1# Copyright 2020 Google LLC
2#
3# Licensed under the Apache License, Version 2.0 (the "License");
4# you may not use this file except in compliance with the License.
5# You may obtain a copy of the License at
6#
7# http://www.apache.org/licenses/LICENSE-2.0
8#
9# Unless required by applicable law or agreed to in writing, software
10# distributed under the License is distributed on an "AS IS" BASIS,
11# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12# See the License for the specific language governing permissions and
13# limitations under the License.
14
15apiVersion: apiextensions.k8s.io/v1
16kind: CustomResourceDefinition
17metadata:
18 annotations:
19 cnrm.cloud.google.com/version: 1.106.0
20 creationTimestamp: null
21 labels:
22 cnrm.cloud.google.com/dcl2crd: "true"
23 cnrm.cloud.google.com/managed-by-kcc: "true"
24 cnrm.cloud.google.com/stability-level: stable
25 cnrm.cloud.google.com/system: "true"
26 name: containeranalysisnotes.containeranalysis.cnrm.cloud.google.com
27spec:
28 group: containeranalysis.cnrm.cloud.google.com
29 names:
30 categories:
31 - gcp
32 kind: ContainerAnalysisNote
33 plural: containeranalysisnotes
34 shortNames:
35 - gcpcontaineranalysisnote
36 - gcpcontaineranalysisnotes
37 singular: containeranalysisnote
38 scope: Namespaced
39 versions:
40 - additionalPrinterColumns:
41 - jsonPath: .metadata.creationTimestamp
42 name: Age
43 type: date
44 - description: When 'True', the most recent reconcile of the resource succeeded
45 jsonPath: .status.conditions[?(@.type=='Ready')].status
46 name: Ready
47 type: string
48 - description: The reason for the value in 'Ready'
49 jsonPath: .status.conditions[?(@.type=='Ready')].reason
50 name: Status
51 type: string
52 - description: The last transition time for the value in 'Status'
53 jsonPath: .status.conditions[?(@.type=='Ready')].lastTransitionTime
54 name: Status Age
55 type: date
56 name: v1beta1
57 schema:
58 openAPIV3Schema:
59 properties:
60 apiVersion:
61 description: 'apiVersion defines the versioned schema of this representation
62 of an object. Servers should convert recognized schemas to the latest
63 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources'
64 type: string
65 kind:
66 description: 'kind is a string value representing the REST resource this
67 object represents. Servers may infer this from the endpoint the client
68 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds'
69 type: string
70 metadata:
71 type: object
72 spec:
73 properties:
74 attestation:
75 description: A note describing an attestation role.
76 properties:
77 hint:
78 description: Hint hints at the purpose of the attestation authority.
79 properties:
80 humanReadableName:
81 description: Required. The human readable name of this attestation
82 authority, for example "qa".
83 type: string
84 required:
85 - humanReadableName
86 type: object
87 type: object
88 build:
89 description: A note describing build provenance for a verifiable build.
90 properties:
91 builderVersion:
92 description: Required. Immutable. Version of the builder which
93 produced this build.
94 type: string
95 required:
96 - builderVersion
97 type: object
98 deployment:
99 description: A note describing something that can be deployed.
100 properties:
101 resourceUri:
102 description: Required. Resource URI for the artifact being deployed.
103 items:
104 type: string
105 type: array
106 required:
107 - resourceUri
108 type: object
109 discovery:
110 description: A note describing the initial analysis of a resource.
111 properties:
112 analysisKind:
113 description: 'The kind of analysis that is handled by this discovery.
114 Possible values: NOTE_KIND_UNSPECIFIED, VULNERABILITY, BUILD,
115 IMAGE, PACKAGE, DEPLOYMENT, DISCOVERY, ATTESTATION, UPGRADE'
116 type: string
117 required:
118 - analysisKind
119 type: object
120 expirationTime:
121 description: Time of expiration for this note. Empty if note does
122 not expire.
123 format: date-time
124 type: string
125 image:
126 description: A note describing a base image.
127 properties:
128 fingerprint:
129 description: Required. Immutable. The fingerprint of the base
130 image.
131 properties:
132 v1Name:
133 description: Required. The layer ID of the final layer in
134 the Docker image's v1 representation.
135 type: string
136 v2Blob:
137 description: Required. The ordered list of v2 blobs that represent
138 a given image.
139 items:
140 type: string
141 type: array
142 required:
143 - v1Name
144 - v2Blob
145 type: object
146 resourceUrl:
147 description: Required. Immutable. The resource_url for the resource
148 representing the basis of associated occurrence images.
149 type: string
150 required:
151 - fingerprint
152 - resourceUrl
153 type: object
154 longDescription:
155 description: A detailed description of this note.
156 type: string
157 package:
158 description: Required for non-Windows OS. The package this Upgrade
159 is for.
160 properties:
161 distribution:
162 description: The various channels by which a package is distributed.
163 items:
164 properties:
165 architecture:
166 description: 'The CPU architecture for which packages in
167 this distribution channel were built. Possible values:
168 ARCHITECTURE_UNSPECIFIED, X86, X64'
169 type: string
170 cpeUri:
171 description: The cpe_uri in [cpe format](https://cpe.mitre.org/specification/)
172 denoting the package manager version distributing a package.
173 type: string
174 description:
175 description: The distribution channel-specific description
176 of this package.
177 type: string
178 latestVersion:
179 description: The latest available version of this package
180 in this distribution channel.
181 properties:
182 epoch:
183 description: Used to correct mistakes in the version
184 numbering scheme.
185 format: int64
186 type: integer
187 fullName:
188 description: Human readable version string. This string
189 is of the form epoch:name-revision and is only set when kind is NORMAL.
190 type: string
191 kind:
192 description: 'Distinguish between sentinel MIN/MAX versions
193 and normal versions. If kind is not NORMAL, then the
194 other fields are ignored. Possible values: VERSION_KIND_UNSPECIFIED,
195 NORMAL, MINIMUM, MAXIMUM'
196 type: string
197 name:
198 description: The main part of the version name.
199 type: string
200 revision:
201 description: The iteration of the package build from
202 the above version.
203 type: string
204 required:
205 - kind
206 type: object
207 maintainer:
208 description: A freeform string denoting the maintainer of
209 this package.
210 type: string
211 url:
212 description: The distribution channel-specific homepage
213 for this package.
214 type: string
215 required:
216 - cpeUri
217 type: object
218 type: array
219 name:
220 description: The name of the package.
221 type: string
222 required:
223 - name
224 type: object
225 relatedNoteNames:
226 items:
227 oneOf:
228 - not:
229 required:
230 - external
231 required:
232 - name
233 - not:
234 anyOf:
235 - required:
236 - name
237 - required:
238 - namespace
239 required:
240 - external
241 properties:
242 external:
243 description: 'Allowed value: The Google Cloud resource name
244 of a `ContainerAnalysisNote` resource (format: `projects/{{project}}/notes/{{name}}`).'
245 type: string
246 name:
247 description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
248 type: string
249 namespace:
250 description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
251 type: string
252 type: object
253 type: array
254 relatedUrl:
255 description: URLs associated with this note.
256 items:
257 properties:
258 label:
259 description: Label to describe usage of the URL
260 type: string
261 url:
262 description: Specific URL to associate with the note
263 type: string
264 type: object
265 type: array
266 resourceID:
267 description: Immutable. Optional. The name of the resource. Used for
268 creation and acquisition. When unset, the value of `metadata.name`
269 is used as the default.
270 type: string
271 shortDescription:
272 description: A one sentence description of this note.
273 type: string
274 vulnerability:
275 description: A note describing a package vulnerability.
276 properties:
277 cvssScore:
278 description: The CVSS score of this vulnerability. CVSS score
279 is on a scale of 0 - 10 where 0 indicates low severity and 10
280 indicates high severity.
281 format: double
282 type: number
283 cvssV3:
284 description: The full description of the CVSSv3 for this vulnerability.
285 properties:
286 attackComplexity:
287 description: ' Possible values: ATTACK_COMPLEXITY_UNSPECIFIED,
288 ATTACK_COMPLEXITY_LOW, ATTACK_COMPLEXITY_HIGH'
289 type: string
290 attackVector:
291 description: 'Base Metrics Represents the intrinsic characteristics
292 of a vulnerability that are constant over time and across
293 user environments. Possible values: ATTACK_VECTOR_UNSPECIFIED,
294 ATTACK_VECTOR_NETWORK, ATTACK_VECTOR_ADJACENT, ATTACK_VECTOR_LOCAL,
295 ATTACK_VECTOR_PHYSICAL'
296 type: string
297 availabilityImpact:
298 description: ' Possible values: IMPACT_UNSPECIFIED, IMPACT_HIGH,
299 IMPACT_LOW, IMPACT_NONE'
300 type: string
301 baseScore:
302 description: The base score is a function of the base metric
303 scores.
304 format: double
305 type: number
306 confidentialityImpact:
307 description: ' Possible values: IMPACT_UNSPECIFIED, IMPACT_HIGH,
308 IMPACT_LOW, IMPACT_NONE'
309 type: string
310 exploitabilityScore:
311 format: double
312 type: number
313 impactScore:
314 format: double
315 type: number
316 integrityImpact:
317 description: ' Possible values: IMPACT_UNSPECIFIED, IMPACT_HIGH,
318 IMPACT_LOW, IMPACT_NONE'
319 type: string
320 privilegesRequired:
321 description: ' Possible values: PRIVILEGES_REQUIRED_UNSPECIFIED,
322 PRIVILEGES_REQUIRED_NONE, PRIVILEGES_REQUIRED_LOW, PRIVILEGES_REQUIRED_HIGH'
323 type: string
324 scope:
325 description: ' Possible values: SCOPE_UNSPECIFIED, SCOPE_UNCHANGED,
326 SCOPE_CHANGED'
327 type: string
328 userInteraction:
329 description: ' Possible values: USER_INTERACTION_UNSPECIFIED,
330 USER_INTERACTION_NONE, USER_INTERACTION_REQUIRED'
331 type: string
332 type: object
333 details:
334 description: Details of all known distros and packages affected
335 by this vulnerability.
336 items:
337 properties:
338 affectedCpeUri:
339 description: Required. The CPE URI (https://cpe.mitre.org/specification/)
340 this vulnerability affects.
341 type: string
342 affectedPackage:
343 description: Required. The package this vulnerability affects.
344 type: string
345 affectedVersionEnd:
346 description: 'The version number at the end of an interval
347 in which this vulnerability exists. A vulnerability can
348 affect a package between version numbers that are disjoint
349 sets of intervals (example: ) each of which will be represented
350 in its own Detail. If a specific affected version is provided
351 by a vulnerability database, affected_version_start and
352 affected_version_end will be the same in that Detail.'
353 properties:
354 epoch:
355 description: Used to correct mistakes in the version
356 numbering scheme.
357 format: int64
358 type: integer
359 fullName:
360 description: Human readable version string. This string
361 is of the form epoch:name-revision and is only set when kind is NORMAL.
362 type: string
363 kind:
364 description: 'Required. Distinguishes between sentinel
365 MIN/MAX versions and normal versions. Possible values:
366 VERSION_KIND_UNSPECIFIED, NORMAL, MINIMUM,
367 MAXIMUM'
368 type: string
369 name:
370 description: Required only when version kind is NORMAL.
371 The main part of the version name.
372 type: string
373 revision:
374 description: The iteration of the package build from
375 the above version.
376 type: string
377 required:
378 - kind
379 type: object
380 affectedVersionStart:
381 description: 'The version number at the start of an interval
382 in which this vulnerability exists. A vulnerability can
383 affect a package between version numbers that are disjoint
384 sets of intervals (example: ) each of which will be represented
385 in its own Detail. If a specific affected version is provided
386 by a vulnerability database, affected_version_start and
387 affected_version_end will be the same in that Detail.'
388 properties:
389 epoch:
390 description: Used to correct mistakes in the version
391 numbering scheme.
392 format: int64
393 type: integer
394 fullName:
395 description: Human readable version string. This string
396 is of the form epoch:name-revision and is only set when kind is NORMAL.
397 type: string
398 kind:
399 description: 'Required. Distinguishes between sentinel
400 MIN/MAX versions and normal versions. Possible values:
401 VERSION_KIND_UNSPECIFIED, NORMAL, MINIMUM,
402 MAXIMUM'
403 type: string
404 name:
405 description: Required only when version kind is NORMAL.
406 The main part of the version name.
407 type: string
408 revision:
409 description: The iteration of the package build from
410 the above version.
411 type: string
412 required:
413 - kind
414 type: object
415 description:
416 description: A vendor-specific description of this vulnerability.
417 type: string
418 fixedCpeUri:
419 description: The distro recommended CPE URI (https://cpe.mitre.org/specification/)
420 to update to that contains a fix for this vulnerability.
421 It is possible for this to be different from the affected_cpe_uri.
422 type: string
423 fixedPackage:
424 description: The distro recommended package to update to
425 that contains a fix for this vulnerability. It is possible
426 for this to be different from the affected_package.
427 type: string
428 fixedVersion:
429 description: The distro recommended version to update to
430 that contains a fix for this vulnerability. Setting this
431 to VersionKind.MAXIMUM means no such version is yet available.
432 properties:
433 epoch:
434 description: Used to correct mistakes in the version
435 numbering scheme.
436 format: int64
437 type: integer
438 fullName:
439 description: Human readable version string. This string
440 is of the form epoch:name-revision and is only set when kind is NORMAL.
441 type: string
442 kind:
443 description: 'Required. Distinguishes between sentinel
444 MIN/MAX versions and normal versions. Possible values:
445 VERSION_KIND_UNSPECIFIED, NORMAL, MINIMUM,
446 MAXIMUM'
447 type: string
448 name:
449 description: Required only when version kind is NORMAL.
450 The main part of the version name.
451 type: string
452 revision:
453 description: The iteration of the package build from
454 the above version.
455 type: string
456 required:
457 - kind
458 type: object
459 isObsolete:
460 description: Whether this detail is obsolete. Occurrences
461 are expected not to point to obsolete details.
462 type: boolean
463 packageType:
464 description: The type of package; whether native or non
465 native (e.g., ruby gems, node.js packages, etc.).
466 type: string
467 severityName:
468 description: The distro assigned severity of this vulnerability.
469 type: string
470 sourceUpdateTime:
471 description: The time this information was last changed
472 at the source. This is an upstream timestamp from the
473 underlying information source - e.g. Ubuntu security tracker.
474 format: date-time
475 type: string
476 required:
477 - affectedCpeUri
478 - affectedPackage
479 type: object
480 type: array
481 severity:
482 description: 'The note provider assigned severity of this vulnerability.
483 Possible values: SEVERITY_UNSPECIFIED, MINIMAL, LOW, MEDIUM,
484 HIGH, CRITICAL'
485 type: string
486 sourceUpdateTime:
487 description: The time this information was last changed at the
488 source. This is an upstream timestamp from the underlying information
489 source - e.g. Ubuntu security tracker.
490 format: date-time
491 type: string
492 windowsDetails:
493 description: Windows details get their own format because the
494 information format and model don't match a normal detail. Specifically
495 Windows updates are done as patches, thus Windows vulnerabilities
496 really are a missing package, rather than a package being at
497 an incorrect version.
498 items:
499 properties:
500 cpeUri:
501 description: Required. The CPE URI (https://cpe.mitre.org/specification/)
502 this vulnerability affects.
503 type: string
504 description:
505 description: The description of this vulnerability.
506 type: string
507 fixingKbs:
508 description: Required. The names of the KBs which have hotfixes
509 to mitigate this vulnerability. Note that there may be
510 multiple hotfixes (and thus multiple KBs) that mitigate
511 a given vulnerability. Currently any listed KBs presence
512 is considered a fix.
513 items:
514 properties:
515 name:
516 description: The KB name (generally of the form KB+
517 (e.g., KB123456)).
518 type: string
519 url:
520 description: A link to the KB in the Microsoft Update Catalog (https://www.catalog.update.microsoft.com/).
521 type: string
522 type: object
523 type: array
524 name:
525 description: Required. The name of this vulnerability.
526 type: string
527 required:
528 - cpeUri
529 - fixingKbs
530 - name
531 type: object
532 type: array
533 type: object
534 type: object
535 status:
536 properties:
537 conditions:
538 description: Conditions represent the latest available observation
539 of the resource's current state.
540 items:
541 properties:
542 lastTransitionTime:
543 description: Last time the condition transitioned from one status
544 to another.
545 type: string
546 message:
547 description: Human-readable message indicating details about
548 last transition.
549 type: string
550 reason:
551 description: Unique, one-word, CamelCase reason for the condition's
552 last transition.
553 type: string
554 status:
555 description: Status is the status of the condition. Can be True,
556 False, Unknown.
557 type: string
558 type:
559 description: Type is the type of the condition.
560 type: string
561 type: object
562 type: array
563 createTime:
564 description: Output only. The time this note was created. This field
565 can be used as a filter in list requests.
566 format: date-time
567 type: string
568 image:
569 properties:
570 fingerprint:
571 properties:
572 v2Name:
573 description: 'Output only. The name of the image''s v2 blobs
574 computed via: ) Only the name of the final blob is kept.'
575 type: string
576 type: object
577 type: object
578 observedGeneration:
579 description: ObservedGeneration is the generation of the resource
580 that was most recently observed by the Config Connector controller.
581 If this is equal to metadata.generation, then that means that the
582 current reported status reflects the most recent desired state of
583 the resource.
584 type: integer
585 updateTime:
586 description: Output only. The time this note was last updated. This
587 field can be used as a filter in list requests.
588 format: date-time
589 type: string
590 type: object
591 type: object
592 served: true
593 storage: true
594 subresources:
595 status: {}
596status:
597 acceptedNames:
598 kind: ""
599 plural: ""
600 conditions: []
601 storedVersions: []