Diese Seite wurde von der Cloud Translation API übersetzt.

Benutzerdefinierte Notizen und Vorkommnisse erstellen

Für besondere geschäftliche Anforderungen können Sie Artefaktanalyse Ihre eigenen Metadaten zur Verfügung stellen. Beispielsweise kann ein Unternehmen, das Sicherheitsmanagement für die Docker-Container seiner Kunden bereitstellt, mithilfe von Artefaktanalyse sicherheitsbezogene Metadaten für diese Images speichern und abrufen.

Führen Sie die folgenden Schritte aus, um mit der Artifact Analysis API benutzerdefinierte Metadaten für Sicherheitslücken für Ihre Images bereitzustellen. Dieselbe Anleitung gilt für das Speichern und Abrufen jeder Art von Metadaten, die in der Artefaktanalyse unterstützt werden.

Hinweise

Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.

In the Google Cloud console, on the project selector page, select or create a Google Cloud project.

Go to project selector

Enable the Container Analysis API.

Enable the API

Install the Google Cloud CLI.

If you're using an external identity provider (IdP), you must first sign in to the gcloud CLI with your federated identity.

To initialize the gcloud CLI, run the following command:

gcloud init

In the Google Cloud console, on the project selector page, select or create a Google Cloud project.

Go to project selector

Enable the Container Analysis API.

Enable the API

Install the Google Cloud CLI.

If you're using an external identity provider (IdP), you must first sign in to the gcloud CLI with your federated identity.

To initialize the gcloud CLI, run the following command:

gcloud init

Weitere Informationen zum Einrichten der Zugriffssteuerung für Metadaten in Ihrem Projekt Überspringen Sie diesen Schritt, wenn Sie nur Metadaten von Sicherheitslücken verwenden, die durch das Container-Scannen der Artefaktanalyse erstellt wurden.

Hinweise und Vorkommen für Projekte erstellen

In diesem Abschnitt wird beschrieben, wie Sie Hinweise und Vorkommen erstellen. In diesem Beispiel verwenden Sie die Art VULNERABILITY.

Als Anbieter erstellen Sie für jede Sicherheitslücke einen Hinweis in Ihrem Projekt und außerdem ein Vorkommen im Projekt Ihres Kunden für ein Auftreten dieser Sicherheitslücke.

Notizen erstellen

So erstellen Sie eine Notiz und geben ihr eine Notiz-ID:

API

Erstellen Sie eine Datei namens note.json mit einer Beschreibung und Details zur Sicherheitslücke. Der folgende Code zeigt eine note.json-Beispieldatei:

{
    "shortDescription": "A brief Description of the note",
    "longDescription": "A longer description of the note",
    "kind": "VULNERABILITY",
    "vulnerability": {
        "details": [
        {
            "affectedPackage": "libexempi3",
            "affectedCpeUri": "cpe:/o:debian:debian_linux:7",
            "affectedVersionStart": { "name": "2.5.7", "revision": "1", "kind": "MINIMUM"},
            "affectedVersionEnd": { "name": "2.5.9", "revision": "1", "kind": "MINIMUM"},
        },
        {
            "affectedCpeUri": "cpe:/o:debian:abc:10",
            "affectedPackage": "anotherPackage",
        }
        ]
    }
}

Weitere Informationen zur JSON-Darstellung von Notizen finden Sie in der API-Dokumentation für Notizen.

Führen Sie den folgenden curl-Befehl aus, um eine Notiz zu erstellen:

curl -v -H "Content-Type: application/json" -H \
  "Authorization: Bearer $(gcloud auth print-access-token)" \
  https://containeranalysis.googleapis.com/v1/projects/PROVIDER_PROJECT_ID/notes?note_id=NOTE_ID -d @note.json

Wobei:

PROVIDER_PROJECT_ID ist die Projekt-ID.
NOTE_ID gibt eine Kennung für Ihre Notiz an. Verwenden Sie einen String mit einer maximalen Länge von 100 Zeichen.

Java

Informationen zum Installieren und Verwenden der Clientbibliothek für die Artefaktanalyse finden Sie unter Clientbibliotheken für die Artefaktanalyse. Weitere Informationen finden Sie in der Referenzdokumentation zur Artifact Analysis Java API.

Richten Sie zur Authentifizierung bei der Artefaktanalyse Standardanmeldedaten für Anwendungen ein. Weitere Informationen finden Sie unter Authentifizierung für eine lokale Entwicklungsumgebung einrichten.

import com.google.cloud.devtools.containeranalysis.v1.ContainerAnalysisClient;
import io.grafeas.v1.GrafeasClient;
import io.grafeas.v1.Note;
import io.grafeas.v1.ProjectName;
import io.grafeas.v1.Version;
import io.grafeas.v1.VulnerabilityNote;
import java.io.IOException;
import java.lang.InterruptedException;


public class CreateNote {

  // Creates and returns a new Note
  public static Note createNote(String noteId, String projectId)
      throws IOException, InterruptedException {
    // String noteId = "my-note";
    // String projectId = "my-project-id";
    final String projectName = ProjectName.format(projectId);


    Note newNote = Note.newBuilder()
        // Associate the Note with the metadata type
        // https://cloud.google.com/container-registry/docs/container-analysis#supported_metadata_types
        // Here, we use the type "vulnerability"
        .setVulnerability(VulnerabilityNote.newBuilder()
            .addDetails(VulnerabilityNote.Detail.newBuilder()
                .setAffectedCpeUri("your-uri-here")
                .setAffectedPackage("your-package-here")
                .setAffectedVersionStart(Version.newBuilder()
                    .setKind(Version.VersionKind.MINIMUM))
                .setAffectedVersionEnd(Version.newBuilder()
                    .setKind(Version.VersionKind.MAXIMUM))))
        .build();

    // Initialize client that will be used to send requests. After completing all of your requests, 
    // call the "close" method on the client to safely clean up any remaining background resources.
    GrafeasClient client = ContainerAnalysisClient.create().getGrafeasClient();
    Note result = client.createNote(projectName, noteId, newNote);
    return result;
  }
}

Go


import (
	"context"
	"fmt"

	containeranalysis "cloud.google.com/go/containeranalysis/apiv1"
	grafeaspb "google.golang.org/genproto/googleapis/grafeas/v1"
)

// createNote creates and returns a new vulnerability Note.
func createNote(noteID, projectID string) (*grafeaspb.Note, error) {
	ctx := context.Background()
	client, err := containeranalysis.NewClient(ctx)
	if err != nil {
		return nil, fmt.Errorf("NewClient: %w", err)
	}
	defer client.Close()

	projectName := fmt.Sprintf("projects/%s", projectID)

	req := &grafeaspb.CreateNoteRequest{
		Parent: projectName,
		NoteId: noteID,
		Note: &grafeaspb.Note{
			Type: &grafeaspb.Note_Vulnerability{
				// The 'Vulnerability' field can be modified to contain information about your vulnerability.
				Vulnerability: &grafeaspb.VulnerabilityNote{
					Details: []*grafeaspb.VulnerabilityNote_Detail{
						{
							AffectedCpeUri:  "your-uri-here",
							AffectedPackage: "your-package-here",
							AffectedVersionStart: &grafeaspb.Version{
								Kind: grafeaspb.Version_MINIMUM,
							},
							AffectedVersionEnd: &grafeaspb.Version{
								Kind: grafeaspb.Version_MAXIMUM,
							},
						},
					},
				},
			},
		},
	}

	return client.GetGrafeasClient().CreateNote(ctx, req)
}

Node.js

/**
 * TODO(developer): Uncomment these variables before running the sample
 */
// const projectId = 'your-project-id', // Your GCP Project ID
// const noteId = 'my-note-id' // Id of the note

// Import the library and create a client
const {ContainerAnalysisClient} = require('@google-cloud/containeranalysis');
const client = new ContainerAnalysisClient();

// Construct request
// Associate the Note with a metadata type
// https://cloud.google.com/container-registry/docs/container-analysis#supported_metadata_types
// Here, we use the type "vulnerabiltity"
const formattedParent = client.getGrafeasClient().projectPath(projectId);

// Creates and returns a new Note
const [note] = await client.getGrafeasClient().createNote({
  parent: formattedParent,
  noteId: noteId,
  note: {
    vulnerability: {
      details: [
        {
          affectedCpeUri: 'foo.uri',
          affectedPackage: 'foo',
          affectedVersionStart: {
            kind: 'MINIMUM',
          },
          affectedVersionEnd: {
            kind: 'MAXIMUM',
          },
        },
      ],
    },
  },
});

console.log(`Note ${note.name} created.`);

Ruby

# note_id    = "A user-specified identifier for the note"
# project_id = "Your Google Cloud project ID"

require "google/cloud/container_analysis"

# Initialize the client
client = Google::Cloud::ContainerAnalysis.container_analysis.grafeas_client

parent = client.project_path project: project_id
note = {
  vulnerability: {
    details: [
      {
        affected_cpe_uri:       "your-uri-here",
        affected_package:       "your-package-here",
        affected_version_start: { kind: :MINIMUM },
        fixed_version:          { kind: :MAXIMUM }
      }
    ]
  }
}
response = client.create_note parent: parent, note_id: note_id, note: note
puts response.name

Python

from google.cloud.devtools import containeranalysis_v1
from grafeas.grafeas_v1 import types, Version


def create_note(note_id: str, project_id: str) -> types.grafeas.Note:
    """Creates and returns a new vulnerability note."""
    # note_id = 'my-note'
    # project_id = 'my-gcp-project'

    client = containeranalysis_v1.ContainerAnalysisClient()
    grafeas_client = client.get_grafeas_client()
    project_name = f"projects/{project_id}"
    note = {
        "vulnerability": {
            "details": [
                {
                    "affected_cpe_uri": "your-uri-here",
                    "affected_package": "your-package-here",
                    "affected_version_start": {"kind": Version.VersionKind.MINIMUM},
                    "fixed_version": {"kind": Version.VersionKind.MAXIMUM},
                }
            ]
        }
    }
    response = grafeas_client.create_note(
        parent=project_name, note_id=note_id, note=note
    )
    return response

Vorkommen für Notizen erstellen

Vorkommen für einen Hinweis erstellen:

API

Erstellen Sie eine Datei mit dem Namen occurrence.json und mit folgendem Inhalt:

{
    "resourceUri": "<resource_url>",
    "noteName": "projects/<provider-project-id>/notes/<note_id>",
    "kind": "VULNERABILITY",
    "vulnerability": {
        "packageIssue": [{
           "affectedCpeUri": "cpe:/o:debian_linux:7",
           "affectedPackage": "packageName",
           "affectedVersion": {
              "kind": "NORMAL",
              "name": "8.1",
              "revision": "3"
           },
           "fixedCpeUri": "cpe:/o:debian_linux:7",
           "fixedPackage": "packageName",
           "fixedVersion": {
              "kind": "MAXIMUM"
           }
        }]
        "severity": "LOW"
    }
}

Wobei:

resource_url ist die URL der Ressource, die mit dem Vorkommen verknüpft ist, z. B. https://us-central1-docker.pkg.dev/my-project/my-repository/my-image@sha256:123.
note_id gibt eine Kennung für Ihre Notiz an. Verwenden Sie einen String mit einer maximalen Länge von 100 Zeichen.

Weitere Informationen zur JSON-Darstellung von Vorkommen finden Sie in der Dokumentation zur Occurrences API.

Führen Sie den folgenden curl-Befehl aus, wobei CUSTOMER_PROJECT_ID die Projekt-ID Ihres Kunden ist:

curl -v -H "Content-Type: application/json" -H \
  "Authorization: Bearer $(gcloud auth print-access-token)" \
  https://containeranalysis.googleapis.com/v1/projects/CUSTOMER_PROJECT_ID/occurrences -d @occurrence.json

Java

import com.google.cloud.devtools.containeranalysis.v1.ContainerAnalysisClient;
import io.grafeas.v1.GrafeasClient;
import io.grafeas.v1.NoteName;
import io.grafeas.v1.Occurrence;
import io.grafeas.v1.ProjectName;
import io.grafeas.v1.Version;
import io.grafeas.v1.VulnerabilityOccurrence;
import io.grafeas.v1.VulnerabilityOccurrence.PackageIssue;
import java.io.IOException;
import java.lang.InterruptedException;

public class CreateOccurrence {
  // Creates and returns a new vulnerability Occurrence associated with an existing Note
  public static Occurrence createOccurrence(String resourceUrl, String noteId, 
      String occProjectId, String noteProjectId) throws IOException, InterruptedException {
    // String resourceUrl = "https://gcr.io/project/image@sha256:123";
    // String noteId = "my-note";
    // String occProjectId = "my-project-id";
    // String noteProjectId = "my-project-id";
    final NoteName noteName = NoteName.of(noteProjectId, noteId);
    final String occProjectName = ProjectName.format(occProjectId);

    Occurrence newOcc = Occurrence.newBuilder()
        .setNoteName(noteName.toString())
        .setResourceUri(resourceUrl)
        .setVulnerability(VulnerabilityOccurrence.newBuilder()
            .addPackageIssue(PackageIssue.newBuilder()
                .setAffectedCpeUri("your-uri-here")
                .setAffectedPackage("your-package-here")
                .setAffectedVersion(Version.newBuilder()
                    .setKind(Version.VersionKind.MINIMUM))
                .setFixedVersion(Version.newBuilder()
                    .setKind(Version.VersionKind.MAXIMUM))))
        .build();

    // Initialize client that will be used to send requests. After completing all of your requests, 
    // call the "close" method on the client to safely clean up any remaining background resources.
    GrafeasClient client = ContainerAnalysisClient.create().getGrafeasClient();
    Occurrence result = client.createOccurrence(occProjectName, newOcc);
    return result;
  }
}

Go


import (
	"context"
	"fmt"

	containeranalysis "cloud.google.com/go/containeranalysis/apiv1"
	grafeaspb "google.golang.org/genproto/googleapis/grafeas/v1"
)

// createsOccurrence creates and returns a new Occurrence of a previously created vulnerability Note.
func createOccurrence(resourceURL, noteID, occProjectID, noteProjectID string) (*grafeaspb.Occurrence, error) {
	// Use this style of URL when you use Google Container Registry.
	// resourceURL := "https://gcr.io/my-project/my-repo/my-image"
	// Use this style of URL when you use Google Artifact Registry.
	// resourceURL := "https://LOCATION-docker.pkg.dev/my-project/my-repo/my-image"
	// noteID := "my-note"
	ctx := context.Background()
	client, err := containeranalysis.NewClient(ctx)
	if err != nil {
		return nil, fmt.Errorf("NewClient: %w", err)
	}
	defer client.Close()

	req := &grafeaspb.CreateOccurrenceRequest{
		Parent: fmt.Sprintf("projects/%s", occProjectID),
		Occurrence: &grafeaspb.Occurrence{
			NoteName: fmt.Sprintf("projects/%s/notes/%s", noteProjectID, noteID),
			// Attach the occurrence to the associated resource uri.
			ResourceUri: resourceURL,
			// Details about the vulnerability instance can be added here.
			Details: &grafeaspb.Occurrence_Vulnerability{
				Vulnerability: &grafeaspb.VulnerabilityOccurrence{
					PackageIssue: []*grafeaspb.VulnerabilityOccurrence_PackageIssue{
						{
							AffectedCpeUri:  "your-uri-here",
							AffectedPackage: "your-package-here",
							AffectedVersion: &grafeaspb.Version{
								Kind: grafeaspb.Version_MINIMUM,
							},
							FixedVersion: &grafeaspb.Version{
								Kind: grafeaspb.Version_MAXIMUM,
							},
						},
					},
				},
			},
		},
	}
	return client.GetGrafeasClient().CreateOccurrence(ctx, req)
}

Node.js

/**
 * TODO(developer): Uncomment these variables before running the sample
 */
// const noteProjectId = 'your-project-id', // Your GCP Project Id
// const noteId = 'my-note-id', // Id of the note
// const occurrenceProjectId = 'your-project-id', // GCP Project Id of Occurrence
// If you are using Google Container Registry
// const imageUrl = 'https://gcr.io/my-project/my-repo/my-image:123' // Image to attach metadata to
// If you are using Google Artifact Registry
// const imageUrl = 'https://LOCATION-docker.pkg.dev/my-project/my-repo/my-image:123' // Image to attach metadata to

// Import the library and create a client
const {ContainerAnalysisClient} = require('@google-cloud/containeranalysis');
const client = new ContainerAnalysisClient();

// Construct request
const formattedParent = client
  .getGrafeasClient()
  .projectPath(occurrenceProjectId);
const formattedNote = client
  .getGrafeasClient()
  .notePath(noteProjectId, noteId);

// Creates and returns a new Occurrence associated with an existing Note
const [occurrence] = await client.getGrafeasClient().createOccurrence({
  parent: formattedParent,
  occurrence: {
    noteName: formattedNote,
    resourceUri: imageUrl,
    vulnerability: {
      packageIssue: [
        {
          affectedCpeUri: 'foo.uri',
          affectedPackage: 'foo',
          affectedVersion: {
            kind: 'MINIMUM',
          },
          fixedVersion: {
            kind: 'MAXIMUM',
          },
        },
      ],
    },
  },
});
console.log(`Occurrence created ${occurrence.name}.`);
return occurrence;

Ruby

# resource_url       = "The URL of the resource associated with the occurrence."
#                      # If you are using Google Container Registry
#                      # e.g. https://gcr.io/project/repo/image@sha256:123
#                      # If you are using Google Artifact Registry
#                      # e.g. https://LOCATION-docker.pkg.dev/project/repo/image@sha256:123
# note_id            = "The identifier of the note associated with the occurrence"
# occurrence_project = "The Google Cloud project ID for the new occurrence"
# note_project       = "The Google Cloud project ID of the associated note"

require "google/cloud/container_analysis"

# Initialize the client
client = Google::Cloud::ContainerAnalysis.container_analysis.grafeas_client
note_path = client.note_path project: note_project, note: note_id
project_path = client.project_path project: occurrence_project

occurrence = {
  note_name:     note_path,
  resource_uri:  resource_url,
  vulnerability: {
    package_issue: [
      {
        affected_cpe_uri: "your-uri-here:",
        affected_package: "your-package-here",
        affected_version: { kind: :MINIMUM },
        fixed_version:    { kind: :MAXIMUM }
      }
    ]
  }
}

response = client.create_occurrence parent: project_path, occurrence: occurrence
puts response.name

Python

from google.cloud.devtools import containeranalysis_v1
from grafeas.grafeas_v1 import types, Version


def create_occurrence(
    resource_url: str, note_id: str, occurrence_project: str, note_project: str
) -> types.grafeas.Occurrence:
    """Creates and returns a new occurrence of a previously
    created vulnerability note."""
    # resource_url = 'https://gcr.io/my-project/my-image@sha256:123'
    # note_id = 'my-note'
    # occurrence_project = 'my-gcp-project'
    # note_project = 'my-gcp-project'

    client = containeranalysis_v1.ContainerAnalysisClient()
    grafeas_client = client.get_grafeas_client()
    formatted_note = f"projects/{note_project}/notes/{note_id}"
    formatted_project = f"projects/{occurrence_project}"

    occurrence = {
        "note_name": formatted_note,
        "resource_uri": resource_url,
        "vulnerability": {
            "package_issue": [
                {
                    "affected_cpe_uri": "your-uri-here",
                    "affected_package": "your-package-here",
                    "affected_version": {"kind": Version.VersionKind.MINIMUM},
                    "fixed_version": {"kind": Version.VersionKind.MAXIMUM},
                }
            ]
        },
    }

    return grafeas_client.create_occurrence(
        parent=formatted_project, occurrence=occurrence
    )

Alle Vorkommen für einen bestimmten Hinweis abrufen

Mit notes.occurrences.list() können Sie alle Vorkommen einer bestimmten Sicherheitslücke in sämtlichen Projekten Ihres Kunden aufrufen.

API

Senden Sie zum Auflisten aller Vorkommen für einen Hinweis folgende GET-Anfrage:

GET https://containeranalysis.googleapis.com/v1/projects/PROJECT_ID/notes/NOTE_ID/occurrences

Ausführliche Informationen finden Sie unter dem API-Endpunkt projects.notes.occurrences.list.

Java

import static java.lang.Thread.sleep;

import com.google.cloud.devtools.containeranalysis.v1.ContainerAnalysisClient;
import io.grafeas.v1.GrafeasClient;
import io.grafeas.v1.ListNoteOccurrencesRequest;
import io.grafeas.v1.NoteName;
import io.grafeas.v1.Occurrence;
import java.io.IOException;
import java.lang.InterruptedException;

public class OccurrencesForNote {  
  // Retrieves all the Occurrences associated with a specified Note
  // Here, all Occurrences are printed and counted
  public static int getOccurrencesForNote(String noteId, String projectId) 
      throws IOException, InterruptedException {
    // String noteId = "my-note";
    // String projectId = "my-project-id";
    final NoteName noteName = NoteName.of(projectId, noteId);

    ListNoteOccurrencesRequest request = ListNoteOccurrencesRequest.newBuilder()
                                                                   .setName(noteName.toString())
                                                                   .build();

    // Initialize client that will be used to send requests. After completing all of your requests, 
    // call the "close" method on the client to safely clean up any remaining background resources.
    GrafeasClient client = ContainerAnalysisClient.create().getGrafeasClient();
    int i = 0;
    for (Occurrence o : client.listNoteOccurrences(request).iterateAll()) {
      // Write custom code to process each Occurrence here
      System.out.println(o.getName());
      i = i + 1;
    }
    return i;
  }
}

Go


import (
	"context"
	"fmt"
	"io"

	containeranalysis "cloud.google.com/go/containeranalysis/apiv1"
	"google.golang.org/api/iterator"
	grafeaspb "google.golang.org/genproto/googleapis/grafeas/v1"
)

// getOccurrencesForNote retrieves all the Occurrences associated with a specified Note.
// Here, all Occurrences are printed and counted.
func getOccurrencesForNote(w io.Writer, noteID, projectID string) (int, error) {
	// noteID := fmt.Sprintf("my-note")
	ctx := context.Background()
	client, err := containeranalysis.NewClient(ctx)
	if err != nil {
		return -1, fmt.Errorf("NewClient: %w", err)
	}
	defer client.Close()

	req := &grafeaspb.ListNoteOccurrencesRequest{
		Name: fmt.Sprintf("projects/%s/notes/%s", projectID, noteID),
	}
	it := client.GetGrafeasClient().ListNoteOccurrences(ctx, req)
	count := 0
	for {
		occ, err := it.Next()
		if err == iterator.Done {
			break
		}
		if err != nil {
			return -1, fmt.Errorf("occurrence iteration error: %w", err)
		}
		// Write custom code to process each Occurrence here.
		fmt.Fprintln(w, occ)
		count = count + 1
	}
	return count, nil
}

Node.js

/**
 * TODO(developer): Uncomment these variables before running the sample
 */
// const projectId = 'your-project-id', // Your GCP Project ID
// const noteId = 'my-note-id' // Id of the note

// Import the library and create a client
const {ContainerAnalysisClient} = require('@google-cloud/containeranalysis');
const client = new ContainerAnalysisClient();

// Get path to Note
const formattedNote = client.notePath(projectId, noteId);

// Retrieves all the Occurrences associated with a specified Note
const [occurrences] = await client.getGrafeasClient().listNoteOccurrences({
  name: formattedNote,
});

if (occurrences.length) {
  console.log('Occurrences:');
  occurrences.forEach(occurrence => {
    console.log(`${occurrence.name}:`);
  });
} else {
  console.log('No occurrences found.');
}

Ruby

  # note_id    = "The identifier for the note to query"
  # project_id = "The Google Cloud project ID of the occurrences to retrieve"

  require "google/cloud/container_analysis"

  # Initialize the client
  client = Google::Cloud::ContainerAnalysis.container_analysis.grafeas_client

  name = client.note_path project: project_id, note: note_id
  count = 0
  client.list_note_occurrences(name: name).each do |occurrence|
    # Process occurrence here
    puts occurrence
    count += 1
  end
  puts "Found #{count} occurrences"
  count
end

def get_discovery_info resource_url:, project_id:
  # resource_url = "The URL of the resource associated with the occurrence."
  #                # e.g. https://gcr.io/project/image@sha256:123
  # project_id   = "The Google Cloud project ID of the occurrences to retrieve"

  require "google/cloud/container_analysis"

  # Initialize the client
  client = Google::Cloud::ContainerAnalysis.container_analysis.grafeas_client

  parent = client.project_path project: project_id
  filter = "kind = \"DISCOVERY\" AND resourceUrl = \"#{resource_url}\""
  client.list_occurrences(parent: parent, filter: filter).each do |occurrence|
    # Process discovery occurrence here
    puts occurrence
  end
end

def occurrence_pubsub subscription_id:, timeout_seconds:, project_id:
  # subscription_id = "A user-specified identifier for the new subscription"
  # timeout_seconds = "The number of seconds to listen for new Pub/Sub messages"
  # project_id      = "Your Google Cloud project ID"

  require "google/cloud/pubsub"

  pubsub = Google::Cloud::Pubsub.new project: project_id
  topic = pubsub.topic "container-analysis-occurrences-v1"
  subscription = topic.subscribe subscription_id

  count = 0
  subscriber = subscription.listen do |received_message|
    count += 1
    # Process incoming occurrence here
    puts "Message #{count}: #{received_message.data}"
    received_message.acknowledge!
  end
  subscriber.start
  # Wait for incomming occurrences
  sleep timeout_seconds
  subscriber.stop.wait!
  subscription.delete
  # Print and return the total number of Pub/Sub messages received
  puts "Total Messages Received: #{count}"
  count
end

# rubocop:disable Metrics/MethodLength

def poll_discovery_finished resource_url:, timeout_seconds:, project_id:
  # resource_url    = "The URL of the resource associated with the occurrence."
  #                   # e.g. https://gcr.io/project/image@sha256:123
  # timeout_seconds = "The number of seconds to wait for the discovery occurrence"
  # project_id      = "Your Google Cloud project ID"

  require "google/cloud/container_analysis"

  deadline = Time.now + timeout_seconds

  # Initialize the client
  client = Google::Cloud::ContainerAnalysis.container_analysis.grafeas_client
  parent = client.project_path project: project_id

  # Find the discovery occurrence using a filter string
  discovery_occurrence = nil
  while discovery_occurrence.nil?
    begin
      filter = "resourceUrl=\"#{resource_url}\" " \
               'AND noteProjectId="goog-analysis" ' \
               'AND noteId="PACKAGE_VULNERABILITY"'
      # The above filter isn't testable, since it looks for occurrences in a
      # locked down project. Fall back to a more permissive filter for testing
      filter = "kind = \"DISCOVERY\" AND resourceUrl = \"#{resource_url}\""
      # Only the discovery occurrence should be returned for the given filter
      discovery_occurrence = client.list_occurrences(parent: parent, filter: filter).first
    rescue StandardError # If there is an error, keep trying until the deadline
      puts "discovery occurrence not yet found"
    ensure
      # check for timeout
      sleep 1
      raise "Timeout while retrieving discovery occurrence." if Time.now > deadline
    end
  end

  # Wait for the discovery occurrence to enter a terminal state
  status = Grafeas::V1::DiscoveryOccurrence::AnalysisStatus::PENDING
  until [:FINISHED_SUCCESS, :FINISHED_FAILED, :FINISHED_UNSUPPORTED].include? status
    # Update occurrence
    begin
      updated = client.get_occurrence name: discovery_occurrence.name
      status = updated.discovery.analysis_status
    rescue StandardError # If there is an error, keep trying until the deadline
      puts "discovery occurrence not yet in terminal state"
    ensure
      # check for timeout
      sleep 1
      raise "Timeout while retrieving discovery occurrence." if Time.now > deadline
    end
  end
  puts "Found discovery occurrence #{updated.name}."
  puts "Status: #{updated.discovery.analysis_status}"
  updated
end

# rubocop:enable Metrics/MethodLength

def find_vulnerabilities_for_image resource_url:, project_id:
  # resource_url = "The URL of the resource associated with the occurrence
  #                e.g. https://gcr.io/project/image@sha256:123"
  # project_id   = "The Google Cloud project ID of the vulnerabilities to find"

  require "google/cloud/container_analysis"

  # Initialize the client
  client = Google::Cloud::ContainerAnalysis.container_analysis.grafeas_client

  parent = client.project_path project: project_id
  filter = "resourceUrl = \"#{resource_url}\" AND kind = \"VULNERABILITY\""
  client.list_occurrences parent: parent, filter: filter
end

def find_high_severity_vulnerabilities_for_image resource_url:, project_id:
  # resource_url       = "The URL of the resource associated with the occurrence."
  #                      # If you are using Google Container Registry
  #                      # e.g. https://gcr.io/project/repo/image@sha256:123
  #                      # If you are using Google Artifact Registry
  #                      # e.g. https://LOCATION-docker.pkg.dev/project/repo/image@sha256:123
  # project_id   = "The Google Cloud project ID of the vulnerabilities to find"

  require "google/cloud/container_analysis"

  # Initialize the client
  client = Google::Cloud::ContainerAnalysis.container_analysis.grafeas_client

  parent = client.project_path project: project_id
  filter = "resourceUrl = \"#{resource_url}\" AND kind = \"VULNERABILITY\""
  vulnerability_list = client.list_occurrences parent: parent, filter: filter
  # Filter the list to include only "high" and "critical" vulnerabilities
  vulnerability_list.select do |item|
    [:HIGH, :CRITICAL].include? item.vulnerability.effective_severity
  end
end

Python

from google.cloud.devtools import containeranalysis_v1


def get_occurrences_for_note(note_id: str, project_id: str) -> int:
    """Retrieves all the occurrences associated with a specified Note.
    Here, all occurrences are printed and counted."""
    # note_id = 'my-note'
    # project_id = 'my-gcp-project'

    client = containeranalysis_v1.ContainerAnalysisClient()
    grafeas_client = client.get_grafeas_client()
    note_name = f"projects/{project_id}/notes/{note_id}"

    response = grafeas_client.list_note_occurrences(name=note_name)
    count = 0
    for o in response:
        # do something with the retrieved occurrence
        # in this sample, we will simply count each one
        count += 1
    return count

Nächste Schritte

Eine Anleitung zum Aufrufen und Filtern von Hinweisen und Vorkommen für Container-Images finden Sie unter Sicherheitslücken-Vorkommen ansehen.
Eine Anleitung zum Einrichten von Benachrichtigungen finden Sie unter Pub/Sub-Benachrichtigungen.

Benutzerdefinierte Notizen und Vorkommnisse erstellen Mit Sammlungen den Überblick behalten Sie können Inhalte basierend auf Ihren Einstellungen speichern und kategorisieren.

Hinweise

Hinweise und Vorkommen für Projekte erstellen

Notizen erstellen

API

Java

Go

Node.js

Ruby

Python

Vorkommen für Notizen erstellen

API

Java

Go

Node.js

Ruby

Python

Alle Vorkommen für einen bestimmten Hinweis abrufen

API

Java

Go

Node.js

Ruby

Python

Nächste Schritte

Benutzerdefinierte Notizen und Vorkommnisse erstellen