// Copyright 2019 The Grafeas Authors. All rights reserved.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

syntax = "proto3";

package grafeas.v1;

option go_package = "google.golang.org/genproto/googleapis/grafeas/v1;grafeas";
option java_multiple_files = true;
option java_package = "io.grafeas.v1";
option objc_class_prefix = "GRA";

// Kind represents the kinds of notes supported.
//
// Values are unprefixed (e.g. `VULNERABILITY` rather than
// `NOTE_KIND_VULNERABILITY`); since this is a published v1 API, renaming them
// would be a source-breaking change, so new values should follow the existing
// style. Readers must tolerate values not listed here (unknown enum values
// round-trip in proto3).
enum NoteKind {
  // Default value. This value is unused.
  NOTE_KIND_UNSPECIFIED = 0;
  // The note and occurrence represent a package vulnerability.
  VULNERABILITY = 1;
  // The note and occurrence assert build provenance.
  BUILD = 2;
  // This represents an image basis relationship.
  IMAGE = 3;
  // This represents a package installed via a package manager.
  PACKAGE = 4;
  // The note and occurrence track deployment events.
  DEPLOYMENT = 5;
  // The note and occurrence track the initial discovery status of a resource.
  DISCOVERY = 6;
  // This represents a logical "role" that can attest to artifacts.
  ATTESTATION = 7;
  // This represents an available package upgrade.
  UPGRADE = 8;
  // This represents a Compliance Note.
  COMPLIANCE = 9;
  // This represents a DSSE attestation Note (see `Envelope` below).
  DSSE_ATTESTATION = 10;
  // This represents a Vulnerability Assessment.
  VULNERABILITY_ASSESSMENT = 11;
}

// Metadata for any related URL information.
message RelatedUrl {
  // Specific URL associated with the resource.
  string url = 1;
  // Label to describe usage of the URL.
  string label = 2;
}

// Verifiers (e.g. Kritis implementations) MUST verify signatures
// with respect to the trust anchors defined in policy (e.g. a Kritis policy).
// Typically this means that the verifier has been configured with a map from
// `public_key_id` to public key material (and any required parameters, e.g.
// signing algorithm).
//
// In particular, verification implementations MUST NOT treat the signature
// `public_key_id` as anything more than a key lookup hint. The `public_key_id`
// DOES NOT validate or authenticate a public key; it only provides a mechanism
// for quickly selecting a public key ALREADY CONFIGURED on the verifier through
// a trusted channel. Verification implementations MUST reject signatures in any
// of the following circumstances:
//   * The `public_key_id` is not recognized by the verifier.
//   * The public key that `public_key_id` refers to does not verify the
//     signature with respect to the payload.
//
// The `signature` contents SHOULD NOT be "attached" (where the payload is
// included with the serialized `signature` bytes). Verifiers MUST ignore any
// "attached" payload and only verify signatures with respect to explicitly
// provided payload (e.g. a `payload` field on the proto message that holds
// this Signature, or the canonical serialization of the proto message that
// holds this signature).
message Signature {
  // The content of the signature, an opaque bytestring.
  // The payload that this signature verifies MUST be unambiguously provided
  // with the Signature during verification. A wrapper message might provide
  // the payload explicitly. Alternatively, a message might have a canonical
  // serialization that can always be unambiguously computed to derive the
  // payload.
  bytes signature = 1;

  // The identifier for the public key that verifies this signature.
  //   * The `public_key_id` is required.
  //   * The `public_key_id` SHOULD be an RFC3986 conformant URI.
  //   * When possible, the `public_key_id` SHOULD be an immutable reference,
  //     such as a cryptographic digest.
  //
  // Examples of valid `public_key_id`s:
  //
  // OpenPGP V4 public key fingerprint:
  //   * "openpgp4fpr:74FAF3B861BDA0870C7B6DEF607E48D2A663AEEA"
  // See https://www.iana.org/assignments/uri-schemes/prov/openpgp4fpr for more
  // details on this scheme.
  //
  // RFC6920 digest-named SubjectPublicKeyInfo (digest of the DER
  // serialization):
  //   * "ni:///sha-256;cD9o9Cq6LG3jD0iKXqEi_vdjJGecm_iXkbqVoScViaU"
  //   * "nih:///sha-256;703f68f42aba2c6de30f488a5ea122fef76324679c9bf89791ba95a1271589a5"
  string public_key_id = 2;
}

// MUST match
// https://github.com/secure-systems-lab/dsse/blob/master/envelope.proto. An
// authenticated message of arbitrary type.
//
// Field numbers and wire types are the DSSE envelope's; only the field names
// differ (snake_case here, which maps to the same lowerCamelCase JSON keys).
// Per the DSSE specification, a signature covers both `payload_type` and
// `payload` (through the PAE encoding), not the raw payload alone, and the
// same trust-anchor rules given for `Signature.public_key_id` above apply to
// `EnvelopeSignature.keyid`. Consumers should confirm against the linked spec.
message Envelope {
  // The serialized message being authenticated, as opaque bytes. Its
  // interpretation is determined by `payload_type`.
  bytes payload = 1;
  // Identifies how to interpret `payload` (per DSSE, a URI or media type,
  // e.g. an in-toto statement type). Verifiers should not dereference it.
  string payload_type = 2;
  // One or more signatures over the envelope. Per DSSE, verification succeeds
  // when at least one signature from a trusted key verifies; unrecognized or
  // failing signatures are rejected rather than ignored.
  repeated EnvelopeSignature signatures = 3;
}

// One signature on an `Envelope`, matching DSSE `Signature`.
message EnvelopeSignature {
  // The raw signature bytes (no attached payload).
  bytes sig = 1;
  // Unauthenticated hint identifying the signing key. Like
  // `Signature.public_key_id`, it selects a key already configured on the
  // verifier and MUST NOT be trusted on its own.
  string keyid = 2;
}

// Indicates the location at which a package was found.
message FileLocation {
  // For jars that are contained inside .war files, this filepath
  // can indicate the path to war file combined with the path to jar file.
  string file_path = 1;
}

// License information.
message License {
  // Often a single license can be used to represent the licensing terms.
  // Sometimes it is necessary to include a choice of one or more licenses
  // or some combination of license identifiers.
  // Examples: "LGPL-2.1-only OR MIT", "LGPL-2.1-only AND MIT",
  // "GPL-2.0-or-later WITH Bison-exception-2.2".
  string expression = 1;

  // Free-form comments about the license terms.
  string comments = 2;
}

// Digest information.
message Digest {
  // `SHA1`, `SHA512` etc.
  // The algorithm name is an open vocabulary (a string, not an enum);
  // consumers should treat a digest with an algorithm they do not recognize
  // as unverifiable rather than as a match.
  string algo = 1;

  // Value of the digest, as raw bytes (not hex or base64 encoded).
  bytes digest_bytes = 2;
}