xref: /aosp_15_r20/external/googleapis/grafeas/v1/intoto_provenance.proto (revision d5c09012810ac0c9f33fe448fb6da8260d444cc9)

// Copyright 2021 The Grafeas Authors. All rights reserved.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//    http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

syntax = "proto3";

package grafeas.v1;

import "google/protobuf/any.proto";
import "google/protobuf/timestamp.proto";

option go_package = "google.golang.org/genproto/googleapis/grafeas/v1;grafeas";
option java_multiple_files = true;
option java_package = "io.grafeas.v1";
option objc_class_prefix = "GRA";
option java_outer_classname = "InTotoProvenanceProto";

// Spec defined at
// https://github.com/in-toto/attestation/blob/main/spec/predicates/provenance.md

// Steps taken to build the artifact.
// For a TaskRun, typically each container corresponds to one step in the
// recipe.
message Recipe {
  // URI indicating what type of recipe was performed. It determines the meaning
  // of recipe.entryPoint, recipe.arguments, recipe.environment, and materials.
  string type = 1;
  // Index in materials containing the recipe steps that are not implied by
  // recipe.type. For example, if the recipe type were "make", then this would
  // point to the source containing the Makefile, not the make program itself.
  // Set to -1 if the recipe doesn't come from a material, as zero is default
  // unset value for int64.
  int64 defined_in_material = 2;
  // String identifying the entry point into the build.
  // This is often a path to a configuration file and/or a target label within
  // that file. The syntax and meaning are defined by recipe.type. For example,
  // if the recipe type were "make", then this would reference the directory in
  // which to run make as well as which target to use.
  string entry_point = 3;
  // Collection of all external inputs that influenced the build on top of
  // recipe.definedInMaterial and recipe.entryPoint. For example, if the recipe
  // type were "make", then this might be the flags passed to make aside from
  // the target, which is captured in recipe.entryPoint. Since the arguments
  // field can greatly vary in structure, depending on the builder and recipe
  // type, this is of form "Any".
  repeated google.protobuf.Any arguments = 4;
  // Any other builder-controlled inputs necessary for correctly evaluating the
  // recipe. Usually only needed for reproducing the build but not evaluated as
  // part of policy. Since the environment field can greatly vary in structure,
  // depending on the builder and recipe type, this is of form "Any".
  repeated google.protobuf.Any environment = 5;
}

// Indicates that the builder claims certain fields in this message to be
// complete.
message Completeness {
  // If true, the builder claims that recipe.arguments is complete, meaning that
  // all external inputs are properly captured in the recipe.
  bool arguments = 1;
  // If true, the builder claims that recipe.environment is claimed to be
  // complete.
  bool environment = 2;
  // If true, the builder claims that materials are complete, usually through
  // some controls to prevent network access. Sometimes called "hermetic".
  bool materials = 3;
}

// Other properties of the build.
message Metadata {
  // Identifies the particular build invocation, which can be useful for finding
  // associated logs or other ad-hoc analysis. The value SHOULD be globally
  // unique, per in-toto Provenance spec.
  string build_invocation_id = 1;
  // The timestamp of when the build started.
  google.protobuf.Timestamp build_started_on = 2;
  // The timestamp of when the build completed.
  google.protobuf.Timestamp build_finished_on = 3;
  // Indicates that the builder claims certain fields in this message to be
  // complete.
  Completeness completeness = 4;
  // If true, the builder claims that running the recipe on materials will
  // produce bit-for-bit identical output.
  bool reproducible = 5;
}

message BuilderConfig {
  string id = 1;
}

message InTotoProvenance {
  BuilderConfig builder_config = 1;  // required
  // Identifies the configuration used for the build.
  // When combined with materials, this SHOULD fully describe the build,
  // such that re-running this recipe results in bit-for-bit identical output
  // (if the build is reproducible).
  Recipe recipe = 2;  // required
  Metadata metadata = 3;
  // The collection of artifacts that influenced the build including sources,
  // dependencies, build tools, base images, and so on. This is considered to be
  // incomplete unless metadata.completeness.materials is true. Unset or null is
  // equivalent to empty.
  repeated string materials = 4;
}