1// Copyright (C) 2023 The Android Open Source Project 2// 3// Licensed under the Apache License, Version 2.0 (the "License"); 4// you may not use this file except in compliance with the License. 5// You may obtain a copy of the License at 6// 7// http://www.apache.org/licenses/LICENSE-2.0 8// 9// Unless required by applicable law or agreed to in writing, software 10// distributed under the License is distributed on an "AS IS" BASIS, 11// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12// See the License for the specific language governing permissions and 13// limitations under the License. 14 15syntax = "proto2"; 16 17package metadata_file; 18 19// Proto definition of METADATA files of packages in AOSP codebase. 20message Metadata { 21 // Name of the package. 22 optional string name = 1; 23 24 // A short description (a few lines) of the package. 25 // Example: "Handles location lookups, throttling, batching, etc." 26 optional string description = 2; 27 28 // Specifies additional data about third-party packages. 29 optional ThirdParty third_party = 3; 30} 31 32message ThirdParty { 33 // URL(s) associated with the package. 34 // 35 // At a minimum, all packages must specify a URL which identifies where it 36 // came from, containing a type of: ARCHIVE, GIT or OTHER. Typically, 37 // a package should contain only a single URL from these types. Occasionally, 38 // a package may be broken across multiple archive files for whatever reason, 39 // in which case having multiple ARCHIVE URLs is okay. However, this should 40 // not be used to combine different logical packages that are versioned and 41 // possibly licensed differently. 42 repeated URL url = 1; 43 44 // The package version. In order of preference, this should contain: 45 // - If the package comes from Git or another source control system, 46 // a specific tag or revision in source control, such as "r123" or 47 // "58e27d2". This MUST NOT be a mutable ref such as a branch name. 48 // - a released package version such as "1.0", "2.3-beta", etc. 49 // - the date the package was retrieved, formatted as "As of YYYY-MM-DD". 50 optional string version = 2; 51 52 // The date of the change in which the package was last upgraded from 53 // upstream. 54 // This should only identify package upgrades from upstream, not local 55 // modifications. This may identify the date of either the original or 56 // merged change. 57 // 58 // Note: this is NOT the date that this version of the package was released 59 // externally. 60 optional Date last_upgrade_date = 3; 61 62 // License type that identifies how the package may be used. 63 optional LicenseType license_type = 4; 64 65 // An additional note explaining the licensing of this package. This is most 66 // commonly used with commercial license. 67 optional string license_note = 5; 68 69 // Description of local changes that have been made to the package. This does 70 // not need to (and in most cases should not) attempt to include an exhaustive 71 // list of all changes, but may instead direct readers to review the local 72 // commit history, a collection of patch files, a separate README.md (or 73 // similar) document, etc. 74 // Note: Use of this field to store IDs of advisories fixed with a backported 75 // patch is deprecated, use "security.mitigated_security_patch" instead. 76 optional string local_modifications = 6; 77 78 // Security related metadata including risk category and any special 79 // instructions for using the package, as determined by an ISE-TPS review. 80 optional Security security = 7; 81 82 // The type of directory this metadata represents. 83 optional DirectoryType type = 8 [default = PACKAGE]; 84 85 // The homepage for the package. This will eventually replace 86 // `url { type: HOMEPAGE }` 87 optional string homepage = 9; 88 89 // SBOM information of the package. It is mandatory for prebuilt packages. 90 oneof sbom { 91 // Reference to external SBOM document provided as URL. 92 SBOMRef sbom_ref = 10; 93 } 94 95} 96 97// URL associated with a third-party package. 98message URL { 99 enum Type { 100 // The homepage for the package. For example, "https://bazel.io/". This URL 101 // is optional, but encouraged to help disambiguate similarly named packages 102 // or to get more information about the package. This is especially helpful 103 // when no other URLs provide human readable resources (such as git:// or 104 // sso:// URLs). 105 HOMEPAGE = 1; 106 107 // The URL of the archive containing the source code for the package, for 108 // example a zip or tgz file. 109 ARCHIVE = 2; 110 111 // The URL of the upstream git repository this package is retrieved from. 112 // For example: 113 // - https://github.com/git/git.git 114 // - git://git.kernel.org/pub/scm/git/git.git 115 // 116 // Use of a git URL requires that the package "version" value must specify a 117 // specific git tag or revision. 118 GIT = 3; 119 120 // The URL of the upstream SVN repository this package is retrieved from. 121 // For example: 122 // - http://llvm.org/svn/llvm-project/llvm/ 123 // 124 // Use of an SVN URL requires that the package "version" value must specify 125 // a specific SVN tag or revision. 126 SVN = 4; 127 128 // The URL of the upstream mercurial repository this package is retrieved 129 // from. For example: 130 // - https://mercurial-scm.org/repo/evolve 131 // 132 // Use of a mercurial URL requires that the package "version" value must 133 // specify a specific tag or revision. 134 HG = 5; 135 136 // The URL of the upstream darcs repository this package is retrieved 137 // from. For example: 138 // - https://hub.darcs.net/hu.dwim/hu.dwim.util 139 // 140 // Use of a DARCS URL requires that the package "version" value must 141 // specify a specific tag or revision. 142 DARCS = 6; 143 144 PIPER = 7; 145 146 // A URL that does not fit any other type. This may also indicate that the 147 // source code was received via email or some other out-of-band way. This is 148 // most commonly used with commercial software received directly from the 149 // vendor. In the case of email, the URL value can be used to provide 150 // additional information about how it was received. 151 OTHER = 8; 152 153 // The URL identifying where the local copy of the package source code can 154 // be found. 155 // 156 // Typically, the metadata files describing a package reside in the same 157 // directory as the source code for the package. In a few rare cases where 158 // they are separate, the LOCAL_SOURCE URL identifies where to find the 159 // source code. This only describes where to find the local copy of the 160 // source; there should always be an additional URL describing where the 161 // package was retrieved from. 162 // 163 // Examples: 164 // - https://android.googlesource.com/platform/external/apache-http/ 165 LOCAL_SOURCE = 9; 166 } 167 168 // The type of resource this URL identifies. 169 optional Type type = 1; 170 171 // The actual URL value. URLs should be absolute and start with 'http://' or 172 // 'https://' (or occasionally 'git://' or 'ftp://' where appropriate). 173 optional string value = 2; 174} 175 176// License type that identifies how the packages may be used. 177enum LicenseType { 178 BY_EXCEPTION_ONLY = 1; 179 NOTICE = 2; 180 PERMISSIVE = 3; 181 RECIPROCAL = 4; 182 RESTRICTED_IF_STATICALLY_LINKED = 5; 183 RESTRICTED = 6; 184 UNENCUMBERED = 7; 185} 186 187// Identifies security related metadata including risk category and any special 188// instructions for using the package. 189message Security { 190 // Security risk category for a package, as determined by an ISE-TPS review. 191 enum Category { 192 CATEGORY_UNSPECIFIED = 0; 193 194 // Package should only be used in a sandboxed environment. 195 // Package should have restricted visibility. 196 SANDBOXED_ONLY = 1; 197 198 // Package should not be used to process user content. It is considered 199 // safe to use to process trusted data only. Package should have restricted 200 // visibility. 201 TRUSTED_DATA_ONLY = 2; 202 203 // Package is considered safe to use. 204 REVIEWED_AND_SECURE = 3; 205 } 206 207 // Identifies the security risk category for the package. This will be 208 // provided by the ISE-TPS team as the result of a security review of the 209 // package. 210 optional Category category = 1; 211 212 // An additional security note for the package. 213 optional string note = 2; 214 215 // Text tag to categorize the package. It's currently used by security to: 216 // - to disable OSV (https://osv.dev) 217 // support via the `OSV:disable` tag 218 // - to attach CPE to their corresponding packages, for vulnerability 219 // monitoring: 220 // 221 // Please do document your usecase here should you want to add one. 222 repeated string tag = 3; 223 224 // ID of advisories fixed with a mitigated patch, for example CVE-2018-1111. 225 repeated string mitigated_security_patch = 4; 226} 227 228enum DirectoryType { 229 UNDEFINED = 0; 230 231 // This directory represents a package. 232 PACKAGE = 1; 233 234 // This directory is designed to organize multiple third-party PACKAGE 235 // directories. 236 GROUP = 2; 237 238 // This directory contains several PACKAGE directories representing 239 // different versions of the same third-party project. 240 VERSIONS = 3; 241} 242 243// Represents a whole or partial calendar date, such as a birthday. The time of 244// day and time zone are either specified elsewhere or are insignificant. The 245// date is relative to the Gregorian Calendar. This can represent one of the 246// following: 247// 248// * A full date, with non-zero year, month, and day values. 249// * A month and day, with a zero year (for example, an anniversary). 250// * A year on its own, with a zero month and a zero day. 251// * A year and month, with a zero day (for example, a credit card expiration 252// date). 253message Date { 254 // Year of the date. Must be from 1 to 9999, or 0 to specify a date without 255 // a year. 256 optional int32 year = 1; 257 // Month of a year. Must be from 1 to 12, or 0 to specify a year without a 258 // month and day. 259 optional int32 month = 2; 260 // Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 261 // to specify a year by itself or a year and month where the day isn't 262 // significant. 263 optional int32 day = 3; 264} 265 266// Reference to external SBOM document and element corresponding to the package. 267// See https://spdx.github.io/spdx-spec/v2.3/document-creation-information/#66-external-document-references-field 268message SBOMRef { 269 // The URL that points to the SBOM document of the upstream package of this 270 // third_party package. 271 optional string url = 1; 272 // Checksum of the SBOM document the url field points to. 273 // Format: e.g. SHA1:<checksum>, or any algorithm defined in 274 // https://spdx.github.io/spdx-spec/v2.3/file-information/#8.4 275 optional string checksum = 2; 276 // SPDXID of the upstream package/file defined in the SBOM document the url field points to. 277 // Format: SPDXRef-[a-zA-Z0-9.-]+, see 278 // https://spdx.github.io/spdx-spec/v2.3/package-information/#72-package-spdx-identifier-field or 279 // https://spdx.github.io/spdx-spec/v2.3/file-information/#82-file-spdx-identifier-field 280 optional string element_id = 3; 281}