1// Copyright 2019 The Grafeas Authors. All rights reserved. 2// 3// Licensed under the Apache License, Version 2.0 (the "License"); 4// you may not use this file except in compliance with the License. 5// You may obtain a copy of the License at 6// 7// http://www.apache.org/licenses/LICENSE-2.0 8// 9// Unless required by applicable law or agreed to in writing, software 10// distributed under the License is distributed on an "AS IS" BASIS, 11// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12// See the License for the specific language governing permissions and 13// limitations under the License. 14 15syntax = "proto3"; 16 17package grafeas.v1; 18 19import "google/api/annotations.proto"; 20import "google/api/client.proto"; 21import "google/api/field_behavior.proto"; 22import "google/api/resource.proto"; 23import "google/protobuf/empty.proto"; 24import "google/protobuf/field_mask.proto"; 25import "google/protobuf/timestamp.proto"; 26import "grafeas/v1/attestation.proto"; 27import "grafeas/v1/build.proto"; 28import "grafeas/v1/common.proto"; 29import "grafeas/v1/compliance.proto"; 30import "grafeas/v1/deployment.proto"; 31import "grafeas/v1/discovery.proto"; 32import "grafeas/v1/dsse_attestation.proto"; 33import "grafeas/v1/image.proto"; 34import "grafeas/v1/package.proto"; 35import "grafeas/v1/sbom.proto"; 36import "grafeas/v1/upgrade.proto"; 37import "grafeas/v1/vex.proto"; 38import "grafeas/v1/vulnerability.proto"; 39 40option go_package = "google.golang.org/genproto/googleapis/grafeas/v1;grafeas"; 41option java_multiple_files = true; 42option java_package = "io.grafeas.v1"; 43option objc_class_prefix = "GRA"; 44option (google.api.resource_definition) = { 45 type: "grafeas.io/Project" 46 pattern: "projects/{project}" 47}; 48 49// [Grafeas](https://grafeas.io) API. 50// 51// Retrieves analysis results of Cloud components such as Docker container 52// images. 53// 54// Analysis results are stored as a series of occurrences. An `Occurrence` 55// contains information about a specific analysis instance on a resource. An 56// occurrence refers to a `Note`. A note contains details describing the 57// analysis and is generally stored in a separate project, called a `Provider`. 58// Multiple occurrences can refer to the same note. 59// 60// For example, an SSL vulnerability could affect multiple images. In this case, 61// there would be one note for the vulnerability and an occurrence for each 62// image with the vulnerability referring to that note. 63service Grafeas { 64 option (google.api.default_host) = "containeranalysis.googleapis.com"; 65 66 // Gets the specified occurrence. 67 rpc GetOccurrence(GetOccurrenceRequest) returns (Occurrence) { 68 option (google.api.http) = { 69 get: "/v1/{name=projects/*/occurrences/*}" 70 additional_bindings { 71 get: "/v1/{name=projects/*/locations/*/occurrences/*}" 72 } 73 }; 74 option (google.api.method_signature) = "name"; 75 } 76 77 // Lists occurrences for the specified project. 78 rpc ListOccurrences(ListOccurrencesRequest) 79 returns (ListOccurrencesResponse) { 80 option (google.api.http) = { 81 get: "/v1/{parent=projects/*}/occurrences" 82 additional_bindings { 83 get: "/v1/{parent=projects/*/locations/*}/occurrences" 84 } 85 }; 86 option (google.api.method_signature) = "parent,filter"; 87 } 88 89 // Deletes the specified occurrence. For example, use this method to delete an 90 // occurrence when the occurrence is no longer applicable for the given 91 // resource. 92 rpc DeleteOccurrence(DeleteOccurrenceRequest) 93 returns (google.protobuf.Empty) { 94 option (google.api.http) = { 95 delete: "/v1/{name=projects/*/occurrences/*}" 96 }; 97 option (google.api.method_signature) = "name"; 98 } 99 100 // Creates a new occurrence. 101 rpc CreateOccurrence(CreateOccurrenceRequest) returns (Occurrence) { 102 option (google.api.http) = { 103 post: "/v1/{parent=projects/*}/occurrences" 104 body: "occurrence" 105 }; 106 option (google.api.method_signature) = "parent,occurrence"; 107 } 108 109 // Creates new occurrences in batch. 110 rpc BatchCreateOccurrences(BatchCreateOccurrencesRequest) 111 returns (BatchCreateOccurrencesResponse) { 112 option (google.api.http) = { 113 post: "/v1/{parent=projects/*}/occurrences:batchCreate" 114 body: "*" 115 }; 116 option (google.api.method_signature) = "parent,occurrences"; 117 } 118 119 // Updates the specified occurrence. 120 rpc UpdateOccurrence(UpdateOccurrenceRequest) returns (Occurrence) { 121 option (google.api.http) = { 122 patch: "/v1/{name=projects/*/occurrences/*}" 123 body: "occurrence" 124 }; 125 option (google.api.method_signature) = "name,occurrence,update_mask"; 126 } 127 128 // Gets the note attached to the specified occurrence. Consumer projects can 129 // use this method to get a note that belongs to a provider project. 130 rpc GetOccurrenceNote(GetOccurrenceNoteRequest) returns (Note) { 131 option (google.api.http) = { 132 get: "/v1/{name=projects/*/occurrences/*}/notes" 133 additional_bindings { 134 get: "/v1/{name=projects/*/locations/*/occurrences/*}/notes" 135 } 136 }; 137 option (google.api.method_signature) = "name"; 138 } 139 140 // Gets the specified note. 141 rpc GetNote(GetNoteRequest) returns (Note) { 142 option (google.api.http) = { 143 get: "/v1/{name=projects/*/notes/*}" 144 additional_bindings { get: "/v1/{name=projects/*/locations/*/notes/*}" } 145 }; 146 option (google.api.method_signature) = "name"; 147 } 148 149 // Lists notes for the specified project. 150 rpc ListNotes(ListNotesRequest) returns (ListNotesResponse) { 151 option (google.api.http) = { 152 get: "/v1/{parent=projects/*}/notes" 153 additional_bindings { get: "/v1/{parent=projects/*/locations/*}/notes" } 154 }; 155 option (google.api.method_signature) = "parent,filter"; 156 } 157 158 // Deletes the specified note. 159 rpc DeleteNote(DeleteNoteRequest) returns (google.protobuf.Empty) { 160 option (google.api.http) = { 161 delete: "/v1/{name=projects/*/notes/*}" 162 }; 163 option (google.api.method_signature) = "name"; 164 } 165 166 // Creates a new note. 167 rpc CreateNote(CreateNoteRequest) returns (Note) { 168 option (google.api.http) = { 169 post: "/v1/{parent=projects/*}/notes" 170 body: "note" 171 }; 172 option (google.api.method_signature) = "parent,note_id,note"; 173 } 174 175 // Creates new notes in batch. 176 rpc BatchCreateNotes(BatchCreateNotesRequest) 177 returns (BatchCreateNotesResponse) { 178 option (google.api.http) = { 179 post: "/v1/{parent=projects/*}/notes:batchCreate" 180 body: "*" 181 }; 182 option (google.api.method_signature) = "parent,notes"; 183 } 184 185 // Updates the specified note. 186 rpc UpdateNote(UpdateNoteRequest) returns (Note) { 187 option (google.api.http) = { 188 patch: "/v1/{name=projects/*/notes/*}" 189 body: "note" 190 }; 191 option (google.api.method_signature) = "name,note,update_mask"; 192 } 193 194 // Lists occurrences referencing the specified note. Provider projects can use 195 // this method to get all occurrences across consumer projects referencing the 196 // specified note. 197 rpc ListNoteOccurrences(ListNoteOccurrencesRequest) 198 returns (ListNoteOccurrencesResponse) { 199 option (google.api.http) = { 200 get: "/v1/{name=projects/*/notes/*}/occurrences" 201 additional_bindings { 202 get: "/v1/{name=projects/*/locations/*/notes/*}/occurrences" 203 } 204 }; 205 option (google.api.method_signature) = "name,filter"; 206 } 207} 208 209// An instance of an analysis type that has been found on a resource. 210message Occurrence { 211 option (google.api.resource) = { 212 type: "grafeas.io/Occurrence" 213 pattern: "projects/{project}/occurrences/{occurrence}" 214 }; 215 216 // Output only. The name of the occurrence in the form of 217 // `projects/[PROJECT_ID]/occurrences/[OCCURRENCE_ID]`. 218 string name = 1; 219 220 // Required. Immutable. A URI that represents the resource for which the 221 // occurrence applies. For example, 222 // `https://gcr.io/project/image@sha256:123abc` for a Docker image. 223 string resource_uri = 2; 224 225 // Required. Immutable. The analysis note associated with this occurrence, in 226 // the form of `projects/[PROVIDER_ID]/notes/[NOTE_ID]`. This field can be 227 // used as a filter in list requests. 228 string note_name = 3; 229 230 // Output only. This explicitly denotes which of the occurrence details are 231 // specified. This field can be used as a filter in list requests. 232 grafeas.v1.NoteKind kind = 4; 233 234 // A description of actions that can be taken to remedy the note. 235 string remediation = 5; 236 237 // Output only. The time this occurrence was created. 238 google.protobuf.Timestamp create_time = 6; 239 240 // Output only. The time this occurrence was last updated. 241 google.protobuf.Timestamp update_time = 7; 242 243 // Required. Immutable. Describes the details of the note kind found on this 244 // resource. 245 oneof details { 246 // Describes a security vulnerability. 247 grafeas.v1.VulnerabilityOccurrence vulnerability = 8; 248 // Describes a verifiable build. 249 grafeas.v1.BuildOccurrence build = 9; 250 // Describes how this resource derives from the basis in the associated 251 // note. 252 grafeas.v1.ImageOccurrence image = 10; 253 // Describes the installation of a package on the linked resource. 254 grafeas.v1.PackageOccurrence package = 11; 255 // Describes the deployment of an artifact on a runtime. 256 grafeas.v1.DeploymentOccurrence deployment = 12; 257 // Describes when a resource was discovered. 258 grafeas.v1.DiscoveryOccurrence discovery = 13; 259 // Describes an attestation of an artifact. 260 grafeas.v1.AttestationOccurrence attestation = 14; 261 // Describes an available package upgrade on the linked resource. 262 grafeas.v1.UpgradeOccurrence upgrade = 15; 263 // Describes a compliance violation on a linked resource. 264 grafeas.v1.ComplianceOccurrence compliance = 16; 265 // Describes an attestation of an artifact using dsse. 266 grafeas.v1.DSSEAttestationOccurrence dsse_attestation = 17; 267 // Describes a specific SBOM reference occurrences. 268 grafeas.v1.SBOMReferenceOccurrence sbom_reference = 19; 269 } 270 271 // https://github.com/secure-systems-lab/dsse 272 grafeas.v1.Envelope envelope = 18; 273} 274 275// A type of analysis that can be done for a resource. 276message Note { 277 option (google.api.resource) = { 278 type: "grafeas.io/Note" 279 pattern: "projects/{project}/notes/{note}" 280 }; 281 282 // Output only. The name of the note in the form of 283 // `projects/[PROVIDER_ID]/notes/[NOTE_ID]`. 284 string name = 1; 285 286 // A one sentence description of this note. 287 string short_description = 2; 288 289 // A detailed description of this note. 290 string long_description = 3; 291 292 // Output only. The type of analysis. This field can be used as a filter in 293 // list requests. 294 grafeas.v1.NoteKind kind = 4; 295 296 // URLs associated with this note. 297 repeated grafeas.v1.RelatedUrl related_url = 5; 298 299 // Time of expiration for this note. Empty if note does not expire. 300 google.protobuf.Timestamp expiration_time = 6; 301 302 // Output only. The time this note was created. This field can be used as a 303 // filter in list requests. 304 google.protobuf.Timestamp create_time = 7; 305 306 // Output only. The time this note was last updated. This field can be used as 307 // a filter in list requests. 308 google.protobuf.Timestamp update_time = 8; 309 310 // Other notes related to this note. 311 repeated string related_note_names = 9; 312 313 // Required. Immutable. The type of analysis this note represents. 314 oneof type { 315 // A note describing a package vulnerability. 316 grafeas.v1.VulnerabilityNote vulnerability = 10; 317 // A note describing build provenance for a verifiable build. 318 grafeas.v1.BuildNote build = 11; 319 // A note describing a base image. 320 grafeas.v1.ImageNote image = 12; 321 // A note describing a package hosted by various package managers. 322 grafeas.v1.PackageNote package = 13; 323 // A note describing something that can be deployed. 324 grafeas.v1.DeploymentNote deployment = 14; 325 // A note describing the initial analysis of a resource. 326 grafeas.v1.DiscoveryNote discovery = 15; 327 // A note describing an attestation role. 328 grafeas.v1.AttestationNote attestation = 16; 329 // A note describing available package upgrades. 330 grafeas.v1.UpgradeNote upgrade = 17; 331 // A note describing a compliance check. 332 grafeas.v1.ComplianceNote compliance = 18; 333 // A note describing a dsse attestation note. 334 grafeas.v1.DSSEAttestationNote dsse_attestation = 19; 335 // A note describing a vulnerability assessment. 336 grafeas.v1.VulnerabilityAssessmentNote vulnerability_assessment = 20; 337 // A note describing an SBOM reference. 338 grafeas.v1.SBOMReferenceNote sbom_reference = 21; 339 } 340} 341 342// Request to get an occurrence. 343message GetOccurrenceRequest { 344 // The name of the occurrence in the form of 345 // `projects/[PROJECT_ID]/occurrences/[OCCURRENCE_ID]`. 346 string name = 1 [ 347 (google.api.field_behavior) = REQUIRED, 348 (google.api.resource_reference).type = "grafeas.io/Occurrence" 349 ]; 350} 351 352// Request to list occurrences. 353message ListOccurrencesRequest { 354 // The name of the project to list occurrences for in the form of 355 // `projects/[PROJECT_ID]`. 356 string parent = 1 [ 357 (google.api.field_behavior) = REQUIRED, 358 (google.api.resource_reference).type = "grafeas.io/Project" 359 ]; 360 361 // The filter expression. 362 string filter = 2; 363 364 // Number of occurrences to return in the list. Must be positive. Max allowed 365 // page size is 1000. If not specified, page size defaults to 20. 366 int32 page_size = 3; 367 368 // Token to provide to skip to a particular spot in the list. 369 string page_token = 4; 370} 371 372// Response for listing occurrences. 373message ListOccurrencesResponse { 374 // The occurrences requested. 375 repeated Occurrence occurrences = 1; 376 // The next pagination token in the list response. It should be used as 377 // `page_token` for the following request. An empty value means no more 378 // results. 379 string next_page_token = 2; 380} 381 382// Request to delete an occurrence. 383message DeleteOccurrenceRequest { 384 // The name of the occurrence in the form of 385 // `projects/[PROJECT_ID]/occurrences/[OCCURRENCE_ID]`. 386 string name = 1 [ 387 (google.api.field_behavior) = REQUIRED, 388 (google.api.resource_reference).type = "grafeas.io/Occurrence" 389 ]; 390} 391 392// Request to create a new occurrence. 393message CreateOccurrenceRequest { 394 // The name of the project in the form of `projects/[PROJECT_ID]`, under which 395 // the occurrence is to be created. 396 string parent = 1 [ 397 (google.api.field_behavior) = REQUIRED, 398 (google.api.resource_reference).type = "grafeas.io/Project" 399 ]; 400 // The occurrence to create. 401 Occurrence occurrence = 2 [(google.api.field_behavior) = REQUIRED]; 402} 403 404// Request to update an occurrence. 405message UpdateOccurrenceRequest { 406 // The name of the occurrence in the form of 407 // `projects/[PROJECT_ID]/occurrences/[OCCURRENCE_ID]`. 408 string name = 1 [ 409 (google.api.field_behavior) = REQUIRED, 410 (google.api.resource_reference).type = "grafeas.io/Occurrence" 411 ]; 412 // The updated occurrence. 413 Occurrence occurrence = 2 [(google.api.field_behavior) = REQUIRED]; 414 // The fields to update. 415 google.protobuf.FieldMask update_mask = 3; 416} 417 418// Request to get a note. 419message GetNoteRequest { 420 // The name of the note in the form of 421 // `projects/[PROVIDER_ID]/notes/[NOTE_ID]`. 422 string name = 1 [ 423 (google.api.field_behavior) = REQUIRED, 424 (google.api.resource_reference).type = "grafeas.io/Note" 425 ]; 426} 427 428// Request to get the note to which the specified occurrence is attached. 429message GetOccurrenceNoteRequest { 430 // The name of the occurrence in the form of 431 // `projects/[PROJECT_ID]/occurrences/[OCCURRENCE_ID]`. 432 string name = 1 [ 433 (google.api.field_behavior) = REQUIRED, 434 (google.api.resource_reference).type = "grafeas.io/Occurrence" 435 ]; 436} 437 438// Request to list notes. 439message ListNotesRequest { 440 // The name of the project to list notes for in the form of 441 // `projects/[PROJECT_ID]`. 442 string parent = 1 [ 443 (google.api.field_behavior) = REQUIRED, 444 (google.api.resource_reference).type = "grafeas.io/Project" 445 ]; 446 447 // The filter expression. 448 string filter = 2; 449 450 // Number of notes to return in the list. Must be positive. Max allowed page 451 // size is 1000. If not specified, page size defaults to 20. 452 int32 page_size = 3; 453 454 // Token to provide to skip to a particular spot in the list. 455 string page_token = 4; 456} 457 458// Response for listing notes. 459message ListNotesResponse { 460 // The notes requested. 461 repeated Note notes = 1; 462 // The next pagination token in the list response. It should be used as 463 // `page_token` for the following request. An empty value means no more 464 // results. 465 string next_page_token = 2; 466} 467 468// Request to delete a note. 469message DeleteNoteRequest { 470 // The name of the note in the form of 471 // `projects/[PROVIDER_ID]/notes/[NOTE_ID]`. 472 string name = 1 [ 473 (google.api.field_behavior) = REQUIRED, 474 (google.api.resource_reference).type = "grafeas.io/Note" 475 ]; 476} 477 478// Request to create a new note. 479message CreateNoteRequest { 480 // The name of the project in the form of `projects/[PROJECT_ID]`, under which 481 // the note is to be created. 482 string parent = 1 [ 483 (google.api.field_behavior) = REQUIRED, 484 (google.api.resource_reference).type = "grafeas.io/Project" 485 ]; 486 // The ID to use for this note. 487 string note_id = 2 [(google.api.field_behavior) = REQUIRED]; 488 // The note to create. 489 Note note = 3 [(google.api.field_behavior) = REQUIRED]; 490} 491 492// Request to update a note. 493message UpdateNoteRequest { 494 // The name of the note in the form of 495 // `projects/[PROVIDER_ID]/notes/[NOTE_ID]`. 496 string name = 1 [ 497 (google.api.field_behavior) = REQUIRED, 498 (google.api.resource_reference).type = "grafeas.io/Note" 499 ]; 500 // The updated note. 501 Note note = 2 [(google.api.field_behavior) = REQUIRED]; 502 // The fields to update. 503 google.protobuf.FieldMask update_mask = 3; 504} 505 506// Request to list occurrences for a note. 507message ListNoteOccurrencesRequest { 508 // The name of the note to list occurrences for in the form of 509 // `projects/[PROVIDER_ID]/notes/[NOTE_ID]`. 510 string name = 1 [ 511 (google.api.field_behavior) = REQUIRED, 512 (google.api.resource_reference).type = "grafeas.io/Note" 513 ]; 514 // The filter expression. 515 string filter = 2; 516 // Number of occurrences to return in the list. 517 int32 page_size = 3; 518 // Token to provide to skip to a particular spot in the list. 519 string page_token = 4; 520} 521 522// Response for listing occurrences for a note. 523message ListNoteOccurrencesResponse { 524 // The occurrences attached to the specified note. 525 repeated Occurrence occurrences = 1; 526 // Token to provide to skip to a particular spot in the list. 527 string next_page_token = 2; 528} 529 530// Request to create notes in batch. 531message BatchCreateNotesRequest { 532 // The name of the project in the form of `projects/[PROJECT_ID]`, under which 533 // the notes are to be created. 534 string parent = 1 [ 535 (google.api.field_behavior) = REQUIRED, 536 (google.api.resource_reference).type = "grafeas.io/Project" 537 ]; 538 539 // The notes to create. Max allowed length is 1000. 540 map<string, Note> notes = 2 [(google.api.field_behavior) = REQUIRED]; 541} 542 543// Response for creating notes in batch. 544message BatchCreateNotesResponse { 545 // The notes that were created. 546 repeated Note notes = 1; 547} 548 549// Request to create occurrences in batch. 550message BatchCreateOccurrencesRequest { 551 // The name of the project in the form of `projects/[PROJECT_ID]`, under which 552 // the occurrences are to be created. 553 string parent = 1 [ 554 (google.api.field_behavior) = REQUIRED, 555 (google.api.resource_reference).type = "grafeas.io/Project" 556 ]; 557 558 // The occurrences to create. Max allowed length is 1000. 559 repeated Occurrence occurrences = 2 [(google.api.field_behavior) = REQUIRED]; 560} 561 562// Response for creating occurrences in batch. 563message BatchCreateOccurrencesResponse { 564 // The occurrences that were created. 565 repeated Occurrence occurrences = 1; 566} 567