// Copyright 2021 The Grafeas Authors. All rights reserved.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

syntax = "proto3";

package grafeas.v1;

import "google/protobuf/struct.proto";
import "google/protobuf/timestamp.proto";
import "grafeas/v1/intoto_provenance.proto";
import "grafeas/v1/slsa_provenance.proto";
import "grafeas/v1/slsa_provenance_zero_two.proto";

option go_package = "google.golang.org/genproto/googleapis/grafeas/v1;grafeas";
option java_multiple_files = true;
option java_package = "io.grafeas.v1";
option objc_class_prefix = "GRA";
option java_outer_classname = "InTotoStatementProto";

// Spec defined at
// https://github.com/in-toto/attestation/tree/main/spec#statement The
// serialized InTotoStatement will be stored as Envelope.payload.
// Envelope.payloadType is always "application/vnd.in-toto+json".
//
// NOTE(review): the statement carries no signature of its own; its integrity
// presumably comes from the enclosing Envelope. Verify the Envelope before
// trusting any field here, including the subject digests.
message InTotoStatement {
  // Always `https://in-toto.io/Statement/v0.1`.
  // Emitted in JSON as `_type` (via `json_name`) to match the in-toto
  // statement layout.
  string type = 1 [json_name = "_type"];
  // The artifacts this statement makes a claim about, each identified by a
  // name and a set of digests.
  repeated Subject subject = 2;
  // `https://slsa.dev/provenance/v0.1` for SlsaProvenance.
  // URI naming the predicate schema; consumers should check that it agrees
  // with whichever `predicate` member is actually set.
  string predicate_type = 3;
  // At most one member is set (oneof); it should correspond to
  // `predicate_type`.
  oneof predicate {
    // in-toto provenance (pre-SLSA layout).
    InTotoProvenance provenance = 4;
    // SLSA provenance v0.1.
    SlsaProvenance slsa_provenance = 5;
    // SLSA provenance v0.2.
    SlsaProvenanceZeroTwo slsa_provenance_zero_two = 6;
  }
}

// An artifact referenced by a statement: a name plus one or more digests over
// its contents.
message Subject {
  // Name of the artifact; its format is defined by the in-toto spec linked
  // above, not constrained here.
  string name = 1;
  // `"<ALGORITHM>": "<HEX_VALUE>"`
  // Algorithms can be e.g. sha256, sha512
  // See
  // https://github.com/in-toto/attestation/blob/main/spec/field_types.md#DigestSet
  // Verifiers should recompute the digest for an algorithm they accept and
  // compare it to the entry under that key; an entry under an unrecognised
  // algorithm key gives no assurance on its own.
  map<string, string> digest = 2;
}

// An in-toto Statement whose predicate is SLSA Provenance v1. Unlike
// InTotoStatement above, the predicate is a single typed field rather than a
// oneof, and the SLSA v1 predicate schema is nested inside this message.
message InTotoSlsaProvenanceV1 {
  // InToto spec defined at
  // https://github.com/in-toto/attestation/tree/main/spec#statement
  // Emitted in JSON as `_type` (via `json_name`).
  string type = 1 [json_name = "_type"];
  // The artifacts this provenance describes.
  repeated Subject subject = 2;
  // URI naming the predicate schema. NOTE(review): presumably the SLSA v1
  // provenance URI — confirm against the schema linked below.
  string predicate_type = 3;
  // The SLSA v1 provenance predicate.
  SlsaProvenanceV1 predicate = 4;

  // Keep in sync with schema at
  // https://github.com/slsa-framework/slsa/blob/main/docs/provenance/schema/v1/provenance.proto
  // Builder renamed to ProvenanceBuilder because of Java conflicts.
  message SlsaProvenanceV1 {
    // What was built and from which inputs.
    BuildDefinition build_definition = 1;
    // Who ran the build, when, and what else it produced.
    RunDetails run_details = 2;
  }

  // Describes the build: its type, its parameters and its resolved inputs.
  message BuildDefinition {
    // Identifier for the kind of build. NOTE(review): presumably a URI that
    // fixes how the parameters below are interpreted — confirm against the
    // linked schema.
    string build_type = 1;
    // Build parameters as free-form JSON objects. NOTE(review): per the SLSA
    // v1 schema, `external_parameters` are presumably those supplied by the
    // tenant and `internal_parameters` those controlled by the builder —
    // confirm against the linked schema. Both are google.protobuf.Struct, so
    // they are schema-less and can nest arbitrarily; when accepted from an
    // untrusted source the parser's recursion-depth limit is the only bound.
    google.protobuf.Struct external_parameters = 2;
    google.protobuf.Struct internal_parameters = 3;
    // Inputs resolved during the build, each with its own digests.
    repeated ResourceDescriptor resolved_dependencies = 4;
  }

  // Identifies a resource (dependency, byproduct, builder component).
  // NOTE(review): which of the fields are required, and which combination
  // identifies the resource, is set by the linked schema, not enforced here.
  message ResourceDescriptor {
    // Human-meaningful name of the resource.
    string name = 1;
    // URI identifying the resource.
    string uri = 2;
    // `"<ALGORITHM>": "<HEX_VALUE>"`, same layout as Subject.digest.
    map<string, string> digest = 3;
    // The resource's contents, inlined. Large payloads inflate message size
    // and parse cost; prefer `uri` plus `digest` for anything sizable.
    bytes content = 4;
    // Location the resource can be downloaded from.
    string download_location = 5;
    // Media type of the resource.
    string media_type = 6;
    // Free-form JSON metadata. Values are untyped google.protobuf.Value, so
    // consumers must validate whatever they read from here.
    map<string, google.protobuf.Value> annotations = 7;
  }

  // Details of the build execution itself.
  message RunDetails {
    // The build platform that produced this provenance.
    ProvenanceBuilder builder = 1;
    // Identifier and timing of this build run.
    BuildMetadata metadata = 2;
    // Additional artifacts produced alongside the subjects.
    repeated ResourceDescriptor byproducts = 3;
  }

  // The build platform. Named ProvenanceBuilder rather than Builder because
  // of Java conflicts (see the note on SlsaProvenanceV1).
  message ProvenanceBuilder {
    // Identifier of the build platform. NOTE(review): this is the value a
    // verifier's policy keys on, so it is only meaningful once the enclosing
    // Envelope has been verified against the key expected for this id.
    string id = 1;
    // Version information for the builder. NOTE(review): presumably keyed by
    // component name with a version string as value — confirm against the
    // linked schema.
    map<string, string> version = 2;
    // Components the builder itself depends on.
    repeated ResourceDescriptor builder_dependencies = 3;
  }

  // Identity and timing of a single build run.
  message BuildMetadata {
    // Identifier for this build run. NOTE(review): presumably unique per
    // builder — confirm against the linked schema.
    string invocation_id = 1;
    // When the build started (UTC instant).
    google.protobuf.Timestamp started_on = 2;
    // When the build finished (UTC instant).
    google.protobuf.Timestamp finished_on = 3;
  }
}