feat:Import of Grafeas from Github

PiperOrigin-RevId: 453542250

grafeas/v1/BUILD.bazel

@@ -37,6 +37,7 @@ proto_library(
         "provenance.proto",
         "severity.proto",
         "slsa_provenance.proto",
+        "slsa_provenance_zero_two.proto",
         "upgrade.proto",
         "vulnerability.proto",
     ],
@@ -49,6 +50,7 @@ proto_library(
         "@com_google_protobuf//:any_proto",
         "@com_google_protobuf//:empty_proto",
         "@com_google_protobuf//:field_mask_proto",
+        "@com_google_protobuf//:struct_proto",
         "@com_google_protobuf//:timestamp_proto",
     ],
 )

grafeas/v1/common.proto

@@ -119,3 +119,32 @@ message EnvelopeSignature {
   bytes sig = 1;
   string keyid = 2;
 }
+
+// Indicates the location at which a package was found.
+message FileLocation {
+  // For jars that are contained inside .war files, this filepath
+  // can indicate the path to war file combined with the path to jar file.
+  string file_path = 1;
+}
+
+// License information.
+message License {
+  // Often a single license can be used to represent the licensing terms.
+  // Sometimes it is necessary to include a choice of one or more licenses
+  // or some combination of license identifiers.
+  // Examples: "LGPL-2.1-only OR MIT", "LGPL-2.1-only AND MIT",
+  // "GPL-2.0-or-later WITH Bison-exception-2.2".
+  string expression = 1;
+
+  // Comments
+  string comments = 2;
+}
+
+// Digest information.
+message Digest {
+  // `SHA1`, `SHA512` etc.
+  string algo = 1;
+
+  // Value of the digest.
+  bytes digest_bytes = 2;
+}

grafeas/v1/compliance.proto

@@ -52,6 +52,9 @@ message ComplianceVersion {
   // The CPE URI (https://cpe.mitre.org/specification/) this benchmark is
   // applicable to.
   string cpe_uri = 1;
+  // The name of the document that defines this benchmark, e.g. "CIS
+  // Container-Optimized OS".
+  string benchmark_document = 3;
   // The version of the benchmark. This is set to the version of the OS-specific
   // CIS document the benchmark is defined in.
   string version = 2;

grafeas/v1/cvss.proto

@@ -19,8 +19,8 @@ package grafeas.v1;
 option go_package = "google.golang.org/genproto/googleapis/grafeas/v1;grafeas";
 option java_multiple_files = true;
 option java_package = "io.grafeas.v1";
-option java_outer_classname = "CvssProto";
 option objc_class_prefix = "GRA";
+option java_outer_classname = "CVSSProto";
 
 // Common Vulnerability Scoring System version 3.
 // For details, see https://www.first.org/cvss/specification-document
@@ -87,10 +87,8 @@ message CVSSv3 {
 
 // Common Vulnerability Scoring System.
 // For details, see https://www.first.org/cvss/specification-document
-// This is a message we will try to use for storing multiple versions of
-// CVSS. The intention is that as new versions of CVSS scores get added, we
-// will be able to modify this message rather than adding new protos for each
-// new version of the score.
+// This is a message we will try to use for storing various versions of CVSS
+// rather than making a separate proto for storing a specific version.
 message CVSS {
   // The base score is a function of the base metric scores.
   float base_score = 1;

grafeas/v1/dsse_attestation.proto

@@ -49,4 +49,4 @@ message DSSEAttestationOccurrence {
   oneof decoded_payload {
     InTotoStatement statement = 2;
   }
-}
+}

grafeas/v1/intoto_statement.proto

@@ -18,6 +18,7 @@ package grafeas.v1;
 
 import "grafeas/v1/intoto_provenance.proto";
 import "grafeas/v1/slsa_provenance.proto";
+import "grafeas/v1/slsa_provenance_zero_two.proto";
 
 option go_package = "google.golang.org/genproto/googleapis/grafeas/v1;grafeas";
 option java_multiple_files = true;
@@ -38,6 +39,7 @@ message InTotoStatement {
   oneof predicate {
     InTotoProvenance provenance = 4;
     SlsaProvenance slsa_provenance = 5;
+    SlsaProvenanceZeroTwo slsa_provenance_zero_two = 6;
   }
 }
 message Subject {

grafeas/v1/package.proto

@@ -16,6 +16,9 @@ syntax = "proto3";
 
 package grafeas.v1;
 
+import "google/api/field_behavior.proto";
+import "grafeas/v1/common.proto";
+
 option go_package = "google.golang.org/genproto/googleapis/grafeas/v1;grafeas";
 option java_multiple_files = true;
 option java_package = "io.grafeas.v1";
@@ -34,9 +37,9 @@ enum Architecture {
 // This represents a particular channel of distribution for a given package.
 // E.g., Debian's jessie-backports dpkg mirror.
 message Distribution {
-  // Required. The cpe_uri in [CPE format](https://cpe.mitre.org/specification/)
+  // The cpe_uri in [CPE format](https://cpe.mitre.org/specification/)
   // denoting the package manager version distributing a package.
-  string cpe_uri = 1;
+  string cpe_uri = 1 [(google.api.field_behavior) = REQUIRED];
 
   // The CPU architecture for which packages in this distribution channel were
   // built.
@@ -58,36 +61,93 @@ message Distribution {
 // An occurrence of a particular package installation found within a system's
 // filesystem. E.g., glibc was found in `/var/lib/dpkg/status`.
 message Location {
-  // Required. The CPE URI in [CPE format](https://cpe.mitre.org/specification/)
-  // denoting the package manager version distributing a package.
+  // Deprecated.
+  // The CPE URI in [CPE format](https://cpe.mitre.org/specification/)
   string cpe_uri = 1;
 
+  // Deprecated.
   // The version installed at this location.
   Version version = 2;
 
   // The path from which we gathered that this package/version is installed.
   string path = 3;
 }
 
-// This represents a particular package that is distributed over various
-// channels. E.g., glibc (aka libc6) is distributed by many, at various
-// versions.
+// PackageNote represents a particular package version.
 message PackageNote {
-  // Required. Immutable. The name of the package.
-  string name = 1;
+  // The name of the package.
+  string name = 1 [
+    (google.api.field_behavior) = REQUIRED,
+    (google.api.field_behavior) = IMMUTABLE
+  ];
 
+  // Deprecated.
   // The various channels by which a package is distributed.
   repeated Distribution distribution = 10;
+
+  // The type of package; whether native or non native (e.g., ruby gems,
+  // node.js packages, etc.).
+  string package_type = 11;
+
+  // The cpe_uri in [CPE format](https://cpe.mitre.org/specification/)
+  // denoting the package manager version distributing a package.
+  // The cpe_uri will be blank for language packages.
+  string cpe_uri = 12;
+
+  // The CPU architecture for which packages in this distribution channel were
+  // built. Architecture will be blank for language packages.
+  Architecture architecture = 13;
+
+  // The version of the package.
+  Version version = 14;
+
+  // A freeform text denoting the maintainer of this package.
+  string maintainer = 15;
+
+  // The homepage for this package.
+  string url = 16;
+
+  // The description of this package.
+  string description = 17;
+
+  // Licenses that have been declared by the authors of the package.
+  License license = 18;
+
+  // Hash value, typically a file digest, that allows unique
+  // identification a specific package.
+  repeated Digest digest = 19;
 }
 
 // Details on how a particular software package was installed on a system.
 message PackageOccurrence {
-  // Output only. The name of the installed package.
-  string name = 1;
+  // The name of the installed package.
+  string name = 1 [
+    (google.api.field_behavior) = REQUIRED,
+    (google.api.field_behavior) = OUTPUT_ONLY
+  ];
 
-  // Required. All of the places within the filesystem versions of this package
+  // All of the places within the filesystem versions of this package
   // have been found.
   repeated Location location = 2;
+
+  // The type of package; whether native or non native (e.g., ruby gems,
+  // node.js packages, etc.).
+  string package_type = 3 [(google.api.field_behavior) = OUTPUT_ONLY];
+
+  // The cpe_uri in [CPE format](https://cpe.mitre.org/specification/)
+  // denoting the package manager version distributing a package.
+  // The cpe_uri will be blank for language packages.
+  string cpe_uri = 4 [(google.api.field_behavior) = OUTPUT_ONLY];
+
+  // The CPU architecture for which packages in this distribution channel were
+  // built. Architecture will be blank for language packages.
+  Architecture architecture = 5 [(google.api.field_behavior) = OUTPUT_ONLY];
+
+  // Licenses that have been declared by the authors of the package.
+  License license = 6;
+
+  // The version of the package.
+  Version version = 7 [(google.api.field_behavior) = OUTPUT_ONLY];
 }
 
 // Version contains structured information about the version of a package.

grafeas/v1/slsa_provenance.proto

@@ -23,6 +23,7 @@ option go_package = "google.golang.org/genproto/googleapis/grafeas/v1;grafeas";
 option java_multiple_files = true;
 option java_package = "io.grafeas.v1";
 option objc_class_prefix = "GRA";
+option java_outer_classname = "SlsaProvenanceProto";
 
 message SlsaProvenance {
   // Steps taken to build the artifact.
@@ -111,4 +112,4 @@ message SlsaProvenance {
   // incomplete unless metadata.completeness.materials is true. Unset or null is
   // equivalent to empty.
   repeated Material materials = 4;
-}
+}

grafeas/v1/slsa_provenance_zero_two.proto

@@ -0,0 +1,82 @@
+// Copyright 2021 The Grafeas Authors. All rights reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//    http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package grafeas.v1;
+
+import "google/protobuf/struct.proto";
+import "google/protobuf/timestamp.proto";
+
+option go_package = "google.golang.org/genproto/googleapis/grafeas/v1;grafeas";
+option java_multiple_files = true;
+option java_package = "io.grafeas.v1";
+option objc_class_prefix = "GRA";
+option java_outer_classname = "SlsaProvenanceZeroTwoProto";
+
+message SlsaProvenanceZeroTwo {
+  // See full explanation of fields at slsa.dev/provenance/v0.2.
+
+  // Identifies the entity that executed the recipe, which is trusted to have
+  // correctly performed the operation and populated this provenance.
+  message SlsaBuilder {
+    string id = 1;
+  }
+
+  // The collection of artifacts that influenced the build including sources,
+  // dependencies, build tools, base images, and so on.
+  message SlsaMaterial {
+    string uri = 1;
+    map<string, string> digest = 2;
+  }
+
+  // Identifies the event that kicked off the build.
+  message SlsaInvocation {
+    SlsaConfigSource config_source = 1;
+    google.protobuf.Struct parameters = 2;
+    google.protobuf.Struct environment = 3;
+  }
+
+  // Describes where the config file that kicked off the build came from.
+  // This is effectively a pointer to the source where buildConfig came from.
+  message SlsaConfigSource {
+    string uri = 1;
+    map<string, string> digest = 2;
+    string entry_point = 3;
+  }
+
+  // Other properties of the build.
+  message SlsaMetadata {
+    string build_invocation_id = 1;
+    google.protobuf.Timestamp build_started_on = 2;
+    google.protobuf.Timestamp build_finished_on = 3;
+    SlsaCompleteness completeness = 4;
+    bool reproducible = 5;
+  }
+
+  // Indicates that the builder claims certain fields in this message to be
+  // complete.
+  message SlsaCompleteness {
+    bool parameters = 1;
+    bool environment = 2;
+    bool materials = 3;
+  }
+
+  SlsaBuilder builder = 1;
+  string build_type = 2;
+  SlsaInvocation invocation = 3;
+  google.protobuf.Struct build_config = 4;
+  SlsaMetadata metadata = 5;
+  repeated SlsaMaterial materials = 6;
+}