feat: Updating the grafeas protos to include compliance and intoto attestation protos (#352)

* feat: Updating the grafeas protos to include compliance and intoto attestation protos

PiperOrigin-RevId: 407119231

Source-Link: googleapis/googleapis@381ab78

Source-Link: googleapis/googleapis-gen@e90da8d
Copy-Tag: eyJwIjoiLmdpdGh1Yi8uT3dsQm90LnlhbWwiLCJoIjoiZTkwZGE4ZGQ4MzEwNTM3YjUzMTMzZWZiMTg2N2E4OTkwYWRiMTQ5YSJ9

* 🦉 Updates from OwlBot

See https://github.com/googleapis/repo-automation-bots/blob/main/packages/owl-bot/README.md

Co-authored-by: Owl Bot <gcf-owl-bot[bot]@users.noreply.github.com>

Author: gcf-owl-bot[bot]

packages/google-devtools-containeranalysis/protos/grafeas/v1/attestation.proto

@@ -53,6 +53,13 @@ message AttestationNote {
   Hint hint = 1;
 }
 
+message Jwt {
+  // The compact encoding of a JWS, which is always three base64 encoded strings
+  // joined by periods. For details, see:
+  // https://tools.ietf.org/html/rfc7515.html#section-3.1
+  string compact_jwt = 1;
+}
+
 // Occurrence that represents a single "attestation". The authenticity of an
 // attestation can be verified using the attached signature. If the verifier
 // trusts the public key of the signer, then verifying the signature is
@@ -70,4 +77,14 @@ message AttestationOccurrence {
   // `signature` verifies `serialized_payload`.  See `Signature` in common.proto
   // for more details on signature structure and verification.
   repeated Signature signatures = 2;
+  // One or more JWTs encoding a self-contained attestation.
+  // Each JWT encodes the payload that it verifies within the JWT itself.
+  // Verifier implementation SHOULD ignore the `serialized_payload` field
+  // when verifying these JWTs.
+  // If only JWTs are present on this AttestationOccurrence, then the
+  // `serialized_payload` SHOULD be left empty.
+  // Each JWT SHOULD encode a claim specific to the `resource_uri` of this
+  // Occurrence, but this is not validated by Grafeas metadata API
+  // implementations.  The JWT itself is opaque to Grafeas.
+  repeated Jwt jwts = 3;
 }

packages/google-devtools-containeranalysis/protos/grafeas/v1/build.proto

@@ -16,6 +16,8 @@ syntax = "proto3";
 
 package grafeas.v1;
 
+import "grafeas/v1/intoto_provenance.proto";
+import "grafeas/v1/intoto_statement.proto";
 import "grafeas/v1/provenance.proto";
 
 option go_package = "google.golang.org/genproto/googleapis/grafeas/v1;grafeas";
@@ -32,7 +34,7 @@ message BuildNote {
 
 // Details of a build occurrence.
 message BuildOccurrence {
-  // Required. The actual provenance for the build.
+  // The actual provenance for the build.
   grafeas.v1.BuildProvenance provenance = 1;
 
   // Serialized JSON representation of the provenance, used in generating the
@@ -47,4 +49,14 @@ message BuildOccurrence {
   // provenance is marshalled to json as well to prevent incompatibilities with
   // future changes.
   string provenance_bytes = 2;
+
+  // Deprecated. See InTotoStatement for the replacement.
+  // In-toto Provenance representation as defined in spec.
+  InTotoProvenance intoto_provenance = 3;
+
+  // In-toto Statement representation as defined in spec.
+  // The intoto_statement can contain any type of provenance. The serialized
+  // payload of the statement can be stored and signed in the Occurrence's
+  // envelope.
+  InTotoStatement intoto_statement = 4;
 }

packages/google-devtools-containeranalysis/protos/grafeas/v1/common.proto

@@ -23,7 +23,7 @@ option objc_class_prefix = "GRA";
 
 // Kind represents the kinds of notes supported.
 enum NoteKind {
-  // Unknown.
+  // Default value. This value is unused.
   NOTE_KIND_UNSPECIFIED = 0;
   // The note and occurrence represent a package vulnerability.
   VULNERABILITY = 1;
@@ -41,6 +41,10 @@ enum NoteKind {
   ATTESTATION = 7;
   // This represents an available package upgrade.
   UPGRADE = 8;
+  // This represents a Compliance Note
+  COMPLIANCE = 9;
+  // This represents a DSSE attestation Note
+  DSSE_ATTESTATION = 10;
 }
 
 // Metadata for any related URL information.
@@ -84,7 +88,7 @@ message Signature {
 
   // The identifier for the public key that verifies this signature.
   //   * The `public_key_id` is required.
-  //   * The `public_key_id` MUST be an RFC3986 conformant URI.
+  //   * The `public_key_id` SHOULD be an RFC3986 conformant URI.
   //   * When possible, the `public_key_id` SHOULD be an immutable reference,
   //     such as a cryptographic digest.
   //
@@ -101,3 +105,17 @@ message Signature {
   //   * "nih:///sha-256;703f68f42aba2c6de30f488a5ea122fef76324679c9bf89791ba95a1271589a5"
   string public_key_id = 2;
 }
+
+// MUST match
+// https://github.com/secure-systems-lab/dsse/blob/master/envelope.proto. An
+// authenticated message of arbitrary type.
+message Envelope {
+  bytes payload = 1;
+  string payload_type = 2;
+  repeated EnvelopeSignature signatures = 3;
+}
+
+message EnvelopeSignature {
+  bytes sig = 1;
+  string keyid = 2;
+}

packages/google-devtools-containeranalysis/protos/grafeas/v1/compliance.proto

@@ -0,0 +1,79 @@
+// Copyright 2021 The Grafeas Authors. All rights reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//    http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package grafeas.v1;
+
+import "grafeas/v1/vulnerability.proto";
+
+option go_package = "google.golang.org/genproto/googleapis/grafeas/v1;grafeas";
+option java_multiple_files = true;
+option java_package = "io.grafeas.v1";
+option objc_class_prefix = "GRA";
+
+message ComplianceNote {
+  // The title that identifies this compliance check.
+  string title = 1;
+  // A description about this compliance check.
+  string description = 2;
+  // The OS and config versions the benchmark applies to.
+  repeated grafeas.v1.ComplianceVersion version = 3;
+  // A rationale for the existence of this compliance check.
+  string rationale = 4;
+  // A description of remediation steps if the compliance check fails.
+  string remediation = 5;
+  // A compliance check that is a CIS benchmark.
+  message CisBenchmark {
+    int32 profile_level = 1;
+    grafeas.v1.Severity severity = 2;
+  }
+  oneof compliance_type {
+    CisBenchmark cis_benchmark = 6;
+  }
+  // Serialized scan instructions with a predefined format.
+  bytes scan_instructions = 7;
+}
+
+// Describes the CIS benchmark version that is applicable to a given OS and
+// os version.
+message ComplianceVersion {
+  // The CPE URI (https://cpe.mitre.org/specification/) this benchmark is
+  // applicable to.
+  string cpe_uri = 1;
+  // The version of the benchmark. This is set to the version of the OS-specific
+  // CIS document the benchmark is defined in.
+  string version = 2;
+}
+
+// An indication that the compliance checks in the associated ComplianceNote
+// were not satisfied for particular resources or a specified reason.
+message ComplianceOccurrence {
+  repeated NonCompliantFile non_compliant_files = 2;
+  string non_compliance_reason = 3;
+}
+
+// Details about files that caused a compliance check to fail.
+message NonCompliantFile {
+  // display_command is a single command that can be used to display a list of
+  // non compliant files. When there is no such command, we can also iterate a
+  // list of non compliant file using 'path'.
+
+  // Empty if `display_command` is set.
+  string path = 1;
+  // Command to display the non-compliant files.
+  string display_command = 2;
+  // Explains why a file is non compliant for a CIS check.
+  string reason = 3;
+}

packages/google-devtools-containeranalysis/protos/grafeas/v1/dsse_attestation.proto

@@ -0,0 +1,52 @@
+// Copyright 2021 The Grafeas Authors. All rights reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//    http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+syntax = "proto3";
+
+package grafeas.v1;
+
+import "grafeas/v1/common.proto";
+import "grafeas/v1/intoto_statement.proto";
+
+option go_package = "google.golang.org/genproto/googleapis/grafeas/v1;grafeas";
+option java_multiple_files = true;
+option java_package = "io.grafeas.v1";
+option objc_class_prefix = "GRA";
+
+message DSSEAttestationNote {
+  // This submessage provides human-readable hints about the purpose of the
+  // authority. Because the name of a note acts as its resource reference, it is
+  // important to disambiguate the canonical name of the Note (which might be a
+  // UUID for security purposes) from "readable" names more suitable for debug
+  // output. Note that these hints should not be used to look up authorities in
+  // security sensitive contexts, such as when looking up attestations to
+  // verify.
+  message DSSEHint {
+    // Required. The human readable name of this attestation authority, for
+    // example "cloudbuild-prod".
+    string human_readable_name = 1;
+  }
+  // DSSEHint hints at the purpose of the attestation authority.
+  DSSEHint hint = 1;
+}
+
+// Deprecated. Prefer to use a regular Occurrence, and populate the
+// Envelope at the top level of the Occurrence.
+message DSSEAttestationOccurrence {
+  // If doing something security critical, make sure to verify the signatures in
+  // this metadata.
+  Envelope envelope = 1;
+  oneof decoded_payload {
+    InTotoStatement statement = 2;
+  }
+}

packages/google-devtools-containeranalysis/protos/grafeas/v1/grafeas.proto

@@ -26,8 +26,10 @@ import "google/protobuf/timestamp.proto";
 import "grafeas/v1/attestation.proto";
 import "grafeas/v1/build.proto";
 import "grafeas/v1/common.proto";
+import "grafeas/v1/compliance.proto";
 import "grafeas/v1/deployment.proto";
 import "grafeas/v1/discovery.proto";
+import "grafeas/v1/dsse_attestation.proto";
 import "grafeas/v1/image.proto";
 import "grafeas/v1/package.proto";
 import "grafeas/v1/upgrade.proto";
@@ -242,7 +244,14 @@ message Occurrence {
     grafeas.v1.AttestationOccurrence attestation = 14;
     // Describes an available package upgrade on the linked resource.
     grafeas.v1.UpgradeOccurrence upgrade = 15;
+    // Describes a compliance violation on a linked resource.
+    grafeas.v1.ComplianceOccurrence compliance = 16;
+    // Describes an attestation of an artifact using dsse.
+    grafeas.v1.DSSEAttestationOccurrence dsse_attestation = 17;
   }
+
+  // https://github.com/secure-systems-lab/dsse
+  grafeas.v1.Envelope envelope = 18;
 }
 
 // A type of analysis that can be done for a resource.
@@ -301,6 +310,10 @@ message Note {
     grafeas.v1.AttestationNote attestation = 16;
     // A note describing available package upgrades.
     grafeas.v1.UpgradeNote upgrade = 17;
+    // A note describing a compliance check.
+    grafeas.v1.ComplianceNote compliance = 18;
+    // A note describing a dsse attestation note.
+    grafeas.v1.DSSEAttestationNote dsse_attestation = 19;
   }
 }
 

packages/google-devtools-containeranalysis/protos/grafeas/v1/intoto_provenance.proto

@@ -0,0 +1,112 @@
+// Copyright 2021 The Grafeas Authors. All rights reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//    http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package grafeas.v1;
+
+import "google/protobuf/any.proto";
+import "google/protobuf/timestamp.proto";
+
+option go_package = "google.golang.org/genproto/googleapis/grafeas/v1;grafeas";
+option java_multiple_files = true;
+option java_package = "io.grafeas.v1";
+option objc_class_prefix = "GRA";
+
+// Spec defined at
+// https://github.com/in-toto/attestation/blob/main/spec/predicates/provenance.md
+
+// Steps taken to build the artifact.
+// For a TaskRun, typically each container corresponds to one step in the
+// recipe.
+message Recipe {
+  // URI indicating what type of recipe was performed. It determines the meaning
+  // of recipe.entryPoint, recipe.arguments, recipe.environment, and materials.
+  string type = 1;
+  // Index in materials containing the recipe steps that are not implied by
+  // recipe.type. For example, if the recipe type were "make", then this would
+  // point to the source containing the Makefile, not the make program itself.
+  // Set to -1 if the recipe doesn't come from a material, as zero is default
+  // unset value for int64.
+  int64 defined_in_material = 2;
+  // String identifying the entry point into the build.
+  // This is often a path to a configuration file and/or a target label within
+  // that file. The syntax and meaning are defined by recipe.type. For example,
+  // if the recipe type were "make", then this would reference the directory in
+  // which to run make as well as which target to use.
+  string entry_point = 3;
+  // Collection of all external inputs that influenced the build on top of
+  // recipe.definedInMaterial and recipe.entryPoint. For example, if the recipe
+  // type were "make", then this might be the flags passed to make aside from
+  // the target, which is captured in recipe.entryPoint. Since the arguments
+  // field can greatly vary in structure, depending on the builder and recipe
+  // type, this is of form "Any".
+  repeated google.protobuf.Any arguments = 4;
+  // Any other builder-controlled inputs necessary for correctly evaluating the
+  // recipe. Usually only needed for reproducing the build but not evaluated as
+  // part of policy. Since the environment field can greatly vary in structure,
+  // depending on the builder and recipe type, this is of form "Any".
+  repeated google.protobuf.Any environment = 5;
+}
+
+// Indicates that the builder claims certain fields in this message to be
+// complete.
+message Completeness {
+  // If true, the builder claims that recipe.arguments is complete, meaning that
+  // all external inputs are properly captured in the recipe.
+  bool arguments = 1;
+  // If true, the builder claims that recipe.environment is claimed to be
+  // complete.
+  bool environment = 2;
+  // If true, the builder claims that materials are complete, usually through
+  // some controls to prevent network access. Sometimes called "hermetic".
+  bool materials = 3;
+}
+
+// Other properties of the build.
+message Metadata {
+  // Identifies the particular build invocation, which can be useful for finding
+  // associated logs or other ad-hoc analysis. The value SHOULD be globally
+  // unique, per in-toto Provenance spec.
+  string build_invocation_id = 1;
+  // The timestamp of when the build started.
+  google.protobuf.Timestamp build_started_on = 2;
+  // The timestamp of when the build completed.
+  google.protobuf.Timestamp build_finished_on = 3;
+  // Indicates that the builder claims certain fields in this message to be
+  // complete.
+  Completeness completeness = 4;
+  // If true, the builder claims that running the recipe on materials will
+  // produce bit-for-bit identical output.
+  bool reproducible = 5;
+}
+
+message BuilderConfig {
+  string id = 1;
+}
+
+message InTotoProvenance {
+  BuilderConfig builder_config = 1;  // required
+  // Identifies the configuration used for the build.
+  // When combined with materials, this SHOULD fully describe the build,
+  // such that re-running this recipe results in bit-for-bit identical output
+  // (if the build is reproducible).
+  Recipe recipe = 2;  // required
+  Metadata metadata = 3;
+  // The collection of artifacts that influenced the build including sources,
+  // dependencies, build tools, base images, and so on. This is considered to be
+  // incomplete unless metadata.completeness.materials is true. Unset or null is
+  // equivalent to empty.
+  repeated string materials = 4;
+}