1apiVersion: apiextensions.k8s.io/v1
2kind: CustomResourceDefinition
3metadata:
4 annotations:
5 cnrm.cloud.google.com/version: 0.0.0-dev
6 creationTimestamp: null
7 labels:
8 cnrm.cloud.google.com/dcl2crd: "true"
9 cnrm.cloud.google.com/managed-by-kcc: "true"
10 cnrm.cloud.google.com/stability-level: stable
11 cnrm.cloud.google.com/system: "true"
12 name: containeranalysisnotes.containeranalysis.cnrm.cloud.google.com
13spec:
14 group: containeranalysis.cnrm.cloud.google.com
15 names:
16 categories:
17 - gcp
18 kind: ContainerAnalysisNote
19 plural: containeranalysisnotes
20 shortNames:
21 - gcpcontaineranalysisnote
22 - gcpcontaineranalysisnotes
23 singular: containeranalysisnote
24 preserveUnknownFields: false
25 scope: Namespaced
26 versions:
27 - additionalPrinterColumns:
28 - jsonPath: .metadata.creationTimestamp
29 name: Age
30 type: date
31 - description: When 'True', the most recent reconcile of the resource succeeded
32 jsonPath: .status.conditions[?(@.type=='Ready')].status
33 name: Ready
34 type: string
35 - description: The reason for the value in 'Ready'
36 jsonPath: .status.conditions[?(@.type=='Ready')].reason
37 name: Status
38 type: string
39 - description: The last transition time for the value in 'Status'
40 jsonPath: .status.conditions[?(@.type=='Ready')].lastTransitionTime
41 name: Status Age
42 type: date
43 name: v1beta1
44 schema:
45 openAPIV3Schema:
46 properties:
47 apiVersion:
48 description: 'apiVersion defines the versioned schema of this representation
49 of an object. Servers should convert recognized schemas to the latest
50 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources'
51 type: string
52 kind:
53 description: 'kind is a string value representing the REST resource this
54 object represents. Servers may infer this from the endpoint the client
55 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds'
56 type: string
57 metadata:
58 type: object
59 spec:
60 properties:
61 attestation:
62 description: A note describing an attestation role.
63 properties:
64 hint:
65 description: Hint hints at the purpose of the attestation authority.
66 properties:
67 humanReadableName:
68 description: Required. The human readable name of this attestation
69 authority, for example "qa".
70 type: string
71 required:
72 - humanReadableName
73 type: object
74 type: object
75 build:
76 description: A note describing build provenance for a verifiable build.
77 properties:
78 builderVersion:
79 description: Required. Immutable. Version of the builder which
80 produced this build.
81 type: string
82 required:
83 - builderVersion
84 type: object
85 deployment:
86 description: A note describing something that can be deployed.
87 properties:
88 resourceUri:
89 description: Required. Resource URI for the artifact being deployed.
90 items:
91 type: string
92 type: array
93 required:
94 - resourceUri
95 type: object
96 discovery:
97 description: A note describing the initial analysis of a resource.
98 properties:
99 analysisKind:
100 description: 'The kind of analysis that is handled by this discovery.
101 Possible values: NOTE_KIND_UNSPECIFIED, VULNERABILITY, BUILD,
102 IMAGE, PACKAGE, DEPLOYMENT, DISCOVERY, ATTESTATION, UPGRADE'
103 type: string
104 required:
105 - analysisKind
106 type: object
107 expirationTime:
108 description: Time of expiration for this note. Empty if note does
109 not expire.
110 format: date-time
111 type: string
112 image:
113 description: A note describing a base image.
114 properties:
115 fingerprint:
116 description: Required. Immutable. The fingerprint of the base
117 image.
118 properties:
119 v1Name:
120 description: Required. The layer ID of the final layer in
121 the Docker image's v1 representation.
122 type: string
123 v2Blob:
124 description: Required. The ordered list of v2 blobs that represent
125 a given image.
126 items:
127 type: string
128 type: array
129 required:
130 - v1Name
131 - v2Blob
132 type: object
133 resourceUrl:
134 description: Required. Immutable. The resource_url for the resource
135 representing the basis of associated occurrence images.
136 type: string
137 required:
138 - fingerprint
139 - resourceUrl
140 type: object
141 longDescription:
142 description: A detailed description of this note.
143 type: string
144 package:
145 description: Required for non-Windows OS. The package this Upgrade
146 is for.
147 properties:
148 distribution:
149 description: The various channels by which a package is distributed.
150 items:
151 properties:
152 architecture:
153 description: 'The CPU architecture for which packages in
154 this distribution channel were built. Possible values:
155 ARCHITECTURE_UNSPECIFIED, X86, X64'
156 type: string
157 cpeUri:
158 description: The cpe_uri in [cpe format](https://cpe.mitre.org/specification/)
159 denoting the package manager version distributing a package.
160 type: string
161 description:
162 description: The distribution channel-specific description
163 of this package.
164 type: string
165 latestVersion:
166 description: The latest available version of this package
167 in this distribution channel.
168 properties:
169 epoch:
170 description: Used to correct mistakes in the version
171 numbering scheme.
172 format: int64
173 type: integer
174 fullName:
175 description: Human readable version string. This string
176 is of the form <epoch>:<name>-<revision> and is only set when kind is NORMAL.
177 type: string
178 kind:
179 description: 'Distinguish between sentinel MIN/MAX versions
180 and normal versions. If kind is not NORMAL, then the
181 other fields are ignored. Possible values: VERSION_KIND_UNSPECIFIED,
182 NORMAL, MINIMUM, MAXIMUM'
183 type: string
184 name:
185 description: The main part of the version name.
186 type: string
187 revision:
188 description: The iteration of the package build from
189 the above version.
190 type: string
191 required:
192 - kind
193 type: object
194 maintainer:
195 description: A freeform string denoting the maintainer of
196 this package.
197 type: string
198 url:
199 description: The distribution channel-specific homepage
200 for this package.
201 type: string
202 required:
203 - cpeUri
204 type: object
205 type: array
206 name:
207 description: The name of the package.
208 type: string
209 required:
210 - name
211 type: object
212 relatedNoteNames:
213 items:
214 oneOf:
215 - not:
216 required:
217 - external
218 required:
219 - name
220 - not:
221 anyOf:
222 - required:
223 - name
224 - required:
225 - namespace
226 required:
227 - external
228 properties:
229 external:
230 description: 'Allowed value: The Google Cloud resource name
231 of a `ContainerAnalysisNote` resource (format: `projects/{{project}}/notes/{{name}}`).'
232 type: string
233 name:
234 description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
235 type: string
236 namespace:
237 description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
238 type: string
239 type: object
240 type: array
241 relatedUrl:
242 description: URLs associated with this note.
243 items:
244 properties:
245 label:
246 description: Label to describe usage of the URL
247 type: string
248 url:
249 description: Specific URL to associate with the note
250 type: string
251 type: object
252 type: array
253 resourceID:
254 description: Immutable. Optional. The name of the resource. Used for
255 creation and acquisition. When unset, the value of `metadata.name`
256 is used as the default.
257 type: string
258 shortDescription:
259 description: A one sentence description of this note.
260 type: string
261 vulnerability:
262 description: A note describing a package vulnerability.
263 properties:
264 cvssScore:
265 description: The CVSS score of this vulnerability. CVSS score
266 is on a scale of 0 - 10 where 0 indicates low severity and 10
267 indicates high severity.
268 format: double
269 type: number
270 cvssV3:
271 description: The full description of the CVSSv3 for this vulnerability.
272 properties:
273 attackComplexity:
274 description: ' Possible values: ATTACK_COMPLEXITY_UNSPECIFIED,
275 ATTACK_COMPLEXITY_LOW, ATTACK_COMPLEXITY_HIGH'
276 type: string
277 attackVector:
278 description: 'Base Metrics Represents the intrinsic characteristics
279 of a vulnerability that are constant over time and across
280 user environments. Possible values: ATTACK_VECTOR_UNSPECIFIED,
281 ATTACK_VECTOR_NETWORK, ATTACK_VECTOR_ADJACENT, ATTACK_VECTOR_LOCAL,
282 ATTACK_VECTOR_PHYSICAL'
283 type: string
284 availabilityImpact:
285 description: ' Possible values: IMPACT_UNSPECIFIED, IMPACT_HIGH,
286 IMPACT_LOW, IMPACT_NONE'
287 type: string
288 baseScore:
289 description: The base score is a function of the base metric
290 scores.
291 format: double
292 type: number
293 confidentialityImpact:
294 description: ' Possible values: IMPACT_UNSPECIFIED, IMPACT_HIGH,
295 IMPACT_LOW, IMPACT_NONE'
296 type: string
297 exploitabilityScore:
298 format: double
299 type: number
300 impactScore:
301 format: double
302 type: number
303 integrityImpact:
304 description: ' Possible values: IMPACT_UNSPECIFIED, IMPACT_HIGH,
305 IMPACT_LOW, IMPACT_NONE'
306 type: string
307 privilegesRequired:
308 description: ' Possible values: PRIVILEGES_REQUIRED_UNSPECIFIED,
309 PRIVILEGES_REQUIRED_NONE, PRIVILEGES_REQUIRED_LOW, PRIVILEGES_REQUIRED_HIGH'
310 type: string
311 scope:
312 description: ' Possible values: SCOPE_UNSPECIFIED, SCOPE_UNCHANGED,
313 SCOPE_CHANGED'
314 type: string
315 userInteraction:
316 description: ' Possible values: USER_INTERACTION_UNSPECIFIED,
317 USER_INTERACTION_NONE, USER_INTERACTION_REQUIRED'
318 type: string
319 type: object
320 details:
321 description: Details of all known distros and packages affected
322 by this vulnerability.
323 items:
324 properties:
325 affectedCpeUri:
326 description: Required. The [CPE URI](https://cpe.mitre.org/specification/)
327 this vulnerability affects.
328 type: string
329 affectedPackage:
330 description: Required. The package this vulnerability affects.
331 type: string
332 affectedVersionEnd:
333 description: 'The version number at the end of an interval
334 in which this vulnerability exists. A vulnerability can
335 affect a package between version numbers that are disjoint
336 sets of intervals (example: [1.0.0-1.0.1], [1.0.3-1.0.4]) each of which will be represented
337 in its own Detail. If a specific affected version is provided
338 by a vulnerability database, affected_version_start and
339 affected_version_end will be the same in that Detail.'
340 properties:
341 epoch:
342 description: Used to correct mistakes in the version
343 numbering scheme.
344 format: int64
345 type: integer
346 fullName:
347 description: Human readable version string. This string
348 is of the form <epoch>:<name>-<revision> and is only set when kind is NORMAL.
349 type: string
350 kind:
351 description: 'Required. Distinguishes between sentinel
352 MIN/MAX versions and normal versions. Possible values:
353 NOTE_KIND_UNSPECIFIED, VULNERABILITY, BUILD, IMAGE,
354 PACKAGE, DEPLOYMENT, DISCOVERY, ATTESTATION, UPGRADE'
355 type: string
356 name:
357 description: Required only when version kind is NORMAL.
358 The main part of the version name.
359 type: string
360 revision:
361 description: The iteration of the package build from
362 the above version.
363 type: string
364 required:
365 - kind
366 type: object
367 affectedVersionStart:
368 description: 'The version number at the start of an interval
369 in which this vulnerability exists. A vulnerability can
370 affect a package between version numbers that are disjoint
371 sets of intervals (example: [1.0.0-1.0.1], [1.0.3-1.0.4]) each of which will be represented
372 in its own Detail. If a specific affected version is provided
373 by a vulnerability database, affected_version_start and
374 affected_version_end will be the same in that Detail.'
375 properties:
376 epoch:
377 description: Used to correct mistakes in the version
378 numbering scheme.
379 format: int64
380 type: integer
381 fullName:
382 description: Human readable version string. This string
383 is of the form <epoch>:<name>-<revision> and is only set when kind is NORMAL.
384 type: string
385 kind:
386 description: 'Required. Distinguishes between sentinel
387 MIN/MAX versions and normal versions. Possible values:
388 NOTE_KIND_UNSPECIFIED, VULNERABILITY, BUILD, IMAGE,
389 PACKAGE, DEPLOYMENT, DISCOVERY, ATTESTATION, UPGRADE'
390 type: string
391 name:
392 description: Required only when version kind is NORMAL.
393 The main part of the version name.
394 type: string
395 revision:
396 description: The iteration of the package build from
397 the above version.
398 type: string
399 required:
400 - kind
401 type: object
402 description:
403 description: A vendor-specific description of this vulnerability.
404 type: string
405 fixedCpeUri:
406 description: The distro recommended [CPE URI](https://cpe.mitre.org/specification/)
407 to update to that contains a fix for this vulnerability.
408 It is possible for this to be different from the affected_cpe_uri.
409 type: string
410 fixedPackage:
411 description: The distro recommended package to update to
412 that contains a fix for this vulnerability. It is possible
413 for this to be different from the affected_package.
414 type: string
415 fixedVersion:
416 description: The distro recommended version to update to
417 that contains a fix for this vulnerability. Setting this
418 to VersionKind.MAXIMUM means no such version is yet available.
419 properties:
420 epoch:
421 description: Used to correct mistakes in the version
422 numbering scheme.
423 format: int64
424 type: integer
425 fullName:
426 description: Human readable version string. This string
427 is of the form <epoch>:<name>-<revision> and is only set when kind is NORMAL.
428 type: string
429 kind:
430 description: 'Required. Distinguishes between sentinel
431 MIN/MAX versions and normal versions. Possible values:
432 NOTE_KIND_UNSPECIFIED, VULNERABILITY, BUILD, IMAGE,
433 PACKAGE, DEPLOYMENT, DISCOVERY, ATTESTATION, UPGRADE'
434 type: string
435 name:
436 description: Required only when version kind is NORMAL.
437 The main part of the version name.
438 type: string
439 revision:
440 description: The iteration of the package build from
441 the above version.
442 type: string
443 required:
444 - kind
445 type: object
446 isObsolete:
447 description: Whether this detail is obsolete. Occurrences
448 are expected not to point to obsolete details.
449 type: boolean
450 packageType:
451 description: The type of package; whether native or non
452 native (e.g., ruby gems, node.js packages, etc.).
453 type: string
454 severityName:
455 description: The distro assigned severity of this vulnerability.
456 type: string
457 sourceUpdateTime:
458 description: The time this information was last changed
459 at the source. This is an upstream timestamp from the
460 underlying information source - e.g. Ubuntu security tracker.
461 format: date-time
462 type: string
463 required:
464 - affectedCpeUri
465 - affectedPackage
466 type: object
467 type: array
468 severity:
469 description: 'The note provider assigned severity of this vulnerability.
470 Possible values: SEVERITY_UNSPECIFIED, MINIMAL, LOW, MEDIUM,
471 HIGH, CRITICAL'
472 type: string
473 sourceUpdateTime:
474 description: The time this information was last changed at the
475 source. This is an upstream timestamp from the underlying information
476 source - e.g. Ubuntu security tracker.
477 format: date-time
478 type: string
479 windowsDetails:
480 description: Windows details get their own format because the
481 information format and model don't match a normal detail. Specifically
482 Windows updates are done as patches, thus Windows vulnerabilities
483 really are a missing package, rather than a package being at
484 an incorrect version.
485 items:
486 properties:
487 cpeUri:
488 description: Required. The [CPE URI](https://cpe.mitre.org/specification/)
489 this vulnerability affects.
490 type: string
491 description:
492 description: The description of this vulnerability.
493 type: string
494 fixingKbs:
495 description: Required. The names of the KBs which have hotfixes
496 to mitigate this vulnerability. Note that there may be
497 multiple hotfixes (and thus multiple KBs) that mitigate
498 a given vulnerability. Currently any listed KBs presence
499 is considered a fix.
500 items:
501 properties:
502 name:
503 description: The KB name (generally of the form KB[0-9]+
504 (e.g., KB123456)).
505 type: string
506 url:
507 description: A link to the KB in the [Windows update catalog](https://www.catalog.update.microsoft.com/).
508 type: string
509 type: object
510 type: array
511 name:
512 description: Required. The name of this vulnerability.
513 type: string
514 required:
515 - cpeUri
516 - fixingKbs
517 - name
518 type: object
519 type: array
520 type: object
521 type: object
522 status:
523 properties:
524 conditions:
525 description: Conditions represent the latest available observation
526 of the resource's current state.
527 items:
528 properties:
529 lastTransitionTime:
530 description: Last time the condition transitioned from one status
531 to another.
532 type: string
533 message:
534 description: Human-readable message indicating details about
535 last transition.
536 type: string
537 reason:
538 description: Unique, one-word, CamelCase reason for the condition's
539 last transition.
540 type: string
541 status:
542 description: Status is the status of the condition. Can be True,
543 False, Unknown.
544 type: string
545 type:
546 description: Type is the type of the condition.
547 type: string
548 type: object
549 type: array
550 createTime:
551 description: Output only. The time this note was created. This field
552 can be used as a filter in list requests.
553 format: date-time
554 type: string
555 image:
556 properties:
557 fingerprint:
558 properties:
559 v2Name:
560 description: 'Output only. The name of the image''s v2 blobs
561 computed via: ) Only the name of the final blob is kept.'
562 type: string
563 type: object
564 type: object
565 observedGeneration:
566 description: ObservedGeneration is the generation of the resource
567 that was most recently observed by the Config Connector controller.
568 If this is equal to metadata.generation, then that means that the
569 current reported status reflects the most recent desired state of
570 the resource.
571 type: integer
572 updateTime:
573 description: Output only. The time this note was last updated. This
574 field can be used as a filter in list requests.
575 format: date-time
576 type: string
577 type: object
578 type: object
579 served: true
580 storage: true
581 subresources:
582 status: {}
583status:
584 acceptedNames:
585 kind: ""
586 plural: ""
587 conditions: []
588 storedVersions: []