|
610 | 610 | "SPDX_FILE", |
611 | 611 | "SPDX_RELATIONSHIP", |
612 | 612 | "DSSE_ATTESTATION", |
613 | | - "VULNERABILITY_ASSESSMENT" |
| 613 | + "VULNERABILITY_ASSESSMENT", |
| 614 | + "SBOM_REFERENCE" |
614 | 615 | ], |
615 | 616 | "enumDescriptions": [ |
616 | 617 | "Unknown", |
|
628 | 629 | "This represents an SPDX File.", |
629 | 630 | "This represents an SPDX Relationship.", |
630 | 631 | "This represents a DSSE attestation Note", |
631 | | - "This represents a Vulnerability Assessment." |
| 632 | + "This represents a Vulnerability Assessment.", |
| 633 | + "This represents a reference to an SBOM." |
632 | 634 | ], |
633 | 635 | "location": "query", |
634 | 636 | "type": "string" |
|
1231 | 1233 | } |
1232 | 1234 | } |
1233 | 1235 | }, |
1234 | | - "revision": "20230310", |
| 1236 | + "revision": "20230324", |
1235 | 1237 | "rootUrl": "https://containeranalysis.googleapis.com/", |
1236 | 1238 | "schemas": { |
1237 | 1239 | "AnalysisCompleted": { |
|
3438 | 3440 | "SPDX_FILE", |
3439 | 3441 | "SPDX_RELATIONSHIP", |
3440 | 3442 | "DSSE_ATTESTATION", |
3441 | | - "VULNERABILITY_ASSESSMENT" |
| 3443 | + "VULNERABILITY_ASSESSMENT", |
| 3444 | + "SBOM_REFERENCE" |
3442 | 3445 | ], |
3443 | 3446 | "enumDescriptions": [ |
3444 | 3447 | "Unknown", |
|
3456 | 3459 | "This represents an SPDX File.", |
3457 | 3460 | "This represents an SPDX Relationship.", |
3458 | 3461 | "This represents a DSSE attestation Note", |
3459 | | - "This represents a Vulnerability Assessment." |
| 3462 | + "This represents a Vulnerability Assessment.", |
| 3463 | + "This represents a reference to an SBOM." |
3460 | 3464 | ], |
3461 | 3465 | "type": "string" |
3462 | 3466 | } |
|
4615 | 4619 | "SPDX_FILE", |
4616 | 4620 | "SPDX_RELATIONSHIP", |
4617 | 4621 | "DSSE_ATTESTATION", |
4618 | | - "VULNERABILITY_ASSESSMENT" |
| 4622 | + "VULNERABILITY_ASSESSMENT", |
| 4623 | + "SBOM_REFERENCE" |
4619 | 4624 | ], |
4620 | 4625 | "enumDescriptions": [ |
4621 | 4626 | "Unknown", |
|
4633 | 4638 | "This represents an SPDX File.", |
4634 | 4639 | "This represents an SPDX Relationship.", |
4635 | 4640 | "This represents a DSSE attestation Note", |
4636 | | - "This represents a Vulnerability Assessment." |
| 4641 | + "This represents a Vulnerability Assessment.", |
| 4642 | + "This represents a reference to an SBOM." |
4637 | 4643 | ], |
4638 | 4644 | "type": "string" |
4639 | 4645 | }, |
|
4660 | 4666 | "$ref": "DocumentNote", |
4661 | 4667 | "description": "A note describing a software bill of materials." |
4662 | 4668 | }, |
| 4669 | + "sbomReference": { |
| 4670 | + "$ref": "SBOMReferenceNote", |
| 4671 | + "description": "A note describing a reference to an SBOM." |
| 4672 | + }, |
4663 | 4673 | "shortDescription": { |
4664 | 4674 | "description": "A one sentence description of this `Note`.", |
4665 | 4675 | "type": "string" |
|
4759 | 4769 | "SPDX_FILE", |
4760 | 4770 | "SPDX_RELATIONSHIP", |
4761 | 4771 | "DSSE_ATTESTATION", |
4762 | | - "VULNERABILITY_ASSESSMENT" |
| 4772 | + "VULNERABILITY_ASSESSMENT", |
| 4773 | + "SBOM_REFERENCE" |
4763 | 4774 | ], |
4764 | 4775 | "enumDescriptions": [ |
4765 | 4776 | "Unknown", |
|
4777 | 4788 | "This represents an SPDX File.", |
4778 | 4789 | "This represents an SPDX Relationship.", |
4779 | 4790 | "This represents a DSSE attestation Note", |
4780 | | - "This represents a Vulnerability Assessment." |
| 4791 | + "This represents a Vulnerability Assessment.", |
| 4792 | + "This represents a reference to an SBOM." |
4781 | 4793 | ], |
4782 | 4794 | "type": "string" |
4783 | 4795 | }, |
|
4805 | 4817 | "$ref": "DocumentOccurrence", |
4806 | 4818 | "description": "Describes a specific software bill of materials document." |
4807 | 4819 | }, |
| 4820 | + "sbomReference": { |
| 4821 | + "$ref": "SBOMReferenceOccurrence", |
| 4822 | + "description": "This represents an SBOM reference occurrence" |
| 4823 | + }, |
4808 | 4824 | "spdxFile": { |
4809 | 4825 | "$ref": "FileOccurrence", |
4810 | 4826 | "description": "Describes a specific SPDX File." |
|
5557 | 5573 | }, |
5558 | 5574 | "type": "object" |
5559 | 5575 | }, |
| 5576 | + "SBOMReferenceNote": { |
| 5577 | + "description": "The note representing an SBOM reference.", |
| 5578 | + "id": "SBOMReferenceNote", |
| 5579 | + "properties": { |
| 5580 | + "format": { |
| 5581 | + "description": "The format that SBOM takes. E.g. may be spdx, cyclonedx, etc...", |
| 5582 | + "type": "string" |
| 5583 | + }, |
| 5584 | + "version": { |
| 5585 | + "description": "The version of the format that the SBOM takes. E.g. if the format is spdx, the version may be 2.3.", |
| 5586 | + "type": "string" |
| 5587 | + } |
| 5588 | + }, |
| 5589 | + "type": "object" |
| 5590 | + }, |
| 5591 | + "SBOMReferenceOccurrence": { |
| 5592 | + "description": "The occurrence representing an SBOM reference as applied to a specific resource. The occurrence follows the DSSE specification. See https://github.com/secure-systems-lab/dsse/blob/master/envelope.md for more details.", |
| 5593 | + "id": "SBOMReferenceOccurrence", |
| 5594 | + "properties": { |
| 5595 | + "payload": { |
| 5596 | + "$ref": "SbomReferenceIntotoPayload", |
| 5597 | + "description": "The actual payload that contains the SBOM reference data." |
| 5598 | + }, |
| 5599 | + "payloadType": { |
| 5600 | + "description": "The kind of payload that SbomReferenceIntotoPayload takes. Since it's in the intoto format, this value is expected to be 'application/vnd.in-toto+json'.", |
| 5601 | + "type": "string" |
| 5602 | + }, |
| 5603 | + "signatures": { |
| 5604 | + "description": "The signatures over the payload.", |
| 5605 | + "items": { |
| 5606 | + "$ref": "EnvelopeSignature" |
| 5607 | + }, |
| 5608 | + "type": "array" |
| 5609 | + } |
| 5610 | + }, |
| 5611 | + "type": "object" |
| 5612 | + }, |
| 5613 | + "SbomReferenceIntotoPayload": { |
| 5614 | + "description": "The actual payload that contains the SBOM Reference data. The payload follows the intoto statement specification. See https://github.com/in-toto/attestation/blob/main/spec/v1.0/statement.md for more details.", |
| 5615 | + "id": "SbomReferenceIntotoPayload", |
| 5616 | + "properties": { |
| 5617 | + "_type": { |
| 5618 | + "description": "Identifier for the schema of the Statement.", |
| 5619 | + "type": "string" |
| 5620 | + }, |
| 5621 | + "predicate": { |
| 5622 | + "$ref": "SbomReferenceIntotoPredicate", |
| 5623 | + "description": "Additional parameters of the Predicate. Includes the actual data about the SBOM." |
| 5624 | + }, |
| 5625 | + "predicateType": { |
| 5626 | + "description": "URI identifying the type of the Predicate.", |
| 5627 | + "type": "string" |
| 5628 | + }, |
| 5629 | + "subject": { |
| 5630 | + "description": "Set of software artifacts that the attestation applies to. Each element represents a single software artifact.", |
| 5631 | + "items": { |
| 5632 | + "$ref": "Subject" |
| 5633 | + }, |
| 5634 | + "type": "array" |
| 5635 | + } |
| 5636 | + }, |
| 5637 | + "type": "object" |
| 5638 | + }, |
| 5639 | + "SbomReferenceIntotoPredicate": { |
| 5640 | + "description": "A predicate which describes the SBOM being referenced.", |
| 5641 | + "id": "SbomReferenceIntotoPredicate", |
| 5642 | + "properties": { |
| 5643 | + "digest": { |
| 5644 | + "additionalProperties": { |
| 5645 | + "type": "string" |
| 5646 | + }, |
| 5647 | + "description": "A map of algorithm to digest of the contents of the SBOM.", |
| 5648 | + "type": "object" |
| 5649 | + }, |
| 5650 | + "location": { |
| 5651 | + "description": "The location of the SBOM.", |
| 5652 | + "type": "string" |
| 5653 | + }, |
| 5654 | + "mimeType": { |
| 5655 | + "description": "The mime type of the SBOM.", |
| 5656 | + "type": "string" |
| 5657 | + }, |
| 5658 | + "referrerId": { |
| 5659 | + "description": "The person or system referring this predicate to the consumer.", |
| 5660 | + "type": "string" |
| 5661 | + } |
| 5662 | + }, |
| 5663 | + "type": "object" |
| 5664 | + }, |
5560 | 5665 | "ScanConfig": { |
5561 | 5666 | "description": "Indicates various scans and whether they are turned on or off.", |
5562 | 5667 | "id": "ScanConfig", |
|