// Copyright 2023 The Grafeas Authors. All rights reserved.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

syntax = "proto3";

package grafeas.v1;

// Provides the message types referenced below that are not defined in this
// file (EnvelopeSignature, Subject). Which of the two files defines which
// type is not visible here.
import "grafeas/v1/common.proto";
import "grafeas/v1/intoto_statement.proto";

option go_package = "google.golang.org/genproto/googleapis/grafeas/v1;grafeas";
option java_multiple_files = true;
option java_package = "io.grafeas.v1";
option objc_class_prefix = "GRA";

// The note representing an SBOM reference.
//
// A note describes the kind of SBOM being referenced (format and format
// version); the per-resource data lives in SBOMReferenceOccurrence. Both
// fields are free-form strings with implicit presence, so an unset value is
// indistinguishable from "".
message SBOMReferenceNote {
  // The format that SBOM takes. E.g. may be spdx, cyclonedx, etc...
  // The set of accepted values is not constrained by this schema.
  string format = 1;
  // The version of the format that the SBOM takes. E.g. if the format
  // is spdx, the version may be 2.3.
  string version = 2;
}

// The occurrence representing an SBOM reference as applied to a specific
// resource. The occurrence follows the DSSE specification. See
// https://github.com/secure-systems-lab/dsse/blob/master/envelope.md for more
// details.
//
// The three fields together form a DSSE envelope: `payload` is the signed
// body, `payload_type` names its media type, and `signatures` carries the
// signatures over them. Under DSSE the signed bytes cover both the payload
// type and the payload (the PAE encoding), so a consumer should verify
// `signatures` against both before relying on anything in `payload`.
message SBOMReferenceOccurrence {
  // The actual payload that contains the SBOM reference data.
  // Unlike a raw DSSE envelope, the payload is carried here as a structured
  // message rather than as opaque bytes; how the signed bytes are
  // reconstructed from it for verification is not specified in this file.
  SbomReferenceIntotoPayload payload = 1;
  // The kind of payload that SbomReferenceIntotoPayload takes. Since it's in
  // the intoto format, this value is expected to be
  // 'application/vnd.in-toto+json'.
  // The schema does not enforce this value; consumers should check it
  // rather than assume it.
  string payload_type = 2;
  // The signatures over the payload.
  // EnvelopeSignature is defined in one of the imported grafeas/v1 protos.
  // An empty list means the reference is unsigned.
  repeated EnvelopeSignature signatures = 3;
}

// The actual payload that contains the SBOM Reference data.
// The payload follows the intoto statement specification. See
// https://github.com/in-toto/attestation/blob/main/spec/v1.0/statement.md
// for more details.
//
// Field names mirror the in-toto Statement layout (`_type`, `predicateType`,
// `subject`, `predicate`); `type` keeps the in-toto JSON key via json_name.
message SbomReferenceIntotoPayload {
  // Identifier for the schema of the Statement.
  // `[json_name = "_type"]` preserves the in-toto key `_type` in the JSON
  // mapping, since a proto field cannot start with an underscore-only name
  // that reads well in generated code. Do not drop the option: it would
  // change the JSON form of every existing statement.
  string type = 1 [json_name = "_type"];
  // URI identifying the type of the Predicate.
  // The expected URI for SBOM references is not stated in this file;
  // consumers should compare it against the value they expect before
  // interpreting `predicate`.
  string predicate_type = 2;
  // Set of software artifacts that the attestation applies to. Each element
  // represents a single software artifact.
  // Subject is defined in one of the imported grafeas/v1 protos.
  repeated Subject subject = 3;
  // Additional parameters of the Predicate. Includes the actual data about the
  // SBOM.
  SbomReferenceIntotoPredicate predicate = 4;
}

// A predicate which describes the SBOM being referenced.
//
// The SBOM itself is not embedded; this message only points at it
// (`location`) and pins its contents (`digest`). A consumer that fetches the
// SBOM from `location` should check the fetched bytes against `digest`
// before using them, since the location alone is not integrity-protected.
message SbomReferenceIntotoPredicate {
  // The person or system referring this predicate to the consumer.
  // The identifier format is not specified here.
  string referrer_id = 1;
  // The location of the SBOM.
  // NOTE(review): presumably a URI, but no scheme or format is mandated by
  // this schema — confirm with producers before relying on it.
  string location = 2;
  // The mime type of the SBOM.
  string mime_type = 3;
  // A map of algorithm to digest of the contents of the SBOM.
  // Keys name the digest algorithm; values are the digest of the SBOM
  // bytes. The encoding of the digest value (e.g. hex) is not stated in
  // this file. Map iteration order is undefined in protobuf.
  map<string, string> digest = 4;
}