// Copyright 2019 The Grafeas Authors. All rights reserved.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

syntax = "proto3";

package grafeas.v1;

option go_package = "google.golang.org/genproto/googleapis/grafeas/v1;grafeas";
option java_multiple_files = true;
option java_package = "io.grafeas.v1";
option objc_class_prefix = "GRA";

// Kind represents the kinds of notes supported.
//
// A note and its occurrences share one kind; the kind selects which
// kind-specific details message is populated. proto3 preserves enum values
// that are not listed here (e.g. kinds added by a newer producer), so
// consumers should treat any value they do not recognize as "unknown kind"
// rather than as the default.
//
// The values are intentionally unprefixed for compatibility with the
// published API; do not rename or renumber them.
enum NoteKind {
  // Default value. This value is unused and carries no meaning; a note with
  // this kind is malformed.
  NOTE_KIND_UNSPECIFIED = 0;
  // The note and occurrence represent a package vulnerability.
  VULNERABILITY = 1;
  // The note and occurrence assert build provenance.
  BUILD = 2;
  // This represents an image basis relationship.
  IMAGE = 3;
  // This represents a package installed via a package manager.
  PACKAGE = 4;
  // The note and occurrence track deployment events.
  DEPLOYMENT = 5;
  // The note and occurrence track the initial discovery status of a resource.
  DISCOVERY = 6;
  // This represents a logical "role" that can attest to artifacts.
  ATTESTATION = 7;
  // This represents an available package upgrade.
  UPGRADE = 8;
  // This represents a Compliance Note.
  COMPLIANCE = 9;
  // This represents a DSSE attestation Note (see `Envelope` below).
  DSSE_ATTESTATION = 10;
  // This represents a Vulnerability Assessment.
  VULNERABILITY_ASSESSMENT = 11;
  // This represents an SBOM Reference.
  SBOM_REFERENCE = 12;
}

// Metadata for any related URL information.
message RelatedUrl {
  // Specific URL associated with the resource. The schema does not validate
  // this value; consumers should not dereference it without their own checks.
  string url = 1;
  // Label to describe usage of the URL (free text).
  string label = 2;
}

// Verifiers (e.g. Kritis implementations) MUST verify signatures
// with respect to the trust anchors defined in policy (e.g. a Kritis policy).
// Typically this means that the verifier has been configured with a map from
// `public_key_id` to public key material (and any required parameters, e.g.
// signing algorithm).
//
// In particular, verification implementations MUST NOT treat the signature
// `public_key_id` as anything more than a key lookup hint. The `public_key_id`
// DOES NOT validate or authenticate a public key; it only provides a mechanism
// for quickly selecting a public key ALREADY CONFIGURED on the verifier through
// a trusted channel. Verification implementations MUST reject signatures in any
// of the following circumstances:
// * The `public_key_id` is not recognized by the verifier.
// * The public key that `public_key_id` refers to does not verify the
// signature with respect to the payload.
//
// The `signature` contents SHOULD NOT be "attached" (where the payload is
// included with the serialized `signature` bytes). Verifiers MUST ignore any
// "attached" payload and only verify signatures with respect to explicitly
// provided payload (e.g. a `payload` field on the proto message that holds
// this Signature, or the canonical serialization of the proto message that
// holds this signature).
message Signature {
  // The content of the signature, an opaque bytestring.
  // The payload that this signature verifies MUST be unambiguously provided
  // with the Signature during verification. A wrapper message might provide
  // the payload explicitly. Alternatively, a message might have a canonical
  // serialization that can always be unambiguously computed to derive the
  // payload.
  //
  // The signature algorithm is not carried here; it is part of the key
  // material the verifier looks up via `public_key_id`.
  bytes signature = 1;

  // The identifier for the public key that verifies this signature.
  // * The `public_key_id` is required.
  // * The `public_key_id` SHOULD be an RFC3986 conformant URI.
  // * When possible, the `public_key_id` SHOULD be an immutable reference,
  // such as a cryptographic digest.
  //
  // This value is attacker-controlled from the verifier's point of view: it
  // is a lookup key into the verifier's trusted configuration, never a source
  // of key material (see the message comment above).
  //
  // Examples of valid `public_key_id`s:
  //
  // OpenPGP V4 public key fingerprint:
  // * "openpgp4fpr:74FAF3B861BDA0870C7B6DEF607E48D2A663AEEA"
  // See https://www.iana.org/assignments/uri-schemes/prov/openpgp4fpr for more
  // details on this scheme.
  //
  // RFC6920 digest-named SubjectPublicKeyInfo (digest of the DER
  // serialization):
  // * "ni:///sha-256;cD9o9Cq6LG3jD0iKXqEi_vdjJGecm_iXkbqVoScViaU"
  // * "nih:///sha-256;703f68f42aba2c6de30f488a5ea122fef76324679c9bf89791ba95a1271589a5"
  string public_key_id = 2;
}

// MUST match
// https://github.com/secure-systems-lab/dsse/blob/master/envelope.proto. An
// authenticated message of arbitrary type.
//
// Field names, numbers and types mirror the DSSE envelope and must not be
// changed independently of that spec. The trust rules documented on
// `Signature` apply here as well: keys come from verifier configuration, and
// `keyid` is only a lookup hint.
message Envelope {
  // The raw message bytes that were signed. How they are interpreted is
  // determined by `payload_type`; this schema does not parse them.
  bytes payload = 1;
  // URI or media type describing how to interpret `payload` (DSSE
  // `payloadType`). Per the DSSE spec, the payload type is part of the
  // pre-authentication encoding that is signed, so it cannot be altered
  // without invalidating `signatures`.
  string payload_type = 2;
  // Signatures over the DSSE pre-authentication encoding of `payload_type`
  // and `payload`. How many must verify, and against which keys, is a policy
  // decision of the verifier, not of this schema.
  repeated EnvelopeSignature signatures = 3;
}

// One signature inside a DSSE `Envelope`; mirrors the DSSE `Signature`
// message.
message EnvelopeSignature {
  // The raw signature bytes. The signed content is the DSSE
  // pre-authentication encoding of the enclosing envelope's `payload_type`
  // and `payload`, not `payload` alone.
  bytes sig = 1;
  // Unauthenticated hint identifying which key produced `sig`. Like
  // `Signature.public_key_id` above, it selects a key ALREADY CONFIGURED on
  // the verifier; it MUST NOT be treated as identifying or authenticating a
  // key by itself. Not covered by the signature.
  string keyid = 2;
}

// Indicates the location at which a package was found.
message FileLocation {
  // For jars that are contained inside .war files, this filepath
  // can indicate the path to war file combined with the path to jar file.
  string file_path = 1;
}

// License information.
message License {
  // Often a single license can be used to represent the licensing terms.
  // Sometimes it is necessary to include a choice of one or more licenses
  // or some combination of license identifiers.
  // Examples: "LGPL-2.1-only OR MIT", "LGPL-2.1-only AND MIT",
  // "GPL-2.0-or-later WITH Bison-exception-2.2".
  // The examples use SPDX license-expression syntax; the schema does not
  // validate the expression.
  string expression = 1;

  // Free-form comments about the licensing terms, e.g. why a particular
  // expression was chosen.
  string comments = 2;
}

// Digest information.
message Digest {
  // `SHA1`, `SHA512` etc.
  //
  // This is an open string rather than an enum, so the schema cannot
  // constrain it. NOTE(review): consumers should compare `algo` against an
  // allowlist of algorithms they are prepared to verify and treat anything
  // else (including deprecated algorithms such as SHA1 where policy
  // disallows them) as unverifiable, rather than trusting the label.
  string algo = 1;

  // Value of the digest, as raw bytes (not a hex or base64 string). The
  // expected length depends on `algo`.
  bytes digest_bytes = 2;
}