVIDER_ID]/notes/[NOTE_ID]`. This field can be
              # used as a filter in list requests.
        },
      ],
    }</pre>
</div>

<div class="method">
    <code class="details" id="create">create(parent, body, x__xgafv=None)</code>
  <pre>Creates a new occurrence.

Args:
  parent: string, The name of the project in the form of `projects/[PROJECT_ID]`, under which
    the occurrence is to be created. (required)
  body: object, The request body. (required)
    The object takes the form of:

{ # An instance of an analysis type that has been found on a resource.
  "kind": "A String", # Output only. This explicitly denotes which of the occurrence details are
      # specified. This field can be used as a filter in list requests.
  "resource": { # An entity that can have metadata. For example, a Docker image. # Required. Immutable. The resource for which the occurrence applies.
    "contentHash": { # Container message for hash values. # Deprecated, do not use. Use uri instead.
        #
        # The hash of the resource content. For example, the Docker digest.
      "type": "A String", # Required. The type of hash that was performed.
      "value": "A String", # Required. The hash value.
    },
    "uri": "A String", # Required. The unique URI of the resource. For example,
        # `https://gcr.io/project/image@sha256:foo` for a Docker image.
    "name": "A String", # Deprecated, do not use. Use uri instead.
        #
        # The name of the resource. For example, the name of a Docker image -
        # "Debian".
  },
  "name": "A String", # Output only. The name of the occurrence in the form of
      # `projects/[PROJECT_ID]/occurrences/[OCCURRENCE_ID]`.
  "vulnerability": { # Details of a vulnerability Occurrence. # Describes a security vulnerability.
    "cvssScore": 3.14, # Output only. The CVSS score of this vulnerability.
        # CVSS score is on a
        # scale of 0-10 where 0 indicates low severity and 10 indicates high
        # severity.
    "severity": "A String", # Output only. The note provider assigned Severity of the vulnerability.
    "type": "A String", # The type of package; whether native or non-native (Ruby gems, Node.js
        # packages, etc.)
    "effectiveSeverity": "A String", # The distro assigned severity for this vulnerability when it is
        # available, and note provider assigned severity when distro has not yet
        # assigned a severity for this vulnerability.
    "relatedUrls": [ # Output only. URLs related to this vulnerability.
      { # Metadata for any related URL information.
        "url": "A String", # Specific URL associated with the resource.
        "label": "A String", # Label to describe usage of the URL.
      },
    ],
    "packageIssue": [ # Required. The set of affected locations and their fixes (if available)
        # within the associated resource.
      { # This message wraps a location affected by a vulnerability and its
          # associated fix (if one is available).
        "severityName": "A String", # Deprecated, use Details.effective_severity instead.
            # The severity (e.g., distro assigned severity) for this vulnerability.
        "affectedLocation": { # The location of the vulnerability. # Required. The location of the vulnerability.
          "cpeUri": "A String", # Required. The CPE URI in [CPE format](https://cpe.mitre.org/specification/).
              # Examples include distro or storage location for vulnerable jar.
          "version": { # Version contains structured information about the version of a package. # Required. The version of the package being described.
            "epoch": 42, # Used to correct mistakes in the version numbering scheme.
            "kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal
                # versions.
            "name": "A String", # Required only when version kind is NORMAL. The main part of the version
                # name.
            "revision": "A String", # The iteration of the package build from the above version.
          },
          "package": "A String", # Required. The package being described.
        },
        "fixedLocation": { # The location of the vulnerability. # The location of the available fix for vulnerability.
          "cpeUri": "A String", # Required. The CPE URI in [CPE format](https://cpe.mitre.org/specification/).
              # Examples include distro or storage location for vulnerable jar.
          "version": { # Version contains structured information about the version of a package. # Required. The version of the package being described.
            "epoch": 42, # Used to correct mistakes in the version numbering scheme.
            "kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal
                # versions.
            "name": "A String", # Required only when version kind is NORMAL. The main part of the version
                # name.
            "revision": "A String", # The iteration of the package build from the above version.
          },
          "package": "A String", # Required. The package being described.
        },
      },
    ],
    "longDescription": "A String", # Output only. A detailed description of this vulnerability.
    "shortDescription": "A String", # Output only. A one sentence description of this vulnerability.
  },
  "updateTime": "A String", # Output only. The time this occurrence was last updated.
  "discovered": { # Details of a discovery occurrence. # Describes when a resource was discovered.
    "discovered": { # Provides information about the analysis status of a discovered resource. # Required. Analysis status for the discovered resource.
      "lastAnalysisTime": "A String", # The last time continuous analysis was done for this resource.
          # Deprecated, do not use.
      "analysisStatus": "A String", # The status of discovery for the resource.
      "continuousAnalysis": "A String", # Whether the resource is continuously analyzed.
      "analysisStatusError": { # The `Status` type defines a logical error model that is suitable for
          # different programming environments, including REST APIs and RPC APIs. It is
          # used by [gRPC](https://github.com/grpc). Each `Status` message contains
          # three pieces of data: error code, error message, and error details.
          #
          # You can find out more about this error model and how to work with it in the
          # [API Design Guide](https://cloud.google.com/apis/design/errors).
          #
          # When an error is encountered this will contain a LocalizedMessage under
          # details to show to the user. The LocalizedMessage is output only and
          # populated by the API.
        "message": "A String", # A developer-facing error message, which should be in English. Any
            # user-facing error message should be localized and sent in the
            # google.rpc.Status.details field, or localized by the client.
        "code": 42, # The status code, which should be an enum value of google.rpc.Code.
        "details": [ # A list of messages that carry the error details. There is a common set of
            # message types for APIs to use.
          {
            "a_key": "", # Properties of the object. Contains field @type with type URL.
          },
        ],
      },
    },
  },
  "attestation": { # Details of an attestation occurrence. # Describes an attestation of an artifact.
    "attestation": { # Occurrence that represents a single "attestation". The authenticity of an
        # attestation can be verified using the attached signature. If the verifier
        # trusts the public key of the signer, then verifying the signature is
        # sufficient to establish trust. In this circumstance, the authority to which
        # this attestation is attached is primarily useful for look-up (how to find
        # this attestation if you already know the authority and artifact to be
        # verified) and intent (which authority was this attestation intended to sign
        # for).
        #
        # Required. Attestation for the resource.
1159 "pgpSignedAttestation": { # An attestation wrapper with a PGP-compatible signature. This message only # A PGP signed attestation. 1160 # supports `ATTACHED` signatures, where the payload that is signed is included 1161 # alongside the signature itself in the same file. 1162 "pgpKeyId": "A String", # The cryptographic fingerprint of the key used to generate the signature, 1163 # as output by, e.g. `gpg --list-keys`. This should be the version 4, full 1164 # 160-bit fingerprint, expressed as a 40 character hexidecimal string. See 1165 # https://tools.ietf.org/html/rfc4880#section-12.2 for details. 1166 # Implementations may choose to acknowledge "LONG", "SHORT", or other 1167 # abbreviated key IDs, but only the full fingerprint is guaranteed to work. 1168 # In gpg, the full fingerprint can be retrieved from the `fpr` field 1169 # returned when calling --list-keys with --with-colons. For example: 1170 # ``` 1171 # gpg --with-colons --with-fingerprint --force-v4-certs \ 1172 # --list-keys attester@example.com 1173 # tru::1:1513631572:0:3:1:5 1174 # pub:...<SNIP>... 1175 # fpr:::::::::24FF6481B76AC91E66A00AC657A93A81EF3AE6FB: 1176 # ``` 1177 # Above, the fingerprint is `24FF6481B76AC91E66A00AC657A93A81EF3AE6FB`. 1178 "contentType": "A String", # Type (for example schema) of the attestation payload that was signed. 1179 # The verifier must ensure that the provided type is one that the verifier 1180 # supports, and that the attestation payload is a valid instantiation of that 1181 # type (for example by validating a JSON schema). 1182 "signature": "A String", # Required. The raw content of the signature, as output by GNU Privacy Guard 1183 # (GPG) or equivalent. Since this message only supports attached signatures, 1184 # the payload that was signed must be attached. 
While the signature format 1185 # supported is dependent on the verification implementation, currently only 1186 # ASCII-armored (`--armor` to gpg), non-clearsigned (`--sign` rather than 1187 # `--clearsign` to gpg) are supported. Concretely, `gpg --sign --armor 1188 # --output=signature.gpg payload.json` will create the signature content 1189 # expected in this field in `signature.gpg` for the `payload.json` 1190 # attestation payload. 1191 }, 1192 "genericSignedAttestation": { # An attestation wrapper that uses the Grafeas `Signature` message. 1193 # This attestation must define the `serialized_payload` that the `signatures` 1194 # verify and any metadata necessary to interpret that plaintext. The 1195 # signatures should always be over the `serialized_payload` bytestring. 1196 "signatures": [ # One or more signatures over `serialized_payload`. Verifier implementations 1197 # should consider this attestation message verified if at least one 1198 # `signature` verifies `serialized_payload`. See `Signature` in common.proto 1199 # for more details on signature structure and verification. 1200 { # Verifiers (e.g. Kritis implementations) MUST verify signatures 1201 # with respect to the trust anchors defined in policy (e.g. a Kritis policy). 1202 # Typically this means that the verifier has been configured with a map from 1203 # `public_key_id` to public key material (and any required parameters, e.g. 1204 # signing algorithm). 1205 # 1206 # In particular, verification implementations MUST NOT treat the signature 1207 # `public_key_id` as anything more than a key lookup hint. The `public_key_id` 1208 # DOES NOT validate or authenticate a public key; it only provides a mechanism 1209 # for quickly selecting a public key ALREADY CONFIGURED on the verifier through 1210 # a trusted channel. Verification implementations MUST reject signatures in any 1211 # of the following circumstances: 1212 # * The `public_key_id` is not recognized by the verifier. 
1213 # * The public key that `public_key_id` refers to does not verify the 1214 # signature with respect to the payload. 1215 # 1216 # The `signature` contents SHOULD NOT be "attached" (where the payload is 1217 # included with the serialized `signature` bytes). Verifiers MUST ignore any 1218 # "attached" payload and only verify signatures with respect to explicitly 1219 # provided payload (e.g. a `payload` field on the proto message that holds 1220 # this Signature, or the canonical serialization of the proto message that 1221 # holds this signature). 1222 "publicKeyId": "A String", # The identifier for the public key that verifies this signature. 1223 # * The `public_key_id` is required. 1224 # * The `public_key_id` MUST be an RFC3986 conformant URI. 1225 # * When possible, the `public_key_id` SHOULD be an immutable reference, 1226 # such as a cryptographic digest. 1227 # 1228 # Examples of valid `public_key_id`s: 1229 # 1230 # OpenPGP V4 public key fingerprint: 1231 # * "openpgp4fpr:74FAF3B861BDA0870C7B6DEF607E48D2A663AEEA" 1232 # See https://www.iana.org/assignments/uri-schemes/prov/openpgp4fpr for more 1233 # details on this scheme. 1234 # 1235 # RFC6920 digest-named SubjectPublicKeyInfo (digest of the DER 1236 # serialization): 1237 # * "ni:///sha-256;cD9o9Cq6LG3jD0iKXqEi_vdjJGecm_iXkbqVoScViaU" 1238 # * "nih:///sha-256;703f68f42aba2c6de30f488a5ea122fef76324679c9bf89791ba95a1271589a5" 1239 "signature": "A String", # The content of the signature, an opaque bytestring. 1240 # The payload that this signature verifies MUST be unambiguously provided 1241 # with the Signature during verification. A wrapper message might provide 1242 # the payload explicitly. Alternatively, a message might have a canonical 1243 # serialization that can always be unambiguously computed to derive the 1244 # payload. 1245 }, 1246 ], 1247 "contentType": "A String", # Type (for example schema) of the attestation payload that was signed. 
1248 # The verifier must ensure that the provided type is one that the verifier 1249 # supports, and that the attestation payload is a valid instantiation of that 1250 # type (for example by validating a JSON schema). 1251 "serializedPayload": "A String", # The serialized payload that is verified by one or more `signatures`. 1252 # The encoding and semantic meaning of this payload must match what is set in 1253 # `content_type`. 1254 }, 1255 }, 1256 }, 1257 "build": { # Details of a build occurrence. # Describes a verifiable build. 1258 "provenance": { # Provenance of a build. Contains all information needed to verify the full # Required. The actual provenance for the build. 1259 # details about the build from source to completion. 1260 "commands": [ # Commands requested by the build. 1261 { # Command describes a step performed as part of the build pipeline. 1262 "waitFor": [ # The ID(s) of the command(s) that this command depends on. 1263 "A String", 1264 ], 1265 "name": "A String", # Required. Name of the command, as presented on the command line, or if the 1266 # command is packaged as a Docker container, as presented to `docker pull`. 1267 "args": [ # Command-line arguments used when executing this command. 1268 "A String", 1269 ], 1270 "env": [ # Environment variables set before running this command. 1271 "A String", 1272 ], 1273 "id": "A String", # Optional unique identifier for this command, used in wait_for to reference 1274 # this command as a dependency. 1275 "dir": "A String", # Working directory (relative to project source root) used when running this 1276 # command. 1277 }, 1278 ], 1279 "sourceProvenance": { # Source describes the location of the source used for the build. # Details of the Source input to the build. 1280 "fileHashes": { # Hash(es) of the build source, which can be used to verify that the original 1281 # source integrity was maintained in the build. 
1282 # 1283 # The keys to this map are file paths used as build source and the values 1284 # contain the hash values for those files. 1285 # 1286 # If the build source came in a single package such as a gzipped tarfile 1287 # (.tar.gz), the FileHash will be for the single path to that file. 1288 "a_key": { # Container message for hashes of byte content of files, used in source 1289 # messages to verify integrity of source input to the build. 1290 "fileHash": [ # Required. Collection of file hashes. 1291 { # Container message for hash values. 1292 "type": "A String", # Required. The type of hash that was performed. 1293 "value": "A String", # Required. The hash value. 1294 }, 1295 ], 1296 }, 1297 }, 1298 "artifactStorageSourceUri": "A String", # If provided, the input binary artifacts for the build came from this 1299 # location. 1300 "additionalContexts": [ # If provided, some of the source code used for the build may be found in 1301 # these locations, in the case where the source repository had multiple 1302 # remotes or submodules. This list will not include the context specified in 1303 # the context field. 1304 { # A SourceContext is a reference to a tree of files. A SourceContext together 1305 # with a path point to a unique revision of a single file or directory. 1306 "git": { # A GitSourceContext denotes a particular revision in a third party Git # A SourceContext referring to any third party Git repo (e.g., GitHub). 1307 # repository (e.g., GitHub). 1308 "url": "A String", # Git repository URL. 1309 "revisionId": "A String", # Git commit hash. 1310 }, 1311 "cloudRepo": { # A CloudRepoSourceContext denotes a particular revision in a Google Cloud # A SourceContext referring to a revision in a Google Cloud Source Repo. 1312 # Source Repo. 1313 "aliasContext": { # An alias to a repo revision. # An alias, which may be a branch or tag. 1314 "kind": "A String", # The alias kind. 1315 "name": "A String", # The alias name. 
1316 }, 1317 "revisionId": "A String", # A revision ID. 1318 "repoId": { # A unique identifier for a Cloud Repo. # The ID of the repo. 1319 "uid": "A String", # A server-assigned, globally unique identifier. 1320 "projectRepoId": { # Selects a repo using a Google Cloud Platform project ID (e.g., # A combination of a project ID and a repo name. 1321 # winged-cargo-31) and a repo name within that project. 1322 "projectId": "A String", # The ID of the project. 1323 "repoName": "A String", # The name of the repo. Leave empty for the default repo. 1324 }, 1325 }, 1326 }, 1327 "labels": { # Labels with user defined metadata. 1328 "a_key": "A String", 1329 }, 1330 "gerrit": { # A SourceContext referring to a Gerrit project. # A SourceContext referring to a Gerrit project. 1331 "aliasContext": { # An alias to a repo revision. # An alias, which may be a branch or tag. 1332 "kind": "A String", # The alias kind. 1333 "name": "A String", # The alias name. 1334 }, 1335 "revisionId": "A String", # A revision (commit) ID. 1336 "hostUri": "A String", # The URI of a running Gerrit instance. 1337 "gerritProject": "A String", # The full project name within the host. Projects may be nested, so 1338 # "project/subproject" is a valid project name. The "repo name" is the 1339 # hostURI/project. 1340 }, 1341 }, 1342 ], 1343 "context": { # A SourceContext is a reference to a tree of files. A SourceContext together # If provided, the source code used for the build came from this location. 1344 # with a path point to a unique revision of a single file or directory. 1345 "git": { # A GitSourceContext denotes a particular revision in a third party Git # A SourceContext referring to any third party Git repo (e.g., GitHub). 1346 # repository (e.g., GitHub). 1347 "url": "A String", # Git repository URL. 1348 "revisionId": "A String", # Git commit hash. 
1349 }, 1350 "cloudRepo": { # A CloudRepoSourceContext denotes a particular revision in a Google Cloud # A SourceContext referring to a revision in a Google Cloud Source Repo. 1351 # Source Repo. 1352 "aliasContext": { # An alias to a repo revision. # An alias, which may be a branch or tag. 1353 "kind": "A String", # The alias kind. 1354 "name": "A String", # The alias name. 1355 }, 1356 "revisionId": "A String", # A revision ID. 1357 "repoId": { # A unique identifier for a Cloud Repo. # The ID of the repo. 1358 "uid": "A String", # A server-assigned, globally unique identifier. 1359 "projectRepoId": { # Selects a repo using a Google Cloud Platform project ID (e.g., # A combination of a project ID and a repo name. 1360 # winged-cargo-31) and a repo name within that project. 1361 "projectId": "A String", # The ID of the project. 1362 "repoName": "A String", # The name of the repo. Leave empty for the default repo. 1363 }, 1364 }, 1365 }, 1366 "labels": { # Labels with user defined metadata. 1367 "a_key": "A String", 1368 }, 1369 "gerrit": { # A SourceContext referring to a Gerrit project. # A SourceContext referring to a Gerrit project. 1370 "aliasContext": { # An alias to a repo revision. # An alias, which may be a branch or tag. 1371 "kind": "A String", # The alias kind. 1372 "name": "A String", # The alias name. 1373 }, 1374 "revisionId": "A String", # A revision (commit) ID. 1375 "hostUri": "A String", # The URI of a running Gerrit instance. 1376 "gerritProject": "A String", # The full project name within the host. Projects may be nested, so 1377 # "project/subproject" is a valid project name. The "repo name" is the 1378 # hostURI/project. 1379 }, 1380 }, 1381 }, 1382 "buildOptions": { # Special options applied to this build. This is a catch-all field where 1383 # build providers can enter any desired additional details. 1384 "a_key": "A String", 1385 }, 1386 "creator": "A String", # E-mail address of the user who initiated this build. 
Note that this was the 1387 # user's e-mail address at the time the build was initiated; this address may 1388 # not represent the same end-user for all time. 1389 "projectId": "A String", # ID of the project. 1390 "builderVersion": "A String", # Version string of the builder at the time this build was executed. 1391 "createTime": "A String", # Time at which the build was created. 1392 "builtArtifacts": [ # Output of the build. 1393 { # Artifact describes a build product. 1394 "checksum": "A String", # Hash or checksum value of a binary, or Docker Registry 2.0 digest of a 1395 # container. 1396 "id": "A String", # Artifact ID, if any; for container images, this will be a URL by digest 1397 # like `gcr.io/projectID/imagename@sha256:123456`. 1398 "names": [ # Related artifact names. This may be the path to a binary or jar file, or in 1399 # the case of a container build, the name used to push the container image to 1400 # Google Container Registry, as presented to `docker push`. Note that a 1401 # single Artifact ID can have multiple names, for example if two tags are 1402 # applied to one image. 1403 "A String", 1404 ], 1405 }, 1406 ], 1407 "triggerId": "A String", # Trigger identifier if the build was triggered automatically; empty if not. 1408 "startTime": "A String", # Time at which execution of the build was started. 1409 "endTime": "A String", # Time at which execution of the build was finished. 1410 "id": "A String", # Required. Unique identifier of the build. 1411 "logsUri": "A String", # URI where any logs for this provenance were written. 1412 }, 1413 "provenanceBytes": "A String", # Serialized JSON representation of the provenance, used in generating the 1414 # build signature in the corresponding build note. After verifying the 1415 # signature, `provenance_bytes` can be unmarshalled and compared to the 1416 # provenance to confirm that it is unchanged. 
A base64-encoded string 1417 # representation of the provenance bytes is used for the signature in order 1418 # to interoperate with openssl which expects this format for signature 1419 # verification. 1420 # 1421 # The serialized form is captured both to avoid ambiguity in how the 1422 # provenance is marshalled to json as well to prevent incompatibilities with 1423 # future changes. 1424 }, 1425 "deployment": { # Details of a deployment occurrence. # Describes the deployment of an artifact on a runtime. 1426 "deployment": { # The period during which some deployable was active in a runtime. # Required. Deployment history for the resource. 1427 "resourceUri": [ # Output only. Resource URI for the artifact being deployed taken from 1428 # the deployable field with the same name. 1429 "A String", 1430 ], 1431 "userEmail": "A String", # Identity of the user that triggered this deployment. 1432 "address": "A String", # Address of the runtime element hosting this deployment. 1433 "platform": "A String", # Platform hosting this deployment. 1434 "deployTime": "A String", # Required. Beginning of the lifetime of this deployment. 1435 "undeployTime": "A String", # End of the lifetime of this deployment. 1436 "config": "A String", # Configuration used to create this deployment. 1437 }, 1438 }, 1439 "remediation": "A String", # A description of actions that can be taken to remedy the note. 1440 "installation": { # Details of a package occurrence. # Describes the installation of a package on the linked resource. 1441 "installation": { # This represents how a particular software package may be installed on a # Required. Where the package was installed. 1442 # system. 1443 "location": [ # Required. All of the places within the filesystem versions of this package 1444 # have been found. 1445 { # An occurrence of a particular package installation found within a system's 1446 # filesystem. E.g., glibc was found in `/var/lib/dpkg/status`. 
1447 "path": "A String", # The path from which we gathered that this package/version is installed. 1448 "cpeUri": "A String", # Required. The CPE URI in [CPE format](https://cpe.mitre.org/specification/) 1449 # denoting the package manager version distributing a package. 1450 "version": { # Version contains structured information about the version of a package. # The version installed at this location. 1451 "epoch": 42, # Used to correct mistakes in the version numbering scheme. 1452 "kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal 1453 # versions. 1454 "name": "A String", # Required only when version kind is NORMAL. The main part of the version 1455 # name. 1456 "revision": "A String", # The iteration of the package build from the above version. 1457 }, 1458 }, 1459 ], 1460 "name": "A String", # Output only. The name of the installed package. 1461 }, 1462 }, 1463 "createTime": "A String", # Output only. The time this occurrence was created. 1464 "derivedImage": { # Details of an image occurrence. # Describes how this resource derives from the basis in the associated 1465 # note. 1466 "derivedImage": { # Derived describes the derived image portion (Occurrence) of the DockerImage # Required. Immutable. The child image derived from the base image. 1467 # relationship. This image would be produced from a Dockerfile with FROM 1468 # <DockerImage.Basis in attached Note>. 1469 "distance": 42, # Output only. The number of layers by which this image differs from the 1470 # associated image basis. 1471 "baseResourceUrl": "A String", # Output only. This contains the base image URL for the derived image 1472 # occurrence. 1473 "layerInfo": [ # This contains layer-specific metadata, if populated it has length 1474 # "distance" and is ordered with [distance] being the layer immediately 1475 # following the base image and [1] being the final layer. 1476 { # Layer holds metadata specific to a layer of a Docker image. 
            "arguments": "A String", # The recovered arguments to the Dockerfile directive.
            "directive": "A String", # Required. The recovered Dockerfile directive used to construct this layer.
          },
        ],
        "fingerprint": { # Required. The fingerprint of the derived image.
            # A set of properties that uniquely identify a given Docker image.
          "v1Name": "A String", # Required. The layer ID of the final layer in the Docker image's v1
              # representation.
          "v2Name": "A String", # Output only. The name of the image's v2 blobs computed via:
              #   [bottom] := v2_blob[bottom]
              #   [N] := sha256(v2_blob[N] + " " + v2_name[N+1])
              # Only the name of the final blob is kept.
          "v2Blob": [ # Required. The ordered list of v2 blobs that represent a given image.
            "A String",
          ],
        },
      },
    },
    "noteName": "A String", # Required. Immutable. The analysis note associated with this occurrence, in
        # the form of `projects/[PROVIDER_ID]/notes/[NOTE_ID]`. This field can be
        # used as a filter in list requests.
}

  x__xgafv: string, V1 error format.
    Allowed values
      1 - v1 error format
      2 - v2 error format

Returns:
  An object of the form:

    { # An instance of an analysis type that has been found on a resource.
      "kind": "A String", # Output only. This explicitly denotes which of the occurrence details are
          # specified. This field can be used as a filter in list requests.
      "resource": { # Required. Immutable. The resource for which the occurrence applies.
          # An entity that can have metadata. For example, a Docker image.
        "contentHash": { # Deprecated, do not use. Use uri instead.
            #
            # The hash of the resource content. For example, the Docker digest.
            #
            # Container message for hash values.
          "type": "A String", # Required. The type of hash that was performed.
          "value": "A String", # Required. The hash value.
        },
        "uri": "A String", # Required.
The unique URI of the resource. For example, 1517 # `https://gcr.io/project/image@sha256:foo` for a Docker image. 1518 "name": "A String", # Deprecated, do not use. Use uri instead. 1519 # 1520 # The name of the resource. For example, the name of a Docker image - 1521 # "Debian". 1522 }, 1523 "name": "A String", # Output only. The name of the occurrence in the form of 1524 # `projects/[PROJECT_ID]/occurrences/[OCCURRENCE_ID]`. 1525 "vulnerability": { # Details of a vulnerability Occurrence. # Describes a security vulnerability. 1526 "cvssScore": 3.14, # Output only. The CVSS score of this vulnerability. CVSS score is on a 1527 # scale of 0-10 where 0 indicates low severity and 10 indicates high 1528 # severity. 1529 "severity": "A String", # Output only. The note provider assigned Severity of the vulnerability. 1530 "type": "A String", # The type of package; whether native or non native(ruby gems, node.js 1531 # packages etc) 1532 "effectiveSeverity": "A String", # The distro assigned severity for this vulnerability when it is 1533 # available, and note provider assigned severity when distro has not yet 1534 # assigned a severity for this vulnerability. 1535 "relatedUrls": [ # Output only. URLs related to this vulnerability. 1536 { # Metadata for any related URL information. 1537 "url": "A String", # Specific URL associated with the resource. 1538 "label": "A String", # Label to describe usage of the URL. 1539 }, 1540 ], 1541 "packageIssue": [ # Required. The set of affected locations and their fixes (if available) 1542 # within the associated resource. 1543 { # This message wraps a location affected by a vulnerability and its 1544 # associated fix (if one is available). 1545 "severityName": "A String", # Deprecated, use Details.effective_severity instead 1546 # The severity (e.g., distro assigned severity) for this vulnerability. 1547 "affectedLocation": { # The location of the vulnerability. # Required. The location of the vulnerability. 
1548 "cpeUri": "A String", # Required. The CPE URI in [cpe format](https://cpe.mitre.org/specification/) 1549 # format. Examples include distro or storage location for vulnerable jar. 1550 "version": { # Version contains structured information about the version of a package. # Required. The version of the package being described. 1551 "epoch": 42, # Used to correct mistakes in the version numbering scheme. 1552 "kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal 1553 # versions. 1554 "name": "A String", # Required only when version kind is NORMAL. The main part of the version 1555 # name. 1556 "revision": "A String", # The iteration of the package build from the above version. 1557 }, 1558 "package": "A String", # Required. The package being described. 1559 }, 1560 "fixedLocation": { # The location of the vulnerability. # The location of the available fix for vulnerability. 1561 "cpeUri": "A String", # Required. The CPE URI in [cpe format](https://cpe.mitre.org/specification/) 1562 # format. Examples include distro or storage location for vulnerable jar. 1563 "version": { # Version contains structured information about the version of a package. # Required. The version of the package being described. 1564 "epoch": 42, # Used to correct mistakes in the version numbering scheme. 1565 "kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal 1566 # versions. 1567 "name": "A String", # Required only when version kind is NORMAL. The main part of the version 1568 # name. 1569 "revision": "A String", # The iteration of the package build from the above version. 1570 }, 1571 "package": "A String", # Required. The package being described. 1572 }, 1573 }, 1574 ], 1575 "longDescription": "A String", # Output only. A detailed description of this vulnerability. 1576 "shortDescription": "A String", # Output only. A one sentence description of this vulnerability. 
1577 }, 1578 "updateTime": "A String", # Output only. The time this occurrence was last updated. 1579 "discovered": { # Details of a discovery occurrence. # Describes when a resource was discovered. 1580 "discovered": { # Provides information about the analysis status of a discovered resource. # Required. Analysis status for the discovered resource. 1581 "lastAnalysisTime": "A String", # The last time continuous analysis was done for this resource. 1582 # Deprecated, do not use. 1583 "analysisStatus": "A String", # The status of discovery for the resource. 1584 "continuousAnalysis": "A String", # Whether the resource is continuously analyzed. 1585 "analysisStatusError": { # The `Status` type defines a logical error model that is suitable for # When an error is encountered this will contain a LocalizedMessage under 1586 # details to show to the user. The LocalizedMessage is output only and 1587 # populated by the API. 1588 # different programming environments, including REST APIs and RPC APIs. It is 1589 # used by [gRPC](https://github.com/grpc). Each `Status` message contains 1590 # three pieces of data: error code, error message, and error details. 1591 # 1592 # You can find out more about this error model and how to work with it in the 1593 # [API Design Guide](https://cloud.google.com/apis/design/errors). 1594 "message": "A String", # A developer-facing error message, which should be in English. Any 1595 # user-facing error message should be localized and sent in the 1596 # google.rpc.Status.details field, or localized by the client. 1597 "code": 42, # The status code, which should be an enum value of google.rpc.Code. 1598 "details": [ # A list of messages that carry the error details. There is a common set of 1599 # message types for APIs to use. 1600 { 1601 "a_key": "", # Properties of the object. Contains field @type with type URL. 1602 }, 1603 ], 1604 }, 1605 }, 1606 }, 1607 "attestation": { # Details of an attestation occurrence. 
# Describes an attestation of an artifact. 1608 "attestation": { # Occurrence that represents a single "attestation". The authenticity of an # Required. Attestation for the resource. 1609 # attestation can be verified using the attached signature. If the verifier 1610 # trusts the public key of the signer, then verifying the signature is 1611 # sufficient to establish trust. In this circumstance, the authority to which 1612 # this attestation is attached is primarily useful for look-up (how to find 1613 # this attestation if you already know the authority and artifact to be 1614 # verified) and intent (which authority was this attestation intended to sign 1615 # for). 1616 "pgpSignedAttestation": { # An attestation wrapper with a PGP-compatible signature. This message only # A PGP signed attestation. 1617 # supports `ATTACHED` signatures, where the payload that is signed is included 1618 # alongside the signature itself in the same file. 1619 "pgpKeyId": "A String", # The cryptographic fingerprint of the key used to generate the signature, 1620 # as output by, e.g. `gpg --list-keys`. This should be the version 4, full 1621 # 160-bit fingerprint, expressed as a 40 character hexidecimal string. See 1622 # https://tools.ietf.org/html/rfc4880#section-12.2 for details. 1623 # Implementations may choose to acknowledge "LONG", "SHORT", or other 1624 # abbreviated key IDs, but only the full fingerprint is guaranteed to work. 1625 # In gpg, the full fingerprint can be retrieved from the `fpr` field 1626 # returned when calling --list-keys with --with-colons. For example: 1627 # ``` 1628 # gpg --with-colons --with-fingerprint --force-v4-certs \ 1629 # --list-keys attester@example.com 1630 # tru::1:1513631572:0:3:1:5 1631 # pub:...<SNIP>... 1632 # fpr:::::::::24FF6481B76AC91E66A00AC657A93A81EF3AE6FB: 1633 # ``` 1634 # Above, the fingerprint is `24FF6481B76AC91E66A00AC657A93A81EF3AE6FB`. 
1635 "contentType": "A String", # Type (for example schema) of the attestation payload that was signed. 1636 # The verifier must ensure that the provided type is one that the verifier 1637 # supports, and that the attestation payload is a valid instantiation of that 1638 # type (for example by validating a JSON schema). 1639 "signature": "A String", # Required. The raw content of the signature, as output by GNU Privacy Guard 1640 # (GPG) or equivalent. Since this message only supports attached signatures, 1641 # the payload that was signed must be attached. While the signature format 1642 # supported is dependent on the verification implementation, currently only 1643 # ASCII-armored (`--armor` to gpg), non-clearsigned (`--sign` rather than 1644 # `--clearsign` to gpg) are supported. Concretely, `gpg --sign --armor 1645 # --output=signature.gpg payload.json` will create the signature content 1646 # expected in this field in `signature.gpg` for the `payload.json` 1647 # attestation payload. 1648 }, 1649 "genericSignedAttestation": { # An attestation wrapper that uses the Grafeas `Signature` message. 1650 # This attestation must define the `serialized_payload` that the `signatures` 1651 # verify and any metadata necessary to interpret that plaintext. The 1652 # signatures should always be over the `serialized_payload` bytestring. 1653 "signatures": [ # One or more signatures over `serialized_payload`. Verifier implementations 1654 # should consider this attestation message verified if at least one 1655 # `signature` verifies `serialized_payload`. See `Signature` in common.proto 1656 # for more details on signature structure and verification. 1657 { # Verifiers (e.g. Kritis implementations) MUST verify signatures 1658 # with respect to the trust anchors defined in policy (e.g. a Kritis policy). 1659 # Typically this means that the verifier has been configured with a map from 1660 # `public_key_id` to public key material (and any required parameters, e.g. 
1661 # signing algorithm). 1662 # 1663 # In particular, verification implementations MUST NOT treat the signature 1664 # `public_key_id` as anything more than a key lookup hint. The `public_key_id` 1665 # DOES NOT validate or authenticate a public key; it only provides a mechanism 1666 # for quickly selecting a public key ALREADY CONFIGURED on the verifier through 1667 # a trusted channel. Verification implementations MUST reject signatures in any 1668 # of the following circumstances: 1669 # * The `public_key_id` is not recognized by the verifier. 1670 # * The public key that `public_key_id` refers to does not verify the 1671 # signature with respect to the payload. 1672 # 1673 # The `signature` contents SHOULD NOT be "attached" (where the payload is 1674 # included with the serialized `signature` bytes). Verifiers MUST ignore any 1675 # "attached" payload and only verify signatures with respect to explicitly 1676 # provided payload (e.g. a `payload` field on the proto message that holds 1677 # this Signature, or the canonical serialization of the proto message that 1678 # holds this signature). 1679 "publicKeyId": "A String", # The identifier for the public key that verifies this signature. 1680 # * The `public_key_id` is required. 1681 # * The `public_key_id` MUST be an RFC3986 conformant URI. 1682 # * When possible, the `public_key_id` SHOULD be an immutable reference, 1683 # such as a cryptographic digest. 1684 # 1685 # Examples of valid `public_key_id`s: 1686 # 1687 # OpenPGP V4 public key fingerprint: 1688 # * "openpgp4fpr:74FAF3B861BDA0870C7B6DEF607E48D2A663AEEA" 1689 # See https://www.iana.org/assignments/uri-schemes/prov/openpgp4fpr for more 1690 # details on this scheme. 
                    #
                    # RFC6920 digest-named SubjectPublicKeyInfo (digest of the DER
                    # serialization):
                    #   * "ni:///sha-256;cD9o9Cq6LG3jD0iKXqEi_vdjJGecm_iXkbqVoScViaU"
                    #   * "nih:///sha-256;703f68f42aba2c6de30f488a5ea122fef76324679c9bf89791ba95a1271589a5"
                "signature": "A String", # The content of the signature, an opaque bytestring.
                    # The payload that this signature verifies MUST be unambiguously provided
                    # with the Signature during verification. A wrapper message might provide
                    # the payload explicitly. Alternatively, a message might have a canonical
                    # serialization that can always be unambiguously computed to derive the
                    # payload.
              },
            ],
            "contentType": "A String", # Type (for example schema) of the attestation payload that was signed.
                # The verifier must ensure that the provided type is one that the verifier
                # supports, and that the attestation payload is a valid instantiation of that
                # type (for example by validating a JSON schema).
            "serializedPayload": "A String", # The serialized payload that is verified by one or more `signatures`.
                # The encoding and semantic meaning of this payload must match what is set in
                # `content_type`.
          },
        },
      },
      "build": { # Details of a build occurrence. # Describes a verifiable build.
        "provenance": { # Provenance of a build. Contains all information needed to verify the full # Required. The actual provenance for the build.
            # details about the build from source to completion.
          "commands": [ # Commands requested by the build.
            { # Command describes a step performed as part of the build pipeline.
              "waitFor": [ # The ID(s) of the command(s) that this command depends on.
                "A String",
              ],
              "name": "A String", # Required. Name of the command, as presented on the command line, or if the
                  # command is packaged as a Docker container, as presented to `docker pull`.
              "args": [ # Command-line arguments used when executing this command.
                "A String",
              ],
              "env": [ # Environment variables set before running this command.
                "A String",
              ],
              "id": "A String", # Optional unique identifier for this command, used in wait_for to reference
                  # this command as a dependency.
              "dir": "A String", # Working directory (relative to project source root) used when running this
                  # command.
            },
          ],
          "sourceProvenance": { # Source describes the location of the source used for the build. # Details of the Source input to the build.
            "fileHashes": { # Hash(es) of the build source, which can be used to verify that the original
                # source integrity was maintained in the build.
                #
                # The keys to this map are file paths used as build source and the values
                # contain the hash values for those files.
                #
                # If the build source came in a single package such as a gzipped tarfile
                # (.tar.gz), the FileHash will be for the single path to that file.
              "a_key": { # Container message for hashes of byte content of files, used in source
                  # messages to verify integrity of source input to the build.
                "fileHash": [ # Required. Collection of file hashes.
                  { # Container message for hash values.
                    "type": "A String", # Required. The type of hash that was performed.
                    "value": "A String", # Required. The hash value.
                  },
                ],
              },
            },
            "artifactStorageSourceUri": "A String", # If provided, the input binary artifacts for the build came from this
                # location.
            "additionalContexts": [ # If provided, some of the source code used for the build may be found in
                # these locations, in the case where the source repository had multiple
                # remotes or submodules. This list will not include the context specified in
                # the context field.
              { # A SourceContext is a reference to a tree of files. A SourceContext together
                  # with a path point to a unique revision of a single file or directory.
                "git": { # A GitSourceContext denotes a particular revision in a third party Git # A SourceContext referring to any third party Git repo (e.g., GitHub).
                    # repository (e.g., GitHub).
                  "url": "A String", # Git repository URL.
                  "revisionId": "A String", # Git commit hash.
                },
                "cloudRepo": { # A CloudRepoSourceContext denotes a particular revision in a Google Cloud # A SourceContext referring to a revision in a Google Cloud Source Repo.
                    # Source Repo.
                  "aliasContext": { # An alias to a repo revision. # An alias, which may be a branch or tag.
                    "kind": "A String", # The alias kind.
                    "name": "A String", # The alias name.
                  },
                  "revisionId": "A String", # A revision ID.
                  "repoId": { # A unique identifier for a Cloud Repo. # The ID of the repo.
                    "uid": "A String", # A server-assigned, globally unique identifier.
                    "projectRepoId": { # Selects a repo using a Google Cloud Platform project ID (e.g., # A combination of a project ID and a repo name.
                        # winged-cargo-31) and a repo name within that project.
                      "projectId": "A String", # The ID of the project.
                      "repoName": "A String", # The name of the repo. Leave empty for the default repo.
                    },
                  },
                },
                "labels": { # Labels with user defined metadata.
                  "a_key": "A String",
                },
                "gerrit": { # A SourceContext referring to a Gerrit project. # A SourceContext referring to a Gerrit project.
                  "aliasContext": { # An alias to a repo revision. # An alias, which may be a branch or tag.
                    "kind": "A String", # The alias kind.
                    "name": "A String", # The alias name.
                  },
                  "revisionId": "A String", # A revision (commit) ID.
                  "hostUri": "A String", # The URI of a running Gerrit instance.
                  "gerritProject": "A String", # The full project name within the host. Projects may be nested, so
                      # "project/subproject" is a valid project name. The "repo name" is the
                      # hostURI/project.
                },
              },
            ],
            "context": { # A SourceContext is a reference to a tree of files. A SourceContext together # If provided, the source code used for the build came from this location.
                # with a path point to a unique revision of a single file or directory.
              "git": { # A GitSourceContext denotes a particular revision in a third party Git # A SourceContext referring to any third party Git repo (e.g., GitHub).
                  # repository (e.g., GitHub).
                "url": "A String", # Git repository URL.
                "revisionId": "A String", # Git commit hash.
              },
              "cloudRepo": { # A CloudRepoSourceContext denotes a particular revision in a Google Cloud # A SourceContext referring to a revision in a Google Cloud Source Repo.
                  # Source Repo.
                "aliasContext": { # An alias to a repo revision. # An alias, which may be a branch or tag.
                  "kind": "A String", # The alias kind.
                  "name": "A String", # The alias name.
                },
                "revisionId": "A String", # A revision ID.
                "repoId": { # A unique identifier for a Cloud Repo. # The ID of the repo.
                  "uid": "A String", # A server-assigned, globally unique identifier.
                  "projectRepoId": { # Selects a repo using a Google Cloud Platform project ID (e.g., # A combination of a project ID and a repo name.
                      # winged-cargo-31) and a repo name within that project.
                    "projectId": "A String", # The ID of the project.
                    "repoName": "A String", # The name of the repo. Leave empty for the default repo.
                  },
                },
              },
              "labels": { # Labels with user defined metadata.
                "a_key": "A String",
              },
              "gerrit": { # A SourceContext referring to a Gerrit project. # A SourceContext referring to a Gerrit project.
                "aliasContext": { # An alias to a repo revision. # An alias, which may be a branch or tag.
                  "kind": "A String", # The alias kind.
                  "name": "A String", # The alias name.
                },
                "revisionId": "A String", # A revision (commit) ID.
                "hostUri": "A String", # The URI of a running Gerrit instance.
                "gerritProject": "A String", # The full project name within the host. Projects may be nested, so
                    # "project/subproject" is a valid project name. The "repo name" is the
                    # hostURI/project.
              },
            },
          },
          "buildOptions": { # Special options applied to this build. This is a catch-all field where
              # build providers can enter any desired additional details.
            "a_key": "A String",
          },
          "creator": "A String", # E-mail address of the user who initiated this build. Note that this was the
              # user's e-mail address at the time the build was initiated; this address may
              # not represent the same end-user for all time.
          "projectId": "A String", # ID of the project.
          "builderVersion": "A String", # Version string of the builder at the time this build was executed.
          "createTime": "A String", # Time at which the build was created.
          "builtArtifacts": [ # Output of the build.
            { # Artifact describes a build product.
              "checksum": "A String", # Hash or checksum value of a binary, or Docker Registry 2.0 digest of a
                  # container.
              "id": "A String", # Artifact ID, if any; for container images, this will be a URL by digest
                  # like `gcr.io/projectID/imagename@sha256:123456`.
              "names": [ # Related artifact names. This may be the path to a binary or jar file, or in
                  # the case of a container build, the name used to push the container image to
                  # Google Container Registry, as presented to `docker push`. Note that a
                  # single Artifact ID can have multiple names, for example if two tags are
                  # applied to one image.
                "A String",
              ],
            },
          ],
          "triggerId": "A String", # Trigger identifier if the build was triggered automatically; empty if not.
          "startTime": "A String", # Time at which execution of the build was started.
          "endTime": "A String", # Time at which execution of the build was finished.
          "id": "A String", # Required. Unique identifier of the build.
          "logsUri": "A String", # URI where any logs for this provenance were written.
        },
        "provenanceBytes": "A String", # Serialized JSON representation of the provenance, used in generating the
            # build signature in the corresponding build note. After verifying the
            # signature, `provenance_bytes` can be unmarshalled and compared to the
            # provenance to confirm that it is unchanged. A base64-encoded string
            # representation of the provenance bytes is used for the signature in order
            # to interoperate with openssl which expects this format for signature
            # verification.
            #
            # The serialized form is captured both to avoid ambiguity in how the
            # provenance is marshalled to json as well to prevent incompatibilities with
            # future changes.
      },
      "deployment": { # Details of a deployment occurrence. # Describes the deployment of an artifact on a runtime.
        "deployment": { # The period during which some deployable was active in a runtime. # Required. Deployment history for the resource.
          "resourceUri": [ # Output only. Resource URI for the artifact being deployed taken from
              # the deployable field with the same name.
            "A String",
          ],
          "userEmail": "A String", # Identity of the user that triggered this deployment.
          "address": "A String", # Address of the runtime element hosting this deployment.
          "platform": "A String", # Platform hosting this deployment.
          "deployTime": "A String", # Required. Beginning of the lifetime of this deployment.
          "undeployTime": "A String", # End of the lifetime of this deployment.
          "config": "A String", # Configuration used to create this deployment.
        },
      },
      "remediation": "A String", # A description of actions that can be taken to remedy the note.
      "installation": { # Details of a package occurrence. # Describes the installation of a package on the linked resource.
        "installation": { # This represents how a particular software package may be installed on a # Required. Where the package was installed.
            # system.
          "location": [ # Required. All of the places within the filesystem versions of this package
              # have been found.
            { # An occurrence of a particular package installation found within a system's
                # filesystem. E.g., glibc was found in `/var/lib/dpkg/status`.
              "path": "A String", # The path from which we gathered that this package/version is installed.
              "cpeUri": "A String", # Required. The CPE URI in [CPE format](https://cpe.mitre.org/specification/)
                  # denoting the package manager version distributing a package.
              "version": { # Version contains structured information about the version of a package. # The version installed at this location.
                "epoch": 42, # Used to correct mistakes in the version numbering scheme.
                "kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal
                    # versions.
                "name": "A String", # Required only when version kind is NORMAL. The main part of the version
                    # name.
                "revision": "A String", # The iteration of the package build from the above version.
              },
            },
          ],
          "name": "A String", # Output only. The name of the installed package.
        },
      },
      "createTime": "A String", # Output only. The time this occurrence was created.
      "derivedImage": { # Details of an image occurrence. # Describes how this resource derives from the basis in the associated
          # note.
        "derivedImage": { # Derived describes the derived image portion (Occurrence) of the DockerImage # Required. Immutable. The child image derived from the base image.
            # relationship. This image would be produced from a Dockerfile with FROM
            # <DockerImage.Basis in attached Note>.
          "distance": 42, # Output only. The number of layers by which this image differs from the
              # associated image basis.
          "baseResourceUrl": "A String", # Output only. This contains the base image URL for the derived image
              # occurrence.
          "layerInfo": [ # This contains layer-specific metadata, if populated it has length
              # "distance" and is ordered with [distance] being the layer immediately
              # following the base image and [1] being the final layer.
            { # Layer holds metadata specific to a layer of a Docker image.
              "arguments": "A String", # The recovered arguments to the Dockerfile directive.
              "directive": "A String", # Required. The recovered Dockerfile directive used to construct this layer.
            },
          ],
          "fingerprint": { # A set of properties that uniquely identify a given Docker image. # Required. The fingerprint of the derived image.
            "v1Name": "A String", # Required. The layer ID of the final layer in the Docker image's v1
                # representation.
            "v2Name": "A String", # Output only. The name of the image's v2 blobs computed via:
                # [bottom] := v2_blobbottom := sha256(v2_blob[N] + " " + v2_name[N+1])
                # Only the name of the final blob is kept.
            "v2Blob": [ # Required. The ordered list of v2 blobs that represent a given image.
              "A String",
            ],
          },
        },
      },
      "noteName": "A String", # Required. Immutable. The analysis note associated with this occurrence, in
          # the form of `projects/[PROVIDER_ID]/notes/[NOTE_ID]`. This field can be
          # used as a filter in list requests.
    }</pre>
</div>

<div class="method">
    <code class="details" id="delete">delete(name, x__xgafv=None)</code>
  <pre>Deletes the specified occurrence. For example, use this method to delete an
occurrence when the occurrence is no longer applicable for the given
resource.

Args:
  name: string, The name of the occurrence in the form of
`projects/[PROJECT_ID]/occurrences/[OCCURRENCE_ID]`. (required)
  x__xgafv: string, V1 error format.
    Allowed values
      1 - v1 error format
      2 - v2 error format

Returns:
  An object of the form:

    { # A generic empty message that you can re-use to avoid defining duplicated
        # empty messages in your APIs. A typical example is to use it as the request
        # or the response type of an API method. For instance:
        #
        #     service Foo {
        #       rpc Bar(google.protobuf.Empty) returns (google.protobuf.Empty);
        #     }
        #
        # The JSON representation for `Empty` is empty JSON object `{}`.
    }</pre>
</div>

<div class="method">
    <code class="details" id="get">get(name, x__xgafv=None)</code>
  <pre>Gets the specified occurrence.

Args:
  name: string, The name of the occurrence in the form of
`projects/[PROJECT_ID]/occurrences/[OCCURRENCE_ID]`. (required)
  x__xgafv: string, V1 error format.
    Allowed values
      1 - v1 error format
      2 - v2 error format

Returns:
  An object of the form:

    { # An instance of an analysis type that has been found on a resource.
      "kind": "A String", # Output only. This explicitly denotes which of the occurrence details are
          # specified. This field can be used as a filter in list requests.
      "resource": { # An entity that can have metadata. For example, a Docker image. # Required. Immutable. The resource for which the occurrence applies.
        "contentHash": { # Container message for hash values. # Deprecated, do not use. Use uri instead.
            #
            # The hash of the resource content. For example, the Docker digest.
          "type": "A String", # Required. The type of hash that was performed.
          "value": "A String", # Required. The hash value.
        },
        "uri": "A String", # Required. The unique URI of the resource. For example,
            # `https://gcr.io/project/image@sha256:foo` for a Docker image.
        "name": "A String", # Deprecated, do not use. Use uri instead.
            #
            # The name of the resource. For example, the name of a Docker image -
            # "Debian".
      },
      "name": "A String", # Output only. The name of the occurrence in the form of
          # `projects/[PROJECT_ID]/occurrences/[OCCURRENCE_ID]`.
      "vulnerability": { # Details of a vulnerability Occurrence. # Describes a security vulnerability.
        "cvssScore": 3.14, # Output only. The CVSS score of this vulnerability. CVSS score is on a
            # scale of 0-10 where 0 indicates low severity and 10 indicates high
            # severity.
        "severity": "A String", # Output only. The note provider assigned Severity of the vulnerability.
        "type": "A String", # The type of package; whether native or non native (ruby gems, node.js
            # packages etc)
        "effectiveSeverity": "A String", # The distro assigned severity for this vulnerability when it is
            # available, and note provider assigned severity when distro has not yet
            # assigned a severity for this vulnerability.
        "relatedUrls": [ # Output only. URLs related to this vulnerability.
          { # Metadata for any related URL information.
            "url": "A String", # Specific URL associated with the resource.
            "label": "A String", # Label to describe usage of the URL.
          },
        ],
        "packageIssue": [ # Required. The set of affected locations and their fixes (if available)
            # within the associated resource.
          { # This message wraps a location affected by a vulnerability and its
              # associated fix (if one is available).
            "severityName": "A String", # Deprecated, use Details.effective_severity instead
                # The severity (e.g., distro assigned severity) for this vulnerability.
            "affectedLocation": { # The location of the vulnerability. # Required. The location of the vulnerability.
              "cpeUri": "A String", # Required. The CPE URI in [cpe format](https://cpe.mitre.org/specification/)
                  # format. Examples include distro or storage location for vulnerable jar.
              "version": { # Version contains structured information about the version of a package. # Required. The version of the package being described.
                "epoch": 42, # Used to correct mistakes in the version numbering scheme.
                "kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal
                    # versions.
                "name": "A String", # Required only when version kind is NORMAL. The main part of the version
                    # name.
                "revision": "A String", # The iteration of the package build from the above version.
              },
              "package": "A String", # Required. The package being described.
            },
            "fixedLocation": { # The location of the vulnerability. # The location of the available fix for vulnerability.
              "cpeUri": "A String", # Required. The CPE URI in [cpe format](https://cpe.mitre.org/specification/)
                  # format. Examples include distro or storage location for vulnerable jar.
              "version": { # Version contains structured information about the version of a package. # Required. The version of the package being described.
                "epoch": 42, # Used to correct mistakes in the version numbering scheme.
                "kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal
                    # versions.
                "name": "A String", # Required only when version kind is NORMAL. The main part of the version
                    # name.
                "revision": "A String", # The iteration of the package build from the above version.
              },
              "package": "A String", # Required. The package being described.
            },
          },
        ],
        "longDescription": "A String", # Output only. A detailed description of this vulnerability.
        "shortDescription": "A String", # Output only. A one sentence description of this vulnerability.
      },
      "updateTime": "A String", # Output only. The time this occurrence was last updated.
      "discovered": { # Details of a discovery occurrence. # Describes when a resource was discovered.
        "discovered": { # Provides information about the analysis status of a discovered resource. # Required. Analysis status for the discovered resource.
          "lastAnalysisTime": "A String", # The last time continuous analysis was done for this resource.
              # Deprecated, do not use.
          "analysisStatus": "A String", # The status of discovery for the resource.
          "continuousAnalysis": "A String", # Whether the resource is continuously analyzed.
          "analysisStatusError": { # The `Status` type defines a logical error model that is suitable for # When an error is encountered this will contain a LocalizedMessage under
              # details to show to the user. The LocalizedMessage is output only and
              # populated by the API.
              # different programming environments, including REST APIs and RPC APIs. It is
              # used by [gRPC](https://github.com/grpc). Each `Status` message contains
              # three pieces of data: error code, error message, and error details.
              #
              # You can find out more about this error model and how to work with it in the
              # [API Design Guide](https://cloud.google.com/apis/design/errors).
            "message": "A String", # A developer-facing error message, which should be in English. Any
                # user-facing error message should be localized and sent in the
                # google.rpc.Status.details field, or localized by the client.
            "code": 42, # The status code, which should be an enum value of google.rpc.Code.
            "details": [ # A list of messages that carry the error details. There is a common set of
                # message types for APIs to use.
              {
                "a_key": "", # Properties of the object. Contains field @type with type URL.
              },
            ],
          },
        },
      },
      "attestation": { # Details of an attestation occurrence. # Describes an attestation of an artifact.
        "attestation": { # Occurrence that represents a single "attestation". The authenticity of an # Required. Attestation for the resource.
            # attestation can be verified using the attached signature. If the verifier
            # trusts the public key of the signer, then verifying the signature is
            # sufficient to establish trust. In this circumstance, the authority to which
            # this attestation is attached is primarily useful for look-up (how to find
            # this attestation if you already know the authority and artifact to be
            # verified) and intent (which authority was this attestation intended to sign
            # for).
          "pgpSignedAttestation": { # An attestation wrapper with a PGP-compatible signature. This message only # A PGP signed attestation.
              # supports `ATTACHED` signatures, where the payload that is signed is included
              # alongside the signature itself in the same file.
            "pgpKeyId": "A String", # The cryptographic fingerprint of the key used to generate the signature,
                # as output by, e.g. `gpg --list-keys`. This should be the version 4, full
                # 160-bit fingerprint, expressed as a 40 character hexadecimal string. See
                # https://tools.ietf.org/html/rfc4880#section-12.2 for details.
                # Implementations may choose to acknowledge "LONG", "SHORT", or other
                # abbreviated key IDs, but only the full fingerprint is guaranteed to work.
                # In gpg, the full fingerprint can be retrieved from the `fpr` field
                # returned when calling --list-keys with --with-colons. For example:
                # ```
                # gpg --with-colons --with-fingerprint --force-v4-certs \
                #     --list-keys attester@example.com
                # tru::1:1513631572:0:3:1:5
                # pub:...<SNIP>...
                # fpr:::::::::24FF6481B76AC91E66A00AC657A93A81EF3AE6FB:
                # ```
                # Above, the fingerprint is `24FF6481B76AC91E66A00AC657A93A81EF3AE6FB`.
            "contentType": "A String", # Type (for example schema) of the attestation payload that was signed.
                # The verifier must ensure that the provided type is one that the verifier
                # supports, and that the attestation payload is a valid instantiation of that
                # type (for example by validating a JSON schema).
            "signature": "A String", # Required. The raw content of the signature, as output by GNU Privacy Guard
                # (GPG) or equivalent. Since this message only supports attached signatures,
                # the payload that was signed must be attached. While the signature format
                # supported is dependent on the verification implementation, currently only
                # ASCII-armored (`--armor` to gpg), non-clearsigned (`--sign` rather than
                # `--clearsign` to gpg) are supported. Concretely, `gpg --sign --armor
                # --output=signature.gpg payload.json` will create the signature content
                # expected in this field in `signature.gpg` for the `payload.json`
                # attestation payload.
          },
          "genericSignedAttestation": { # An attestation wrapper that uses the Grafeas `Signature` message.
              # This attestation must define the `serialized_payload` that the `signatures`
              # verify and any metadata necessary to interpret that plaintext. The
              # signatures should always be over the `serialized_payload` bytestring.
            "signatures": [ # One or more signatures over `serialized_payload`. Verifier implementations
                # should consider this attestation message verified if at least one
                # `signature` verifies `serialized_payload`. See `Signature` in common.proto
                # for more details on signature structure and verification.
              { # Verifiers (e.g. Kritis implementations) MUST verify signatures
                  # with respect to the trust anchors defined in policy (e.g. a Kritis policy).
                  # Typically this means that the verifier has been configured with a map from
                  # `public_key_id` to public key material (and any required parameters, e.g.
                  # signing algorithm).
                  #
                  # In particular, verification implementations MUST NOT treat the signature
                  # `public_key_id` as anything more than a key lookup hint. The `public_key_id`
                  # DOES NOT validate or authenticate a public key; it only provides a mechanism
                  # for quickly selecting a public key ALREADY CONFIGURED on the verifier through
                  # a trusted channel. Verification implementations MUST reject signatures in any
                  # of the following circumstances:
                  #   * The `public_key_id` is not recognized by the verifier.
                  #   * The public key that `public_key_id` refers to does not verify the
                  #     signature with respect to the payload.
                  #
                  # The `signature` contents SHOULD NOT be "attached" (where the payload is
                  # included with the serialized `signature` bytes). Verifiers MUST ignore any
                  # "attached" payload and only verify signatures with respect to explicitly
                  # provided payload (e.g. a `payload` field on the proto message that holds
                  # this Signature, or the canonical serialization of the proto message that
                  # holds this signature).
                "publicKeyId": "A String", # The identifier for the public key that verifies this signature.
                    #   * The `public_key_id` is required.
                    #   * The `public_key_id` MUST be an RFC3986 conformant URI.
                    #   * When possible, the `public_key_id` SHOULD be an immutable reference,
                    #     such as a cryptographic digest.
                    #
                    # Examples of valid `public_key_id`s:
                    #
                    # OpenPGP V4 public key fingerprint:
                    #   * "openpgp4fpr:74FAF3B861BDA0870C7B6DEF607E48D2A663AEEA"
                    # See https://www.iana.org/assignments/uri-schemes/prov/openpgp4fpr for more
                    # details on this scheme.
                    #
                    # RFC6920 digest-named SubjectPublicKeyInfo (digest of the DER
                    # serialization):
                    #   * "ni:///sha-256;cD9o9Cq6LG3jD0iKXqEi_vdjJGecm_iXkbqVoScViaU"
                    #   * "nih:///sha-256;703f68f42aba2c6de30f488a5ea122fef76324679c9bf89791ba95a1271589a5"
                "signature": "A String", # The content of the signature, an opaque bytestring.
                    # The payload that this signature verifies MUST be unambiguously provided
                    # with the Signature during verification. A wrapper message might provide
                    # the payload explicitly. Alternatively, a message might have a canonical
                    # serialization that can always be unambiguously computed to derive the
                    # payload.
              },
            ],
            "contentType": "A String", # Type (for example schema) of the attestation payload that was signed.
                # The verifier must ensure that the provided type is one that the verifier
                # supports, and that the attestation payload is a valid instantiation of that
                # type (for example by validating a JSON schema).
            "serializedPayload": "A String", # The serialized payload that is verified by one or more `signatures`.
                # The encoding and semantic meaning of this payload must match what is set in
                # `content_type`.
          },
        },
      },
      "build": { # Details of a build occurrence. # Describes a verifiable build.
        "provenance": { # Provenance of a build. Contains all information needed to verify the full # Required. The actual provenance for the build.
            # details about the build from source to completion.
          "commands": [ # Commands requested by the build.
            { # Command describes a step performed as part of the build pipeline.
              "waitFor": [ # The ID(s) of the command(s) that this command depends on.
                "A String",
              ],
              "name": "A String", # Required. Name of the command, as presented on the command line, or if the
                  # command is packaged as a Docker container, as presented to `docker pull`.
2218 "args": [ # Command-line arguments used when executing this command. 2219 "A String", 2220 ], 2221 "env": [ # Environment variables set before running this command. 2222 "A String", 2223 ], 2224 "id": "A String", # Optional unique identifier for this command, used in wait_for to reference 2225 # this command as a dependency. 2226 "dir": "A String", # Working directory (relative to project source root) used when running this 2227 # command. 2228 }, 2229 ], 2230 "sourceProvenance": { # Source describes the location of the source used for the build. # Details of the Source input to the build. 2231 "fileHashes": { # Hash(es) of the build source, which can be used to verify that the original 2232 # source integrity was maintained in the build. 2233 # 2234 # The keys to this map are file paths used as build source and the values 2235 # contain the hash values for those files. 2236 # 2237 # If the build source came in a single package such as a gzipped tarfile 2238 # (.tar.gz), the FileHash will be for the single path to that file. 2239 "a_key": { # Container message for hashes of byte content of files, used in source 2240 # messages to verify integrity of source input to the build. 2241 "fileHash": [ # Required. Collection of file hashes. 2242 { # Container message for hash values. 2243 "type": "A String", # Required. The type of hash that was performed. 2244 "value": "A String", # Required. The hash value. 2245 }, 2246 ], 2247 }, 2248 }, 2249 "artifactStorageSourceUri": "A String", # If provided, the input binary artifacts for the build came from this 2250 # location. 2251 "additionalContexts": [ # If provided, some of the source code used for the build may be found in 2252 # these locations, in the case where the source repository had multiple 2253 # remotes or submodules. This list will not include the context specified in 2254 # the context field. 2255 { # A SourceContext is a reference to a tree of files. 
A SourceContext together
                  # with a path point to a unique revision of a single file or directory.
                "git": { # A GitSourceContext denotes a particular revision in a third party Git # A SourceContext referring to any third party Git repo (e.g., GitHub).
                    # repository (e.g., GitHub).
                  "url": "A String", # Git repository URL.
                  "revisionId": "A String", # Git commit hash.
                },
                "cloudRepo": { # A CloudRepoSourceContext denotes a particular revision in a Google Cloud # A SourceContext referring to a revision in a Google Cloud Source Repo.
                    # Source Repo.
                  "aliasContext": { # An alias to a repo revision. # An alias, which may be a branch or tag.
                    "kind": "A String", # The alias kind.
                    "name": "A String", # The alias name.
                  },
                  "revisionId": "A String", # A revision ID.
                  "repoId": { # A unique identifier for a Cloud Repo. # The ID of the repo.
                    "uid": "A String", # A server-assigned, globally unique identifier.
                    "projectRepoId": { # Selects a repo using a Google Cloud Platform project ID (e.g., # A combination of a project ID and a repo name.
                        # winged-cargo-31) and a repo name within that project.
                      "projectId": "A String", # The ID of the project.
                      "repoName": "A String", # The name of the repo. Leave empty for the default repo.
                    },
                  },
                },
                "labels": { # Labels with user defined metadata.
                  "a_key": "A String",
                },
                "gerrit": { # A SourceContext referring to a Gerrit project. # A SourceContext referring to a Gerrit project.
                  "aliasContext": { # An alias to a repo revision. # An alias, which may be a branch or tag.
                    "kind": "A String", # The alias kind.
                    "name": "A String", # The alias name.
                  },
                  "revisionId": "A String", # A revision (commit) ID.
                  "hostUri": "A String", # The URI of a running Gerrit instance.
                  "gerritProject": "A String", # The full project name within the host.
Projects may be nested, so
                      # "project/subproject" is a valid project name. The "repo name" is the
                      # hostURI/project.
                },
              },
            ],
            "context": { # A SourceContext is a reference to a tree of files. A SourceContext together # If provided, the source code used for the build came from this location.
                # with a path point to a unique revision of a single file or directory.
              "git": { # A GitSourceContext denotes a particular revision in a third party Git # A SourceContext referring to any third party Git repo (e.g., GitHub).
                  # repository (e.g., GitHub).
                "url": "A String", # Git repository URL.
                "revisionId": "A String", # Git commit hash.
              },
              "cloudRepo": { # A CloudRepoSourceContext denotes a particular revision in a Google Cloud # A SourceContext referring to a revision in a Google Cloud Source Repo.
                  # Source Repo.
                "aliasContext": { # An alias to a repo revision. # An alias, which may be a branch or tag.
                  "kind": "A String", # The alias kind.
                  "name": "A String", # The alias name.
                },
                "revisionId": "A String", # A revision ID.
                "repoId": { # A unique identifier for a Cloud Repo. # The ID of the repo.
                  "uid": "A String", # A server-assigned, globally unique identifier.
                  "projectRepoId": { # Selects a repo using a Google Cloud Platform project ID (e.g., # A combination of a project ID and a repo name.
                      # winged-cargo-31) and a repo name within that project.
                    "projectId": "A String", # The ID of the project.
                    "repoName": "A String", # The name of the repo. Leave empty for the default repo.
                  },
                },
              },
              "labels": { # Labels with user defined metadata.
                "a_key": "A String",
              },
              "gerrit": { # A SourceContext referring to a Gerrit project. # A SourceContext referring to a Gerrit project.
                "aliasContext": { # An alias to a repo revision. # An alias, which may be a branch or tag.
                  "kind": "A String", # The alias kind.
                  "name": "A String", # The alias name.
                },
                "revisionId": "A String", # A revision (commit) ID.
                "hostUri": "A String", # The URI of a running Gerrit instance.
                "gerritProject": "A String", # The full project name within the host. Projects may be nested, so
                    # "project/subproject" is a valid project name. The "repo name" is the
                    # hostURI/project.
              },
            },
          },
          "buildOptions": { # Special options applied to this build. This is a catch-all field where
              # build providers can enter any desired additional details.
            "a_key": "A String",
          },
          "creator": "A String", # E-mail address of the user who initiated this build. Note that this was the
              # user's e-mail address at the time the build was initiated; this address may
              # not represent the same end-user for all time.
          "projectId": "A String", # ID of the project.
          "builderVersion": "A String", # Version string of the builder at the time this build was executed.
          "createTime": "A String", # Time at which the build was created.
          "builtArtifacts": [ # Output of the build.
            { # Artifact describes a build product.
              "checksum": "A String", # Hash or checksum value of a binary, or Docker Registry 2.0 digest of a
                  # container.
              "id": "A String", # Artifact ID, if any; for container images, this will be a URL by digest
                  # like `gcr.io/projectID/imagename@sha256:123456`.
              "names": [ # Related artifact names. This may be the path to a binary or jar file, or in
                  # the case of a container build, the name used to push the container image to
                  # Google Container Registry, as presented to `docker push`. Note that a
                  # single Artifact ID can have multiple names, for example if two tags are
                  # applied to one image.
                "A String",
              ],
            },
          ],
          "triggerId": "A String", # Trigger identifier if the build was triggered automatically; empty if not.
          "startTime": "A String", # Time at which execution of the build was started.
          "endTime": "A String", # Time at which execution of the build was finished.
          "id": "A String", # Required. Unique identifier of the build.
          "logsUri": "A String", # URI where any logs for this provenance were written.
        },
        "provenanceBytes": "A String", # Serialized JSON representation of the provenance, used in generating the
            # build signature in the corresponding build note. After verifying the
            # signature, `provenance_bytes` can be unmarshalled and compared to the
            # provenance to confirm that it is unchanged. A base64-encoded string
            # representation of the provenance bytes is used for the signature in order
            # to interoperate with openssl which expects this format for signature
            # verification.
            #
            # The serialized form is captured both to avoid ambiguity in how the
            # provenance is marshalled to json as well as to prevent incompatibilities with
            # future changes.
      },
      "deployment": { # Details of a deployment occurrence. # Describes the deployment of an artifact on a runtime.
        "deployment": { # The period during which some deployable was active in a runtime. # Required. Deployment history for the resource.
          "resourceUri": [ # Output only. Resource URI for the artifact being deployed taken from
              # the deployable field with the same name.
            "A String",
          ],
          "userEmail": "A String", # Identity of the user that triggered this deployment.
          "address": "A String", # Address of the runtime element hosting this deployment.
          "platform": "A String", # Platform hosting this deployment.
          "deployTime": "A String", # Required. Beginning of the lifetime of this deployment.
          "undeployTime": "A String", # End of the lifetime of this deployment.
          "config": "A String", # Configuration used to create this deployment.
        },
      },
      "remediation": "A String", # A description of actions that can be taken to remedy the note.
      "installation": { # Details of a package occurrence. # Describes the installation of a package on the linked resource.
        "installation": { # This represents how a particular software package may be installed on a # Required. Where the package was installed.
            # system.
          "location": [ # Required. All of the places within the filesystem where versions of this package
              # have been found.
            { # An occurrence of a particular package installation found within a system's
                # filesystem. E.g., glibc was found in `/var/lib/dpkg/status`.
              "path": "A String", # The path from which we gathered that this package/version is installed.
              "cpeUri": "A String", # Required. The CPE URI in [CPE format](https://cpe.mitre.org/specification/)
                  # denoting the package manager version distributing a package.
              "version": { # Version contains structured information about the version of a package. # The version installed at this location.
                "epoch": 42, # Used to correct mistakes in the version numbering scheme.
                "kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal
                    # versions.
                "name": "A String", # Required only when version kind is NORMAL. The main part of the version
                    # name.
                "revision": "A String", # The iteration of the package build from the above version.
              },
            },
          ],
          "name": "A String", # Output only. The name of the installed package.
        },
      },
      "createTime": "A String", # Output only. The time this occurrence was created.
      "derivedImage": { # Details of an image occurrence. # Describes how this resource derives from the basis in the associated
          # note.
        "derivedImage": { # Derived describes the derived image portion (Occurrence) of the DockerImage # Required. Immutable. The child image derived from the base image.
            # relationship.
This image would be produced from a Dockerfile with FROM
            # &lt;DockerImage.Basis in attached Note&gt;.
          "distance": 42, # Output only. The number of layers by which this image differs from the
              # associated image basis.
          "baseResourceUrl": "A String", # Output only. This contains the base image URL for the derived image
              # occurrence.
          "layerInfo": [ # This contains layer-specific metadata, if populated it has length
              # "distance" and is ordered with [distance] being the layer immediately
              # following the base image and [1] being the final layer.
            { # Layer holds metadata specific to a layer of a Docker image.
              "arguments": "A String", # The recovered arguments to the Dockerfile directive.
              "directive": "A String", # Required. The recovered Dockerfile directive used to construct this layer.
            },
          ],
          "fingerprint": { # A set of properties that uniquely identify a given Docker image. # Required. The fingerprint of the derived image.
            "v1Name": "A String", # Required. The layer ID of the final layer in the Docker image's v1
                # representation.
            "v2Name": "A String", # Output only. The name of the image's v2 blobs computed via:
                #   [bottom] := v2_blob[bottom]
                #   [N] := sha256(v2_blob[N] + " " + v2_name[N+1])
                # Only the name of the final blob is kept.
            "v2Blob": [ # Required. The ordered list of v2 blobs that represent a given image.
              "A String",
            ],
          },
        },
      },
      "noteName": "A String", # Required. Immutable. The analysis note associated with this occurrence, in
          # the form of `projects/[PROVIDER_ID]/notes/[NOTE_ID]`. This field can be
          # used as a filter in list requests.
    }</pre>
</div>

<div class="method">
    <code class="details" id="getIamPolicy">getIamPolicy(resource, body=None, x__xgafv=None)</code>
  <pre>Gets the access control policy for a note or an occurrence resource.
Requires `containeranalysis.notes.setIamPolicy` or
`containeranalysis.occurrences.setIamPolicy` permission if the resource is
a note or occurrence, respectively.

The resource takes the format `projects/[PROJECT_ID]/notes/[NOTE_ID]` for
notes and `projects/[PROJECT_ID]/occurrences/[OCCURRENCE_ID]` for
occurrences.

Args:
  resource: string, REQUIRED: The resource for which the policy is being requested.
See the operation documentation for the appropriate value for this field. (required)
  body: object, The request body.
    The object takes the form of:

{ # Request message for `GetIamPolicy` method.
  }

  x__xgafv: string, V1 error format.
    Allowed values
      1 - v1 error format
      2 - v2 error format

Returns:
  An object of the form:

    { # Defines an Identity and Access Management (IAM) policy. It is used to
        # specify access control policies for Cloud Platform resources.
        #
        #
        # A `Policy` consists of a list of `bindings`. A `binding` binds a list of
        # `members` to a `role`, where the members can be user accounts, Google groups,
        # Google domains, and service accounts. A `role` is a named list of permissions
        # defined by IAM.
        #
        # **JSON Example**
        #
        #     {
        #       "bindings": [
        #         {
        #           "role": "roles/owner",
        #           "members": [
        #             "user:mike@example.com",
        #             "group:admins@example.com",
        #             "domain:google.com",
        #             "serviceAccount:my-other-app@appspot.gserviceaccount.com"
        #           ]
        #         },
        #         {
        #           "role": "roles/viewer",
        #           "members": ["user:sean@example.com"]
        #         }
        #       ]
        #     }
        #
        # **YAML Example**
        #
        #     bindings:
        #     - members:
        #       - user:mike@example.com
        #       - group:admins@example.com
        #       - domain:google.com
        #       - serviceAccount:my-other-app@appspot.gserviceaccount.com
        #       role: roles/owner
        #     - members:
        #       - user:sean@example.com
        #       role: roles/viewer
        #
        #
        # For a description of IAM and its features, see the
        # [IAM developer's guide](https://cloud.google.com/iam/docs).
      "auditConfigs": [ # Specifies cloud audit logging configuration for this policy.
        { # Specifies the audit configuration for a service.
            # The configuration determines which permission types are logged, and what
            # identities, if any, are exempted from logging.
            # An AuditConfig must have one or more AuditLogConfigs.
            #
            # If there are AuditConfigs for both `allServices` and a specific service,
            # the union of the two AuditConfigs is used for that service: the log_types
            # specified in each AuditConfig are enabled, and the exempted_members in each
            # AuditLogConfig are exempted.
            #
            # Example Policy with multiple AuditConfigs:
            #
            #     {
            #       "audit_configs": [
            #         {
            #           "service": "allServices",
            #           "audit_log_configs": [
            #             {
            #               "log_type": "DATA_READ",
            #               "exempted_members": [
            #                 "user:foo@gmail.com"
            #               ]
            #             },
            #             {
            #               "log_type": "DATA_WRITE"
            #             },
            #             {
            #               "log_type": "ADMIN_READ"
            #             }
            #           ]
            #         },
            #         {
            #           "service": "fooservice.googleapis.com",
            #           "audit_log_configs": [
            #             {
            #               "log_type": "DATA_READ"
            #             },
            #             {
            #               "log_type": "DATA_WRITE",
            #               "exempted_members": [
            #                 "user:bar@gmail.com"
            #               ]
            #             }
            #           ]
            #         }
            #       ]
            #     }
            #
            # For fooservice, this policy enables DATA_READ, DATA_WRITE and ADMIN_READ
            # logging. It also exempts foo@gmail.com from DATA_READ logging, and
            # bar@gmail.com from DATA_WRITE logging.
          "auditLogConfigs": [ # The configuration for logging of each type of permission.
            { # Provides the configuration for logging a type of permissions.
                # Example:
                #
                #     {
                #       "audit_log_configs": [
                #         {
                #           "log_type": "DATA_READ",
                #           "exempted_members": [
                #             "user:foo@gmail.com"
                #           ]
                #         },
                #         {
                #           "log_type": "DATA_WRITE"
                #         }
                #       ]
                #     }
                #
                # This enables 'DATA_READ' and 'DATA_WRITE' logging, while exempting
                # foo@gmail.com from DATA_READ logging.
              "exemptedMembers": [ # Specifies the identities that do not cause logging for this type of
                  # permission.
                  # Follows the same format of Binding.members.
                "A String",
              ],
              "logType": "A String", # The log type that this config enables.
            },
          ],
          "service": "A String", # Specifies a service that will be enabled for audit logging.
              # For example, `storage.googleapis.com`, `cloudsql.googleapis.com`.
              # `allServices` is a special value that covers all services.
        },
      ],
      "version": 42, # Deprecated.
      "bindings": [ # Associates a list of `members` to a `role`.
          # `bindings` with no members will result in an error.
        { # Associates `members` with a `role`.
          "role": "A String", # Role that is assigned to `members`.
              # For example, `roles/viewer`, `roles/editor`, or `roles/owner`.
          "members": [ # Specifies the identities requesting access for a Cloud Platform resource.
              # `members` can have the following values:
              #
              # * `allUsers`: A special identifier that represents anyone who is
              #    on the internet; with or without a Google account.
              #
              # * `allAuthenticatedUsers`: A special identifier that represents anyone
              #    who is authenticated with a Google account or a service account.
              #
              # * `user:{emailid}`: An email address that represents a specific Google
              #    account. For example, `alice@gmail.com`.
              #
              #
              # * `serviceAccount:{emailid}`: An email address that represents a service
              #    account. For example, `my-other-app@appspot.gserviceaccount.com`.
              #
              # * `group:{emailid}`: An email address that represents a Google group.
              #    For example, `admins@example.com`.
              #
              #
              # * `domain:{domain}`: The G Suite domain (primary) that represents all the
              #    users of that domain. For example, `google.com` or `example.com`.
              #
            "A String",
          ],
          "condition": { # Represents an expression text. Example: # The condition that is associated with this binding.
              # NOTE: An unsatisfied condition will not allow user access via current
              # binding. Different bindings, including their conditions, are examined
              # independently.
              #
              #     title: "User account presence"
              #     description: "Determines whether the request has a user account"
              #     expression: "size(request.user) > 0"
            "location": "A String", # An optional string indicating the location of the expression for error
                # reporting, e.g. a file name and a position in the file.
            "expression": "A String", # Textual representation of an expression in
                # Common Expression Language syntax.
                #
                # The application context of the containing message determines which
                # well-known feature set of CEL is supported.
            "description": "A String", # An optional description of the expression. This is a longer text which
                # describes the expression, e.g. when hovering over it in a UI.
            "title": "A String", # An optional title for the expression, i.e. a short string describing
                # its purpose. This can be used e.g. in UIs that allow entering the
                # expression.
          },
        },
      ],
      "etag": "A String", # `etag` is used for optimistic concurrency control as a way to help
          # prevent simultaneous updates of a policy from overwriting each other.
          # It is strongly suggested that systems make use of the `etag` in the
          # read-modify-write cycle to perform policy updates in order to avoid race
          # conditions: An `etag` is returned in the response to `getIamPolicy`, and
          # systems are expected to put that etag in the request to `setIamPolicy` to
          # ensure that their change will be applied to the same version of the policy.
          #
          # If no `etag` is provided in the call to `setIamPolicy`, then the existing
          # policy is overwritten blindly.
    }</pre>
</div>

<div class="method">
    <code class="details" id="getNotes">getNotes(name, x__xgafv=None)</code>
  <pre>Gets the note attached to the specified occurrence. Consumer projects can
use this method to get a note that belongs to a provider project.

Args:
  name: string, The name of the occurrence in the form of
`projects/[PROJECT_ID]/occurrences/[OCCURRENCE_ID]`. (required)
  x__xgafv: string, V1 error format.
    Allowed values
      1 - v1 error format
      2 - v2 error format

Returns:
  An object of the form:

    { # A type of analysis that can be done for a resource.
      "updateTime": "A String", # Output only. The time this note was last updated. This field can be used as
          # a filter in list requests.
      "relatedNoteNames": [ # Other notes related to this note.
        "A String",
      ],
      "name": "A String", # Output only. The name of the note in the form of
          # `projects/[PROVIDER_ID]/notes/[NOTE_ID]`.
      "package": { # This represents a particular package that is distributed over various # A note describing a package hosted by various package managers.
          # channels. E.g., glibc (aka libc6) is distributed by many, at various
          # versions.
        "distribution": [ # The various channels by which a package is distributed.
          { # This represents a particular channel of distribution for a given package.
              # E.g., Debian's jessie-backports dpkg mirror.
            "cpeUri": "A String", # Required. The cpe_uri in [CPE format](https://cpe.mitre.org/specification/)
                # denoting the package manager version distributing a package.
            "maintainer": "A String", # A freeform string denoting the maintainer of this package.
            "description": "A String", # The distribution channel-specific description of this package.
            "url": "A String", # The distribution channel-specific homepage for this package.
            "architecture": "A String", # The CPU architecture for which packages in this distribution channel were
                # built.
            "latestVersion": { # Version contains structured information about the version of a package. # The latest available version of this package in this distribution channel.
              "epoch": 42, # Used to correct mistakes in the version numbering scheme.
              "kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal
                  # versions.
              "name": "A String", # Required only when version kind is NORMAL. The main part of the version
                  # name.
              "revision": "A String", # The iteration of the package build from the above version.
            },
          },
        ],
        "name": "A String", # Required. Immutable. The name of the package.
      },
      "vulnerability": { # Vulnerability provides metadata about a security vulnerability in a Note. # A note describing a package vulnerability.
        "windowsDetails": [ # Windows details get their own format because the information format and
            # model don't match a normal detail. Specifically Windows updates are done as
            # patches, thus Windows vulnerabilities really are a missing package, rather
            # than a package being at an incorrect version.
          {
            "cpeUri": "A String", # Required. The CPE URI in
                # [cpe format](https://cpe.mitre.org/specification/) in which the
                # vulnerability manifests. Examples include distro or storage location for
                # vulnerable jar.
            "fixingKbs": [ # Required. The names of the KBs which have hotfixes to mitigate this
                # vulnerability. Note that there may be multiple hotfixes (and thus
                # multiple KBs) that mitigate a given vulnerability. Currently, the
                # presence of any listed KB is considered a fix.
              {
                "url": "A String", # A link to the KB in the Windows update catalog -
                    # https://www.catalog.update.microsoft.com/
                "name": "A String", # The KB name (generally of the form KB[0-9]+, e.g. KB123456).
              },
            ],
            "name": "A String", # Required. The name of the vulnerability.
            "description": "A String", # The description of the vulnerability.
          },
        ],
        "cvssV3": { # Common Vulnerability Scoring System version 3. # The full description of the CVSSv3.
            # For details, see https://www.first.org/cvss/specification-document
          "attackComplexity": "A String",
          "attackVector": "A String", # Base Metrics
              # Represents the intrinsic characteristics of a vulnerability that are
              # constant over time and across user environments.
          "availabilityImpact": "A String",
          "userInteraction": "A String",
          "baseScore": 3.14, # The base score is a function of the base metric scores.
          "privilegesRequired": "A String",
          "impactScore": 3.14,
          "exploitabilityScore": 3.14,
          "confidentialityImpact": "A String",
          "integrityImpact": "A String",
          "scope": "A String",
        },
        "cvssScore": 3.14, # The CVSS score for this vulnerability.
        "severity": "A String", # Note provider assigned impact of the vulnerability.
        "details": [ # All information about the package to specifically identify this
            # vulnerability. One entry per (version range and cpe_uri) the package
            # vulnerability has manifested in.
          { # Identifies all appearances of this vulnerability in the package for a
              # specific distro/location. For example: glibc in
              # cpe:/o:debian:debian_linux:8 for versions 2.1 - 2.2
            "severityName": "A String", # The severity (e.g., distro-assigned severity) for this vulnerability.
            "cpeUri": "A String", # Required. The CPE URI in
                # [cpe format](https://cpe.mitre.org/specification/) in which the
                # vulnerability manifests. Examples include distro or storage location for
                # vulnerable jar.
            "description": "A String", # A vendor-specific description of this note.
            "minAffectedVersion": { # Version contains structured information about the version of a package. # The min version of the package in which the vulnerability exists.
              "epoch": 42, # Used to correct mistakes in the version numbering scheme.
              "kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal
                  # versions.
              "name": "A String", # Required only when version kind is NORMAL. The main part of the version
                  # name.
              "revision": "A String", # The iteration of the package build from the above version.
            },
            "package": "A String", # Required. The name of the package where the vulnerability was found.
            "packageType": "A String", # The type of package; whether native or non-native (Ruby gems, Node.js
                # packages, etc.).
            "isObsolete": True or False, # Whether this detail is obsolete. Occurrences are expected not to point to
                # obsolete details.
            "maxAffectedVersion": { # Version contains structured information about the version of a package. # Deprecated, do not use. Use fixed_location instead.
                #
                # The max version of the package in which the vulnerability exists.
              "epoch": 42, # Used to correct mistakes in the version numbering scheme.
              "kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal
                  # versions.
              "name": "A String", # Required only when version kind is NORMAL. The main part of the version
                  # name.
              "revision": "A String", # The iteration of the package build from the above version.
            },
            "fixedLocation": { # The location of the vulnerability. # The fix for this specific package version.
              "cpeUri": "A String", # Required. The CPE URI in [cpe format](https://cpe.mitre.org/specification/).
                  # Examples include distro or storage location for vulnerable jar.
              "version": { # Version contains structured information about the version of a package. # Required. The version of the package being described.
                "epoch": 42, # Used to correct mistakes in the version numbering scheme.
                "kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal
                    # versions.
                "name": "A String", # Required only when version kind is NORMAL. The main part of the version
                    # name.
                "revision": "A String", # The iteration of the package build from the above version.
              },
              "package": "A String", # Required. The package being described.
            },
          },
        ],
      },
      "kind": "A String", # Output only. The type of analysis. This field can be used as a filter in
          # list requests.
      "relatedUrl": [ # URLs associated with this note.
        { # Metadata for any related URL information.
          "url": "A String", # Specific URL associated with the resource.
          "label": "A String", # Label to describe usage of the URL.
        },
      ],
      "longDescription": "A String", # A detailed description of this note.
      "attestationAuthority": { # Note kind that represents a logical attestation "role" or "authority". For # A note describing an attestation role.
          # example, an organization might have one `Authority` for "QA" and one for
          # "build". This note is intended to act strictly as a grouping mechanism for
          # the attached occurrences (Attestations). This grouping mechanism also
          # provides a security boundary, since IAM ACLs gate the ability for a principal
          # to attach an occurrence to a given note. It also provides a single point of
          # lookup to find all attached attestation occurrences, even if they don't all
          # live in the same project.
        "hint": { # This submessage provides human-readable hints about the purpose of the # Hint hints at the purpose of the attestation authority.
            # authority. Because the name of a note acts as its resource reference, it is
            # important to disambiguate the canonical name of the Note (which might be a
            # UUID for security purposes) from "readable" names more suitable for debug
            # output. Note that these hints should not be used to look up authorities in
            # security sensitive contexts, such as when looking up attestations to
            # verify.
          "humanReadableName": "A String", # Required. The human readable name of this attestation authority, for
              # example "qa".
        },
      },
      "build": { # Note holding the version of the provider's builder and the signature of the # A note describing build provenance for a verifiable build.
          # provenance message in the build details occurrence.
        "builderVersion": "A String", # Required. Immutable.
Version of the builder which produced this build.
        "signature": { # Message encapsulating the signature of the verified build. # Signature of the build in occurrences pointing to this build note
            # containing build details.
          "publicKey": "A String", # Public key of the builder which can be used to verify that the related
              # findings are valid and unchanged. If `key_type` is empty, this defaults
              # to PEM encoded public keys.
              #
              # This field may be empty if `key_id` references an external key.
              #
              # For Cloud Build based signatures, this is a PEM encoded public
              # key. To verify the Cloud Build signature, place the contents of
              # this field into a file (public.pem). The signature field is base64-decoded
              # into its binary representation in signature.bin, and the provenance bytes
              # from `BuildDetails` are base64-decoded into a binary representation in
              # signed.bin. OpenSSL can then verify the signature:
              # `openssl sha256 -verify public.pem -signature signature.bin signed.bin`
          "keyType": "A String", # The type of the key, either stored in `public_key` or referenced in
              # `key_id`.
          "keyId": "A String", # An ID for the key used to sign. This could be either an ID for the key
              # stored in `public_key` (such as the ID or fingerprint for a PGP key, or the
              # CN for a cert), or a reference to an external key (such as a reference to a
              # key in Cloud Key Management Service).
          "signature": "A String", # Required. Signature of the related `BuildProvenance`. In JSON, this is
              # base-64 encoded.
        },
      },
      "baseImage": { # Basis describes the base image portion (Note) of the DockerImage # A note describing a base image.
          # relationship. Linked occurrences are derived from this or an
          # equivalent image via:
          #   FROM &lt;Basis.resource_url&gt;
          # Or an equivalent reference, e.g. a tag of the resource_url.
        "resourceUrl": "A String", # Required. Immutable.
            # The resource_url for the resource representing the
            # basis of associated occurrence images.
        "fingerprint": { # A set of properties that uniquely identify a given Docker image. # Required. Immutable. The fingerprint of the base image.
          "v1Name": "A String", # Required. The layer ID of the final layer in the Docker image's v1
              # representation.
          "v2Name": "A String", # Output only. The name of the image's v2 blobs computed via:
              #   [bottom] := v2_blob[bottom]
              #   [N] := sha256(v2_blob[N] + " " + v2_name[N+1])
              # Only the name of the final blob is kept.
          "v2Blob": [ # Required. The ordered list of v2 blobs that represent a given image.
            "A String",
          ],
        },
      },
      "expirationTime": "A String", # Time of expiration for this note. Empty if note does not expire.
      "deployable": { # An artifact that can be deployed in some runtime. # A note describing something that can be deployed.
        "resourceUri": [ # Required. Resource URI for the artifact being deployed.
          "A String",
        ],
      },
      "shortDescription": "A String", # A one sentence description of this note.
      "createTime": "A String", # Output only. The time this note was created. This field can be used as a
          # filter in list requests.
      "discovery": { # A note that indicates a type of analysis a provider would perform. This note # A note describing the initial analysis of a resource.
          # exists in a provider's project. A `Discovery` occurrence is created in a
          # consumer's project at the start of analysis.
        "analysisKind": "A String", # Required. Immutable. The kind of analysis that is handled by this
            # discovery.
      },
    }</pre>
</div>

<div class="method">
    <code class="details" id="getVulnerabilitySummary">getVulnerabilitySummary(parent, x__xgafv=None, filter=None)</code>
  <pre>Gets a summary of the number and severity of occurrences.

Args:
  parent: string, The name of the project to get a vulnerability summary for in the form of
`projects/[PROJECT_ID]`. (required)
  x__xgafv: string, V1 error format.
    Allowed values
      1 - v1 error format
      2 - v2 error format
  filter: string, The filter expression.

Returns:
  An object of the form:

    { # A summary of how many vulnerability occurrences there are per resource and
        # severity type.
      "counts": [ # A listing by resource of the number of fixable and total vulnerabilities.
        { # Per resource and severity counts of fixable and total vulnerabilities.
          "totalCount": "A String", # The total number of vulnerabilities associated with this resource.
          "resource": { # An entity that can have metadata. For example, a Docker image. # The affected resource.
            "contentHash": { # Container message for hash values. # Deprecated, do not use. Use uri instead.
                #
                # The hash of the resource content. For example, the Docker digest.
              "type": "A String", # Required. The type of hash that was performed.
              "value": "A String", # Required. The hash value.
            },
            "uri": "A String", # Required. The unique URI of the resource. For example,
                # `https://gcr.io/project/image@sha256:foo` for a Docker image.
            "name": "A String", # Deprecated, do not use. Use uri instead.
                #
                # The name of the resource. For example, the name of a Docker image -
                # "Debian".
          },
          "severity": "A String", # The severity for this count. SEVERITY_UNSPECIFIED indicates total across
              # all severities.
          "fixableCount": "A String", # The number of fixable vulnerabilities associated with this resource.
        },
      ],
    }</pre>
</div>

<div class="method">
    <code class="details" id="list">list(parent, pageSize=None, pageToken=None, x__xgafv=None, filter=None)</code>
  <pre>Lists occurrences for the specified project.

Args:
  parent: string, The name of the project to list occurrences for in the form of
`projects/[PROJECT_ID]`. (required)
  pageSize: integer, Number of occurrences to return in the list. Must be positive. Max allowed
page size is 1000. If not specified, page size defaults to 20.
  pageToken: string, Token to provide to skip to a particular spot in the list.
  x__xgafv: string, V1 error format.
    Allowed values
      1 - v1 error format
      2 - v2 error format
  filter: string, The filter expression.

Returns:
  An object of the form:

    { # Response for listing occurrences.
      "nextPageToken": "A String", # The next pagination token in the list response. It should be used as
          # `page_token` for the following request. An empty value means no more
          # results.
      "occurrences": [ # The occurrences requested.
        { # An instance of an analysis type that has been found on a resource.
          "kind": "A String", # Output only. This explicitly denotes which of the occurrence details are
              # specified. This field can be used as a filter in list requests.
          "resource": { # An entity that can have metadata. For example, a Docker image. # Required. Immutable. The resource for which the occurrence applies.
            "contentHash": { # Container message for hash values. # Deprecated, do not use. Use uri instead.
                #
                # The hash of the resource content. For example, the Docker digest.
              "type": "A String", # Required. The type of hash that was performed.
              "value": "A String", # Required. The hash value.
            },
            "uri": "A String", # Required. The unique URI of the resource. For example,
                # `https://gcr.io/project/image@sha256:foo` for a Docker image.
            "name": "A String", # Deprecated, do not use. Use uri instead.
                #
                # The name of the resource. For example, the name of a Docker image -
                # "Debian".
          },
          "name": "A String", # Output only.
              # The name of the occurrence in the form of
              # `projects/[PROJECT_ID]/occurrences/[OCCURRENCE_ID]`.
          "vulnerability": { # Details of a vulnerability Occurrence. # Describes a security vulnerability.
            "cvssScore": 3.14, # Output only. The CVSS score of this vulnerability. CVSS score is on a
                # scale of 0-10 where 0 indicates low severity and 10 indicates high
                # severity.
            "severity": "A String", # Output only. The note provider assigned Severity of the vulnerability.
            "type": "A String", # The type of package; whether native or non native (ruby gems, node.js
                # packages etc)
            "effectiveSeverity": "A String", # The distro assigned severity for this vulnerability when it is
                # available, and note provider assigned severity when distro has not yet
                # assigned a severity for this vulnerability.
            "relatedUrls": [ # Output only. URLs related to this vulnerability.
              { # Metadata for any related URL information.
                "url": "A String", # Specific URL associated with the resource.
                "label": "A String", # Label to describe usage of the URL.
              },
            ],
            "packageIssue": [ # Required. The set of affected locations and their fixes (if available)
                # within the associated resource.
              { # This message wraps a location affected by a vulnerability and its
                  # associated fix (if one is available).
                "severityName": "A String", # Deprecated, use Details.effective_severity instead
                    # The severity (e.g., distro assigned severity) for this vulnerability.
                "affectedLocation": { # The location of the vulnerability. # Required. The location of the vulnerability.
                  "cpeUri": "A String", # Required. The CPE URI in [cpe format](https://cpe.mitre.org/specification/).
                      # Examples include distro or storage location for vulnerable jar.
                  "version": { # Version contains structured information about the version of a package. # Required. The version of the package being described.
                    "epoch": 42, # Used to correct mistakes in the version numbering scheme.
                    "kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal
                        # versions.
                    "name": "A String", # Required only when version kind is NORMAL. The main part of the version
                        # name.
                    "revision": "A String", # The iteration of the package build from the above version.
                  },
                  "package": "A String", # Required. The package being described.
                },
                "fixedLocation": { # The location of the vulnerability. # The location of the available fix for vulnerability.
                  "cpeUri": "A String", # Required. The CPE URI in [cpe format](https://cpe.mitre.org/specification/).
                      # Examples include distro or storage location for vulnerable jar.
                  "version": { # Version contains structured information about the version of a package. # Required. The version of the package being described.
                    "epoch": 42, # Used to correct mistakes in the version numbering scheme.
                    "kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal
                        # versions.
                    "name": "A String", # Required only when version kind is NORMAL. The main part of the version
                        # name.
                    "revision": "A String", # The iteration of the package build from the above version.
                  },
                  "package": "A String", # Required. The package being described.
                },
              },
            ],
            "longDescription": "A String", # Output only. A detailed description of this vulnerability.
            "shortDescription": "A String", # Output only. A one sentence description of this vulnerability.
          },
          "updateTime": "A String", # Output only. The time this occurrence was last updated.
          "discovered": { # Details of a discovery occurrence. # Describes when a resource was discovered.
            "discovered": { # Provides information about the analysis status of a discovered resource. # Required. Analysis status for the discovered resource.
              "lastAnalysisTime": "A String", # The last time continuous analysis was done for this resource.
                  # Deprecated, do not use.
              "analysisStatus": "A String", # The status of discovery for the resource.
              "continuousAnalysis": "A String", # Whether the resource is continuously analyzed.
              "analysisStatusError": { # The `Status` type defines a logical error model that is suitable for # When an error is encountered this will contain a LocalizedMessage under
                  # details to show to the user. The LocalizedMessage is output only and
                  # populated by the API.
                  # different programming environments, including REST APIs and RPC APIs. It is
                  # used by [gRPC](https://github.com/grpc). Each `Status` message contains
                  # three pieces of data: error code, error message, and error details.
                  #
                  # You can find out more about this error model and how to work with it in the
                  # [API Design Guide](https://cloud.google.com/apis/design/errors).
                "message": "A String", # A developer-facing error message, which should be in English. Any
                    # user-facing error message should be localized and sent in the
                    # google.rpc.Status.details field, or localized by the client.
                "code": 42, # The status code, which should be an enum value of google.rpc.Code.
                "details": [ # A list of messages that carry the error details. There is a common set of
                    # message types for APIs to use.
                  {
                    "a_key": "", # Properties of the object. Contains field @type with type URL.
                  },
                ],
              },
            },
          },
          "attestation": { # Details of an attestation occurrence. # Describes an attestation of an artifact.
            "attestation": { # Occurrence that represents a single "attestation". The authenticity of an # Required. Attestation for the resource.
                # attestation can be verified using the attached signature. If the verifier
                # trusts the public key of the signer, then verifying the signature is
                # sufficient to establish trust.
                # In this circumstance, the authority to which
                # this attestation is attached is primarily useful for look-up (how to find
                # this attestation if you already know the authority and artifact to be
                # verified) and intent (which authority was this attestation intended to sign
                # for).
              "pgpSignedAttestation": { # An attestation wrapper with a PGP-compatible signature. This message only # A PGP signed attestation.
                  # supports `ATTACHED` signatures, where the payload that is signed is included
                  # alongside the signature itself in the same file.
                "pgpKeyId": "A String", # The cryptographic fingerprint of the key used to generate the signature,
                    # as output by, e.g. `gpg --list-keys`. This should be the version 4, full
                    # 160-bit fingerprint, expressed as a 40 character hexadecimal string. See
                    # https://tools.ietf.org/html/rfc4880#section-12.2 for details.
                    # Implementations may choose to acknowledge "LONG", "SHORT", or other
                    # abbreviated key IDs, but only the full fingerprint is guaranteed to work.
                    # In gpg, the full fingerprint can be retrieved from the `fpr` field
                    # returned when calling --list-keys with --with-colons. For example:
                    # ```
                    # gpg --with-colons --with-fingerprint --force-v4-certs \
                    #     --list-keys attester@example.com
                    # tru::1:1513631572:0:3:1:5
                    # pub:...<SNIP>...
                    # fpr:::::::::24FF6481B76AC91E66A00AC657A93A81EF3AE6FB:
                    # ```
                    # Above, the fingerprint is `24FF6481B76AC91E66A00AC657A93A81EF3AE6FB`.
                "contentType": "A String", # Type (for example schema) of the attestation payload that was signed.
                    # The verifier must ensure that the provided type is one that the verifier
                    # supports, and that the attestation payload is a valid instantiation of that
                    # type (for example by validating a JSON schema).
                "signature": "A String", # Required. The raw content of the signature, as output by GNU Privacy Guard
                    # (GPG) or equivalent.
                    # Since this message only supports attached signatures,
                    # the payload that was signed must be attached. While the signature format
                    # supported is dependent on the verification implementation, currently only
                    # ASCII-armored (`--armor` to gpg), non-clearsigned (`--sign` rather than
                    # `--clearsign` to gpg) are supported. Concretely, `gpg --sign --armor
                    # --output=signature.gpg payload.json` will create the signature content
                    # expected in this field in `signature.gpg` for the `payload.json`
                    # attestation payload.
              },
              "genericSignedAttestation": { # An attestation wrapper that uses the Grafeas `Signature` message.
                  # This attestation must define the `serialized_payload` that the `signatures`
                  # verify and any metadata necessary to interpret that plaintext. The
                  # signatures should always be over the `serialized_payload` bytestring.
                "signatures": [ # One or more signatures over `serialized_payload`. Verifier implementations
                    # should consider this attestation message verified if at least one
                    # `signature` verifies `serialized_payload`. See `Signature` in common.proto
                    # for more details on signature structure and verification.
                  { # Verifiers (e.g. Kritis implementations) MUST verify signatures
                      # with respect to the trust anchors defined in policy (e.g. a Kritis policy).
                      # Typically this means that the verifier has been configured with a map from
                      # `public_key_id` to public key material (and any required parameters, e.g.
                      # signing algorithm).
                      #
                      # In particular, verification implementations MUST NOT treat the signature
                      # `public_key_id` as anything more than a key lookup hint. The `public_key_id`
                      # DOES NOT validate or authenticate a public key; it only provides a mechanism
                      # for quickly selecting a public key ALREADY CONFIGURED on the verifier through
                      # a trusted channel.
                      # Verification implementations MUST reject signatures in any
                      # of the following circumstances:
                      #   * The `public_key_id` is not recognized by the verifier.
                      #   * The public key that `public_key_id` refers to does not verify the
                      #     signature with respect to the payload.
                      #
                      # The `signature` contents SHOULD NOT be "attached" (where the payload is
                      # included with the serialized `signature` bytes). Verifiers MUST ignore any
                      # "attached" payload and only verify signatures with respect to explicitly
                      # provided payload (e.g. a `payload` field on the proto message that holds
                      # this Signature, or the canonical serialization of the proto message that
                      # holds this signature).
                    "publicKeyId": "A String", # The identifier for the public key that verifies this signature.
                        #   * The `public_key_id` is required.
                        #   * The `public_key_id` MUST be an RFC3986 conformant URI.
                        #   * When possible, the `public_key_id` SHOULD be an immutable reference,
                        #     such as a cryptographic digest.
                        #
                        # Examples of valid `public_key_id`s:
                        #
                        # OpenPGP V4 public key fingerprint:
                        #   * "openpgp4fpr:74FAF3B861BDA0870C7B6DEF607E48D2A663AEEA"
                        # See https://www.iana.org/assignments/uri-schemes/prov/openpgp4fpr for more
                        # details on this scheme.
                        #
                        # RFC6920 digest-named SubjectPublicKeyInfo (digest of the DER
                        # serialization):
                        #   * "ni:///sha-256;cD9o9Cq6LG3jD0iKXqEi_vdjJGecm_iXkbqVoScViaU"
                        #   * "nih:///sha-256;703f68f42aba2c6de30f488a5ea122fef76324679c9bf89791ba95a1271589a5"
                    "signature": "A String", # The content of the signature, an opaque bytestring.
                        # The payload that this signature verifies MUST be unambiguously provided
                        # with the Signature during verification. A wrapper message might provide
                        # the payload explicitly. Alternatively, a message might have a canonical
                        # serialization that can always be unambiguously computed to derive the
                        # payload.
                  },
                ],
                "contentType": "A String", # Type (for example schema) of the attestation payload that was signed.
                    # The verifier must ensure that the provided type is one that the verifier
                    # supports, and that the attestation payload is a valid instantiation of that
                    # type (for example by validating a JSON schema).
                "serializedPayload": "A String", # The serialized payload that is verified by one or more `signatures`.
                    # The encoding and semantic meaning of this payload must match what is set in
                    # `content_type`.
              },
            },
          },
          "build": { # Details of a build occurrence. # Describes a verifiable build.
            "provenance": { # Provenance of a build. Contains all information needed to verify the full # Required. The actual provenance for the build.
                # details about the build from source to completion.
              "commands": [ # Commands requested by the build.
                { # Command describes a step performed as part of the build pipeline.
                  "waitFor": [ # The ID(s) of the command(s) that this command depends on.
                    "A String",
                  ],
                  "name": "A String", # Required. Name of the command, as presented on the command line, or if the
                      # command is packaged as a Docker container, as presented to `docker pull`.
                  "args": [ # Command-line arguments used when executing this command.
                    "A String",
                  ],
                  "env": [ # Environment variables set before running this command.
                    "A String",
                  ],
                  "id": "A String", # Optional unique identifier for this command, used in wait_for to reference
                      # this command as a dependency.
                  "dir": "A String", # Working directory (relative to project source root) used when running this
                      # command.
                },
              ],
              "sourceProvenance": { # Source describes the location of the source used for the build. # Details of the Source input to the build.
                "fileHashes": { # Hash(es) of the build source, which can be used to verify that the original
                    # source integrity was maintained in the build.
                    #
                    # The keys to this map are file paths used as build source and the values
                    # contain the hash values for those files.
                    #
                    # If the build source came in a single package such as a gzipped tarfile
                    # (.tar.gz), the FileHash will be for the single path to that file.
                  "a_key": { # Container message for hashes of byte content of files, used in source
                      # messages to verify integrity of source input to the build.
                    "fileHash": [ # Required. Collection of file hashes.
                      { # Container message for hash values.
                        "type": "A String", # Required. The type of hash that was performed.
                        "value": "A String", # Required. The hash value.
                      },
                    ],
                  },
                },
                "artifactStorageSourceUri": "A String", # If provided, the input binary artifacts for the build came from this
                    # location.
                "additionalContexts": [ # If provided, some of the source code used for the build may be found in
                    # these locations, in the case where the source repository had multiple
                    # remotes or submodules. This list will not include the context specified in
                    # the context field.
                  { # A SourceContext is a reference to a tree of files. A SourceContext together
                      # with a path point to a unique revision of a single file or directory.
                    "git": { # A GitSourceContext denotes a particular revision in a third party Git # A SourceContext referring to any third party Git repo (e.g., GitHub).
                        # repository (e.g., GitHub).
                      "url": "A String", # Git repository URL.
                      "revisionId": "A String", # Git commit hash.
                    },
                    "cloudRepo": { # A CloudRepoSourceContext denotes a particular revision in a Google Cloud # A SourceContext referring to a revision in a Google Cloud Source Repo.
                        # Source Repo.
                      "aliasContext": { # An alias to a repo revision.
                          # An alias, which may be a branch or tag.
                        "kind": "A String", # The alias kind.
                        "name": "A String", # The alias name.
                      },
                      "revisionId": "A String", # A revision ID.
                      "repoId": { # A unique identifier for a Cloud Repo. # The ID of the repo.
                        "uid": "A String", # A server-assigned, globally unique identifier.
                        "projectRepoId": { # Selects a repo using a Google Cloud Platform project ID (e.g., # A combination of a project ID and a repo name.
                            # winged-cargo-31) and a repo name within that project.
                          "projectId": "A String", # The ID of the project.
                          "repoName": "A String", # The name of the repo. Leave empty for the default repo.
                        },
                      },
                    },
                    "labels": { # Labels with user defined metadata.
                      "a_key": "A String",
                    },
                    "gerrit": { # A SourceContext referring to a Gerrit project. # A SourceContext referring to a Gerrit project.
                      "aliasContext": { # An alias to a repo revision. # An alias, which may be a branch or tag.
                        "kind": "A String", # The alias kind.
                        "name": "A String", # The alias name.
                      },
                      "revisionId": "A String", # A revision (commit) ID.
                      "hostUri": "A String", # The URI of a running Gerrit instance.
                      "gerritProject": "A String", # The full project name within the host. Projects may be nested, so
                          # "project/subproject" is a valid project name. The "repo name" is the
                          # hostURI/project.
                    },
                  },
                ],
                "context": { # A SourceContext is a reference to a tree of files. A SourceContext together # If provided, the source code used for the build came from this location.
                    # with a path point to a unique revision of a single file or directory.
                  "git": { # A GitSourceContext denotes a particular revision in a third party Git # A SourceContext referring to any third party Git repo (e.g., GitHub).
                      # repository (e.g., GitHub).
                    "url": "A String", # Git repository URL.
                    "revisionId": "A String", # Git commit hash.
                  },
                  "cloudRepo": { # A CloudRepoSourceContext denotes a particular revision in a Google Cloud # A SourceContext referring to a revision in a Google Cloud Source Repo.
                      # Source Repo.
                    "aliasContext": { # An alias to a repo revision. # An alias, which may be a branch or tag.
                      "kind": "A String", # The alias kind.
                      "name": "A String", # The alias name.
                    },
                    "revisionId": "A String", # A revision ID.
                    "repoId": { # A unique identifier for a Cloud Repo. # The ID of the repo.
                      "uid": "A String", # A server-assigned, globally unique identifier.
                      "projectRepoId": { # Selects a repo using a Google Cloud Platform project ID (e.g., # A combination of a project ID and a repo name.
                          # winged-cargo-31) and a repo name within that project.
                        "projectId": "A String", # The ID of the project.
                        "repoName": "A String", # The name of the repo. Leave empty for the default repo.
                      },
                    },
                  },
                  "labels": { # Labels with user defined metadata.
                    "a_key": "A String",
                  },
                  "gerrit": { # A SourceContext referring to a Gerrit project. # A SourceContext referring to a Gerrit project.
                    "aliasContext": { # An alias to a repo revision. # An alias, which may be a branch or tag.
                      "kind": "A String", # The alias kind.
                      "name": "A String", # The alias name.
                    },
                    "revisionId": "A String", # A revision (commit) ID.
                    "hostUri": "A String", # The URI of a running Gerrit instance.
                    "gerritProject": "A String", # The full project name within the host. Projects may be nested, so
                        # "project/subproject" is a valid project name. The "repo name" is the
                        # hostURI/project.
                  },
                },
              },
              "buildOptions": { # Special options applied to this build. This is a catch-all field where
                  # build providers can enter any desired additional details.
                "a_key": "A String",
              },
              "creator": "A String", # E-mail address of the user who initiated this build.
                  # Note that this was the
                  # user's e-mail address at the time the build was initiated; this address may
                  # not represent the same end-user for all time.
              "projectId": "A String", # ID of the project.
              "builderVersion": "A String", # Version string of the builder at the time this build was executed.
              "createTime": "A String", # Time at which the build was created.
              "builtArtifacts": [ # Output of the build.
                { # Artifact describes a build product.
                  "checksum": "A String", # Hash or checksum value of a binary, or Docker Registry 2.0 digest of a
                      # container.
                  "id": "A String", # Artifact ID, if any; for container images, this will be a URL by digest
                      # like `gcr.io/projectID/imagename@sha256:123456`.
                  "names": [ # Related artifact names. This may be the path to a binary or jar file, or in
                      # the case of a container build, the name used to push the container image to
                      # Google Container Registry, as presented to `docker push`. Note that a
                      # single Artifact ID can have multiple names, for example if two tags are
                      # applied to one image.
                    "A String",
                  ],
                },
              ],
              "triggerId": "A String", # Trigger identifier if the build was triggered automatically; empty if not.
              "startTime": "A String", # Time at which execution of the build was started.
              "endTime": "A String", # Time at which execution of the build was finished.
              "id": "A String", # Required. Unique identifier of the build.
              "logsUri": "A String", # URI where any logs for this provenance were written.
            },
            "provenanceBytes": "A String", # Serialized JSON representation of the provenance, used in generating the
                # build signature in the corresponding build note. After verifying the
                # signature, `provenance_bytes` can be unmarshalled and compared to the
                # provenance to confirm that it is unchanged.
                # A base64-encoded string
                # representation of the provenance bytes is used for the signature in order
                # to interoperate with openssl which expects this format for signature
                # verification.
                #
                # The serialized form is captured both to avoid ambiguity in how the
                # provenance is marshalled to json as well as to prevent incompatibilities with
                # future changes.
          },
          "deployment": { # Details of a deployment occurrence. # Describes the deployment of an artifact on a runtime.
            "deployment": { # The period during which some deployable was active in a runtime. # Required. Deployment history for the resource.
              "resourceUri": [ # Output only. Resource URI for the artifact being deployed taken from
                  # the deployable field with the same name.
                "A String",
              ],
              "userEmail": "A String", # Identity of the user that triggered this deployment.
              "address": "A String", # Address of the runtime element hosting this deployment.
              "platform": "A String", # Platform hosting this deployment.
              "deployTime": "A String", # Required. Beginning of the lifetime of this deployment.
              "undeployTime": "A String", # End of the lifetime of this deployment.
              "config": "A String", # Configuration used to create this deployment.
            },
          },
          "remediation": "A String", # A description of actions that can be taken to remedy the note.
          "installation": { # Details of a package occurrence. # Describes the installation of a package on the linked resource.
            "installation": { # This represents how a particular software package may be installed on a # Required. Where the package was installed.
                # system.
              "location": [ # Required. All of the places within the filesystem versions of this package
                  # have been found.
                { # An occurrence of a particular package installation found within a system's
                    # filesystem. E.g., glibc was found in `/var/lib/dpkg/status`.
                  "path": "A String", # The path from which we gathered that this package/version is installed.
                  "cpeUri": "A String", # Required. The CPE URI in [CPE format](https://cpe.mitre.org/specification/)
                      # denoting the package manager version distributing a package.
                  "version": { # Version contains structured information about the version of a package. # The version installed at this location.
                    "epoch": 42, # Used to correct mistakes in the version numbering scheme.
                    "kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal
                        # versions.
                    "name": "A String", # Required only when version kind is NORMAL. The main part of the version
                        # name.
                    "revision": "A String", # The iteration of the package build from the above version.
                  },
                },
              ],
              "name": "A String", # Output only. The name of the installed package.
            },
          },
          "createTime": "A String", # Output only. The time this occurrence was created.
          "derivedImage": { # Details of an image occurrence. # Describes how this resource derives from the basis in the associated
              # note.
            "derivedImage": { # Derived describes the derived image portion (Occurrence) of the DockerImage # Required. Immutable. The child image derived from the base image.
                # relationship. This image would be produced from a Dockerfile with FROM
                # <DockerImage.Basis in attached Note>.
              "distance": 42, # Output only. The number of layers by which this image differs from the
                  # associated image basis.
              "baseResourceUrl": "A String", # Output only. This contains the base image URL for the derived image
                  # occurrence.
              "layerInfo": [ # This contains layer-specific metadata, if populated it has length
                  # "distance" and is ordered with [distance] being the layer immediately
                  # following the base image and [1] being the final layer.
                { # Layer holds metadata specific to a layer of a Docker image.
                  "arguments": "A String", # The recovered arguments to the Dockerfile directive.
                  "directive": "A String", # Required. The recovered Dockerfile directive used to construct this layer.
                },
              ],
              "fingerprint": { # A set of properties that uniquely identify a given Docker image. # Required. The fingerprint of the derived image.
                "v1Name": "A String", # Required. The layer ID of the final layer in the Docker image's v1
                    # representation.
                "v2Name": "A String", # Output only. The name of the image's v2 blobs computed via:
                    #   [bottom] := v2_blob[bottom]
                    #   [N] := sha256(v2_blob[N] + " " + v2_name[N+1])
                    # Only the name of the final blob is kept.
                "v2Blob": [ # Required. The ordered list of v2 blobs that represent a given image.
                  "A String",
                ],
              },
            },
          },
          "noteName": "A String", # Required. Immutable. The analysis note associated with this occurrence, in
              # the form of `projects/[PROVIDER_ID]/notes/[NOTE_ID]`. This field can be
              # used as a filter in list requests.
        },
      ],
    }</pre>
</div>

<div class="method">
    <code class="details" id="list_next">list_next(previous_request, previous_response)</code>
  <pre>Retrieves the next page of results.

Args:
  previous_request: The request for the previous page. (required)
  previous_response: The response from the request for the previous page. (required)

Returns:
  A request object that you can call 'execute()' on to request the next
  page. Returns None if there are no more items in the collection.
    </pre>
</div>

<div class="method">
    <code class="details" id="patch">patch(name, body, updateMask=None, x__xgafv=None)</code>
  <pre>Updates the specified occurrence.

Args:
  name: string, The name of the occurrence in the form of
`projects/[PROJECT_ID]/occurrences/[OCCURRENCE_ID]`. (required)
  body: object, The request body.
    (required)
    The object takes the form of:

{ # An instance of an analysis type that has been found on a resource.
  "kind": "A String", # Output only. This explicitly denotes which of the occurrence details are
      # specified. This field can be used as a filter in list requests.
  "resource": { # An entity that can have metadata. For example, a Docker image. # Required. Immutable. The resource for which the occurrence applies.
    "contentHash": { # Container message for hash values. # Deprecated, do not use. Use uri instead.
        #
        # The hash of the resource content. For example, the Docker digest.
      "type": "A String", # Required. The type of hash that was performed.
      "value": "A String", # Required. The hash value.
    },
    "uri": "A String", # Required. The unique URI of the resource. For example,
        # `https://gcr.io/project/image@sha256:foo` for a Docker image.
    "name": "A String", # Deprecated, do not use. Use uri instead.
        #
        # The name of the resource. For example, the name of a Docker image -
        # "Debian".
  },
  "name": "A String", # Output only. The name of the occurrence in the form of
      # `projects/[PROJECT_ID]/occurrences/[OCCURRENCE_ID]`.
  "vulnerability": { # Details of a vulnerability Occurrence. # Describes a security vulnerability.
    "cvssScore": 3.14, # Output only. The CVSS score of this vulnerability. CVSS score is on a
        # scale of 0-10 where 0 indicates low severity and 10 indicates high
        # severity.
    "severity": "A String", # Output only. The note provider assigned Severity of the vulnerability.
    "type": "A String", # The type of package; whether native or non native (ruby gems, node.js
        # packages etc)
    "effectiveSeverity": "A String", # The distro assigned severity for this vulnerability when it is
        # available, and note provider assigned severity when distro has not yet
        # assigned a severity for this vulnerability.
    "relatedUrls": [ # Output only. URLs related to this vulnerability.
      { # Metadata for any related URL information.
        "url": "A String", # Specific URL associated with the resource.
        "label": "A String", # Label to describe usage of the URL.
      },
    ],
    "packageIssue": [ # Required. The set of affected locations and their fixes (if available)
        # within the associated resource.
      { # This message wraps a location affected by a vulnerability and its
          # associated fix (if one is available).
        "severityName": "A String", # Deprecated, use Details.effective_severity instead
            # The severity (e.g., distro assigned severity) for this vulnerability.
        "affectedLocation": { # The location of the vulnerability. # Required. The location of the vulnerability.
          "cpeUri": "A String", # Required. The CPE URI in [cpe format](https://cpe.mitre.org/specification/).
              # Examples include distro or storage location for vulnerable jar.
          "version": { # Version contains structured information about the version of a package. # Required. The version of the package being described.
            "epoch": 42, # Used to correct mistakes in the version numbering scheme.
            "kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal
                # versions.
            "name": "A String", # Required only when version kind is NORMAL. The main part of the version
                # name.
            "revision": "A String", # The iteration of the package build from the above version.
          },
          "package": "A String", # Required. The package being described.
        },
        "fixedLocation": { # The location of the vulnerability. # The location of the available fix for vulnerability.
          "cpeUri": "A String", # Required. The CPE URI in [cpe format](https://cpe.mitre.org/specification/).
              # Examples include distro or storage location for vulnerable jar.
          "version": { # Version contains structured information about the version of a package. # Required. The version of the package being described.
            "epoch": 42, # Used to correct mistakes in the version numbering scheme.
            "kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal
                # versions.
            "name": "A String", # Required only when version kind is NORMAL. The main part of the version
                # name.
            "revision": "A String", # The iteration of the package build from the above version.
          },
          "package": "A String", # Required. The package being described.
        },
      },
    ],
    "longDescription": "A String", # Output only. A detailed description of this vulnerability.
    "shortDescription": "A String", # Output only. A one sentence description of this vulnerability.
  },
  "updateTime": "A String", # Output only. The time this occurrence was last updated.
  "discovered": { # Details of a discovery occurrence. # Describes when a resource was discovered.
    "discovered": { # Provides information about the analysis status of a discovered resource. # Required. Analysis status for the discovered resource.
      "lastAnalysisTime": "A String", # The last time continuous analysis was done for this resource.
          # Deprecated, do not use.
      "analysisStatus": "A String", # The status of discovery for the resource.
      "continuousAnalysis": "A String", # Whether the resource is continuously analyzed.
      "analysisStatusError": { # The `Status` type defines a logical error model that is suitable for # When an error is encountered this will contain a LocalizedMessage under
          # details to show to the user. The LocalizedMessage is output only and
          # populated by the API.
          # different programming environments, including REST APIs and RPC APIs. It is
          # used by [gRPC](https://github.com/grpc).
          # Each `Status` message contains
          # three pieces of data: error code, error message, and error details.
          #
          # You can find out more about this error model and how to work with it in the
          # [API Design Guide](https://cloud.google.com/apis/design/errors).
        "message": "A String", # A developer-facing error message, which should be in English. Any
            # user-facing error message should be localized and sent in the
            # google.rpc.Status.details field, or localized by the client.
        "code": 42, # The status code, which should be an enum value of google.rpc.Code.
        "details": [ # A list of messages that carry the error details. There is a common set of
            # message types for APIs to use.
          {
            "a_key": "", # Properties of the object. Contains field @type with type URL.
          },
        ],
      },
    },
  },
  "attestation": { # Details of an attestation occurrence. # Describes an attestation of an artifact.
    "attestation": { # Occurrence that represents a single "attestation". The authenticity of an # Required. Attestation for the resource.
        # attestation can be verified using the attached signature. If the verifier
        # trusts the public key of the signer, then verifying the signature is
        # sufficient to establish trust. In this circumstance, the authority to which
        # this attestation is attached is primarily useful for look-up (how to find
        # this attestation if you already know the authority and artifact to be
        # verified) and intent (which authority was this attestation intended to sign
        # for).
      "pgpSignedAttestation": { # An attestation wrapper with a PGP-compatible signature. This message only # A PGP signed attestation.
          # supports `ATTACHED` signatures, where the payload that is signed is included
          # alongside the signature itself in the same file.
        "pgpKeyId": "A String", # The cryptographic fingerprint of the key used to generate the signature,
            # as output by, e.g.
            # `gpg --list-keys`. This should be the version 4, full
            # 160-bit fingerprint, expressed as a 40 character hexadecimal string. See
            # https://tools.ietf.org/html/rfc4880#section-12.2 for details.
            # Implementations may choose to acknowledge "LONG", "SHORT", or other
            # abbreviated key IDs, but only the full fingerprint is guaranteed to work.
            # In gpg, the full fingerprint can be retrieved from the `fpr` field
            # returned when calling --list-keys with --with-colons. For example:
            # ```
            # gpg --with-colons --with-fingerprint --force-v4-certs \
            #     --list-keys attester@example.com
            # tru::1:1513631572:0:3:1:5
            # pub:...<SNIP>...
            # fpr:::::::::24FF6481B76AC91E66A00AC657A93A81EF3AE6FB:
            # ```
            # Above, the fingerprint is `24FF6481B76AC91E66A00AC657A93A81EF3AE6FB`.
        "contentType": "A String", # Type (for example schema) of the attestation payload that was signed.
            # The verifier must ensure that the provided type is one that the verifier
            # supports, and that the attestation payload is a valid instantiation of that
            # type (for example by validating a JSON schema).
        "signature": "A String", # Required. The raw content of the signature, as output by GNU Privacy Guard
            # (GPG) or equivalent. Since this message only supports attached signatures,
            # the payload that was signed must be attached. While the signature format
            # supported is dependent on the verification implementation, currently only
            # ASCII-armored (`--armor` to gpg), non-clearsigned (`--sign` rather than
            # `--clearsign` to gpg) are supported. Concretely, `gpg --sign --armor
            # --output=signature.gpg payload.json` will create the signature content
            # expected in this field in `signature.gpg` for the `payload.json`
            # attestation payload.
      },
      "genericSignedAttestation": { # An attestation wrapper that uses the Grafeas `Signature` message.
          # This attestation must define the `serialized_payload` that the `signatures`
          # verify and any metadata necessary to interpret that plaintext. The
          # signatures should always be over the `serialized_payload` bytestring.
        "signatures": [ # One or more signatures over `serialized_payload`. Verifier implementations
            # should consider this attestation message verified if at least one
            # `signature` verifies `serialized_payload`. See `Signature` in common.proto
            # for more details on signature structure and verification.
          { # Verifiers (e.g. Kritis implementations) MUST verify signatures
              # with respect to the trust anchors defined in policy (e.g. a Kritis policy).
              # Typically this means that the verifier has been configured with a map from
              # `public_key_id` to public key material (and any required parameters, e.g.
              # signing algorithm).
              #
              # In particular, verification implementations MUST NOT treat the signature
              # `public_key_id` as anything more than a key lookup hint. The `public_key_id`
              # DOES NOT validate or authenticate a public key; it only provides a mechanism
              # for quickly selecting a public key ALREADY CONFIGURED on the verifier through
              # a trusted channel. Verification implementations MUST reject signatures in any
              # of the following circumstances:
              #   * The `public_key_id` is not recognized by the verifier.
              #   * The public key that `public_key_id` refers to does not verify the
              #     signature with respect to the payload.
              #
              # The `signature` contents SHOULD NOT be "attached" (where the payload is
              # included with the serialized `signature` bytes). Verifiers MUST ignore any
              # "attached" payload and only verify signatures with respect to explicitly
              # provided payload (e.g. a `payload` field on the proto message that holds
              # this Signature, or the canonical serialization of the proto message that
              # holds this signature).
            "publicKeyId": "A String", # The identifier for the public key that verifies this signature.
                #   * The `public_key_id` is required.
                #   * The `public_key_id` MUST be an RFC3986 conformant URI.
                #   * When possible, the `public_key_id` SHOULD be an immutable reference,
                #     such as a cryptographic digest.
                #
                # Examples of valid `public_key_id`s:
                #
                # OpenPGP V4 public key fingerprint:
                #   * "openpgp4fpr:74FAF3B861BDA0870C7B6DEF607E48D2A663AEEA"
                # See https://www.iana.org/assignments/uri-schemes/prov/openpgp4fpr for more
                # details on this scheme.
                #
                # RFC6920 digest-named SubjectPublicKeyInfo (digest of the DER
                # serialization):
                #   * "ni:///sha-256;cD9o9Cq6LG3jD0iKXqEi_vdjJGecm_iXkbqVoScViaU"
                #   * "nih:///sha-256;703f68f42aba2c6de30f488a5ea122fef76324679c9bf89791ba95a1271589a5"
            "signature": "A String", # The content of the signature, an opaque bytestring.
                # The payload that this signature verifies MUST be unambiguously provided
                # with the Signature during verification. A wrapper message might provide
                # the payload explicitly. Alternatively, a message might have a canonical
                # serialization that can always be unambiguously computed to derive the
                # payload.
          },
        ],
        "contentType": "A String", # Type (for example schema) of the attestation payload that was signed.
            # The verifier must ensure that the provided type is one that the verifier
            # supports, and that the attestation payload is a valid instantiation of that
            # type (for example by validating a JSON schema).
        "serializedPayload": "A String", # The serialized payload that is verified by one or more `signatures`.
            # The encoding and semantic meaning of this payload must match what is set in
            # `content_type`.
      },
    },
  },
  "build": { # Details of a build occurrence. # Describes a verifiable build.
    "provenance": { # Provenance of a build.
        # Contains all information needed to verify the full # Required. The actual provenance for the build.
        # details about the build from source to completion.
      "commands": [ # Commands requested by the build.
        { # Command describes a step performed as part of the build pipeline.
          "waitFor": [ # The ID(s) of the command(s) that this command depends on.
            "A String",
          ],
          "name": "A String", # Required. Name of the command, as presented on the command line, or if the
              # command is packaged as a Docker container, as presented to `docker pull`.
          "args": [ # Command-line arguments used when executing this command.
            "A String",
          ],
          "env": [ # Environment variables set before running this command.
            "A String",
          ],
          "id": "A String", # Optional unique identifier for this command, used in wait_for to reference
              # this command as a dependency.
          "dir": "A String", # Working directory (relative to project source root) used when running this
              # command.
        },
      ],
      "sourceProvenance": { # Source describes the location of the source used for the build. # Details of the Source input to the build.
        "fileHashes": { # Hash(es) of the build source, which can be used to verify that the original
            # source integrity was maintained in the build.
            #
            # The keys to this map are file paths used as build source and the values
            # contain the hash values for those files.
            #
            # If the build source came in a single package such as a gzipped tarfile
            # (.tar.gz), the FileHash will be for the single path to that file.
          "a_key": { # Container message for hashes of byte content of files, used in source
              # messages to verify integrity of source input to the build.
            "fileHash": [ # Required. Collection of file hashes.
              { # Container message for hash values.
                "type": "A String", # Required. The type of hash that was performed.
                "value": "A String", # Required.
                    # The hash value.
              },
            ],
          },
        },
        "artifactStorageSourceUri": "A String", # If provided, the input binary artifacts for the build came from this
            # location.
        "additionalContexts": [ # If provided, some of the source code used for the build may be found in
            # these locations, in the case where the source repository had multiple
            # remotes or submodules. This list will not include the context specified in
            # the context field.
          { # A SourceContext is a reference to a tree of files. A SourceContext together
              # with a path point to a unique revision of a single file or directory.
            "git": { # A GitSourceContext denotes a particular revision in a third party Git # A SourceContext referring to any third party Git repo (e.g., GitHub).
                # repository (e.g., GitHub).
              "url": "A String", # Git repository URL.
              "revisionId": "A String", # Git commit hash.
            },
            "cloudRepo": { # A CloudRepoSourceContext denotes a particular revision in a Google Cloud # A SourceContext referring to a revision in a Google Cloud Source Repo.
                # Source Repo.
              "aliasContext": { # An alias to a repo revision. # An alias, which may be a branch or tag.
                "kind": "A String", # The alias kind.
                "name": "A String", # The alias name.
              },
              "revisionId": "A String", # A revision ID.
              "repoId": { # A unique identifier for a Cloud Repo. # The ID of the repo.
                "uid": "A String", # A server-assigned, globally unique identifier.
                "projectRepoId": { # Selects a repo using a Google Cloud Platform project ID (e.g., # A combination of a project ID and a repo name.
                    # winged-cargo-31) and a repo name within that project.
                  "projectId": "A String", # The ID of the project.
                  "repoName": "A String", # The name of the repo. Leave empty for the default repo.
                },
              },
            },
            "labels": { # Labels with user defined metadata.
              "a_key": "A String",
            },
            "gerrit": { # A SourceContext referring to a Gerrit project. # A SourceContext referring to a Gerrit project.
              "aliasContext": { # An alias to a repo revision. # An alias, which may be a branch or tag.
                "kind": "A String", # The alias kind.
                "name": "A String", # The alias name.
              },
              "revisionId": "A String", # A revision (commit) ID.
              "hostUri": "A String", # The URI of a running Gerrit instance.
              "gerritProject": "A String", # The full project name within the host. Projects may be nested, so
                  # "project/subproject" is a valid project name. The "repo name" is the
                  # hostURI/project.
            },
          },
        ],
        "context": { # A SourceContext is a reference to a tree of files. A SourceContext together # If provided, the source code used for the build came from this location.
            # with a path point to a unique revision of a single file or directory.
          "git": { # A GitSourceContext denotes a particular revision in a third party Git # A SourceContext referring to any third party Git repo (e.g., GitHub).
              # repository (e.g., GitHub).
            "url": "A String", # Git repository URL.
            "revisionId": "A String", # Git commit hash.
          },
          "cloudRepo": { # A CloudRepoSourceContext denotes a particular revision in a Google Cloud # A SourceContext referring to a revision in a Google Cloud Source Repo.
              # Source Repo.
            "aliasContext": { # An alias to a repo revision. # An alias, which may be a branch or tag.
              "kind": "A String", # The alias kind.
              "name": "A String", # The alias name.
            },
            "revisionId": "A String", # A revision ID.
            "repoId": { # A unique identifier for a Cloud Repo. # The ID of the repo.
              "uid": "A String", # A server-assigned, globally unique identifier.
              "projectRepoId": { # Selects a repo using a Google Cloud Platform project ID (e.g., # A combination of a project ID and a repo name.
                  # winged-cargo-31) and a repo name within that project.
                "projectId": "A String", # The ID of the project.
                "repoName": "A String", # The name of the repo. Leave empty for the default repo.
              },
            },
          },
          "labels": { # Labels with user defined metadata.
            "a_key": "A String",
          },
          "gerrit": { # A SourceContext referring to a Gerrit project. # A SourceContext referring to a Gerrit project.
            "aliasContext": { # An alias to a repo revision. # An alias, which may be a branch or tag.
              "kind": "A String", # The alias kind.
              "name": "A String", # The alias name.
            },
            "revisionId": "A String", # A revision (commit) ID.
            "hostUri": "A String", # The URI of a running Gerrit instance.
            "gerritProject": "A String", # The full project name within the host. Projects may be nested, so
                # "project/subproject" is a valid project name. The "repo name" is the
                # hostURI/project.
          },
        },
      },
      "buildOptions": { # Special options applied to this build. This is a catch-all field where
          # build providers can enter any desired additional details.
        "a_key": "A String",
      },
      "creator": "A String", # E-mail address of the user who initiated this build. Note that this was the
          # user's e-mail address at the time the build was initiated; this address may
          # not represent the same end-user for all time.
      "projectId": "A String", # ID of the project.
      "builderVersion": "A String", # Version string of the builder at the time this build was executed.
      "createTime": "A String", # Time at which the build was created.
      "builtArtifacts": [ # Output of the build.
        { # Artifact describes a build product.
          "checksum": "A String", # Hash or checksum value of a binary, or Docker Registry 2.0 digest of a
              # container.
          "id": "A String", # Artifact ID, if any; for container images, this will be a URL by digest
              # like `gcr.io/projectID/imagename@sha256:123456`.
          "names": [ # Related artifact names. This may be the path to a binary or jar file, or in
              # the case of a container build, the name used to push the container image to
              # Google Container Registry, as presented to `docker push`. Note that a
              # single Artifact ID can have multiple names, for example if two tags are
              # applied to one image.
            "A String",
          ],
        },
      ],
      "triggerId": "A String", # Trigger identifier if the build was triggered automatically; empty if not.
      "startTime": "A String", # Time at which execution of the build was started.
      "endTime": "A String", # Time at which execution of the build was finished.
      "id": "A String", # Required. Unique identifier of the build.
      "logsUri": "A String", # URI where any logs for this provenance were written.
    },
    "provenanceBytes": "A String", # Serialized JSON representation of the provenance, used in generating the
        # build signature in the corresponding build note. After verifying the
        # signature, `provenance_bytes` can be unmarshalled and compared to the
        # provenance to confirm that it is unchanged. A base64-encoded string
        # representation of the provenance bytes is used for the signature in order
        # to interoperate with openssl which expects this format for signature
        # verification.
        #
        # The serialized form is captured both to avoid ambiguity in how the
        # provenance is marshalled to json as well to prevent incompatibilities with
        # future changes.
  },
  "deployment": { # Details of a deployment occurrence. # Describes the deployment of an artifact on a runtime.
    "deployment": { # The period during which some deployable was active in a runtime. # Required. Deployment history for the resource.
      "resourceUri": [ # Output only. Resource URI for the artifact being deployed taken from
          # the deployable field with the same name.
        "A String",
      ],
      "userEmail": "A String", # Identity of the user that triggered this deployment.
      "address": "A String", # Address of the runtime element hosting this deployment.
      "platform": "A String", # Platform hosting this deployment.
      "deployTime": "A String", # Required. Beginning of the lifetime of this deployment.
      "undeployTime": "A String", # End of the lifetime of this deployment.
      "config": "A String", # Configuration used to create this deployment.
    },
  },
  "remediation": "A String", # A description of actions that can be taken to remedy the note.
  "installation": { # Details of a package occurrence. # Describes the installation of a package on the linked resource.
    "installation": { # This represents how a particular software package may be installed on a # Required. Where the package was installed.
        # system.
      "location": [ # Required. All of the places within the filesystem versions of this package
          # have been found.
        { # An occurrence of a particular package installation found within a system's
            # filesystem. E.g., glibc was found in `/var/lib/dpkg/status`.
          "path": "A String", # The path from which we gathered that this package/version is installed.
          "cpeUri": "A String", # Required. The CPE URI in [CPE format](https://cpe.mitre.org/specification/)
              # denoting the package manager version distributing a package.
          "version": { # Version contains structured information about the version of a package. # The version installed at this location.
            "epoch": 42, # Used to correct mistakes in the version numbering scheme.
            "kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal
                # versions.
            "name": "A String", # Required only when version kind is NORMAL. The main part of the version
                # name.
            "revision": "A String", # The iteration of the package build from the above version.
          },
        },
      ],
      "name": "A String", # Output only. The name of the installed package.
    },
  },
  "createTime": "A String", # Output only. The time this occurrence was created.
  "derivedImage": { # Details of an image occurrence. # Describes how this resource derives from the basis in the associated
      # note.
    "derivedImage": { # Derived describes the derived image portion (Occurrence) of the DockerImage # Required. Immutable. The child image derived from the base image.
        # relationship. This image would be produced from a Dockerfile with FROM
        # <DockerImage.Basis in attached Note>.
      "distance": 42, # Output only. The number of layers by which this image differs from the
          # associated image basis.
      "baseResourceUrl": "A String", # Output only. This contains the base image URL for the derived image
          # occurrence.
      "layerInfo": [ # This contains layer-specific metadata, if populated it has length
          # "distance" and is ordered with [distance] being the layer immediately
          # following the base image and [1] being the final layer.
        { # Layer holds metadata specific to a layer of a Docker image.
          "arguments": "A String", # The recovered arguments to the Dockerfile directive.
          "directive": "A String", # Required. The recovered Dockerfile directive used to construct this layer.
        },
      ],
      "fingerprint": { # A set of properties that uniquely identify a given Docker image. # Required. The fingerprint of the derived image.
        "v1Name": "A String", # Required. The layer ID of the final layer in the Docker image's v1
            # representation.
        "v2Name": "A String", # Output only. The name of the image's v2 blobs computed via:
            #   [bottom] := v2_blob[bottom]
            #   [N] := sha256(v2_blob[N] + " " + v2_name[N+1])
            # Only the name of the final blob is kept.
        "v2Blob": [ # Required. The ordered list of v2 blobs that represent a given image.
          "A String",
        ],
      },
    },
  },
  "noteName": "A String", # Required. Immutable. The analysis note associated with this occurrence, in
      # the form of `projects/[PROVIDER_ID]/notes/[NOTE_ID]`. This field can be
      # used as a filter in list requests.
}

  updateMask: string, The fields to update.
  x__xgafv: string, V1 error format.
    Allowed values
      1 - v1 error format
      2 - v2 error format

Returns:
  An object of the form:

    { # An instance of an analysis type that has been found on a resource.
      "kind": "A String", # Output only. This explicitly denotes which of the occurrence details are
          # specified. This field can be used as a filter in list requests.
      "resource": { # An entity that can have metadata. For example, a Docker image. # Required. Immutable. The resource for which the occurrence applies.
        "contentHash": { # Container message for hash values. # Deprecated, do not use. Use uri instead.
            #
            # The hash of the resource content. For example, the Docker digest.
          "type": "A String", # Required. The type of hash that was performed.
          "value": "A String", # Required. The hash value.
        },
        "uri": "A String", # Required. The unique URI of the resource. For example,
            # `https://gcr.io/project/image@sha256:foo` for a Docker image.
        "name": "A String", # Deprecated, do not use. Use uri instead.
            #
            # The name of the resource. For example, the name of a Docker image -
            # "Debian".
      },
      "name": "A String", # Output only. The name of the occurrence in the form of
          # `projects/[PROJECT_ID]/occurrences/[OCCURRENCE_ID]`.
      "vulnerability": { # Details of a vulnerability Occurrence. # Describes a security vulnerability.
        "cvssScore": 3.14, # Output only. The CVSS score of this vulnerability. CVSS score is on a
            # scale of 0-10 where 0 indicates low severity and 10 indicates high
            # severity.
        "severity": "A String", # Output only. The note provider assigned Severity of the vulnerability.
        "type": "A String", # The type of package; whether native or non native (ruby gems, node.js
            # packages etc)
        "effectiveSeverity": "A String", # The distro assigned severity for this vulnerability when it is
            # available, and note provider assigned severity when distro has not yet
            # assigned a severity for this vulnerability.
        "relatedUrls": [ # Output only. URLs related to this vulnerability.
          { # Metadata for any related URL information.
            "url": "A String", # Specific URL associated with the resource.
            "label": "A String", # Label to describe usage of the URL.
          },
        ],
        "packageIssue": [ # Required. The set of affected locations and their fixes (if available)
            # within the associated resource.
          { # This message wraps a location affected by a vulnerability and its
              # associated fix (if one is available).
            "severityName": "A String", # Deprecated, use Details.effective_severity instead
                # The severity (e.g., distro assigned severity) for this vulnerability.
            "affectedLocation": { # The location of the vulnerability. # Required. The location of the vulnerability.
              "cpeUri": "A String", # Required. The CPE URI in [cpe format](https://cpe.mitre.org/specification/).
                  # Examples include distro or storage location for vulnerable jar.
              "version": { # Version contains structured information about the version of a package. # Required. The version of the package being described.
                "epoch": 42, # Used to correct mistakes in the version numbering scheme.
                "kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal
                    # versions.
                "name": "A String", # Required only when version kind is NORMAL. The main part of the version
                    # name.
                "revision": "A String", # The iteration of the package build from the above version.
              },
              "package": "A String", # Required. The package being described.
            },
            "fixedLocation": { # The location of the vulnerability. # The location of the available fix for vulnerability.
              "cpeUri": "A String", # Required. The CPE URI in [cpe format](https://cpe.mitre.org/specification/).
                  # Examples include distro or storage location for vulnerable jar.
              "version": { # Version contains structured information about the version of a package. # Required. The version of the package being described.
                "epoch": 42, # Used to correct mistakes in the version numbering scheme.
                "kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal
                    # versions.
                "name": "A String", # Required only when version kind is NORMAL. The main part of the version
                    # name.
                "revision": "A String", # The iteration of the package build from the above version.
              },
              "package": "A String", # Required. The package being described.
            },
          },
        ],
        "longDescription": "A String", # Output only. A detailed description of this vulnerability.
        "shortDescription": "A String", # Output only. A one sentence description of this vulnerability.
      },
      "updateTime": "A String", # Output only. The time this occurrence was last updated.
      "discovered": { # Details of a discovery occurrence. # Describes when a resource was discovered.
        "discovered": { # Provides information about the analysis status of a discovered resource. # Required. Analysis status for the discovered resource.
          "lastAnalysisTime": "A String", # The last time continuous analysis was done for this resource.
              # Deprecated, do not use.
          "analysisStatus": "A String", # The status of discovery for the resource.
          "continuousAnalysis": "A String", # Whether the resource is continuously analyzed.
          "analysisStatusError": { # The `Status` type defines a logical error model that is suitable for # When an error is encountered this will contain a LocalizedMessage under
              # details to show to the user. The LocalizedMessage is output only and
              # populated by the API.
              # different programming environments, including REST APIs and RPC APIs. It is
              # used by [gRPC](https://github.com/grpc). Each `Status` message contains
              # three pieces of data: error code, error message, and error details.
              #
              # You can find out more about this error model and how to work with it in the
              # [API Design Guide](https://cloud.google.com/apis/design/errors).
            "message": "A String", # A developer-facing error message, which should be in English. Any
                # user-facing error message should be localized and sent in the
                # google.rpc.Status.details field, or localized by the client.
            "code": 42, # The status code, which should be an enum value of google.rpc.Code.
            "details": [ # A list of messages that carry the error details. There is a common set of
                # message types for APIs to use.
              {
                "a_key": "", # Properties of the object. Contains field @type with type URL.
              },
            ],
          },
        },
      },
      "attestation": { # Details of an attestation occurrence. # Describes an attestation of an artifact.
        "attestation": { # Occurrence that represents a single "attestation". The authenticity of an # Required. Attestation for the resource.
            # attestation can be verified using the attached signature. If the verifier
            # trusts the public key of the signer, then verifying the signature is
            # sufficient to establish trust. In this circumstance, the authority to which
            # this attestation is attached is primarily useful for look-up (how to find
            # this attestation if you already know the authority and artifact to be
            # verified) and intent (which authority was this attestation intended to sign
            # for).
          "pgpSignedAttestation": { # An attestation wrapper with a PGP-compatible signature. This message only # A PGP signed attestation.
              # supports `ATTACHED` signatures, where the payload that is signed is included
              # alongside the signature itself in the same file.
            "pgpKeyId": "A String", # The cryptographic fingerprint of the key used to generate the signature,
                # as output by, e.g. `gpg --list-keys`. This should be the version 4, full
                # 160-bit fingerprint, expressed as a 40 character hexadecimal string. See
                # https://tools.ietf.org/html/rfc4880#section-12.2 for details.
                # Implementations may choose to acknowledge "LONG", "SHORT", or other
                # abbreviated key IDs, but only the full fingerprint is guaranteed to work.
                # In gpg, the full fingerprint can be retrieved from the `fpr` field
                # returned when calling --list-keys with --with-colons. For example:
                # ```
                # gpg --with-colons --with-fingerprint --force-v4-certs \
                #     --list-keys attester@example.com
                # tru::1:1513631572:0:3:1:5
                # pub:...<SNIP>...
                # fpr:::::::::24FF6481B76AC91E66A00AC657A93A81EF3AE6FB:
                # ```
                # Above, the fingerprint is `24FF6481B76AC91E66A00AC657A93A81EF3AE6FB`.
            "contentType": "A String", # Type (for example schema) of the attestation payload that was signed.
                # The verifier must ensure that the provided type is one that the verifier
                # supports, and that the attestation payload is a valid instantiation of that
                # type (for example by validating a JSON schema).
            "signature": "A String", # Required. The raw content of the signature, as output by GNU Privacy Guard
                # (GPG) or equivalent. Since this message only supports attached signatures,
                # the payload that was signed must be attached.
                # While the signature format
                # supported is dependent on the verification implementation, currently only
                # ASCII-armored (`--armor` to gpg), non-clearsigned (`--sign` rather than
                # `--clearsign` to gpg) are supported. Concretely, `gpg --sign --armor
                # --output=signature.gpg payload.json` will create the signature content
                # expected in this field in `signature.gpg` for the `payload.json`
                # attestation payload.
          },
          "genericSignedAttestation": { # An attestation wrapper that uses the Grafeas `Signature` message.
              # This attestation must define the `serialized_payload` that the `signatures`
              # verify and any metadata necessary to interpret that plaintext. The
              # signatures should always be over the `serialized_payload` bytestring.
            "signatures": [ # One or more signatures over `serialized_payload`. Verifier implementations
                # should consider this attestation message verified if at least one
                # `signature` verifies `serialized_payload`. See `Signature` in common.proto
                # for more details on signature structure and verification.
              { # Verifiers (e.g. Kritis implementations) MUST verify signatures
                  # with respect to the trust anchors defined in policy (e.g. a Kritis policy).
                  # Typically this means that the verifier has been configured with a map from
                  # `public_key_id` to public key material (and any required parameters, e.g.
                  # signing algorithm).
                  #
                  # In particular, verification implementations MUST NOT treat the signature
                  # `public_key_id` as anything more than a key lookup hint. The `public_key_id`
                  # DOES NOT validate or authenticate a public key; it only provides a mechanism
                  # for quickly selecting a public key ALREADY CONFIGURED on the verifier through
                  # a trusted channel. Verification implementations MUST reject signatures in any
                  # of the following circumstances:
                  #   * The `public_key_id` is not recognized by the verifier.
                  #   * The public key that `public_key_id` refers to does not verify the
                  #     signature with respect to the payload.
                  #
                  # The `signature` contents SHOULD NOT be "attached" (where the payload is
                  # included with the serialized `signature` bytes). Verifiers MUST ignore any
                  # "attached" payload and only verify signatures with respect to explicitly
                  # provided payload (e.g. a `payload` field on the proto message that holds
                  # this Signature, or the canonical serialization of the proto message that
                  # holds this signature).
                "publicKeyId": "A String", # The identifier for the public key that verifies this signature.
                    #   * The `public_key_id` is required.
                    #   * The `public_key_id` MUST be an RFC3986 conformant URI.
                    #   * When possible, the `public_key_id` SHOULD be an immutable reference,
                    #     such as a cryptographic digest.
                    #
                    # Examples of valid `public_key_id`s:
                    #
                    # OpenPGP V4 public key fingerprint:
                    #   * "openpgp4fpr:74FAF3B861BDA0870C7B6DEF607E48D2A663AEEA"
                    # See https://www.iana.org/assignments/uri-schemes/prov/openpgp4fpr for more
                    # details on this scheme.
                    #
                    # RFC6920 digest-named SubjectPublicKeyInfo (digest of the DER
                    # serialization):
                    #   * "ni:///sha-256;cD9o9Cq6LG3jD0iKXqEi_vdjJGecm_iXkbqVoScViaU"
                    #   * "nih:///sha-256;703f68f42aba2c6de30f488a5ea122fef76324679c9bf89791ba95a1271589a5"
                "signature": "A String", # The content of the signature, an opaque bytestring.
                    # The payload that this signature verifies MUST be unambiguously provided
                    # with the Signature during verification. A wrapper message might provide
                    # the payload explicitly. Alternatively, a message might have a canonical
                    # serialization that can always be unambiguously computed to derive the
                    # payload.
              },
            ],
            "contentType": "A String", # Type (for example schema) of the attestation payload that was signed.
                # The verifier must ensure that the provided type is one that the verifier
                # supports, and that the attestation payload is a valid instantiation of that
                # type (for example by validating a JSON schema).
            "serializedPayload": "A String", # The serialized payload that is verified by one or more `signatures`.
                # The encoding and semantic meaning of this payload must match what is set in
                # `content_type`.
          },
        },
      },
      "build": { # Details of a build occurrence. # Describes a verifiable build.
        "provenance": { # Provenance of a build. Contains all information needed to verify the full # Required. The actual provenance for the build.
            # details about the build from source to completion.
          "commands": [ # Commands requested by the build.
            { # Command describes a step performed as part of the build pipeline.
              "waitFor": [ # The ID(s) of the command(s) that this command depends on.
                "A String",
              ],
              "name": "A String", # Required. Name of the command, as presented on the command line, or if the
                  # command is packaged as a Docker container, as presented to `docker pull`.
              "args": [ # Command-line arguments used when executing this command.
                "A String",
              ],
              "env": [ # Environment variables set before running this command.
                "A String",
              ],
              "id": "A String", # Optional unique identifier for this command, used in wait_for to reference
                  # this command as a dependency.
              "dir": "A String", # Working directory (relative to project source root) used when running this
                  # command.
            },
          ],
          "sourceProvenance": { # Source describes the location of the source used for the build. # Details of the Source input to the build.
            "fileHashes": { # Hash(es) of the build source, which can be used to verify that the original
                # source integrity was maintained in the build.
                #
                # The keys to this map are file paths used as build source and the values
                # contain the hash values for those files.
                #
                # If the build source came in a single package such as a gzipped tarfile
                # (.tar.gz), the FileHash will be for the single path to that file.
              "a_key": { # Container message for hashes of byte content of files, used in source
                  # messages to verify integrity of source input to the build.
                "fileHash": [ # Required. Collection of file hashes.
                  { # Container message for hash values.
                    "type": "A String", # Required. The type of hash that was performed.
                    "value": "A String", # Required. The hash value.
                  },
                ],
              },
            },
            "artifactStorageSourceUri": "A String", # If provided, the input binary artifacts for the build came from this
                # location.
            "additionalContexts": [ # If provided, some of the source code used for the build may be found in
                # these locations, in the case where the source repository had multiple
                # remotes or submodules. This list will not include the context specified in
                # the context field.
              { # A SourceContext is a reference to a tree of files. A SourceContext together
                  # with a path point to a unique revision of a single file or directory.
                "git": { # A GitSourceContext denotes a particular revision in a third party Git # A SourceContext referring to any third party Git repo (e.g., GitHub).
                    # repository (e.g., GitHub).
                  "url": "A String", # Git repository URL.
                  "revisionId": "A String", # Git commit hash.
                },
                "cloudRepo": { # A CloudRepoSourceContext denotes a particular revision in a Google Cloud # A SourceContext referring to a revision in a Google Cloud Source Repo.
                    # Source Repo.
                  "aliasContext": { # An alias to a repo revision. # An alias, which may be a branch or tag.
                    "kind": "A String", # The alias kind.
                    "name": "A String", # The alias name.
                  },
                  "revisionId": "A String", # A revision ID.
                  "repoId": { # A unique identifier for a Cloud Repo. # The ID of the repo.
                    "uid": "A String", # A server-assigned, globally unique identifier.
                    "projectRepoId": { # Selects a repo using a Google Cloud Platform project ID (e.g., # A combination of a project ID and a repo name.
                        # winged-cargo-31) and a repo name within that project.
                      "projectId": "A String", # The ID of the project.
                      "repoName": "A String", # The name of the repo. Leave empty for the default repo.
                    },
                  },
                },
                "labels": { # Labels with user defined metadata.
                  "a_key": "A String",
                },
                "gerrit": { # A SourceContext referring to a Gerrit project. # A SourceContext referring to a Gerrit project.
                  "aliasContext": { # An alias to a repo revision. # An alias, which may be a branch or tag.
                    "kind": "A String", # The alias kind.
                    "name": "A String", # The alias name.
                  },
                  "revisionId": "A String", # A revision (commit) ID.
                  "hostUri": "A String", # The URI of a running Gerrit instance.
                  "gerritProject": "A String", # The full project name within the host. Projects may be nested, so
                      # "project/subproject" is a valid project name. The "repo name" is the
                      # hostURI/project.
                },
              },
            ],
            "context": { # A SourceContext is a reference to a tree of files. A SourceContext together # If provided, the source code used for the build came from this location.
                # with a path point to a unique revision of a single file or directory.
              "git": { # A GitSourceContext denotes a particular revision in a third party Git # A SourceContext referring to any third party Git repo (e.g., GitHub).
                  # repository (e.g., GitHub).
                "url": "A String", # Git repository URL.
                "revisionId": "A String", # Git commit hash.
              },
              "cloudRepo": { # A CloudRepoSourceContext denotes a particular revision in a Google Cloud # A SourceContext referring to a revision in a Google Cloud Source Repo.
                  # Source Repo.
                "aliasContext": { # An alias to a repo revision. # An alias, which may be a branch or tag.
                  "kind": "A String", # The alias kind.
                  "name": "A String", # The alias name.
                },
                "revisionId": "A String", # A revision ID.
                "repoId": { # A unique identifier for a Cloud Repo. # The ID of the repo.
                  "uid": "A String", # A server-assigned, globally unique identifier.
                  "projectRepoId": { # Selects a repo using a Google Cloud Platform project ID (e.g., # A combination of a project ID and a repo name.
                      # winged-cargo-31) and a repo name within that project.
                    "projectId": "A String", # The ID of the project.
                    "repoName": "A String", # The name of the repo. Leave empty for the default repo.
                  },
                },
              },
              "labels": { # Labels with user defined metadata.
                "a_key": "A String",
              },
              "gerrit": { # A SourceContext referring to a Gerrit project. # A SourceContext referring to a Gerrit project.
                "aliasContext": { # An alias to a repo revision. # An alias, which may be a branch or tag.
                  "kind": "A String", # The alias kind.
                  "name": "A String", # The alias name.
                },
                "revisionId": "A String", # A revision (commit) ID.
                "hostUri": "A String", # The URI of a running Gerrit instance.
                "gerritProject": "A String", # The full project name within the host. Projects may be nested, so
                    # "project/subproject" is a valid project name. The "repo name" is the
                    # hostURI/project.
              },
            },
          },
          "buildOptions": { # Special options applied to this build. This is a catch-all field where
              # build providers can enter any desired additional details.
            "a_key": "A String",
          },
          "creator": "A String", # E-mail address of the user who initiated this build.
              # Note that this was the
              # user's e-mail address at the time the build was initiated; this address may
              # not represent the same end-user for all time.
          "projectId": "A String", # ID of the project.
          "builderVersion": "A String", # Version string of the builder at the time this build was executed.
          "createTime": "A String", # Time at which the build was created.
          "builtArtifacts": [ # Output of the build.
            { # Artifact describes a build product.
              "checksum": "A String", # Hash or checksum value of a binary, or Docker Registry 2.0 digest of a
                  # container.
              "id": "A String", # Artifact ID, if any; for container images, this will be a URL by digest
                  # like `gcr.io/projectID/imagename@sha256:123456`.
              "names": [ # Related artifact names. This may be the path to a binary or jar file, or in
                  # the case of a container build, the name used to push the container image to
                  # Google Container Registry, as presented to `docker push`. Note that a
                  # single Artifact ID can have multiple names, for example if two tags are
                  # applied to one image.
                "A String",
              ],
            },
          ],
          "triggerId": "A String", # Trigger identifier if the build was triggered automatically; empty if not.
          "startTime": "A String", # Time at which execution of the build was started.
          "endTime": "A String", # Time at which execution of the build was finished.
          "id": "A String", # Required. Unique identifier of the build.
          "logsUri": "A String", # URI where any logs for this provenance were written.
        },
        "provenanceBytes": "A String", # Serialized JSON representation of the provenance, used in generating the
            # build signature in the corresponding build note. After verifying the
            # signature, `provenance_bytes` can be unmarshalled and compared to the
            # provenance to confirm that it is unchanged.
            # A base64-encoded string
            # representation of the provenance bytes is used for the signature in order
            # to interoperate with openssl which expects this format for signature
            # verification.
            #
            # The serialized form is captured both to avoid ambiguity in how the
            # provenance is marshalled to json as well as to prevent incompatibilities with
            # future changes.
      },
      "deployment": { # Details of a deployment occurrence. # Describes the deployment of an artifact on a runtime.
        "deployment": { # The period during which some deployable was active in a runtime. # Required. Deployment history for the resource.
          "resourceUri": [ # Output only. Resource URI for the artifact being deployed taken from
              # the deployable field with the same name.
            "A String",
          ],
          "userEmail": "A String", # Identity of the user that triggered this deployment.
          "address": "A String", # Address of the runtime element hosting this deployment.
          "platform": "A String", # Platform hosting this deployment.
          "deployTime": "A String", # Required. Beginning of the lifetime of this deployment.
          "undeployTime": "A String", # End of the lifetime of this deployment.
          "config": "A String", # Configuration used to create this deployment.
        },
      },
      "remediation": "A String", # A description of actions that can be taken to remedy the note.
      "installation": { # Details of a package occurrence. # Describes the installation of a package on the linked resource.
        "installation": { # This represents how a particular software package may be installed on a # Required. Where the package was installed.
            # system.
          "location": [ # Required. All of the places within the filesystem versions of this package
              # have been found.
            { # An occurrence of a particular package installation found within a system's
                # filesystem. E.g., glibc was found in `/var/lib/dpkg/status`.
              "path": "A String", # The path from which we gathered that this package/version is installed.
              "cpeUri": "A String", # Required. The CPE URI in [CPE format](https://cpe.mitre.org/specification/)
                  # denoting the package manager version distributing a package.
              "version": { # Version contains structured information about the version of a package. # The version installed at this location.
                "epoch": 42, # Used to correct mistakes in the version numbering scheme.
                "kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal
                    # versions.
                "name": "A String", # Required only when version kind is NORMAL. The main part of the version
                    # name.
                "revision": "A String", # The iteration of the package build from the above version.
              },
            },
          ],
          "name": "A String", # Output only. The name of the installed package.
        },
      },
      "createTime": "A String", # Output only. The time this occurrence was created.
      "derivedImage": { # Details of an image occurrence. # Describes how this resource derives from the basis in the associated
          # note.
        "derivedImage": { # Derived describes the derived image portion (Occurrence) of the DockerImage # Required. Immutable. The child image derived from the base image.
            # relationship. This image would be produced from a Dockerfile with FROM
            # <DockerImage.Basis in attached Note>.
          "distance": 42, # Output only. The number of layers by which this image differs from the
              # associated image basis.
          "baseResourceUrl": "A String", # Output only. This contains the base image URL for the derived image
              # occurrence.
          "layerInfo": [ # This contains layer-specific metadata, if populated it has length
              # "distance" and is ordered with [distance] being the layer immediately
              # following the base image and [1] being the final layer.
            { # Layer holds metadata specific to a layer of a Docker image.
              "arguments": "A String", # The recovered arguments to the Dockerfile directive.
              "directive": "A String", # Required. The recovered Dockerfile directive used to construct this layer.
            },
          ],
          "fingerprint": { # A set of properties that uniquely identify a given Docker image. # Required. The fingerprint of the derived image.
            "v1Name": "A String", # Required. The layer ID of the final layer in the Docker image's v1
                # representation.
            "v2Name": "A String", # Output only. The name of the image's v2 blobs computed via:
                #   [bottom] := v2_blob[bottom]
                #   [N] := sha256(v2_blob[N] + " " + v2_name[N+1])
                # Only the name of the final blob is kept.
            "v2Blob": [ # Required. The ordered list of v2 blobs that represent a given image.
              "A String",
            ],
          },
        },
      },
      "noteName": "A String", # Required. Immutable. The analysis note associated with this occurrence, in
          # the form of `projects/[PROVIDER_ID]/notes/[NOTE_ID]`. This field can be
          # used as a filter in list requests.
    }</pre>
</div>

<div class="method">
    <code class="details" id="setIamPolicy">setIamPolicy(resource, body, x__xgafv=None)</code>
  <pre>Sets the access control policy on the specified note or occurrence.
Requires `containeranalysis.notes.setIamPolicy` or
`containeranalysis.occurrences.setIamPolicy` permission if the resource is
a note or an occurrence, respectively.

The resource takes the format `projects/[PROJECT_ID]/notes/[NOTE_ID]` for
notes and `projects/[PROJECT_ID]/occurrences/[OCCURRENCE_ID]` for
occurrences.

Args:
  resource: string, REQUIRED: The resource for which the policy is being specified.
See the operation documentation for the appropriate value for this field. (required)
  body: object, The request body. (required)
    The object takes the form of:

{ # Request message for `SetIamPolicy` method.
    "policy": { # Defines an Identity and Access Management (IAM) policy. It is used to # REQUIRED: The complete policy to be applied to the `resource`. The size of
        # the policy is limited to a few 10s of KB. An empty policy is a
        # valid policy but certain Cloud Platform services (such as Projects)
        # might reject them.
        # specify access control policies for Cloud Platform resources.
        #
        #
        # A `Policy` consists of a list of `bindings`. A `binding` binds a list of
        # `members` to a `role`, where the members can be user accounts, Google groups,
        # Google domains, and service accounts. A `role` is a named list of permissions
        # defined by IAM.
        #
        # **JSON Example**
        #
        #     {
        #       "bindings": [
        #         {
        #           "role": "roles/owner",
        #           "members": [
        #             "user:mike@example.com",
        #             "group:admins@example.com",
        #             "domain:google.com",
        #             "serviceAccount:my-other-app@appspot.gserviceaccount.com"
        #           ]
        #         },
        #         {
        #           "role": "roles/viewer",
        #           "members": ["user:sean@example.com"]
        #         }
        #       ]
        #     }
        #
        # **YAML Example**
        #
        #     bindings:
        #     - members:
        #       - user:mike@example.com
        #       - group:admins@example.com
        #       - domain:google.com
        #       - serviceAccount:my-other-app@appspot.gserviceaccount.com
        #       role: roles/owner
        #     - members:
        #       - user:sean@example.com
        #       role: roles/viewer
        #
        #
        # For a description of IAM and its features, see the
        # [IAM developer's guide](https://cloud.google.com/iam/docs).
      "auditConfigs": [ # Specifies cloud audit logging configuration for this policy.
        { # Specifies the audit configuration for a service.
            # The configuration determines which permission types are logged, and what
            # identities, if any, are exempted from logging.
            # An AuditConfig must have one or more AuditLogConfigs.
            #
            # If there are AuditConfigs for both `allServices` and a specific service,
            # the union of the two AuditConfigs is used for that service: the log_types
            # specified in each AuditConfig are enabled, and the exempted_members in each
            # AuditLogConfig are exempted.
            #
            # Example Policy with multiple AuditConfigs:
            #
            #     {
            #       "audit_configs": [
            #         {
            #           "service": "allServices",
            #           "audit_log_configs": [
            #             {
            #               "log_type": "DATA_READ",
            #               "exempted_members": [
            #                 "user:foo@gmail.com"
            #               ]
            #             },
            #             {
            #               "log_type": "DATA_WRITE"
            #             },
            #             {
            #               "log_type": "ADMIN_READ"
            #             }
            #           ]
            #         },
            #         {
            #           "service": "fooservice.googleapis.com",
            #           "audit_log_configs": [
            #             {
            #               "log_type": "DATA_READ"
            #             },
            #             {
            #               "log_type": "DATA_WRITE",
            #               "exempted_members": [
            #                 "user:bar@gmail.com"
            #               ]
            #             }
            #           ]
            #         }
            #       ]
            #     }
            #
            # For fooservice, this policy enables DATA_READ, DATA_WRITE and ADMIN_READ
            # logging. It also exempts foo@gmail.com from DATA_READ logging, and
            # bar@gmail.com from DATA_WRITE logging.
          "auditLogConfigs": [ # The configuration for logging of each type of permission.
            { # Provides the configuration for logging a type of permissions.
                # Example:
                #
                #     {
                #       "audit_log_configs": [
                #         {
                #           "log_type": "DATA_READ",
                #           "exempted_members": [
                #             "user:foo@gmail.com"
                #           ]
                #         },
                #         {
                #           "log_type": "DATA_WRITE"
                #         }
                #       ]
                #     }
                #
                # This enables 'DATA_READ' and 'DATA_WRITE' logging, while exempting
                # foo@gmail.com from DATA_READ logging.
              "exemptedMembers": [ # Specifies the identities that do not cause logging for this type of
                  # permission.
                  # Follows the same format of Binding.members.
                "A String",
              ],
              "logType": "A String", # The log type that this config enables.
            },
          ],
          "service": "A String", # Specifies a service that will be enabled for audit logging.
              # For example, `storage.googleapis.com`, `cloudsql.googleapis.com`.
              # `allServices` is a special value that covers all services.
        },
      ],
      "version": 42, # Deprecated.
      "bindings": [ # Associates a list of `members` to a `role`.
          # `bindings` with no members will result in an error.
        { # Associates `members` with a `role`.
          "role": "A String", # Role that is assigned to `members`.
              # For example, `roles/viewer`, `roles/editor`, or `roles/owner`.
          "members": [ # Specifies the identities requesting access for a Cloud Platform resource.
              # `members` can have the following values:
              #
              # * `allUsers`: A special identifier that represents anyone who is
              #    on the internet; with or without a Google account.
              #
              # * `allAuthenticatedUsers`: A special identifier that represents anyone
              #    who is authenticated with a Google account or a service account.
              #
              # * `user:{emailid}`: An email address that represents a specific Google
              #    account. For example, `alice@gmail.com`.
              #
              #
              # * `serviceAccount:{emailid}`: An email address that represents a service
              #    account. For example, `my-other-app@appspot.gserviceaccount.com`.
              #
              # * `group:{emailid}`: An email address that represents a Google group.
              #    For example, `admins@example.com`.
              #
              #
              # * `domain:{domain}`: The G Suite domain (primary) that represents all the
              #    users of that domain. For example, `google.com` or `example.com`.
              #
            "A String",
          ],
          "condition": { # Represents an expression text. Example: # The condition that is associated with this binding.
              # NOTE: An unsatisfied condition will not allow user access via current
              # binding. Different bindings, including their conditions, are examined
              # independently.
              #
              #     title: "User account presence"
              #     description: "Determines whether the request has a user account"
              #     expression: "size(request.user) > 0"
            "location": "A String", # An optional string indicating the location of the expression for error
                # reporting, e.g. a file name and a position in the file.
            "expression": "A String", # Textual representation of an expression in
                # Common Expression Language syntax.
                #
                # The application context of the containing message determines which
                # well-known feature set of CEL is supported.
            "description": "A String", # An optional description of the expression. This is a longer text which
                # describes the expression, e.g. when hovered over it in a UI.
            "title": "A String", # An optional title for the expression, i.e. a short string describing
                # its purpose. This can be used e.g. in UIs which allow to enter the
                # expression.
          },
        },
      ],
      "etag": "A String", # `etag` is used for optimistic concurrency control as a way to help
          # prevent simultaneous updates of a policy from overwriting each other.
          # It is strongly suggested that systems make use of the `etag` in the
          # read-modify-write cycle to perform policy updates in order to avoid race
          # conditions: An `etag` is returned in the response to `getIamPolicy`, and
          # systems are expected to put that etag in the request to `setIamPolicy` to
          # ensure that their change will be applied to the same version of the policy.
          #
          # If no `etag` is provided in the call to `setIamPolicy`, then the existing
          # policy is overwritten blindly.
    },
    "updateMask": "A String", # OPTIONAL: A FieldMask specifying which fields of the policy to modify. Only
        # the fields in the mask will be modified. If no mask is provided, the
        # following default mask is used:
        # paths: "bindings, etag"
        # This field is only used by Cloud IAM.
  }

  x__xgafv: string, V1 error format.
    Allowed values
      1 - v1 error format
      2 - v2 error format

Returns:
  An object of the form:

    { # Defines an Identity and Access Management (IAM) policy. It is used to
        # specify access control policies for Cloud Platform resources.
        #
        #
        # A `Policy` consists of a list of `bindings`. A `binding` binds a list of
        # `members` to a `role`, where the members can be user accounts, Google groups,
        # Google domains, and service accounts. A `role` is a named list of permissions
        # defined by IAM.
        #
        # **JSON Example**
        #
        #     {
        #       "bindings": [
        #         {
        #           "role": "roles/owner",
        #           "members": [
        #             "user:mike@example.com",
        #             "group:admins@example.com",
        #             "domain:google.com",
        #             "serviceAccount:my-other-app@appspot.gserviceaccount.com"
        #           ]
        #         },
        #         {
        #           "role": "roles/viewer",
        #           "members": ["user:sean@example.com"]
        #         }
        #       ]
        #     }
        #
        # **YAML Example**
        #
        #     bindings:
        #     - members:
        #       - user:mike@example.com
        #       - group:admins@example.com
        #       - domain:google.com
        #       - serviceAccount:my-other-app@appspot.gserviceaccount.com
        #       role: roles/owner
        #     - members:
        #       - user:sean@example.com
        #       role: roles/viewer
        #
        #
        # For a description of IAM and its features, see the
        # [IAM developer's guide](https://cloud.google.com/iam/docs).
      "auditConfigs": [ # Specifies cloud audit logging configuration for this policy.
        { # Specifies the audit configuration for a service.
            # The configuration determines which permission types are logged, and what
            # identities, if any, are exempted from logging.
            # An AuditConfig must have one or more AuditLogConfigs.
            #
            # If there are AuditConfigs for both `allServices` and a specific service,
            # the union of the two AuditConfigs is used for that service: the log_types
            # specified in each AuditConfig are enabled, and the exempted_members in each
            # AuditLogConfig are exempted.
            #
            # Example Policy with multiple AuditConfigs:
            #
            #     {
            #       "audit_configs": [
            #         {
            #           "service": "allServices",
            #           "audit_log_configs": [
            #             {
            #               "log_type": "DATA_READ",
            #               "exempted_members": [
            #                 "user:foo@gmail.com"
            #               ]
            #             },
            #             {
            #               "log_type": "DATA_WRITE"
            #             },
            #             {
            #               "log_type": "ADMIN_READ"
            #             }
            #           ]
            #         },
            #         {
            #           "service": "fooservice.googleapis.com",
            #           "audit_log_configs": [
            #             {
            #               "log_type": "DATA_READ"
            #             },
            #             {
            #               "log_type": "DATA_WRITE",
            #               "exempted_members": [
            #                 "user:bar@gmail.com"
            #               ]
            #             }
            #           ]
            #         }
            #       ]
            #     }
            #
            # For fooservice, this policy enables DATA_READ, DATA_WRITE and ADMIN_READ
            # logging. It also exempts foo@gmail.com from DATA_READ logging, and
            # bar@gmail.com from DATA_WRITE logging.
          "auditLogConfigs": [ # The configuration for logging of each type of permission.
            { # Provides the configuration for logging a type of permissions.
                # Example:
                #
                #     {
                #       "audit_log_configs": [
                #         {
                #           "log_type": "DATA_READ",
                #           "exempted_members": [
                #             "user:foo@gmail.com"
                #           ]
                #         },
                #         {
                #           "log_type": "DATA_WRITE"
                #         }
                #       ]
                #     }
                #
                # This enables 'DATA_READ' and 'DATA_WRITE' logging, while exempting
                # foo@gmail.com from DATA_READ logging.
              "exemptedMembers": [ # Specifies the identities that do not cause logging for this type of
                  # permission.
                  # Follows the same format as Binding.members.
                "A String",
              ],
              "logType": "A String", # The log type that this config enables.
            },
          ],
          "service": "A String", # Specifies a service that will be enabled for audit logging.
              # For example, `storage.googleapis.com`, `cloudsql.googleapis.com`.
              # `allServices` is a special value that covers all services.
        },
      ],
      "version": 42, # Deprecated.
      "bindings": [ # Associates a list of `members` to a `role`.
          # `bindings` with no members will result in an error.
        { # Associates `members` with a `role`.
          "role": "A String", # Role that is assigned to `members`.
              # For example, `roles/viewer`, `roles/editor`, or `roles/owner`.
          "members": [ # Specifies the identities requesting access for a Cloud Platform resource.
              # `members` can have the following values:
              #
              # * `allUsers`: A special identifier that represents anyone who is
              #    on the internet; with or without a Google account.
              #
              # * `allAuthenticatedUsers`: A special identifier that represents anyone
              #    who is authenticated with a Google account or a service account.
              #
              # * `user:{emailid}`: An email address that represents a specific Google
              #    account. For example, `alice@gmail.com`.
              #
              #
              # * `serviceAccount:{emailid}`: An email address that represents a service
              #    account. For example, `my-other-app@appspot.gserviceaccount.com`.
              #
              # * `group:{emailid}`: An email address that represents a Google group.
              #    For example, `admins@example.com`.
              #
              #
              # * `domain:{domain}`: The G Suite domain (primary) that represents all the
              #    users of that domain. For example, `google.com` or `example.com`.
              #
            "A String",
          ],
          "condition": { # Represents an expression text. Example: # The condition that is associated with this binding.
              # NOTE: An unsatisfied condition will not allow user access via current
              # binding. Different bindings, including their conditions, are examined
              # independently.
              #
              #     title: "User account presence"
              #     description: "Determines whether the request has a user account"
              #     expression: "size(request.user) > 0"
            "location": "A String", # An optional string indicating the location of the expression for error
                # reporting, e.g. a file name and a position in the file.
            "expression": "A String", # Textual representation of an expression in
                # Common Expression Language syntax.
                #
                # The application context of the containing message determines which
                # well-known feature set of CEL is supported.
            "description": "A String", # An optional description of the expression. This is a longer text which
                # describes the expression, e.g. when it is hovered over in a UI.
            "title": "A String", # An optional title for the expression, i.e. a short string describing
                # its purpose. This can be used e.g. in UIs that allow entering the
                # expression.
          },
        },
      ],
      "etag": "A String", # `etag` is used for optimistic concurrency control as a way to help
          # prevent simultaneous updates of a policy from overwriting each other.
          # It is strongly suggested that systems make use of the `etag` in the
          # read-modify-write cycle to perform policy updates in order to avoid race
          # conditions: An `etag` is returned in the response to `getIamPolicy`, and
          # systems are expected to put that etag in the request to `setIamPolicy` to
          # ensure that their change will be applied to the same version of the policy.
          #
          # If no `etag` is provided in the call to `setIamPolicy`, then the existing
          # policy is overwritten blindly.
    }</pre>
</div>

<div class="method">
    <code class="details" id="testIamPermissions">testIamPermissions(resource, body, x__xgafv=None)</code>
  <pre>Returns the permissions that a caller has on the specified note or
occurrence.
Requires list permission on the project (for example,
`containeranalysis.notes.list`).

The resource takes the format `projects/[PROJECT_ID]/notes/[NOTE_ID]` for
notes and `projects/[PROJECT_ID]/occurrences/[OCCURRENCE_ID]` for
occurrences.

Args:
  resource: string, REQUIRED: The resource for which the policy detail is being requested.
See the operation documentation for the appropriate value for this field. (required)
  body: object, The request body. (required)
    The object takes the form of:

{ # Request message for `TestIamPermissions` method.
    "permissions": [ # The set of permissions to check for the `resource`. Permissions with
        # wildcards (such as '*' or 'storage.*') are not allowed. For more
        # information see
        # [IAM Overview](https://cloud.google.com/iam/docs/overview#permissions).
      "A String",
    ],
  }

  x__xgafv: string, V1 error format.
    Allowed values
      1 - v1 error format
      2 - v2 error format

Returns:
  An object of the form:

    { # Response message for `TestIamPermissions` method.
    "permissions": [ # A subset of `TestPermissionsRequest.permissions` that the caller is
        # allowed.
      "A String",
    ],
  }</pre>
</div>

</body></html>