1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
|
// Copyright (C) 2023 The Android Open Source Project
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
syntax = "proto2";
package metadata_file;
// Proto definition of METADATA files of packages in AOSP codebase.
message Metadata {
// Name of the package.
optional string name = 1;
// A short description (a few lines) of the package.
// Example: "Handles location lookups, throttling, batching, etc."
optional string description = 2;
// Specifies additional data about third-party packages.
optional ThirdParty third_party = 3;
}
message ThirdParty {
// URL(s) associated with the package.
//
// At a minimum, all packages must specify a URL which identifies where it
// came from, containing a type of: ARCHIVE, GIT or OTHER. Typically,
// a package should contain only a single URL from these types. Occasionally,
// a package may be broken across multiple archive files for whatever reason,
// in which case having multiple ARCHIVE URLs is okay. However, this should
// not be used to combine different logical packages that are versioned and
// possibly licensed differently.
repeated URL url = 1;
// The package version. In order of preference, this should contain:
// - If the package comes from Git or another source control system,
// a specific tag or revision in source control, such as "r123" or
// "58e27d2". This MUST NOT be a mutable ref such as a branch name.
// - a released package version such as "1.0", "2.3-beta", etc.
// - the date the package was retrieved, formatted as "As of YYYY-MM-DD".
optional string version = 2;
// The date of the change in which the package was last upgraded from
// upstream.
// This should only identify package upgrades from upstream, not local
// modifications. This may identify the date of either the original or
// merged change.
//
// Note: this is NOT the date that this version of the package was released
// externally.
optional Date last_upgrade_date = 3;
// License type that identifies how the package may be used.
optional LicenseType license_type = 4;
// An additional note explaining the licensing of this package. This is most
// commonly used with commercial license.
optional string license_note = 5;
// Description of local changes that have been made to the package. This does
// not need to (and in most cases should not) attempt to include an exhaustive
// list of all changes, but may instead direct readers to review the local
// commit history, a collection of patch files, a separate README.md (or
// similar) document, etc.
// Note: Use of this field to store IDs of advisories fixed with a backported
// patch is deprecated, use "security.mitigated_security_patch" instead.
optional string local_modifications = 6;
// Security related metadata including risk category and any special
// instructions for using the package, as determined by an ISE-TPS review.
optional Security security = 7;
// The type of directory this metadata represents.
optional DirectoryType type = 8 [default = PACKAGE];
// The homepage for the package. This will eventually replace
// `url { type: HOMEPAGE }`
optional string homepage = 9;
// SBOM information of the package. It is mandatory for prebuilt packages.
oneof sbom {
// Reference to external SBOM document provided as URL.
SBOMRef sbom_ref = 10;
}
// Identifiers for the package.
repeated Identifier identifier = 11;
}
// URL associated with a third-party package.
message URL {
enum Type {
// The homepage for the package. For example, "https://bazel.io/". This URL
// is optional, but encouraged to help disambiguate similarly named packages
// or to get more information about the package. This is especially helpful
// when no other URLs provide human readable resources (such as git:// or
// sso:// URLs).
HOMEPAGE = 1;
// The URL of the archive containing the source code for the package, for
// example a zip or tgz file.
ARCHIVE = 2;
// The URL of the upstream git repository this package is retrieved from.
// For example:
// - https://github.com/git/git.git
// - git://git.kernel.org/pub/scm/git/git.git
//
// Use of a git URL requires that the package "version" value must specify a
// specific git tag or revision.
GIT = 3;
// The URL of the upstream SVN repository this package is retrieved from.
// For example:
// - http://llvm.org/svn/llvm-project/llvm/
//
// Use of an SVN URL requires that the package "version" value must specify
// a specific SVN tag or revision.
SVN = 4;
// The URL of the upstream mercurial repository this package is retrieved
// from. For example:
// - https://mercurial-scm.org/repo/evolve
//
// Use of a mercurial URL requires that the package "version" value must
// specify a specific tag or revision.
HG = 5;
// The URL of the upstream darcs repository this package is retrieved
// from. For example:
// - https://hub.darcs.net/hu.dwim/hu.dwim.util
//
// Use of a DARCS URL requires that the package "version" value must
// specify a specific tag or revision.
DARCS = 6;
PIPER = 7;
// A URL that does not fit any other type. This may also indicate that the
// source code was received via email or some other out-of-band way. This is
// most commonly used with commercial software received directly from the
// vendor. In the case of email, the URL value can be used to provide
// additional information about how it was received.
OTHER = 8;
// The URL identifying where the local copy of the package source code can
// be found.
//
// Typically, the metadata files describing a package reside in the same
// directory as the source code for the package. In a few rare cases where
// they are separate, the LOCAL_SOURCE URL identifies where to find the
// source code. This only describes where to find the local copy of the
// source; there should always be an additional URL describing where the
// package was retrieved from.
//
// Examples:
// - https://android.googlesource.com/platform/external/apache-http/
LOCAL_SOURCE = 9;
}
// The type of resource this URL identifies.
optional Type type = 1;
// The actual URL value. URLs should be absolute and start with 'http://' or
// 'https://' (or occasionally 'git://' or 'ftp://' where appropriate).
optional string value = 2;
}
// License type that identifies how the packages may be used.
enum LicenseType {
BY_EXCEPTION_ONLY = 1;
NOTICE = 2;
PERMISSIVE = 3;
RECIPROCAL = 4;
RESTRICTED_IF_STATICALLY_LINKED = 5;
RESTRICTED = 6;
UNENCUMBERED = 7;
}
// Identifies security related metadata including risk category and any special
// instructions for using the package.
message Security {
// Security risk category for a package, as determined by an ISE-TPS review.
enum Category {
CATEGORY_UNSPECIFIED = 0;
// Package should only be used in a sandboxed environment.
// Package should have restricted visibility.
SANDBOXED_ONLY = 1;
// Package should not be used to process user content. It is considered
// safe to use to process trusted data only. Package should have restricted
// visibility.
TRUSTED_DATA_ONLY = 2;
// Package is considered safe to use.
REVIEWED_AND_SECURE = 3;
}
// Identifies the security risk category for the package. This will be
// provided by the ISE-TPS team as the result of a security review of the
// package.
optional Category category = 1;
// An additional security note for the package.
optional string note = 2;
// Text tag to categorize the package. It's currently used by security to:
// - to disable OSV (https://osv.dev)
// support via the `OSV:disable` tag
// - to attach CPE to their corresponding packages, for vulnerability
// monitoring:
//
// Please do document your usecase here should you want to add one.
repeated string tag = 3;
// ID of advisories fixed with a mitigated patch, for example CVE-2018-1111.
repeated string mitigated_security_patch = 4;
}
enum DirectoryType {
UNDEFINED = 0;
// This directory represents a package.
PACKAGE = 1;
// This directory is designed to organize multiple third-party PACKAGE
// directories.
GROUP = 2;
// This directory contains several PACKAGE directories representing
// different versions of the same third-party project.
VERSIONS = 3;
}
// Represents a whole or partial calendar date, such as a birthday. The time of
// day and time zone are either specified elsewhere or are insignificant. The
// date is relative to the Gregorian Calendar. This can represent one of the
// following:
//
// * A full date, with non-zero year, month, and day values.
// * A month and day, with a zero year (for example, an anniversary).
// * A year on its own, with a zero month and a zero day.
// * A year and month, with a zero day (for example, a credit card expiration
// date).
message Date {
// Year of the date. Must be from 1 to 9999, or 0 to specify a date without
// a year.
optional int32 year = 1;
// Month of a year. Must be from 1 to 12, or 0 to specify a year without a
// month and day.
optional int32 month = 2;
// Day of a month. Must be from 1 to 31 and valid for the year and month, or 0
// to specify a year by itself or a year and month where the day isn't
// significant.
optional int32 day = 3;
}
// Reference to external SBOM document and element corresponding to the package.
// See https://spdx.github.io/spdx-spec/v2.3/document-creation-information/#66-external-document-references-field
message SBOMRef {
// The URL that points to the SBOM document of the upstream package of this
// third_party package.
optional string url = 1;
// Checksum of the SBOM document the url field points to.
// Format: e.g. SHA1:<checksum>, or any algorithm defined in
// https://spdx.github.io/spdx-spec/v2.3/file-information/#8.4
optional string checksum = 2;
// SPDXID of the upstream package/file defined in the SBOM document the url field points to.
// Format: SPDXRef-[a-zA-Z0-9.-]+, see
// https://spdx.github.io/spdx-spec/v2.3/package-information/#72-package-spdx-identifier-field or
// https://spdx.github.io/spdx-spec/v2.3/file-information/#82-file-spdx-identifier-field
optional string element_id = 3;
}
// Identifier for a third-party package.
// See go/tp-metadata-id.
message Identifier {
// The type of the identifier. Either an "ecosystem" value from
// https://ossf.github.io/osv-schema/#affectedpackage-field such as "Go",
// "npm" or "PyPI". The "value" and "version" fields follow the same rules as
// defined in the OSV spec.
// Or one of:
// - "Git": The "value" field is the URL of the upstream git repository this
// package is retrieved from.
// For example:
// - https://github.com/git/git
// - git://git.kernel.org/pub/scm/git/git
//
// Use of a git URL requires that the package "version" value must specify a
// specific git tag or revision. This must not be a branch name.
//
// - "SVN": The "value" field is the URL of the upstream SVN repository this
// package is retrieved from.
// For example:
// - http://llvm.org/svn/llvm-project/llvm/
//
// Use of an SVN URL requires that the package "version" value must specify
// a specific SVN tag or revision. This must not be a branch name.
//
// - "Hg": The "value" field is the URL of the upstream mercurial repository
// this package is retrieved from.
// For example:
// - https://mercurial-scm.org/repo/evolve
//
// Use of a mercurial URL requires that the package "version" value must
// specify a specific tag or revision. This must not be a branch name.
//
// - "Darcs": the "value" field is the URL of the upstream darcs repository
// this package is retrieved from.
// For example:
// - https://hub.darcs.net/hu.dwim/hu.dwim.util
//
// Use of a Darcs URL requires that the package "version" value must
// specify a specific tag or revision. This must not be a branch name.
//
// - "Piper": The "value" field is the URL of the upstream piper location.
// This is primarily used when a package is being migrated into third_party
// from elsewhere in Piper, or when a package is being newly developed in
// third_party.
//
// - "VCS": This is a generic fallback for an unlisted VCS system. The
// "value" field is the URL of the repository for this VCS.
//
// - "Archive": The "value" field is the URL of the archive containing the
// source code for the package, for example a zip or tgz file.
//
// - "PrebuiltByAlphabet": This type should be used for archives of primarily
// Google-owned source code (may contain non-Google-owned dependencies),
// which has been built using production Google infrastructure, and copied
// into Android. The "value" field is the URL of the prebuilt artifact or
// the relative path of the artifact to the root of a package.
// Example:
// identifier {
// type: "PrebuiltByAlphabet",
// version: "1",
// value: "v1/arm84_hdpi.apk",
// }
// identifier {
// type: "PrebuiltByAlphabet",
// version: "2",
// value: "v2/x86_64_xhdpi.apk",
// }
//
// - "LocalSource": The "value" field is the URL identifying where the local
// copy of the package source code can be found.
// Examples:
// - https://android.googlesource.com/platform/external/apache-http/
//
// Typically, the metadata files describing a package reside in the same
// directory as the source code for the package. In a few rare cases where
// they are separate, the LocalSource URL identifies where to find the
// source code. This only describes where to find the local copy of the
// source; there should always be an additional URL describing where the
// package was retrieved from.
//
// - "Other": An identifier that does not fit any other type. This may also
// indicate that the Source code was received via email or some other
// out-of-band way. This is most commonly used with commercial software
// received directly from the Vendor. In the case of email, the "value" field
// can be used to provide additional information about how it was received.
optional string type = 1;
// A human readable string to indicate why a third-package package does not
// have this identifier type set.
// Example:
// identifier {
// type: "PyPI"
// omission_reason: "Only on Git. Not published to PyPI."
// }
optional string omission_reason = 2;
// The value of the package identifier as defined by the "type".
// Example:
// identifier {
// type: "PyPI"
// value: "django"
// version: "3.2.8"
// }
optional string value = 3;
// The version associated with this package as defined by the "type".
// Example:
// identifier {
// type: "PyPI"
// value: "django"
// version: "3.2.8"
// }
optional string version = 4;
// The closest version associated with this package as defined by the "type".
// This should only be set by automated infrastructure by applying automated
// heuristics, such as the closest git tag or package version from a package
// manifest file (e.g. pom.xml).
//
// For most identifier types, only one of `version` or `closest_version`
// should be set (not both). The exception is source repository types such as
// "Git", where `version` will refer to a git commit, and `closest_version`
// refers to a git tag.
// Example:
// identifier {
// type: "Git",
// value: "https://github.com/my/repo"
// version: "e5fa44f2b31c1fb553b6021e7360d07d5d91ff5e"
// closest_version: "v1.4"
// }
optional string closest_version = 5;
// When `true`, this Identifier represents the location from which the source
// code for this package was originally obtained. This should only be set for
// *one* Identifier in a third_party package's METADATA.
// For external packages, this is typically for the Identifier associated
// with the version control system or package manager that was used to
// check out or download the code.
optional bool primary_source = 6;
}
|
