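// Copyright 2021 The Grafeas Authors. All rights reserved.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//    http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

syntax = "proto3";

package grafeas.v1;

import "google/protobuf/any.proto";
import "google/protobuf/timestamp.proto";

option go_package = "google.golang.org/genproto/googleapis/grafeas/v1;grafeas";
option java_multiple_files = true;
option java_package = "io.grafeas.v1";
option objc_class_prefix = "GRA";
option java_outer_classname = "SlsaProvenanceProto";

// Describes how an artifact was built: who built it (builder), how it was
// built (recipe), from which inputs (materials), and other properties of the
// build (metadata).
//
// Every value in this message is a statement made by the builder. The message
// has no field that authenticates its content, so a consumer that bases a
// policy decision on it must first establish who produced it and that it was
// not modified, using whatever mechanism carries the message.
message SlsaProvenance {
  // Steps taken to build the artifact.
  // For a TaskRun, typically each container corresponds to one step in the
  // recipe.
  message SlsaRecipe {
    // URI indicating what type of recipe was performed. It determines the
    // meaning of recipe.entryPoint, recipe.arguments, recipe.environment, and
    // materials.
    string type = 1;

    // Index in materials containing the recipe steps that are not implied by
    // recipe.type. For example, if the recipe type were "make", then this
    // would point to the source containing the Makefile, not the make program
    // itself. Set to -1 if the recipe doesn't come from a material, as zero is
    // default unset value for int64.
    //
    // Because this field has no explicit presence, a producer that omits it
    // is indistinguishable from one that points at materials[0]. Consumers
    // should check that the value is -1 or a valid index into materials
    // before dereferencing it.
    int64 defined_in_material = 2;

    // String identifying the entry point into the build.
    // This is often a path to a configuration file and/or a target label
    // within that file. The syntax and meaning are defined by recipe.type.
    // For example, if the recipe type were "make", then this would reference
    // the directory in which to run make as well as which target to use.
    string entry_point = 3;

    // Collection of all external inputs that influenced the build on top of
    // recipe.definedInMaterial and recipe.entryPoint. For example, if the
    // recipe type were "make", then this might be the flags passed to make
    // aside from the target, which is captured in recipe.entryPoint. Depending
    // on the recipe Type, the structure may be different.
    //
    // The payload type is chosen by the producer. When the provenance comes
    // from a source that is not fully trusted, check the Any type_url against
    // the set of types expected for recipe.type before unpacking.
    google.protobuf.Any arguments = 4;

    // Any other builder-controlled inputs necessary for correctly evaluating
    // the recipe. Usually only needed for reproducing the build but not
    // evaluated as part of policy. Depending on the recipe Type, the structure
    // may be different.
    //
    // As with arguments, check the Any type_url against the expected types
    // before unpacking provenance from a source that is not fully trusted.
    google.protobuf.Any environment = 5;
  }

  // Indicates that the builder claims certain fields in this message to be
  // complete.
  //
  // These are self-reported claims, not verified facts: they are only as
  // trustworthy as the builder named in SlsaProvenance.builder. The proto3
  // default (false) means "not claimed", which is the safe reading for a
  // missing value.
  message SlsaCompleteness {
    // If true, the builder claims that recipe.arguments is complete, meaning
    // that all external inputs are properly captured in the recipe.
    bool arguments = 1;

    // If true, the builder claims that recipe.environment is complete.
    bool environment = 2;

    // If true, the builder claims that materials are complete, usually through
    // some controls to prevent network access. Sometimes called "hermetic".
    bool materials = 3;
  }

  // Other properties of the build.
  message SlsaMetadata {
    // Identifies the particular build invocation, which can be useful for
    // finding associated logs or other ad-hoc analysis. The value SHOULD be
    // globally unique, per in-toto Provenance spec.
    string build_invocation_id = 1;

    // The timestamp of when the build started.
    google.protobuf.Timestamp build_started_on = 2;

    // The timestamp of when the build completed.
    google.protobuf.Timestamp build_finished_on = 3;

    // Indicates that the builder claims certain fields in this message to be
    // complete.
    SlsaCompleteness completeness = 4;

    // If true, the builder claims that running the recipe on materials will
    // produce bit-for-bit identical output. Like the completeness flags, this
    // is a claim by the builder and is not verified by this message.
    bool reproducible = 5;
  }

  // Identifies the entity that executed the recipe.
  message SlsaBuilder {
    // Identifier of the builder.
    // NOTE(review): presumably a URI, as in the in-toto Provenance spec;
    // confirm. Every claim in this provenance is only as trustworthy as the
    // builder it names, so policy should compare this value against the set
    // of builders it expects rather than accept any non-empty string.
    string id = 1;
  }

  // An artifact that influenced the build; see SlsaProvenance.materials.
  message Material {
    // Identifier or location of the material.
    // NOTE(review): the expected URI format is not stated in this file.
    string uri = 1;

    // Digests of the material.
    // NOTE(review): presumably digest algorithm name -> encoded digest value,
    // as in the in-toto DigestSet; confirm key and value encoding. A material
    // with an empty digest map is identified by uri alone and is not pinned
    // to specific content.
    map<string, string> digest = 2;
  }

  // Marked required by convention only: proto3 does not enforce presence, so
  // consumers must reject provenance where this field is absent.
  SlsaBuilder builder = 1;  // required

  // Identifies the configuration used for the build.
  // When combined with materials, this SHOULD fully describe the build,
  // such that re-running this recipe results in bit-for-bit identical output
  // (if the build is reproducible).
  //
  // Marked required by convention only: proto3 does not enforce presence, so
  // consumers must check that it is set.
  SlsaRecipe recipe = 2;  // required

  // Other properties of the build, including the builder's completeness and
  // reproducibility claims.
  SlsaMetadata metadata = 3;

  // The collection of artifacts that influenced the build including sources,
  // dependencies, build tools, base images, and so on. This is considered to
  // be incomplete unless metadata.completeness.materials is true. Unset or
  // null is equivalent to empty.
  repeated Material materials = 4;
}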