1*9e94795aSAndroid Build Coastguard Worker// Copyright (C) 2023 The Android Open Source Project 2*9e94795aSAndroid Build Coastguard Worker// 3*9e94795aSAndroid Build Coastguard Worker// Licensed under the Apache License, Version 2.0 (the "License"); 4*9e94795aSAndroid Build Coastguard Worker// you may not use this file except in compliance with the License. 5*9e94795aSAndroid Build Coastguard Worker// You may obtain a copy of the License at 6*9e94795aSAndroid Build Coastguard Worker// 7*9e94795aSAndroid Build Coastguard Worker// http://www.apache.org/licenses/LICENSE-2.0 8*9e94795aSAndroid Build Coastguard Worker// 9*9e94795aSAndroid Build Coastguard Worker// Unless required by applicable law or agreed to in writing, software 10*9e94795aSAndroid Build Coastguard Worker// distributed under the License is distributed on an "AS IS" BASIS, 11*9e94795aSAndroid Build Coastguard Worker// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12*9e94795aSAndroid Build Coastguard Worker// See the License for the specific language governing permissions and 13*9e94795aSAndroid Build Coastguard Worker// limitations under the License. 14*9e94795aSAndroid Build Coastguard Worker 15*9e94795aSAndroid Build Coastguard Workersyntax = "proto2"; 16*9e94795aSAndroid Build Coastguard Worker 17*9e94795aSAndroid Build Coastguard Workerpackage metadata_file; 18*9e94795aSAndroid Build Coastguard Worker 19*9e94795aSAndroid Build Coastguard Worker// Proto definition of METADATA files of packages in AOSP codebase. 20*9e94795aSAndroid Build Coastguard Workermessage Metadata { 21*9e94795aSAndroid Build Coastguard Worker // Name of the package. 22*9e94795aSAndroid Build Coastguard Worker optional string name = 1; 23*9e94795aSAndroid Build Coastguard Worker 24*9e94795aSAndroid Build Coastguard Worker // A short description (a few lines) of the package. 25*9e94795aSAndroid Build Coastguard Worker // Example: "Handles location lookups, throttling, batching, etc." 26*9e94795aSAndroid Build Coastguard Worker optional string description = 2; 27*9e94795aSAndroid Build Coastguard Worker 28*9e94795aSAndroid Build Coastguard Worker // Specifies additional data about third-party packages. 29*9e94795aSAndroid Build Coastguard Worker optional ThirdParty third_party = 3; 30*9e94795aSAndroid Build Coastguard Worker} 31*9e94795aSAndroid Build Coastguard Worker 32*9e94795aSAndroid Build Coastguard Workermessage ThirdParty { 33*9e94795aSAndroid Build Coastguard Worker // URL(s) associated with the package. 34*9e94795aSAndroid Build Coastguard Worker // 35*9e94795aSAndroid Build Coastguard Worker // At a minimum, all packages must specify a URL which identifies where it 36*9e94795aSAndroid Build Coastguard Worker // came from, containing a type of: ARCHIVE, GIT or OTHER. Typically, 37*9e94795aSAndroid Build Coastguard Worker // a package should contain only a single URL from these types. Occasionally, 38*9e94795aSAndroid Build Coastguard Worker // a package may be broken across multiple archive files for whatever reason, 39*9e94795aSAndroid Build Coastguard Worker // in which case having multiple ARCHIVE URLs is okay. However, this should 40*9e94795aSAndroid Build Coastguard Worker // not be used to combine different logical packages that are versioned and 41*9e94795aSAndroid Build Coastguard Worker // possibly licensed differently. 42*9e94795aSAndroid Build Coastguard Worker repeated URL url = 1; 43*9e94795aSAndroid Build Coastguard Worker 44*9e94795aSAndroid Build Coastguard Worker // The package version. In order of preference, this should contain: 45*9e94795aSAndroid Build Coastguard Worker // - If the package comes from Git or another source control system, 46*9e94795aSAndroid Build Coastguard Worker // a specific tag or revision in source control, such as "r123" or 47*9e94795aSAndroid Build Coastguard Worker // "58e27d2". This MUST NOT be a mutable ref such as a branch name. 48*9e94795aSAndroid Build Coastguard Worker // - a released package version such as "1.0", "2.3-beta", etc. 49*9e94795aSAndroid Build Coastguard Worker // - the date the package was retrieved, formatted as "As of YYYY-MM-DD". 50*9e94795aSAndroid Build Coastguard Worker optional string version = 2; 51*9e94795aSAndroid Build Coastguard Worker 52*9e94795aSAndroid Build Coastguard Worker // The date of the change in which the package was last upgraded from 53*9e94795aSAndroid Build Coastguard Worker // upstream. 54*9e94795aSAndroid Build Coastguard Worker // This should only identify package upgrades from upstream, not local 55*9e94795aSAndroid Build Coastguard Worker // modifications. This may identify the date of either the original or 56*9e94795aSAndroid Build Coastguard Worker // merged change. 57*9e94795aSAndroid Build Coastguard Worker // 58*9e94795aSAndroid Build Coastguard Worker // Note: this is NOT the date that this version of the package was released 59*9e94795aSAndroid Build Coastguard Worker // externally. 60*9e94795aSAndroid Build Coastguard Worker optional Date last_upgrade_date = 3; 61*9e94795aSAndroid Build Coastguard Worker 62*9e94795aSAndroid Build Coastguard Worker // License type that identifies how the package may be used. 63*9e94795aSAndroid Build Coastguard Worker optional LicenseType license_type = 4; 64*9e94795aSAndroid Build Coastguard Worker 65*9e94795aSAndroid Build Coastguard Worker // An additional note explaining the licensing of this package. This is most 66*9e94795aSAndroid Build Coastguard Worker // commonly used with commercial license. 67*9e94795aSAndroid Build Coastguard Worker optional string license_note = 5; 68*9e94795aSAndroid Build Coastguard Worker 69*9e94795aSAndroid Build Coastguard Worker // Description of local changes that have been made to the package. This does 70*9e94795aSAndroid Build Coastguard Worker // not need to (and in most cases should not) attempt to include an exhaustive 71*9e94795aSAndroid Build Coastguard Worker // list of all changes, but may instead direct readers to review the local 72*9e94795aSAndroid Build Coastguard Worker // commit history, a collection of patch files, a separate README.md (or 73*9e94795aSAndroid Build Coastguard Worker // similar) document, etc. 74*9e94795aSAndroid Build Coastguard Worker // Note: Use of this field to store IDs of advisories fixed with a backported 75*9e94795aSAndroid Build Coastguard Worker // patch is deprecated, use "security.mitigated_security_patch" instead. 76*9e94795aSAndroid Build Coastguard Worker optional string local_modifications = 6; 77*9e94795aSAndroid Build Coastguard Worker 78*9e94795aSAndroid Build Coastguard Worker // Security related metadata including risk category and any special 79*9e94795aSAndroid Build Coastguard Worker // instructions for using the package, as determined by an ISE-TPS review. 80*9e94795aSAndroid Build Coastguard Worker optional Security security = 7; 81*9e94795aSAndroid Build Coastguard Worker 82*9e94795aSAndroid Build Coastguard Worker // The type of directory this metadata represents. 83*9e94795aSAndroid Build Coastguard Worker optional DirectoryType type = 8 [default = PACKAGE]; 84*9e94795aSAndroid Build Coastguard Worker 85*9e94795aSAndroid Build Coastguard Worker // The homepage for the package. This will eventually replace 86*9e94795aSAndroid Build Coastguard Worker // `url { type: HOMEPAGE }` 87*9e94795aSAndroid Build Coastguard Worker optional string homepage = 9; 88*9e94795aSAndroid Build Coastguard Worker 89*9e94795aSAndroid Build Coastguard Worker // SBOM information of the package. It is mandatory for prebuilt packages. 90*9e94795aSAndroid Build Coastguard Worker oneof sbom { 91*9e94795aSAndroid Build Coastguard Worker // Reference to external SBOM document provided as URL. 92*9e94795aSAndroid Build Coastguard Worker SBOMRef sbom_ref = 10; 93*9e94795aSAndroid Build Coastguard Worker } 94*9e94795aSAndroid Build Coastguard Worker 95*9e94795aSAndroid Build Coastguard Worker // Identifiers for the package. 96*9e94795aSAndroid Build Coastguard Worker repeated Identifier identifier = 11; 97*9e94795aSAndroid Build Coastguard Worker} 98*9e94795aSAndroid Build Coastguard Worker 99*9e94795aSAndroid Build Coastguard Worker// URL associated with a third-party package. 100*9e94795aSAndroid Build Coastguard Workermessage URL { 101*9e94795aSAndroid Build Coastguard Worker enum Type { 102*9e94795aSAndroid Build Coastguard Worker // The homepage for the package. For example, "https://bazel.io/". This URL 103*9e94795aSAndroid Build Coastguard Worker // is optional, but encouraged to help disambiguate similarly named packages 104*9e94795aSAndroid Build Coastguard Worker // or to get more information about the package. This is especially helpful 105*9e94795aSAndroid Build Coastguard Worker // when no other URLs provide human readable resources (such as git:// or 106*9e94795aSAndroid Build Coastguard Worker // sso:// URLs). 107*9e94795aSAndroid Build Coastguard Worker HOMEPAGE = 1; 108*9e94795aSAndroid Build Coastguard Worker 109*9e94795aSAndroid Build Coastguard Worker // The URL of the archive containing the source code for the package, for 110*9e94795aSAndroid Build Coastguard Worker // example a zip or tgz file. 111*9e94795aSAndroid Build Coastguard Worker ARCHIVE = 2; 112*9e94795aSAndroid Build Coastguard Worker 113*9e94795aSAndroid Build Coastguard Worker // The URL of the upstream git repository this package is retrieved from. 114*9e94795aSAndroid Build Coastguard Worker // For example: 115*9e94795aSAndroid Build Coastguard Worker // - https://github.com/git/git.git 116*9e94795aSAndroid Build Coastguard Worker // - git://git.kernel.org/pub/scm/git/git.git 117*9e94795aSAndroid Build Coastguard Worker // 118*9e94795aSAndroid Build Coastguard Worker // Use of a git URL requires that the package "version" value must specify a 119*9e94795aSAndroid Build Coastguard Worker // specific git tag or revision. 120*9e94795aSAndroid Build Coastguard Worker GIT = 3; 121*9e94795aSAndroid Build Coastguard Worker 122*9e94795aSAndroid Build Coastguard Worker // The URL of the upstream SVN repository this package is retrieved from. 123*9e94795aSAndroid Build Coastguard Worker // For example: 124*9e94795aSAndroid Build Coastguard Worker // - http://llvm.org/svn/llvm-project/llvm/ 125*9e94795aSAndroid Build Coastguard Worker // 126*9e94795aSAndroid Build Coastguard Worker // Use of an SVN URL requires that the package "version" value must specify 127*9e94795aSAndroid Build Coastguard Worker // a specific SVN tag or revision. 128*9e94795aSAndroid Build Coastguard Worker SVN = 4; 129*9e94795aSAndroid Build Coastguard Worker 130*9e94795aSAndroid Build Coastguard Worker // The URL of the upstream mercurial repository this package is retrieved 131*9e94795aSAndroid Build Coastguard Worker // from. For example: 132*9e94795aSAndroid Build Coastguard Worker // - https://mercurial-scm.org/repo/evolve 133*9e94795aSAndroid Build Coastguard Worker // 134*9e94795aSAndroid Build Coastguard Worker // Use of a mercurial URL requires that the package "version" value must 135*9e94795aSAndroid Build Coastguard Worker // specify a specific tag or revision. 136*9e94795aSAndroid Build Coastguard Worker HG = 5; 137*9e94795aSAndroid Build Coastguard Worker 138*9e94795aSAndroid Build Coastguard Worker // The URL of the upstream darcs repository this package is retrieved 139*9e94795aSAndroid Build Coastguard Worker // from. For example: 140*9e94795aSAndroid Build Coastguard Worker // - https://hub.darcs.net/hu.dwim/hu.dwim.util 141*9e94795aSAndroid Build Coastguard Worker // 142*9e94795aSAndroid Build Coastguard Worker // Use of a DARCS URL requires that the package "version" value must 143*9e94795aSAndroid Build Coastguard Worker // specify a specific tag or revision. 144*9e94795aSAndroid Build Coastguard Worker DARCS = 6; 145*9e94795aSAndroid Build Coastguard Worker 146*9e94795aSAndroid Build Coastguard Worker PIPER = 7; 147*9e94795aSAndroid Build Coastguard Worker 148*9e94795aSAndroid Build Coastguard Worker // A URL that does not fit any other type. This may also indicate that the 149*9e94795aSAndroid Build Coastguard Worker // source code was received via email or some other out-of-band way. This is 150*9e94795aSAndroid Build Coastguard Worker // most commonly used with commercial software received directly from the 151*9e94795aSAndroid Build Coastguard Worker // vendor. In the case of email, the URL value can be used to provide 152*9e94795aSAndroid Build Coastguard Worker // additional information about how it was received. 153*9e94795aSAndroid Build Coastguard Worker OTHER = 8; 154*9e94795aSAndroid Build Coastguard Worker 155*9e94795aSAndroid Build Coastguard Worker // The URL identifying where the local copy of the package source code can 156*9e94795aSAndroid Build Coastguard Worker // be found. 157*9e94795aSAndroid Build Coastguard Worker // 158*9e94795aSAndroid Build Coastguard Worker // Typically, the metadata files describing a package reside in the same 159*9e94795aSAndroid Build Coastguard Worker // directory as the source code for the package. In a few rare cases where 160*9e94795aSAndroid Build Coastguard Worker // they are separate, the LOCAL_SOURCE URL identifies where to find the 161*9e94795aSAndroid Build Coastguard Worker // source code. This only describes where to find the local copy of the 162*9e94795aSAndroid Build Coastguard Worker // source; there should always be an additional URL describing where the 163*9e94795aSAndroid Build Coastguard Worker // package was retrieved from. 164*9e94795aSAndroid Build Coastguard Worker // 165*9e94795aSAndroid Build Coastguard Worker // Examples: 166*9e94795aSAndroid Build Coastguard Worker // - https://android.googlesource.com/platform/external/apache-http/ 167*9e94795aSAndroid Build Coastguard Worker LOCAL_SOURCE = 9; 168*9e94795aSAndroid Build Coastguard Worker } 169*9e94795aSAndroid Build Coastguard Worker 170*9e94795aSAndroid Build Coastguard Worker // The type of resource this URL identifies. 171*9e94795aSAndroid Build Coastguard Worker optional Type type = 1; 172*9e94795aSAndroid Build Coastguard Worker 173*9e94795aSAndroid Build Coastguard Worker // The actual URL value. URLs should be absolute and start with 'http://' or 174*9e94795aSAndroid Build Coastguard Worker // 'https://' (or occasionally 'git://' or 'ftp://' where appropriate). 175*9e94795aSAndroid Build Coastguard Worker optional string value = 2; 176*9e94795aSAndroid Build Coastguard Worker} 177*9e94795aSAndroid Build Coastguard Worker 178*9e94795aSAndroid Build Coastguard Worker// License type that identifies how the packages may be used. 179*9e94795aSAndroid Build Coastguard Workerenum LicenseType { 180*9e94795aSAndroid Build Coastguard Worker BY_EXCEPTION_ONLY = 1; 181*9e94795aSAndroid Build Coastguard Worker NOTICE = 2; 182*9e94795aSAndroid Build Coastguard Worker PERMISSIVE = 3; 183*9e94795aSAndroid Build Coastguard Worker RECIPROCAL = 4; 184*9e94795aSAndroid Build Coastguard Worker RESTRICTED_IF_STATICALLY_LINKED = 5; 185*9e94795aSAndroid Build Coastguard Worker RESTRICTED = 6; 186*9e94795aSAndroid Build Coastguard Worker UNENCUMBERED = 7; 187*9e94795aSAndroid Build Coastguard Worker} 188*9e94795aSAndroid Build Coastguard Worker 189*9e94795aSAndroid Build Coastguard Worker// Identifies security related metadata including risk category and any special 190*9e94795aSAndroid Build Coastguard Worker// instructions for using the package. 191*9e94795aSAndroid Build Coastguard Workermessage Security { 192*9e94795aSAndroid Build Coastguard Worker // Security risk category for a package, as determined by an ISE-TPS review. 193*9e94795aSAndroid Build Coastguard Worker enum Category { 194*9e94795aSAndroid Build Coastguard Worker CATEGORY_UNSPECIFIED = 0; 195*9e94795aSAndroid Build Coastguard Worker 196*9e94795aSAndroid Build Coastguard Worker // Package should only be used in a sandboxed environment. 197*9e94795aSAndroid Build Coastguard Worker // Package should have restricted visibility. 198*9e94795aSAndroid Build Coastguard Worker SANDBOXED_ONLY = 1; 199*9e94795aSAndroid Build Coastguard Worker 200*9e94795aSAndroid Build Coastguard Worker // Package should not be used to process user content. It is considered 201*9e94795aSAndroid Build Coastguard Worker // safe to use to process trusted data only. Package should have restricted 202*9e94795aSAndroid Build Coastguard Worker // visibility. 203*9e94795aSAndroid Build Coastguard Worker TRUSTED_DATA_ONLY = 2; 204*9e94795aSAndroid Build Coastguard Worker 205*9e94795aSAndroid Build Coastguard Worker // Package is considered safe to use. 206*9e94795aSAndroid Build Coastguard Worker REVIEWED_AND_SECURE = 3; 207*9e94795aSAndroid Build Coastguard Worker } 208*9e94795aSAndroid Build Coastguard Worker 209*9e94795aSAndroid Build Coastguard Worker // Identifies the security risk category for the package. This will be 210*9e94795aSAndroid Build Coastguard Worker // provided by the ISE-TPS team as the result of a security review of the 211*9e94795aSAndroid Build Coastguard Worker // package. 212*9e94795aSAndroid Build Coastguard Worker optional Category category = 1; 213*9e94795aSAndroid Build Coastguard Worker 214*9e94795aSAndroid Build Coastguard Worker // An additional security note for the package. 215*9e94795aSAndroid Build Coastguard Worker optional string note = 2; 216*9e94795aSAndroid Build Coastguard Worker 217*9e94795aSAndroid Build Coastguard Worker // Text tag to categorize the package. It's currently used by security to: 218*9e94795aSAndroid Build Coastguard Worker // - to disable OSV (https://osv.dev) 219*9e94795aSAndroid Build Coastguard Worker // support via the `OSV:disable` tag 220*9e94795aSAndroid Build Coastguard Worker // - to attach CPE to their corresponding packages, for vulnerability 221*9e94795aSAndroid Build Coastguard Worker // monitoring: 222*9e94795aSAndroid Build Coastguard Worker // 223*9e94795aSAndroid Build Coastguard Worker // Please do document your usecase here should you want to add one. 224*9e94795aSAndroid Build Coastguard Worker repeated string tag = 3; 225*9e94795aSAndroid Build Coastguard Worker 226*9e94795aSAndroid Build Coastguard Worker // ID of advisories fixed with a mitigated patch, for example CVE-2018-1111. 227*9e94795aSAndroid Build Coastguard Worker repeated string mitigated_security_patch = 4; 228*9e94795aSAndroid Build Coastguard Worker} 229*9e94795aSAndroid Build Coastguard Worker 230*9e94795aSAndroid Build Coastguard Workerenum DirectoryType { 231*9e94795aSAndroid Build Coastguard Worker UNDEFINED = 0; 232*9e94795aSAndroid Build Coastguard Worker 233*9e94795aSAndroid Build Coastguard Worker // This directory represents a package. 234*9e94795aSAndroid Build Coastguard Worker PACKAGE = 1; 235*9e94795aSAndroid Build Coastguard Worker 236*9e94795aSAndroid Build Coastguard Worker // This directory is designed to organize multiple third-party PACKAGE 237*9e94795aSAndroid Build Coastguard Worker // directories. 238*9e94795aSAndroid Build Coastguard Worker GROUP = 2; 239*9e94795aSAndroid Build Coastguard Worker 240*9e94795aSAndroid Build Coastguard Worker // This directory contains several PACKAGE directories representing 241*9e94795aSAndroid Build Coastguard Worker // different versions of the same third-party project. 242*9e94795aSAndroid Build Coastguard Worker VERSIONS = 3; 243*9e94795aSAndroid Build Coastguard Worker} 244*9e94795aSAndroid Build Coastguard Worker 245*9e94795aSAndroid Build Coastguard Worker// Represents a whole or partial calendar date, such as a birthday. The time of 246*9e94795aSAndroid Build Coastguard Worker// day and time zone are either specified elsewhere or are insignificant. The 247*9e94795aSAndroid Build Coastguard Worker// date is relative to the Gregorian Calendar. This can represent one of the 248*9e94795aSAndroid Build Coastguard Worker// following: 249*9e94795aSAndroid Build Coastguard Worker// 250*9e94795aSAndroid Build Coastguard Worker// * A full date, with non-zero year, month, and day values. 251*9e94795aSAndroid Build Coastguard Worker// * A month and day, with a zero year (for example, an anniversary). 252*9e94795aSAndroid Build Coastguard Worker// * A year on its own, with a zero month and a zero day. 253*9e94795aSAndroid Build Coastguard Worker// * A year and month, with a zero day (for example, a credit card expiration 254*9e94795aSAndroid Build Coastguard Worker// date). 255*9e94795aSAndroid Build Coastguard Workermessage Date { 256*9e94795aSAndroid Build Coastguard Worker // Year of the date. Must be from 1 to 9999, or 0 to specify a date without 257*9e94795aSAndroid Build Coastguard Worker // a year. 258*9e94795aSAndroid Build Coastguard Worker optional int32 year = 1; 259*9e94795aSAndroid Build Coastguard Worker // Month of a year. Must be from 1 to 12, or 0 to specify a year without a 260*9e94795aSAndroid Build Coastguard Worker // month and day. 261*9e94795aSAndroid Build Coastguard Worker optional int32 month = 2; 262*9e94795aSAndroid Build Coastguard Worker // Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 263*9e94795aSAndroid Build Coastguard Worker // to specify a year by itself or a year and month where the day isn't 264*9e94795aSAndroid Build Coastguard Worker // significant. 265*9e94795aSAndroid Build Coastguard Worker optional int32 day = 3; 266*9e94795aSAndroid Build Coastguard Worker} 267*9e94795aSAndroid Build Coastguard Worker 268*9e94795aSAndroid Build Coastguard Worker// Reference to external SBOM document and element corresponding to the package. 269*9e94795aSAndroid Build Coastguard Worker// See https://spdx.github.io/spdx-spec/v2.3/document-creation-information/#66-external-document-references-field 270*9e94795aSAndroid Build Coastguard Workermessage SBOMRef { 271*9e94795aSAndroid Build Coastguard Worker // The URL that points to the SBOM document of the upstream package of this 272*9e94795aSAndroid Build Coastguard Worker // third_party package. 273*9e94795aSAndroid Build Coastguard Worker optional string url = 1; 274*9e94795aSAndroid Build Coastguard Worker // Checksum of the SBOM document the url field points to. 275*9e94795aSAndroid Build Coastguard Worker // Format: e.g. SHA1:<checksum>, or any algorithm defined in 276*9e94795aSAndroid Build Coastguard Worker // https://spdx.github.io/spdx-spec/v2.3/file-information/#8.4 277*9e94795aSAndroid Build Coastguard Worker optional string checksum = 2; 278*9e94795aSAndroid Build Coastguard Worker // SPDXID of the upstream package/file defined in the SBOM document the url field points to. 279*9e94795aSAndroid Build Coastguard Worker // Format: SPDXRef-[a-zA-Z0-9.-]+, see 280*9e94795aSAndroid Build Coastguard Worker // https://spdx.github.io/spdx-spec/v2.3/package-information/#72-package-spdx-identifier-field or 281*9e94795aSAndroid Build Coastguard Worker // https://spdx.github.io/spdx-spec/v2.3/file-information/#82-file-spdx-identifier-field 282*9e94795aSAndroid Build Coastguard Worker optional string element_id = 3; 283*9e94795aSAndroid Build Coastguard Worker} 284*9e94795aSAndroid Build Coastguard Worker 285*9e94795aSAndroid Build Coastguard Worker// Identifier for a third-party package. 286*9e94795aSAndroid Build Coastguard Worker// See go/tp-metadata-id. 287*9e94795aSAndroid Build Coastguard Workermessage Identifier { 288*9e94795aSAndroid Build Coastguard Worker // The type of the identifier. Either an "ecosystem" value from 289*9e94795aSAndroid Build Coastguard Worker // https://ossf.github.io/osv-schema/#affectedpackage-field such as "Go", 290*9e94795aSAndroid Build Coastguard Worker // "npm" or "PyPI". The "value" and "version" fields follow the same rules as 291*9e94795aSAndroid Build Coastguard Worker // defined in the OSV spec. 292*9e94795aSAndroid Build Coastguard Worker 293*9e94795aSAndroid Build Coastguard Worker // Or one of: 294*9e94795aSAndroid Build Coastguard Worker // - "Git": The "value" field is the URL of the upstream git repository this 295*9e94795aSAndroid Build Coastguard Worker // package is retrieved from. 296*9e94795aSAndroid Build Coastguard Worker // For example: 297*9e94795aSAndroid Build Coastguard Worker // - https://github.com/git/git 298*9e94795aSAndroid Build Coastguard Worker // - git://git.kernel.org/pub/scm/git/git 299*9e94795aSAndroid Build Coastguard Worker // 300*9e94795aSAndroid Build Coastguard Worker // Use of a git URL requires that the package "version" value must specify a 301*9e94795aSAndroid Build Coastguard Worker // specific git tag or revision. This must not be a branch name. 302*9e94795aSAndroid Build Coastguard Worker // 303*9e94795aSAndroid Build Coastguard Worker // - "SVN": The "value" field is the URL of the upstream SVN repository this 304*9e94795aSAndroid Build Coastguard Worker // package is retrieved from. 305*9e94795aSAndroid Build Coastguard Worker // For example: 306*9e94795aSAndroid Build Coastguard Worker // - http://llvm.org/svn/llvm-project/llvm/ 307*9e94795aSAndroid Build Coastguard Worker // 308*9e94795aSAndroid Build Coastguard Worker // Use of an SVN URL requires that the package "version" value must specify 309*9e94795aSAndroid Build Coastguard Worker // a specific SVN tag or revision. This must not be a branch name. 310*9e94795aSAndroid Build Coastguard Worker // 311*9e94795aSAndroid Build Coastguard Worker // - "Hg": The "value" field is the URL of the upstream mercurial repository 312*9e94795aSAndroid Build Coastguard Worker // this package is retrieved from. 313*9e94795aSAndroid Build Coastguard Worker // For example: 314*9e94795aSAndroid Build Coastguard Worker // - https://mercurial-scm.org/repo/evolve 315*9e94795aSAndroid Build Coastguard Worker // 316*9e94795aSAndroid Build Coastguard Worker // Use of a mercurial URL requires that the package "version" value must 317*9e94795aSAndroid Build Coastguard Worker // specify a specific tag or revision. This must not be a branch name. 318*9e94795aSAndroid Build Coastguard Worker // 319*9e94795aSAndroid Build Coastguard Worker // - "Darcs": the "value" field is the URL of the upstream darcs repository 320*9e94795aSAndroid Build Coastguard Worker // this package is retrieved from. 321*9e94795aSAndroid Build Coastguard Worker // For example: 322*9e94795aSAndroid Build Coastguard Worker // - https://hub.darcs.net/hu.dwim/hu.dwim.util 323*9e94795aSAndroid Build Coastguard Worker // 324*9e94795aSAndroid Build Coastguard Worker // Use of a Darcs URL requires that the package "version" value must 325*9e94795aSAndroid Build Coastguard Worker // specify a specific tag or revision. This must not be a branch name. 326*9e94795aSAndroid Build Coastguard Worker // 327*9e94795aSAndroid Build Coastguard Worker // - "Piper": The "value" field is the URL of the upstream piper location. 328*9e94795aSAndroid Build Coastguard Worker // This is primarily used when a package is being migrated into third_party 329*9e94795aSAndroid Build Coastguard Worker // from elsewhere in Piper, or when a package is being newly developed in 330*9e94795aSAndroid Build Coastguard Worker // third_party. 331*9e94795aSAndroid Build Coastguard Worker // 332*9e94795aSAndroid Build Coastguard Worker // - "VCS": This is a generic fallback for an unlisted VCS system. The 333*9e94795aSAndroid Build Coastguard Worker // "value" field is the URL of the repository for this VCS. 334*9e94795aSAndroid Build Coastguard Worker // 335*9e94795aSAndroid Build Coastguard Worker // - "Archive": The "value" field is the URL of the archive containing the 336*9e94795aSAndroid Build Coastguard Worker // source code for the package, for example a zip or tgz file. 337*9e94795aSAndroid Build Coastguard Worker // 338*9e94795aSAndroid Build Coastguard Worker // - "PrebuiltByAlphabet": This type should be used for archives of primarily 339*9e94795aSAndroid Build Coastguard Worker // Google-owned source code (may contain non-Google-owned dependencies), 340*9e94795aSAndroid Build Coastguard Worker // which has been built using production Google infrastructure, and copied 341*9e94795aSAndroid Build Coastguard Worker // into Android. The "value" field is the URL of the prebuilt artifact or 342*9e94795aSAndroid Build Coastguard Worker // the relative path of the artifact to the root of a package. 343*9e94795aSAndroid Build Coastguard Worker // Example: 344*9e94795aSAndroid Build Coastguard Worker // identifier { 345*9e94795aSAndroid Build Coastguard Worker // type: "PrebuiltByAlphabet", 346*9e94795aSAndroid Build Coastguard Worker // version: "1", 347*9e94795aSAndroid Build Coastguard Worker // value: "v1/arm84_hdpi.apk", 348*9e94795aSAndroid Build Coastguard Worker // } 349*9e94795aSAndroid Build Coastguard Worker // identifier { 350*9e94795aSAndroid Build Coastguard Worker // type: "PrebuiltByAlphabet", 351*9e94795aSAndroid Build Coastguard Worker // version: "2", 352*9e94795aSAndroid Build Coastguard Worker // value: "v2/x86_64_xhdpi.apk", 353*9e94795aSAndroid Build Coastguard Worker // } 354*9e94795aSAndroid Build Coastguard Worker // 355*9e94795aSAndroid Build Coastguard Worker // - "LocalSource": The "value" field is the URL identifying where the local 356*9e94795aSAndroid Build Coastguard Worker // copy of the package source code can be found. 357*9e94795aSAndroid Build Coastguard Worker // Examples: 358*9e94795aSAndroid Build Coastguard Worker // - https://android.googlesource.com/platform/external/apache-http/ 359*9e94795aSAndroid Build Coastguard Worker // 360*9e94795aSAndroid Build Coastguard Worker // Typically, the metadata files describing a package reside in the same 361*9e94795aSAndroid Build Coastguard Worker // directory as the source code for the package. In a few rare cases where 362*9e94795aSAndroid Build Coastguard Worker // they are separate, the LocalSource URL identifies where to find the 363*9e94795aSAndroid Build Coastguard Worker // source code. This only describes where to find the local copy of the 364*9e94795aSAndroid Build Coastguard Worker // source; there should always be an additional URL describing where the 365*9e94795aSAndroid Build Coastguard Worker // package was retrieved from. 366*9e94795aSAndroid Build Coastguard Worker // 367*9e94795aSAndroid Build Coastguard Worker // - "Other": An identifier that does not fit any other type. This may also 368*9e94795aSAndroid Build Coastguard Worker // indicate that the Source code was received via email or some other 369*9e94795aSAndroid Build Coastguard Worker // out-of-band way. This is most commonly used with commercial software 370*9e94795aSAndroid Build Coastguard Worker // received directly from the Vendor. In the case of email, the "value" field 371*9e94795aSAndroid Build Coastguard Worker // can be used to provide additional information about how it was received. 372*9e94795aSAndroid Build Coastguard Worker optional string type = 1; 373*9e94795aSAndroid Build Coastguard Worker 374*9e94795aSAndroid Build Coastguard Worker // A human readable string to indicate why a third-package package does not 375*9e94795aSAndroid Build Coastguard Worker // have this identifier type set. 376*9e94795aSAndroid Build Coastguard Worker // Example: 377*9e94795aSAndroid Build Coastguard Worker // identifier { 378*9e94795aSAndroid Build Coastguard Worker // type: "PyPI" 379*9e94795aSAndroid Build Coastguard Worker // omission_reason: "Only on Git. Not published to PyPI." 380*9e94795aSAndroid Build Coastguard Worker // } 381*9e94795aSAndroid Build Coastguard Worker optional string omission_reason = 2; 382*9e94795aSAndroid Build Coastguard Worker 383*9e94795aSAndroid Build Coastguard Worker // The value of the package identifier as defined by the "type". 384*9e94795aSAndroid Build Coastguard Worker // Example: 385*9e94795aSAndroid Build Coastguard Worker // identifier { 386*9e94795aSAndroid Build Coastguard Worker // type: "PyPI" 387*9e94795aSAndroid Build Coastguard Worker // value: "django" 388*9e94795aSAndroid Build Coastguard Worker // version: "3.2.8" 389*9e94795aSAndroid Build Coastguard Worker // } 390*9e94795aSAndroid Build Coastguard Worker optional string value = 3; 391*9e94795aSAndroid Build Coastguard Worker 392*9e94795aSAndroid Build Coastguard Worker // The version associated with this package as defined by the "type". 393*9e94795aSAndroid Build Coastguard Worker // Example: 394*9e94795aSAndroid Build Coastguard Worker // identifier { 395*9e94795aSAndroid Build Coastguard Worker // type: "PyPI" 396*9e94795aSAndroid Build Coastguard Worker // value: "django" 397*9e94795aSAndroid Build Coastguard Worker // version: "3.2.8" 398*9e94795aSAndroid Build Coastguard Worker // } 399*9e94795aSAndroid Build Coastguard Worker optional string version = 4; 400*9e94795aSAndroid Build Coastguard Worker 401*9e94795aSAndroid Build Coastguard Worker // The closest version associated with this package as defined by the "type". 402*9e94795aSAndroid Build Coastguard Worker // This should only be set by automated infrastructure by applying automated 403*9e94795aSAndroid Build Coastguard Worker // heuristics, such as the closest git tag or package version from a package 404*9e94795aSAndroid Build Coastguard Worker // manifest file (e.g. pom.xml). 405*9e94795aSAndroid Build Coastguard Worker // 406*9e94795aSAndroid Build Coastguard Worker // For most identifier types, only one of `version` or `closest_version` 407*9e94795aSAndroid Build Coastguard Worker // should be set (not both). The exception is source repository types such as 408*9e94795aSAndroid Build Coastguard Worker // "Git", where `version` will refer to a git commit, and `closest_version` 409*9e94795aSAndroid Build Coastguard Worker // refers to a git tag. 410*9e94795aSAndroid Build Coastguard Worker // Example: 411*9e94795aSAndroid Build Coastguard Worker // identifier { 412*9e94795aSAndroid Build Coastguard Worker // type: "Git", 413*9e94795aSAndroid Build Coastguard Worker // value: "https://github.com/my/repo" 414*9e94795aSAndroid Build Coastguard Worker // version: "e5fa44f2b31c1fb553b6021e7360d07d5d91ff5e" 415*9e94795aSAndroid Build Coastguard Worker // closest_version: "v1.4" 416*9e94795aSAndroid Build Coastguard Worker // } 417*9e94795aSAndroid Build Coastguard Worker optional string closest_version = 5; 418*9e94795aSAndroid Build Coastguard Worker 419*9e94795aSAndroid Build Coastguard Worker // When `true`, this Identifier represents the location from which the source 420*9e94795aSAndroid Build Coastguard Worker // code for this package was originally obtained. This should only be set for 421*9e94795aSAndroid Build Coastguard Worker // *one* Identifier in a third_party package's METADATA. 422*9e94795aSAndroid Build Coastguard Worker 423*9e94795aSAndroid Build Coastguard Worker // For external packages, this is typically for the Identifier associated 424*9e94795aSAndroid Build Coastguard Worker // with the version control system or package manager that was used to 425*9e94795aSAndroid Build Coastguard Worker // check out or download the code. 426*9e94795aSAndroid Build Coastguard Worker optional bool primary_source = 6; 427*9e94795aSAndroid Build Coastguard Worker}