\\SrSSKJr SSKJr SSKJr SSKrSSKrSSKJr SSKJ r SSK J r SS K J r SSKr"S S 5r"S S 5r"SS5r"SS5r"SS5r"SS5r"SS5r"SS5r"SS5r"SS5r"SS5r"S S!5r"S"S#5rS$rS%rS&rS'r S(r!S)r"S*r#S+r$S,r%S-r&S.r'S/r(g)0z3Utility for interacting with containeranalysis API.)absolute_import)division)unicode_literalsN) filter_util)requests) enable_api) exceptionsc@\rSrSrSrSrS SjrSrSrSr Sr S r g ) ContainerAnalysisMetadatazSContainerAnalysisMetadata defines metadata retrieved from containeranalysis API. cl[5Ul[5Ul[ 5Ul[ 5Ul[5Ul [5Ul [5Ul [5Ul[!5Ul[%5Ul[)5Ul[-5UlgN)PackageVulnerabilitySummary vulnerabilityImageBasisSummaryimageDiscoverySummary discoveryDeploymentSummary deployment BuildSummarybuildProvenanceSummary provenancePackageSummarypackageAttestationSummary attestationUpgradeSummaryupgradeComplianceSummary complianceDsseAttestaionSummarydsse_attestationSbomReferenceSummarysbom_referenceselfs Blib/googlecloudsdk/command_lib/artifacts/containeranalysis_util.py__init__"ContainerAnalysisMetadata.__init__#s}46D"$DJ%'DN')DODJ')DO!#DL)+D!#DL')DO13D.0DcZ[R"5nURURRR :XaUR RU5 GO0URURRR:XaURRU5 GOURURRR:XaURRU5 GOURURRR:XaURRU5 GOOURURRR:XaURRU5 GOURURRR :XadUR"(aSUR"R$(dUR"R&(aURRU5 GOrURURRR(:XaUR*RU5 GO'URURRR,:XaUR.RU5 OURURRR0:XaUR2RU5 OURURRR4:XaUR6RU5 OIURURRR8:XaUR:RU5 URURRR:XaUR<RU5 URURRR :Xa$U(aUR"RU5 ggg)a Adds occurrences retrieved from containeranalysis API. Generally we have a 1-1 correspondence between type and summary it's added to. The exceptions (due to backwards compatibility issues) are: BUILD: If you pass in --show-provenance, there will be a provenance section (for intoto builds) but no build section. If you pass in --show-all-metadata or --show-build-details, there will be a provenance section (for intoto builds) and a builds section (for every build). That does mean an occurrence may be in both provenance_summary and build_summary. DSSE_ATTESTATION: We always return it in both the DSSE_ATTESTATION section and the provenance section. Args: occ: the occurrence retrieved from the API. include_build: whether build-kind occurrences should be added to build. N) ca_requests GetMessageskind OccurrenceKindValueValuesEnum VULNERABILITYr AddOccurrenceIMAGEr DEPLOYMENTr DISCOVERYrDSSE_ATTESTATIONrBUILDrintotoStatementinTotoSlsaProvenanceV1PACKAGEr ATTESTATIONrUPGRADEr COMPLIANCEr"SBOM_REFERENCEr&r$)r(occ include_buildmessagess r)r4'ContainerAnalysisMetadata.AddOccurrence1s"&&(H xx8&&::HHH &&s+ X((<<BB B jjs# X((<<GG G oo##C( X((<<FF F nn""3' X((<<MM M oo##C( H'';;AAA II YY & &#))*J*J oo##C( X((<<DD D ll  % X((<<HH H $$S) X((<<DD D ll  % X((<<GG G oo##C( X((<<KK K '', xx8&&::KKK ))#. H'';;AAA  jjs#  Br,cl0nURR(aURRUS'URR(aURRUS'URR(aURRUS'UR R (aUR R US'URR(aURRUS'URR(aURRUS'URR(aURRUS'URR(aURRUS'URR (aURR US 'UR"R$(aUR"R$US 'UR'UR(R+55 U$) zzReturns a dictionary representing the metadata. The returned dictionary is used by artifacts docker images list command. r5r6r7r9r<r=r>r?r8r@)r base_imagesr deploymentsrr build_detailsrpackagesr attestationsr upgradesr" compliancesr$dsse_attestationsr&sbom_referencesupdaterImagesListView)r(views r)rP(ContainerAnalysisMetadata.ImagesListViewis} D zzjj,,d7m ""??66d< ~~..22d; zzjj..d7m || --d9o $$ ,,99d= || --d9o ""??66d< ..!%!6!6!H!Hd  **#22BBd KK""1134 Kr,c0nURR(aURUS'URR(aURUS'URR(aURUS'UR R (aUR US'URR5nU(aX!S'URR(aURUS'URR(aURUS'URR(aURUS'URR(aURUS 'UR R"(aUR US 'UR$R&(aUR$US 'UR(R*(aUR(US 'U$) z~Returns a dictionary representing the metadata. The returned dictionary is used by artifacts docker images describe command. image_basis_summarydeployment_summarydiscovery_summarybuild_details_summarypackage_vulnerability_summaryprovenance_summarypackage_summaryattestation_summaryupgrade_summarycompliance_summarydsse_attestation_summary sbom_summary)rrFrrGrrrHrArtifactsDescribeViewrrrIrrJr rKr"rLr$rMr&rN)r(rQvulns r)r`/ContainerAnalysisMetadata.ArtifactsDescribeViewsm D zz$(JJd ! ""#'??d   ~~"&..d  zz&*jjd "#    3 3 5D .2 *+ !!#'??d   || $ d  $$$($4$4d ! || $ d  ""#'??d   ..)-)>)>d %& **!00d> Kr,cxURR(a[URR5$g)z(Returns SLSA build level 0-3 or unknown.unknown)r_ComputeSLSABuildLevelr's r)SLSABuildLevel(ContainerAnalysisMetadata.SLSABuildLevels' !! #DOO$>$> ?? r,cURRVs/sH-nURRRR PM/ sn$s snfr)r&rN sbomReferencepayload predicatelocation)r(sbom_refs r) SbomLocations'ContainerAnalysisMetadata.SbomLocationssM++;; ;H &&0099;  s4A) rrr"rrr$rrrr&r rN)T) __name__ __module__ __qualname____firstlineno____doc__r*r4rPr`rfrn__static_attributes__r,r)r r s' 16$p:B r,r c<\rSrSrSrSrSrSrSrSr Sr S r g ) rzDPackageVulnerabilitySummary holds package vulnerability information.c 0Ul/Ulgr)vulnerabilitiescountsr's r)r*$PackageVulnerabilitySummary.__init__sDDKr,c[R"URR5nURR U/5R U5 gr)six text_typereffectiveSeverityrz setdefaultappend)r(rAsevs r)r4)PackageVulnerabilitySummary.AddOccurrences= --));; >!Kr,c:URRU5 gr)r{r)r(counts r)AddCount$PackageVulnerabilitySummary.AddCountsKKur,cR[R"5n0nUR(aURUS'URH_nURUR R R:XdM3URUR- US'URUS' U$ U$)zReturns a dictionary representing package vulnerability metadata. The returned dictionary is used by artifacts docker images describe command. rznot_fixed_vulnerability_counttotal_vulnerability_count) r.r/rzr{severityFixableTotalByDigestSeverityValueValuesEnumSEVERITY_UNSPECIFIED totalCount fixableCount)r(rCrQrs r)r`1PackageVulnerabilitySummary.ArtifactsDescribeViews &&(H D  $ 4 4d  ..H99 " "#7#7 8   u11 1 ,-,1,<,< () K Kr,c[R"5n0nUR(aURUS'0nURHlnURnU(dMXQR R R:wdM=URXSRUS5UR-05 Mn U(aX2S'U$)zReturns a dictionary representing package vulnerability metadata. The returned dictionary is used by artifacts docker images list command. PACKAGE_VULNERABILITYr vuln_counts) r.r/rzr{rrrrrOgetr)r(rCrQrrrs r)rP*PackageVulnerabilitySummary.ImagesListViews &&(H D &*&:&:d "#K NNc ##66NN   Ca!85;K;K!KLM  '= Kr,)r{rzN) rprqrrrsrtr*r4rrr`rPrurvr,r)rrs#L9"&r,rc$\rSrSrSrSrSrSrg)rz0ImageBasisSummary holds image basis information.c/UlgrrFr's r)r*ImageBasisSummary.__init__ Dr,c:URRU5 gr)rFrr(rAs r)r4ImageBasisSummary.AddOccurrenceC r,rNrprqrrrsrtr*r4rurvr,r)rrs8!r,rc$\rSrSrSrSrSrSrg)rz+BuildSummary holds image build information.c/UlgrrHr's r)r*BuildSummary.__init__s Dr,c:URRU5 gr)rHrrs r)r4BuildSummary.AddOccurrencesc"r,rNrrvr,r)rrs3#r,rc$\rSrSrSrSrSrSrg)riz5DeploymentSummary holds image deployment information.c/UlgrrGr's r)r*DeploymentSummary.__init__rr,c:URRU5 gr)rGrrs r)r4DeploymentSummary.AddOccurrencerr,rNrrvr,r)rr=!r,rc$\rSrSrSrSrSrSrg)ri zADiscoverySummary holds image vulnerability discovery information.c/Ulgrrr's r)r*DiscoverySummary.__init__s DNr,c:URRU5 gr)rrrs r)r4DiscoverySummary.AddOccurrencesNN#r,rNrrvr,r)rr sIr,rc$\rSrSrSrSrSrSrg)riz5ProvenanceSummary holds image provenance information.c/Ulgrrr's r)r*ProvenanceSummary.__init__s DOr,c:URRU5 gr)rrrs r)r4ProvenanceSummary.AddOccurrencesOO3r,rNrrvr,r)rrs= r,rc$\rSrSrSrSrSrSrg)riz/PackageSummary holds image package information.c/UlgrrIr's r)r*PackageSummary.__init__" DMr,c:URRU5 gr)rIrrs r)r4PackageSummary.AddOccurrence%MMr,rNrrvr,r)rr7r,rc$\rSrSrSrSrSrSrg)ri)z7AttestationSummary holds image attestation information.c/UlgrrJr's r)r*AttestationSummary.__init__,s Dr,c:URRU5 gr)rJrrs r)r4 AttestationSummary.AddOccurrence/sS!r,rNrrvr,r)rr)s?"r,rc$\rSrSrSrSrSrSrg)ri3z/UpgradeSummary holds image upgrade information.c/UlgrrKr's r)r*UpgradeSummary.__init__6rr,c:URRU5 gr)rKrrs r)r4UpgradeSummary.AddOccurrence9rr,rNrrvr,r)rr3rr,rc$\rSrSrSrSrSrSrg)r!i=z5ComplianceSummary holds image compliance information.c/UlgrrLr's r)r*ComplianceSummary.__init__@rr,c:URRU5 gr)rLrrs r)r4ComplianceSummary.AddOccurrenceCrr,rNrrvr,r)r!r!=rr,r!c$\rSrSrSrSrSrSrg)r#iGz?DsseAttestaionSummary holds image dsse_attestation information.c/UlgrrMr's r)r*DsseAttestaionSummary.__init__Js Dr,c:URRU5 gr)rMrrs r)r4#DsseAttestaionSummary.AddOccurrenceMs!!#&r,rNrrvr,r)r#r#GsG 'r,r#c$\rSrSrSrSrSrSrg)r%iQz ?(-779:##%(VDVc,,S1VDD*&xJO+66}7L7L7BD+ c 1355B]35G 779NN j)*>*>*@<<_.)g    # %''4}XXe_  /%EsFc[R"5nSS/nURU5 URU/5 UR 5$)z>Builds filters for containeranalysis APIs for Maven Artifacts.r3r7rr WithKindsrr)maven_resourcer filter_kindss r)rrsH224*!;/, |$ N+,    r,c[R"5nSS/nURU5 URU5 UR 5$)zIBuilds filters for containeranalysis APIs for build and SBOM occurrences.r9r@r)rrr s r)rrsF224*+,, |$ 6"    r,c[R"5n/nUR(GdUR(aUR S5 UR (a"UR S5 UR S5 UR (aUR S5 UR(aUR S5 UR(a"UR S5 UR S5 UR(aUR S5 U(dUR(dgURU5 URUR5 URU5 UR5$) aParses `docker images describe` arguments into a filter to send to containeranalysis API. The returned filter will combine the user-provided filter specified by the --metadata-filter flag and occurrence kind filters specified by flags such as --show-package-vulnerability. Returns None if there is no information to fetch from containeranalysis API. Args: images: list, the fully-qualified path of docker images. args: user provided command line arguments. Returns: A filter string to send to the containeranalysis API. For example, given a user input: gcloud docker images describe \ us-west1-docker.pkg.dev/my-project/my-repo/ubuntu@sha256:abc \ --show-package-vulnerability \ --show-image-basis \ --metadata-filter='createTime>"2019-04-10T"' this method will create a filter: ''' ((kind="VULNERABILITY") OR (kind="IMAGE")) AND (createTime>"2019-04-10T") AND (resourceUrl=us-west1-docker.pkg.dev/my-project/my-repo/ubuntu@sha256:abc' OR resourceUrl=https://us-west1-docker.pkg.dev/my-project/my-repo/ubuntu@sha256:abc')) ''' r9r3r7r5r6r8r@N)rrrrrshow_package_vulnerabilityshow_image_basisshow_deploymentshow_provenanceshow_sbom_referencesrrWithCustomFilterrr)rrrr s r)rrsB224*,    '" &&/*+& '" ,' ,-'"   *+  4 4  |$ d223 6"    r,c[R"5nURU5 URU5 UR U5 UR 5$)aCreates a list of filters from a docker image prefix, a custom filter and fully-qualified image URLs. Args: prefixes: URL prefixes. Only metadata of images with any of these prefixes will be retrieved. custom_filter: user provided filter string. images: fully-qualified docker image URLs. Only metadata of these images will be retrieved. Returns: A filter string to send to the containeranalysis API. )rrrrr(r)r custom_filterrrs r)r r +sK224* !!(+ 6" m,  ( ( **r,cU(dgSnUVs/sH4o"R(dMURR(dM2UPM6 nnUHnURRnUR(dM,URR(dMIURRR(dMpURRRR (dMURRRR U:XdM g UVs/sH4o"R(dMURR (dM2UPM6 nnU(dgUSnURR n[U5(a#[U5(a[U5(aggggs snfs snf)amComputes SLSA build level from a build provenance. Determines SLSA Level based on a list of occurrences, preferring data from SLSA v1.0 occurrences over others. Args: provenance: build provenance list containing build occurrences. Returns: A string `unknown` if build provenance doesn't exist, otherwise an integer from 0 to 3 indicating SLSA build level. rd4https://cloudbuild.googleapis.com/GoogleHostedWorkerr) rr;rk runDetailsbuilderidr: _HasSteps _HasValidKey_HasLevel3BuildVersion)r builder_id_v1p builds_v1build_v1 provenance_v1 builds_v0_1intotos r)rere?s[  H-Awwa177+I+Ia hNN99M   # # . . .  # # . . 6 6 6  # # . . 6 6 9 9 9  # # . . 6 6 9 9] J  Awwa177+B+Ba  1~*    + +&vJ  ' '  A$s"F;F;F;'G?GGcU(a[US5(a[URS5(a[URRS5(ak[URRRS5(a<URRRRn[ SU55$g)zCheck whether a build provenance contains build steps. Args: intoto: intoto statement in build occurrence. Returns: A boolean value indicating whether intoto contains build steps. slsaProvenancerecipe argumentsadditionalPropertiesc3d# UH&oRS:H=(a URv M( g7f)stepsN)keyvalue).0r7s r) _HasSteps..s#@Zuu+AGG+Zs.0F)hasattrr>r?r@rAany)r< propertiess r)r3r3ss &* + + &'' 2 2 &''.. < <     & & 0 02H  &&--77LLJ @Z@ @@ r,c^U(av[US5(ae[URS5(aJURR(a/SmU4Sjn[XRR5nU(agg)zCheck whether a build provenance contains valid signature and key id. Args: build: container analysis build occurrence. Returns: A boolean value indicating whether build occurrence contains valid signature and key id. envelope signatureszd^projects/verified-builder/locations/.+/keyRings/attestor/cryptoKeys/builtByGCB/cryptoKeyVersions/1$c>[US5=(aG UR=(a4 [US5=(a! [R"TUR5$)Nsigkeyid)rIrPrematchrQ) signaturekey_id_patterns r)CheckSignature$_HasValidKey..CheckSignaturesFi'8mm8i)8hh~y79r,TF)rIrMrNfilter)rrVfilteredrUs @r)r4r4s\ % $ $ %.., / / .. # #{N9 nnn&?&?@H  r,cU(a[US5(a[URS5(a[URRS5(aURRR(atURRRR S5upUS:Xa=U(a6UR S5up4[ U5S:=(d [ U5S:$g ) zCheck whether a build provenance contains level 3 build version. Args: intoto: intoto statement in build occurrence. Returns: A boolean value indicating whether intoto contains level 3 build version. r>r1r2z@vr,.rr-F)rIr>r1r2splitint)r<uriversion major_version minor_versions r)r5r5s &* + + &'' 3 3 &''// 6 6    ' ' * ***2255;;DANS EE '.}}S'9$}  ! # >s='9Q'>> r,))rt __future__rrrr rR(googlecloudsdk.api_lib.containeranalysisrrr.googlecloudsdk.api_lib.servicesrr rr~r rrrrrrrrrr!r#r%rrrrrrrr rer3r4r5rvr,r)res:&' @L6Q RRj66r!!##!!  ""!!''%%4#L *Z  = @+(1 h.:r,