1// Copyright 2021 The Grafeas Authors. All rights reserved.
2//
3// Licensed under the Apache License, Version 2.0 (the "License");
4// you may not use this file except in compliance with the License.
5// You may obtain a copy of the License at
6//
7//    http://www.apache.org/licenses/LICENSE-2.0
8//
9// Unless required by applicable law or agreed to in writing, software
10// distributed under the License is distributed on an "AS IS" BASIS,
11// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12// See the License for the specific language governing permissions and
13// limitations under the License.
14
15syntax = "proto3";
16
17package grafeas.v1;
18
19import "google/protobuf/any.proto";
20import "google/protobuf/timestamp.proto";
21
// Code-generation options. The Go/Java/ObjC package and class names below are
// part of the published generated-code API: changing any of them breaks
// existing consumers even though the wire encoding is unaffected.
option go_package = "google.golang.org/genproto/googleapis/grafeas/v1;grafeas";
option java_multiple_files = true;
option java_package = "io.grafeas.v1";
option objc_class_prefix = "GRA";
option java_outer_classname = "InTotoProvenanceProto";
27
28// Spec defined at
29// https://github.com/in-toto/attestation/blob/main/spec/predicates/provenance.md
30
// Steps taken to build the artifact.
// For a TaskRun, typically each container corresponds to one step in the
// recipe.
//
// Everything in this message is reported by the builder. It describes how the
// build was performed; nothing in the schema verifies that description.
message Recipe {
  // URI indicating what type of recipe was performed. It determines the meaning
  // of recipe.entryPoint, recipe.arguments, recipe.environment, and materials.
  // A consumer that does not recognize the URI cannot interpret the remaining
  // fields and should not fall back to a default interpretation.
  // (The field name `type` is a keyword in some target languages, so generated
  // accessors may be renamed there.)
  string type = 1;
  // Index in materials containing the recipe steps that are not implied by
  // recipe.type. For example, if the recipe type were "make", then this would
  // point to the source containing the Makefile, not the make program itself.
  // Set to -1 if the recipe doesn't come from a material, as zero is default
  // unset value for int64. Proto3 scalars have implicit presence, so index 0
  // and "never set" serialize identically; -1 is the only explicit "none".
  // Consumers should bounds-check the value against the materials list before
  // indexing with it.
  int64 defined_in_material = 2;
  // String identifying the entry point into the build.
  // This is often a path to a configuration file and/or a target label within
  // that file. The syntax and meaning are defined by recipe.type. For example,
  // if the recipe type were "make", then this would reference the directory in
  // which to run make as well as which target to use.
  string entry_point = 3;
  // Collection of all external inputs that influenced the build on top of
  // recipe.definedInMaterial and recipe.entryPoint. For example, if the recipe
  // type were "make", then this might be the flags passed to make aside from
  // the target, which is captured in recipe.entryPoint. Since the arguments
  // field can greatly vary in structure, depending on the builder and recipe
  // type, this is of form "Any".
  // Each Any carries a caller-chosen type_url; a consumer unpacking these from
  // provenance it does not already trust should restrict unpacking to an
  // allowlist of expected message types.
  repeated google.protobuf.Any arguments = 4;
  // Any other builder-controlled inputs necessary for correctly evaluating the
  // recipe. Usually only needed for reproducing the build but not evaluated as
  // part of policy. Since the environment field can greatly vary in structure,
  // depending on the builder and recipe type, this is of form "Any".
  // The same type_url allowlisting advice as for `arguments` applies here.
  repeated google.protobuf.Any environment = 5;
}
63
// Indicates that the builder claims certain fields in this message to be
// complete.
//
// These are self-reported claims, not facts established by this schema; a
// policy that relies on completeness is only as strong as the builder making
// the claim. Each flag defaults to false, and under proto3 implicit presence
// "not claimed complete" and "never set" are indistinguishable.
message Completeness {
  // If true, the builder claims that recipe.arguments is complete, meaning that
  // all external inputs are properly captured in the recipe.
  bool arguments = 1;
  // If true, the builder claims that recipe.environment is complete.
  bool environment = 2;
  // If true, the builder claims that materials are complete, usually through
  // some controls to prevent network access. Sometimes called "hermetic".
  // Without this flag the materials list must be treated as a lower bound on
  // what influenced the build.
  bool materials = 3;
}
77
// Other properties of the build.
//
// All values here are reported by the builder and carry no independent
// verification.
message Metadata {
  // Identifies the particular build invocation, which can be useful for finding
  // associated logs or other ad-hoc analysis. The value SHOULD be globally
  // unique, per in-toto Provenance spec. Uniqueness is not enforced by this
  // schema, so do not rely on it as a sole key without validating the value.
  string build_invocation_id = 1;
  // The timestamp of when the build started.
  // (Field naming predates the `*_time` convention and cannot change without
  // breaking generated code and JSON.)
  google.protobuf.Timestamp build_started_on = 2;
  // The timestamp of when the build completed.
  google.protobuf.Timestamp build_finished_on = 3;
  // Indicates that the builder claims certain fields in this message to be
  // complete. Unset means nothing is claimed complete.
  Completeness completeness = 4;
  // If true, the builder claims that running the recipe on materials will
  // produce bit-for-bit identical output. This is a claim, not a verified
  // property; it can be checked only by actually rebuilding.
  bool reproducible = 5;
}
95
// Configuration describing the builder that produced the provenance. Only an
// identifier is recorded here.
message BuilderConfig {
  // Identifier of the builder. The linked provenance spec presumably expects a
  // URI here — confirm against the spec before validating the format.
  // Nothing in this message authenticates the value: a consumer should
  // establish the builder's identity from whatever signs the surrounding
  // attestation rather than from this string alone.
  string id = 1;
}
99
// The in-toto provenance predicate: the builder's account of how the listed
// materials were turned into the attested artifact.
//
// Two fields are marked required. Proto3 has no `required` label, so the
// parser does not enforce this; consumers must check presence themselves and
// reject provenance that omits either field.
message InTotoProvenance {
  // Required. Identifies the builder. Check has_builder_config() before use;
  // an absent builder is not a valid provenance.
  BuilderConfig builder_config = 1;  // required
  // Identifies the configuration used for the build.
  // When combined with materials, this SHOULD fully describe the build,
  // such that re-running this recipe results in bit-for-bit identical output
  // (if the build is reproducible).
  // Required. Check has_recipe() before use.
  Recipe recipe = 2;  // required
  // Other properties of the build, including the completeness claims that
  // determine how far `materials` and `recipe` can be relied upon. Optional.
  Metadata metadata = 3;
  // The collection of artifacts that influenced the build including sources,
  // dependencies, build tools, base images, and so on. This is considered to be
  // incomplete unless metadata.completeness.materials is true. Unset or null is
  // equivalent to empty.
  repeated string materials = 4;
}
114