1// Copyright 2019 The Grafeas Authors. All rights reserved. 2// 3// Licensed under the Apache License, Version 2.0 (the "License"); 4// you may not use this file except in compliance with the License. 5// You may obtain a copy of the License at 6// 7// http://www.apache.org/licenses/LICENSE-2.0 8// 9// Unless required by applicable law or agreed to in writing, software 10// distributed under the License is distributed on an "AS IS" BASIS, 11// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12// See the License for the specific language governing permissions and 13// limitations under the License. 14 15syntax = "proto3"; 16 17package grafeas.v1; 18 19import "google/api/annotations.proto"; 20import "google/api/client.proto"; 21import "google/api/field_behavior.proto"; 22import "google/api/resource.proto"; 23import "google/protobuf/empty.proto"; 24import "google/protobuf/field_mask.proto"; 25import "google/protobuf/timestamp.proto"; 26import "grafeas/v1/attestation.proto"; 27import "grafeas/v1/build.proto"; 28import "grafeas/v1/common.proto"; 29import "grafeas/v1/compliance.proto"; 30import "grafeas/v1/deployment.proto"; 31import "grafeas/v1/discovery.proto"; 32import "grafeas/v1/dsse_attestation.proto"; 33import "grafeas/v1/image.proto"; 34import "grafeas/v1/package.proto"; 35import "grafeas/v1/upgrade.proto"; 36import "grafeas/v1/vex.proto"; 37import "grafeas/v1/vulnerability.proto"; 38 39option go_package = "google.golang.org/genproto/googleapis/grafeas/v1;grafeas"; 40option java_multiple_files = true; 41option java_package = "io.grafeas.v1"; 42option objc_class_prefix = "GRA"; 43option (google.api.resource_definition) = { 44 type: "grafeas.io/Project" 45 pattern: "projects/{project}" 46}; 47 48// [Grafeas](https://grafeas.io) API. 49// 50// Retrieves analysis results of Cloud components such as Docker container 51// images. 52// 53// Analysis results are stored as a series of occurrences. An `Occurrence` 54// contains information about a specific analysis instance on a resource. An 55// occurrence refers to a `Note`. A note contains details describing the 56// analysis and is generally stored in a separate project, called a `Provider`. 57// Multiple occurrences can refer to the same note. 58// 59// For example, an SSL vulnerability could affect multiple images. In this case, 60// there would be one note for the vulnerability and an occurrence for each 61// image with the vulnerability referring to that note. 62service Grafeas { 63 option (google.api.default_host) = "containeranalysis.googleapis.com"; 64 65 // Gets the specified occurrence. 66 rpc GetOccurrence(GetOccurrenceRequest) returns (Occurrence) { 67 option (google.api.http) = { 68 get: "/v1/{name=projects/*/occurrences/*}" 69 }; 70 option (google.api.method_signature) = "name"; 71 } 72 73 // Lists occurrences for the specified project. 74 rpc ListOccurrences(ListOccurrencesRequest) 75 returns (ListOccurrencesResponse) { 76 option (google.api.http) = { 77 get: "/v1/{parent=projects/*}/occurrences" 78 }; 79 option (google.api.method_signature) = "parent,filter"; 80 } 81 82 // Deletes the specified occurrence. For example, use this method to delete an 83 // occurrence when the occurrence is no longer applicable for the given 84 // resource. 85 rpc DeleteOccurrence(DeleteOccurrenceRequest) 86 returns (google.protobuf.Empty) { 87 option (google.api.http) = { 88 delete: "/v1/{name=projects/*/occurrences/*}" 89 }; 90 option (google.api.method_signature) = "name"; 91 } 92 93 // Creates a new occurrence. 94 rpc CreateOccurrence(CreateOccurrenceRequest) returns (Occurrence) { 95 option (google.api.http) = { 96 post: "/v1/{parent=projects/*}/occurrences" 97 body: "occurrence" 98 }; 99 option (google.api.method_signature) = "parent,occurrence"; 100 } 101 102 // Creates new occurrences in batch. 103 rpc BatchCreateOccurrences(BatchCreateOccurrencesRequest) 104 returns (BatchCreateOccurrencesResponse) { 105 option (google.api.http) = { 106 post: "/v1/{parent=projects/*}/occurrences:batchCreate" 107 body: "*" 108 }; 109 option (google.api.method_signature) = "parent,occurrences"; 110 } 111 112 // Updates the specified occurrence. 113 rpc UpdateOccurrence(UpdateOccurrenceRequest) returns (Occurrence) { 114 option (google.api.http) = { 115 patch: "/v1/{name=projects/*/occurrences/*}" 116 body: "occurrence" 117 }; 118 option (google.api.method_signature) = "name,occurrence,update_mask"; 119 } 120 121 // Gets the note attached to the specified occurrence. Consumer projects can 122 // use this method to get a note that belongs to a provider project. 123 rpc GetOccurrenceNote(GetOccurrenceNoteRequest) returns (Note) { 124 option (google.api.http) = { 125 get: "/v1/{name=projects/*/occurrences/*}/notes" 126 }; 127 option (google.api.method_signature) = "name"; 128 } 129 130 // Gets the specified note. 131 rpc GetNote(GetNoteRequest) returns (Note) { 132 option (google.api.http) = { 133 get: "/v1/{name=projects/*/notes/*}" 134 }; 135 option (google.api.method_signature) = "name"; 136 } 137 138 // Lists notes for the specified project. 139 rpc ListNotes(ListNotesRequest) returns (ListNotesResponse) { 140 option (google.api.http) = { 141 get: "/v1/{parent=projects/*}/notes" 142 }; 143 option (google.api.method_signature) = "parent,filter"; 144 } 145 146 // Deletes the specified note. 147 rpc DeleteNote(DeleteNoteRequest) returns (google.protobuf.Empty) { 148 option (google.api.http) = { 149 delete: "/v1/{name=projects/*/notes/*}" 150 }; 151 option (google.api.method_signature) = "name"; 152 } 153 154 // Creates a new note. 155 rpc CreateNote(CreateNoteRequest) returns (Note) { 156 option (google.api.http) = { 157 post: "/v1/{parent=projects/*}/notes" 158 body: "note" 159 }; 160 option (google.api.method_signature) = "parent,note_id,note"; 161 } 162 163 // Creates new notes in batch. 164 rpc BatchCreateNotes(BatchCreateNotesRequest) 165 returns (BatchCreateNotesResponse) { 166 option (google.api.http) = { 167 post: "/v1/{parent=projects/*}/notes:batchCreate" 168 body: "*" 169 }; 170 option (google.api.method_signature) = "parent,notes"; 171 } 172 173 // Updates the specified note. 174 rpc UpdateNote(UpdateNoteRequest) returns (Note) { 175 option (google.api.http) = { 176 patch: "/v1/{name=projects/*/notes/*}" 177 body: "note" 178 }; 179 option (google.api.method_signature) = "name,note,update_mask"; 180 } 181 182 // Lists occurrences referencing the specified note. Provider projects can use 183 // this method to get all occurrences across consumer projects referencing the 184 // specified note. 185 rpc ListNoteOccurrences(ListNoteOccurrencesRequest) 186 returns (ListNoteOccurrencesResponse) { 187 option (google.api.http) = { 188 get: "/v1/{name=projects/*/notes/*}/occurrences" 189 }; 190 option (google.api.method_signature) = "name,filter"; 191 } 192} 193 194// An instance of an analysis type that has been found on a resource. 195message Occurrence { 196 option (google.api.resource) = { 197 type: "grafeas.io/Occurrence" 198 pattern: "projects/{project}/occurrences/{occurrence}" 199 }; 200 201 // Output only. The name of the occurrence in the form of 202 // `projects/[PROJECT_ID]/occurrences/[OCCURRENCE_ID]`. 203 string name = 1; 204 205 // Required. Immutable. A URI that represents the resource for which the 206 // occurrence applies. For example, 207 // `https://gcr.io/project/image@sha256:123abc` for a Docker image. 208 string resource_uri = 2; 209 210 // Required. Immutable. The analysis note associated with this occurrence, in 211 // the form of `projects/[PROVIDER_ID]/notes/[NOTE_ID]`. This field can be 212 // used as a filter in list requests. 213 string note_name = 3; 214 215 // Output only. This explicitly denotes which of the occurrence details are 216 // specified. This field can be used as a filter in list requests. 217 grafeas.v1.NoteKind kind = 4; 218 219 // A description of actions that can be taken to remedy the note. 220 string remediation = 5; 221 222 // Output only. The time this occurrence was created. 223 google.protobuf.Timestamp create_time = 6; 224 225 // Output only. The time this occurrence was last updated. 226 google.protobuf.Timestamp update_time = 7; 227 228 // Required. Immutable. Describes the details of the note kind found on this 229 // resource. 230 oneof details { 231 // Describes a security vulnerability. 232 grafeas.v1.VulnerabilityOccurrence vulnerability = 8; 233 // Describes a verifiable build. 234 grafeas.v1.BuildOccurrence build = 9; 235 // Describes how this resource derives from the basis in the associated 236 // note. 237 grafeas.v1.ImageOccurrence image = 10; 238 // Describes the installation of a package on the linked resource. 239 grafeas.v1.PackageOccurrence package = 11; 240 // Describes the deployment of an artifact on a runtime. 241 grafeas.v1.DeploymentOccurrence deployment = 12; 242 // Describes when a resource was discovered. 243 grafeas.v1.DiscoveryOccurrence discovery = 13; 244 // Describes an attestation of an artifact. 245 grafeas.v1.AttestationOccurrence attestation = 14; 246 // Describes an available package upgrade on the linked resource. 247 grafeas.v1.UpgradeOccurrence upgrade = 15; 248 // Describes a compliance violation on a linked resource. 249 grafeas.v1.ComplianceOccurrence compliance = 16; 250 // Describes an attestation of an artifact using dsse. 251 grafeas.v1.DSSEAttestationOccurrence dsse_attestation = 17; 252 } 253 254 // https://github.com/secure-systems-lab/dsse 255 grafeas.v1.Envelope envelope = 18; 256} 257 258// A type of analysis that can be done for a resource. 259message Note { 260 option (google.api.resource) = { 261 type: "grafeas.io/Note" 262 pattern: "projects/{project}/notes/{note}" 263 }; 264 265 // Output only. The name of the note in the form of 266 // `projects/[PROVIDER_ID]/notes/[NOTE_ID]`. 267 string name = 1; 268 269 // A one sentence description of this note. 270 string short_description = 2; 271 272 // A detailed description of this note. 273 string long_description = 3; 274 275 // Output only. The type of analysis. This field can be used as a filter in 276 // list requests. 277 grafeas.v1.NoteKind kind = 4; 278 279 // URLs associated with this note. 280 repeated grafeas.v1.RelatedUrl related_url = 5; 281 282 // Time of expiration for this note. Empty if note does not expire. 283 google.protobuf.Timestamp expiration_time = 6; 284 285 // Output only. The time this note was created. This field can be used as a 286 // filter in list requests. 287 google.protobuf.Timestamp create_time = 7; 288 289 // Output only. The time this note was last updated. This field can be used as 290 // a filter in list requests. 291 google.protobuf.Timestamp update_time = 8; 292 293 // Other notes related to this note. 294 repeated string related_note_names = 9; 295 296 // Required. Immutable. The type of analysis this note represents. 297 oneof type { 298 // A note describing a package vulnerability. 299 grafeas.v1.VulnerabilityNote vulnerability = 10; 300 // A note describing build provenance for a verifiable build. 301 grafeas.v1.BuildNote build = 11; 302 // A note describing a base image. 303 grafeas.v1.ImageNote image = 12; 304 // A note describing a package hosted by various package managers. 305 grafeas.v1.PackageNote package = 13; 306 // A note describing something that can be deployed. 307 grafeas.v1.DeploymentNote deployment = 14; 308 // A note describing the initial analysis of a resource. 309 grafeas.v1.DiscoveryNote discovery = 15; 310 // A note describing an attestation role. 311 grafeas.v1.AttestationNote attestation = 16; 312 // A note describing available package upgrades. 313 grafeas.v1.UpgradeNote upgrade = 17; 314 // A note describing a compliance check. 315 grafeas.v1.ComplianceNote compliance = 18; 316 // A note describing a dsse attestation note. 317 grafeas.v1.DSSEAttestationNote dsse_attestation = 19; 318 // A note describing a vulnerability assessment. 319 grafeas.v1.VulnerabilityAssessmentNote vulnerability_assessment = 20; 320 } 321} 322 323// Request to get an occurrence. 324message GetOccurrenceRequest { 325 // The name of the occurrence in the form of 326 // `projects/[PROJECT_ID]/occurrences/[OCCURRENCE_ID]`. 327 string name = 1 [ 328 (google.api.field_behavior) = REQUIRED, 329 (google.api.resource_reference).type = "grafeas.io/Occurrence" 330 ]; 331} 332 333// Request to list occurrences. 334message ListOccurrencesRequest { 335 // The name of the project to list occurrences for in the form of 336 // `projects/[PROJECT_ID]`. 337 string parent = 1 [ 338 (google.api.field_behavior) = REQUIRED, 339 (google.api.resource_reference).type = "grafeas.io/Project" 340 ]; 341 342 // The filter expression. 343 string filter = 2; 344 345 // Number of occurrences to return in the list. Must be positive. Max allowed 346 // page size is 1000. If not specified, page size defaults to 20. 347 int32 page_size = 3; 348 349 // Token to provide to skip to a particular spot in the list. 350 string page_token = 4; 351} 352 353// Response for listing occurrences. 354message ListOccurrencesResponse { 355 // The occurrences requested. 356 repeated Occurrence occurrences = 1; 357 // The next pagination token in the list response. It should be used as 358 // `page_token` for the following request. An empty value means no more 359 // results. 360 string next_page_token = 2; 361} 362 363// Request to delete an occurrence. 364message DeleteOccurrenceRequest { 365 // The name of the occurrence in the form of 366 // `projects/[PROJECT_ID]/occurrences/[OCCURRENCE_ID]`. 367 string name = 1 [ 368 (google.api.field_behavior) = REQUIRED, 369 (google.api.resource_reference).type = "grafeas.io/Occurrence" 370 ]; 371} 372 373// Request to create a new occurrence. 374message CreateOccurrenceRequest { 375 // The name of the project in the form of `projects/[PROJECT_ID]`, under which 376 // the occurrence is to be created. 377 string parent = 1 [ 378 (google.api.field_behavior) = REQUIRED, 379 (google.api.resource_reference).type = "grafeas.io/Project" 380 ]; 381 // The occurrence to create. 382 Occurrence occurrence = 2 [(google.api.field_behavior) = REQUIRED]; 383} 384 385// Request to update an occurrence. 386message UpdateOccurrenceRequest { 387 // The name of the occurrence in the form of 388 // `projects/[PROJECT_ID]/occurrences/[OCCURRENCE_ID]`. 389 string name = 1 [ 390 (google.api.field_behavior) = REQUIRED, 391 (google.api.resource_reference).type = "grafeas.io/Occurrence" 392 ]; 393 // The updated occurrence. 394 Occurrence occurrence = 2 [(google.api.field_behavior) = REQUIRED]; 395 // The fields to update. 396 google.protobuf.FieldMask update_mask = 3; 397} 398 399// Request to get a note. 400message GetNoteRequest { 401 // The name of the note in the form of 402 // `projects/[PROVIDER_ID]/notes/[NOTE_ID]`. 403 string name = 1 [ 404 (google.api.field_behavior) = REQUIRED, 405 (google.api.resource_reference).type = "grafeas.io/Note" 406 ]; 407} 408 409// Request to get the note to which the specified occurrence is attached. 410message GetOccurrenceNoteRequest { 411 // The name of the occurrence in the form of 412 // `projects/[PROJECT_ID]/occurrences/[OCCURRENCE_ID]`. 413 string name = 1 [ 414 (google.api.field_behavior) = REQUIRED, 415 (google.api.resource_reference).type = "grafeas.io/Occurrence" 416 ]; 417} 418 419// Request to list notes. 420message ListNotesRequest { 421 // The name of the project to list notes for in the form of 422 // `projects/[PROJECT_ID]`. 423 string parent = 1 [ 424 (google.api.field_behavior) = REQUIRED, 425 (google.api.resource_reference).type = "grafeas.io/Project" 426 ]; 427 428 // The filter expression. 429 string filter = 2; 430 431 // Number of notes to return in the list. Must be positive. Max allowed page 432 // size is 1000. If not specified, page size defaults to 20. 433 int32 page_size = 3; 434 435 // Token to provide to skip to a particular spot in the list. 436 string page_token = 4; 437} 438 439// Response for listing notes. 440message ListNotesResponse { 441 // The notes requested. 442 repeated Note notes = 1; 443 // The next pagination token in the list response. It should be used as 444 // `page_token` for the following request. An empty value means no more 445 // results. 446 string next_page_token = 2; 447} 448 449// Request to delete a note. 450message DeleteNoteRequest { 451 // The name of the note in the form of 452 // `projects/[PROVIDER_ID]/notes/[NOTE_ID]`. 453 string name = 1 [ 454 (google.api.field_behavior) = REQUIRED, 455 (google.api.resource_reference).type = "grafeas.io/Note" 456 ]; 457} 458 459// Request to create a new note. 460message CreateNoteRequest { 461 // The name of the project in the form of `projects/[PROJECT_ID]`, under which 462 // the note is to be created. 463 string parent = 1 [ 464 (google.api.field_behavior) = REQUIRED, 465 (google.api.resource_reference).type = "grafeas.io/Project" 466 ]; 467 // The ID to use for this note. 468 string note_id = 2 [(google.api.field_behavior) = REQUIRED]; 469 // The note to create. 470 Note note = 3 [(google.api.field_behavior) = REQUIRED]; 471} 472 473// Request to update a note. 474message UpdateNoteRequest { 475 // The name of the note in the form of 476 // `projects/[PROVIDER_ID]/notes/[NOTE_ID]`. 477 string name = 1 [ 478 (google.api.field_behavior) = REQUIRED, 479 (google.api.resource_reference).type = "grafeas.io/Note" 480 ]; 481 // The updated note. 482 Note note = 2 [(google.api.field_behavior) = REQUIRED]; 483 // The fields to update. 484 google.protobuf.FieldMask update_mask = 3; 485} 486 487// Request to list occurrences for a note. 488message ListNoteOccurrencesRequest { 489 // The name of the note to list occurrences for in the form of 490 // `projects/[PROVIDER_ID]/notes/[NOTE_ID]`. 491 string name = 1 [ 492 (google.api.field_behavior) = REQUIRED, 493 (google.api.resource_reference).type = "grafeas.io/Note" 494 ]; 495 // The filter expression. 496 string filter = 2; 497 // Number of occurrences to return in the list. 498 int32 page_size = 3; 499 // Token to provide to skip to a particular spot in the list. 500 string page_token = 4; 501} 502 503// Response for listing occurrences for a note. 504message ListNoteOccurrencesResponse { 505 // The occurrences attached to the specified note. 506 repeated Occurrence occurrences = 1; 507 // Token to provide to skip to a particular spot in the list. 508 string next_page_token = 2; 509} 510 511// Request to create notes in batch. 512message BatchCreateNotesRequest { 513 // The name of the project in the form of `projects/[PROJECT_ID]`, under which 514 // the notes are to be created. 515 string parent = 1 [ 516 (google.api.field_behavior) = REQUIRED, 517 (google.api.resource_reference).type = "grafeas.io/Project" 518 ]; 519 520 // The notes to create. Max allowed length is 1000. 521 map<string, Note> notes = 2 [(google.api.field_behavior) = REQUIRED]; 522} 523 524// Response for creating notes in batch. 525message BatchCreateNotesResponse { 526 // The notes that were created. 527 repeated Note notes = 1; 528} 529 530// Request to create occurrences in batch. 531message BatchCreateOccurrencesRequest { 532 // The name of the project in the form of `projects/[PROJECT_ID]`, under which 533 // the occurrences are to be created. 534 string parent = 1 [ 535 (google.api.field_behavior) = REQUIRED, 536 (google.api.resource_reference).type = "grafeas.io/Project" 537 ]; 538 539 // The occurrences to create. Max allowed length is 1000. 540 repeated Occurrence occurrences = 2 [(google.api.field_behavior) = REQUIRED]; 541} 542 543// Response for creating occurrences in batch. 544message BatchCreateOccurrencesResponse { 545 // The occurrences that were created. 546 repeated Occurrence occurrences = 1; 547} 548