建立自訂記事和事件

您可以選擇將自己的中繼資料提供給「Artifact Analysis」,以滿足特定業務需求。舉例來說,針對客戶的 Docker 容器提供安全管理服務的機構,可以使用 Artifact Analysis 儲存及擷取映像檔中與安全性相關的中繼資料。

請按照下列步驟,使用 Artifact Analysis API 為映像檔提供自訂安全漏洞中繼資料。您可以使用相同的操作說明,儲存及擷取 Artifact Analysis 支援的任何類型中繼資料

事前準備

  1. Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
  2. In the Google Cloud console, on the project selector page, select or create a Google Cloud project.

    Go to project selector

  3. Enable the Container Analysis API.

    Enable the API

  4. Install the Google Cloud CLI.

  5. If you're using an external identity provider (IdP), you must first sign in to the gcloud CLI with your federated identity.

  6. To initialize the gcloud CLI, run the following command:

    gcloud init
  7. In the Google Cloud console, on the project selector page, select or create a Google Cloud project.

    Go to project selector

  8. Enable the Container Analysis API.

    Enable the API

  9. Install the Google Cloud CLI.

  10. If you're using an external identity provider (IdP), you must first sign in to the gcloud CLI with your federated identity.

  11. To initialize the gcloud CLI, run the following command:

    gcloud init
  12. 瞭解如何為專案中的中繼資料設定存取權控管。如果您只使用由 Artifact Analysis 容器掃描建立的安全漏洞事件中繼資料,請略過這個步驟。
  13. 建立專案的註記和例項

    本節說明如何建立註記和事件。在本範例中,您將使用 VULNERABILITY 類型。

    供應商必須在專案中建立每種安全漏洞的註記,並在客戶的專案中建立這些安全漏洞的例項記錄。

    建立附註

    請按照下列步驟建立記事並指定記事 ID。

    API

    1. 建立名為 note.json 的檔案,其中含有安全漏洞的說明和詳細資料。以下程式碼為 note.json 檔案範例:

      {
          "shortDescription": "A brief Description of the note",
          "longDescription": "A longer description of the note",
          "kind": "VULNERABILITY",
          "vulnerability": {
              "details": [
              {
                  "affectedPackage": "libexempi3",
                  "affectedCpeUri": "cpe:/o:debian:debian_linux:7",
                  "affectedVersionStart": { "name": "2.5.7", "revision": "1", "kind": "MINIMUM"},
                  "affectedVersionEnd": { "name": "2.5.9", "revision": "1", "kind": "MINIMUM"},
              },
              {
                  "affectedCpeUri": "cpe:/o:debian:abc:10",
                  "affectedPackage": "anotherPackage",
              }
              ]
          }
      }
      

      如要進一步瞭解筆記的 JSON 表示法,請參閱 notes API 說明文件

    2. 執行下列 curl 指令建立記事:

      curl -v -H "Content-Type: application/json" -H \
        "Authorization: Bearer $(gcloud auth print-access-token)" \
        https://containeranalysis.googleapis.com/v1/projects/PROVIDER_PROJECT_ID/notes?note_id=NOTE_ID -d @note.json
      

      其中:

      • PROVIDER_PROJECT_ID 是您的專案 ID。
      • NOTE_ID 會指定筆記的 ID。使用長度上限為 100 個字元的字串。

    Java

    如要瞭解如何安裝及使用 Artifact Analysis 用戶端程式庫,請參閱「Artifact Analysis 用戶端程式庫」。詳情請參閱 Artifact Analysis Java API 參考說明文件

    如要向 Artifact Analysis 驗證,請設定應用程式預設憑證。詳情請參閱「為本機開發環境設定驗證機制」。

    import com.google.cloud.devtools.containeranalysis.v1.ContainerAnalysisClient;
    import io.grafeas.v1.GrafeasClient;
    import io.grafeas.v1.Note;
    import io.grafeas.v1.ProjectName;
    import io.grafeas.v1.Version;
    import io.grafeas.v1.VulnerabilityNote;
    import java.io.IOException;
    import java.lang.InterruptedException;
    
    
    public class CreateNote {
    
      // Creates and returns a new Note
      public static Note createNote(String noteId, String projectId)
          throws IOException, InterruptedException {
        // String noteId = "my-note";
        // String projectId = "my-project-id";
        final String projectName = ProjectName.format(projectId);
    
    
        Note newNote = Note.newBuilder()
            // Associate the Note with the metadata type
            // https://cloud.google.com/container-registry/docs/container-analysis#supported_metadata_types
            // Here, we use the type "vulnerability"
            .setVulnerability(VulnerabilityNote.newBuilder()
                .addDetails(VulnerabilityNote.Detail.newBuilder()
                    .setAffectedCpeUri("your-uri-here")
                    .setAffectedPackage("your-package-here")
                    .setAffectedVersionStart(Version.newBuilder()
                        .setKind(Version.VersionKind.MINIMUM))
                    .setAffectedVersionEnd(Version.newBuilder()
                        .setKind(Version.VersionKind.MAXIMUM))))
            .build();
    
        // Initialize client that will be used to send requests. After completing all of your requests, 
        // call the "close" method on the client to safely clean up any remaining background resources.
        GrafeasClient client = ContainerAnalysisClient.create().getGrafeasClient();
        Note result = client.createNote(projectName, noteId, newNote);
        return result;
      }
    }

    Go

    如要瞭解如何安裝及使用 Artifact Analysis 用戶端程式庫,請參閱「Artifact Analysis 用戶端程式庫」。詳情請參閱 Artifact Analysis Go API 參考說明文件

    如要向 Artifact Analysis 驗證,請設定應用程式預設憑證。詳情請參閱「為本機開發環境設定驗證機制」。

    
    import (
    	"context"
    	"fmt"
    
    	containeranalysis "cloud.google.com/go/containeranalysis/apiv1"
    	grafeaspb "google.golang.org/genproto/googleapis/grafeas/v1"
    )
    
    // createNote creates and returns a new vulnerability Note.
    func createNote(noteID, projectID string) (*grafeaspb.Note, error) {
    	ctx := context.Background()
    	client, err := containeranalysis.NewClient(ctx)
    	if err != nil {
    		return nil, fmt.Errorf("NewClient: %w", err)
    	}
    	defer client.Close()
    
    	projectName := fmt.Sprintf("projects/%s", projectID)
    
    	req := &grafeaspb.CreateNoteRequest{
    		Parent: projectName,
    		NoteId: noteID,
    		Note: &grafeaspb.Note{
    			Type: &grafeaspb.Note_Vulnerability{
    				// The 'Vulnerability' field can be modified to contain information about your vulnerability.
    				Vulnerability: &grafeaspb.VulnerabilityNote{
    					Details: []*grafeaspb.VulnerabilityNote_Detail{
    						{
    							AffectedCpeUri:  "your-uri-here",
    							AffectedPackage: "your-package-here",
    							AffectedVersionStart: &grafeaspb.Version{
    								Kind: grafeaspb.Version_MINIMUM,
    							},
    							AffectedVersionEnd: &grafeaspb.Version{
    								Kind: grafeaspb.Version_MAXIMUM,
    							},
    						},
    					},
    				},
    			},
    		},
    	}
    
    	return client.GetGrafeasClient().CreateNote(ctx, req)
    }
    

    Node.js

    如要瞭解如何安裝及使用 Artifact Analysis 用戶端程式庫,請參閱「Artifact Analysis 用戶端程式庫」。詳情請參閱 Artifact Analysis Node.js API 參考說明文件

    如要向 Artifact Analysis 驗證,請設定應用程式預設憑證。詳情請參閱「為本機開發環境設定驗證機制」。

    /**
     * TODO(developer): Uncomment these variables before running the sample
     */
    // const projectId = 'your-project-id', // Your GCP Project ID
    // const noteId = 'my-note-id' // Id of the note
    
    // Import the library and create a client
    const {ContainerAnalysisClient} = require('@google-cloud/containeranalysis');
    const client = new ContainerAnalysisClient();
    
    // Construct request
    // Associate the Note with a metadata type
    // https://cloud.google.com/container-registry/docs/container-analysis#supported_metadata_types
    // Here, we use the type "vulnerabiltity"
    const formattedParent = client.getGrafeasClient().projectPath(projectId);
    
    // Creates and returns a new Note
    const [note] = await client.getGrafeasClient().createNote({
      parent: formattedParent,
      noteId: noteId,
      note: {
        vulnerability: {
          details: [
            {
              affectedCpeUri: 'foo.uri',
              affectedPackage: 'foo',
              affectedVersionStart: {
                kind: 'MINIMUM',
              },
              affectedVersionEnd: {
                kind: 'MAXIMUM',
              },
            },
          ],
        },
      },
    });
    
    console.log(`Note ${note.name} created.`);

    Ruby

    如要瞭解如何安裝及使用 Artifact Analysis 用戶端程式庫,請參閱「Artifact Analysis 用戶端程式庫」。詳情請參閱 Artifact Analysis Ruby API 參考說明文件

    如要向 Artifact Analysis 驗證,請設定應用程式預設憑證。詳情請參閱「為本機開發環境設定驗證機制」。

    # note_id    = "A user-specified identifier for the note"
    # project_id = "Your Google Cloud project ID"
    
    require "google/cloud/container_analysis"
    
    # Initialize the client
    client = Google::Cloud::ContainerAnalysis.container_analysis.grafeas_client
    
    parent = client.project_path project: project_id
    note = {
      vulnerability: {
        details: [
          {
            affected_cpe_uri:       "your-uri-here",
            affected_package:       "your-package-here",
            affected_version_start: { kind: :MINIMUM },
            fixed_version:          { kind: :MAXIMUM }
          }
        ]
      }
    }
    response = client.create_note parent: parent, note_id: note_id, note: note
    puts response.name

    Python

    如要瞭解如何安裝及使用 Artifact Analysis 用戶端程式庫,請參閱「Artifact Analysis 用戶端程式庫」。詳情請參閱 Artifact Analysis Python API 參考說明文件

    如要向 Artifact Analysis 驗證,請設定應用程式預設憑證。詳情請參閱「為本機開發環境設定驗證機制」。

    from google.cloud.devtools import containeranalysis_v1
    from grafeas.grafeas_v1 import types, Version
    
    
    def create_note(note_id: str, project_id: str) -> types.grafeas.Note:
        """Creates and returns a new vulnerability note."""
        # note_id = 'my-note'
        # project_id = 'my-gcp-project'
    
        client = containeranalysis_v1.ContainerAnalysisClient()
        grafeas_client = client.get_grafeas_client()
        project_name = f"projects/{project_id}"
        note = {
            "vulnerability": {
                "details": [
                    {
                        "affected_cpe_uri": "your-uri-here",
                        "affected_package": "your-package-here",
                        "affected_version_start": {"kind": Version.VersionKind.MINIMUM},
                        "fixed_version": {"kind": Version.VersionKind.MAXIMUM},
                    }
                ]
            }
        }
        response = grafeas_client.create_note(
            parent=project_name, note_id=note_id, note=note
        )
        return response
    
    

    為註記建立例項

    如何為註記建立例項:

    API

    1. 建立名為 occurrence.json 的檔案,並在當中加入下列內容:

      {
          "resourceUri": "<resource_url>",
          "noteName": "projects/<provider-project-id>/notes/<note_id>",
          "kind": "VULNERABILITY",
          "vulnerability": {
              "packageIssue": [{
                 "affectedCpeUri": "cpe:/o:debian_linux:7",
                 "affectedPackage": "packageName",
                 "affectedVersion": {
                    "kind": "NORMAL",
                    "name": "8.1",
                    "revision": "3"
                 },
                 "fixedCpeUri": "cpe:/o:debian_linux:7",
                 "fixedPackage": "packageName",
                 "fixedVersion": {
                    "kind": "MAXIMUM"
                 }
              }]
              "severity": "LOW"
          }
      }
      

      其中:

      • resource_url 是與事件相關聯的資源網址,例如 https://us-central1-docker.pkg.dev/my-project/my-repository/my-image@sha256:123
      • note_id 會指定筆記的 ID。使用長度上限為 100 個半形字元的字串。

      如要進一步瞭解出現次數 JSON 表示法,請參閱 occurrences API 說明文件

    2. 執行下列 curl 指令,其中 CUSTOMER_PROJECT_ID 是客戶的專案 ID:

      curl -v -H "Content-Type: application/json" -H \
        "Authorization: Bearer $(gcloud auth print-access-token)" \
        https://containeranalysis.googleapis.com/v1/projects/CUSTOMER_PROJECT_ID/occurrences -d @occurrence.json
      

    Java

    如要瞭解如何安裝及使用 Artifact Analysis 用戶端程式庫,請參閱「Artifact Analysis 用戶端程式庫」。詳情請參閱 Artifact Analysis Java API 參考說明文件

    如要向 Artifact Analysis 驗證,請設定應用程式預設憑證。詳情請參閱「為本機開發環境設定驗證機制」。

    import com.google.cloud.devtools.containeranalysis.v1.ContainerAnalysisClient;
    import io.grafeas.v1.GrafeasClient;
    import io.grafeas.v1.NoteName;
    import io.grafeas.v1.Occurrence;
    import io.grafeas.v1.ProjectName;
    import io.grafeas.v1.Version;
    import io.grafeas.v1.VulnerabilityOccurrence;
    import io.grafeas.v1.VulnerabilityOccurrence.PackageIssue;
    import java.io.IOException;
    import java.lang.InterruptedException;
    
    public class CreateOccurrence {
      // Creates and returns a new vulnerability Occurrence associated with an existing Note
      public static Occurrence createOccurrence(String resourceUrl, String noteId, 
          String occProjectId, String noteProjectId) throws IOException, InterruptedException {
        // String resourceUrl = "https://gcr.io/project/image@sha256:123";
        // String noteId = "my-note";
        // String occProjectId = "my-project-id";
        // String noteProjectId = "my-project-id";
        final NoteName noteName = NoteName.of(noteProjectId, noteId);
        final String occProjectName = ProjectName.format(occProjectId);
    
        Occurrence newOcc = Occurrence.newBuilder()
            .setNoteName(noteName.toString())
            .setResourceUri(resourceUrl)
            .setVulnerability(VulnerabilityOccurrence.newBuilder()
                .addPackageIssue(PackageIssue.newBuilder()
                    .setAffectedCpeUri("your-uri-here")
                    .setAffectedPackage("your-package-here")
                    .setAffectedVersion(Version.newBuilder()
                        .setKind(Version.VersionKind.MINIMUM))
                    .setFixedVersion(Version.newBuilder()
                        .setKind(Version.VersionKind.MAXIMUM))))
            .build();
    
        // Initialize client that will be used to send requests. After completing all of your requests, 
        // call the "close" method on the client to safely clean up any remaining background resources.
        GrafeasClient client = ContainerAnalysisClient.create().getGrafeasClient();
        Occurrence result = client.createOccurrence(occProjectName, newOcc);
        return result;
      }
    }

    Go

    如要瞭解如何安裝及使用 Artifact Analysis 用戶端程式庫,請參閱「Artifact Analysis 用戶端程式庫」。詳情請參閱 Artifact Analysis Go API 參考說明文件

    如要向 Artifact Analysis 驗證,請設定應用程式預設憑證。詳情請參閱「為本機開發環境設定驗證機制」。

    
    import (
    	"context"
    	"fmt"
    
    	containeranalysis "cloud.google.com/go/containeranalysis/apiv1"
    	grafeaspb "google.golang.org/genproto/googleapis/grafeas/v1"
    )
    
    // createsOccurrence creates and returns a new Occurrence of a previously created vulnerability Note.
    func createOccurrence(resourceURL, noteID, occProjectID, noteProjectID string) (*grafeaspb.Occurrence, error) {
    	// Use this style of URL when you use Google Container Registry.
    	// resourceURL := "https://gcr.io/my-project/my-repo/my-image"
    	// Use this style of URL when you use Google Artifact Registry.
    	// resourceURL := "https://LOCATION-docker.pkg.dev/my-project/my-repo/my-image"
    	// noteID := "my-note"
    	ctx := context.Background()
    	client, err := containeranalysis.NewClient(ctx)
    	if err != nil {
    		return nil, fmt.Errorf("NewClient: %w", err)
    	}
    	defer client.Close()
    
    	req := &grafeaspb.CreateOccurrenceRequest{
    		Parent: fmt.Sprintf("projects/%s", occProjectID),
    		Occurrence: &grafeaspb.Occurrence{
    			NoteName: fmt.Sprintf("projects/%s/notes/%s", noteProjectID, noteID),
    			// Attach the occurrence to the associated resource uri.
    			ResourceUri: resourceURL,
    			// Details about the vulnerability instance can be added here.
    			Details: &grafeaspb.Occurrence_Vulnerability{
    				Vulnerability: &grafeaspb.VulnerabilityOccurrence{
    					PackageIssue: []*grafeaspb.VulnerabilityOccurrence_PackageIssue{
    						{
    							AffectedCpeUri:  "your-uri-here",
    							AffectedPackage: "your-package-here",
    							AffectedVersion: &grafeaspb.Version{
    								Kind: grafeaspb.Version_MINIMUM,
    							},
    							FixedVersion: &grafeaspb.Version{
    								Kind: grafeaspb.Version_MAXIMUM,
    							},
    						},
    					},
    				},
    			},
    		},
    	}
    	return client.GetGrafeasClient().CreateOccurrence(ctx, req)
    }
    

    Node.js

    如要瞭解如何安裝及使用 Artifact Analysis 用戶端程式庫,請參閱「Artifact Analysis 用戶端程式庫」。詳情請參閱 Artifact Analysis Node.js API 參考說明文件

    如要向 Artifact Analysis 驗證,請設定應用程式預設憑證。詳情請參閱「為本機開發環境設定驗證機制」。

    /**
     * TODO(developer): Uncomment these variables before running the sample
     */
    // const noteProjectId = 'your-project-id', // Your GCP Project Id
    // const noteId = 'my-note-id', // Id of the note
    // const occurrenceProjectId = 'your-project-id', // GCP Project Id of Occurrence
    // If you are using Google Container Registry
    // const imageUrl = 'https://gcr.io/my-project/my-repo/my-image:123' // Image to attach metadata to
    // If you are using Google Artifact Registry
    // const imageUrl = 'https://LOCATION-docker.pkg.dev/my-project/my-repo/my-image:123' // Image to attach metadata to
    
    // Import the library and create a client
    const {ContainerAnalysisClient} = require('@google-cloud/containeranalysis');
    const client = new ContainerAnalysisClient();
    
    // Construct request
    const formattedParent = client
      .getGrafeasClient()
      .projectPath(occurrenceProjectId);
    const formattedNote = client
      .getGrafeasClient()
      .notePath(noteProjectId, noteId);
    
    // Creates and returns a new Occurrence associated with an existing Note
    const [occurrence] = await client.getGrafeasClient().createOccurrence({
      parent: formattedParent,
      occurrence: {
        noteName: formattedNote,
        resourceUri: imageUrl,
        vulnerability: {
          packageIssue: [
            {
              affectedCpeUri: 'foo.uri',
              affectedPackage: 'foo',
              affectedVersion: {
                kind: 'MINIMUM',
              },
              fixedVersion: {
                kind: 'MAXIMUM',
              },
            },
          ],
        },
      },
    });
    console.log(`Occurrence created ${occurrence.name}.`);
    return occurrence;

    Ruby

    如要瞭解如何安裝及使用 Artifact Analysis 用戶端程式庫,請參閱「Artifact Analysis 用戶端程式庫」。詳情請參閱 Artifact Analysis Ruby API 參考說明文件

    如要向 Artifact Analysis 驗證,請設定應用程式預設憑證。詳情請參閱「為本機開發環境設定驗證機制」。

    # resource_url       = "The URL of the resource associated with the occurrence."
    #                      # If you are using Google Container Registry
    #                      # e.g. https://gcr.io/project/repo/image@sha256:123
    #                      # If you are using Google Artifact Registry
    #                      # e.g. https://LOCATION-docker.pkg.dev/project/repo/image@sha256:123
    # note_id            = "The identifier of the note associated with the occurrence"
    # occurrence_project = "The Google Cloud project ID for the new occurrence"
    # note_project       = "The Google Cloud project ID of the associated note"
    
    require "google/cloud/container_analysis"
    
    # Initialize the client
    client = Google::Cloud::ContainerAnalysis.container_analysis.grafeas_client
    note_path = client.note_path project: note_project, note: note_id
    project_path = client.project_path project: occurrence_project
    
    occurrence = {
      note_name:     note_path,
      resource_uri:  resource_url,
      vulnerability: {
        package_issue: [
          {
            affected_cpe_uri: "your-uri-here:",
            affected_package: "your-package-here",
            affected_version: { kind: :MINIMUM },
            fixed_version:    { kind: :MAXIMUM }
          }
        ]
      }
    }
    
    response = client.create_occurrence parent: project_path, occurrence: occurrence
    puts response.name

    Python

    如要瞭解如何安裝及使用 Artifact Analysis 用戶端程式庫,請參閱「Artifact Analysis 用戶端程式庫」。詳情請參閱 Artifact Analysis Python API 參考說明文件

    如要向 Artifact Analysis 驗證,請設定應用程式預設憑證。詳情請參閱「為本機開發環境設定驗證機制」。

    from google.cloud.devtools import containeranalysis_v1
    from grafeas.grafeas_v1 import types, Version
    
    
    def create_occurrence(
        resource_url: str, note_id: str, occurrence_project: str, note_project: str
    ) -> types.grafeas.Occurrence:
        """Creates and returns a new occurrence of a previously
        created vulnerability note."""
        # resource_url = 'https://gcr.io/my-project/my-image@sha256:123'
        # note_id = 'my-note'
        # occurrence_project = 'my-gcp-project'
        # note_project = 'my-gcp-project'
    
        client = containeranalysis_v1.ContainerAnalysisClient()
        grafeas_client = client.get_grafeas_client()
        formatted_note = f"projects/{note_project}/notes/{note_id}"
        formatted_project = f"projects/{occurrence_project}"
    
        occurrence = {
            "note_name": formatted_note,
            "resource_uri": resource_url,
            "vulnerability": {
                "package_issue": [
                    {
                        "affected_cpe_uri": "your-uri-here",
                        "affected_package": "your-package-here",
                        "affected_version": {"kind": Version.VersionKind.MINIMUM},
                        "fixed_version": {"kind": Version.VersionKind.MAXIMUM},
                    }
                ]
            },
        }
    
        return grafeas_client.create_occurrence(
            parent=formatted_project, occurrence=occurrence
        )
    
    

    取得特定註記的所有例項

    您可以使用 notes.occurrences.list() 查看客戶專案中特定安全漏洞的所有例項。

    API

    如要列出特定註記的所有例項,請傳送 GET 要求,如下所示:

    GET https://containeranalysis.googleapis.com/v1/projects/PROJECT_ID/notes/NOTE_ID/occurrences
    

    如要瞭解完整的詳細資訊,請參閱 projects.notes.occurrences.list API 端點。

    Java

    如要瞭解如何安裝及使用 Artifact Analysis 用戶端程式庫,請參閱「Artifact Analysis 用戶端程式庫」。詳情請參閱 Artifact Analysis Java API 參考說明文件

    如要向 Artifact Analysis 驗證,請設定應用程式預設憑證。詳情請參閱「為本機開發環境設定驗證機制」。

    import static java.lang.Thread.sleep;
    
    import com.google.cloud.devtools.containeranalysis.v1.ContainerAnalysisClient;
    import io.grafeas.v1.GrafeasClient;
    import io.grafeas.v1.ListNoteOccurrencesRequest;
    import io.grafeas.v1.NoteName;
    import io.grafeas.v1.Occurrence;
    import java.io.IOException;
    import java.lang.InterruptedException;
    
    public class OccurrencesForNote {  
      // Retrieves all the Occurrences associated with a specified Note
      // Here, all Occurrences are printed and counted
      public static int getOccurrencesForNote(String noteId, String projectId) 
          throws IOException, InterruptedException {
        // String noteId = "my-note";
        // String projectId = "my-project-id";
        final NoteName noteName = NoteName.of(projectId, noteId);
    
        ListNoteOccurrencesRequest request = ListNoteOccurrencesRequest.newBuilder()
                                                                       .setName(noteName.toString())
                                                                       .build();
    
        // Initialize client that will be used to send requests. After completing all of your requests, 
        // call the "close" method on the client to safely clean up any remaining background resources.
        GrafeasClient client = ContainerAnalysisClient.create().getGrafeasClient();
        int i = 0;
        for (Occurrence o : client.listNoteOccurrences(request).iterateAll()) {
          // Write custom code to process each Occurrence here
          System.out.println(o.getName());
          i = i + 1;
        }
        return i;
      }
    }

    Go

    如要瞭解如何安裝及使用 Artifact Analysis 用戶端程式庫,請參閱「Artifact Analysis 用戶端程式庫」。詳情請參閱 Artifact Analysis Go API 參考說明文件

    如要向 Artifact Analysis 驗證,請設定應用程式預設憑證。詳情請參閱「為本機開發環境設定驗證機制」。

    
    import (
    	"context"
    	"fmt"
    	"io"
    
    	containeranalysis "cloud.google.com/go/containeranalysis/apiv1"
    	"google.golang.org/api/iterator"
    	grafeaspb "google.golang.org/genproto/googleapis/grafeas/v1"
    )
    
    // getOccurrencesForNote retrieves all the Occurrences associated with a specified Note.
    // Here, all Occurrences are printed and counted.
    func getOccurrencesForNote(w io.Writer, noteID, projectID string) (int, error) {
    	// noteID := fmt.Sprintf("my-note")
    	ctx := context.Background()
    	client, err := containeranalysis.NewClient(ctx)
    	if err != nil {
    		return -1, fmt.Errorf("NewClient: %w", err)
    	}
    	defer client.Close()
    
    	req := &grafeaspb.ListNoteOccurrencesRequest{
    		Name: fmt.Sprintf("projects/%s/notes/%s", projectID, noteID),
    	}
    	it := client.GetGrafeasClient().ListNoteOccurrences(ctx, req)
    	count := 0
    	for {
    		occ, err := it.Next()
    		if err == iterator.Done {
    			break
    		}
    		if err != nil {
    			return -1, fmt.Errorf("occurrence iteration error: %w", err)
    		}
    		// Write custom code to process each Occurrence here.
    		fmt.Fprintln(w, occ)
    		count = count + 1
    	}
    	return count, nil
    }
    

    Node.js

    如要瞭解如何安裝及使用 Artifact Analysis 用戶端程式庫,請參閱「Artifact Analysis 用戶端程式庫」。詳情請參閱 Artifact Analysis Node.js API 參考說明文件

    如要向 Artifact Analysis 驗證,請設定應用程式預設憑證。詳情請參閱「為本機開發環境設定驗證機制」。

    /**
     * TODO(developer): Uncomment these variables before running the sample
     */
    // const projectId = 'your-project-id', // Your GCP Project ID
    // const noteId = 'my-note-id' // Id of the note
    
    // Import the library and create a client
    const {ContainerAnalysisClient} = require('@google-cloud/containeranalysis');
    const client = new ContainerAnalysisClient();
    
    // Get path to Note
    const formattedNote = client.notePath(projectId, noteId);
    
    // Retrieves all the Occurrences associated with a specified Note
    const [occurrences] = await client.getGrafeasClient().listNoteOccurrences({
      name: formattedNote,
    });
    
    if (occurrences.length) {
      console.log('Occurrences:');
      occurrences.forEach(occurrence => {
        console.log(`${occurrence.name}:`);
      });
    } else {
      console.log('No occurrences found.');
    }

    Ruby

    如要瞭解如何安裝及使用 Artifact Analysis 用戶端程式庫,請參閱「Artifact Analysis 用戶端程式庫」。詳情請參閱 Artifact Analysis Ruby API 參考說明文件

    如要向 Artifact Analysis 驗證,請設定應用程式預設憑證。詳情請參閱「為本機開發環境設定驗證機制」。

      # note_id    = "The identifier for the note to query"
      # project_id = "The Google Cloud project ID of the occurrences to retrieve"
    
      require "google/cloud/container_analysis"
    
      # Initialize the client
      client = Google::Cloud::ContainerAnalysis.container_analysis.grafeas_client
    
      name = client.note_path project: project_id, note: note_id
      count = 0
      client.list_note_occurrences(name: name).each do |occurrence|
        # Process occurrence here
        puts occurrence
        count += 1
      end
      puts "Found #{count} occurrences"
      count
    end
    
    def get_discovery_info resource_url:, project_id:
      # resource_url = "The URL of the resource associated with the occurrence."
      #                # e.g. https://gcr.io/project/image@sha256:123
      # project_id   = "The Google Cloud project ID of the occurrences to retrieve"
    
      require "google/cloud/container_analysis"
    
      # Initialize the client
      client = Google::Cloud::ContainerAnalysis.container_analysis.grafeas_client
    
      parent = client.project_path project: project_id
      filter = "kind = \"DISCOVERY\" AND resourceUrl = \"#{resource_url}\""
      client.list_occurrences(parent: parent, filter: filter).each do |occurrence|
        # Process discovery occurrence here
        puts occurrence
      end
    end
    
    def occurrence_pubsub subscription_id:, timeout_seconds:, project_id:
      # subscription_id = "A user-specified identifier for the new subscription"
      # timeout_seconds = "The number of seconds to listen for new Pub/Sub messages"
      # project_id      = "Your Google Cloud project ID"
    
      require "google/cloud/pubsub"
    
      pubsub = Google::Cloud::Pubsub.new project: project_id
      topic = pubsub.topic "container-analysis-occurrences-v1"
      subscription = topic.subscribe subscription_id
    
      count = 0
      subscriber = subscription.listen do |received_message|
        count += 1
        # Process incoming occurrence here
        puts "Message #{count}: #{received_message.data}"
        received_message.acknowledge!
      end
      subscriber.start
      # Wait for incomming occurrences
      sleep timeout_seconds
      subscriber.stop.wait!
      subscription.delete
      # Print and return the total number of Pub/Sub messages received
      puts "Total Messages Received: #{count}"
      count
    end
    
    # rubocop:disable Metrics/MethodLength
    
    def poll_discovery_finished resource_url:, timeout_seconds:, project_id:
      # resource_url    = "The URL of the resource associated with the occurrence."
      #                   # e.g. https://gcr.io/project/image@sha256:123
      # timeout_seconds = "The number of seconds to wait for the discovery occurrence"
      # project_id      = "Your Google Cloud project ID"
    
      require "google/cloud/container_analysis"
    
      deadline = Time.now + timeout_seconds
    
      # Initialize the client
      client = Google::Cloud::ContainerAnalysis.container_analysis.grafeas_client
      parent = client.project_path project: project_id
    
      # Find the discovery occurrence using a filter string
      discovery_occurrence = nil
      while discovery_occurrence.nil?
        begin
          filter = "resourceUrl=\"#{resource_url}\" " \
                   'AND noteProjectId="goog-analysis" ' \
                   'AND noteId="PACKAGE_VULNERABILITY"'
          # The above filter isn't testable, since it looks for occurrences in a
          # locked down project. Fall back to a more permissive filter for testing
          filter = "kind = \"DISCOVERY\" AND resourceUrl = \"#{resource_url}\""
          # Only the discovery occurrence should be returned for the given filter
          discovery_occurrence = client.list_occurrences(parent: parent, filter: filter).first
        rescue StandardError # If there is an error, keep trying until the deadline
          puts "discovery occurrence not yet found"
        ensure
          # check for timeout
          sleep 1
          raise "Timeout while retrieving discovery occurrence." if Time.now > deadline
        end
      end
    
      # Wait for the discovery occurrence to enter a terminal state
      status = Grafeas::V1::DiscoveryOccurrence::AnalysisStatus::PENDING
      until [:FINISHED_SUCCESS, :FINISHED_FAILED, :FINISHED_UNSUPPORTED].include? status
        # Update occurrence
        begin
          updated = client.get_occurrence name: discovery_occurrence.name
          status = updated.discovery.analysis_status
        rescue StandardError # If there is an error, keep trying until the deadline
          puts "discovery occurrence not yet in terminal state"
        ensure
          # check for timeout
          sleep 1
          raise "Timeout while retrieving discovery occurrence." if Time.now > deadline
        end
      end
      puts "Found discovery occurrence #{updated.name}."
      puts "Status: #{updated.discovery.analysis_status}"
      updated
    end
    
    # rubocop:enable Metrics/MethodLength
    
    def find_vulnerabilities_for_image resource_url:, project_id:
      # resource_url = "The URL of the resource associated with the occurrence
      #                e.g. https://gcr.io/project/image@sha256:123"
      # project_id   = "The Google Cloud project ID of the vulnerabilities to find"
    
      require "google/cloud/container_analysis"
    
      # Initialize the client
      client = Google::Cloud::ContainerAnalysis.container_analysis.grafeas_client
    
      parent = client.project_path project: project_id
      filter = "resourceUrl = \"#{resource_url}\" AND kind = \"VULNERABILITY\""
      client.list_occurrences parent: parent, filter: filter
    end
    
    def find_high_severity_vulnerabilities_for_image resource_url:, project_id:
      # resource_url       = "The URL of the resource associated with the occurrence."
      #                      # If you are using Google Container Registry
      #                      # e.g. https://gcr.io/project/repo/image@sha256:123
      #                      # If you are using Google Artifact Registry
      #                      # e.g. https://LOCATION-docker.pkg.dev/project/repo/image@sha256:123
      # project_id   = "The Google Cloud project ID of the vulnerabilities to find"
    
      require "google/cloud/container_analysis"
    
      # Initialize the client
      client = Google::Cloud::ContainerAnalysis.container_analysis.grafeas_client
    
      parent = client.project_path project: project_id
      filter = "resourceUrl = \"#{resource_url}\" AND kind = \"VULNERABILITY\""
      vulnerability_list = client.list_occurrences parent: parent, filter: filter
      # Filter the list to include only "high" and "critical" vulnerabilities
      vulnerability_list.select do |item|
        [:HIGH, :CRITICAL].include? item.vulnerability.effective_severity
      end
    end
    

    Python

    如要瞭解如何安裝及使用 Artifact Analysis 用戶端程式庫,請參閱「Artifact Analysis 用戶端程式庫」。詳情請參閱 Artifact Analysis Python API 參考說明文件

    如要向 Artifact Analysis 驗證,請設定應用程式預設憑證。詳情請參閱「為本機開發環境設定驗證機制」。

    from google.cloud.devtools import containeranalysis_v1
    
    
    def get_occurrences_for_note(note_id: str, project_id: str) -> int:
        """Retrieves all the occurrences associated with a specified Note.
        Here, all occurrences are printed and counted."""
        # note_id = 'my-note'
        # project_id = 'my-gcp-project'
    
        client = containeranalysis_v1.ContainerAnalysisClient()
        grafeas_client = client.get_grafeas_client()
        note_name = f"projects/{project_id}/notes/{note_id}"
    
        response = grafeas_client.list_note_occurrences(name=note_name)
        count = 0
        for o in response:
            # do something with the retrieved occurrence
            # in this sample, we will simply count each one
            count += 1
        return count
    
    

    後續步驟