POST /v1/images/scan
ScanImage scans a single image and returns the result
Code | Message | Datatype |
---|---|---|
200 | A successful response. | |
0 | An unexpected error response. | |
Enum Values |
---|
UNKNOWN_VULNERABILITY |
IMAGE_VULNERABILITY |
K8S_VULNERABILITY |
ISTIO_VULNERABILITY |
NODE_VULNERABILITY |
OPENSHIFT_VULNERABILITY |
`Any` contains an arbitrary serialized protocol buffer message along with a URL that describes the type of the serialized message.
Protobuf library provides support to pack/unpack Any values in the form of utility functions or additional generated methods of the Any type.
Example 1: Pack and unpack a message in C++.
```cpp
Foo foo = ...;
Any any;
any.PackFrom(foo);
...
if (any.UnpackTo(&foo)) {
  ...
}
```
Example 2: Pack and unpack a message in Java.
```java
Foo foo = ...;
Any any = Any.pack(foo);
...
if (any.is(Foo.class)) {
  foo = any.unpack(Foo.class);
}
// or ...
if (any.isSameTypeAs(Foo.getDefaultInstance())) {
  foo = any.unpack(Foo.getDefaultInstance());
}
```
Example 3: Pack and unpack a message in Python.
```python
foo = Foo(...)
any = Any()
any.Pack(foo)
...
if any.Is(Foo.DESCRIPTOR):
  any.Unpack(foo)
  ...
```
Example 4: Pack and unpack a message in Go.
```go
foo := &pb.Foo{...}
any, err := anypb.New(foo)
if err != nil {
  ...
}
...
foo := &pb.Foo{}
if err := any.UnmarshalTo(foo); err != nil {
  ...
}
```
The pack methods provided by protobuf library will by default use 'type.googleapis.com/full.type.name' as the type URL and the unpack methods only use the fully qualified type name after the last '/' in the type URL, for example "foo.bar.com/x/y.z" will yield type name "y.z".
The JSON representation of an `Any` value uses the regular representation of the deserialized, embedded message, with an additional field `@type` which contains the type URL. Example:
```proto
package google.profile;
message Person {
  string first_name = 1;
  string last_name = 2;
}
```
```
{
  "@type": "type.googleapis.com/google.profile.Person",
  "firstName": <string>,
  "lastName": <string>
}
```
If the embedded message type is well-known and has a custom JSON representation, that representation will be embedded adding a field `value` which holds the custom JSON in addition to the `@type` field. Example (for message `google.protobuf.Duration`):
```
{
  "@type": "type.googleapis.com/google.protobuf.Duration",
  "value": "1.212s"
}
```
Field Name | Required | Nullable | Type | Description | Format |
---|---|---|---|---|---|
typeUrl | | | String | A URL/resource name that uniquely identifies the type of the serialized protocol buffer message. This string must contain at least one "/" character. The last segment of the URL’s path must represent the fully qualified name of the type (as in | |
value | | | byte[] | Must be a valid serialized protocol buffer of the above specified type. | byte |
Field Name | Required | Nullable | Type | Description | Format |
---|---|---|---|---|---|
error | | | String | | |
code | | | Integer | | int32 |
message | | | String | | |
details | | | List of ProtobufAny | | |
Field Name | Required | Nullable | Type | Description | Format |
---|---|---|---|---|---|
vector | | | String | | |
attackVector | | | | | ATTACK_LOCAL, ATTACK_ADJACENT, ATTACK_NETWORK |
accessComplexity | | | | | ACCESS_HIGH, ACCESS_MEDIUM, ACCESS_LOW |
authentication | | | | | AUTH_MULTIPLE, AUTH_SINGLE, AUTH_NONE |
confidentiality | | | | | IMPACT_NONE, IMPACT_PARTIAL, IMPACT_COMPLETE |
integrity | | | | | IMPACT_NONE, IMPACT_PARTIAL, IMPACT_COMPLETE |
availability | | | | | IMPACT_NONE, IMPACT_PARTIAL, IMPACT_COMPLETE |
exploitabilityScore | | | Float | | float |
impactScore | | | Float | | float |
score | | | Float | | float |
severity | | | | | UNKNOWN, LOW, MEDIUM, HIGH |
Field Name | Required | Nullable | Type | Description | Format |
---|---|---|---|---|---|
vector | | | String | | |
exploitabilityScore | | | Float | | float |
impactScore | | | Float | | float |
attackVector | | | | | ATTACK_LOCAL, ATTACK_ADJACENT, ATTACK_NETWORK, ATTACK_PHYSICAL |
attackComplexity | | | | | COMPLEXITY_LOW, COMPLEXITY_HIGH |
privilegesRequired | | | | | PRIVILEGE_NONE, PRIVILEGE_LOW, PRIVILEGE_HIGH |
userInteraction | | | | | UI_NONE, UI_REQUIRED |
scope | | | | | UNCHANGED, CHANGED |
confidentiality | | | | | IMPACT_NONE, IMPACT_LOW, IMPACT_HIGH |
integrity | | | | | IMPACT_NONE, IMPACT_LOW, IMPACT_HIGH |
availability | | | | | IMPACT_NONE, IMPACT_LOW, IMPACT_HIGH |
score | | | Float | | float |
severity | | | | | UNKNOWN, NONE, LOW, MEDIUM, HIGH, CRITICAL |
Field Name | Required | Nullable | Type | Description | Format |
---|---|---|---|---|---|
rawSignature | | | byte[] | | byte |
signaturePayload | | | byte[] | | byte |
certPem | | | byte[] | | byte |
certChainPem | | | byte[] | | byte |
Field Name | Required | Nullable | Type | Description | Format |
---|---|---|---|---|---|
id | | | String | | |
name | | | String | | |
mirror | | | String | | |
Next Tag: 13
Field Name | Required | Nullable | Type | Description | Format |
---|---|---|---|---|---|
name | | | String | | |
version | | | String | | |
license | | | | | |
vulns | | | List of StorageEmbeddedVulnerability | | |
layerIndex | | | Integer | | int32 |
priority | | | String | | int64 |
source | | | | | OS, PYTHON, JAVA, RUBY, NODEJS, GO, DOTNETCORERUNTIME, INFRASTRUCTURE |
location | | | String | | |
topCvss | | | Float | | float |
riskScore | | | Float | | float |
fixedBy | | | String | Component version that fixes all the fixable vulnerabilities in this component. | |
executables | | | | | |
Field Name | Required | Nullable | Type | Description | Format |
---|---|---|---|---|---|
path | | | String | | |
dependencies | | | List of | | |
Next Tag: 21
Field Name | Required | Nullable | Type | Description | Format |
---|---|---|---|---|---|
cve | | | String | | |
cvss | | | Float | | float |
summary | | | String | | |
link | | | String | | |
fixedBy | | | String | | |
scoreVersion | | | | | V2, V3 |
cvssV2 | | | | | |
cvssV3 | | | | | |
publishedOn | | | Date | | date-time |
lastModified | | | Date | | date-time |
vulnerabilityType | | | | | UNKNOWN_VULNERABILITY, IMAGE_VULNERABILITY, K8S_VULNERABILITY, ISTIO_VULNERABILITY, NODE_VULNERABILITY, OPENSHIFT_VULNERABILITY |
vulnerabilityTypes | | | | | |
suppressed | | | Boolean | | |
suppressActivation | | | Date | | date-time |
suppressExpiry | | | Date | | date-time |
firstSystemOccurrence | | | Date | Time when the CVE was first seen, for this specific distro, in the system. | date-time |
firstImageOccurrence | | | Date | Time when the CVE was first seen in this image. | date-time |
severity | | | | | UNKNOWN_VULNERABILITY_SEVERITY, LOW_VULNERABILITY_SEVERITY, MODERATE_VULNERABILITY_SEVERITY, IMPORTANT_VULNERABILITY_SEVERITY, CRITICAL_VULNERABILITY_SEVERITY |
state | | | | | OBSERVED, DEFERRED, FALSE_POSITIVE |
Next Tag: 19
Field Name | Required | Nullable | Type | Description | Format |
---|---|---|---|---|---|
id | | | String | | |
name | | | | | |
names | | | List of StorageImageName | This should deprecate the ImageName field long-term, allowing images with the same digest to be associated with different locations. TODO(dhaus): For now, this message will be without search tags due to duplicated search tags otherwise. | |
metadata | | | | | |
scan | | | | | |
signatureVerificationData | | | | | |
signature | | | | | |
components | | | Integer | | int32 |
cves | | | Integer | | int32 |
fixableCves | | | Integer | | int32 |
lastUpdated | | | Date | | date-time |
notPullable | | | Boolean | | |
isClusterLocal | | | Boolean | | |
priority | | | String | | int64 |
riskScore | | | Float | | float |
topCvss | | | Float | | float |
notes | | | List of StorageImageNote | | |
Field Name | Required | Nullable | Type | Description | Format |
---|---|---|---|---|---|
instruction | | | String | | |
value | | | String | | |
created | | | Date | | date-time |
author | | | String | | |
empty | | | Boolean | | |
If any fields of ImageMetadata are modified including subfields, please check pkg/images/enricher/metadata.go to ensure that those changes will be automatically picked up Next Tag: 6
Field Name | Required | Nullable | Type | Description | Format |
---|---|---|---|---|---|
v1 | | | | | |
v2 | | | | | |
layerShas | | | List of | | |
dataSource | | | | | |
version | | | String | | uint64 |
Field Name | Required | Nullable | Type | Description | Format |
---|---|---|---|---|---|
registry | | | String | | |
remote | | | String | | |
tag | | | String | | |
fullName | | | String | | |
Enum Values |
---|
MISSING_METADATA |
MISSING_SCAN_DATA |
MISSING_SIGNATURE |
MISSING_SIGNATURE_VERIFICATION_DATA |
Next tag: 8
Field Name | Required | Nullable | Type | Description | Format |
---|---|---|---|---|---|
scannerVersion | | | String | | |
scanTime | | | Date | | date-time |
components | | | | | |
operatingSystem | | | String | | |
dataSource | | | | | |
notes | | | List of StorageImageScanNote | | |
hash | | | String | | uint64 |
Enum Values |
---|
UNSET |
OS_UNAVAILABLE |
PARTIAL_SCAN_DATA |
OS_CVES_UNAVAILABLE |
OS_CVES_STALE |
LANGUAGE_CVES_UNAVAILABLE |
CERTIFIED_RHEL_SCAN_UNAVAILABLE |
Field Name | Required | Nullable | Type | Description | Format |
---|---|---|---|---|---|
signatures | | | List of StorageSignature | | |
fetched | | | Date | | date-time |
Next Tag: 6
Field Name | Required | Nullable | Type | Description | Format |
---|---|---|---|---|---|
verificationTime | | | Date | | date-time |
verifierId | | | String | verifier_id correlates to the ID of the signature integration used to verify the signature. | |
status | | | | | UNSET, VERIFIED, FAILED_VERIFICATION, INVALID_SIGNATURE_ALGO, CORRUPTED_SIGNATURE, GENERIC_ERROR |
description | | | String | description is set in the case of an error with the specific error’s message. Otherwise, this will not be set. | |
verifiedImageReferences | | | List of | The full image names that are verified by this specific signature integration ID. | |
Status represents the status of the result.
VERIFIED: VERIFIED is set when the signature’s verification was successful.
FAILED_VERIFICATION: FAILED_VERIFICATION is set when the signature’s verification failed.
INVALID_SIGNATURE_ALGO: INVALID_SIGNATURE_ALGO is set when the signature’s algorithm is invalid and unsupported.
CORRUPTED_SIGNATURE: CORRUPTED_SIGNATURE is set when the raw signature is corrupted, i.e. wrong base64 encoding.
GENERIC_ERROR: GENERIC_ERROR is set when an error occurred during verification that cannot be associated with a specific status.
Enum Values |
---|
UNSET |
VERIFIED |
FAILED_VERIFICATION |
INVALID_SIGNATURE_ALGO |
CORRUPTED_SIGNATURE |
GENERIC_ERROR |
Field Name | Required | Nullable | Type | Description | Format |
---|---|---|---|---|---|
name | | | String | | |
type | | | String | | |
url | | | String | | |
Field Name | Required | Nullable | Type | Description | Format |
---|---|---|---|---|---|
digest | | | String | | |
created | | | Date | | date-time |
author | | | String | | |
layers | | | List of StorageImageLayer | | |
user | | | String | | |
command | | | List of | | |
entrypoint | | | List of | | |
volumes | | | List of | | |
labels | | | Map of | | |
Enum Values |
---|
UNKNOWN_VULNERABILITY_SEVERITY |
LOW_VULNERABILITY_SEVERITY |
MODERATE_VULNERABILITY_SEVERITY |
IMPORTANT_VULNERABILITY_SEVERITY |
CRITICAL_VULNERABILITY_SEVERITY |
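
Evaluating a ScanImage response in a pipeline gate, as an added example that is not part of this reference or the project's code. It assumes the response body is JSON shaped like the field tables above (image, then `scan`, `components`, `vulns`), that enums are serialized by name, and that the two note enums apply to the image and scan `notes` fields; the blocking policy, `evaluate_scan` and the sample data are constructed for illustration.

```python
import json

# Constructed sample shaped after the field tables above; not real scanner output.
SAMPLE_IMAGE = json.loads("""
{"id": "sha256:constructed", "notes": [],
 "scan": {"notes": ["OS_CVES_STALE"], "components": [
   {"name": "libexample", "version": "1.0.0", "vulns": [
     {"cve": "CVE-0000-0001", "severity": "CRITICAL_VULNERABILITY_SEVERITY",
      "fixedBy": "1.0.1", "suppressed": false, "state": "OBSERVED"},
     {"cve": "CVE-0000-0002", "severity": "IMPORTANT_VULNERABILITY_SEVERITY",
      "fixedBy": "", "suppressed": false, "state": "OBSERVED"},
     {"cve": "CVE-0000-0003", "severity": "CRITICAL_VULNERABILITY_SEVERITY",
      "fixedBy": "1.0.1", "suppressed": true, "state": "DEFERRED"}]}]}}
""")

# Illustrative policy (an assumption, not a product default): block on fixable
# IMPORTANT/CRITICAL findings that are neither suppressed nor deferred.
BLOCKING = {"IMPORTANT_VULNERABILITY_SEVERITY", "CRITICAL_VULNERABILITY_SEVERITY"}
# Scan notes read here, from their names, as "the CVE list may be incomplete".
INCOMPLETE = {"OS_UNAVAILABLE", "PARTIAL_SCAN_DATA", "OS_CVES_UNAVAILABLE",
              "OS_CVES_STALE", "LANGUAGE_CVES_UNAVAILABLE"}


def evaluate_scan(image):
    """Return (passed, reasons) for one image object from a scan response."""
    scan = image.get("scan")
    if not scan or "MISSING_SCAN_DATA" in (image.get("notes") or []):
        # An image without scan data lists zero CVEs; that is not a pass.
        return False, ["no scan data: image cannot be assessed"]
    reasons = [f"incomplete scan: {n}" for n in (scan.get("notes") or [])
               if n in INCOMPLETE]
    for comp in scan.get("components") or []:
        for vuln in comp.get("vulns") or []:
            if vuln.get("suppressed") or vuln.get("state", "OBSERVED") != "OBSERVED":
                continue  # DEFERRED or FALSE_POSITIVE: already triaged
            if vuln.get("severity") in BLOCKING and vuln.get("fixedBy"):
                reasons.append(f"{vuln.get('cve')} in {comp.get('name')} "
                               f"{comp.get('version')}: fixed by {vuln['fixedBy']}")
    return not reasons, reasons


if __name__ == "__main__":
    ok, why = evaluate_scan(SAMPLE_IMAGE)
    print("PASS" if ok else "FAIL", *why, sep="\n  ")
```

The gate fails closed: a response with no `scan` object, or with a scan note indicating missing or stale CVE data, is reported as a failure instead of being read as "no vulnerabilities".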