feat: Updating the grafeas protos to include compliance and intoto attestation protos (#352)

* feat: Updating the grafeas protos to include compliance and intoto attestation protos

PiperOrigin-RevId: 407119231
Source-Link: googleapis/googleapis@381ab78
Source-Link: googleapis/googleapis-gen@e90da8d
Copy-Tag: eyJwIjoiLmdpdGh1Yi8uT3dsQm90LnlhbWwiLCJoIjoiZTkwZGE4ZGQ4MzEwNTM3YjUzMTMzZWZiMTg2N2E4OTkwYWRiMTQ5YSJ9

* 🦉 Updates from OwlBot

See https://github.com/googleapis/repo-automation-bots/blob/main/packages/owl-bot/README.md

Co-authored-by: Owl Bot <gcf-owl-bot[bot]@users.noreply.github.com>
1 parent
f0b7337
commit 8566ce6
Showing
16 changed files
with
15,668 additions
and
5,265 deletions.
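--- /dev/null
+++ b/packages/google-devtools-containeranalysis/protos/grafeas/v1/compliance.proto
@@ -0,0 +1,79 @@
+// Copyright 2021 The Grafeas Authors. All rights reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package grafeas.v1;
+
+import "grafeas/v1/vulnerability.proto";
+
+option go_package = "google.golang.org/genproto/googleapis/grafeas/v1;grafeas";
+option java_multiple_files = true;
+option java_package = "io.grafeas.v1";
+option objc_class_prefix = "GRA";
+
+message ComplianceNote {
+  // The title that identifies this compliance check.
+  string title = 1;
+  // A description about this compliance check.
+  string description = 2;
+  // The OS and config versions the benchmark applies to.
+  repeated grafeas.v1.ComplianceVersion version = 3;
+  // A rationale for the existence of this compliance check.
+  string rationale = 4;
+  // A description of remediation steps if the compliance check fails.
+  string remediation = 5;
+  // A compliance check that is a CIS benchmark.
+  message CisBenchmark {
+    int32 profile_level = 1;
+    grafeas.v1.Severity severity = 2;
+  }
+  oneof compliance_type {
+    CisBenchmark cis_benchmark = 6;
+  }
+  // Serialized scan instructions with a predefined format.
+  bytes scan_instructions = 7;
+}
+
+// Describes the CIS benchmark version that is applicable to a given OS and
+// os version.
+message ComplianceVersion {
+  // The CPE URI (https://cpe.mitre.org/specification/) this benchmark is
+  // applicable to.
+  string cpe_uri = 1;
+  // The version of the benchmark. This is set to the version of the OS-specific
+  // CIS document the benchmark is defined in.
+  string version = 2;
+}
+
+// An indication that the compliance checks in the associated ComplianceNote
+// were not satisfied for particular resources or a specified reason.
+message ComplianceOccurrence {
+  repeated NonCompliantFile non_compliant_files = 2;
+  string non_compliance_reason = 3;
+}
+
+// Details about files that caused a compliance check to fail.
+message NonCompliantFile {
+  // display_command is a single command that can be used to display a list of
+  // non compliant files. When there is no such command, we can also iterate a
+  // list of non compliant file using 'path'.
+
+  // Empty if `display_command` is set.
+  string path = 1;
+  // Command to display the non-compliant files.
+  string display_command = 2;
+  // Explains why a file is non compliant for a CIS check.
+  string reason = 3;
+}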
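Review bot: `ComplianceOccurrence` numbers its first field 2 with no `reserved 1;`, so a later edit could reuse number 1 for an unrelated type and silently reinterpret any data written with it; add `reserved 1;` inside the message, with a comment on why the gap exists if that is known (it looks like a field removed upstream, but this page does not show it). In `NonCompliantFile`, the three-line comment about `display_command` is separated from `string path = 1;` by a blank line, so protoc treats it as a detached comment and generated docs will not attach it to any field; either join it to the `path` comment or move it above the message. `CisBenchmark.profile_level` and `CisBenchmark.severity` carry no leading comments; a line such as `// The CIS benchmark profile level this check belongs to.` and `// Severity assigned to a failure of this check.` would bring them up to the standard of the other fields.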
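--- /dev/null
+++ b/packages/google-devtools-containeranalysis/protos/grafeas/v1/dsse_attestation.proto
@@ -0,0 +1,52 @@
+// Copyright 2021 The Grafeas Authors. All rights reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+syntax = "proto3";
+
+package grafeas.v1;
+
+import "grafeas/v1/common.proto";
+import "grafeas/v1/intoto_statement.proto";
+
+option go_package = "google.golang.org/genproto/googleapis/grafeas/v1;grafeas";
+option java_multiple_files = true;
+option java_package = "io.grafeas.v1";
+option objc_class_prefix = "GRA";
+
+message DSSEAttestationNote {
+  // This submessage provides human-readable hints about the purpose of the
+  // authority. Because the name of a note acts as its resource reference, it is
+  // important to disambiguate the canonical name of the Note (which might be a
+  // UUID for security purposes) from "readable" names more suitable for debug
+  // output. Note that these hints should not be used to look up authorities in
+  // security sensitive contexts, such as when looking up attestations to
+  // verify.
+  message DSSEHint {
+    // Required. The human readable name of this attestation authority, for
+    // example "cloudbuild-prod".
+    string human_readable_name = 1;
+  }
+  // DSSEHint hints at the purpose of the attestation authority.
+  DSSEHint hint = 1;
+}
+
+// Deprecated. Prefer to use a regular Occurrence, and populate the
+// Envelope at the top level of the Occurrence.
+message DSSEAttestationOccurrence {
+  // If doing something security critical, make sure to verify the signatures in
+  // this metadata.
+  Envelope envelope = 1;
+  oneof decoded_payload {
+    InTotoStatement statement = 2;
+  }
+}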
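Review bot: `decoded_payload.statement` is an unsigned convenience copy — only `envelope` carries the signed bytes — so a verifier that reads `statement` directly is trusting whatever the writer placed there, and the oneof should say so, e.g. `// Convenience decoding of envelope.payload. Not covered by the envelope signatures: verify envelope and parse its payload instead of trusting this field.` The message-level comment states that `DSSEAttestationOccurrence` is deprecated, but without `option deprecated = true;` inside the message generated code will not flag callers; add the option so tooling enforces the deprecation rather than prose alone. `Envelope` and `InTotoStatement` come from common.proto and intoto_statement.proto, which are not shown on this page, so their field-level contracts could not be checked here.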
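--- /dev/null
+++ b/packages/google-devtools-containeranalysis/protos/grafeas/v1/intoto_provenance.proto
@@ -0,0 +1,112 @@
+// Copyright 2021 The Grafeas Authors. All rights reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package grafeas.v1;
+
+import "google/protobuf/any.proto";
+import "google/protobuf/timestamp.proto";
+
+option go_package = "google.golang.org/genproto/googleapis/grafeas/v1;grafeas";
+option java_multiple_files = true;
+option java_package = "io.grafeas.v1";
+option objc_class_prefix = "GRA";
+
+// Spec defined at
+// https://github.com/in-toto/attestation/blob/main/spec/predicates/provenance.md
+
+// Steps taken to build the artifact.
+// For a TaskRun, typically each container corresponds to one step in the
+// recipe.
+message Recipe {
+  // URI indicating what type of recipe was performed. It determines the meaning
+  // of recipe.entryPoint, recipe.arguments, recipe.environment, and materials.
+  string type = 1;
+  // Index in materials containing the recipe steps that are not implied by
+  // recipe.type. For example, if the recipe type were "make", then this would
+  // point to the source containing the Makefile, not the make program itself.
+  // Set to -1 if the recipe doesn't come from a material, as zero is default
+  // unset value for int64.
+  int64 defined_in_material = 2;
+  // String identifying the entry point into the build.
+  // This is often a path to a configuration file and/or a target label within
+  // that file. The syntax and meaning are defined by recipe.type. For example,
+  // if the recipe type were "make", then this would reference the directory in
+  // which to run make as well as which target to use.
+  string entry_point = 3;
+  // Collection of all external inputs that influenced the build on top of
+  // recipe.definedInMaterial and recipe.entryPoint. For example, if the recipe
+  // type were "make", then this might be the flags passed to make aside from
+  // the target, which is captured in recipe.entryPoint. Since the arguments
+  // field can greatly vary in structure, depending on the builder and recipe
+  // type, this is of form "Any".
+  repeated google.protobuf.Any arguments = 4;
+  // Any other builder-controlled inputs necessary for correctly evaluating the
+  // recipe. Usually only needed for reproducing the build but not evaluated as
+  // part of policy. Since the environment field can greatly vary in structure,
+  // depending on the builder and recipe type, this is of form "Any".
+  repeated google.protobuf.Any environment = 5;
+}
+
+// Indicates that the builder claims certain fields in this message to be
+// complete.
+message Completeness {
+  // If true, the builder claims that recipe.arguments is complete, meaning that
+  // all external inputs are properly captured in the recipe.
+  bool arguments = 1;
+  // If true, the builder claims that recipe.environment is claimed to be
+  // complete.
+  bool environment = 2;
+  // If true, the builder claims that materials are complete, usually through
+  // some controls to prevent network access. Sometimes called "hermetic".
+  bool materials = 3;
+}
+
+// Other properties of the build.
+message Metadata {
+  // Identifies the particular build invocation, which can be useful for finding
+  // associated logs or other ad-hoc analysis. The value SHOULD be globally
+  // unique, per in-toto Provenance spec.
+  string build_invocation_id = 1;
+  // The timestamp of when the build started.
+  google.protobuf.Timestamp build_started_on = 2;
+  // The timestamp of when the build completed.
+  google.protobuf.Timestamp build_finished_on = 3;
+  // Indicates that the builder claims certain fields in this message to be
+  // complete.
+  Completeness completeness = 4;
+  // If true, the builder claims that running the recipe on materials will
+  // produce bit-for-bit identical output.
+  bool reproducible = 5;
+}
+
+message BuilderConfig {
+  string id = 1;
+}
+
+message InTotoProvenance {
+  BuilderConfig builder_config = 1; // required
+  // Identifies the configuration used for the build.
+  // When combined with materials, this SHOULD fully describe the build,
+  // such that re-running this recipe results in bit-for-bit identical output
+  // (if the build is reproducible).
+  Recipe recipe = 2; // required
+  Metadata metadata = 3;
+  // The collection of artifacts that influenced the build including sources,
+  // dependencies, build tools, base images, and so on. This is considered to be
+  // incomplete unless metadata.completeness.materials is true. Unset or null is
+  // equivalent to empty.
+  repeated string materials = 4;
+}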
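Review bot: `Recipe.arguments` and `Recipe.environment` are `repeated google.protobuf.Any` whose contents are chosen by the builder, so a consumer unpacking them from provenance it has not yet trusted should restrict `type_url` to an allowlist before unpacking; a field comment such as `// Consumers should allowlist type_url before unpacking these values.` on both fields would make that expectation part of the contract. `BuilderConfig` and its `id` field have no comment at all; state what `id` holds (the linked in-toto provenance spec describes the builder identifier as a URI, if that is what is intended here). The trailing `// required` on `builder_config` and `recipe` is not enforced by proto3 and does not attach to the field in generated docs; a leading comment naming the constraint and which side validates it would be clearer. `defined_in_material` documents -1 as a sentinel because 0 is the implicit default; `optional int64` gives explicit presence without the sentinel, though if this schema is already published upstream that change belongs there rather than in this copy.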