// Copyright 2018 The Grafeas Authors. All rights reserved.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

syntax = "proto3";

package grafeas.v1beta1;

option go_package = "cloud.google.com/go/containeranalysis/apiv1beta1/containeranalysispb;containeranalysispb";
option java_multiple_files = true;
option java_package = "io.grafeas.v1beta1.common";
option objc_class_prefix = "GRA";

// Kind represents the kinds of notes supported.
//
// The enum is varint-encoded on the wire, so a reader built against this
// file can receive a numeric value it does not know if kinds are added
// later; such values should be handled as "unrecognized" rather than being
// silently folded into one of the kinds below.
//
// NOTE(review): the values are not prefixed with the enum name (e.g.
// NOTE_KIND_VULNERABILITY). They are kept unchanged here because renaming a
// value changes generated code and JSON names for every existing client.
enum NoteKind {
  // Unknown. This is the proto3 default value and carries no meaning of
  // its own; an unset field reads as this value.
  NOTE_KIND_UNSPECIFIED = 0;
  // The note and occurrence represent a package vulnerability.
  VULNERABILITY = 1;
  // The note and occurrence assert build provenance.
  BUILD = 2;
  // This represents an image basis relationship.
  IMAGE = 3;
  // This represents a package installed via a package manager.
  PACKAGE = 4;
  // The note and occurrence track deployment events.
  DEPLOYMENT = 5;
  // The note and occurrence track the initial discovery status of a resource.
  DISCOVERY = 6;
  // This represents a logical "role" that can attest to artifacts.
  ATTESTATION = 7;
}

// Metadata for any related URL information.
message RelatedUrl {
  // Specific URL associated with the resource.
  // The schema places no constraint on this string (scheme, host or length);
  // consumers that dereference or render it should validate it themselves.
  string url = 1;
  // Label to describe usage of the URL.
  // Free-form text; not validated by the schema.
  string label = 2;
}

// Verifiers (e.g. Kritis implementations) MUST verify signatures
// with respect to the trust anchors defined in policy (e.g. a Kritis policy).
// Typically this means that the verifier has been configured with a map from
// `public_key_id` to public key material (and any required parameters, e.g.
// signing algorithm).
//
// In particular, verification implementations MUST NOT treat the signature
// `public_key_id` as anything more than a key lookup hint. The `public_key_id`
// DOES NOT validate or authenticate a public key; it only provides a mechanism
// for quickly selecting a public key ALREADY CONFIGURED on the verifier through
// a trusted channel. Verification implementations MUST reject signatures in any
// of the following circumstances:
//   * The `public_key_id` is not recognized by the verifier.
//   * The public key that `public_key_id` refers to does not verify the
//     signature with respect to the payload.
//
// The `signature` contents SHOULD NOT be "attached" (where the payload is
// included with the serialized `signature` bytes). Verifiers MUST ignore any
// "attached" payload and only verify signatures with respect to explicitly
// provided payload (e.g. a `payload` field on the proto message that holds
// this Signature, or the canonical serialization of the proto message that
// holds this signature).
//
// Both fields of this message arrive from the party that produced the
// signature, so from the verifier's point of view neither is trusted until
// the signature has been checked against a configured key.
message Signature {
  // The content of the signature, an opaque bytestring.
  // The payload that this signature verifies MUST be unambiguously provided
  // with the Signature during verification. A wrapper message might provide
  // the payload explicitly. Alternatively, a message might have a canonical
  // serialization that can always be unambiguously computed to derive the
  // payload.
  //
  // The signing algorithm is not carried here; it is expected to come from
  // the verifier's configuration for the selected key (see the message
  // comment), never from the signature bytes themselves.
  bytes signature = 1;

  // The identifier for the public key that verifies this signature.
  //   * The `public_key_id` is required.
  //   * The `public_key_id` MUST be an RFC3986 conformant URI.
  //   * When possible, the `public_key_id` SHOULD be an immutable reference,
  //     such as a cryptographic digest.
  //
  // This value selects which already-configured key the verifier tries; it
  // never decides which key the verifier trusts. An unknown identifier is a
  // verification failure, not a reason to fetch or accept a new key.
  //
  // Examples of valid `public_key_id`s:
  //
  // OpenPGP V4 public key fingerprint:
  //   * "openpgp4fpr:74FAF3B861BDA0870C7B6DEF607E48D2A663AEEA"
  // See https://www.iana.org/assignments/uri-schemes/prov/openpgp4fpr for more
  // details on this scheme.
  //
  // RFC6920 digest-named SubjectPublicKeyInfo (digest of the DER
  // serialization):
  //   * "ni:///sha-256;cD9o9Cq6LG3jD0iKXqEi_vdjJGecm_iXkbqVoScViaU"
  //   * "nih:///sha-256;703f68f42aba2c6de30f488a5ea122fef76324679c9bf89791ba95a1271589a5"
  string public_key_id = 2;
}