From 9225ac7c884934206914685954818526606a24be Mon Sep 17 00:00:00 2001 From: Yoshi Automation Date: Wed, 24 May 2023 18:27:12 +0000 Subject: [PATCH] feat(ondemandscanning): update the api #### ondemandscanning:v1 The following keys were deleted: - schemas.Binary (Total Keys: 4) - schemas.PackageData.properties.binary.$ref (Total Keys: 1) The following keys were added: - schemas.Occurrence.properties.sbomReference.$ref (Total Keys: 1) - schemas.PackageData.properties.binaryVersion.$ref (Total Keys: 1) - schemas.PackageData.properties.sourceVersion.$ref (Total Keys: 1) - schemas.PackageVersion (Total Keys: 4) - schemas.SBOMReferenceOccurrence (Total Keys: 6) - schemas.SbomReferenceIntotoPayload (Total Keys: 7) - schemas.SbomReferenceIntotoPredicate (Total Keys: 7) #### ondemandscanning:v1beta1 The following keys were deleted: - schemas.Binary (Total Keys: 4) - schemas.PackageData.properties.binary.$ref (Total Keys: 1) The following keys were added: - schemas.Occurrence.properties.sbomReference.$ref (Total Keys: 1) - schemas.PackageData.properties.binaryVersion.$ref (Total Keys: 1) - schemas.PackageData.properties.sourceVersion.$ref (Total Keys: 1) - schemas.PackageVersion (Total Keys: 4) - schemas.SBOMReferenceOccurrence (Total Keys: 6) - schemas.SbomReferenceIntotoPayload (Total Keys: 7) - schemas.SbomReferenceIntotoPredicate (Total Keys: 7) --- ...dscanning_v1.projects.locations.scans.html | 6 +- ...jects.locations.scans.vulnerabilities.html | 29 ++++ ...ning_v1beta1.projects.locations.scans.html | 6 +- ...jects.locations.scans.vulnerabilities.html | 29 ++++ .../documents/ondemandscanning.v1.json | 140 +++++++++++++++--- .../documents/ondemandscanning.v1beta1.json | 140 +++++++++++++++--- 6 files changed, 306 insertions(+), 44 deletions(-) diff --git a/docs/dyn/ondemandscanning_v1.projects.locations.scans.html b/docs/dyn/ondemandscanning_v1.projects.locations.scans.html index 9c81930b945..46a4c663293 100644 
--- a/docs/dyn/ondemandscanning_v1.projects.locations.scans.html +++ b/docs/dyn/ondemandscanning_v1.projects.locations.scans.html @@ -100,7 +100,7 @@

Method Details

"packages": [ # The packages to analyze. { "architecture": "A String", # The architecture of the package. - "binary": { # The binary package. This is significant when the source is different than the binary itself. Historically if they've differed, we've stored the name of the source and its version in the package/version fields, but we should also store the binary package info, as that's what's actually installed. See b/175908657#comment15. + "binaryVersion": { # The binary package. This is significant when the source is different than the binary itself. Historically if they've differed, we've stored the name of the source and its version in the package/version fields, but we should also store the binary package info, as that's what's actually installed. See b/175908657#comment15. "name": "A String", "version": "A String", }, @@ -128,6 +128,10 @@

Method Details

"patchedCve": [ # CVEs that this package is no longer vulnerable to go/drydock-dd-custom-binary-scanning "A String", ], + "sourceVersion": { # The source package. Similar to the above, this is significant when the source is different than the binary itself. Since the top-level package/version fields are based on an if/else, we need a separate field for both binary and source if we want to know definitively where the data is coming from. + "name": "A String", + "version": "A String", + }, "unused": "A String", "version": "A String", # The version of the package being analysed }, diff --git a/docs/dyn/ondemandscanning_v1.projects.locations.scans.vulnerabilities.html b/docs/dyn/ondemandscanning_v1.projects.locations.scans.vulnerabilities.html index 0513d594b59..3f67ba6c4b1 100644 --- a/docs/dyn/ondemandscanning_v1.projects.locations.scans.vulnerabilities.html +++ b/docs/dyn/ondemandscanning_v1.projects.locations.scans.vulnerabilities.html @@ -656,6 +656,35 @@

Method Details

}, "remediation": "A String", # A description of actions that can be taken to remedy the note. "resourceUri": "A String", # Required. Immutable. A URI that represents the resource for which the occurrence applies. For example, `https://gcr.io/project/image@sha256:123abc` for a Docker image. + "sbomReference": { # The occurrence representing an SBOM reference as applied to a specific resource. The occurrence follows the DSSE specification. See https://github.com/secure-systems-lab/dsse/blob/master/envelope.md for more details. # Describes a specific SBOM reference occurrences. + "payload": { # The actual payload that contains the SBOM Reference data. The payload follows the intoto statement specification. See https://github.com/in-toto/attestation/blob/main/spec/v1.0/statement.md for more details. # The actual payload that contains the SBOM reference data. + "_type": "A String", # Identifier for the schema of the Statement. + "predicate": { # A predicate which describes the SBOM being referenced. # Additional parameters of the Predicate. Includes the actual data about the SBOM. + "digest": { # A map of algorithm to digest of the contents of the SBOM. + "a_key": "A String", + }, + "location": "A String", # The location of the SBOM. + "mimeType": "A String", # The mime type of the SBOM. + "referrerId": "A String", # The person or system referring this predicate to the consumer. + }, + "predicateType": "A String", # URI identifying the type of the Predicate. + "subject": [ # Set of software artifacts that the attestation applies to. Each element represents a single software artifact. + { + "digest": { # `"": ""` Algorithms can be e.g. sha256, sha512 See https://github.com/in-toto/attestation/blob/main/spec/field_types.md#DigestSet + "a_key": "A String", + }, + "name": "A String", + }, + ], + }, + "payloadType": "A String", # The kind of payload that SbomReferenceIntotoPayload takes. 
Since it's in the intoto format, this value is expected to be 'application/vnd.in-toto+json'. + "signatures": [ # The signatures over the payload. + { + "keyid": "A String", + "sig": "A String", + }, + ], + }, "updateTime": "A String", # Output only. The time this occurrence was last updated. "upgrade": { # An Upgrade Occurrence represents that a specific resource_url could install a specific upgrade. This presence is supplied via local sources (i.e. it is present in the mirror and the running system has noticed its availability). For Windows, both distribution and windows_update contain information for the Windows update. # Describes an available package upgrade on the linked resource. "distribution": { # The Upgrade Distribution represents metadata about the Upgrade for each operating system (CPE). Some distributions have additional metadata around updates, classifying them into various categories and severities. # Metadata about the upgrade for available for the specific operating system for the resource_url. This allows efficient filtering, as well as making it easier to use the occurrence. diff --git a/docs/dyn/ondemandscanning_v1beta1.projects.locations.scans.html b/docs/dyn/ondemandscanning_v1beta1.projects.locations.scans.html index 5424f1862ed..f7b281bf62d 100644 --- a/docs/dyn/ondemandscanning_v1beta1.projects.locations.scans.html +++ b/docs/dyn/ondemandscanning_v1beta1.projects.locations.scans.html @@ -99,7 +99,7 @@

Method Details

"packages": [ # The packages to analyze. { "architecture": "A String", # The architecture of the package. - "binary": { # The binary package. This is significant when the source is different than the binary itself. Historically if they've differed, we've stored the name of the source and its version in the package/version fields, but we should also store the binary package info, as that's what's actually installed. See b/175908657#comment15. + "binaryVersion": { # The binary package. This is significant when the source is different than the binary itself. Historically if they've differed, we've stored the name of the source and its version in the package/version fields, but we should also store the binary package info, as that's what's actually installed. See b/175908657#comment15. "name": "A String", "version": "A String", }, @@ -127,6 +127,10 @@

Method Details

"patchedCve": [ # CVEs that this package is no longer vulnerable to go/drydock-dd-custom-binary-scanning "A String", ], + "sourceVersion": { # The source package. Similar to the above, this is significant when the source is different than the binary itself. Since the top-level package/version fields are based on an if/else, we need a separate field for both binary and source if we want to know definitively where the data is coming from. + "name": "A String", + "version": "A String", + }, "unused": "A String", "version": "A String", # The version of the package being analysed }, diff --git a/docs/dyn/ondemandscanning_v1beta1.projects.locations.scans.vulnerabilities.html b/docs/dyn/ondemandscanning_v1beta1.projects.locations.scans.vulnerabilities.html index bd463c68189..30683c24d72 100644 --- a/docs/dyn/ondemandscanning_v1beta1.projects.locations.scans.vulnerabilities.html +++ b/docs/dyn/ondemandscanning_v1beta1.projects.locations.scans.vulnerabilities.html @@ -656,6 +656,35 @@

Method Details

}, "remediation": "A String", # A description of actions that can be taken to remedy the note. "resourceUri": "A String", # Required. Immutable. A URI that represents the resource for which the occurrence applies. For example, `https://gcr.io/project/image@sha256:123abc` for a Docker image. + "sbomReference": { # The occurrence representing an SBOM reference as applied to a specific resource. The occurrence follows the DSSE specification. See https://github.com/secure-systems-lab/dsse/blob/master/envelope.md for more details. # Describes a specific SBOM reference occurrences. + "payload": { # The actual payload that contains the SBOM Reference data. The payload follows the intoto statement specification. See https://github.com/in-toto/attestation/blob/main/spec/v1.0/statement.md for more details. # The actual payload that contains the SBOM reference data. + "_type": "A String", # Identifier for the schema of the Statement. + "predicate": { # A predicate which describes the SBOM being referenced. # Additional parameters of the Predicate. Includes the actual data about the SBOM. + "digest": { # A map of algorithm to digest of the contents of the SBOM. + "a_key": "A String", + }, + "location": "A String", # The location of the SBOM. + "mimeType": "A String", # The mime type of the SBOM. + "referrerId": "A String", # The person or system referring this predicate to the consumer. + }, + "predicateType": "A String", # URI identifying the type of the Predicate. + "subject": [ # Set of software artifacts that the attestation applies to. Each element represents a single software artifact. + { + "digest": { # `"": ""` Algorithms can be e.g. sha256, sha512 See https://github.com/in-toto/attestation/blob/main/spec/field_types.md#DigestSet + "a_key": "A String", + }, + "name": "A String", + }, + ], + }, + "payloadType": "A String", # The kind of payload that SbomReferenceIntotoPayload takes. 
Since it's in the intoto format, this value is expected to be 'application/vnd.in-toto+json'. + "signatures": [ # The signatures over the payload. + { + "keyid": "A String", + "sig": "A String", + }, + ], + }, "updateTime": "A String", # Output only. The time this occurrence was last updated. "upgrade": { # An Upgrade Occurrence represents that a specific resource_url could install a specific upgrade. This presence is supplied via local sources (i.e. it is present in the mirror and the running system has noticed its availability). For Windows, both distribution and windows_update contain information for the Windows update. # Describes an available package upgrade on the linked resource. "distribution": { # The Upgrade Distribution represents metadata about the Upgrade for each operating system (CPE). Some distributions have additional metadata around updates, classifying them into various categories and severities. # Metadata about the upgrade for available for the specific operating system for the resource_url. This allows efficient filtering, as well as making it easier to use the occurrence. diff --git a/googleapiclient/discovery_cache/documents/ondemandscanning.v1.json b/googleapiclient/discovery_cache/documents/ondemandscanning.v1.json index 2ee0f1c65c9..c5acd690238 100644 --- a/googleapiclient/discovery_cache/documents/ondemandscanning.v1.json +++ b/googleapiclient/discovery_cache/documents/ondemandscanning.v1.json @@ -339,7 +339,7 @@ } } }, - "revision": "20230410", + "revision": "20230517", "rootUrl": "https://ondemandscanning.googleapis.com/", "schemas": { "AliasContext": { @@ -506,18 +506,6 @@ }, "type": "object" }, - "Binary": { - "id": "Binary", - "properties": { - "name": { - "type": "string" - }, - "version": { - "type": "string" - } - }, - "type": "object" - }, "BuildOccurrence": { "description": "Details of a build occurrence.", "id": "BuildOccurrence", 
@@ -629,9 +617,11 @@ "enum": [ "ATTACK_COMPLEXITY_UNSPECIFIED", "ATTACK_COMPLEXITY_LOW", - "ATTACK_COMPLEXITY_HIGH" + "ATTACK_COMPLEXITY_HIGH", + "ATTACK_COMPLEXITY_MEDIUM" ], "enumDescriptions": [ + "", "", "", "" @@ -676,9 +666,13 @@ "IMPACT_UNSPECIFIED", "IMPACT_HIGH", "IMPACT_LOW", - "IMPACT_NONE" + "IMPACT_NONE", + "IMPACT_PARTIAL", + "IMPACT_COMPLETE" ], "enumDescriptions": [ + "", + "", "", "", "", @@ -696,9 +690,13 @@ "IMPACT_UNSPECIFIED", "IMPACT_HIGH", "IMPACT_LOW", - "IMPACT_NONE" + "IMPACT_NONE", + "IMPACT_PARTIAL", + "IMPACT_COMPLETE" ], "enumDescriptions": [ + "", + "", "", "", "", @@ -719,9 +717,13 @@ "IMPACT_UNSPECIFIED", "IMPACT_HIGH", "IMPACT_LOW", - "IMPACT_NONE" + "IMPACT_NONE", + "IMPACT_PARTIAL", + "IMPACT_COMPLETE" ], "enumDescriptions": [ + "", + "", "", "", "", @@ -1646,7 +1648,8 @@ "UPGRADE", "COMPLIANCE", "DSSE_ATTESTATION", - "VULNERABILITY_ASSESSMENT" + "VULNERABILITY_ASSESSMENT", + "SBOM_REFERENCE" ], "enumDescriptions": [ "Default value. This value is unused.", @@ -1660,7 +1663,8 @@ "This represents an available package upgrade.", "This represents a Compliance Note", "This represents a DSSE attestation Note", - "This represents a Vulnerability Assessment." + "This represents a Vulnerability Assessment.", + "This represents an SBOM Reference." ], "type": "string" }, @@ -1684,6 +1688,10 @@ "description": "Required. Immutable. A URI that represents the resource for which the occurrence applies. For example, `https://gcr.io/project/image@sha256:123abc` for a Docker image.", "type": "string" }, + "sbomReference": { + "$ref": "SBOMReferenceOccurrence", + "description": "Describes a specific SBOM reference occurrences." + }, "updateTime": { "description": "Output only. The time this occurrence was last updated.", "format": "google-datetime", 
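Review bot: The three new CVSS enum values (`ATTACK_COMPLEXITY_MEDIUM`, `IMPACT_PARTIAL`, `IMPACT_COMPLETE`) land with empty strings in `enumDescriptions`, so a consumer cannot tell from the discovery document that these appear to be CVSS v2 metric values sitting in the same enum as the v3 values `HIGH`/`LOW`/`NONE`. Policy code that maps these enums to a severity or a gate decision needs to know which scoring version produced a value, because `IMPACT_HIGH` (v3) and `IMPACT_COMPLETE` (v2) are not interchangeable. Suggest filling the descriptions, e.g. `"Attack complexity MEDIUM (CVSS v2 only)."`, `"Impact PARTIAL (CVSS v2 only)."`, `"Impact COMPLETE (CVSS v2 only)."`, and stating in the enclosing `CVSS` schema description which field records the CVSS version. The enclosing `CVSS` schema starts outside these hunks, and the `ondemandscanning.v1beta1.json` hunks below repeat the same empty descriptions.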
@@ -1742,8 +1750,8 @@ "description": "The architecture of the package.", "type": "string" }, - "binary": { - "$ref": "Binary", + "binaryVersion": { + "$ref": "PackageVersion", "description": "The binary package. This is significant when the source is different than the binary itself. Historically if they've differed, we've stored the name of the source and its version in the package/version fields, but we should also store the binary package info, as that's what's actually installed. See b/175908657#comment15." }, "cpeUri": { @@ -1813,6 +1821,10 @@ }, "type": "array" }, + "sourceVersion": { + "$ref": "PackageVersion", + "description": "The source package. Similar to the above, this is significant when the source is different than the binary itself. Since the top-level package/version fields are based on an if/else, we need a separate field for both binary and source if we want to know definitively where the data is coming from." + }, "unused": { "type": "string" }, @@ -1943,6 +1955,18 @@ }, "type": "object" }, + "PackageVersion": { + "id": "PackageVersion", + "properties": { + "name": { + "type": "string" + }, + "version": { + "type": "string" + } + }, + "type": "object" + }, "ProjectRepoId": { "description": "Selects a repo using a Google Cloud Platform project ID (e.g., winged-cargo-31) and a repo name within that project.", "id": "ProjectRepoId", 
@@ -2065,6 +2089,80 @@ }, "type": "object" }, + "SBOMReferenceOccurrence": { + "description": "The occurrence representing an SBOM reference as applied to a specific resource. The occurrence follows the DSSE specification. See https://github.com/secure-systems-lab/dsse/blob/master/envelope.md for more details.", + "id": "SBOMReferenceOccurrence", + "properties": { + "payload": { + "$ref": "SbomReferenceIntotoPayload", + "description": "The actual payload that contains the SBOM reference data." + }, + "payloadType": { + "description": "The kind of payload that SbomReferenceIntotoPayload takes. Since it's in the intoto format, this value is expected to be 'application/vnd.in-toto+json'.", + "type": "string" + }, + "signatures": { + "description": "The signatures over the payload.", + "items": { + "$ref": "EnvelopeSignature" + }, + "type": "array" + } + }, + "type": "object" + }, + "SbomReferenceIntotoPayload": { + "description": "The actual payload that contains the SBOM Reference data. The payload follows the intoto statement specification. See https://github.com/in-toto/attestation/blob/main/spec/v1.0/statement.md for more details.", + "id": "SbomReferenceIntotoPayload", + "properties": { + "_type": { + "description": "Identifier for the schema of the Statement.", + "type": "string" + }, + "predicate": { + "$ref": "SbomReferenceIntotoPredicate", + "description": "Additional parameters of the Predicate. Includes the actual data about the SBOM." + }, + "predicateType": { + "description": "URI identifying the type of the Predicate.", + "type": "string" + }, + "subject": { + "description": "Set of software artifacts that the attestation applies to. 
Each element represents a single software artifact.", + "items": { + "$ref": "Subject" + }, + "type": "array" + } + }, + "type": "object" + }, + "SbomReferenceIntotoPredicate": { + "description": "A predicate which describes the SBOM being referenced.", + "id": "SbomReferenceIntotoPredicate", + "properties": { + "digest": { + "additionalProperties": { + "type": "string" + }, + "description": "A map of algorithm to digest of the contents of the SBOM.", + "type": "object" + }, + "location": { + "description": "The location of the SBOM.", + "type": "string" + }, + "mimeType": { + "description": "The mime type of the SBOM.", + "type": "string" + }, + "referrerId": { + "description": "The person or system referring this predicate to the consumer.", + "type": "string" + } + }, + "type": "object" + }, "Signature": { "description": "Verifiers (e.g. Kritis implementations) MUST verify signatures with respect to the trust anchors defined in policy (e.g. a Kritis policy). Typically this means that the verifier has been configured with a map from `public_key_id` to public key material (and any required parameters, e.g. signing algorithm). In particular, verification implementations MUST NOT treat the signature `public_key_id` as anything more than a key lookup hint. The `public_key_id` DOES NOT validate or authenticate a public key; it only provides a mechanism for quickly selecting a public key ALREADY CONFIGURED on the verifier through a trusted channel. Verification implementations MUST reject signatures in any of the following circumstances: * The `public_key_id` is not recognized by the verifier. * The public key that `public_key_id` refers to does not verify the signature with respect to the payload. The `signature` contents SHOULD NOT be \"attached\" (where the payload is included with the serialized `signature` bytes). Verifiers MUST ignore any \"attached\" payload and only verify signatures with respect to explicitly provided payload (e.g. 
a `payload` field on the proto message that holds this Signature, or the canonical serialization of the proto message that holds this signature).", "id": "Signature", diff --git a/googleapiclient/discovery_cache/documents/ondemandscanning.v1beta1.json b/googleapiclient/discovery_cache/documents/ondemandscanning.v1beta1.json index ef80ff8f1f2..2254ea6ab0f 100644 --- a/googleapiclient/discovery_cache/documents/ondemandscanning.v1beta1.json +++ b/googleapiclient/discovery_cache/documents/ondemandscanning.v1beta1.json @@ -339,7 +339,7 @@ } } }, - "revision": "20230410", + "revision": "20230517", "rootUrl": "https://ondemandscanning.googleapis.com/", "schemas": { "AliasContext": { @@ -502,18 +502,6 @@ }, "type": "object" }, - "Binary": { - "id": "Binary", - "properties": { - "name": { - "type": "string" - }, - "version": { - "type": "string" - } - }, - "type": "object" - }, "BuildOccurrence": { "description": "Details of a build occurrence.", "id": "BuildOccurrence", @@ -625,9 +613,11 @@ "enum": [ "ATTACK_COMPLEXITY_UNSPECIFIED", "ATTACK_COMPLEXITY_LOW", - "ATTACK_COMPLEXITY_HIGH" + "ATTACK_COMPLEXITY_HIGH", + "ATTACK_COMPLEXITY_MEDIUM" ], "enumDescriptions": [ + "", "", "", "" @@ -672,9 +662,13 @@ "IMPACT_UNSPECIFIED", "IMPACT_HIGH", "IMPACT_LOW", - "IMPACT_NONE" + "IMPACT_NONE", + "IMPACT_PARTIAL", + "IMPACT_COMPLETE" ], "enumDescriptions": [ + "", + "", "", "", "", @@ -692,9 +686,13 @@ "IMPACT_UNSPECIFIED", "IMPACT_HIGH", "IMPACT_LOW", - "IMPACT_NONE" + "IMPACT_NONE", + "IMPACT_PARTIAL", + "IMPACT_COMPLETE" ], "enumDescriptions": [ + "", + "", "", "", "", @@ -715,9 +713,13 @@ "IMPACT_UNSPECIFIED", "IMPACT_HIGH", "IMPACT_LOW", - "IMPACT_NONE" + "IMPACT_NONE", + "IMPACT_PARTIAL", + "IMPACT_COMPLETE" ], "enumDescriptions": [ + "", + "", "", "", "", @@ -1642,7 +1644,8 @@ "UPGRADE", "COMPLIANCE", "DSSE_ATTESTATION", - "VULNERABILITY_ASSESSMENT" + "VULNERABILITY_ASSESSMENT", + "SBOM_REFERENCE" ], "enumDescriptions": [ "Default value. This value is unused.", 
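Review bot: `SBOMReferenceOccurrence.signatures` is described only as "The signatures over the payload", while `payload` is returned as a decoded `SbomReferenceIntotoPayload` object rather than the signed bytes; the hunk never says what byte sequence a `sig` in `EnvelopeSignature` is to be checked against, nor that `keyid` is only a lookup hint — the `Signature` schema immediately below spells out exactly these rules for `public_key_id`, so the new DSSE-shaped field is weaker on the point that matters most. Suggest: `"The signatures over the payload, as DSSE envelope signatures. Verifiers MUST treat keyid only as a hint to select a key already configured through a trusted channel, and MUST verify sig over the exact signed bytes (DSSE PAE of payloadType and the original payload serialization), not over a re-serialization of the payload fields returned here."` The `SbomReferenceIntotoPredicate.location` and `digest` descriptions should likewise say that `location` is an untrusted pointer and that the fetched SBOM must match `digest` before its contents are trusted, e.g. `"The location of the SBOM. Consumers MUST verify the retrieved contents against digest before use."` The enclosing `schemas` object and the `Signature` schema both continue outside this hunk, and the identical v1beta1 hunk needs the same wording.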
@@ -1656,7 +1659,8 @@ "This represents an available package upgrade.", "This represents a Compliance Note", "This represents a DSSE attestation Note", - "This represents a Vulnerability Assessment." + "This represents a Vulnerability Assessment.", + "This represents an SBOM Reference." ], "type": "string" }, @@ -1680,6 +1684,10 @@ "description": "Required. Immutable. A URI that represents the resource for which the occurrence applies. For example, `https://gcr.io/project/image@sha256:123abc` for a Docker image.", "type": "string" }, + "sbomReference": { + "$ref": "SBOMReferenceOccurrence", + "description": "Describes a specific SBOM reference occurrences." + }, "updateTime": { "description": "Output only. The time this occurrence was last updated.", "format": "google-datetime", @@ -1738,8 +1746,8 @@ "description": "The architecture of the package.", "type": "string" }, - "binary": { - "$ref": "Binary", + "binaryVersion": { + "$ref": "PackageVersion", "description": "The binary package. This is significant when the source is different than the binary itself. Historically if they've differed, we've stored the name of the source and its version in the package/version fields, but we should also store the binary package info, as that's what's actually installed. See b/175908657#comment15." }, "cpeUri": { @@ -1809,6 +1817,10 @@ }, "type": "array" }, + "sourceVersion": { + "$ref": "PackageVersion", + "description": "The source package. Similar to the above, this is significant when the source is different than the binary itself. Since the top-level package/version fields are based on an if/else, we need a separate field for both binary and source if we want to know definitively where the data is coming from." + }, "unused": { "type": "string" }, 
@@ -1939,6 +1951,18 @@ }, "type": "object" }, + "PackageVersion": { + "id": "PackageVersion", + "properties": { + "name": { + "type": "string" + }, + "version": { + "type": "string" + } + }, + "type": "object" + }, "ProjectRepoId": { "description": "Selects a repo using a Google Cloud Platform project ID (e.g., winged-cargo-31) and a repo name within that project.", "id": "ProjectRepoId", 
@@ -2061,6 +2085,80 @@ }, "type": "object" }, + "SBOMReferenceOccurrence": { + "description": "The occurrence representing an SBOM reference as applied to a specific resource. The occurrence follows the DSSE specification. See https://github.com/secure-systems-lab/dsse/blob/master/envelope.md for more details.", + "id": "SBOMReferenceOccurrence", + "properties": { + "payload": { + "$ref": "SbomReferenceIntotoPayload", + "description": "The actual payload that contains the SBOM reference data." + }, + "payloadType": { + "description": "The kind of payload that SbomReferenceIntotoPayload takes. Since it's in the intoto format, this value is expected to be 'application/vnd.in-toto+json'.", + "type": "string" + }, + "signatures": { + "description": "The signatures over the payload.", + "items": { + "$ref": "EnvelopeSignature" + }, + "type": "array" + } + }, + "type": "object" + }, + "SbomReferenceIntotoPayload": { + "description": "The actual payload that contains the SBOM Reference data. The payload follows the intoto statement specification. See https://github.com/in-toto/attestation/blob/main/spec/v1.0/statement.md for more details.", + "id": "SbomReferenceIntotoPayload", + "properties": { + "_type": { + "description": "Identifier for the schema of the Statement.", + "type": "string" + }, + "predicate": { + "$ref": "SbomReferenceIntotoPredicate", + "description": "Additional parameters of the Predicate. Includes the actual data about the SBOM." + }, + "predicateType": { + "description": "URI identifying the type of the Predicate.", + "type": "string" + }, + "subject": { + "description": "Set of software artifacts that the attestation applies to. 
Each element represents a single software artifact.", + "items": { + "$ref": "Subject" + }, + "type": "array" + } + }, + "type": "object" + }, + "SbomReferenceIntotoPredicate": { + "description": "A predicate which describes the SBOM being referenced.", + "id": "SbomReferenceIntotoPredicate", + "properties": { + "digest": { + "additionalProperties": { + "type": "string" + }, + "description": "A map of algorithm to digest of the contents of the SBOM.", + "type": "object" + }, + "location": { + "description": "The location of the SBOM.", + "type": "string" + }, + "mimeType": { + "description": "The mime type of the SBOM.", + "type": "string" + }, + "referrerId": { + "description": "The person or system referring this predicate to the consumer.", + "type": "string" + } + }, + "type": "object" + }, "Signature": { "description": "Verifiers (e.g. Kritis implementations) MUST verify signatures with respect to the trust anchors defined in policy (e.g. a Kritis policy). Typically this means that the verifier has been configured with a map from `public_key_id` to public key material (and any required parameters, e.g. signing algorithm). In particular, verification implementations MUST NOT treat the signature `public_key_id` as anything more than a key lookup hint. The `public_key_id` DOES NOT validate or authenticate a public key; it only provides a mechanism for quickly selecting a public key ALREADY CONFIGURED on the verifier through a trusted channel. Verification implementations MUST reject signatures in any of the following circumstances: * The `public_key_id` is not recognized by the verifier. * The public key that `public_key_id` refers to does not verify the signature with respect to the payload. The `signature` contents SHOULD NOT be \"attached\" (where the payload is included with the serialized `signature` bytes). Verifiers MUST ignore any \"attached\" payload and only verify signatures with respect to explicitly provided payload (e.g. 
a `payload` field on the proto message that holds this Signature, or the canonical serialization of the proto message that holds this signature).", "id": "Signature",