xref: /aosp_15_r20/external/googleapis/grafeas/v1/slsa_provenance.proto (revision d5c09012810ac0c9f33fe448fb6da8260d444cc9)

// Copyright 2021 The Grafeas Authors. All rights reserved.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//    http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

syntax = "proto3";

package grafeas.v1;

import "google/protobuf/any.proto";
import "google/protobuf/timestamp.proto";

option go_package = "google.golang.org/genproto/googleapis/grafeas/v1;grafeas";
option java_multiple_files = true;
option java_package = "io.grafeas.v1";
option objc_class_prefix = "GRA";
option java_outer_classname = "SlsaProvenanceProto";

message SlsaProvenance {
  // Steps taken to build the artifact.
  // For a TaskRun, typically each container corresponds to one step in the
  // recipe.
  message SlsaRecipe {
    // URI indicating what type of recipe was performed. It determines the
    // meaning of recipe.entryPoint, recipe.arguments, recipe.environment, and
    // materials.
    string type = 1;
    // Index in materials containing the recipe steps that are not implied by
    // recipe.type. For example, if the recipe type were "make", then this would
    // point to the source containing the Makefile, not the make program itself.
    // Set to -1 if the recipe doesn't come from a material, as zero is default
    // unset value for int64.
    int64 defined_in_material = 2;
    // String identifying the entry point into the build.
    // This is often a path to a configuration file and/or a target label within
    // that file. The syntax and meaning are defined by recipe.type. For
    // example, if the recipe type were "make", then this would reference the
    // directory in which to run make as well as which target to use.
    string entry_point = 3;
    // Collection of all external inputs that influenced the build on top of
    // recipe.definedInMaterial and recipe.entryPoint. For example, if the
    // recipe type were "make", then this might be the flags passed to make
    // aside from the target, which is captured in recipe.entryPoint. Depending
    // on the recipe Type, the structure may be different.
    google.protobuf.Any arguments = 4;
    // Any other builder-controlled inputs necessary for correctly evaluating
    // the recipe. Usually only needed for reproducing the build but not
    // evaluated as part of policy. Depending on the recipe Type, the structure
    // may be different.
    google.protobuf.Any environment = 5;
  }

  // Indicates that the builder claims certain fields in this message to be
  // complete.
  message SlsaCompleteness {
    // If true, the builder claims that recipe.arguments is complete, meaning
    // that all external inputs are properly captured in the recipe.
    bool arguments = 1;
    // If true, the builder claims that recipe.environment is claimed to be
    // complete.
    bool environment = 2;
    // If true, the builder claims that materials are complete, usually through
    // some controls to prevent network access. Sometimes called "hermetic".
    bool materials = 3;
  }

  // Other properties of the build.
  message SlsaMetadata {
    // Identifies the particular build invocation, which can be useful for
    // finding associated logs or other ad-hoc analysis. The value SHOULD be
    // globally unique, per in-toto Provenance spec.
    string build_invocation_id = 1;
    // The timestamp of when the build started.
    google.protobuf.Timestamp build_started_on = 2;
    // The timestamp of when the build completed.
    google.protobuf.Timestamp build_finished_on = 3;
    // Indicates that the builder claims certain fields in this message to be
    // complete.
    SlsaCompleteness completeness = 4;
    // If true, the builder claims that running the recipe on materials will
    // produce bit-for-bit identical output.
    bool reproducible = 5;
  }

  message SlsaBuilder {
    string id = 1;
  }

  message Material {
    string uri = 1;
    map<string, string> digest = 2;
  }

  SlsaBuilder builder = 1;  // required
  // Identifies the configuration used for the build.
  // When combined with materials, this SHOULD fully describe the build,
  // such that re-running this recipe results in bit-for-bit identical output
  // (if the build is reproducible).
  SlsaRecipe recipe = 2;  // required
  SlsaMetadata metadata = 3;
  // The collection of artifacts that influenced the build including sources,
  // dependencies, build tools, base images, and so on. This is considered to be
  // incomplete unless metadata.completeness.materials is true. Unset or null is
  // equivalent to empty.
  repeated Material materials = 4;
}