Container Analysis API . projects . occurrences

Instance Methods

batchCreate(parent, body=None, x__xgafv=None)

Creates new occurrences in batch.

create(parent, body=None, x__xgafv=None)

Creates a new occurrence.

delete(name, x__xgafv=None)

Deletes the specified occurrence. For example, use this method to delete an

get(name, x__xgafv=None)

Gets the specified occurrence.

getIamPolicy(resource, body=None, x__xgafv=None)

Gets the access control policy for a note or an occurrence resource.

getNotes(name, x__xgafv=None)

Gets the note attached to the specified occurrence. Consumer projects can

getVulnerabilitySummary(parent, x__xgafv=None, filter=None)

Gets a summary of the number and severity of occurrences.

list(parent, pageSize=None, pageToken=None, x__xgafv=None, filter=None)

Lists occurrences for the specified project.

list_next(previous_request, previous_response)

Retrieves the next page of results.

patch(name, body=None, updateMask=None, x__xgafv=None)

Updates the specified occurrence.

setIamPolicy(resource, body=None, x__xgafv=None)

Sets the access control policy on the specified note or occurrence.

testIamPermissions(resource, body=None, x__xgafv=None)

Returns the permissions that a caller has on the specified note or

Method Details

batchCreate(parent, body=None, x__xgafv=None)
Creates new occurrences in batch.

Args:
  parent: string, Required. The name of the project in the form of `projects/[PROJECT_ID]`, under which
the occurrences are to be created. (required)
  body: object, The request body.
    The object takes the form of:

{ # Request to create occurrences in batch.
    "occurrences": [ # Required. The occurrences to create. Max allowed length is 1000.
      { # An instance of an analysis type that has been found on a resource.
        "updateTime": "A String", # Output only. The time this occurrence was last updated.
        "resource": { # An entity that can have metadata. For example, a Docker image. # Required. Immutable. The resource for which the occurrence applies.
          "contentHash": { # Container message for hash values. # Deprecated, do not use. Use uri instead.
              #
              # The hash of the resource content. For example, the Docker digest.
            "type": "A String", # Required. The type of hash that was performed.
            "value": "A String", # Required. The hash value.
          },
          "name": "A String", # Deprecated, do not use. Use uri instead.
              #
              # The name of the resource. For example, the name of a Docker image -
              # "Debian".
          "uri": "A String", # Required. The unique URI of the resource. For example,
              # `https://gcr.io/project/image@sha256:foo` for a Docker image.
        },
        "name": "A String", # Output only. The name of the occurrence in the form of
            # `projects/[PROJECT_ID]/occurrences/[OCCURRENCE_ID]`.
        "vulnerability": { # Details of a vulnerability Occurrence. # Describes a security vulnerability.
          "cvssScore": 3.14, # Output only. The CVSS score of this vulnerability. CVSS score is on a
              # scale of 0-10 where 0 indicates low severity and 10 indicates high
              # severity.
          "severity": "A String", # Output only. The note provider assigned Severity of the vulnerability.
          "type": "A String", # The type of package; whether native or non native(ruby gems, node.js
              # packages etc)
          "effectiveSeverity": "A String", # The distro assigned severity for this vulnerability when it is
              # available, and note provider assigned severity when distro has not yet
              # assigned a severity for this vulnerability.
          "relatedUrls": [ # Output only. URLs related to this vulnerability.
            { # Metadata for any related URL information.
              "url": "A String", # Specific URL associated with the resource.
              "label": "A String", # Label to describe usage of the URL.
            },
          ],
          "packageIssue": [ # Required. The set of affected locations and their fixes (if available)
              # within the associated resource.
            { # This message wraps a location affected by a vulnerability and its
                # associated fix (if one is available).
              "severityName": "A String", # Deprecated, use Details.effective_severity instead
                  # The severity (e.g., distro assigned severity) for this vulnerability.
              "affectedLocation": { # The location of the vulnerability. # Required. The location of the vulnerability.
                "cpeUri": "A String", # Required. The CPE URI in [cpe format](https://cpe.mitre.org/specification/)
                    # format. Examples include distro or storage location for vulnerable jar.
                "version": { # Version contains structured information about the version of a package. # Required. The version of the package being described.
                  "epoch": 42, # Used to correct mistakes in the version numbering scheme.
                  "kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal
                      # versions.
                  "name": "A String", # Required only when version kind is NORMAL. The main part of the version
                      # name.
                  "revision": "A String", # The iteration of the package build from the above version.
                },
                "package": "A String", # Required. The package being described.
              },
              "fixedLocation": { # The location of the vulnerability. # The location of the available fix for vulnerability.
                "cpeUri": "A String", # Required. The CPE URI in [cpe format](https://cpe.mitre.org/specification/)
                    # format. Examples include distro or storage location for vulnerable jar.
                "version": { # Version contains structured information about the version of a package. # Required. The version of the package being described.
                  "epoch": 42, # Used to correct mistakes in the version numbering scheme.
                  "kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal
                      # versions.
                  "name": "A String", # Required only when version kind is NORMAL. The main part of the version
                      # name.
                  "revision": "A String", # The iteration of the package build from the above version.
                },
                "package": "A String", # Required. The package being described.
              },
            },
          ],
          "longDescription": "A String", # Output only. A detailed description of this vulnerability.
          "shortDescription": "A String", # Output only. A one sentence description of this vulnerability.
        },
        "kind": "A String", # Output only. This explicitly denotes which of the occurrence details are
            # specified. This field can be used as a filter in list requests.
        "discovered": { # Details of a discovery occurrence. # Describes when a resource was discovered.
          "discovered": { # Provides information about the analysis status of a discovered resource. # Required. Analysis status for the discovered resource.
            "lastAnalysisTime": "A String", # The last time continuous analysis was done for this resource.
                # Deprecated, do not use.
            "analysisStatus": "A String", # The status of discovery for the resource.
            "continuousAnalysis": "A String", # Whether the resource is continuously analyzed.
            "analysisStatusError": { # The `Status` type defines a logical error model that is suitable for # When an error is encountered this will contain a LocalizedMessage under
                # details to show to the user. The LocalizedMessage is output only and
                # populated by the API.
                # different programming environments, including REST APIs and RPC APIs. It is
                # used by [gRPC](https://github.com/grpc). Each `Status` message contains
                # three pieces of data: error code, error message, and error details.
                #
                # You can find out more about this error model and how to work with it in the
                # [API Design Guide](https://cloud.google.com/apis/design/errors).
              "message": "A String", # A developer-facing error message, which should be in English. Any
                  # user-facing error message should be localized and sent in the
                  # google.rpc.Status.details field, or localized by the client.
              "code": 42, # The status code, which should be an enum value of google.rpc.Code.
              "details": [ # A list of messages that carry the error details.  There is a common set of
                  # message types for APIs to use.
                {
                  "a_key": "", # Properties of the object. Contains field @type with type URL.
                },
              ],
            },
          },
        },
        "attestation": { # Details of an attestation occurrence. # Describes an attestation of an artifact.
          "attestation": { # Occurrence that represents a single "attestation". The authenticity of an # Required. Attestation for the resource.
              # attestation can be verified using the attached signature. If the verifier
              # trusts the public key of the signer, then verifying the signature is
              # sufficient to establish trust. In this circumstance, the authority to which
              # this attestation is attached is primarily useful for look-up (how to find
              # this attestation if you already know the authority and artifact to be
              # verified) and intent (which authority was this attestation intended to sign
              # for).
            "pgpSignedAttestation": { # An attestation wrapper with a PGP-compatible signature. This message only # A PGP signed attestation.
                # supports `ATTACHED` signatures, where the payload that is signed is included
                # alongside the signature itself in the same file.
              "pgpKeyId": "A String", # The cryptographic fingerprint of the key used to generate the signature,
                  # as output by, e.g. `gpg --list-keys`. This should be the version 4, full
                  # 160-bit fingerprint, expressed as a 40 character hexidecimal string. See
                  # https://tools.ietf.org/html/rfc4880#section-12.2 for details.
                  # Implementations may choose to acknowledge "LONG", "SHORT", or other
                  # abbreviated key IDs, but only the full fingerprint is guaranteed to work.
                  # In gpg, the full fingerprint can be retrieved from the `fpr` field
                  # returned when calling --list-keys with --with-colons.  For example:
                  # ```
                  # gpg --with-colons --with-fingerprint --force-v4-certs \
                  #     --list-keys attester@example.com
                  # tru::1:1513631572:0:3:1:5
                  # pub:...<SNIP>...
                  # fpr:::::::::24FF6481B76AC91E66A00AC657A93A81EF3AE6FB:
                  # ```
                  # Above, the fingerprint is `24FF6481B76AC91E66A00AC657A93A81EF3AE6FB`.
              "contentType": "A String", # Type (for example schema) of the attestation payload that was signed.
                  # The verifier must ensure that the provided type is one that the verifier
                  # supports, and that the attestation payload is a valid instantiation of that
                  # type (for example by validating a JSON schema).
              "signature": "A String", # Required. The raw content of the signature, as output by GNU Privacy Guard
                  # (GPG) or equivalent. Since this message only supports attached signatures,
                  # the payload that was signed must be attached. While the signature format
                  # supported is dependent on the verification implementation, currently only
                  # ASCII-armored (`--armor` to gpg), non-clearsigned (`--sign` rather than
                  # `--clearsign` to gpg) are supported. Concretely, `gpg --sign --armor
                  # --output=signature.gpg payload.json` will create the signature content
                  # expected in this field in `signature.gpg` for the `payload.json`
                  # attestation payload.
            },
            "genericSignedAttestation": { # An attestation wrapper that uses the Grafeas `Signature` message.
                # This attestation must define the `serialized_payload` that the `signatures`
                # verify and any metadata necessary to interpret that plaintext.  The
                # signatures should always be over the `serialized_payload` bytestring.
              "signatures": [ # One or more signatures over `serialized_payload`.  Verifier implementations
                  # should consider this attestation message verified if at least one
                  # `signature` verifies `serialized_payload`.  See `Signature` in common.proto
                  # for more details on signature structure and verification.
                { # Verifiers (e.g. Kritis implementations) MUST verify signatures
                    # with respect to the trust anchors defined in policy (e.g. a Kritis policy).
                    # Typically this means that the verifier has been configured with a map from
                    # `public_key_id` to public key material (and any required parameters, e.g.
                    # signing algorithm).
                    #
                    # In particular, verification implementations MUST NOT treat the signature
                    # `public_key_id` as anything more than a key lookup hint. The `public_key_id`
                    # DOES NOT validate or authenticate a public key; it only provides a mechanism
                    # for quickly selecting a public key ALREADY CONFIGURED on the verifier through
                    # a trusted channel. Verification implementations MUST reject signatures in any
                    # of the following circumstances:
                    #   * The `public_key_id` is not recognized by the verifier.
                    #   * The public key that `public_key_id` refers to does not verify the
                    #     signature with respect to the payload.
                    #
                    # The `signature` contents SHOULD NOT be "attached" (where the payload is
                    # included with the serialized `signature` bytes). Verifiers MUST ignore any
                    # "attached" payload and only verify signatures with respect to explicitly
                    # provided payload (e.g. a `payload` field on the proto message that holds
                    # this Signature, or the canonical serialization of the proto message that
                    # holds this signature).
                  "publicKeyId": "A String", # The identifier for the public key that verifies this signature.
                      #   * The `public_key_id` is required.
                      #   * The `public_key_id` MUST be an RFC3986 conformant URI.
                      #   * When possible, the `public_key_id` SHOULD be an immutable reference,
                      #     such as a cryptographic digest.
                      #
                      # Examples of valid `public_key_id`s:
                      #
                      # OpenPGP V4 public key fingerprint:
                      #   * "openpgp4fpr:74FAF3B861BDA0870C7B6DEF607E48D2A663AEEA"
                      # See https://www.iana.org/assignments/uri-schemes/prov/openpgp4fpr for more
                      # details on this scheme.
                      #
                      # RFC6920 digest-named SubjectPublicKeyInfo (digest of the DER
                      # serialization):
                      #   * "ni:///sha-256;cD9o9Cq6LG3jD0iKXqEi_vdjJGecm_iXkbqVoScViaU"
                      #   * "nih:///sha-256;703f68f42aba2c6de30f488a5ea122fef76324679c9bf89791ba95a1271589a5"
                  "signature": "A String", # The content of the signature, an opaque bytestring.
                      # The payload that this signature verifies MUST be unambiguously provided
                      # with the Signature during verification. A wrapper message might provide
                      # the payload explicitly. Alternatively, a message might have a canonical
                      # serialization that can always be unambiguously computed to derive the
                      # payload.
                },
              ],
              "contentType": "A String", # Type (for example schema) of the attestation payload that was signed.
                  # The verifier must ensure that the provided type is one that the verifier
                  # supports, and that the attestation payload is a valid instantiation of that
                  # type (for example by validating a JSON schema).
              "serializedPayload": "A String", # The serialized payload that is verified by one or more `signatures`.
                  # The encoding and semantic meaning of this payload must match what is set in
                  # `content_type`.
            },
          },
        },
        "intoto": { # This corresponds to a signed in-toto link - it is made up of one or more # Describes a specific in-toto link.
            # signatures and the in-toto link itself. This is used for occurrences of a
            # Grafeas in-toto note.
          "signatures": [
            { # A signature object consists of the KeyID used and the signature itself.
              "keyid": "A String",
              "sig": "A String",
            },
          ],
          "signed": { # This corresponds to an in-toto link.
            "environment": { # Defines an object for the environment field in in-toto links. The suggested # This is a field that can be used to capture information about the
                # environment. It is suggested for this field to contain information that
                # details environment variables, filesystem information, and the present
                # working directory. The recommended structure of this field is:
                # "environment": {
                #   "custom_values": {
                #     "variables": "<ENV>",
                #     "filesystem": "<FS>",
                #     "workdir": "<CWD>",
                #     "<ANY OTHER RELEVANT FIELDS>": "..."
                #   }
                # }
                # fields are "variables", "filesystem", and "workdir".
              "customValues": {
                "a_key": "A String",
              },
            },
            "command": [ # This field contains the full command executed for the step. This can also
                # be empty if links are generated for operations that aren't directly mapped
                # to a specific command. Each term in the command is an independent string
                # in the list. An example of a command in the in-toto metadata field is:
                # "command": ["git", "clone", "https://github.com/in-toto/demo-project.git"]
              "A String",
            ],
            "materials": [ # Materials are the supply chain artifacts that go into the step and are used
                # for the operation performed. The key of the map is the path of the artifact
                # and the structure contains the recorded hash information. An example is:
                # "materials": [
                #   {
                #     "resource_uri": "foo/bar",
                #     "hashes": {
                #       "sha256": "ebebf...",
                #       <OTHER HASH ALGORITHMS>: <HASH VALUE>
                #     }
                #   }
                # ]
              {
                "resourceUri": "A String",
                "hashes": { # Defines a hash object for use in Materials and Products.
                  "sha256": "A String",
                },
              },
            ],
            "products": [ # Products are the supply chain artifacts generated as a result of the step.
                # The structure is identical to that of materials.
              {
                "resourceUri": "A String",
                "hashes": { # Defines a hash object for use in Materials and Products.
                  "sha256": "A String",
                },
              },
            ],
            "byproducts": { # Defines an object for the byproducts field in in-toto links. The suggested # ByProducts are data generated as part of a software supply chain step, but
                # are not the actual result of the step.
                # fields are "stderr", "stdout", and "return-value".
              "customValues": {
                "a_key": "A String",
              },
            },
          },
        },
        "build": { # Details of a build occurrence. # Describes a verifiable build.
          "provenance": { # Provenance of a build. Contains all information needed to verify the full # Required. The actual provenance for the build.
              # details about the build from source to completion.
            "commands": [ # Commands requested by the build.
              { # Command describes a step performed as part of the build pipeline.
                "waitFor": [ # The ID(s) of the command(s) that this command depends on.
                  "A String",
                ],
                "name": "A String", # Required. Name of the command, as presented on the command line, or if the
                    # command is packaged as a Docker container, as presented to `docker pull`.
                "args": [ # Command-line arguments used when executing this command.
                  "A String",
                ],
                "env": [ # Environment variables set before running this command.
                  "A String",
                ],
                "id": "A String", # Optional unique identifier for this command, used in wait_for to reference
                    # this command as a dependency.
                "dir": "A String", # Working directory (relative to project source root) used when running this
                    # command.
              },
            ],
            "sourceProvenance": { # Source describes the location of the source used for the build. # Details of the Source input to the build.
              "fileHashes": { # Hash(es) of the build source, which can be used to verify that the original
                  # source integrity was maintained in the build.
                  #
                  # The keys to this map are file paths used as build source and the values
                  # contain the hash values for those files.
                  #
                  # If the build source came in a single package such as a gzipped tarfile
                  # (.tar.gz), the FileHash will be for the single path to that file.
                "a_key": { # Container message for hashes of byte content of files, used in source
                    # messages to verify integrity of source input to the build.
                  "fileHash": [ # Required. Collection of file hashes.
                    { # Container message for hash values.
                      "type": "A String", # Required. The type of hash that was performed.
                      "value": "A String", # Required. The hash value.
                    },
                  ],
                },
              },
              "artifactStorageSourceUri": "A String", # If provided, the input binary artifacts for the build came from this
                  # location.
              "additionalContexts": [ # If provided, some of the source code used for the build may be found in
                  # these locations, in the case where the source repository had multiple
                  # remotes or submodules. This list will not include the context specified in
                  # the context field.
                { # A SourceContext is a reference to a tree of files. A SourceContext together
                    # with a path point to a unique revision of a single file or directory.
                  "git": { # A GitSourceContext denotes a particular revision in a third party Git # A SourceContext referring to any third party Git repo (e.g., GitHub).
                      # repository (e.g., GitHub).
                    "url": "A String", # Git repository URL.
                    "revisionId": "A String", # Git commit hash.
                  },
                  "cloudRepo": { # A CloudRepoSourceContext denotes a particular revision in a Google Cloud # A SourceContext referring to a revision in a Google Cloud Source Repo.
                      # Source Repo.
                    "aliasContext": { # An alias to a repo revision. # An alias, which may be a branch or tag.
                      "kind": "A String", # The alias kind.
                      "name": "A String", # The alias name.
                    },
                    "revisionId": "A String", # A revision ID.
                    "repoId": { # A unique identifier for a Cloud Repo. # The ID of the repo.
                      "uid": "A String", # A server-assigned, globally unique identifier.
                      "projectRepoId": { # Selects a repo using a Google Cloud Platform project ID (e.g., # A combination of a project ID and a repo name.
                          # winged-cargo-31) and a repo name within that project.
                        "projectId": "A String", # The ID of the project.
                        "repoName": "A String", # The name of the repo. Leave empty for the default repo.
                      },
                    },
                  },
                  "labels": { # Labels with user defined metadata.
                    "a_key": "A String",
                  },
                  "gerrit": { # A SourceContext referring to a Gerrit project. # A SourceContext referring to a Gerrit project.
                    "aliasContext": { # An alias to a repo revision. # An alias, which may be a branch or tag.
                      "kind": "A String", # The alias kind.
                      "name": "A String", # The alias name.
                    },
                    "revisionId": "A String", # A revision (commit) ID.
                    "gerritProject": "A String", # The full project name within the host. Projects may be nested, so
                        # "project/subproject" is a valid project name. The "repo name" is the
                        # hostURI/project.
                    "hostUri": "A String", # The URI of a running Gerrit instance.
                  },
                },
              ],
              "context": { # A SourceContext is a reference to a tree of files. A SourceContext together # If provided, the source code used for the build came from this location.
                  # with a path point to a unique revision of a single file or directory.
                "git": { # A GitSourceContext denotes a particular revision in a third party Git # A SourceContext referring to any third party Git repo (e.g., GitHub).
                    # repository (e.g., GitHub).
                  "url": "A String", # Git repository URL.
                  "revisionId": "A String", # Git commit hash.
                },
                "cloudRepo": { # A CloudRepoSourceContext denotes a particular revision in a Google Cloud # A SourceContext referring to a revision in a Google Cloud Source Repo.
                    # Source Repo.
                  "aliasContext": { # An alias to a repo revision. # An alias, which may be a branch or tag.
                    "kind": "A String", # The alias kind.
                    "name": "A String", # The alias name.
                  },
                  "revisionId": "A String", # A revision ID.
                  "repoId": { # A unique identifier for a Cloud Repo. # The ID of the repo.
                    "uid": "A String", # A server-assigned, globally unique identifier.
                    "projectRepoId": { # Selects a repo using a Google Cloud Platform project ID (e.g., # A combination of a project ID and a repo name.
                        # winged-cargo-31) and a repo name within that project.
                      "projectId": "A String", # The ID of the project.
                      "repoName": "A String", # The name of the repo. Leave empty for the default repo.
                    },
                  },
                },
                "labels": { # Labels with user defined metadata.
                  "a_key": "A String",
                },
                "gerrit": { # A SourceContext referring to a Gerrit project. # A SourceContext referring to a Gerrit project.
                  "aliasContext": { # An alias to a repo revision. # An alias, which may be a branch or tag.
                    "kind": "A String", # The alias kind.
                    "name": "A String", # The alias name.
                  },
                  "revisionId": "A String", # A revision (commit) ID.
                  "gerritProject": "A String", # The full project name within the host. Projects may be nested, so
                      # "project/subproject" is a valid project name. The "repo name" is the
                      # hostURI/project.
                  "hostUri": "A String", # The URI of a running Gerrit instance.
                },
              },
            },
            "buildOptions": { # Special options applied to this build. This is a catch-all field where
                # build providers can enter any desired additional details.
              "a_key": "A String",
            },
            "creator": "A String", # E-mail address of the user who initiated this build. Note that this was the
                # user's e-mail address at the time the build was initiated; this address may
                # not represent the same end-user for all time.
            "projectId": "A String", # ID of the project.
            "builderVersion": "A String", # Version string of the builder at the time this build was executed.
            "createTime": "A String", # Time at which the build was created.
            "builtArtifacts": [ # Output of the build.
              { # Artifact describes a build product.
                "checksum": "A String", # Hash or checksum value of a binary, or Docker Registry 2.0 digest of a
                    # container.
                "id": "A String", # Artifact ID, if any; for container images, this will be a URL by digest
                    # like `gcr.io/projectID/imagename@sha256:123456`.
                "names": [ # Related artifact names. This may be the path to a binary or jar file, or in
                    # the case of a container build, the name used to push the container image to
                    # Google Container Registry, as presented to `docker push`. Note that a
                    # single Artifact ID can have multiple names, for example if two tags are
                    # applied to one image.
                  "A String",
                ],
              },
            ],
            "triggerId": "A String", # Trigger identifier if the build was triggered automatically; empty if not.
            "startTime": "A String", # Time at which execution of the build was started.
            "endTime": "A String", # Time at which execution of the build was finished.
            "id": "A String", # Required. Unique identifier of the build.
            "logsUri": "A String", # URI where any logs for this provenance were written.
          },
          "provenanceBytes": "A String", # Serialized JSON representation of the provenance, used in generating the
              # build signature in the corresponding build note. After verifying the
              # signature, `provenance_bytes` can be unmarshalled and compared to the
              # provenance to confirm that it is unchanged. A base64-encoded string
              # representation of the provenance bytes is used for the signature in order
              # to interoperate with openssl which expects this format for signature
              # verification.
              #
              # The serialized form is captured both to avoid ambiguity in how the
              # provenance is marshalled to json as well to prevent incompatibilities with
              # future changes.
        },
        "deployment": { # Details of a deployment occurrence. # Describes the deployment of an artifact on a runtime.
          "deployment": { # The period during which some deployable was active in a runtime. # Required. Deployment history for the resource.
            "resourceUri": [ # Output only. Resource URI for the artifact being deployed taken from
                # the deployable field with the same name.
              "A String",
            ],
            "userEmail": "A String", # Identity of the user that triggered this deployment.
            "address": "A String", # Address of the runtime element hosting this deployment.
            "platform": "A String", # Platform hosting this deployment.
            "deployTime": "A String", # Required. Beginning of the lifetime of this deployment.
            "undeployTime": "A String", # End of the lifetime of this deployment.
            "config": "A String", # Configuration used to create this deployment.
          },
        },
        "remediation": "A String", # A description of actions that can be taken to remedy the note.
        "installation": { # Details of a package occurrence. # Describes the installation of a package on the linked resource.
          "installation": { # This represents how a particular software package may be installed on a # Required. Where the package was installed.
              # system.
            "name": "A String", # Output only. The name of the installed package.
            "location": [ # Required. All of the places within the filesystem versions of this package
                # have been found.
              { # An occurrence of a particular package installation found within a system's
                  # filesystem. E.g., glibc was found in `/var/lib/dpkg/status`.
                "path": "A String", # The path from which we gathered that this package/version is installed.
                "cpeUri": "A String", # Required. The CPE URI in [CPE format](https://cpe.mitre.org/specification/)
                    # denoting the package manager version distributing a package.
                "version": { # Version contains structured information about the version of a package. # The version installed at this location.
                  "epoch": 42, # Used to correct mistakes in the version numbering scheme.
                  "kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal
                      # versions.
                  "name": "A String", # Required only when version kind is NORMAL. The main part of the version
                      # name.
                  "revision": "A String", # The iteration of the package build from the above version.
                },
              },
            ],
          },
        },
        "createTime": "A String", # Output only. The time this occurrence was created.
        "derivedImage": { # Details of an image occurrence. # Describes how this resource derives from the basis in the associated
            # note.
          "derivedImage": { # Derived describes the derived image portion (Occurrence) of the DockerImage # Required. Immutable. The child image derived from the base image.
              # relationship. This image would be produced from a Dockerfile with FROM
              # <DockerImage.Basis in attached Note>.
            "distance": 42, # Output only. The number of layers by which this image differs from the
                # associated image basis.
            "baseResourceUrl": "A String", # Output only. This contains the base image URL for the derived image
                # occurrence.
            "layerInfo": [ # This contains layer-specific metadata, if populated it has length
                # "distance" and is ordered with [distance] being the layer immediately
                # following the base image and [1] being the final layer.
              { # Layer holds metadata specific to a layer of a Docker image.
                "arguments": "A String", # The recovered arguments to the Dockerfile directive.
                "directive": "A String", # Required. The recovered Dockerfile directive used to construct this layer.
              },
            ],
            "fingerprint": { # A set of properties that uniquely identify a given Docker image. # Required. The fingerprint of the derived image.
              "v1Name": "A String", # Required. The layer ID of the final layer in the Docker image's v1
                  # representation.
              "v2Blob": [ # Required. The ordered list of v2 blobs that represent a given image.
                "A String",
              ],
              "v2Name": "A String", # Output only. The name of the image's v2 blobs computed via:
                  #   [bottom] := v2_blobbottom := sha256(v2_blob[N] + " " + v2_name[N+1])
                  # Only the name of the final blob is kept.
            },
          },
        },
        "noteName": "A String", # Required. Immutable. The analysis note associated with this occurrence, in
            # the form of `projects/[PROVIDER_ID]/notes/[NOTE_ID]`. This field can be
            # used as a filter in list requests.
      },
    ],
  }

  x__xgafv: string, V1 error format.
    Allowed values
      1 - v1 error format
      2 - v2 error format

Returns:
  An object of the form:

    { # Response for creating occurrences in batch.
    "occurrences": [ # The occurrences that were created.
      { # An instance of an analysis type that has been found on a resource.
        "updateTime": "A String", # Output only. The time this occurrence was last updated.
        "resource": { # An entity that can have metadata. For example, a Docker image. # Required. Immutable. The resource for which the occurrence applies.
          "contentHash": { # Container message for hash values. # Deprecated, do not use. Use uri instead.
              #
              # The hash of the resource content. For example, the Docker digest.
            "type": "A String", # Required. The type of hash that was performed.
            "value": "A String", # Required. The hash value.
          },
          "name": "A String", # Deprecated, do not use. Use uri instead.
              #
              # The name of the resource. For example, the name of a Docker image -
              # "Debian".
          "uri": "A String", # Required. The unique URI of the resource. For example,
              # `https://gcr.io/project/image@sha256:foo` for a Docker image.
        },
        "name": "A String", # Output only. The name of the occurrence in the form of
            # `projects/[PROJECT_ID]/occurrences/[OCCURRENCE_ID]`.
        "vulnerability": { # Details of a vulnerability Occurrence. # Describes a security vulnerability.
          "cvssScore": 3.14, # Output only. The CVSS score of this vulnerability. CVSS score is on a
              # scale of 0-10 where 0 indicates low severity and 10 indicates high
              # severity.
          "severity": "A String", # Output only. The note provider assigned Severity of the vulnerability.
          "type": "A String", # The type of package; whether native or non native(ruby gems, node.js
              # packages etc)
          "effectiveSeverity": "A String", # The distro assigned severity for this vulnerability when it is
              # available, and note provider assigned severity when distro has not yet
              # assigned a severity for this vulnerability.
          "relatedUrls": [ # Output only. URLs related to this vulnerability.
            { # Metadata for any related URL information.
              "url": "A String", # Specific URL associated with the resource.
              "label": "A String", # Label to describe usage of the URL.
            },
          ],
          "packageIssue": [ # Required. The set of affected locations and their fixes (if available)
              # within the associated resource.
            { # This message wraps a location affected by a vulnerability and its
                # associated fix (if one is available).
              "severityName": "A String", # Deprecated, use Details.effective_severity instead
                  # The severity (e.g., distro assigned severity) for this vulnerability.
              "affectedLocation": { # The location of the vulnerability. # Required. The location of the vulnerability.
                "cpeUri": "A String", # Required. The CPE URI in [cpe format](https://cpe.mitre.org/specification/)
                    # format. Examples include distro or storage location for vulnerable jar.
                "version": { # Version contains structured information about the version of a package. # Required. The version of the package being described.
                  "epoch": 42, # Used to correct mistakes in the version numbering scheme.
                  "kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal
                      # versions.
                  "name": "A String", # Required only when version kind is NORMAL. The main part of the version
                      # name.
                  "revision": "A String", # The iteration of the package build from the above version.
                },
                "package": "A String", # Required. The package being described.
              },
              "fixedLocation": { # The location of the vulnerability. # The location of the available fix for vulnerability.
                "cpeUri": "A String", # Required. The CPE URI in [cpe format](https://cpe.mitre.org/specification/)
                    # format. Examples include distro or storage location for vulnerable jar.
                "version": { # Version contains structured information about the version of a package. # Required. The version of the package being described.
                  "epoch": 42, # Used to correct mistakes in the version numbering scheme.
                  "kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal
                      # versions.
                  "name": "A String", # Required only when version kind is NORMAL. The main part of the version
                      # name.
                  "revision": "A String", # The iteration of the package build from the above version.
                },
                "package": "A String", # Required. The package being described.
              },
            },
          ],
          "longDescription": "A String", # Output only. A detailed description of this vulnerability.
          "shortDescription": "A String", # Output only. A one sentence description of this vulnerability.
        },
        "kind": "A String", # Output only. This explicitly denotes which of the occurrence details are
            # specified. This field can be used as a filter in list requests.
        "discovered": { # Details of a discovery occurrence. # Describes when a resource was discovered.
          "discovered": { # Provides information about the analysis status of a discovered resource. # Required. Analysis status for the discovered resource.
            "lastAnalysisTime": "A String", # The last time continuous analysis was done for this resource.
                # Deprecated, do not use.
            "analysisStatus": "A String", # The status of discovery for the resource.
            "continuousAnalysis": "A String", # Whether the resource is continuously analyzed.
            "analysisStatusError": { # The `Status` type defines a logical error model that is suitable for # When an error is encountered this will contain a LocalizedMessage under
                # details to show to the user. The LocalizedMessage is output only and
                # populated by the API.
                # different programming environments, including REST APIs and RPC APIs. It is
                # used by [gRPC](https://github.com/grpc). Each `Status` message contains
                # three pieces of data: error code, error message, and error details.
                #
                # You can find out more about this error model and how to work with it in the
                # [API Design Guide](https://cloud.google.com/apis/design/errors).
              "message": "A String", # A developer-facing error message, which should be in English. Any
                  # user-facing error message should be localized and sent in the
                  # google.rpc.Status.details field, or localized by the client.
              "code": 42, # The status code, which should be an enum value of google.rpc.Code.
              "details": [ # A list of messages that carry the error details.  There is a common set of
                  # message types for APIs to use.
                {
                  "a_key": "", # Properties of the object. Contains field @type with type URL.
                },
              ],
            },
          },
        },
        "attestation": { # Details of an attestation occurrence. # Describes an attestation of an artifact.
          "attestation": { # Occurrence that represents a single "attestation". The authenticity of an # Required. Attestation for the resource.
              # attestation can be verified using the attached signature. If the verifier
              # trusts the public key of the signer, then verifying the signature is
              # sufficient to establish trust. In this circumstance, the authority to which
              # this attestation is attached is primarily useful for look-up (how to find
              # this attestation if you already know the authority and artifact to be
              # verified) and intent (which authority was this attestation intended to sign
              # for).
            "pgpSignedAttestation": { # An attestation wrapper with a PGP-compatible signature. This message only # A PGP signed attestation.
                # supports `ATTACHED` signatures, where the payload that is signed is included
                # alongside the signature itself in the same file.
              "pgpKeyId": "A String", # The cryptographic fingerprint of the key used to generate the signature,
                  # as output by, e.g. `gpg --list-keys`. This should be the version 4, full
                  # 160-bit fingerprint, expressed as a 40 character hexidecimal string. See
                  # https://tools.ietf.org/html/rfc4880#section-12.2 for details.
                  # Implementations may choose to acknowledge "LONG", "SHORT", or other
                  # abbreviated key IDs, but only the full fingerprint is guaranteed to work.
                  # In gpg, the full fingerprint can be retrieved from the `fpr` field
                  # returned when calling --list-keys with --with-colons.  For example:
                  # ```
                  # gpg --with-colons --with-fingerprint --force-v4-certs \
                  #     --list-keys attester@example.com
                  # tru::1:1513631572:0:3:1:5
                  # pub:...<SNIP>...
                  # fpr:::::::::24FF6481B76AC91E66A00AC657A93A81EF3AE6FB:
                  # ```
                  # Above, the fingerprint is `24FF6481B76AC91E66A00AC657A93A81EF3AE6FB`.
              "contentType": "A String", # Type (for example schema) of the attestation payload that was signed.
                  # The verifier must ensure that the provided type is one that the verifier
                  # supports, and that the attestation payload is a valid instantiation of that
                  # type (for example by validating a JSON schema).
              "signature": "A String", # Required. The raw content of the signature, as output by GNU Privacy Guard
                  # (GPG) or equivalent. Since this message only supports attached signatures,
                  # the payload that was signed must be attached. While the signature format
                  # supported is dependent on the verification implementation, currently only
                  # ASCII-armored (`--armor` to gpg), non-clearsigned (`--sign` rather than
                  # `--clearsign` to gpg) are supported. Concretely, `gpg --sign --armor
                  # --output=signature.gpg payload.json` will create the signature content
                  # expected in this field in `signature.gpg` for the `payload.json`
                  # attestation payload.
            },
            "genericSignedAttestation": { # An attestation wrapper that uses the Grafeas `Signature` message.
                # This attestation must define the `serialized_payload` that the `signatures`
                # verify and any metadata necessary to interpret that plaintext.  The
                # signatures should always be over the `serialized_payload` bytestring.
              "signatures": [ # One or more signatures over `serialized_payload`.  Verifier implementations
                  # should consider this attestation message verified if at least one
                  # `signature` verifies `serialized_payload`.  See `Signature` in common.proto
                  # for more details on signature structure and verification.
                { # Verifiers (e.g. Kritis implementations) MUST verify signatures
                    # with respect to the trust anchors defined in policy (e.g. a Kritis policy).
                    # Typically this means that the verifier has been configured with a map from
                    # `public_key_id` to public key material (and any required parameters, e.g.
                    # signing algorithm).
                    #
                    # In particular, verification implementations MUST NOT treat the signature
                    # `public_key_id` as anything more than a key lookup hint. The `public_key_id`
                    # DOES NOT validate or authenticate a public key; it only provides a mechanism
                    # for quickly selecting a public key ALREADY CONFIGURED on the verifier through
                    # a trusted channel. Verification implementations MUST reject signatures in any
                    # of the following circumstances:
                    #   * The `public_key_id` is not recognized by the verifier.
                    #   * The public key that `public_key_id` refers to does not verify the
                    #     signature with respect to the payload.
                    #
                    # The `signature` contents SHOULD NOT be "attached" (where the payload is
                    # included with the serialized `signature` bytes). Verifiers MUST ignore any
                    # "attached" payload and only verify signatures with respect to explicitly
                    # provided payload (e.g. a `payload` field on the proto message that holds
                    # this Signature, or the canonical serialization of the proto message that
                    # holds this signature).
                  "publicKeyId": "A String", # The identifier for the public key that verifies this signature.
                      #   * The `public_key_id` is required.
                      #   * The `public_key_id` MUST be an RFC3986 conformant URI.
                      #   * When possible, the `public_key_id` SHOULD be an immutable reference,
                      #     such as a cryptographic digest.
                      #
                      # Examples of valid `public_key_id`s:
                      #
                      # OpenPGP V4 public key fingerprint:
                      #   * "openpgp4fpr:74FAF3B861BDA0870C7B6DEF607E48D2A663AEEA"
                      # See https://www.iana.org/assignments/uri-schemes/prov/openpgp4fpr for more
                      # details on this scheme.
                      #
                      # RFC6920 digest-named SubjectPublicKeyInfo (digest of the DER
                      # serialization):
                      #   * "ni:///sha-256;cD9o9Cq6LG3jD0iKXqEi_vdjJGecm_iXkbqVoScViaU"
                      #   * "nih:///sha-256;703f68f42aba2c6de30f488a5ea122fef76324679c9bf89791ba95a1271589a5"
                  "signature": "A String", # The content of the signature, an opaque bytestring.
                      # The payload that this signature verifies MUST be unambiguously provided
                      # with the Signature during verification. A wrapper message might provide
                      # the payload explicitly. Alternatively, a message might have a canonical
                      # serialization that can always be unambiguously computed to derive the
                      # payload.
                },
              ],
              "contentType": "A String", # Type (for example schema) of the attestation payload that was signed.
                  # The verifier must ensure that the provided type is one that the verifier
                  # supports, and that the attestation payload is a valid instantiation of that
                  # type (for example by validating a JSON schema).
              "serializedPayload": "A String", # The serialized payload that is verified by one or more `signatures`.
                  # The encoding and semantic meaning of this payload must match what is set in
                  # `content_type`.
            },
          },
        },
        "intoto": { # This corresponds to a signed in-toto link - it is made up of one or more # Describes a specific in-toto link.
            # signatures and the in-toto link itself. This is used for occurrences of a
            # Grafeas in-toto note.
          "signatures": [
            { # A signature object consists of the KeyID used and the signature itself.
              "keyid": "A String",
              "sig": "A String",
            },
          ],
          "signed": { # This corresponds to an in-toto link.
            "environment": { # Defines an object for the environment field in in-toto links. The suggested # This is a field that can be used to capture information about the
                # environment. It is suggested for this field to contain information that
                # details environment variables, filesystem information, and the present
                # working directory. The recommended structure of this field is:
                # "environment": {
                #   "custom_values": {
                #     "variables": "<ENV>",
                #     "filesystem": "<FS>",
                #     "workdir": "<CWD>",
                #     "<ANY OTHER RELEVANT FIELDS>": "..."
                #   }
                # }
                # fields are "variables", "filesystem", and "workdir".
              "customValues": {
                "a_key": "A String",
              },
            },
            "command": [ # This field contains the full command executed for the step. This can also
                # be empty if links are generated for operations that aren't directly mapped
                # to a specific command. Each term in the command is an independent string
                # in the list. An example of a command in the in-toto metadata field is:
                # "command": ["git", "clone", "https://github.com/in-toto/demo-project.git"]
              "A String",
            ],
            "materials": [ # Materials are the supply chain artifacts that go into the step and are used
                # for the operation performed. The key of the map is the path of the artifact
                # and the structure contains the recorded hash information. An example is:
                # "materials": [
                #   {
                #     "resource_uri": "foo/bar",
                #     "hashes": {
                #       "sha256": "ebebf...",
                #       <OTHER HASH ALGORITHMS>: <HASH VALUE>
                #     }
                #   }
                # ]
              {
                "resourceUri": "A String",
                "hashes": { # Defines a hash object for use in Materials and Products.
                  "sha256": "A String",
                },
              },
            ],
            "products": [ # Products are the supply chain artifacts generated as a result of the step.
                # The structure is identical to that of materials.
              {
                "resourceUri": "A String",
                "hashes": { # Defines a hash object for use in Materials and Products.
                  "sha256": "A String",
                },
              },
            ],
            "byproducts": { # Defines an object for the byproducts field in in-toto links. The suggested # ByProducts are data generated as part of a software supply chain step, but
                # are not the actual result of the step.
                # fields are "stderr", "stdout", and "return-value".
              "customValues": {
                "a_key": "A String",
              },
            },
          },
        },
        "build": { # Details of a build occurrence. # Describes a verifiable build.
          "provenance": { # Provenance of a build. Contains all information needed to verify the full # Required. The actual provenance for the build.
              # details about the build from source to completion.
            "commands": [ # Commands requested by the build.
              { # Command describes a step performed as part of the build pipeline.
                "waitFor": [ # The ID(s) of the command(s) that this command depends on.
                  "A String",
                ],
                "name": "A String", # Required. Name of the command, as presented on the command line, or if the
                    # command is packaged as a Docker container, as presented to `docker pull`.
                "args": [ # Command-line arguments used when executing this command.
                  "A String",
                ],
                "env": [ # Environment variables set before running this command.
                  "A String",
                ],
                "id": "A String", # Optional unique identifier for this command, used in wait_for to reference
                    # this command as a dependency.
                "dir": "A String", # Working directory (relative to project source root) used when running this
                    # command.
              },
            ],
            "sourceProvenance": { # Source describes the location of the source used for the build. # Details of the Source input to the build.
              "fileHashes": { # Hash(es) of the build source, which can be used to verify that the original
                  # source integrity was maintained in the build.
                  #
                  # The keys to this map are file paths used as build source and the values
                  # contain the hash values for those files.
                  #
                  # If the build source came in a single package such as a gzipped tarfile
                  # (.tar.gz), the FileHash will be for the single path to that file.
                "a_key": { # Container message for hashes of byte content of files, used in source
                    # messages to verify integrity of source input to the build.
                  "fileHash": [ # Required. Collection of file hashes.
                    { # Container message for hash values.
                      "type": "A String", # Required. The type of hash that was performed.
                      "value": "A String", # Required. The hash value.
                    },
                  ],
                },
              },
              "artifactStorageSourceUri": "A String", # If provided, the input binary artifacts for the build came from this
                  # location.
              "additionalContexts": [ # If provided, some of the source code used for the build may be found in
                  # these locations, in the case where the source repository had multiple
                  # remotes or submodules. This list will not include the context specified in
                  # the context field.
                { # A SourceContext is a reference to a tree of files. A SourceContext together
                    # with a path point to a unique revision of a single file or directory.
                  "git": { # A GitSourceContext denotes a particular revision in a third party Git # A SourceContext referring to any third party Git repo (e.g., GitHub).
                      # repository (e.g., GitHub).
                    "url": "A String", # Git repository URL.
                    "revisionId": "A String", # Git commit hash.
                  },
                  "cloudRepo": { # A CloudRepoSourceContext denotes a particular revision in a Google Cloud # A SourceContext referring to a revision in a Google Cloud Source Repo.
                      # Source Repo.
                    "aliasContext": { # An alias to a repo revision. # An alias, which may be a branch or tag.
                      "kind": "A String", # The alias kind.
                      "name": "A String", # The alias name.
                    },
                    "revisionId": "A String", # A revision ID.
                    "repoId": { # A unique identifier for a Cloud Repo. # The ID of the repo.
                      "uid": "A String", # A server-assigned, globally unique identifier.
                      "projectRepoId": { # Selects a repo using a Google Cloud Platform project ID (e.g., # A combination of a project ID and a repo name.
                          # winged-cargo-31) and a repo name within that project.
                        "projectId": "A String", # The ID of the project.
                        "repoName": "A String", # The name of the repo. Leave empty for the default repo.
                      },
                    },
                  },
                  "labels": { # Labels with user defined metadata.
                    "a_key": "A String",
                  },
                  "gerrit": { # A SourceContext referring to a Gerrit project. # A SourceContext referring to a Gerrit project.
                    "aliasContext": { # An alias to a repo revision. # An alias, which may be a branch or tag.
                      "kind": "A String", # The alias kind.
                      "name": "A String", # The alias name.
                    },
                    "revisionId": "A String", # A revision (commit) ID.
                    "gerritProject": "A String", # The full project name within the host. Projects may be nested, so
                        # "project/subproject" is a valid project name. The "repo name" is the
                        # hostURI/project.
                    "hostUri": "A String", # The URI of a running Gerrit instance.
                  },
                },
              ],
              "context": { # A SourceContext is a reference to a tree of files. A SourceContext together # If provided, the source code used for the build came from this location.
                  # with a path point to a unique revision of a single file or directory.
                "git": { # A GitSourceContext denotes a particular revision in a third party Git # A SourceContext referring to any third party Git repo (e.g., GitHub).
                    # repository (e.g., GitHub).
                  "url": "A String", # Git repository URL.
                  "revisionId": "A String", # Git commit hash.
                },
                "cloudRepo": { # A CloudRepoSourceContext denotes a particular revision in a Google Cloud # A SourceContext referring to a revision in a Google Cloud Source Repo.
                    # Source Repo.
                  "aliasContext": { # An alias to a repo revision. # An alias, which may be a branch or tag.
                    "kind": "A String", # The alias kind.
                    "name": "A String", # The alias name.
                  },
                  "revisionId": "A String", # A revision ID.
                  "repoId": { # A unique identifier for a Cloud Repo. # The ID of the repo.
                    "uid": "A String", # A server-assigned, globally unique identifier.
                    "projectRepoId": { # Selects a repo using a Google Cloud Platform project ID (e.g., # A combination of a project ID and a repo name.
                        # winged-cargo-31) and a repo name within that project.
                      "projectId": "A String", # The ID of the project.
                      "repoName": "A String", # The name of the repo. Leave empty for the default repo.
                    },
                  },
                },
                "labels": { # Labels with user defined metadata.
                  "a_key": "A String",
                },
                "gerrit": { # A SourceContext referring to a Gerrit project. # A SourceContext referring to a Gerrit project.
                  "aliasContext": { # An alias to a repo revision. # An alias, which may be a branch or tag.
                    "kind": "A String", # The alias kind.
                    "name": "A String", # The alias name.
                  },
                  "revisionId": "A String", # A revision (commit) ID.
                  "gerritProject": "A String", # The full project name within the host. Projects may be nested, so
                      # "project/subproject" is a valid project name. The "repo name" is the
                      # hostURI/project.
                  "hostUri": "A String", # The URI of a running Gerrit instance.
                },
              },
            },
            "buildOptions": { # Special options applied to this build. This is a catch-all field where
                # build providers can enter any desired additional details.
              "a_key": "A String",
            },
            "creator": "A String", # E-mail address of the user who initiated this build. Note that this was the
                # user's e-mail address at the time the build was initiated; this address may
                # not represent the same end-user for all time.
            "projectId": "A String", # ID of the project.
            "builderVersion": "A String", # Version string of the builder at the time this build was executed.
            "createTime": "A String", # Time at which the build was created.
            "builtArtifacts": [ # Output of the build.
              { # Artifact describes a build product.
                "checksum": "A String", # Hash or checksum value of a binary, or Docker Registry 2.0 digest of a
                    # container.
                "id": "A String", # Artifact ID, if any; for container images, this will be a URL by digest
                    # like `gcr.io/projectID/imagename@sha256:123456`.
                "names": [ # Related artifact names. This may be the path to a binary or jar file, or in
                    # the case of a container build, the name used to push the container image to
                    # Google Container Registry, as presented to `docker push`. Note that a
                    # single Artifact ID can have multiple names, for example if two tags are
                    # applied to one image.
                  "A String",
                ],
              },
            ],
            "triggerId": "A String", # Trigger identifier if the build was triggered automatically; empty if not.
            "startTime": "A String", # Time at which execution of the build was started.
            "endTime": "A String", # Time at which execution of the build was finished.
            "id": "A String", # Required. Unique identifier of the build.
            "logsUri": "A String", # URI where any logs for this provenance were written.
          },
          "provenanceBytes": "A String", # Serialized JSON representation of the provenance, used in generating the
              # build signature in the corresponding build note. After verifying the
              # signature, `provenance_bytes` can be unmarshalled and compared to the
              # provenance to confirm that it is unchanged. A base64-encoded string
              # representation of the provenance bytes is used for the signature in order
              # to interoperate with openssl which expects this format for signature
              # verification.
              #
              # The serialized form is captured both to avoid ambiguity in how the
              # provenance is marshalled to json as well to prevent incompatibilities with
              # future changes.
        },
        "deployment": { # Details of a deployment occurrence. # Describes the deployment of an artifact on a runtime.
          "deployment": { # The period during which some deployable was active in a runtime. # Required. Deployment history for the resource.
            "resourceUri": [ # Output only. Resource URI for the artifact being deployed taken from
                # the deployable field with the same name.
              "A String",
            ],
            "userEmail": "A String", # Identity of the user that triggered this deployment.
            "address": "A String", # Address of the runtime element hosting this deployment.
            "platform": "A String", # Platform hosting this deployment.
            "deployTime": "A String", # Required. Beginning of the lifetime of this deployment.
            "undeployTime": "A String", # End of the lifetime of this deployment.
            "config": "A String", # Configuration used to create this deployment.
          },
        },
        "remediation": "A String", # A description of actions that can be taken to remedy the note.
        "installation": { # Details of a package occurrence. # Describes the installation of a package on the linked resource.
          "installation": { # This represents how a particular software package may be installed on a # Required. Where the package was installed.
              # system.
            "name": "A String", # Output only. The name of the installed package.
            "location": [ # Required. All of the places within the filesystem versions of this package
                # have been found.
              { # An occurrence of a particular package installation found within a system's
                  # filesystem. E.g., glibc was found in `/var/lib/dpkg/status`.
                "path": "A String", # The path from which we gathered that this package/version is installed.
                "cpeUri": "A String", # Required. The CPE URI in [CPE format](https://cpe.mitre.org/specification/)
                    # denoting the package manager version distributing a package.
                "version": { # Version contains structured information about the version of a package. # The version installed at this location.
                  "epoch": 42, # Used to correct mistakes in the version numbering scheme.
                  "kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal
                      # versions.
                  "name": "A String", # Required only when version kind is NORMAL. The main part of the version
                      # name.
                  "revision": "A String", # The iteration of the package build from the above version.
                },
              },
            ],
          },
        },
        "createTime": "A String", # Output only. The time this occurrence was created.
        "derivedImage": { # Details of an image occurrence. # Describes how this resource derives from the basis in the associated
            # note.
          "derivedImage": { # Derived describes the derived image portion (Occurrence) of the DockerImage # Required. Immutable. The child image derived from the base image.
              # relationship. This image would be produced from a Dockerfile with FROM
              # <DockerImage.Basis in attached Note>.
            "distance": 42, # Output only. The number of layers by which this image differs from the
                # associated image basis.
            "baseResourceUrl": "A String", # Output only. This contains the base image URL for the derived image
                # occurrence.
            "layerInfo": [ # This contains layer-specific metadata, if populated it has length
                # "distance" and is ordered with [distance] being the layer immediately
                # following the base image and [1] being the final layer.
              { # Layer holds metadata specific to a layer of a Docker image.
                "arguments": "A String", # The recovered arguments to the Dockerfile directive.
                "directive": "A String", # Required. The recovered Dockerfile directive used to construct this layer.
              },
            ],
            "fingerprint": { # A set of properties that uniquely identify a given Docker image. # Required. The fingerprint of the derived image.
              "v1Name": "A String", # Required. The layer ID of the final layer in the Docker image's v1
                  # representation.
              "v2Blob": [ # Required. The ordered list of v2 blobs that represent a given image.
                "A String",
              ],
              "v2Name": "A String", # Output only. The name of the image's v2 blobs computed via:
                  #   [bottom] := v2_blobbottom := sha256(v2_blob[N] + " " + v2_name[N+1])
                  # Only the name of the final blob is kept.
            },
          },
        },
        "noteName": "A String", # Required. Immutable. The analysis note associated with this occurrence, in
            # the form of `projects/[PROVIDER_ID]/notes/[NOTE_ID]`. This field can be
            # used as a filter in list requests.
      },
    ],
  }
create(parent, body=None, x__xgafv=None)
Creates a new occurrence.

Args:
  parent: string, Required. The name of the project in the form of `projects/[PROJECT_ID]`, under which
the occurrence is to be created. (required)
  body: object, The request body.
    The object takes the form of:

{ # An instance of an analysis type that has been found on a resource.
  "updateTime": "A String", # Output only. The time this occurrence was last updated.
  "resource": { # An entity that can have metadata. For example, a Docker image. # Required. Immutable. The resource for which the occurrence applies.
    "contentHash": { # Container message for hash values. # Deprecated, do not use. Use uri instead.
        #
        # The hash of the resource content. For example, the Docker digest.
      "type": "A String", # Required. The type of hash that was performed.
      "value": "A String", # Required. The hash value.
    },
    "name": "A String", # Deprecated, do not use. Use uri instead.
        #
        # The name of the resource. For example, the name of a Docker image -
        # "Debian".
    "uri": "A String", # Required. The unique URI of the resource. For example,
        # `https://gcr.io/project/image@sha256:foo` for a Docker image.
  },
  "name": "A String", # Output only. The name of the occurrence in the form of
      # `projects/[PROJECT_ID]/occurrences/[OCCURRENCE_ID]`.
  "vulnerability": { # Details of a vulnerability Occurrence. # Describes a security vulnerability.
    "cvssScore": 3.14, # Output only. The CVSS score of this vulnerability. CVSS score is on a
        # scale of 0-10 where 0 indicates low severity and 10 indicates high
        # severity.
    "severity": "A String", # Output only. The note provider assigned Severity of the vulnerability.
    "type": "A String", # The type of package; whether native or non native(ruby gems, node.js
        # packages etc)
    "effectiveSeverity": "A String", # The distro assigned severity for this vulnerability when it is
        # available, and note provider assigned severity when distro has not yet
        # assigned a severity for this vulnerability.
    "relatedUrls": [ # Output only. URLs related to this vulnerability.
      { # Metadata for any related URL information.
        "url": "A String", # Specific URL associated with the resource.
        "label": "A String", # Label to describe usage of the URL.
      },
    ],
    "packageIssue": [ # Required. The set of affected locations and their fixes (if available)
        # within the associated resource.
      { # This message wraps a location affected by a vulnerability and its
          # associated fix (if one is available).
        "severityName": "A String", # Deprecated, use Details.effective_severity instead
            # The severity (e.g., distro assigned severity) for this vulnerability.
        "affectedLocation": { # The location of the vulnerability. # Required. The location of the vulnerability.
          "cpeUri": "A String", # Required. The CPE URI in [cpe format](https://cpe.mitre.org/specification/)
              # format. Examples include distro or storage location for vulnerable jar.
          "version": { # Version contains structured information about the version of a package. # Required. The version of the package being described.
            "epoch": 42, # Used to correct mistakes in the version numbering scheme.
            "kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal
                # versions.
            "name": "A String", # Required only when version kind is NORMAL. The main part of the version
                # name.
            "revision": "A String", # The iteration of the package build from the above version.
          },
          "package": "A String", # Required. The package being described.
        },
        "fixedLocation": { # The location of the vulnerability. # The location of the available fix for vulnerability.
          "cpeUri": "A String", # Required. The CPE URI in [cpe format](https://cpe.mitre.org/specification/)
              # format. Examples include distro or storage location for vulnerable jar.
          "version": { # Version contains structured information about the version of a package. # Required. The version of the package being described.
            "epoch": 42, # Used to correct mistakes in the version numbering scheme.
            "kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal
                # versions.
            "name": "A String", # Required only when version kind is NORMAL. The main part of the version
                # name.
            "revision": "A String", # The iteration of the package build from the above version.
          },
          "package": "A String", # Required. The package being described.
        },
      },
    ],
    "longDescription": "A String", # Output only. A detailed description of this vulnerability.
    "shortDescription": "A String", # Output only. A one sentence description of this vulnerability.
  },
  "kind": "A String", # Output only. This explicitly denotes which of the occurrence details are
      # specified. This field can be used as a filter in list requests.
  "discovered": { # Details of a discovery occurrence. # Describes when a resource was discovered.
    "discovered": { # Provides information about the analysis status of a discovered resource. # Required. Analysis status for the discovered resource.
      "lastAnalysisTime": "A String", # The last time continuous analysis was done for this resource.
          # Deprecated, do not use.
      "analysisStatus": "A String", # The status of discovery for the resource.
      "continuousAnalysis": "A String", # Whether the resource is continuously analyzed.
      "analysisStatusError": { # The `Status` type defines a logical error model that is suitable for # When an error is encountered this will contain a LocalizedMessage under
          # details to show to the user. The LocalizedMessage is output only and
          # populated by the API.
          # different programming environments, including REST APIs and RPC APIs. It is
          # used by [gRPC](https://github.com/grpc). Each `Status` message contains
          # three pieces of data: error code, error message, and error details.
          #
          # You can find out more about this error model and how to work with it in the
          # [API Design Guide](https://cloud.google.com/apis/design/errors).
        "message": "A String", # A developer-facing error message, which should be in English. Any
            # user-facing error message should be localized and sent in the
            # google.rpc.Status.details field, or localized by the client.
        "code": 42, # The status code, which should be an enum value of google.rpc.Code.
        "details": [ # A list of messages that carry the error details.  There is a common set of
            # message types for APIs to use.
          {
            "a_key": "", # Properties of the object. Contains field @type with type URL.
          },
        ],
      },
    },
  },
  "attestation": { # Details of an attestation occurrence. # Describes an attestation of an artifact.
    "attestation": { # Occurrence that represents a single "attestation". The authenticity of an # Required. Attestation for the resource.
        # attestation can be verified using the attached signature. If the verifier
        # trusts the public key of the signer, then verifying the signature is
        # sufficient to establish trust. In this circumstance, the authority to which
        # this attestation is attached is primarily useful for look-up (how to find
        # this attestation if you already know the authority and artifact to be
        # verified) and intent (which authority was this attestation intended to sign
        # for).
      "pgpSignedAttestation": { # An attestation wrapper with a PGP-compatible signature. This message only # A PGP signed attestation.
          # supports `ATTACHED` signatures, where the payload that is signed is included
          # alongside the signature itself in the same file.
        "pgpKeyId": "A String", # The cryptographic fingerprint of the key used to generate the signature,
            # as output by, e.g. `gpg --list-keys`. This should be the version 4, full
            # 160-bit fingerprint, expressed as a 40 character hexidecimal string. See
            # https://tools.ietf.org/html/rfc4880#section-12.2 for details.
            # Implementations may choose to acknowledge "LONG", "SHORT", or other
            # abbreviated key IDs, but only the full fingerprint is guaranteed to work.
            # In gpg, the full fingerprint can be retrieved from the `fpr` field
            # returned when calling --list-keys with --with-colons.  For example:
            # ```
            # gpg --with-colons --with-fingerprint --force-v4-certs \
            #     --list-keys attester@example.com
            # tru::1:1513631572:0:3:1:5
            # pub:...<SNIP>...
            # fpr:::::::::24FF6481B76AC91E66A00AC657A93A81EF3AE6FB:
            # ```
            # Above, the fingerprint is `24FF6481B76AC91E66A00AC657A93A81EF3AE6FB`.
        "contentType": "A String", # Type (for example schema) of the attestation payload that was signed.
            # The verifier must ensure that the provided type is one that the verifier
            # supports, and that the attestation payload is a valid instantiation of that
            # type (for example by validating a JSON schema).
        "signature": "A String", # Required. The raw content of the signature, as output by GNU Privacy Guard
            # (GPG) or equivalent. Since this message only supports attached signatures,
            # the payload that was signed must be attached. While the signature format
            # supported is dependent on the verification implementation, currently only
            # ASCII-armored (`--armor` to gpg), non-clearsigned (`--sign` rather than
            # `--clearsign` to gpg) are supported. Concretely, `gpg --sign --armor
            # --output=signature.gpg payload.json` will create the signature content
            # expected in this field in `signature.gpg` for the `payload.json`
            # attestation payload.
      },
      "genericSignedAttestation": { # An attestation wrapper that uses the Grafeas `Signature` message.
          # This attestation must define the `serialized_payload` that the `signatures`
          # verify and any metadata necessary to interpret that plaintext.  The
          # signatures should always be over the `serialized_payload` bytestring.
        "signatures": [ # One or more signatures over `serialized_payload`.  Verifier implementations
            # should consider this attestation message verified if at least one
            # `signature` verifies `serialized_payload`.  See `Signature` in common.proto
            # for more details on signature structure and verification.
          { # Verifiers (e.g. Kritis implementations) MUST verify signatures
              # with respect to the trust anchors defined in policy (e.g. a Kritis policy).
              # Typically this means that the verifier has been configured with a map from
              # `public_key_id` to public key material (and any required parameters, e.g.
              # signing algorithm).
              #
              # In particular, verification implementations MUST NOT treat the signature
              # `public_key_id` as anything more than a key lookup hint. The `public_key_id`
              # DOES NOT validate or authenticate a public key; it only provides a mechanism
              # for quickly selecting a public key ALREADY CONFIGURED on the verifier through
              # a trusted channel. Verification implementations MUST reject signatures in any
              # of the following circumstances:
              #   * The `public_key_id` is not recognized by the verifier.
              #   * The public key that `public_key_id` refers to does not verify the
              #     signature with respect to the payload.
              #
              # The `signature` contents SHOULD NOT be "attached" (where the payload is
              # included with the serialized `signature` bytes). Verifiers MUST ignore any
              # "attached" payload and only verify signatures with respect to explicitly
              # provided payload (e.g. a `payload` field on the proto message that holds
              # this Signature, or the canonical serialization of the proto message that
              # holds this signature).
            "publicKeyId": "A String", # The identifier for the public key that verifies this signature.
                #   * The `public_key_id` is required.
                #   * The `public_key_id` MUST be an RFC3986 conformant URI.
                #   * When possible, the `public_key_id` SHOULD be an immutable reference,
                #     such as a cryptographic digest.
                #
                # Examples of valid `public_key_id`s:
                #
                # OpenPGP V4 public key fingerprint:
                #   * "openpgp4fpr:74FAF3B861BDA0870C7B6DEF607E48D2A663AEEA"
                # See https://www.iana.org/assignments/uri-schemes/prov/openpgp4fpr for more
                # details on this scheme.
                #
                # RFC6920 digest-named SubjectPublicKeyInfo (digest of the DER
                # serialization):
                #   * "ni:///sha-256;cD9o9Cq6LG3jD0iKXqEi_vdjJGecm_iXkbqVoScViaU"
                #   * "nih:///sha-256;703f68f42aba2c6de30f488a5ea122fef76324679c9bf89791ba95a1271589a5"
            "signature": "A String", # The content of the signature, an opaque bytestring.
                # The payload that this signature verifies MUST be unambiguously provided
                # with the Signature during verification. A wrapper message might provide
                # the payload explicitly. Alternatively, a message might have a canonical
                # serialization that can always be unambiguously computed to derive the
                # payload.
          },
        ],
        "contentType": "A String", # Type (for example schema) of the attestation payload that was signed.
            # The verifier must ensure that the provided type is one that the verifier
            # supports, and that the attestation payload is a valid instantiation of that
            # type (for example by validating a JSON schema).
        "serializedPayload": "A String", # The serialized payload that is verified by one or more `signatures`.
            # The encoding and semantic meaning of this payload must match what is set in
            # `content_type`.
      },
    },
  },
  "intoto": { # This corresponds to a signed in-toto link - it is made up of one or more # Describes a specific in-toto link.
      # signatures and the in-toto link itself. This is used for occurrences of a
      # Grafeas in-toto note.
    "signatures": [
      { # A signature object consists of the KeyID used and the signature itself.
        "keyid": "A String",
        "sig": "A String",
      },
    ],
    "signed": { # This corresponds to an in-toto link.
      "environment": { # Defines an object for the environment field in in-toto links. The suggested # This is a field that can be used to capture information about the
          # environment. It is suggested for this field to contain information that
          # details environment variables, filesystem information, and the present
          # working directory. The recommended structure of this field is:
          # "environment": {
          #   "custom_values": {
          #     "variables": "<ENV>",
          #     "filesystem": "<FS>",
          #     "workdir": "<CWD>",
          #     "<ANY OTHER RELEVANT FIELDS>": "..."
          #   }
          # }
          # fields are "variables", "filesystem", and "workdir".
        "customValues": {
          "a_key": "A String",
        },
      },
      "command": [ # This field contains the full command executed for the step. This can also
          # be empty if links are generated for operations that aren't directly mapped
          # to a specific command. Each term in the command is an independent string
          # in the list. An example of a command in the in-toto metadata field is:
          # "command": ["git", "clone", "https://github.com/in-toto/demo-project.git"]
        "A String",
      ],
      "materials": [ # Materials are the supply chain artifacts that go into the step and are used
          # for the operation performed. The key of the map is the path of the artifact
          # and the structure contains the recorded hash information. An example is:
          # "materials": [
          #   {
          #     "resource_uri": "foo/bar",
          #     "hashes": {
          #       "sha256": "ebebf...",
          #       <OTHER HASH ALGORITHMS>: <HASH VALUE>
          #     }
          #   }
          # ]
        {
          "resourceUri": "A String",
          "hashes": { # Defines a hash object for use in Materials and Products.
            "sha256": "A String",
          },
        },
      ],
      "products": [ # Products are the supply chain artifacts generated as a result of the step.
          # The structure is identical to that of materials.
        {
          "resourceUri": "A String",
          "hashes": { # Defines a hash object for use in Materials and Products.
            "sha256": "A String",
          },
        },
      ],
      "byproducts": { # Defines an object for the byproducts field in in-toto links. The suggested # ByProducts are data generated as part of a software supply chain step, but
          # are not the actual result of the step.
          # fields are "stderr", "stdout", and "return-value".
        "customValues": {
          "a_key": "A String",
        },
      },
    },
  },
  "build": { # Details of a build occurrence. # Describes a verifiable build.
    "provenance": { # Provenance of a build. Contains all information needed to verify the full # Required. The actual provenance for the build.
        # details about the build from source to completion.
      "commands": [ # Commands requested by the build.
        { # Command describes a step performed as part of the build pipeline.
          "waitFor": [ # The ID(s) of the command(s) that this command depends on.
            "A String",
          ],
          "name": "A String", # Required. Name of the command, as presented on the command line, or if the
              # command is packaged as a Docker container, as presented to `docker pull`.
          "args": [ # Command-line arguments used when executing this command.
            "A String",
          ],
          "env": [ # Environment variables set before running this command.
            "A String",
          ],
          "id": "A String", # Optional unique identifier for this command, used in wait_for to reference
              # this command as a dependency.
          "dir": "A String", # Working directory (relative to project source root) used when running this
              # command.
        },
      ],
      "sourceProvenance": { # Source describes the location of the source used for the build. # Details of the Source input to the build.
        "fileHashes": { # Hash(es) of the build source, which can be used to verify that the original
            # source integrity was maintained in the build.
            #
            # The keys to this map are file paths used as build source and the values
            # contain the hash values for those files.
            #
            # If the build source came in a single package such as a gzipped tarfile
            # (.tar.gz), the FileHash will be for the single path to that file.
          "a_key": { # Container message for hashes of byte content of files, used in source
              # messages to verify integrity of source input to the build.
            "fileHash": [ # Required. Collection of file hashes.
              { # Container message for hash values.
                "type": "A String", # Required. The type of hash that was performed.
                "value": "A String", # Required. The hash value.
              },
            ],
          },
        },
        "artifactStorageSourceUri": "A String", # If provided, the input binary artifacts for the build came from this
            # location.
        "additionalContexts": [ # If provided, some of the source code used for the build may be found in
            # these locations, in the case where the source repository had multiple
            # remotes or submodules. This list will not include the context specified in
            # the context field.
          { # A SourceContext is a reference to a tree of files. A SourceContext together
              # with a path point to a unique revision of a single file or directory.
            "git": { # A GitSourceContext denotes a particular revision in a third party Git # A SourceContext referring to any third party Git repo (e.g., GitHub).
                # repository (e.g., GitHub).
              "url": "A String", # Git repository URL.
              "revisionId": "A String", # Git commit hash.
            },
            "cloudRepo": { # A CloudRepoSourceContext denotes a particular revision in a Google Cloud # A SourceContext referring to a revision in a Google Cloud Source Repo.
                # Source Repo.
              "aliasContext": { # An alias to a repo revision. # An alias, which may be a branch or tag.
                "kind": "A String", # The alias kind.
                "name": "A String", # The alias name.
              },
              "revisionId": "A String", # A revision ID.
              "repoId": { # A unique identifier for a Cloud Repo. # The ID of the repo.
                "uid": "A String", # A server-assigned, globally unique identifier.
                "projectRepoId": { # Selects a repo using a Google Cloud Platform project ID (e.g., # A combination of a project ID and a repo name.
                    # winged-cargo-31) and a repo name within that project.
                  "projectId": "A String", # The ID of the project.
                  "repoName": "A String", # The name of the repo. Leave empty for the default repo.
                },
              },
            },
            "labels": { # Labels with user defined metadata.
              "a_key": "A String",
            },
            "gerrit": { # A SourceContext referring to a Gerrit project. # A SourceContext referring to a Gerrit project.
              "aliasContext": { # An alias to a repo revision. # An alias, which may be a branch or tag.
                "kind": "A String", # The alias kind.
                "name": "A String", # The alias name.
              },
              "revisionId": "A String", # A revision (commit) ID.
              "gerritProject": "A String", # The full project name within the host. Projects may be nested, so
                  # "project/subproject" is a valid project name. The "repo name" is the
                  # hostURI/project.
              "hostUri": "A String", # The URI of a running Gerrit instance.
            },
          },
        ],
        "context": { # A SourceContext is a reference to a tree of files. A SourceContext together # If provided, the source code used for the build came from this location.
            # with a path point to a unique revision of a single file or directory.
          "git": { # A GitSourceContext denotes a particular revision in a third party Git # A SourceContext referring to any third party Git repo (e.g., GitHub).
              # repository (e.g., GitHub).
            "url": "A String", # Git repository URL.
            "revisionId": "A String", # Git commit hash.
          },
          "cloudRepo": { # A CloudRepoSourceContext denotes a particular revision in a Google Cloud # A SourceContext referring to a revision in a Google Cloud Source Repo.
              # Source Repo.
            "aliasContext": { # An alias to a repo revision. # An alias, which may be a branch or tag.
              "kind": "A String", # The alias kind.
              "name": "A String", # The alias name.
            },
            "revisionId": "A String", # A revision ID.
            "repoId": { # A unique identifier for a Cloud Repo. # The ID of the repo.
              "uid": "A String", # A server-assigned, globally unique identifier.
              "projectRepoId": { # Selects a repo using a Google Cloud Platform project ID (e.g., # A combination of a project ID and a repo name.
                  # winged-cargo-31) and a repo name within that project.
                "projectId": "A String", # The ID of the project.
                "repoName": "A String", # The name of the repo. Leave empty for the default repo.
              },
            },
          },
          "labels": { # Labels with user defined metadata.
            "a_key": "A String",
          },
          "gerrit": { # A SourceContext referring to a Gerrit project. # A SourceContext referring to a Gerrit project.
            "aliasContext": { # An alias to a repo revision. # An alias, which may be a branch or tag.
              "kind": "A String", # The alias kind.
              "name": "A String", # The alias name.
            },
            "revisionId": "A String", # A revision (commit) ID.
            "gerritProject": "A String", # The full project name within the host. Projects may be nested, so
                # "project/subproject" is a valid project name. The "repo name" is the
                # hostURI/project.
            "hostUri": "A String", # The URI of a running Gerrit instance.
          },
        },
      },
      "buildOptions": { # Special options applied to this build. This is a catch-all field where
          # build providers can enter any desired additional details.
        "a_key": "A String",
      },
      "creator": "A String", # E-mail address of the user who initiated this build. Note that this was the
          # user's e-mail address at the time the build was initiated; this address may
          # not represent the same end-user for all time.
      "projectId": "A String", # ID of the project.
      "builderVersion": "A String", # Version string of the builder at the time this build was executed.
      "createTime": "A String", # Time at which the build was created.
      "builtArtifacts": [ # Output of the build.
        { # Artifact describes a build product.
          "checksum": "A String", # Hash or checksum value of a binary, or Docker Registry 2.0 digest of a
              # container.
          "id": "A String", # Artifact ID, if any; for container images, this will be a URL by digest
              # like `gcr.io/projectID/imagename@sha256:123456`.
          "names": [ # Related artifact names. This may be the path to a binary or jar file, or in
              # the case of a container build, the name used to push the container image to
              # Google Container Registry, as presented to `docker push`. Note that a
              # single Artifact ID can have multiple names, for example if two tags are
              # applied to one image.
            "A String",
          ],
        },
      ],
      "triggerId": "A String", # Trigger identifier if the build was triggered automatically; empty if not.
      "startTime": "A String", # Time at which execution of the build was started.
      "endTime": "A String", # Time at which execution of the build was finished.
      "id": "A String", # Required. Unique identifier of the build.
      "logsUri": "A String", # URI where any logs for this provenance were written.
    },
    "provenanceBytes": "A String", # Serialized JSON representation of the provenance, used in generating the
        # build signature in the corresponding build note. After verifying the
        # signature, `provenance_bytes` can be unmarshalled and compared to the
        # provenance to confirm that it is unchanged. A base64-encoded string
        # representation of the provenance bytes is used for the signature in order
        # to interoperate with openssl which expects this format for signature
        # verification.
        #
        # The serialized form is captured both to avoid ambiguity in how the
        # provenance is marshalled to json as well to prevent incompatibilities with
        # future changes.
  },
  "deployment": { # Details of a deployment occurrence. # Describes the deployment of an artifact on a runtime.
    "deployment": { # The period during which some deployable was active in a runtime. # Required. Deployment history for the resource.
      "resourceUri": [ # Output only. Resource URI for the artifact being deployed taken from
          # the deployable field with the same name.
        "A String",
      ],
      "userEmail": "A String", # Identity of the user that triggered this deployment.
      "address": "A String", # Address of the runtime element hosting this deployment.
      "platform": "A String", # Platform hosting this deployment.
      "deployTime": "A String", # Required. Beginning of the lifetime of this deployment.
      "undeployTime": "A String", # End of the lifetime of this deployment.
      "config": "A String", # Configuration used to create this deployment.
    },
  },
  "remediation": "A String", # A description of actions that can be taken to remedy the note.
  "installation": { # Details of a package occurrence. # Describes the installation of a package on the linked resource.
    "installation": { # This represents how a particular software package may be installed on a # Required. Where the package was installed.
        # system.
      "name": "A String", # Output only. The name of the installed package.
      "location": [ # Required. All of the places within the filesystem versions of this package
          # have been found.
        { # An occurrence of a particular package installation found within a system's
            # filesystem. E.g., glibc was found in `/var/lib/dpkg/status`.
          "path": "A String", # The path from which we gathered that this package/version is installed.
          "cpeUri": "A String", # Required. The CPE URI in [CPE format](https://cpe.mitre.org/specification/)
              # denoting the package manager version distributing a package.
          "version": { # Version contains structured information about the version of a package. # The version installed at this location.
            "epoch": 42, # Used to correct mistakes in the version numbering scheme.
            "kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal
                # versions.
            "name": "A String", # Required only when version kind is NORMAL. The main part of the version
                # name.
            "revision": "A String", # The iteration of the package build from the above version.
          },
        },
      ],
    },
  },
  "createTime": "A String", # Output only. The time this occurrence was created.
  "derivedImage": { # Details of an image occurrence. # Describes how this resource derives from the basis in the associated
      # note.
    "derivedImage": { # Derived describes the derived image portion (Occurrence) of the DockerImage # Required. Immutable. The child image derived from the base image.
        # relationship. This image would be produced from a Dockerfile with FROM
        # <DockerImage.Basis in attached Note>.
      "distance": 42, # Output only. The number of layers by which this image differs from the
          # associated image basis.
      "baseResourceUrl": "A String", # Output only. This contains the base image URL for the derived image
          # occurrence.
      "layerInfo": [ # This contains layer-specific metadata, if populated it has length
          # "distance" and is ordered with [distance] being the layer immediately
          # following the base image and [1] being the final layer.
        { # Layer holds metadata specific to a layer of a Docker image.
          "arguments": "A String", # The recovered arguments to the Dockerfile directive.
          "directive": "A String", # Required. The recovered Dockerfile directive used to construct this layer.
        },
      ],
      "fingerprint": { # A set of properties that uniquely identify a given Docker image. # Required. The fingerprint of the derived image.
        "v1Name": "A String", # Required. The layer ID of the final layer in the Docker image's v1
            # representation.
        "v2Blob": [ # Required. The ordered list of v2 blobs that represent a given image.
          "A String",
        ],
        "v2Name": "A String", # Output only. The name of the image's v2 blobs computed via:
            #   [bottom] := v2_blobbottom := sha256(v2_blob[N] + " " + v2_name[N+1])
            # Only the name of the final blob is kept.
      },
    },
  },
  "noteName": "A String", # Required. Immutable. The analysis note associated with this occurrence, in
      # the form of `projects/[PROVIDER_ID]/notes/[NOTE_ID]`. This field can be
      # used as a filter in list requests.
}

  x__xgafv: string, V1 error format.
    Allowed values
      1 - v1 error format
      2 - v2 error format

Returns:
  An object of the form:

    { # An instance of an analysis type that has been found on a resource.
    "updateTime": "A String", # Output only. The time this occurrence was last updated.
    "resource": { # An entity that can have metadata. For example, a Docker image. # Required. Immutable. The resource for which the occurrence applies.
      "contentHash": { # Container message for hash values. # Deprecated, do not use. Use uri instead.
          #
          # The hash of the resource content. For example, the Docker digest.
        "type": "A String", # Required. The type of hash that was performed.
        "value": "A String", # Required. The hash value.
      },
      "name": "A String", # Deprecated, do not use. Use uri instead.
          #
          # The name of the resource. For example, the name of a Docker image -
          # "Debian".
      "uri": "A String", # Required. The unique URI of the resource. For example,
          # `https://gcr.io/project/image@sha256:foo` for a Docker image.
    },
    "name": "A String", # Output only. The name of the occurrence in the form of
        # `projects/[PROJECT_ID]/occurrences/[OCCURRENCE_ID]`.
    "vulnerability": { # Details of a vulnerability Occurrence. # Describes a security vulnerability.
      "cvssScore": 3.14, # Output only. The CVSS score of this vulnerability. CVSS score is on a
          # scale of 0-10 where 0 indicates low severity and 10 indicates high
          # severity.
      "severity": "A String", # Output only. The note provider assigned Severity of the vulnerability.
      "type": "A String", # The type of package; whether native or non native(ruby gems, node.js
          # packages etc)
      "effectiveSeverity": "A String", # The distro assigned severity for this vulnerability when it is
          # available, and note provider assigned severity when distro has not yet
          # assigned a severity for this vulnerability.
      "relatedUrls": [ # Output only. URLs related to this vulnerability.
        { # Metadata for any related URL information.
          "url": "A String", # Specific URL associated with the resource.
          "label": "A String", # Label to describe usage of the URL.
        },
      ],
      "packageIssue": [ # Required. The set of affected locations and their fixes (if available)
          # within the associated resource.
        { # This message wraps a location affected by a vulnerability and its
            # associated fix (if one is available).
          "severityName": "A String", # Deprecated, use Details.effective_severity instead
              # The severity (e.g., distro assigned severity) for this vulnerability.
          "affectedLocation": { # The location of the vulnerability. # Required. The location of the vulnerability.
            "cpeUri": "A String", # Required. The CPE URI in [cpe format](https://cpe.mitre.org/specification/)
                # format. Examples include distro or storage location for vulnerable jar.
            "version": { # Version contains structured information about the version of a package. # Required. The version of the package being described.
              "epoch": 42, # Used to correct mistakes in the version numbering scheme.
              "kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal
                  # versions.
              "name": "A String", # Required only when version kind is NORMAL. The main part of the version
                  # name.
              "revision": "A String", # The iteration of the package build from the above version.
            },
            "package": "A String", # Required. The package being described.
          },
          "fixedLocation": { # The location of the vulnerability. # The location of the available fix for vulnerability.
            "cpeUri": "A String", # Required. The CPE URI in [cpe format](https://cpe.mitre.org/specification/)
                # format. Examples include distro or storage location for vulnerable jar.
            "version": { # Version contains structured information about the version of a package. # Required. The version of the package being described.
              "epoch": 42, # Used to correct mistakes in the version numbering scheme.
              "kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal
                  # versions.
              "name": "A String", # Required only when version kind is NORMAL. The main part of the version
                  # name.
              "revision": "A String", # The iteration of the package build from the above version.
            },
            "package": "A String", # Required. The package being described.
          },
        },
      ],
      "longDescription": "A String", # Output only. A detailed description of this vulnerability.
      "shortDescription": "A String", # Output only. A one sentence description of this vulnerability.
    },
    "kind": "A String", # Output only. This explicitly denotes which of the occurrence details are
        # specified. This field can be used as a filter in list requests.
    "discovered": { # Details of a discovery occurrence. # Describes when a resource was discovered.
      "discovered": { # Provides information about the analysis status of a discovered resource. # Required. Analysis status for the discovered resource.
        "lastAnalysisTime": "A String", # The last time continuous analysis was done for this resource.
            # Deprecated, do not use.
        "analysisStatus": "A String", # The status of discovery for the resource.
        "continuousAnalysis": "A String", # Whether the resource is continuously analyzed.
        "analysisStatusError": { # The `Status` type defines a logical error model that is suitable for # When an error is encountered this will contain a LocalizedMessage under
            # details to show to the user. The LocalizedMessage is output only and
            # populated by the API.
            # different programming environments, including REST APIs and RPC APIs. It is
            # used by [gRPC](https://github.com/grpc). Each `Status` message contains
            # three pieces of data: error code, error message, and error details.
            #
            # You can find out more about this error model and how to work with it in the
            # [API Design Guide](https://cloud.google.com/apis/design/errors).
          "message": "A String", # A developer-facing error message, which should be in English. Any
              # user-facing error message should be localized and sent in the
              # google.rpc.Status.details field, or localized by the client.
          "code": 42, # The status code, which should be an enum value of google.rpc.Code.
          "details": [ # A list of messages that carry the error details.  There is a common set of
              # message types for APIs to use.
            {
              "a_key": "", # Properties of the object. Contains field @type with type URL.
            },
          ],
        },
      },
    },
    "attestation": { # Details of an attestation occurrence. # Describes an attestation of an artifact.
      "attestation": { # Occurrence that represents a single "attestation". The authenticity of an # Required. Attestation for the resource.
          # attestation can be verified using the attached signature. If the verifier
          # trusts the public key of the signer, then verifying the signature is
          # sufficient to establish trust. In this circumstance, the authority to which
          # this attestation is attached is primarily useful for look-up (how to find
          # this attestation if you already know the authority and artifact to be
          # verified) and intent (which authority was this attestation intended to sign
          # for).
        "pgpSignedAttestation": { # An attestation wrapper with a PGP-compatible signature. This message only # A PGP signed attestation.
            # supports `ATTACHED` signatures, where the payload that is signed is included
            # alongside the signature itself in the same file.
          "pgpKeyId": "A String", # The cryptographic fingerprint of the key used to generate the signature,
              # as output by, e.g. `gpg --list-keys`. This should be the version 4, full
              # 160-bit fingerprint, expressed as a 40 character hexidecimal string. See
              # https://tools.ietf.org/html/rfc4880#section-12.2 for details.
              # Implementations may choose to acknowledge "LONG", "SHORT", or other
              # abbreviated key IDs, but only the full fingerprint is guaranteed to work.
              # In gpg, the full fingerprint can be retrieved from the `fpr` field
              # returned when calling --list-keys with --with-colons.  For example:
              # ```
              # gpg --with-colons --with-fingerprint --force-v4-certs \
              #     --list-keys attester@example.com
              # tru::1:1513631572:0:3:1:5
              # pub:...<SNIP>...
              # fpr:::::::::24FF6481B76AC91E66A00AC657A93A81EF3AE6FB:
              # ```
              # Above, the fingerprint is `24FF6481B76AC91E66A00AC657A93A81EF3AE6FB`.
          "contentType": "A String", # Type (for example schema) of the attestation payload that was signed.
              # The verifier must ensure that the provided type is one that the verifier
              # supports, and that the attestation payload is a valid instantiation of that
              # type (for example by validating a JSON schema).
          "signature": "A String", # Required. The raw content of the signature, as output by GNU Privacy Guard
              # (GPG) or equivalent. Since this message only supports attached signatures,
              # the payload that was signed must be attached. While the signature format
              # supported is dependent on the verification implementation, currently only
              # ASCII-armored (`--armor` to gpg), non-clearsigned (`--sign` rather than
              # `--clearsign` to gpg) are supported. Concretely, `gpg --sign --armor
              # --output=signature.gpg payload.json` will create the signature content
              # expected in this field in `signature.gpg` for the `payload.json`
              # attestation payload.
        },
        "genericSignedAttestation": { # An attestation wrapper that uses the Grafeas `Signature` message.
            # This attestation must define the `serialized_payload` that the `signatures`
            # verify and any metadata necessary to interpret that plaintext.  The
            # signatures should always be over the `serialized_payload` bytestring.
          "signatures": [ # One or more signatures over `serialized_payload`.  Verifier implementations
              # should consider this attestation message verified if at least one
              # `signature` verifies `serialized_payload`.  See `Signature` in common.proto
              # for more details on signature structure and verification.
            { # Verifiers (e.g. Kritis implementations) MUST verify signatures
                # with respect to the trust anchors defined in policy (e.g. a Kritis policy).
                # Typically this means that the verifier has been configured with a map from
                # `public_key_id` to public key material (and any required parameters, e.g.
                # signing algorithm).
                #
                # In particular, verification implementations MUST NOT treat the signature
                # `public_key_id` as anything more than a key lookup hint. The `public_key_id`
                # DOES NOT validate or authenticate a public key; it only provides a mechanism
                # for quickly selecting a public key ALREADY CONFIGURED on the verifier through
                # a trusted channel. Verification implementations MUST reject signatures in any
                # of the following circumstances:
                #   * The `public_key_id` is not recognized by the verifier.
                #   * The public key that `public_key_id` refers to does not verify the
                #     signature with respect to the payload.
                #
                # The `signature` contents SHOULD NOT be "attached" (where the payload is
                # included with the serialized `signature` bytes). Verifiers MUST ignore any
                # "attached" payload and only verify signatures with respect to explicitly
                # provided payload (e.g. a `payload` field on the proto message that holds
                # this Signature, or the canonical serialization of the proto message that
                # holds this signature).
              "publicKeyId": "A String", # The identifier for the public key that verifies this signature.
                  #   * The `public_key_id` is required.
                  #   * The `public_key_id` MUST be an RFC3986 conformant URI.
                  #   * When possible, the `public_key_id` SHOULD be an immutable reference,
                  #     such as a cryptographic digest.
                  #
                  # Examples of valid `public_key_id`s:
                  #
                  # OpenPGP V4 public key fingerprint:
                  #   * "openpgp4fpr:74FAF3B861BDA0870C7B6DEF607E48D2A663AEEA"
                  # See https://www.iana.org/assignments/uri-schemes/prov/openpgp4fpr for more
                  # details on this scheme.
                  #
                  # RFC6920 digest-named SubjectPublicKeyInfo (digest of the DER
                  # serialization):
                  #   * "ni:///sha-256;cD9o9Cq6LG3jD0iKXqEi_vdjJGecm_iXkbqVoScViaU"
                  #   * "nih:///sha-256;703f68f42aba2c6de30f488a5ea122fef76324679c9bf89791ba95a1271589a5"
              "signature": "A String", # The content of the signature, an opaque bytestring.
                  # The payload that this signature verifies MUST be unambiguously provided
                  # with the Signature during verification. A wrapper message might provide
                  # the payload explicitly. Alternatively, a message might have a canonical
                  # serialization that can always be unambiguously computed to derive the
                  # payload.
            },
          ],
          "contentType": "A String", # Type (for example schema) of the attestation payload that was signed.
              # The verifier must ensure that the provided type is one that the verifier
              # supports, and that the attestation payload is a valid instantiation of that
              # type (for example by validating a JSON schema).
          "serializedPayload": "A String", # The serialized payload that is verified by one or more `signatures`.
              # The encoding and semantic meaning of this payload must match what is set in
              # `content_type`.
        },
      },
    },
    "intoto": { # This corresponds to a signed in-toto link - it is made up of one or more # Describes a specific in-toto link.
        # signatures and the in-toto link itself. This is used for occurrences of a
        # Grafeas in-toto note.
      "signatures": [
        { # A signature object consists of the KeyID used and the signature itself.
          "keyid": "A String",
          "sig": "A String",
        },
      ],
      "signed": { # This corresponds to an in-toto link.
        "environment": { # Defines an object for the environment field in in-toto links. The suggested # This is a field that can be used to capture information about the
            # environment. It is suggested for this field to contain information that
            # details environment variables, filesystem information, and the present
            # working directory. The recommended structure of this field is:
            # "environment": {
            #   "custom_values": {
            #     "variables": "<ENV>",
            #     "filesystem": "<FS>",
            #     "workdir": "<CWD>",
            #     "<ANY OTHER RELEVANT FIELDS>": "..."
            #   }
            # }
            # fields are "variables", "filesystem", and "workdir".
          "customValues": {
            "a_key": "A String",
          },
        },
        "command": [ # This field contains the full command executed for the step. This can also
            # be empty if links are generated for operations that aren't directly mapped
            # to a specific command. Each term in the command is an independent string
            # in the list. An example of a command in the in-toto metadata field is:
            # "command": ["git", "clone", "https://github.com/in-toto/demo-project.git"]
          "A String",
        ],
        "materials": [ # Materials are the supply chain artifacts that go into the step and are used
            # for the operation performed. The key of the map is the path of the artifact
            # and the structure contains the recorded hash information. An example is:
            # "materials": [
            #   {
            #     "resource_uri": "foo/bar",
            #     "hashes": {
            #       "sha256": "ebebf...",
            #       <OTHER HASH ALGORITHMS>: <HASH VALUE>
            #     }
            #   }
            # ]
          {
            "resourceUri": "A String",
            "hashes": { # Defines a hash object for use in Materials and Products.
              "sha256": "A String",
            },
          },
        ],
        "products": [ # Products are the supply chain artifacts generated as a result of the step.
            # The structure is identical to that of materials.
          {
            "resourceUri": "A String",
            "hashes": { # Defines a hash object for use in Materials and Products.
              "sha256": "A String",
            },
          },
        ],
        "byproducts": { # Defines an object for the byproducts field in in-toto links. The suggested # ByProducts are data generated as part of a software supply chain step, but
            # are not the actual result of the step.
            # fields are "stderr", "stdout", and "return-value".
          "customValues": {
            "a_key": "A String",
          },
        },
      },
    },
    "build": { # Details of a build occurrence. # Describes a verifiable build.
      "provenance": { # Provenance of a build. Contains all information needed to verify the full # Required. The actual provenance for the build.
          # details about the build from source to completion.
        "commands": [ # Commands requested by the build.
          { # Command describes a step performed as part of the build pipeline.
            "waitFor": [ # The ID(s) of the command(s) that this command depends on.
              "A String",
            ],
            "name": "A String", # Required. Name of the command, as presented on the command line, or if the
                # command is packaged as a Docker container, as presented to `docker pull`.
            "args": [ # Command-line arguments used when executing this command.
              "A String",
            ],
            "env": [ # Environment variables set before running this command.
              "A String",
            ],
            "id": "A String", # Optional unique identifier for this command, used in wait_for to reference
                # this command as a dependency.
            "dir": "A String", # Working directory (relative to project source root) used when running this
                # command.
          },
        ],
        "sourceProvenance": { # Source describes the location of the source used for the build. # Details of the Source input to the build.
          "fileHashes": { # Hash(es) of the build source, which can be used to verify that the original
              # source integrity was maintained in the build.
              #
              # The keys to this map are file paths used as build source and the values
              # contain the hash values for those files.
              #
              # If the build source came in a single package such as a gzipped tarfile
              # (.tar.gz), the FileHash will be for the single path to that file.
            "a_key": { # Container message for hashes of byte content of files, used in source
                # messages to verify integrity of source input to the build.
              "fileHash": [ # Required. Collection of file hashes.
                { # Container message for hash values.
                  "type": "A String", # Required. The type of hash that was performed.
                  "value": "A String", # Required. The hash value.
                },
              ],
            },
          },
          "artifactStorageSourceUri": "A String", # If provided, the input binary artifacts for the build came from this
              # location.
          "additionalContexts": [ # If provided, some of the source code used for the build may be found in
              # these locations, in the case where the source repository had multiple
              # remotes or submodules. This list will not include the context specified in
              # the context field.
            { # A SourceContext is a reference to a tree of files. A SourceContext together
                # with a path point to a unique revision of a single file or directory.
              "git": { # A GitSourceContext denotes a particular revision in a third party Git # A SourceContext referring to any third party Git repo (e.g., GitHub).
                  # repository (e.g., GitHub).
                "url": "A String", # Git repository URL.
                "revisionId": "A String", # Git commit hash.
              },
              "cloudRepo": { # A CloudRepoSourceContext denotes a particular revision in a Google Cloud # A SourceContext referring to a revision in a Google Cloud Source Repo.
                  # Source Repo.
                "aliasContext": { # An alias to a repo revision. # An alias, which may be a branch or tag.
                  "kind": "A String", # The alias kind.
                  "name": "A String", # The alias name.
                },
                "revisionId": "A String", # A revision ID.
                "repoId": { # A unique identifier for a Cloud Repo. # The ID of the repo.
                  "uid": "A String", # A server-assigned, globally unique identifier.
                  "projectRepoId": { # Selects a repo using a Google Cloud Platform project ID (e.g., # A combination of a project ID and a repo name.
                      # winged-cargo-31) and a repo name within that project.
                    "projectId": "A String", # The ID of the project.
                    "repoName": "A String", # The name of the repo. Leave empty for the default repo.
                  },
                },
              },
              "labels": { # Labels with user defined metadata.
                "a_key": "A String",
              },
              "gerrit": { # A SourceContext referring to a Gerrit project. # A SourceContext referring to a Gerrit project.
                "aliasContext": { # An alias to a repo revision. # An alias, which may be a branch or tag.
                  "kind": "A String", # The alias kind.
                  "name": "A String", # The alias name.
                },
                "revisionId": "A String", # A revision (commit) ID.
                "gerritProject": "A String", # The full project name within the host. Projects may be nested, so
                    # "project/subproject" is a valid project name. The "repo name" is the
                    # hostURI/project.
                "hostUri": "A String", # The URI of a running Gerrit instance.
              },
            },
          ],
          "context": { # A SourceContext is a reference to a tree of files. A SourceContext together # If provided, the source code used for the build came from this location.
              # with a path point to a unique revision of a single file or directory.
            "git": { # A GitSourceContext denotes a particular revision in a third party Git # A SourceContext referring to any third party Git repo (e.g., GitHub).
                # repository (e.g., GitHub).
              "url": "A String", # Git repository URL.
              "revisionId": "A String", # Git commit hash.
            },
            "cloudRepo": { # A CloudRepoSourceContext denotes a particular revision in a Google Cloud # A SourceContext referring to a revision in a Google Cloud Source Repo.
                # Source Repo.
              "aliasContext": { # An alias to a repo revision. # An alias, which may be a branch or tag.
                "kind": "A String", # The alias kind.
                "name": "A String", # The alias name.
              },
              "revisionId": "A String", # A revision ID.
              "repoId": { # A unique identifier for a Cloud Repo. # The ID of the repo.
                "uid": "A String", # A server-assigned, globally unique identifier.
                "projectRepoId": { # Selects a repo using a Google Cloud Platform project ID (e.g., # A combination of a project ID and a repo name.
                    # winged-cargo-31) and a repo name within that project.
                  "projectId": "A String", # The ID of the project.
                  "repoName": "A String", # The name of the repo. Leave empty for the default repo.
                },
              },
            },
            "labels": { # Labels with user defined metadata.
              "a_key": "A String",
            },
            "gerrit": { # A SourceContext referring to a Gerrit project. # A SourceContext referring to a Gerrit project.
              "aliasContext": { # An alias to a repo revision. # An alias, which may be a branch or tag.
                "kind": "A String", # The alias kind.
                "name": "A String", # The alias name.
              },
              "revisionId": "A String", # A revision (commit) ID.
              "gerritProject": "A String", # The full project name within the host. Projects may be nested, so
                  # "project/subproject" is a valid project name. The "repo name" is the
                  # hostURI/project.
              "hostUri": "A String", # The URI of a running Gerrit instance.
            },
          },
        },
        "buildOptions": { # Special options applied to this build. This is a catch-all field where
            # build providers can enter any desired additional details.
          "a_key": "A String",
        },
        "creator": "A String", # E-mail address of the user who initiated this build. Note that this was the
            # user's e-mail address at the time the build was initiated; this address may
            # not represent the same end-user for all time.
        "projectId": "A String", # ID of the project.
        "builderVersion": "A String", # Version string of the builder at the time this build was executed.
        "createTime": "A String", # Time at which the build was created.
        "builtArtifacts": [ # Output of the build.
          { # Artifact describes a build product.
            "checksum": "A String", # Hash or checksum value of a binary, or Docker Registry 2.0 digest of a
                # container.
            "id": "A String", # Artifact ID, if any; for container images, this will be a URL by digest
                # like `gcr.io/projectID/imagename@sha256:123456`.
            "names": [ # Related artifact names. This may be the path to a binary or jar file, or in
                # the case of a container build, the name used to push the container image to
                # Google Container Registry, as presented to `docker push`. Note that a
                # single Artifact ID can have multiple names, for example if two tags are
                # applied to one image.
              "A String",
            ],
          },
        ],
        "triggerId": "A String", # Trigger identifier if the build was triggered automatically; empty if not.
        "startTime": "A String", # Time at which execution of the build was started.
        "endTime": "A String", # Time at which execution of the build was finished.
        "id": "A String", # Required. Unique identifier of the build.
        "logsUri": "A String", # URI where any logs for this provenance were written.
      },
      "provenanceBytes": "A String", # Serialized JSON representation of the provenance, used in generating the
          # build signature in the corresponding build note. After verifying the
          # signature, `provenance_bytes` can be unmarshalled and compared to the
          # provenance to confirm that it is unchanged. A base64-encoded string
          # representation of the provenance bytes is used for the signature in order
          # to interoperate with openssl which expects this format for signature
          # verification.
          #
          # The serialized form is captured both to avoid ambiguity in how the
          # provenance is marshalled to json as well to prevent incompatibilities with
          # future changes.
    },
    "deployment": { # Details of a deployment occurrence. # Describes the deployment of an artifact on a runtime.
      "deployment": { # The period during which some deployable was active in a runtime. # Required. Deployment history for the resource.
        "resourceUri": [ # Output only. Resource URI for the artifact being deployed taken from
            # the deployable field with the same name.
          "A String",
        ],
        "userEmail": "A String", # Identity of the user that triggered this deployment.
        "address": "A String", # Address of the runtime element hosting this deployment.
        "platform": "A String", # Platform hosting this deployment.
        "deployTime": "A String", # Required. Beginning of the lifetime of this deployment.
        "undeployTime": "A String", # End of the lifetime of this deployment.
        "config": "A String", # Configuration used to create this deployment.
      },
    },
    "remediation": "A String", # A description of actions that can be taken to remedy the note.
    "installation": { # Details of a package occurrence. # Describes the installation of a package on the linked resource.
      "installation": { # This represents how a particular software package may be installed on a # Required. Where the package was installed.
          # system.
        "name": "A String", # Output only. The name of the installed package.
        "location": [ # Required. All of the places within the filesystem versions of this package
            # have been found.
          { # An occurrence of a particular package installation found within a system's
              # filesystem. E.g., glibc was found in `/var/lib/dpkg/status`.
            "path": "A String", # The path from which we gathered that this package/version is installed.
            "cpeUri": "A String", # Required. The CPE URI in [CPE format](https://cpe.mitre.org/specification/)
                # denoting the package manager version distributing a package.
            "version": { # Version contains structured information about the version of a package. # The version installed at this location.
              "epoch": 42, # Used to correct mistakes in the version numbering scheme.
              "kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal
                  # versions.
              "name": "A String", # Required only when version kind is NORMAL. The main part of the version
                  # name.
              "revision": "A String", # The iteration of the package build from the above version.
            },
          },
        ],
      },
    },
    "createTime": "A String", # Output only. The time this occurrence was created.
    "derivedImage": { # Details of an image occurrence. # Describes how this resource derives from the basis in the associated
        # note.
      "derivedImage": { # Derived describes the derived image portion (Occurrence) of the DockerImage # Required. Immutable. The child image derived from the base image.
          # relationship. This image would be produced from a Dockerfile with FROM
          # <DockerImage.Basis in attached Note>.
        "distance": 42, # Output only. The number of layers by which this image differs from the
            # associated image basis.
        "baseResourceUrl": "A String", # Output only. This contains the base image URL for the derived image
            # occurrence.
        "layerInfo": [ # This contains layer-specific metadata, if populated it has length
            # "distance" and is ordered with [distance] being the layer immediately
            # following the base image and [1] being the final layer.
          { # Layer holds metadata specific to a layer of a Docker image.
            "arguments": "A String", # The recovered arguments to the Dockerfile directive.
            "directive": "A String", # Required. The recovered Dockerfile directive used to construct this layer.
          },
        ],
        "fingerprint": { # A set of properties that uniquely identify a given Docker image. # Required. The fingerprint of the derived image.
          "v1Name": "A String", # Required. The layer ID of the final layer in the Docker image's v1
              # representation.
          "v2Blob": [ # Required. The ordered list of v2 blobs that represent a given image.
            "A String",
          ],
          "v2Name": "A String", # Output only. The name of the image's v2 blobs computed via:
              #   [bottom] := v2_blobbottom := sha256(v2_blob[N] + " " + v2_name[N+1])
              # Only the name of the final blob is kept.
        },
      },
    },
    "noteName": "A String", # Required. Immutable. The analysis note associated with this occurrence, in
        # the form of `projects/[PROVIDER_ID]/notes/[NOTE_ID]`. This field can be
        # used as a filter in list requests.
  }
delete(name, x__xgafv=None)
Deletes the specified occurrence. For example, use this method to delete an
occurrence when the occurrence is no longer applicable for the given
resource.

Args:
  name: string, Required. The name of the occurrence in the form of
`projects/[PROJECT_ID]/occurrences/[OCCURRENCE_ID]`. (required)
  x__xgafv: string, V1 error format.
    Allowed values
      1 - v1 error format
      2 - v2 error format

Returns:
  An object of the form:

    { # A generic empty message that you can re-use to avoid defining duplicated
      # empty messages in your APIs. A typical example is to use it as the request
      # or the response type of an API method. For instance:
      #
      #     service Foo {
      #       rpc Bar(google.protobuf.Empty) returns (google.protobuf.Empty);
      #     }
      #
      # The JSON representation for `Empty` is empty JSON object `{}`.
  }
get(name, x__xgafv=None)
Gets the specified occurrence.

Args:
  name: string, Required. The name of the occurrence in the form of
`projects/[PROJECT_ID]/occurrences/[OCCURRENCE_ID]`. (required)
  x__xgafv: string, V1 error format.
    Allowed values
      1 - v1 error format
      2 - v2 error format

Returns:
  An object of the form:

    { # An instance of an analysis type that has been found on a resource.
    "updateTime": "A String", # Output only. The time this occurrence was last updated.
    "resource": { # An entity that can have metadata. For example, a Docker image. # Required. Immutable. The resource for which the occurrence applies.
      "contentHash": { # Container message for hash values. # Deprecated, do not use. Use uri instead.
          #
          # The hash of the resource content. For example, the Docker digest.
        "type": "A String", # Required. The type of hash that was performed.
        "value": "A String", # Required. The hash value.
      },
      "name": "A String", # Deprecated, do not use. Use uri instead.
          #
          # The name of the resource. For example, the name of a Docker image -
          # "Debian".
      "uri": "A String", # Required. The unique URI of the resource. For example,
          # `https://gcr.io/project/image@sha256:foo` for a Docker image.
    },
    "name": "A String", # Output only. The name of the occurrence in the form of
        # `projects/[PROJECT_ID]/occurrences/[OCCURRENCE_ID]`.
    "vulnerability": { # Details of a vulnerability Occurrence. # Describes a security vulnerability.
      "cvssScore": 3.14, # Output only. The CVSS score of this vulnerability. CVSS score is on a
          # scale of 0-10 where 0 indicates low severity and 10 indicates high
          # severity.
      "severity": "A String", # Output only. The note provider assigned Severity of the vulnerability.
      "type": "A String", # The type of package; whether native or non native(ruby gems, node.js
          # packages etc)
      "effectiveSeverity": "A String", # The distro assigned severity for this vulnerability when it is
          # available, and note provider assigned severity when distro has not yet
          # assigned a severity for this vulnerability.
      "relatedUrls": [ # Output only. URLs related to this vulnerability.
        { # Metadata for any related URL information.
          "url": "A String", # Specific URL associated with the resource.
          "label": "A String", # Label to describe usage of the URL.
        },
      ],
      "packageIssue": [ # Required. The set of affected locations and their fixes (if available)
          # within the associated resource.
        { # This message wraps a location affected by a vulnerability and its
            # associated fix (if one is available).
          "severityName": "A String", # Deprecated, use Details.effective_severity instead
              # The severity (e.g., distro assigned severity) for this vulnerability.
          "affectedLocation": { # The location of the vulnerability. # Required. The location of the vulnerability.
            "cpeUri": "A String", # Required. The CPE URI in [cpe format](https://cpe.mitre.org/specification/)
                # format. Examples include distro or storage location for vulnerable jar.
            "version": { # Version contains structured information about the version of a package. # Required. The version of the package being described.
              "epoch": 42, # Used to correct mistakes in the version numbering scheme.
              "kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal
                  # versions.
              "name": "A String", # Required only when version kind is NORMAL. The main part of the version
                  # name.
              "revision": "A String", # The iteration of the package build from the above version.
            },
            "package": "A String", # Required. The package being described.
          },
          "fixedLocation": { # The location of the vulnerability. # The location of the available fix for vulnerability.
            "cpeUri": "A String", # Required. The CPE URI in [cpe format](https://cpe.mitre.org/specification/)
                # format. Examples include distro or storage location for vulnerable jar.
            "version": { # Version contains structured information about the version of a package. # Required. The version of the package being described.
              "epoch": 42, # Used to correct mistakes in the version numbering scheme.
              "kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal
                  # versions.
              "name": "A String", # Required only when version kind is NORMAL. The main part of the version
                  # name.
              "revision": "A String", # The iteration of the package build from the above version.
            },
            "package": "A String", # Required. The package being described.
          },
        },
      ],
      "longDescription": "A String", # Output only. A detailed description of this vulnerability.
      "shortDescription": "A String", # Output only. A one sentence description of this vulnerability.
    },
    "kind": "A String", # Output only. This explicitly denotes which of the occurrence details are
        # specified. This field can be used as a filter in list requests.
    "discovered": { # Details of a discovery occurrence. # Describes when a resource was discovered.
      "discovered": { # Provides information about the analysis status of a discovered resource. # Required. Analysis status for the discovered resource.
        "lastAnalysisTime": "A String", # The last time continuous analysis was done for this resource.
            # Deprecated, do not use.
        "analysisStatus": "A String", # The status of discovery for the resource.
        "continuousAnalysis": "A String", # Whether the resource is continuously analyzed.
        "analysisStatusError": { # The `Status` type defines a logical error model that is suitable for # When an error is encountered this will contain a LocalizedMessage under
            # details to show to the user. The LocalizedMessage is output only and
            # populated by the API.
            # different programming environments, including REST APIs and RPC APIs. It is
            # used by [gRPC](https://github.com/grpc). Each `Status` message contains
            # three pieces of data: error code, error message, and error details.
            #
            # You can find out more about this error model and how to work with it in the
            # [API Design Guide](https://cloud.google.com/apis/design/errors).
          "message": "A String", # A developer-facing error message, which should be in English. Any
              # user-facing error message should be localized and sent in the
              # google.rpc.Status.details field, or localized by the client.
          "code": 42, # The status code, which should be an enum value of google.rpc.Code.
          "details": [ # A list of messages that carry the error details.  There is a common set of
              # message types for APIs to use.
            {
              "a_key": "", # Properties of the object. Contains field @type with type URL.
            },
          ],
        },
      },
    },
    "attestation": { # Details of an attestation occurrence. # Describes an attestation of an artifact.
      "attestation": { # Occurrence that represents a single "attestation". The authenticity of an # Required. Attestation for the resource.
          # attestation can be verified using the attached signature. If the verifier
          # trusts the public key of the signer, then verifying the signature is
          # sufficient to establish trust. In this circumstance, the authority to which
          # this attestation is attached is primarily useful for look-up (how to find
          # this attestation if you already know the authority and artifact to be
          # verified) and intent (which authority was this attestation intended to sign
          # for).
        "pgpSignedAttestation": { # An attestation wrapper with a PGP-compatible signature. This message only # A PGP signed attestation.
            # supports `ATTACHED` signatures, where the payload that is signed is included
            # alongside the signature itself in the same file.
          "pgpKeyId": "A String", # The cryptographic fingerprint of the key used to generate the signature,
              # as output by, e.g. `gpg --list-keys`. This should be the version 4, full
              # 160-bit fingerprint, expressed as a 40 character hexidecimal string. See
              # https://tools.ietf.org/html/rfc4880#section-12.2 for details.
              # Implementations may choose to acknowledge "LONG", "SHORT", or other
              # abbreviated key IDs, but only the full fingerprint is guaranteed to work.
              # In gpg, the full fingerprint can be retrieved from the `fpr` field
              # returned when calling --list-keys with --with-colons.  For example:
              # ```
              # gpg --with-colons --with-fingerprint --force-v4-certs \
              #     --list-keys attester@example.com
              # tru::1:1513631572:0:3:1:5
              # pub:...<SNIP>...
              # fpr:::::::::24FF6481B76AC91E66A00AC657A93A81EF3AE6FB:
              # ```
              # Above, the fingerprint is `24FF6481B76AC91E66A00AC657A93A81EF3AE6FB`.
          "contentType": "A String", # Type (for example schema) of the attestation payload that was signed.
              # The verifier must ensure that the provided type is one that the verifier
              # supports, and that the attestation payload is a valid instantiation of that
              # type (for example by validating a JSON schema).
          "signature": "A String", # Required. The raw content of the signature, as output by GNU Privacy Guard
              # (GPG) or equivalent. Since this message only supports attached signatures,
              # the payload that was signed must be attached. While the signature format
              # supported is dependent on the verification implementation, currently only
              # ASCII-armored (`--armor` to gpg), non-clearsigned (`--sign` rather than
              # `--clearsign` to gpg) are supported. Concretely, `gpg --sign --armor
              # --output=signature.gpg payload.json` will create the signature content
              # expected in this field in `signature.gpg` for the `payload.json`
              # attestation payload.
        },
        "genericSignedAttestation": { # An attestation wrapper that uses the Grafeas `Signature` message.
            # This attestation must define the `serialized_payload` that the `signatures`
            # verify and any metadata necessary to interpret that plaintext.  The
            # signatures should always be over the `serialized_payload` bytestring.
          "signatures": [ # One or more signatures over `serialized_payload`.  Verifier implementations
              # should consider this attestation message verified if at least one
              # `signature` verifies `serialized_payload`.  See `Signature` in common.proto
              # for more details on signature structure and verification.
            { # Verifiers (e.g. Kritis implementations) MUST verify signatures
                # with respect to the trust anchors defined in policy (e.g. a Kritis policy).
                # Typically this means that the verifier has been configured with a map from
                # `public_key_id` to public key material (and any required parameters, e.g.
                # signing algorithm).
                #
                # In particular, verification implementations MUST NOT treat the signature
                # `public_key_id` as anything more than a key lookup hint. The `public_key_id`
                # DOES NOT validate or authenticate a public key; it only provides a mechanism
                # for quickly selecting a public key ALREADY CONFIGURED on the verifier through
                # a trusted channel. Verification implementations MUST reject signatures in any
                # of the following circumstances:
                #   * The `public_key_id` is not recognized by the verifier.
                #   * The public key that `public_key_id` refers to does not verify the
                #     signature with respect to the payload.
                #
                # The `signature` contents SHOULD NOT be "attached" (where the payload is
                # included with the serialized `signature` bytes). Verifiers MUST ignore any
                # "attached" payload and only verify signatures with respect to explicitly
                # provided payload (e.g. a `payload` field on the proto message that holds
                # this Signature, or the canonical serialization of the proto message that
                # holds this signature).
              "publicKeyId": "A String", # The identifier for the public key that verifies this signature.
                  #   * The `public_key_id` is required.
                  #   * The `public_key_id` MUST be an RFC3986 conformant URI.
                  #   * When possible, the `public_key_id` SHOULD be an immutable reference,
                  #     such as a cryptographic digest.
                  #
                  # Examples of valid `public_key_id`s:
                  #
                  # OpenPGP V4 public key fingerprint:
                  #   * "openpgp4fpr:74FAF3B861BDA0870C7B6DEF607E48D2A663AEEA"
                  # See https://www.iana.org/assignments/uri-schemes/prov/openpgp4fpr for more
                  # details on this scheme.
                  #
                  # RFC6920 digest-named SubjectPublicKeyInfo (digest of the DER
                  # serialization):
                  #   * "ni:///sha-256;cD9o9Cq6LG3jD0iKXqEi_vdjJGecm_iXkbqVoScViaU"
                  #   * "nih:///sha-256;703f68f42aba2c6de30f488a5ea122fef76324679c9bf89791ba95a1271589a5"
              "signature": "A String", # The content of the signature, an opaque bytestring.
                  # The payload that this signature verifies MUST be unambiguously provided
                  # with the Signature during verification. A wrapper message might provide
                  # the payload explicitly. Alternatively, a message might have a canonical
                  # serialization that can always be unambiguously computed to derive the
                  # payload.
            },
          ],
          "contentType": "A String", # Type (for example schema) of the attestation payload that was signed.
              # The verifier must ensure that the provided type is one that the verifier
              # supports, and that the attestation payload is a valid instantiation of that
              # type (for example by validating a JSON schema).
          "serializedPayload": "A String", # The serialized payload that is verified by one or more `signatures`.
              # The encoding and semantic meaning of this payload must match what is set in
              # `content_type`.
        },
      },
    },
    "intoto": { # This corresponds to a signed in-toto link - it is made up of one or more # Describes a specific in-toto link.
        # signatures and the in-toto link itself. This is used for occurrences of a
        # Grafeas in-toto note.
      "signatures": [
        { # A signature object consists of the KeyID used and the signature itself.
          "keyid": "A String",
          "sig": "A String",
        },
      ],
      "signed": { # This corresponds to an in-toto link.
        "environment": { # Defines an object for the environment field in in-toto links. The suggested # This is a field that can be used to capture information about the
            # environment. It is suggested for this field to contain information that
            # details environment variables, filesystem information, and the present
            # working directory. The recommended structure of this field is:
            # "environment": {
            #   "custom_values": {
            #     "variables": "<ENV>",
            #     "filesystem": "<FS>",
            #     "workdir": "<CWD>",
            #     "<ANY OTHER RELEVANT FIELDS>": "..."
            #   }
            # }
            # fields are "variables", "filesystem", and "workdir".
          "customValues": {
            "a_key": "A String",
          },
        },
        "command": [ # This field contains the full command executed for the step. This can also
            # be empty if links are generated for operations that aren't directly mapped
            # to a specific command. Each term in the command is an independent string
            # in the list. An example of a command in the in-toto metadata field is:
            # "command": ["git", "clone", "https://github.com/in-toto/demo-project.git"]
          "A String",
        ],
        "materials": [ # Materials are the supply chain artifacts that go into the step and are used
            # for the operation performed. The key of the map is the path of the artifact
            # and the structure contains the recorded hash information. An example is:
            # "materials": [
            #   {
            #     "resource_uri": "foo/bar",
            #     "hashes": {
            #       "sha256": "ebebf...",
            #       <OTHER HASH ALGORITHMS>: <HASH VALUE>
            #     }
            #   }
            # ]
          {
            "resourceUri": "A String",
            "hashes": { # Defines a hash object for use in Materials and Products.
              "sha256": "A String",
            },
          },
        ],
        "products": [ # Products are the supply chain artifacts generated as a result of the step.
            # The structure is identical to that of materials.
          {
            "resourceUri": "A String",
            "hashes": { # Defines a hash object for use in Materials and Products.
              "sha256": "A String",
            },
          },
        ],
        "byproducts": { # Defines an object for the byproducts field in in-toto links. The suggested # ByProducts are data generated as part of a software supply chain step, but
            # are not the actual result of the step.
            # fields are "stderr", "stdout", and "return-value".
          "customValues": {
            "a_key": "A String",
          },
        },
      },
    },
    "build": { # Details of a build occurrence. # Describes a verifiable build.
      "provenance": { # Provenance of a build. Contains all information needed to verify the full # Required. The actual provenance for the build.
          # details about the build from source to completion.
        "commands": [ # Commands requested by the build.
          { # Command describes a step performed as part of the build pipeline.
            "waitFor": [ # The ID(s) of the command(s) that this command depends on.
              "A String",
            ],
            "name": "A String", # Required. Name of the command, as presented on the command line, or if the
                # command is packaged as a Docker container, as presented to `docker pull`.
            "args": [ # Command-line arguments used when executing this command.
              "A String",
            ],
            "env": [ # Environment variables set before running this command.
              "A String",
            ],
            "id": "A String", # Optional unique identifier for this command, used in wait_for to reference
                # this command as a dependency.
            "dir": "A String", # Working directory (relative to project source root) used when running this
                # command.
          },
        ],
        "sourceProvenance": { # Source describes the location of the source used for the build. # Details of the Source input to the build.
          "fileHashes": { # Hash(es) of the build source, which can be used to verify that the original
              # source integrity was maintained in the build.
              #
              # The keys to this map are file paths used as build source and the values
              # contain the hash values for those files.
              #
              # If the build source came in a single package such as a gzipped tarfile
              # (.tar.gz), the FileHash will be for the single path to that file.
            "a_key": { # Container message for hashes of byte content of files, used in source
                # messages to verify integrity of source input to the build.
              "fileHash": [ # Required. Collection of file hashes.
                { # Container message for hash values.
                  "type": "A String", # Required. The type of hash that was performed.
                  "value": "A String", # Required. The hash value.
                },
              ],
            },
          },
          "artifactStorageSourceUri": "A String", # If provided, the input binary artifacts for the build came from this
              # location.
          "additionalContexts": [ # If provided, some of the source code used for the build may be found in
              # these locations, in the case where the source repository had multiple
              # remotes or submodules. This list will not include the context specified in
              # the context field.
            { # A SourceContext is a reference to a tree of files. A SourceContext together
                # with a path point to a unique revision of a single file or directory.
              "git": { # A GitSourceContext denotes a particular revision in a third party Git # A SourceContext referring to any third party Git repo (e.g., GitHub).
                  # repository (e.g., GitHub).
                "url": "A String", # Git repository URL.
                "revisionId": "A String", # Git commit hash.
              },
              "cloudRepo": { # A CloudRepoSourceContext denotes a particular revision in a Google Cloud # A SourceContext referring to a revision in a Google Cloud Source Repo.
                  # Source Repo.
                "aliasContext": { # An alias to a repo revision. # An alias, which may be a branch or tag.
                  "kind": "A String", # The alias kind.
                  "name": "A String", # The alias name.
                },
                "revisionId": "A String", # A revision ID.
                "repoId": { # A unique identifier for a Cloud Repo. # The ID of the repo.
                  "uid": "A String", # A server-assigned, globally unique identifier.
                  "projectRepoId": { # Selects a repo using a Google Cloud Platform project ID (e.g., # A combination of a project ID and a repo name.
                      # winged-cargo-31) and a repo name within that project.
                    "projectId": "A String", # The ID of the project.
                    "repoName": "A String", # The name of the repo. Leave empty for the default repo.
                  },
                },
              },
              "labels": { # Labels with user defined metadata.
                "a_key": "A String",
              },
              "gerrit": { # A SourceContext referring to a Gerrit project. # A SourceContext referring to a Gerrit project.
                "aliasContext": { # An alias to a repo revision. # An alias, which may be a branch or tag.
                  "kind": "A String", # The alias kind.
                  "name": "A String", # The alias name.
                },
                "revisionId": "A String", # A revision (commit) ID.
                "gerritProject": "A String", # The full project name within the host. Projects may be nested, so
                    # "project/subproject" is a valid project name. The "repo name" is the
                    # hostURI/project.
                "hostUri": "A String", # The URI of a running Gerrit instance.
              },
            },
          ],
          "context": { # A SourceContext is a reference to a tree of files. A SourceContext together # If provided, the source code used for the build came from this location.
              # with a path point to a unique revision of a single file or directory.
            "git": { # A GitSourceContext denotes a particular revision in a third party Git # A SourceContext referring to any third party Git repo (e.g., GitHub).
                # repository (e.g., GitHub).
              "url": "A String", # Git repository URL.
              "revisionId": "A String", # Git commit hash.
            },
            "cloudRepo": { # A CloudRepoSourceContext denotes a particular revision in a Google Cloud # A SourceContext referring to a revision in a Google Cloud Source Repo.
                # Source Repo.
              "aliasContext": { # An alias to a repo revision. # An alias, which may be a branch or tag.
                "kind": "A String", # The alias kind.
                "name": "A String", # The alias name.
              },
              "revisionId": "A String", # A revision ID.
              "repoId": { # A unique identifier for a Cloud Repo. # The ID of the repo.
                "uid": "A String", # A server-assigned, globally unique identifier.
                "projectRepoId": { # Selects a repo using a Google Cloud Platform project ID (e.g., # A combination of a project ID and a repo name.
                    # winged-cargo-31) and a repo name within that project.
                  "projectId": "A String", # The ID of the project.
                  "repoName": "A String", # The name of the repo. Leave empty for the default repo.
                },
              },
            },
            "labels": { # Labels with user defined metadata.
              "a_key": "A String",
            },
            "gerrit": { # A SourceContext referring to a Gerrit project. # A SourceContext referring to a Gerrit project.
              "aliasContext": { # An alias to a repo revision. # An alias, which may be a branch or tag.
                "kind": "A String", # The alias kind.
                "name": "A String", # The alias name.
              },
              "revisionId": "A String", # A revision (commit) ID.
              "gerritProject": "A String", # The full project name within the host. Projects may be nested, so
                  # "project/subproject" is a valid project name. The "repo name" is the
                  # hostURI/project.
              "hostUri": "A String", # The URI of a running Gerrit instance.
            },
          },
        },
        "buildOptions": { # Special options applied to this build. This is a catch-all field where
            # build providers can enter any desired additional details.
          "a_key": "A String",
        },
        "creator": "A String", # E-mail address of the user who initiated this build. Note that this was the
            # user's e-mail address at the time the build was initiated; this address may
            # not represent the same end-user for all time.
        "projectId": "A String", # ID of the project.
        "builderVersion": "A String", # Version string of the builder at the time this build was executed.
        "createTime": "A String", # Time at which the build was created.
        "builtArtifacts": [ # Output of the build.
          { # Artifact describes a build product.
            "checksum": "A String", # Hash or checksum value of a binary, or Docker Registry 2.0 digest of a
                # container.
            "id": "A String", # Artifact ID, if any; for container images, this will be a URL by digest
                # like `gcr.io/projectID/imagename@sha256:123456`.
            "names": [ # Related artifact names. This may be the path to a binary or jar file, or in
                # the case of a container build, the name used to push the container image to
                # Google Container Registry, as presented to `docker push`. Note that a
                # single Artifact ID can have multiple names, for example if two tags are
                # applied to one image.
              "A String",
            ],
          },
        ],
        "triggerId": "A String", # Trigger identifier if the build was triggered automatically; empty if not.
        "startTime": "A String", # Time at which execution of the build was started.
        "endTime": "A String", # Time at which execution of the build was finished.
        "id": "A String", # Required. Unique identifier of the build.
        "logsUri": "A String", # URI where any logs for this provenance were written.
      },
      "provenanceBytes": "A String", # Serialized JSON representation of the provenance, used in generating the
          # build signature in the corresponding build note. After verifying the
          # signature, `provenance_bytes` can be unmarshalled and compared to the
          # provenance to confirm that it is unchanged. A base64-encoded string
          # representation of the provenance bytes is used for the signature in order
          # to interoperate with openssl which expects this format for signature
          # verification.
          #
          # The serialized form is captured both to avoid ambiguity in how the
          # provenance is marshalled to json as well to prevent incompatibilities with
          # future changes.
    },
    "deployment": { # Details of a deployment occurrence. # Describes the deployment of an artifact on a runtime.
      "deployment": { # The period during which some deployable was active in a runtime. # Required. Deployment history for the resource.
        "resourceUri": [ # Output only. Resource URI for the artifact being deployed taken from
            # the deployable field with the same name.
          "A String",
        ],
        "userEmail": "A String", # Identity of the user that triggered this deployment.
        "address": "A String", # Address of the runtime element hosting this deployment.
        "platform": "A String", # Platform hosting this deployment.
        "deployTime": "A String", # Required. Beginning of the lifetime of this deployment.
        "undeployTime": "A String", # End of the lifetime of this deployment.
        "config": "A String", # Configuration used to create this deployment.
      },
    },
    "remediation": "A String", # A description of actions that can be taken to remedy the note.
    "installation": { # Details of a package occurrence. # Describes the installation of a package on the linked resource.
      "installation": { # This represents how a particular software package may be installed on a # Required. Where the package was installed.
          # system.
        "name": "A String", # Output only. The name of the installed package.
        "location": [ # Required. All of the places within the filesystem versions of this package
            # have been found.
          { # An occurrence of a particular package installation found within a system's
              # filesystem. E.g., glibc was found in `/var/lib/dpkg/status`.
            "path": "A String", # The path from which we gathered that this package/version is installed.
            "cpeUri": "A String", # Required. The CPE URI in [CPE format](https://cpe.mitre.org/specification/)
                # denoting the package manager version distributing a package.
            "version": { # Version contains structured information about the version of a package. # The version installed at this location.
              "epoch": 42, # Used to correct mistakes in the version numbering scheme.
              "kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal
                  # versions.
              "name": "A String", # Required only when version kind is NORMAL. The main part of the version
                  # name.
              "revision": "A String", # The iteration of the package build from the above version.
            },
          },
        ],
      },
    },
    "createTime": "A String", # Output only. The time this occurrence was created.
    "derivedImage": { # Details of an image occurrence. # Describes how this resource derives from the basis in the associated
        # note.
      "derivedImage": { # Derived describes the derived image portion (Occurrence) of the DockerImage # Required. Immutable. The child image derived from the base image.
          # relationship. This image would be produced from a Dockerfile with FROM
          # <DockerImage.Basis in attached Note>.
        "distance": 42, # Output only. The number of layers by which this image differs from the
            # associated image basis.
        "baseResourceUrl": "A String", # Output only. This contains the base image URL for the derived image
            # occurrence.
        "layerInfo": [ # This contains layer-specific metadata, if populated it has length
            # "distance" and is ordered with [distance] being the layer immediately
            # following the base image and [1] being the final layer.
          { # Layer holds metadata specific to a layer of a Docker image.
            "arguments": "A String", # The recovered arguments to the Dockerfile directive.
            "directive": "A String", # Required. The recovered Dockerfile directive used to construct this layer.
          },
        ],
        "fingerprint": { # A set of properties that uniquely identify a given Docker image. # Required. The fingerprint of the derived image.
          "v1Name": "A String", # Required. The layer ID of the final layer in the Docker image's v1
              # representation.
          "v2Blob": [ # Required. The ordered list of v2 blobs that represent a given image.
            "A String",
          ],
          "v2Name": "A String", # Output only. The name of the image's v2 blobs computed via:
              #   [bottom] := v2_blobbottom := sha256(v2_blob[N] + " " + v2_name[N+1])
              # Only the name of the final blob is kept.
        },
      },
    },
    "noteName": "A String", # Required. Immutable. The analysis note associated with this occurrence, in
        # the form of `projects/[PROVIDER_ID]/notes/[NOTE_ID]`. This field can be
        # used as a filter in list requests.
  }
getIamPolicy(resource, body=None, x__xgafv=None)
Gets the access control policy for a note or an occurrence resource.
Requires `containeranalysis.notes.setIamPolicy` or
`containeranalysis.occurrences.setIamPolicy` permission if the resource is
a note or occurrence, respectively.

The resource takes the format `projects/[PROJECT_ID]/notes/[NOTE_ID]` for
notes and `projects/[PROJECT_ID]/occurrences/[OCCURRENCE_ID]` for
occurrences.

Args:
  resource: string, REQUIRED: The resource for which the policy is being requested.
See the operation documentation for the appropriate value for this field. (required)
  body: object, The request body.
    The object takes the form of:

{ # Request message for `GetIamPolicy` method.
    "options": { # Encapsulates settings provided to GetIamPolicy. # OPTIONAL: A `GetPolicyOptions` object for specifying options to
        # `GetIamPolicy`.
      "requestedPolicyVersion": 42, # Optional. The policy format version to be returned.
          #
          # Valid values are 0, 1, and 3. Requests specifying an invalid value will be
          # rejected.
          #
          # Requests for policies with any conditional bindings must specify version 3.
          # Policies without any conditional bindings may specify any valid value or
          # leave the field unset.
    },
  }

  x__xgafv: string, V1 error format.
    Allowed values
      1 - v1 error format
      2 - v2 error format

Returns:
  An object of the form:

    { # An Identity and Access Management (IAM) policy, which specifies access
      # controls for Google Cloud resources.
      #
      #
      # A `Policy` is a collection of `bindings`. A `binding` binds one or more
      # `members` to a single `role`. Members can be user accounts, service accounts,
      # Google groups, and domains (such as G Suite). A `role` is a named list of
      # permissions; each `role` can be an IAM predefined role or a user-created
      # custom role.
      #
      # Optionally, a `binding` can specify a `condition`, which is a logical
      # expression that allows access to a resource only if the expression evaluates
      # to `true`. A condition can add constraints based on attributes of the
      # request, the resource, or both.
      #
      # **JSON example:**
      #
      #     {
      #       "bindings": [
      #         {
      #           "role": "roles/resourcemanager.organizationAdmin",
      #           "members": [
      #             "user:mike@example.com",
      #             "group:admins@example.com",
      #             "domain:google.com",
      #             "serviceAccount:my-project-id@appspot.gserviceaccount.com"
      #           ]
      #         },
      #         {
      #           "role": "roles/resourcemanager.organizationViewer",
      #           "members": ["user:eve@example.com"],
      #           "condition": {
      #             "title": "expirable access",
      #             "description": "Does not grant access after Sep 2020",
      #             "expression": "request.time < timestamp('2020-10-01T00:00:00.000Z')",
      #           }
      #         }
      #       ],
      #       "etag": "BwWWja0YfJA=",
      #       "version": 3
      #     }
      #
      # **YAML example:**
      #
      #     bindings:
      #     - members:
      #       - user:mike@example.com
      #       - group:admins@example.com
      #       - domain:google.com
      #       - serviceAccount:my-project-id@appspot.gserviceaccount.com
      #       role: roles/resourcemanager.organizationAdmin
      #     - members:
      #       - user:eve@example.com
      #       role: roles/resourcemanager.organizationViewer
      #       condition:
      #         title: expirable access
      #         description: Does not grant access after Sep 2020
      #         expression: request.time < timestamp('2020-10-01T00:00:00.000Z')
      #     - etag: BwWWja0YfJA=
      #     - version: 3
      #
      # For a description of IAM and its features, see the
      # [IAM documentation](https://cloud.google.com/iam/docs/).
    "bindings": [ # Associates a list of `members` to a `role`. Optionally, may specify a
        # `condition` that determines how and when the `bindings` are applied. Each
        # of the `bindings` must contain at least one member.
      { # Associates `members` with a `role`.
        "role": "A String", # Role that is assigned to `members`.
            # For example, `roles/viewer`, `roles/editor`, or `roles/owner`.
        "condition": { # Represents a textual expression in the Common Expression Language (CEL) # The condition that is associated with this binding.
            # NOTE: An unsatisfied condition will not allow user access via current
            # binding. Different bindings, including their conditions, are examined
            # independently.
            # syntax. CEL is a C-like expression language. The syntax and semantics of CEL
            # are documented at https://github.com/google/cel-spec.
            #
            # Example (Comparison):
            #
            #     title: "Summary size limit"
            #     description: "Determines if a summary is less than 100 chars"
            #     expression: "document.summary.size() < 100"
            #
            # Example (Equality):
            #
            #     title: "Requestor is owner"
            #     description: "Determines if requestor is the document owner"
            #     expression: "document.owner == request.auth.claims.email"
            #
            # Example (Logic):
            #
            #     title: "Public documents"
            #     description: "Determine whether the document should be publicly visible"
            #     expression: "document.type != 'private' && document.type != 'internal'"
            #
            # Example (Data Manipulation):
            #
            #     title: "Notification string"
            #     description: "Create a notification string with a timestamp."
            #     expression: "'New message received at ' + string(document.create_time)"
            #
            # The exact variables and functions that may be referenced within an expression
            # are determined by the service that evaluates it. See the service
            # documentation for additional information.
          "description": "A String", # Optional. Description of the expression. This is a longer text which
              # describes the expression, e.g. when hovered over it in a UI.
          "expression": "A String", # Textual representation of an expression in Common Expression Language
              # syntax.
          "location": "A String", # Optional. String indicating the location of the expression for error
              # reporting, e.g. a file name and a position in the file.
          "title": "A String", # Optional. Title for the expression, i.e. a short string describing
              # its purpose. This can be used e.g. in UIs which allow to enter the
              # expression.
        },
        "members": [ # Specifies the identities requesting access for a Cloud Platform resource.
            # `members` can have the following values:
            #
            # * `allUsers`: A special identifier that represents anyone who is
            #    on the internet; with or without a Google account.
            #
            # * `allAuthenticatedUsers`: A special identifier that represents anyone
            #    who is authenticated with a Google account or a service account.
            #
            # * `user:{emailid}`: An email address that represents a specific Google
            #    account. For example, `alice@example.com` .
            #
            #
            # * `serviceAccount:{emailid}`: An email address that represents a service
            #    account. For example, `my-other-app@appspot.gserviceaccount.com`.
            #
            # * `group:{emailid}`: An email address that represents a Google group.
            #    For example, `admins@example.com`.
            #
            # * `deleted:user:{emailid}?uid={uniqueid}`: An email address (plus unique
            #    identifier) representing a user that has been recently deleted. For
            #    example, `alice@example.com?uid=123456789012345678901`. If the user is
            #    recovered, this value reverts to `user:{emailid}` and the recovered user
            #    retains the role in the binding.
            #
            # * `deleted:serviceAccount:{emailid}?uid={uniqueid}`: An email address (plus
            #    unique identifier) representing a service account that has been recently
            #    deleted. For example,
            #    `my-other-app@appspot.gserviceaccount.com?uid=123456789012345678901`.
            #    If the service account is undeleted, this value reverts to
            #    `serviceAccount:{emailid}` and the undeleted service account retains the
            #    role in the binding.
            #
            # * `deleted:group:{emailid}?uid={uniqueid}`: An email address (plus unique
            #    identifier) representing a Google group that has been recently
            #    deleted. For example, `admins@example.com?uid=123456789012345678901`. If
            #    the group is recovered, this value reverts to `group:{emailid}` and the
            #    recovered group retains the role in the binding.
            #
            #
            # * `domain:{domain}`: The G Suite domain (primary) that represents all the
            #    users of that domain. For example, `google.com` or `example.com`.
            #
          "A String",
        ],
      },
    ],
    "etag": "A String", # `etag` is used for optimistic concurrency control as a way to help
        # prevent simultaneous updates of a policy from overwriting each other.
        # It is strongly suggested that systems make use of the `etag` in the
        # read-modify-write cycle to perform policy updates in order to avoid race
        # conditions: An `etag` is returned in the response to `getIamPolicy`, and
        # systems are expected to put that etag in the request to `setIamPolicy` to
        # ensure that their change will be applied to the same version of the policy.
        #
        # **Important:** If you use IAM Conditions, you must include the `etag` field
        # whenever you call `setIamPolicy`. If you omit this field, then IAM allows
        # you to overwrite a version `3` policy with a version `1` policy, and all of
        # the conditions in the version `3` policy are lost.
    "version": 42, # Specifies the format of the policy.
        #
        # Valid values are `0`, `1`, and `3`. Requests that specify an invalid value
        # are rejected.
        #
        # Any operation that affects conditional role bindings must specify version
        # `3`. This requirement applies to the following operations:
        #
        # * Getting a policy that includes a conditional role binding
        # * Adding a conditional role binding to a policy
        # * Changing a conditional role binding in a policy
        # * Removing any role binding, with or without a condition, from a policy
        #   that includes conditions
        #
        # **Important:** If you use IAM Conditions, you must include the `etag` field
        # whenever you call `setIamPolicy`. If you omit this field, then IAM allows
        # you to overwrite a version `3` policy with a version `1` policy, and all of
        # the conditions in the version `3` policy are lost.
        #
        # If a policy does not include any conditions, operations on that policy may
        # specify any valid version or leave the field unset.
  }
getNotes(name, x__xgafv=None)
Gets the note attached to the specified occurrence. Consumer projects can
use this method to get a note that belongs to a provider project.

Args:
  name: string, Required. The name of the occurrence in the form of
`projects/[PROJECT_ID]/occurrences/[OCCURRENCE_ID]`. (required)
  x__xgafv: string, V1 error format.
    Allowed values
      1 - v1 error format
      2 - v2 error format

Returns:
  An object of the form:

    { # A type of analysis that can be done for a resource.
    "updateTime": "A String", # Output only. The time this note was last updated. This field can be used as
        # a filter in list requests.
    "relatedNoteNames": [ # Other notes related to this note.
      "A String",
    ],
    "name": "A String", # Output only. The name of the note in the form of
        # `projects/[PROVIDER_ID]/notes/[NOTE_ID]`.
    "package": { # This represents a particular package that is distributed over various # A note describing a package hosted by various package managers.
        # channels. E.g., glibc (aka libc6) is distributed by many, at various
        # versions.
      "distribution": [ # The various channels by which a package is distributed.
        { # This represents a particular channel of distribution for a given package.
            # E.g., Debian's jessie-backports dpkg mirror.
          "cpeUri": "A String", # Required. The cpe_uri in [CPE format](https://cpe.mitre.org/specification/)
              # denoting the package manager version distributing a package.
          "maintainer": "A String", # A freeform string denoting the maintainer of this package.
          "description": "A String", # The distribution channel-specific description of this package.
          "url": "A String", # The distribution channel-specific homepage for this package.
          "architecture": "A String", # The CPU architecture for which packages in this distribution channel were
              # built.
          "latestVersion": { # Version contains structured information about the version of a package. # The latest available version of this package in this distribution channel.
            "epoch": 42, # Used to correct mistakes in the version numbering scheme.
            "kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal
                # versions.
            "name": "A String", # Required only when version kind is NORMAL. The main part of the version
                # name.
            "revision": "A String", # The iteration of the package build from the above version.
          },
        },
      ],
      "name": "A String", # Required. Immutable. The name of the package.
    },
    "vulnerability": { # Vulnerability provides metadata about a security vulnerability in a Note. # A note describing a package vulnerability.
      "windowsDetails": [ # Windows details get their own format because the information format and
          # model don't match a normal detail. Specifically Windows updates are done as
          # patches, thus Windows vulnerabilities really are a missing package, rather
          # than a package being at an incorrect version.
        {
          "cpeUri": "A String", # Required. The CPE URI in
              # [cpe format](https://cpe.mitre.org/specification/) in which the
              # vulnerability manifests. Examples include distro or storage location for
              # vulnerable jar.
          "fixingKbs": [ # Required. The names of the KBs which have hotfixes to mitigate this
              # vulnerability. Note that there may be multiple hotfixes (and thus
              # multiple KBs) that mitigate a given vulnerability. Currently any listed
              # kb's presence is considered a fix.
            {
              "url": "A String", # A link to the KB in the Windows update catalog -
                  # https://www.catalog.update.microsoft.com/
              "name": "A String", # The KB name (generally of the form KB[0-9]+ i.e. KB123456).
            },
          ],
          "name": "A String", # Required. The name of the vulnerability.
          "description": "A String", # The description of the vulnerability.
        },
      ],
      "cvssV3": { # Common Vulnerability Scoring System version 3. # The full description of the CVSSv3.
          # For details, see https://www.first.org/cvss/specification-document
        "attackComplexity": "A String",
        "attackVector": "A String", # Base Metrics
            # Represents the intrinsic characteristics of a vulnerability that are
            # constant over time and across user environments.
        "privilegesRequired": "A String",
        "userInteraction": "A String",
        "baseScore": 3.14, # The base score is a function of the base metric scores.
        "availabilityImpact": "A String",
        "impactScore": 3.14,
        "exploitabilityScore": 3.14,
        "scope": "A String",
        "integrityImpact": "A String",
        "confidentialityImpact": "A String",
      },
      "cvssScore": 3.14, # The CVSS score for this vulnerability.
      "severity": "A String", # Note provider assigned impact of the vulnerability.
      "details": [ # All information about the package to specifically identify this
          # vulnerability. One entry per (version range and cpe_uri) the package
          # vulnerability has manifested in.
        { # Identifies all appearances of this vulnerability in the package for a
            # specific distro/location. For example: glibc in
            # cpe:/o:debian:debian_linux:8 for versions 2.1 - 2.2
          "severityName": "A String", # The severity (eg: distro assigned severity) for this vulnerability.
          "cpeUri": "A String", # Required. The CPE URI in
              # [cpe format](https://cpe.mitre.org/specification/) in which the
              # vulnerability manifests. Examples include distro or storage location for
              # vulnerable jar.
          "description": "A String", # A vendor-specific description of this note.
          "minAffectedVersion": { # Version contains structured information about the version of a package. # The min version of the package in which the vulnerability exists.
            "epoch": 42, # Used to correct mistakes in the version numbering scheme.
            "kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal
                # versions.
            "name": "A String", # Required only when version kind is NORMAL. The main part of the version
                # name.
            "revision": "A String", # The iteration of the package build from the above version.
          },
          "package": "A String", # Required. The name of the package where the vulnerability was found.
          "isObsolete": True or False, # Whether this detail is obsolete. Occurrences are expected not to point to
              # obsolete details.
          "packageType": "A String", # The type of package; whether native or non native(ruby gems, node.js
              # packages etc).
          "sourceUpdateTime": "A String", # The time this information was last changed at the source. This is an
              # upstream timestamp from the underlying information source - e.g. Ubuntu
              # security tracker.
          "maxAffectedVersion": { # Version contains structured information about the version of a package. # The max version of the package in which the vulnerability exists.
            "epoch": 42, # Used to correct mistakes in the version numbering scheme.
            "kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal
                # versions.
            "name": "A String", # Required only when version kind is NORMAL. The main part of the version
                # name.
            "revision": "A String", # The iteration of the package build from the above version.
          },
          "fixedLocation": { # The location of the vulnerability. # The fix for this specific package version.
            "cpeUri": "A String", # Required. The CPE URI in [cpe format](https://cpe.mitre.org/specification/)
                # format. Examples include distro or storage location for vulnerable jar.
            "version": { # Version contains structured information about the version of a package. # Required. The version of the package being described.
              "epoch": 42, # Used to correct mistakes in the version numbering scheme.
              "kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal
                  # versions.
              "name": "A String", # Required only when version kind is NORMAL. The main part of the version
                  # name.
              "revision": "A String", # The iteration of the package build from the above version.
            },
            "package": "A String", # Required. The package being described.
          },
        },
      ],
      "sourceUpdateTime": "A String", # The time this information was last changed at the source. This is an
          # upstream timestamp from the underlying information source - e.g. Ubuntu
          # security tracker.
    },
    "kind": "A String", # Output only. The type of analysis. This field can be used as a filter in
        # list requests.
    "relatedUrl": [ # URLs associated with this note.
      { # Metadata for any related URL information.
        "url": "A String", # Specific URL associated with the resource.
        "label": "A String", # Label to describe usage of the URL.
      },
    ],
    "longDescription": "A String", # A detailed description of this note.
    "attestationAuthority": { # Note kind that represents a logical attestation "role" or "authority". For # A note describing an attestation role.
        # example, an organization might have one `Authority` for "QA" and one for
        # "build". This note is intended to act strictly as a grouping mechanism for
        # the attached occurrences (Attestations). This grouping mechanism also
        # provides a security boundary, since IAM ACLs gate the ability for a principle
        # to attach an occurrence to a given note. It also provides a single point of
        # lookup to find all attached attestation occurrences, even if they don't all
        # live in the same project.
      "hint": { # This submessage provides human-readable hints about the purpose of the # Hint hints at the purpose of the attestation authority.
          # authority. Because the name of a note acts as its resource reference, it is
          # important to disambiguate the canonical name of the Note (which might be a
          # UUID for security purposes) from "readable" names more suitable for debug
          # output. Note that these hints should not be used to look up authorities in
          # security sensitive contexts, such as when looking up attestations to
          # verify.
        "humanReadableName": "A String", # Required. The human readable name of this attestation authority, for
            # example "qa".
      },
    },
    "intoto": { # This contains the fields corresponding to the definition of a software supply # A note describing an in-toto link.
        # chain step in an in-toto layout. This information goes into a Grafeas note.
      "stepName": "A String", # This field identifies the name of the step in the supply chain.
      "expectedCommand": [ # This field contains the expected command used to perform the step.
        "A String",
      ],
      "threshold": "A String", # This field contains a value that indicates the minimum number of keys that
          # need to be used to sign the step's in-toto link.
      "expectedMaterials": [ # The following fields contain in-toto artifact rules identifying the
          # artifacts that enter this supply chain step, and exit the supply chain
          # step, i.e. materials and products of the step.
        { # Defines an object to declare an in-toto artifact rule
          "artifactRule": [
            "A String",
          ],
        },
      ],
      "expectedProducts": [
        { # Defines an object to declare an in-toto artifact rule
          "artifactRule": [
            "A String",
          ],
        },
      ],
      "signingKeys": [ # This field contains the public keys that can be used to verify the
          # signatures on the step metadata.
        { # This defines the format used to record keys used in the software supply
            # chain. An in-toto link is attested using one or more keys defined in the
            # in-toto layout. An example of this is:
            # {
            #   "key_id": "776a00e29f3559e0141b3b096f696abc6cfb0c657ab40f441132b345b0...",
            #   "key_type": "rsa",
            #   "public_key_value": "-----BEGIN PUBLIC KEY-----\nMIIBojANBgkqhkiG9w0B...",
            #   "key_scheme": "rsassa-pss-sha256"
            # }
            # The format for in-toto's key definition can be found in section 4.2 of the
            # in-toto specification.
          "keyType": "A String", # This field identifies the specific signing method. Eg: "rsa", "ed25519",
              # and "ecdsa".
          "keyId": "A String", # key_id is an identifier for the signing key.
          "publicKeyValue": "A String", # This field contains the actual public key.
          "keyScheme": "A String", # This field contains the corresponding signature scheme.
              # Eg: "rsassa-pss-sha256".
        },
      ],
    },
    "build": { # Note holding the version of the provider's builder and the signature of the # A note describing build provenance for a verifiable build.
        # provenance message in the build details occurrence.
      "builderVersion": "A String", # Required. Immutable. Version of the builder which produced this build.
      "signature": { # Message encapsulating the signature of the verified build. # Signature of the build in occurrences pointing to this build note
          # containing build details.
        "publicKey": "A String", # Public key of the builder which can be used to verify that the related
            # findings are valid and unchanged. If `key_type` is empty, this defaults
            # to PEM encoded public keys.
            #
            # This field may be empty if `key_id` references an external key.
            #
            # For Cloud Build based signatures, this is a PEM encoded public
            # key. To verify the Cloud Build signature, place the contents of
            # this field into a file (public.pem). The signature field is base64-decoded
            # into its binary representation in signature.bin, and the provenance bytes
            # from `BuildDetails` are base64-decoded into a binary representation in
            # signed.bin. OpenSSL can then verify the signature:
            # `openssl sha256 -verify public.pem -signature signature.bin signed.bin`
        "keyType": "A String", # The type of the key, either stored in `public_key` or referenced in
            # `key_id`.
        "keyId": "A String", # An ID for the key used to sign. This could be either an ID for the key
            # stored in `public_key` (such as the ID or fingerprint for a PGP key, or the
            # CN for a cert), or a reference to an external key (such as a reference to a
            # key in Cloud Key Management Service).
        "signature": "A String", # Required. Signature of the related `BuildProvenance`. In JSON, this is
            # base-64 encoded.
      },
    },
    "baseImage": { # Basis describes the base image portion (Note) of the DockerImage # A note describing a base image.
        # relationship. Linked occurrences are derived from this or an
        # equivalent image via:
        #   FROM <Basis.resource_url>
        # Or an equivalent reference, e.g. a tag of the resource_url.
      "resourceUrl": "A String", # Required. Immutable. The resource_url for the resource representing the
          # basis of associated occurrence images.
      "fingerprint": { # A set of properties that uniquely identify a given Docker image. # Required. Immutable. The fingerprint of the base image.
        "v1Name": "A String", # Required. The layer ID of the final layer in the Docker image's v1
            # representation.
        "v2Blob": [ # Required. The ordered list of v2 blobs that represent a given image.
          "A String",
        ],
        "v2Name": "A String", # Output only. The name of the image's v2 blobs computed via:
            #   [bottom] := v2_blobbottom := sha256(v2_blob[N] + " " + v2_name[N+1])
            # Only the name of the final blob is kept.
      },
    },
    "expirationTime": "A String", # Time of expiration for this note. Empty if note does not expire.
    "deployable": { # An artifact that can be deployed in some runtime. # A note describing something that can be deployed.
      "resourceUri": [ # Required. Resource URI for the artifact being deployed.
        "A String",
      ],
    },
    "shortDescription": "A String", # A one sentence description of this note.
    "createTime": "A String", # Output only. The time this note was created. This field can be used as a
        # filter in list requests.
    "discovery": { # A note that indicates a type of analysis a provider would perform. This note # A note describing the initial analysis of a resource.
        # exists in a provider's project. A `Discovery` occurrence is created in a
        # consumer's project at the start of analysis.
      "analysisKind": "A String", # Required. Immutable. The kind of analysis that is handled by this
          # discovery.
    },
  }
getVulnerabilitySummary(parent, x__xgafv=None, filter=None)
Gets a summary of the number and severity of occurrences.

Args:
  parent: string, Required. The name of the project to get a vulnerability summary for in the form of
`projects/[PROJECT_ID]`. (required)
  x__xgafv: string, V1 error format.
    Allowed values
      1 - v1 error format
      2 - v2 error format
  filter: string, The filter expression.

Returns:
  An object of the form:

    { # A summary of how many vulnerability occurrences there are per resource and
      # severity type.
    "counts": [ # A listing by resource of the number of fixable and total vulnerabilities.
      { # Per resource and severity counts of fixable and total vulnerabilities.
        "totalCount": "A String", # The total number of vulnerabilities associated with this resource.
        "resource": { # An entity that can have metadata. For example, a Docker image. # The affected resource.
          "contentHash": { # Container message for hash values. # Deprecated, do not use. Use uri instead.
              #
              # The hash of the resource content. For example, the Docker digest.
            "type": "A String", # Required. The type of hash that was performed.
            "value": "A String", # Required. The hash value.
          },
          "name": "A String", # Deprecated, do not use. Use uri instead.
              #
              # The name of the resource. For example, the name of a Docker image -
              # "Debian".
          "uri": "A String", # Required. The unique URI of the resource. For example,
              # `https://gcr.io/project/image@sha256:foo` for a Docker image.
        },
        "severity": "A String", # The severity for this count. SEVERITY_UNSPECIFIED indicates total across
            # all severities.
        "fixableCount": "A String", # The number of fixable vulnerabilities associated with this resource.
      },
    ],
  }
list(parent, pageSize=None, pageToken=None, x__xgafv=None, filter=None)
Lists occurrences for the specified project.

Args:
  parent: string, Required. The name of the project to list occurrences for in the form of
`projects/[PROJECT_ID]`. (required)
  pageSize: integer, Number of occurrences to return in the list. Must be positive. Max allowed
page size is 1000. If not specified, page size defaults to 20.
  pageToken: string, Token to provide to skip to a particular spot in the list.
  x__xgafv: string, V1 error format.
    Allowed values
      1 - v1 error format
      2 - v2 error format
  filter: string, The filter expression.

Returns:
  An object of the form:

    { # Response for listing occurrences.
    "nextPageToken": "A String", # The next pagination token in the list response. It should be used as
        # `page_token` for the following request. An empty value means no more
        # results.
    "occurrences": [ # The occurrences requested.
      { # An instance of an analysis type that has been found on a resource.
        "updateTime": "A String", # Output only. The time this occurrence was last updated.
        "resource": { # An entity that can have metadata. For example, a Docker image. # Required. Immutable. The resource for which the occurrence applies.
          "contentHash": { # Container message for hash values. # Deprecated, do not use. Use uri instead.
              #
              # The hash of the resource content. For example, the Docker digest.
            "type": "A String", # Required. The type of hash that was performed.
            "value": "A String", # Required. The hash value.
          },
          "name": "A String", # Deprecated, do not use. Use uri instead.
              #
              # The name of the resource. For example, the name of a Docker image -
              # "Debian".
          "uri": "A String", # Required. The unique URI of the resource. For example,
              # `https://gcr.io/project/image@sha256:foo` for a Docker image.
        },
        "name": "A String", # Output only. The name of the occurrence in the form of
            # `projects/[PROJECT_ID]/occurrences/[OCCURRENCE_ID]`.
        "vulnerability": { # Details of a vulnerability Occurrence. # Describes a security vulnerability.
          "cvssScore": 3.14, # Output only. The CVSS score of this vulnerability. CVSS score is on a
              # scale of 0-10 where 0 indicates low severity and 10 indicates high
              # severity.
          "severity": "A String", # Output only. The note provider assigned Severity of the vulnerability.
          "type": "A String", # The type of package; whether native or non native(ruby gems, node.js
              # packages etc)
          "effectiveSeverity": "A String", # The distro assigned severity for this vulnerability when it is
              # available, and note provider assigned severity when distro has not yet
              # assigned a severity for this vulnerability.
          "relatedUrls": [ # Output only. URLs related to this vulnerability.
            { # Metadata for any related URL information.
              "url": "A String", # Specific URL associated with the resource.
              "label": "A String", # Label to describe usage of the URL.
            },
          ],
          "packageIssue": [ # Required. The set of affected locations and their fixes (if available)
              # within the associated resource.
            { # This message wraps a location affected by a vulnerability and its
                # associated fix (if one is available).
              "severityName": "A String", # Deprecated, use Details.effective_severity instead
                  # The severity (e.g., distro assigned severity) for this vulnerability.
              "affectedLocation": { # The location of the vulnerability. # Required. The location of the vulnerability.
                "cpeUri": "A String", # Required. The CPE URI in [cpe format](https://cpe.mitre.org/specification/)
                    # format. Examples include distro or storage location for vulnerable jar.
                "version": { # Version contains structured information about the version of a package. # Required. The version of the package being described.
                  "epoch": 42, # Used to correct mistakes in the version numbering scheme.
                  "kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal
                      # versions.
                  "name": "A String", # Required only when version kind is NORMAL. The main part of the version
                      # name.
                  "revision": "A String", # The iteration of the package build from the above version.
                },
                "package": "A String", # Required. The package being described.
              },
              "fixedLocation": { # The location of the vulnerability. # The location of the available fix for vulnerability.
                "cpeUri": "A String", # Required. The CPE URI in [cpe format](https://cpe.mitre.org/specification/)
                    # format. Examples include distro or storage location for vulnerable jar.
                "version": { # Version contains structured information about the version of a package. # Required. The version of the package being described.
                  "epoch": 42, # Used to correct mistakes in the version numbering scheme.
                  "kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal
                      # versions.
                  "name": "A String", # Required only when version kind is NORMAL. The main part of the version
                      # name.
                  "revision": "A String", # The iteration of the package build from the above version.
                },
                "package": "A String", # Required. The package being described.
              },
            },
          ],
          "longDescription": "A String", # Output only. A detailed description of this vulnerability.
          "shortDescription": "A String", # Output only. A one sentence description of this vulnerability.
        },
        "kind": "A String", # Output only. This explicitly denotes which of the occurrence details are
            # specified. This field can be used as a filter in list requests.
        "discovered": { # Details of a discovery occurrence. # Describes when a resource was discovered.
          "discovered": { # Provides information about the analysis status of a discovered resource. # Required. Analysis status for the discovered resource.
            "lastAnalysisTime": "A String", # The last time continuous analysis was done for this resource.
                # Deprecated, do not use.
            "analysisStatus": "A String", # The status of discovery for the resource.
            "continuousAnalysis": "A String", # Whether the resource is continuously analyzed.
            "analysisStatusError": { # The `Status` type defines a logical error model that is suitable for # When an error is encountered this will contain a LocalizedMessage under
                # details to show to the user. The LocalizedMessage is output only and
                # populated by the API.
                # different programming environments, including REST APIs and RPC APIs. It is
                # used by [gRPC](https://github.com/grpc). Each `Status` message contains
                # three pieces of data: error code, error message, and error details.
                #
                # You can find out more about this error model and how to work with it in the
                # [API Design Guide](https://cloud.google.com/apis/design/errors).
              "message": "A String", # A developer-facing error message, which should be in English. Any
                  # user-facing error message should be localized and sent in the
                  # google.rpc.Status.details field, or localized by the client.
              "code": 42, # The status code, which should be an enum value of google.rpc.Code.
              "details": [ # A list of messages that carry the error details.  There is a common set of
                  # message types for APIs to use.
                {
                  "a_key": "", # Properties of the object. Contains field @type with type URL.
                },
              ],
            },
          },
        },
        "attestation": { # Details of an attestation occurrence. # Describes an attestation of an artifact.
          "attestation": { # Occurrence that represents a single "attestation". The authenticity of an # Required. Attestation for the resource.
              # attestation can be verified using the attached signature. If the verifier
              # trusts the public key of the signer, then verifying the signature is
              # sufficient to establish trust. In this circumstance, the authority to which
              # this attestation is attached is primarily useful for look-up (how to find
              # this attestation if you already know the authority and artifact to be
              # verified) and intent (which authority was this attestation intended to sign
              # for).
            "pgpSignedAttestation": { # An attestation wrapper with a PGP-compatible signature. This message only # A PGP signed attestation.
                # supports `ATTACHED` signatures, where the payload that is signed is included
                # alongside the signature itself in the same file.
              "pgpKeyId": "A String", # The cryptographic fingerprint of the key used to generate the signature,
                  # as output by, e.g. `gpg --list-keys`. This should be the version 4, full
                  # 160-bit fingerprint, expressed as a 40 character hexidecimal string. See
                  # https://tools.ietf.org/html/rfc4880#section-12.2 for details.
                  # Implementations may choose to acknowledge "LONG", "SHORT", or other
                  # abbreviated key IDs, but only the full fingerprint is guaranteed to work.
                  # In gpg, the full fingerprint can be retrieved from the `fpr` field
                  # returned when calling --list-keys with --with-colons.  For example:
                  # ```
                  # gpg --with-colons --with-fingerprint --force-v4-certs \
                  #     --list-keys attester@example.com
                  # tru::1:1513631572:0:3:1:5
                  # pub:...<SNIP>...
                  # fpr:::::::::24FF6481B76AC91E66A00AC657A93A81EF3AE6FB:
                  # ```
                  # Above, the fingerprint is `24FF6481B76AC91E66A00AC657A93A81EF3AE6FB`.
              "contentType": "A String", # Type (for example schema) of the attestation payload that was signed.
                  # The verifier must ensure that the provided type is one that the verifier
                  # supports, and that the attestation payload is a valid instantiation of that
                  # type (for example by validating a JSON schema).
              "signature": "A String", # Required. The raw content of the signature, as output by GNU Privacy Guard
                  # (GPG) or equivalent. Since this message only supports attached signatures,
                  # the payload that was signed must be attached. While the signature format
                  # supported is dependent on the verification implementation, currently only
                  # ASCII-armored (`--armor` to gpg), non-clearsigned (`--sign` rather than
                  # `--clearsign` to gpg) are supported. Concretely, `gpg --sign --armor
                  # --output=signature.gpg payload.json` will create the signature content
                  # expected in this field in `signature.gpg` for the `payload.json`
                  # attestation payload.
            },
            "genericSignedAttestation": { # An attestation wrapper that uses the Grafeas `Signature` message.
                # This attestation must define the `serialized_payload` that the `signatures`
                # verify and any metadata necessary to interpret that plaintext.  The
                # signatures should always be over the `serialized_payload` bytestring.
              "signatures": [ # One or more signatures over `serialized_payload`.  Verifier implementations
                  # should consider this attestation message verified if at least one
                  # `signature` verifies `serialized_payload`.  See `Signature` in common.proto
                  # for more details on signature structure and verification.
                { # Verifiers (e.g. Kritis implementations) MUST verify signatures
                    # with respect to the trust anchors defined in policy (e.g. a Kritis policy).
                    # Typically this means that the verifier has been configured with a map from
                    # `public_key_id` to public key material (and any required parameters, e.g.
                    # signing algorithm).
                    #
                    # In particular, verification implementations MUST NOT treat the signature
                    # `public_key_id` as anything more than a key lookup hint. The `public_key_id`
                    # DOES NOT validate or authenticate a public key; it only provides a mechanism
                    # for quickly selecting a public key ALREADY CONFIGURED on the verifier through
                    # a trusted channel. Verification implementations MUST reject signatures in any
                    # of the following circumstances:
                    #   * The `public_key_id` is not recognized by the verifier.
                    #   * The public key that `public_key_id` refers to does not verify the
                    #     signature with respect to the payload.
                    #
                    # The `signature` contents SHOULD NOT be "attached" (where the payload is
                    # included with the serialized `signature` bytes). Verifiers MUST ignore any
                    # "attached" payload and only verify signatures with respect to explicitly
                    # provided payload (e.g. a `payload` field on the proto message that holds
                    # this Signature, or the canonical serialization of the proto message that
                    # holds this signature).
                  "publicKeyId": "A String", # The identifier for the public key that verifies this signature.
                      #   * The `public_key_id` is required.
                      #   * The `public_key_id` MUST be an RFC3986 conformant URI.
                      #   * When possible, the `public_key_id` SHOULD be an immutable reference,
                      #     such as a cryptographic digest.
                      #
                      # Examples of valid `public_key_id`s:
                      #
                      # OpenPGP V4 public key fingerprint:
                      #   * "openpgp4fpr:74FAF3B861BDA0870C7B6DEF607E48D2A663AEEA"
                      # See https://www.iana.org/assignments/uri-schemes/prov/openpgp4fpr for more
                      # details on this scheme.
                      #
                      # RFC6920 digest-named SubjectPublicKeyInfo (digest of the DER
                      # serialization):
                      #   * "ni:///sha-256;cD9o9Cq6LG3jD0iKXqEi_vdjJGecm_iXkbqVoScViaU"
                      #   * "nih:///sha-256;703f68f42aba2c6de30f488a5ea122fef76324679c9bf89791ba95a1271589a5"
                  "signature": "A String", # The content of the signature, an opaque bytestring.
                      # The payload that this signature verifies MUST be unambiguously provided
                      # with the Signature during verification. A wrapper message might provide
                      # the payload explicitly. Alternatively, a message might have a canonical
                      # serialization that can always be unambiguously computed to derive the
                      # payload.
                },
              ],
              "contentType": "A String", # Type (for example schema) of the attestation payload that was signed.
                  # The verifier must ensure that the provided type is one that the verifier
                  # supports, and that the attestation payload is a valid instantiation of that
                  # type (for example by validating a JSON schema).
              "serializedPayload": "A String", # The serialized payload that is verified by one or more `signatures`.
                  # The encoding and semantic meaning of this payload must match what is set in
                  # `content_type`.
            },
          },
        },
        "intoto": { # This corresponds to a signed in-toto link - it is made up of one or more # Describes a specific in-toto link.
            # signatures and the in-toto link itself. This is used for occurrences of a
            # Grafeas in-toto note.
          "signatures": [
            { # A signature object consists of the KeyID used and the signature itself.
              "keyid": "A String",
              "sig": "A String",
            },
          ],
          "signed": { # This corresponds to an in-toto link.
            "environment": { # Defines an object for the environment field in in-toto links. The suggested # This is a field that can be used to capture information about the
                # environment. It is suggested for this field to contain information that
                # details environment variables, filesystem information, and the present
                # working directory. The recommended structure of this field is:
                # "environment": {
                #   "custom_values": {
                #     "variables": "<ENV>",
                #     "filesystem": "<FS>",
                #     "workdir": "<CWD>",
                #     "<ANY OTHER RELEVANT FIELDS>": "..."
                #   }
                # }
                # fields are "variables", "filesystem", and "workdir".
              "customValues": {
                "a_key": "A String",
              },
            },
            "command": [ # This field contains the full command executed for the step. This can also
                # be empty if links are generated for operations that aren't directly mapped
                # to a specific command. Each term in the command is an independent string
                # in the list. An example of a command in the in-toto metadata field is:
                # "command": ["git", "clone", "https://github.com/in-toto/demo-project.git"]
              "A String",
            ],
            "materials": [ # Materials are the supply chain artifacts that go into the step and are used
                # for the operation performed. The key of the map is the path of the artifact
                # and the structure contains the recorded hash information. An example is:
                # "materials": [
                #   {
                #     "resource_uri": "foo/bar",
                #     "hashes": {
                #       "sha256": "ebebf...",
                #       <OTHER HASH ALGORITHMS>: <HASH VALUE>
                #     }
                #   }
                # ]
              {
                "resourceUri": "A String",
                "hashes": { # Defines a hash object for use in Materials and Products.
                  "sha256": "A String",
                },
              },
            ],
            "products": [ # Products are the supply chain artifacts generated as a result of the step.
                # The structure is identical to that of materials.
              {
                "resourceUri": "A String",
                "hashes": { # Defines a hash object for use in Materials and Products.
                  "sha256": "A String",
                },
              },
            ],
            "byproducts": { # Defines an object for the byproducts field in in-toto links. The suggested # ByProducts are data generated as part of a software supply chain step, but
                # are not the actual result of the step.
                # fields are "stderr", "stdout", and "return-value".
              "customValues": {
                "a_key": "A String",
              },
            },
          },
        },
        "build": { # Details of a build occurrence. # Describes a verifiable build.
          "provenance": { # Provenance of a build. Contains all information needed to verify the full # Required. The actual provenance for the build.
              # details about the build from source to completion.
            "commands": [ # Commands requested by the build.
              { # Command describes a step performed as part of the build pipeline.
                "waitFor": [ # The ID(s) of the command(s) that this command depends on.
                  "A String",
                ],
                "name": "A String", # Required. Name of the command, as presented on the command line, or if the
                    # command is packaged as a Docker container, as presented to `docker pull`.
                "args": [ # Command-line arguments used when executing this command.
                  "A String",
                ],
                "env": [ # Environment variables set before running this command.
                  "A String",
                ],
                "id": "A String", # Optional unique identifier for this command, used in wait_for to reference
                    # this command as a dependency.
                "dir": "A String", # Working directory (relative to project source root) used when running this
                    # command.
              },
            ],
            "sourceProvenance": { # Source describes the location of the source used for the build. # Details of the Source input to the build.
              "fileHashes": { # Hash(es) of the build source, which can be used to verify that the original
                  # source integrity was maintained in the build.
                  #
                  # The keys to this map are file paths used as build source and the values
                  # contain the hash values for those files.
                  #
                  # If the build source came in a single package such as a gzipped tarfile
                  # (.tar.gz), the FileHash will be for the single path to that file.
                "a_key": { # Container message for hashes of byte content of files, used in source
                    # messages to verify integrity of source input to the build.
                  "fileHash": [ # Required. Collection of file hashes.
                    { # Container message for hash values.
                      "type": "A String", # Required. The type of hash that was performed.
                      "value": "A String", # Required. The hash value.
                    },
                  ],
                },
              },
              "artifactStorageSourceUri": "A String", # If provided, the input binary artifacts for the build came from this
                  # location.
              "additionalContexts": [ # If provided, some of the source code used for the build may be found in
                  # these locations, in the case where the source repository had multiple
                  # remotes or submodules. This list will not include the context specified in
                  # the context field.
                { # A SourceContext is a reference to a tree of files. A SourceContext together
                    # with a path point to a unique revision of a single file or directory.
                  "git": { # A GitSourceContext denotes a particular revision in a third party Git # A SourceContext referring to any third party Git repo (e.g., GitHub).
                      # repository (e.g., GitHub).
                    "url": "A String", # Git repository URL.
                    "revisionId": "A String", # Git commit hash.
                  },
                  "cloudRepo": { # A CloudRepoSourceContext denotes a particular revision in a Google Cloud # A SourceContext referring to a revision in a Google Cloud Source Repo.
                      # Source Repo.
                    "aliasContext": { # An alias to a repo revision. # An alias, which may be a branch or tag.
                      "kind": "A String", # The alias kind.
                      "name": "A String", # The alias name.
                    },
                    "revisionId": "A String", # A revision ID.
                    "repoId": { # A unique identifier for a Cloud Repo. # The ID of the repo.
                      "uid": "A String", # A server-assigned, globally unique identifier.
                      "projectRepoId": { # Selects a repo using a Google Cloud Platform project ID (e.g., # A combination of a project ID and a repo name.
                          # winged-cargo-31) and a repo name within that project.
                        "projectId": "A String", # The ID of the project.
                        "repoName": "A String", # The name of the repo. Leave empty for the default repo.
                      },
                    },
                  },
                  "labels": { # Labels with user defined metadata.
                    "a_key": "A String",
                  },
                  "gerrit": { # A SourceContext referring to a Gerrit project. # A SourceContext referring to a Gerrit project.
                    "aliasContext": { # An alias to a repo revision. # An alias, which may be a branch or tag.
                      "kind": "A String", # The alias kind.
                      "name": "A String", # The alias name.
                    },
                    "revisionId": "A String", # A revision (commit) ID.
                    "gerritProject": "A String", # The full project name within the host. Projects may be nested, so
                        # "project/subproject" is a valid project name. The "repo name" is the
                        # hostURI/project.
                    "hostUri": "A String", # The URI of a running Gerrit instance.
                  },
                },
              ],
              "context": { # A SourceContext is a reference to a tree of files. A SourceContext together # If provided, the source code used for the build came from this location.
                  # with a path point to a unique revision of a single file or directory.
                "git": { # A GitSourceContext denotes a particular revision in a third party Git # A SourceContext referring to any third party Git repo (e.g., GitHub).
                    # repository (e.g., GitHub).
                  "url": "A String", # Git repository URL.
                  "revisionId": "A String", # Git commit hash.
                },
                "cloudRepo": { # A CloudRepoSourceContext denotes a particular revision in a Google Cloud # A SourceContext referring to a revision in a Google Cloud Source Repo.
                    # Source Repo.
                  "aliasContext": { # An alias to a repo revision. # An alias, which may be a branch or tag.
                    "kind": "A String", # The alias kind.
                    "name": "A String", # The alias name.
                  },
                  "revisionId": "A String", # A revision ID.
                  "repoId": { # A unique identifier for a Cloud Repo. # The ID of the repo.
                    "uid": "A String", # A server-assigned, globally unique identifier.
                    "projectRepoId": { # Selects a repo using a Google Cloud Platform project ID (e.g., # A combination of a project ID and a repo name.
                        # winged-cargo-31) and a repo name within that project.
                      "projectId": "A String", # The ID of the project.
                      "repoName": "A String", # The name of the repo. Leave empty for the default repo.
                    },
                  },
                },
                "labels": { # Labels with user defined metadata.
                  "a_key": "A String",
                },
                "gerrit": { # A SourceContext referring to a Gerrit project. # A SourceContext referring to a Gerrit project.
                  "aliasContext": { # An alias to a repo revision. # An alias, which may be a branch or tag.
                    "kind": "A String", # The alias kind.
                    "name": "A String", # The alias name.
                  },
                  "revisionId": "A String", # A revision (commit) ID.
                  "gerritProject": "A String", # The full project name within the host. Projects may be nested, so
                      # "project/subproject" is a valid project name. The "repo name" is the
                      # hostURI/project.
                  "hostUri": "A String", # The URI of a running Gerrit instance.
                },
              },
            },
            "buildOptions": { # Special options applied to this build. This is a catch-all field where
                # build providers can enter any desired additional details.
              "a_key": "A String",
            },
            "creator": "A String", # E-mail address of the user who initiated this build. Note that this was the
                # user's e-mail address at the time the build was initiated; this address may
                # not represent the same end-user for all time.
            "projectId": "A String", # ID of the project.
            "builderVersion": "A String", # Version string of the builder at the time this build was executed.
            "createTime": "A String", # Time at which the build was created.
            "builtArtifacts": [ # Output of the build.
              { # Artifact describes a build product.
                "checksum": "A String", # Hash or checksum value of a binary, or Docker Registry 2.0 digest of a
                    # container.
                "id": "A String", # Artifact ID, if any; for container images, this will be a URL by digest
                    # like `gcr.io/projectID/imagename@sha256:123456`.
                "names": [ # Related artifact names. This may be the path to a binary or jar file, or in
                    # the case of a container build, the name used to push the container image to
                    # Google Container Registry, as presented to `docker push`. Note that a
                    # single Artifact ID can have multiple names, for example if two tags are
                    # applied to one image.
                  "A String",
                ],
              },
            ],
            "triggerId": "A String", # Trigger identifier if the build was triggered automatically; empty if not.
            "startTime": "A String", # Time at which execution of the build was started.
            "endTime": "A String", # Time at which execution of the build was finished.
            "id": "A String", # Required. Unique identifier of the build.
            "logsUri": "A String", # URI where any logs for this provenance were written.
          },
          "provenanceBytes": "A String", # Serialized JSON representation of the provenance, used in generating the
              # build signature in the corresponding build note. After verifying the
              # signature, `provenance_bytes` can be unmarshalled and compared to the
              # provenance to confirm that it is unchanged. A base64-encoded string
              # representation of the provenance bytes is used for the signature in order
              # to interoperate with openssl which expects this format for signature
              # verification.
              #
              # The serialized form is captured both to avoid ambiguity in how the
              # provenance is marshalled to json as well to prevent incompatibilities with
              # future changes.
        },
        "deployment": { # Details of a deployment occurrence. # Describes the deployment of an artifact on a runtime.
          "deployment": { # The period during which some deployable was active in a runtime. # Required. Deployment history for the resource.
            "resourceUri": [ # Output only. Resource URI for the artifact being deployed taken from
                # the deployable field with the same name.
              "A String",
            ],
            "userEmail": "A String", # Identity of the user that triggered this deployment.
            "address": "A String", # Address of the runtime element hosting this deployment.
            "platform": "A String", # Platform hosting this deployment.
            "deployTime": "A String", # Required. Beginning of the lifetime of this deployment.
            "undeployTime": "A String", # End of the lifetime of this deployment.
            "config": "A String", # Configuration used to create this deployment.
          },
        },
        "remediation": "A String", # A description of actions that can be taken to remedy the note.
        "installation": { # Details of a package occurrence. # Describes the installation of a package on the linked resource.
          "installation": { # This represents how a particular software package may be installed on a # Required. Where the package was installed.
              # system.
            "name": "A String", # Output only. The name of the installed package.
            "location": [ # Required. All of the places within the filesystem versions of this package
                # have been found.
              { # An occurrence of a particular package installation found within a system's
                  # filesystem. E.g., glibc was found in `/var/lib/dpkg/status`.
                "path": "A String", # The path from which we gathered that this package/version is installed.
                "cpeUri": "A String", # Required. The CPE URI in [CPE format](https://cpe.mitre.org/specification/)
                    # denoting the package manager version distributing a package.
                "version": { # Version contains structured information about the version of a package. # The version installed at this location.
                  "epoch": 42, # Used to correct mistakes in the version numbering scheme.
                  "kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal
                      # versions.
                  "name": "A String", # Required only when version kind is NORMAL. The main part of the version
                      # name.
                  "revision": "A String", # The iteration of the package build from the above version.
                },
              },
            ],
          },
        },
        "createTime": "A String", # Output only. The time this occurrence was created.
        "derivedImage": { # Details of an image occurrence. # Describes how this resource derives from the basis in the associated
            # note.
          "derivedImage": { # Derived describes the derived image portion (Occurrence) of the DockerImage # Required. Immutable. The child image derived from the base image.
              # relationship. This image would be produced from a Dockerfile with FROM
              # <DockerImage.Basis in attached Note>.
            "distance": 42, # Output only. The number of layers by which this image differs from the
                # associated image basis.
            "baseResourceUrl": "A String", # Output only. This contains the base image URL for the derived image
                # occurrence.
            "layerInfo": [ # This contains layer-specific metadata, if populated it has length
                # "distance" and is ordered with [distance] being the layer immediately
                # following the base image and [1] being the final layer.
              { # Layer holds metadata specific to a layer of a Docker image.
                "arguments": "A String", # The recovered arguments to the Dockerfile directive.
                "directive": "A String", # Required. The recovered Dockerfile directive used to construct this layer.
              },
            ],
            "fingerprint": { # A set of properties that uniquely identify a given Docker image. # Required. The fingerprint of the derived image.
              "v1Name": "A String", # Required. The layer ID of the final layer in the Docker image's v1
                  # representation.
              "v2Blob": [ # Required. The ordered list of v2 blobs that represent a given image.
                "A String",
              ],
              "v2Name": "A String", # Output only. The name of the image's v2 blobs computed via:
                  #   [bottom] := v2_blobbottom := sha256(v2_blob[N] + " " + v2_name[N+1])
                  # Only the name of the final blob is kept.
            },
          },
        },
        "noteName": "A String", # Required. Immutable. The analysis note associated with this occurrence, in
            # the form of `projects/[PROVIDER_ID]/notes/[NOTE_ID]`. This field can be
            # used as a filter in list requests.
      },
    ],
  }
list_next(previous_request, previous_response)
Retrieves the next page of results.

Args:
  previous_request: The request for the previous page. (required)
  previous_response: The response from the request for the previous page. (required)

Returns:
  A request object that you can call 'execute()' on to request the next
  page. Returns None if there are no more items in the collection.
    
patch(name, body=None, updateMask=None, x__xgafv=None)
Updates the specified occurrence.

Args:
  name: string, Required. The name of the occurrence in the form of
`projects/[PROJECT_ID]/occurrences/[OCCURRENCE_ID]`. (required)
  body: object, The request body.
    The object takes the form of:

{ # An instance of an analysis type that has been found on a resource.
  "updateTime": "A String", # Output only. The time this occurrence was last updated.
  "resource": { # An entity that can have metadata. For example, a Docker image. # Required. Immutable. The resource for which the occurrence applies.
    "contentHash": { # Container message for hash values. # Deprecated, do not use. Use uri instead.
        #
        # The hash of the resource content. For example, the Docker digest.
      "type": "A String", # Required. The type of hash that was performed.
      "value": "A String", # Required. The hash value.
    },
    "name": "A String", # Deprecated, do not use. Use uri instead.
        #
        # The name of the resource. For example, the name of a Docker image -
        # "Debian".
    "uri": "A String", # Required. The unique URI of the resource. For example,
        # `https://gcr.io/project/image@sha256:foo` for a Docker image.
  },
  "name": "A String", # Output only. The name of the occurrence in the form of
      # `projects/[PROJECT_ID]/occurrences/[OCCURRENCE_ID]`.
  "vulnerability": { # Details of a vulnerability Occurrence. # Describes a security vulnerability.
    "cvssScore": 3.14, # Output only. The CVSS score of this vulnerability. CVSS score is on a
        # scale of 0-10 where 0 indicates low severity and 10 indicates high
        # severity.
    "severity": "A String", # Output only. The note provider assigned Severity of the vulnerability.
    "type": "A String", # The type of package; whether native or non native(ruby gems, node.js
        # packages etc)
    "effectiveSeverity": "A String", # The distro assigned severity for this vulnerability when it is
        # available, and note provider assigned severity when distro has not yet
        # assigned a severity for this vulnerability.
    "relatedUrls": [ # Output only. URLs related to this vulnerability.
      { # Metadata for any related URL information.
        "url": "A String", # Specific URL associated with the resource.
        "label": "A String", # Label to describe usage of the URL.
      },
    ],
    "packageIssue": [ # Required. The set of affected locations and their fixes (if available)
        # within the associated resource.
      { # This message wraps a location affected by a vulnerability and its
          # associated fix (if one is available).
        "severityName": "A String", # Deprecated, use Details.effective_severity instead
            # The severity (e.g., distro assigned severity) for this vulnerability.
        "affectedLocation": { # The location of the vulnerability. # Required. The location of the vulnerability.
          "cpeUri": "A String", # Required. The CPE URI in [cpe format](https://cpe.mitre.org/specification/)
              # format. Examples include distro or storage location for vulnerable jar.
          "version": { # Version contains structured information about the version of a package. # Required. The version of the package being described.
            "epoch": 42, # Used to correct mistakes in the version numbering scheme.
            "kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal
                # versions.
            "name": "A String", # Required only when version kind is NORMAL. The main part of the version
                # name.
            "revision": "A String", # The iteration of the package build from the above version.
          },
          "package": "A String", # Required. The package being described.
        },
        "fixedLocation": { # The location of the vulnerability. # The location of the available fix for vulnerability.
          "cpeUri": "A String", # Required. The CPE URI in [cpe format](https://cpe.mitre.org/specification/)
              # format. Examples include distro or storage location for vulnerable jar.
          "version": { # Version contains structured information about the version of a package. # Required. The version of the package being described.
            "epoch": 42, # Used to correct mistakes in the version numbering scheme.
            "kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal
                # versions.
            "name": "A String", # Required only when version kind is NORMAL. The main part of the version
                # name.
            "revision": "A String", # The iteration of the package build from the above version.
          },
          "package": "A String", # Required. The package being described.
        },
      },
    ],
    "longDescription": "A String", # Output only. A detailed description of this vulnerability.
    "shortDescription": "A String", # Output only. A one sentence description of this vulnerability.
  },
  "kind": "A String", # Output only. This explicitly denotes which of the occurrence details are
      # specified. This field can be used as a filter in list requests.
  "discovered": { # Details of a discovery occurrence. # Describes when a resource was discovered.
    "discovered": { # Provides information about the analysis status of a discovered resource. # Required. Analysis status for the discovered resource.
      "lastAnalysisTime": "A String", # The last time continuous analysis was done for this resource.
          # Deprecated, do not use.
      "analysisStatus": "A String", # The status of discovery for the resource.
      "continuousAnalysis": "A String", # Whether the resource is continuously analyzed.
      "analysisStatusError": { # The `Status` type defines a logical error model that is suitable for # When an error is encountered this will contain a LocalizedMessage under
          # details to show to the user. The LocalizedMessage is output only and
          # populated by the API.
          # different programming environments, including REST APIs and RPC APIs. It is
          # used by [gRPC](https://github.com/grpc). Each `Status` message contains
          # three pieces of data: error code, error message, and error details.
          #
          # You can find out more about this error model and how to work with it in the
          # [API Design Guide](https://cloud.google.com/apis/design/errors).
        "message": "A String", # A developer-facing error message, which should be in English. Any
            # user-facing error message should be localized and sent in the
            # google.rpc.Status.details field, or localized by the client.
        "code": 42, # The status code, which should be an enum value of google.rpc.Code.
        "details": [ # A list of messages that carry the error details.  There is a common set of
            # message types for APIs to use.
          {
            "a_key": "", # Properties of the object. Contains field @type with type URL.
          },
        ],
      },
    },
  },
  "attestation": { # Details of an attestation occurrence. # Describes an attestation of an artifact.
    "attestation": { # Occurrence that represents a single "attestation". The authenticity of an # Required. Attestation for the resource.
        # attestation can be verified using the attached signature. If the verifier
        # trusts the public key of the signer, then verifying the signature is
        # sufficient to establish trust. In this circumstance, the authority to which
        # this attestation is attached is primarily useful for look-up (how to find
        # this attestation if you already know the authority and artifact to be
        # verified) and intent (which authority was this attestation intended to sign
        # for).
      "pgpSignedAttestation": { # An attestation wrapper with a PGP-compatible signature. This message only # A PGP signed attestation.
          # supports `ATTACHED` signatures, where the payload that is signed is included
          # alongside the signature itself in the same file.
        "pgpKeyId": "A String", # The cryptographic fingerprint of the key used to generate the signature,
            # as output by, e.g. `gpg --list-keys`. This should be the version 4, full
            # 160-bit fingerprint, expressed as a 40 character hexidecimal string. See
            # https://tools.ietf.org/html/rfc4880#section-12.2 for details.
            # Implementations may choose to acknowledge "LONG", "SHORT", or other
            # abbreviated key IDs, but only the full fingerprint is guaranteed to work.
            # In gpg, the full fingerprint can be retrieved from the `fpr` field
            # returned when calling --list-keys with --with-colons.  For example:
            # ```
            # gpg --with-colons --with-fingerprint --force-v4-certs \
            #     --list-keys attester@example.com
            # tru::1:1513631572:0:3:1:5
            # pub:...<SNIP>...
            # fpr:::::::::24FF6481B76AC91E66A00AC657A93A81EF3AE6FB:
            # ```
            # Above, the fingerprint is `24FF6481B76AC91E66A00AC657A93A81EF3AE6FB`.
        "contentType": "A String", # Type (for example schema) of the attestation payload that was signed.
            # The verifier must ensure that the provided type is one that the verifier
            # supports, and that the attestation payload is a valid instantiation of that
            # type (for example by validating a JSON schema).
        "signature": "A String", # Required. The raw content of the signature, as output by GNU Privacy Guard
            # (GPG) or equivalent. Since this message only supports attached signatures,
            # the payload that was signed must be attached. While the signature format
            # supported is dependent on the verification implementation, currently only
            # ASCII-armored (`--armor` to gpg), non-clearsigned (`--sign` rather than
            # `--clearsign` to gpg) are supported. Concretely, `gpg --sign --armor
            # --output=signature.gpg payload.json` will create the signature content
            # expected in this field in `signature.gpg` for the `payload.json`
            # attestation payload.
      },
      "genericSignedAttestation": { # An attestation wrapper that uses the Grafeas `Signature` message.
          # This attestation must define the `serialized_payload` that the `signatures`
          # verify and any metadata necessary to interpret that plaintext.  The
          # signatures should always be over the `serialized_payload` bytestring.
        "signatures": [ # One or more signatures over `serialized_payload`.  Verifier implementations
            # should consider this attestation message verified if at least one
            # `signature` verifies `serialized_payload`.  See `Signature` in common.proto
            # for more details on signature structure and verification.
          { # Verifiers (e.g. Kritis implementations) MUST verify signatures
              # with respect to the trust anchors defined in policy (e.g. a Kritis policy).
              # Typically this means that the verifier has been configured with a map from
              # `public_key_id` to public key material (and any required parameters, e.g.
              # signing algorithm).
              #
              # In particular, verification implementations MUST NOT treat the signature
              # `public_key_id` as anything more than a key lookup hint. The `public_key_id`
              # DOES NOT validate or authenticate a public key; it only provides a mechanism
              # for quickly selecting a public key ALREADY CONFIGURED on the verifier through
              # a trusted channel. Verification implementations MUST reject signatures in any
              # of the following circumstances:
              #   * The `public_key_id` is not recognized by the verifier.
              #   * The public key that `public_key_id` refers to does not verify the
              #     signature with respect to the payload.
              #
              # The `signature` contents SHOULD NOT be "attached" (where the payload is
              # included with the serialized `signature` bytes). Verifiers MUST ignore any
              # "attached" payload and only verify signatures with respect to explicitly
              # provided payload (e.g. a `payload` field on the proto message that holds
              # this Signature, or the canonical serialization of the proto message that
              # holds this signature).
            "publicKeyId": "A String", # The identifier for the public key that verifies this signature.
                #   * The `public_key_id` is required.
                #   * The `public_key_id` MUST be an RFC3986 conformant URI.
                #   * When possible, the `public_key_id` SHOULD be an immutable reference,
                #     such as a cryptographic digest.
                #
                # Examples of valid `public_key_id`s:
                #
                # OpenPGP V4 public key fingerprint:
                #   * "openpgp4fpr:74FAF3B861BDA0870C7B6DEF607E48D2A663AEEA"
                # See https://www.iana.org/assignments/uri-schemes/prov/openpgp4fpr for more
                # details on this scheme.
                #
                # RFC6920 digest-named SubjectPublicKeyInfo (digest of the DER
                # serialization):
                #   * "ni:///sha-256;cD9o9Cq6LG3jD0iKXqEi_vdjJGecm_iXkbqVoScViaU"
                #   * "nih:///sha-256;703f68f42aba2c6de30f488a5ea122fef76324679c9bf89791ba95a1271589a5"
            "signature": "A String", # The content of the signature, an opaque bytestring.
                # The payload that this signature verifies MUST be unambiguously provided
                # with the Signature during verification. A wrapper message might provide
                # the payload explicitly. Alternatively, a message might have a canonical
                # serialization that can always be unambiguously computed to derive the
                # payload.
          },
        ],
        "contentType": "A String", # Type (for example schema) of the attestation payload that was signed.
            # The verifier must ensure that the provided type is one that the verifier
            # supports, and that the attestation payload is a valid instantiation of that
            # type (for example by validating a JSON schema).
        "serializedPayload": "A String", # The serialized payload that is verified by one or more `signatures`.
            # The encoding and semantic meaning of this payload must match what is set in
            # `content_type`.
      },
    },
  },
  "intoto": { # This corresponds to a signed in-toto link - it is made up of one or more # Describes a specific in-toto link.
      # signatures and the in-toto link itself. This is used for occurrences of a
      # Grafeas in-toto note.
    "signatures": [
      { # A signature object consists of the KeyID used and the signature itself.
        "keyid": "A String",
        "sig": "A String",
      },
    ],
    "signed": { # This corresponds to an in-toto link.
      "environment": { # Defines an object for the environment field in in-toto links. The suggested # This is a field that can be used to capture information about the
          # environment. It is suggested for this field to contain information that
          # details environment variables, filesystem information, and the present
          # working directory. The recommended structure of this field is:
          # "environment": {
          #   "custom_values": {
          #     "variables": "<ENV>",
          #     "filesystem": "<FS>",
          #     "workdir": "<CWD>",
          #     "<ANY OTHER RELEVANT FIELDS>": "..."
          #   }
          # }
          # fields are "variables", "filesystem", and "workdir".
        "customValues": {
          "a_key": "A String",
        },
      },
      "command": [ # This field contains the full command executed for the step. This can also
          # be empty if links are generated for operations that aren't directly mapped
          # to a specific command. Each term in the command is an independent string
          # in the list. An example of a command in the in-toto metadata field is:
          # "command": ["git", "clone", "https://github.com/in-toto/demo-project.git"]
        "A String",
      ],
      "materials": [ # Materials are the supply chain artifacts that go into the step and are used
          # for the operation performed. The key of the map is the path of the artifact
          # and the structure contains the recorded hash information. An example is:
          # "materials": [
          #   {
          #     "resource_uri": "foo/bar",
          #     "hashes": {
          #       "sha256": "ebebf...",
          #       <OTHER HASH ALGORITHMS>: <HASH VALUE>
          #     }
          #   }
          # ]
        {
          "resourceUri": "A String",
          "hashes": { # Defines a hash object for use in Materials and Products.
            "sha256": "A String",
          },
        },
      ],
      "products": [ # Products are the supply chain artifacts generated as a result of the step.
          # The structure is identical to that of materials.
        {
          "resourceUri": "A String",
          "hashes": { # Defines a hash object for use in Materials and Products.
            "sha256": "A String",
          },
        },
      ],
      "byproducts": { # Defines an object for the byproducts field in in-toto links. The suggested # ByProducts are data generated as part of a software supply chain step, but
          # are not the actual result of the step.
          # fields are "stderr", "stdout", and "return-value".
        "customValues": {
          "a_key": "A String",
        },
      },
    },
  },
  "build": { # Details of a build occurrence. # Describes a verifiable build.
    "provenance": { # Provenance of a build. Contains all information needed to verify the full # Required. The actual provenance for the build.
        # details about the build from source to completion.
      "commands": [ # Commands requested by the build.
        { # Command describes a step performed as part of the build pipeline.
          "waitFor": [ # The ID(s) of the command(s) that this command depends on.
            "A String",
          ],
          "name": "A String", # Required. Name of the command, as presented on the command line, or if the
              # command is packaged as a Docker container, as presented to `docker pull`.
          "args": [ # Command-line arguments used when executing this command.
            "A String",
          ],
          "env": [ # Environment variables set before running this command.
            "A String",
          ],
          "id": "A String", # Optional unique identifier for this command, used in wait_for to reference
              # this command as a dependency.
          "dir": "A String", # Working directory (relative to project source root) used when running this
              # command.
        },
      ],
      "sourceProvenance": { # Source describes the location of the source used for the build. # Details of the Source input to the build.
        "fileHashes": { # Hash(es) of the build source, which can be used to verify that the original
            # source integrity was maintained in the build.
            #
            # The keys to this map are file paths used as build source and the values
            # contain the hash values for those files.
            #
            # If the build source came in a single package such as a gzipped tarfile
            # (.tar.gz), the FileHash will be for the single path to that file.
          "a_key": { # Container message for hashes of byte content of files, used in source
              # messages to verify integrity of source input to the build.
            "fileHash": [ # Required. Collection of file hashes.
              { # Container message for hash values.
                "type": "A String", # Required. The type of hash that was performed.
                "value": "A String", # Required. The hash value.
              },
            ],
          },
        },
        "artifactStorageSourceUri": "A String", # If provided, the input binary artifacts for the build came from this
            # location.
        "additionalContexts": [ # If provided, some of the source code used for the build may be found in
            # these locations, in the case where the source repository had multiple
            # remotes or submodules. This list will not include the context specified in
            # the context field.
          { # A SourceContext is a reference to a tree of files. A SourceContext together
              # with a path point to a unique revision of a single file or directory.
            "git": { # A GitSourceContext denotes a particular revision in a third party Git # A SourceContext referring to any third party Git repo (e.g., GitHub).
                # repository (e.g., GitHub).
              "url": "A String", # Git repository URL.
              "revisionId": "A String", # Git commit hash.
            },
            "cloudRepo": { # A CloudRepoSourceContext denotes a particular revision in a Google Cloud # A SourceContext referring to a revision in a Google Cloud Source Repo.
                # Source Repo.
              "aliasContext": { # An alias to a repo revision. # An alias, which may be a branch or tag.
                "kind": "A String", # The alias kind.
                "name": "A String", # The alias name.
              },
              "revisionId": "A String", # A revision ID.
              "repoId": { # A unique identifier for a Cloud Repo. # The ID of the repo.
                "uid": "A String", # A server-assigned, globally unique identifier.
                "projectRepoId": { # Selects a repo using a Google Cloud Platform project ID (e.g., # A combination of a project ID and a repo name.
                    # winged-cargo-31) and a repo name within that project.
                  "projectId": "A String", # The ID of the project.
                  "repoName": "A String", # The name of the repo. Leave empty for the default repo.
                },
              },
            },
            "labels": { # Labels with user defined metadata.
              "a_key": "A String",
            },
            "gerrit": { # A SourceContext referring to a Gerrit project. # A SourceContext referring to a Gerrit project.
              "aliasContext": { # An alias to a repo revision. # An alias, which may be a branch or tag.
                "kind": "A String", # The alias kind.
                "name": "A String", # The alias name.
              },
              "revisionId": "A String", # A revision (commit) ID.
              "gerritProject": "A String", # The full project name within the host. Projects may be nested, so
                  # "project/subproject" is a valid project name. The "repo name" is the
                  # hostURI/project.
              "hostUri": "A String", # The URI of a running Gerrit instance.
            },
          },
        ],
        "context": { # A SourceContext is a reference to a tree of files. A SourceContext together # If provided, the source code used for the build came from this location.
            # with a path point to a unique revision of a single file or directory.
          "git": { # A GitSourceContext denotes a particular revision in a third party Git # A SourceContext referring to any third party Git repo (e.g., GitHub).
              # repository (e.g., GitHub).
            "url": "A String", # Git repository URL.
            "revisionId": "A String", # Git commit hash.
          },
          "cloudRepo": { # A CloudRepoSourceContext denotes a particular revision in a Google Cloud # A SourceContext referring to a revision in a Google Cloud Source Repo.
              # Source Repo.
            "aliasContext": { # An alias to a repo revision. # An alias, which may be a branch or tag.
              "kind": "A String", # The alias kind.
              "name": "A String", # The alias name.
            },
            "revisionId": "A String", # A revision ID.
            "repoId": { # A unique identifier for a Cloud Repo. # The ID of the repo.
              "uid": "A String", # A server-assigned, globally unique identifier.
              "projectRepoId": { # Selects a repo using a Google Cloud Platform project ID (e.g., # A combination of a project ID and a repo name.
                  # winged-cargo-31) and a repo name within that project.
                "projectId": "A String", # The ID of the project.
                "repoName": "A String", # The name of the repo. Leave empty for the default repo.
              },
            },
          },
          "labels": { # Labels with user defined metadata.
            "a_key": "A String",
          },
          "gerrit": { # A SourceContext referring to a Gerrit project. # A SourceContext referring to a Gerrit project.
            "aliasContext": { # An alias to a repo revision. # An alias, which may be a branch or tag.
              "kind": "A String", # The alias kind.
              "name": "A String", # The alias name.
            },
            "revisionId": "A String", # A revision (commit) ID.
            "gerritProject": "A String", # The full project name within the host. Projects may be nested, so
                # "project/subproject" is a valid project name. The "repo name" is the
                # hostURI/project.
            "hostUri": "A String", # The URI of a running Gerrit instance.
          },
        },
      },
      "buildOptions": { # Special options applied to this build. This is a catch-all field where
          # build providers can enter any desired additional details.
        "a_key": "A String",
      },
      "creator": "A String", # E-mail address of the user who initiated this build. Note that this was the
          # user's e-mail address at the time the build was initiated; this address may
          # not represent the same end-user for all time.
      "projectId": "A String", # ID of the project.
      "builderVersion": "A String", # Version string of the builder at the time this build was executed.
      "createTime": "A String", # Time at which the build was created.
      "builtArtifacts": [ # Output of the build.
        { # Artifact describes a build product.
          "checksum": "A String", # Hash or checksum value of a binary, or Docker Registry 2.0 digest of a
              # container.
          "id": "A String", # Artifact ID, if any; for container images, this will be a URL by digest
              # like `gcr.io/projectID/imagename@sha256:123456`.
          "names": [ # Related artifact names. This may be the path to a binary or jar file, or in
              # the case of a container build, the name used to push the container image to
              # Google Container Registry, as presented to `docker push`. Note that a
              # single Artifact ID can have multiple names, for example if two tags are
              # applied to one image.
            "A String",
          ],
        },
      ],
      "triggerId": "A String", # Trigger identifier if the build was triggered automatically; empty if not.
      "startTime": "A String", # Time at which execution of the build was started.
      "endTime": "A String", # Time at which execution of the build was finished.
      "id": "A String", # Required. Unique identifier of the build.
      "logsUri": "A String", # URI where any logs for this provenance were written.
    },
    "provenanceBytes": "A String", # Serialized JSON representation of the provenance, used in generating the
        # build signature in the corresponding build note. After verifying the
        # signature, `provenance_bytes` can be unmarshalled and compared to the
        # provenance to confirm that it is unchanged. A base64-encoded string
        # representation of the provenance bytes is used for the signature in order
        # to interoperate with openssl which expects this format for signature
        # verification.
        #
        # The serialized form is captured both to avoid ambiguity in how the
        # provenance is marshalled to json as well to prevent incompatibilities with
        # future changes.
  },
  "deployment": { # Details of a deployment occurrence. # Describes the deployment of an artifact on a runtime.
    "deployment": { # The period during which some deployable was active in a runtime. # Required. Deployment history for the resource.
      "resourceUri": [ # Output only. Resource URI for the artifact being deployed taken from
          # the deployable field with the same name.
        "A String",
      ],
      "userEmail": "A String", # Identity of the user that triggered this deployment.
      "address": "A String", # Address of the runtime element hosting this deployment.
      "platform": "A String", # Platform hosting this deployment.
      "deployTime": "A String", # Required. Beginning of the lifetime of this deployment.
      "undeployTime": "A String", # End of the lifetime of this deployment.
      "config": "A String", # Configuration used to create this deployment.
    },
  },
  "remediation": "A String", # A description of actions that can be taken to remedy the note.
  "installation": { # Details of a package occurrence. # Describes the installation of a package on the linked resource.
    "installation": { # This represents how a particular software package may be installed on a # Required. Where the package was installed.
        # system.
      "name": "A String", # Output only. The name of the installed package.
      "location": [ # Required. All of the places within the filesystem versions of this package
          # have been found.
        { # An occurrence of a particular package installation found within a system's
            # filesystem. E.g., glibc was found in `/var/lib/dpkg/status`.
          "path": "A String", # The path from which we gathered that this package/version is installed.
          "cpeUri": "A String", # Required. The CPE URI in [CPE format](https://cpe.mitre.org/specification/)
              # denoting the package manager version distributing a package.
          "version": { # Version contains structured information about the version of a package. # The version installed at this location.
            "epoch": 42, # Used to correct mistakes in the version numbering scheme.
            "kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal
                # versions.
            "name": "A String", # Required only when version kind is NORMAL. The main part of the version
                # name.
            "revision": "A String", # The iteration of the package build from the above version.
          },
        },
      ],
    },
  },
  "createTime": "A String", # Output only. The time this occurrence was created.
  "derivedImage": { # Details of an image occurrence. # Describes how this resource derives from the basis in the associated
      # note.
    "derivedImage": { # Derived describes the derived image portion (Occurrence) of the DockerImage # Required. Immutable. The child image derived from the base image.
        # relationship. This image would be produced from a Dockerfile with FROM
        # <DockerImage.Basis in attached Note>.
      "distance": 42, # Output only. The number of layers by which this image differs from the
          # associated image basis.
      "baseResourceUrl": "A String", # Output only. This contains the base image URL for the derived image
          # occurrence.
      "layerInfo": [ # This contains layer-specific metadata, if populated it has length
          # "distance" and is ordered with [distance] being the layer immediately
          # following the base image and [1] being the final layer.
        { # Layer holds metadata specific to a layer of a Docker image.
          "arguments": "A String", # The recovered arguments to the Dockerfile directive.
          "directive": "A String", # Required. The recovered Dockerfile directive used to construct this layer.
        },
      ],
      "fingerprint": { # A set of properties that uniquely identify a given Docker image. # Required. The fingerprint of the derived image.
        "v1Name": "A String", # Required. The layer ID of the final layer in the Docker image's v1
            # representation.
        "v2Blob": [ # Required. The ordered list of v2 blobs that represent a given image.
          "A String",
        ],
        "v2Name": "A String", # Output only. The name of the image's v2 blobs computed via:
            #   [bottom] := v2_blobbottom := sha256(v2_blob[N] + " " + v2_name[N+1])
            # Only the name of the final blob is kept.
      },
    },
  },
  "noteName": "A String", # Required. Immutable. The analysis note associated with this occurrence, in
      # the form of `projects/[PROVIDER_ID]/notes/[NOTE_ID]`. This field can be
      # used as a filter in list requests.
}

  updateMask: string, The fields to update.
  x__xgafv: string, V1 error format.
    Allowed values
      1 - v1 error format
      2 - v2 error format

Returns:
  An object of the form:

    { # An instance of an analysis type that has been found on a resource.
    "updateTime": "A String", # Output only. The time this occurrence was last updated.
    "resource": { # An entity that can have metadata. For example, a Docker image. # Required. Immutable. The resource for which the occurrence applies.
      "contentHash": { # Container message for hash values. # Deprecated, do not use. Use uri instead.
          #
          # The hash of the resource content. For example, the Docker digest.
        "type": "A String", # Required. The type of hash that was performed.
        "value": "A String", # Required. The hash value.
      },
      "name": "A String", # Deprecated, do not use. Use uri instead.
          #
          # The name of the resource. For example, the name of a Docker image -
          # "Debian".
      "uri": "A String", # Required. The unique URI of the resource. For example,
          # `https://gcr.io/project/image@sha256:foo` for a Docker image.
    },
    "name": "A String", # Output only. The name of the occurrence in the form of
        # `projects/[PROJECT_ID]/occurrences/[OCCURRENCE_ID]`.
    "vulnerability": { # Details of a vulnerability Occurrence. # Describes a security vulnerability.
      "cvssScore": 3.14, # Output only. The CVSS score of this vulnerability. CVSS score is on a
          # scale of 0-10 where 0 indicates low severity and 10 indicates high
          # severity.
      "severity": "A String", # Output only. The note provider assigned Severity of the vulnerability.
      "type": "A String", # The type of package; whether native or non native(ruby gems, node.js
          # packages etc)
      "effectiveSeverity": "A String", # The distro assigned severity for this vulnerability when it is
          # available, and note provider assigned severity when distro has not yet
          # assigned a severity for this vulnerability.
      "relatedUrls": [ # Output only. URLs related to this vulnerability.
        { # Metadata for any related URL information.
          "url": "A String", # Specific URL associated with the resource.
          "label": "A String", # Label to describe usage of the URL.
        },
      ],
      "packageIssue": [ # Required. The set of affected locations and their fixes (if available)
          # within the associated resource.
        { # This message wraps a location affected by a vulnerability and its
            # associated fix (if one is available).
          "severityName": "A String", # Deprecated, use Details.effective_severity instead
              # The severity (e.g., distro assigned severity) for this vulnerability.
          "affectedLocation": { # The location of the vulnerability. # Required. The location of the vulnerability.
            "cpeUri": "A String", # Required. The CPE URI in [cpe format](https://cpe.mitre.org/specification/)
                # format. Examples include distro or storage location for vulnerable jar.
            "version": { # Version contains structured information about the version of a package. # Required. The version of the package being described.
              "epoch": 42, # Used to correct mistakes in the version numbering scheme.
              "kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal
                  # versions.
              "name": "A String", # Required only when version kind is NORMAL. The main part of the version
                  # name.
              "revision": "A String", # The iteration of the package build from the above version.
            },
            "package": "A String", # Required. The package being described.
          },
          "fixedLocation": { # The location of the vulnerability. # The location of the available fix for vulnerability.
            "cpeUri": "A String", # Required. The CPE URI in [cpe format](https://cpe.mitre.org/specification/)
                # format. Examples include distro or storage location for vulnerable jar.
            "version": { # Version contains structured information about the version of a package. # Required. The version of the package being described.
              "epoch": 42, # Used to correct mistakes in the version numbering scheme.
              "kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal
                  # versions.
              "name": "A String", # Required only when version kind is NORMAL. The main part of the version
                  # name.
              "revision": "A String", # The iteration of the package build from the above version.
            },
            "package": "A String", # Required. The package being described.
          },
        },
      ],
      "longDescription": "A String", # Output only. A detailed description of this vulnerability.
      "shortDescription": "A String", # Output only. A one sentence description of this vulnerability.
    },
    "kind": "A String", # Output only. This explicitly denotes which of the occurrence details are
        # specified. This field can be used as a filter in list requests.
    "discovered": { # Details of a discovery occurrence. # Describes when a resource was discovered.
      "discovered": { # Provides information about the analysis status of a discovered resource. # Required. Analysis status for the discovered resource.
        "lastAnalysisTime": "A String", # The last time continuous analysis was done for this resource.
            # Deprecated, do not use.
        "analysisStatus": "A String", # The status of discovery for the resource.
        "continuousAnalysis": "A String", # Whether the resource is continuously analyzed.
        "analysisStatusError": { # The `Status` type defines a logical error model that is suitable for # When an error is encountered this will contain a LocalizedMessage under
            # details to show to the user. The LocalizedMessage is output only and
            # populated by the API.
            # different programming environments, including REST APIs and RPC APIs. It is
            # used by [gRPC](https://github.com/grpc). Each `Status` message contains
            # three pieces of data: error code, error message, and error details.
            #
            # You can find out more about this error model and how to work with it in the
            # [API Design Guide](https://cloud.google.com/apis/design/errors).
          "message": "A String", # A developer-facing error message, which should be in English. Any
              # user-facing error message should be localized and sent in the
              # google.rpc.Status.details field, or localized by the client.
          "code": 42, # The status code, which should be an enum value of google.rpc.Code.
          "details": [ # A list of messages that carry the error details.  There is a common set of
              # message types for APIs to use.
            {
              "a_key": "", # Properties of the object. Contains field @type with type URL.
            },
          ],
        },
      },
    },
    "attestation": { # Details of an attestation occurrence. # Describes an attestation of an artifact.
      "attestation": { # Occurrence that represents a single "attestation". The authenticity of an # Required. Attestation for the resource.
          # attestation can be verified using the attached signature. If the verifier
          # trusts the public key of the signer, then verifying the signature is
          # sufficient to establish trust. In this circumstance, the authority to which
          # this attestation is attached is primarily useful for look-up (how to find
          # this attestation if you already know the authority and artifact to be
          # verified) and intent (which authority was this attestation intended to sign
          # for).
        "pgpSignedAttestation": { # An attestation wrapper with a PGP-compatible signature. This message only # A PGP signed attestation.
            # supports `ATTACHED` signatures, where the payload that is signed is included
            # alongside the signature itself in the same file.
          "pgpKeyId": "A String", # The cryptographic fingerprint of the key used to generate the signature,
              # as output by, e.g. `gpg --list-keys`. This should be the version 4, full
              # 160-bit fingerprint, expressed as a 40 character hexidecimal string. See
              # https://tools.ietf.org/html/rfc4880#section-12.2 for details.
              # Implementations may choose to acknowledge "LONG", "SHORT", or other
              # abbreviated key IDs, but only the full fingerprint is guaranteed to work.
              # In gpg, the full fingerprint can be retrieved from the `fpr` field
              # returned when calling --list-keys with --with-colons.  For example:
              # ```
              # gpg --with-colons --with-fingerprint --force-v4-certs \
              #     --list-keys attester@example.com
              # tru::1:1513631572:0:3:1:5
              # pub:...<SNIP>...
              # fpr:::::::::24FF6481B76AC91E66A00AC657A93A81EF3AE6FB:
              # ```
              # Above, the fingerprint is `24FF6481B76AC91E66A00AC657A93A81EF3AE6FB`.
          "contentType": "A String", # Type (for example schema) of the attestation payload that was signed.
              # The verifier must ensure that the provided type is one that the verifier
              # supports, and that the attestation payload is a valid instantiation of that
              # type (for example by validating a JSON schema).
          "signature": "A String", # Required. The raw content of the signature, as output by GNU Privacy Guard
              # (GPG) or equivalent. Since this message only supports attached signatures,
              # the payload that was signed must be attached. While the signature format
              # supported is dependent on the verification implementation, currently only
              # ASCII-armored (`--armor` to gpg), non-clearsigned (`--sign` rather than
              # `--clearsign` to gpg) are supported. Concretely, `gpg --sign --armor
              # --output=signature.gpg payload.json` will create the signature content
              # expected in this field in `signature.gpg` for the `payload.json`
              # attestation payload.
        },
        "genericSignedAttestation": { # An attestation wrapper that uses the Grafeas `Signature` message.
            # This attestation must define the `serialized_payload` that the `signatures`
            # verify and any metadata necessary to interpret that plaintext.  The
            # signatures should always be over the `serialized_payload` bytestring.
          "signatures": [ # One or more signatures over `serialized_payload`.  Verifier implementations
              # should consider this attestation message verified if at least one
              # `signature` verifies `serialized_payload`.  See `Signature` in common.proto
              # for more details on signature structure and verification.
            { # Verifiers (e.g. Kritis implementations) MUST verify signatures
                # with respect to the trust anchors defined in policy (e.g. a Kritis policy).
                # Typically this means that the verifier has been configured with a map from
                # `public_key_id` to public key material (and any required parameters, e.g.
                # signing algorithm).
                #
                # In particular, verification implementations MUST NOT treat the signature
                # `public_key_id` as anything more than a key lookup hint. The `public_key_id`
                # DOES NOT validate or authenticate a public key; it only provides a mechanism
                # for quickly selecting a public key ALREADY CONFIGURED on the verifier through
                # a trusted channel. Verification implementations MUST reject signatures in any
                # of the following circumstances:
                #   * The `public_key_id` is not recognized by the verifier.
                #   * The public key that `public_key_id` refers to does not verify the
                #     signature with respect to the payload.
                #
                # The `signature` contents SHOULD NOT be "attached" (where the payload is
                # included with the serialized `signature` bytes). Verifiers MUST ignore any
                # "attached" payload and only verify signatures with respect to explicitly
                # provided payload (e.g. a `payload` field on the proto message that holds
                # this Signature, or the canonical serialization of the proto message that
                # holds this signature).
              "publicKeyId": "A String", # The identifier for the public key that verifies this signature.
                  #   * The `public_key_id` is required.
                  #   * The `public_key_id` MUST be an RFC3986 conformant URI.
                  #   * When possible, the `public_key_id` SHOULD be an immutable reference,
                  #     such as a cryptographic digest.
                  #
                  # Examples of valid `public_key_id`s:
                  #
                  # OpenPGP V4 public key fingerprint:
                  #   * "openpgp4fpr:74FAF3B861BDA0870C7B6DEF607E48D2A663AEEA"
                  # See https://www.iana.org/assignments/uri-schemes/prov/openpgp4fpr for more
                  # details on this scheme.
                  #
                  # RFC6920 digest-named SubjectPublicKeyInfo (digest of the DER
                  # serialization):
                  #   * "ni:///sha-256;cD9o9Cq6LG3jD0iKXqEi_vdjJGecm_iXkbqVoScViaU"
                  #   * "nih:///sha-256;703f68f42aba2c6de30f488a5ea122fef76324679c9bf89791ba95a1271589a5"
              "signature": "A String", # The content of the signature, an opaque bytestring.
                  # The payload that this signature verifies MUST be unambiguously provided
                  # with the Signature during verification. A wrapper message might provide
                  # the payload explicitly. Alternatively, a message might have a canonical
                  # serialization that can always be unambiguously computed to derive the
                  # payload.
            },
          ],
          "contentType": "A String", # Type (for example schema) of the attestation payload that was signed.
              # The verifier must ensure that the provided type is one that the verifier
              # supports, and that the attestation payload is a valid instantiation of that
              # type (for example by validating a JSON schema).
          "serializedPayload": "A String", # The serialized payload that is verified by one or more `signatures`.
              # The encoding and semantic meaning of this payload must match what is set in
              # `content_type`.
        },
      },
    },
    "intoto": { # This corresponds to a signed in-toto link - it is made up of one or more # Describes a specific in-toto link.
        # signatures and the in-toto link itself. This is used for occurrences of a
        # Grafeas in-toto note.
      "signatures": [
        { # A signature object consists of the KeyID used and the signature itself.
          "keyid": "A String",
          "sig": "A String",
        },
      ],
      "signed": { # This corresponds to an in-toto link.
        "environment": { # Defines an object for the environment field in in-toto links. The suggested # This is a field that can be used to capture information about the
            # environment. It is suggested for this field to contain information that
            # details environment variables, filesystem information, and the present
            # working directory. The recommended structure of this field is:
            # "environment": {
            #   "custom_values": {
            #     "variables": "<ENV>",
            #     "filesystem": "<FS>",
            #     "workdir": "<CWD>",
            #     "<ANY OTHER RELEVANT FIELDS>": "..."
            #   }
            # }
            # fields are "variables", "filesystem", and "workdir".
          "customValues": {
            "a_key": "A String",
          },
        },
        "command": [ # This field contains the full command executed for the step. This can also
            # be empty if links are generated for operations that aren't directly mapped
            # to a specific command. Each term in the command is an independent string
            # in the list. An example of a command in the in-toto metadata field is:
            # "command": ["git", "clone", "https://github.com/in-toto/demo-project.git"]
          "A String",
        ],
        "materials": [ # Materials are the supply chain artifacts that go into the step and are used
            # for the operation performed. The key of the map is the path of the artifact
            # and the structure contains the recorded hash information. An example is:
            # "materials": [
            #   {
            #     "resource_uri": "foo/bar",
            #     "hashes": {
            #       "sha256": "ebebf...",
            #       <OTHER HASH ALGORITHMS>: <HASH VALUE>
            #     }
            #   }
            # ]
          {
            "resourceUri": "A String",
            "hashes": { # Defines a hash object for use in Materials and Products.
              "sha256": "A String",
            },
          },
        ],
        "products": [ # Products are the supply chain artifacts generated as a result of the step.
            # The structure is identical to that of materials.
          {
            "resourceUri": "A String",
            "hashes": { # Defines a hash object for use in Materials and Products.
              "sha256": "A String",
            },
          },
        ],
        "byproducts": { # Defines an object for the byproducts field in in-toto links. The suggested # ByProducts are data generated as part of a software supply chain step, but
            # are not the actual result of the step.
            # fields are "stderr", "stdout", and "return-value".
          "customValues": {
            "a_key": "A String",
          },
        },
      },
    },
    "build": { # Details of a build occurrence. # Describes a verifiable build.
      "provenance": { # Provenance of a build. Contains all information needed to verify the full # Required. The actual provenance for the build.
          # details about the build from source to completion.
        "commands": [ # Commands requested by the build.
          { # Command describes a step performed as part of the build pipeline.
            "waitFor": [ # The ID(s) of the command(s) that this command depends on.
              "A String",
            ],
            "name": "A String", # Required. Name of the command, as presented on the command line, or if the
                # command is packaged as a Docker container, as presented to `docker pull`.
            "args": [ # Command-line arguments used when executing this command.
              "A String",
            ],
            "env": [ # Environment variables set before running this command.
              "A String",
            ],
            "id": "A String", # Optional unique identifier for this command, used in wait_for to reference
                # this command as a dependency.
            "dir": "A String", # Working directory (relative to project source root) used when running this
                # command.
          },
        ],
        "sourceProvenance": { # Source describes the location of the source used for the build. # Details of the Source input to the build.
          "fileHashes": { # Hash(es) of the build source, which can be used to verify that the original
              # source integrity was maintained in the build.
              #
              # The keys to this map are file paths used as build source and the values
              # contain the hash values for those files.
              #
              # If the build source came in a single package such as a gzipped tarfile
              # (.tar.gz), the FileHash will be for the single path to that file.
            "a_key": { # Container message for hashes of byte content of files, used in source
                # messages to verify integrity of source input to the build.
              "fileHash": [ # Required. Collection of file hashes.
                { # Container message for hash values.
                  "type": "A String", # Required. The type of hash that was performed.
                  "value": "A String", # Required. The hash value.
                },
              ],
            },
          },
          "artifactStorageSourceUri": "A String", # If provided, the input binary artifacts for the build came from this
              # location.
          "additionalContexts": [ # If provided, some of the source code used for the build may be found in
              # these locations, in the case where the source repository had multiple
              # remotes or submodules. This list will not include the context specified in
              # the context field.
            { # A SourceContext is a reference to a tree of files. A SourceContext together
                # with a path point to a unique revision of a single file or directory.
              "git": { # A GitSourceContext denotes a particular revision in a third party Git # A SourceContext referring to any third party Git repo (e.g., GitHub).
                  # repository (e.g., GitHub).
                "url": "A String", # Git repository URL.
                "revisionId": "A String", # Git commit hash.
              },
              "cloudRepo": { # A CloudRepoSourceContext denotes a particular revision in a Google Cloud # A SourceContext referring to a revision in a Google Cloud Source Repo.
                  # Source Repo.
                "aliasContext": { # An alias to a repo revision. # An alias, which may be a branch or tag.
                  "kind": "A String", # The alias kind.
                  "name": "A String", # The alias name.
                },
                "revisionId": "A String", # A revision ID.
                "repoId": { # A unique identifier for a Cloud Repo. # The ID of the repo.
                  "uid": "A String", # A server-assigned, globally unique identifier.
                  "projectRepoId": { # Selects a repo using a Google Cloud Platform project ID (e.g., # A combination of a project ID and a repo name.
                      # winged-cargo-31) and a repo name within that project.
                    "projectId": "A String", # The ID of the project.
                    "repoName": "A String", # The name of the repo. Leave empty for the default repo.
                  },
                },
              },
              "labels": { # Labels with user defined metadata.
                "a_key": "A String",
              },
              "gerrit": { # A SourceContext referring to a Gerrit project. # A SourceContext referring to a Gerrit project.
                "aliasContext": { # An alias to a repo revision. # An alias, which may be a branch or tag.
                  "kind": "A String", # The alias kind.
                  "name": "A String", # The alias name.
                },
                "revisionId": "A String", # A revision (commit) ID.
                "gerritProject": "A String", # The full project name within the host. Projects may be nested, so
                    # "project/subproject" is a valid project name. The "repo name" is the
                    # hostURI/project.
                "hostUri": "A String", # The URI of a running Gerrit instance.
              },
            },
          ],
          "context": { # A SourceContext is a reference to a tree of files. A SourceContext together # If provided, the source code used for the build came from this location.
              # with a path point to a unique revision of a single file or directory.
            "git": { # A GitSourceContext denotes a particular revision in a third party Git # A SourceContext referring to any third party Git repo (e.g., GitHub).
                # repository (e.g., GitHub).
              "url": "A String", # Git repository URL.
              "revisionId": "A String", # Git commit hash.
            },
            "cloudRepo": { # A CloudRepoSourceContext denotes a particular revision in a Google Cloud # A SourceContext referring to a revision in a Google Cloud Source Repo.
                # Source Repo.
              "aliasContext": { # An alias to a repo revision. # An alias, which may be a branch or tag.
                "kind": "A String", # The alias kind.
                "name": "A String", # The alias name.
              },
              "revisionId": "A String", # A revision ID.
              "repoId": { # A unique identifier for a Cloud Repo. # The ID of the repo.
                "uid": "A String", # A server-assigned, globally unique identifier.
                "projectRepoId": { # Selects a repo using a Google Cloud Platform project ID (e.g., # A combination of a project ID and a repo name.
                    # winged-cargo-31) and a repo name within that project.
                  "projectId": "A String", # The ID of the project.
                  "repoName": "A String", # The name of the repo. Leave empty for the default repo.
                },
              },
            },
            "labels": { # Labels with user defined metadata.
              "a_key": "A String",
            },
            "gerrit": { # A SourceContext referring to a Gerrit project. # A SourceContext referring to a Gerrit project.
              "aliasContext": { # An alias to a repo revision. # An alias, which may be a branch or tag.
                "kind": "A String", # The alias kind.
                "name": "A String", # The alias name.
              },
              "revisionId": "A String", # A revision (commit) ID.
              "gerritProject": "A String", # The full project name within the host. Projects may be nested, so
                  # "project/subproject" is a valid project name. The "repo name" is the
                  # hostURI/project.
              "hostUri": "A String", # The URI of a running Gerrit instance.
            },
          },
        },
        "buildOptions": { # Special options applied to this build. This is a catch-all field where
            # build providers can enter any desired additional details.
          "a_key": "A String",
        },
        "creator": "A String", # E-mail address of the user who initiated this build. Note that this was the
            # user's e-mail address at the time the build was initiated; this address may
            # not represent the same end-user for all time.
        "projectId": "A String", # ID of the project.
        "builderVersion": "A String", # Version string of the builder at the time this build was executed.
        "createTime": "A String", # Time at which the build was created.
        "builtArtifacts": [ # Output of the build.
          { # Artifact describes a build product.
            "checksum": "A String", # Hash or checksum value of a binary, or Docker Registry 2.0 digest of a
                # container.
            "id": "A String", # Artifact ID, if any; for container images, this will be a URL by digest
                # like `gcr.io/projectID/imagename@sha256:123456`.
            "names": [ # Related artifact names. This may be the path to a binary or jar file, or in
                # the case of a container build, the name used to push the container image to
                # Google Container Registry, as presented to `docker push`. Note that a
                # single Artifact ID can have multiple names, for example if two tags are
                # applied to one image.
              "A String",
            ],
          },
        ],
        "triggerId": "A String", # Trigger identifier if the build was triggered automatically; empty if not.
        "startTime": "A String", # Time at which execution of the build was started.
        "endTime": "A String", # Time at which execution of the build was finished.
        "id": "A String", # Required. Unique identifier of the build.
        "logsUri": "A String", # URI where any logs for this provenance were written.
      },
      "provenanceBytes": "A String", # Serialized JSON representation of the provenance, used in generating the
          # build signature in the corresponding build note. After verifying the
          # signature, `provenance_bytes` can be unmarshalled and compared to the
          # provenance to confirm that it is unchanged. A base64-encoded string
          # representation of the provenance bytes is used for the signature in order
          # to interoperate with openssl which expects this format for signature
          # verification.
          #
          # The serialized form is captured both to avoid ambiguity in how the
          # provenance is marshalled to json as well to prevent incompatibilities with
          # future changes.
    },
    "deployment": { # Details of a deployment occurrence. # Describes the deployment of an artifact on a runtime.
      "deployment": { # The period during which some deployable was active in a runtime. # Required. Deployment history for the resource.
        "resourceUri": [ # Output only. Resource URI for the artifact being deployed taken from
            # the deployable field with the same name.
          "A String",
        ],
        "userEmail": "A String", # Identity of the user that triggered this deployment.
        "address": "A String", # Address of the runtime element hosting this deployment.
        "platform": "A String", # Platform hosting this deployment.
        "deployTime": "A String", # Required. Beginning of the lifetime of this deployment.
        "undeployTime": "A String", # End of the lifetime of this deployment.
        "config": "A String", # Configuration used to create this deployment.
      },
    },
    "remediation": "A String", # A description of actions that can be taken to remedy the note.
    "installation": { # Details of a package occurrence. # Describes the installation of a package on the linked resource.
      "installation": { # This represents how a particular software package may be installed on a # Required. Where the package was installed.
          # system.
        "name": "A String", # Output only. The name of the installed package.
        "location": [ # Required. All of the places within the filesystem versions of this package
            # have been found.
          { # An occurrence of a particular package installation found within a system's
              # filesystem. E.g., glibc was found in `/var/lib/dpkg/status`.
            "path": "A String", # The path from which we gathered that this package/version is installed.
            "cpeUri": "A String", # Required. The CPE URI in [CPE format](https://cpe.mitre.org/specification/)
                # denoting the package manager version distributing a package.
            "version": { # Version contains structured information about the version of a package. # The version installed at this location.
              "epoch": 42, # Used to correct mistakes in the version numbering scheme.
              "kind": "A String", # Required. Distinguishes between sentinel MIN/MAX versions and normal
                  # versions.
              "name": "A String", # Required only when version kind is NORMAL. The main part of the version
                  # name.
              "revision": "A String", # The iteration of the package build from the above version.
            },
          },
        ],
      },
    },
    "createTime": "A String", # Output only. The time this occurrence was created.
    "derivedImage": { # Details of an image occurrence. # Describes how this resource derives from the basis in the associated
        # note.
      "derivedImage": { # Derived describes the derived image portion (Occurrence) of the DockerImage # Required. Immutable. The child image derived from the base image.
          # relationship. This image would be produced from a Dockerfile with FROM
          # <DockerImage.Basis in attached Note>.
        "distance": 42, # Output only. The number of layers by which this image differs from the
            # associated image basis.
        "baseResourceUrl": "A String", # Output only. This contains the base image URL for the derived image
            # occurrence.
        "layerInfo": [ # This contains layer-specific metadata, if populated it has length
            # "distance" and is ordered with [distance] being the layer immediately
            # following the base image and [1] being the final layer.
          { # Layer holds metadata specific to a layer of a Docker image.
            "arguments": "A String", # The recovered arguments to the Dockerfile directive.
            "directive": "A String", # Required. The recovered Dockerfile directive used to construct this layer.
          },
        ],
        "fingerprint": { # A set of properties that uniquely identify a given Docker image. # Required. The fingerprint of the derived image.
          "v1Name": "A String", # Required. The layer ID of the final layer in the Docker image's v1
              # representation.
          "v2Blob": [ # Required. The ordered list of v2 blobs that represent a given image.
            "A String",
          ],
          "v2Name": "A String", # Output only. The name of the image's v2 blobs computed via:
              #   [bottom] := v2_blobbottom := sha256(v2_blob[N] + " " + v2_name[N+1])
              # Only the name of the final blob is kept.
        },
      },
    },
    "noteName": "A String", # Required. Immutable. The analysis note associated with this occurrence, in
        # the form of `projects/[PROVIDER_ID]/notes/[NOTE_ID]`. This field can be
        # used as a filter in list requests.
  }
setIamPolicy(resource, body=None, x__xgafv=None)
Sets the access control policy on the specified note or occurrence.
Requires `containeranalysis.notes.setIamPolicy` or
`containeranalysis.occurrences.setIamPolicy` permission if the resource is
a note or an occurrence, respectively.

The resource takes the format `projects/[PROJECT_ID]/notes/[NOTE_ID]` for
notes and `projects/[PROJECT_ID]/occurrences/[OCCURRENCE_ID]` for
occurrences.

Args:
  resource: string, REQUIRED: The resource for which the policy is being specified.
See the operation documentation for the appropriate value for this field. (required)
  body: object, The request body.
    The object takes the form of:

{ # Request message for `SetIamPolicy` method.
    "policy": { # An Identity and Access Management (IAM) policy, which specifies access # REQUIRED: The complete policy to be applied to the `resource`. The size of
        # the policy is limited to a few 10s of KB. An empty policy is a
        # valid policy but certain Cloud Platform services (such as Projects)
        # might reject them.
        # controls for Google Cloud resources.
        #
        #
        # A `Policy` is a collection of `bindings`. A `binding` binds one or more
        # `members` to a single `role`. Members can be user accounts, service accounts,
        # Google groups, and domains (such as G Suite). A `role` is a named list of
        # permissions; each `role` can be an IAM predefined role or a user-created
        # custom role.
        #
        # Optionally, a `binding` can specify a `condition`, which is a logical
        # expression that allows access to a resource only if the expression evaluates
        # to `true`. A condition can add constraints based on attributes of the
        # request, the resource, or both.
        #
        # **JSON example:**
        #
        #     {
        #       "bindings": [
        #         {
        #           "role": "roles/resourcemanager.organizationAdmin",
        #           "members": [
        #             "user:mike@example.com",
        #             "group:admins@example.com",
        #             "domain:google.com",
        #             "serviceAccount:my-project-id@appspot.gserviceaccount.com"
        #           ]
        #         },
        #         {
        #           "role": "roles/resourcemanager.organizationViewer",
        #           "members": ["user:eve@example.com"],
        #           "condition": {
        #             "title": "expirable access",
        #             "description": "Does not grant access after Sep 2020",
        #             "expression": "request.time < timestamp('2020-10-01T00:00:00.000Z')",
        #           }
        #         }
        #       ],
        #       "etag": "BwWWja0YfJA=",
        #       "version": 3
        #     }
        #
        # **YAML example:**
        #
        #     bindings:
        #     - members:
        #       - user:mike@example.com
        #       - group:admins@example.com
        #       - domain:google.com
        #       - serviceAccount:my-project-id@appspot.gserviceaccount.com
        #       role: roles/resourcemanager.organizationAdmin
        #     - members:
        #       - user:eve@example.com
        #       role: roles/resourcemanager.organizationViewer
        #       condition:
        #         title: expirable access
        #         description: Does not grant access after Sep 2020
        #         expression: request.time < timestamp('2020-10-01T00:00:00.000Z')
        #     - etag: BwWWja0YfJA=
        #     - version: 3
        #
        # For a description of IAM and its features, see the
        # [IAM documentation](https://cloud.google.com/iam/docs/).
      "bindings": [ # Associates a list of `members` to a `role`. Optionally, may specify a
          # `condition` that determines how and when the `bindings` are applied. Each
          # of the `bindings` must contain at least one member.
        { # Associates `members` with a `role`.
          "role": "A String", # Role that is assigned to `members`.
              # For example, `roles/viewer`, `roles/editor`, or `roles/owner`.
          "condition": { # Represents a textual expression in the Common Expression Language (CEL) # The condition that is associated with this binding.
              # NOTE: An unsatisfied condition will not allow user access via current
              # binding. Different bindings, including their conditions, are examined
              # independently.
              # syntax. CEL is a C-like expression language. The syntax and semantics of CEL
              # are documented at https://github.com/google/cel-spec.
              #
              # Example (Comparison):
              #
              #     title: "Summary size limit"
              #     description: "Determines if a summary is less than 100 chars"
              #     expression: "document.summary.size() < 100"
              #
              # Example (Equality):
              #
              #     title: "Requestor is owner"
              #     description: "Determines if requestor is the document owner"
              #     expression: "document.owner == request.auth.claims.email"
              #
              # Example (Logic):
              #
              #     title: "Public documents"
              #     description: "Determine whether the document should be publicly visible"
              #     expression: "document.type != 'private' && document.type != 'internal'"
              #
              # Example (Data Manipulation):
              #
              #     title: "Notification string"
              #     description: "Create a notification string with a timestamp."
              #     expression: "'New message received at ' + string(document.create_time)"
              #
              # The exact variables and functions that may be referenced within an expression
              # are determined by the service that evaluates it. See the service
              # documentation for additional information.
            "description": "A String", # Optional. Description of the expression. This is a longer text which
                # describes the expression, e.g. when hovered over it in a UI.
            "expression": "A String", # Textual representation of an expression in Common Expression Language
                # syntax.
            "location": "A String", # Optional. String indicating the location of the expression for error
                # reporting, e.g. a file name and a position in the file.
            "title": "A String", # Optional. Title for the expression, i.e. a short string describing
                # its purpose. This can be used e.g. in UIs which allow to enter the
                # expression.
          },
          "members": [ # Specifies the identities requesting access for a Cloud Platform resource.
              # `members` can have the following values:
              #
              # * `allUsers`: A special identifier that represents anyone who is
              #    on the internet; with or without a Google account.
              #
              # * `allAuthenticatedUsers`: A special identifier that represents anyone
              #    who is authenticated with a Google account or a service account.
              #
              # * `user:{emailid}`: An email address that represents a specific Google
              #    account. For example, `alice@example.com` .
              #
              #
              # * `serviceAccount:{emailid}`: An email address that represents a service
              #    account. For example, `my-other-app@appspot.gserviceaccount.com`.
              #
              # * `group:{emailid}`: An email address that represents a Google group.
              #    For example, `admins@example.com`.
              #
              # * `deleted:user:{emailid}?uid={uniqueid}`: An email address (plus unique
              #    identifier) representing a user that has been recently deleted. For
              #    example, `alice@example.com?uid=123456789012345678901`. If the user is
              #    recovered, this value reverts to `user:{emailid}` and the recovered user
              #    retains the role in the binding.
              #
              # * `deleted:serviceAccount:{emailid}?uid={uniqueid}`: An email address (plus
              #    unique identifier) representing a service account that has been recently
              #    deleted. For example,
              #    `my-other-app@appspot.gserviceaccount.com?uid=123456789012345678901`.
              #    If the service account is undeleted, this value reverts to
              #    `serviceAccount:{emailid}` and the undeleted service account retains the
              #    role in the binding.
              #
              # * `deleted:group:{emailid}?uid={uniqueid}`: An email address (plus unique
              #    identifier) representing a Google group that has been recently
              #    deleted. For example, `admins@example.com?uid=123456789012345678901`. If
              #    the group is recovered, this value reverts to `group:{emailid}` and the
              #    recovered group retains the role in the binding.
              #
              #
              # * `domain:{domain}`: The G Suite domain (primary) that represents all the
              #    users of that domain. For example, `google.com` or `example.com`.
              #
            "A String",
          ],
        },
      ],
      "etag": "A String", # `etag` is used for optimistic concurrency control as a way to help
          # prevent simultaneous updates of a policy from overwriting each other.
          # It is strongly suggested that systems make use of the `etag` in the
          # read-modify-write cycle to perform policy updates in order to avoid race
          # conditions: An `etag` is returned in the response to `getIamPolicy`, and
          # systems are expected to put that etag in the request to `setIamPolicy` to
          # ensure that their change will be applied to the same version of the policy.
          #
          # **Important:** If you use IAM Conditions, you must include the `etag` field
          # whenever you call `setIamPolicy`. If you omit this field, then IAM allows
          # you to overwrite a version `3` policy with a version `1` policy, and all of
          # the conditions in the version `3` policy are lost.
      "version": 42, # Specifies the format of the policy.
          #
          # Valid values are `0`, `1`, and `3`. Requests that specify an invalid value
          # are rejected.
          #
          # Any operation that affects conditional role bindings must specify version
          # `3`. This requirement applies to the following operations:
          #
          # * Getting a policy that includes a conditional role binding
          # * Adding a conditional role binding to a policy
          # * Changing a conditional role binding in a policy
          # * Removing any role binding, with or without a condition, from a policy
          #   that includes conditions
          #
          # **Important:** If you use IAM Conditions, you must include the `etag` field
          # whenever you call `setIamPolicy`. If you omit this field, then IAM allows
          # you to overwrite a version `3` policy with a version `1` policy, and all of
          # the conditions in the version `3` policy are lost.
          #
          # If a policy does not include any conditions, operations on that policy may
          # specify any valid version or leave the field unset.
    },
  }

  x__xgafv: string, V1 error format.
    Allowed values
      1 - v1 error format
      2 - v2 error format

Returns:
  An object of the form:

    { # An Identity and Access Management (IAM) policy, which specifies access
      # controls for Google Cloud resources.
      #
      #
      # A `Policy` is a collection of `bindings`. A `binding` binds one or more
      # `members` to a single `role`. Members can be user accounts, service accounts,
      # Google groups, and domains (such as G Suite). A `role` is a named list of
      # permissions; each `role` can be an IAM predefined role or a user-created
      # custom role.
      #
      # Optionally, a `binding` can specify a `condition`, which is a logical
      # expression that allows access to a resource only if the expression evaluates
      # to `true`. A condition can add constraints based on attributes of the
      # request, the resource, or both.
      #
      # **JSON example:**
      #
      #     {
      #       "bindings": [
      #         {
      #           "role": "roles/resourcemanager.organizationAdmin",
      #           "members": [
      #             "user:mike@example.com",
      #             "group:admins@example.com",
      #             "domain:google.com",
      #             "serviceAccount:my-project-id@appspot.gserviceaccount.com"
      #           ]
      #         },
      #         {
      #           "role": "roles/resourcemanager.organizationViewer",
      #           "members": ["user:eve@example.com"],
      #           "condition": {
      #             "title": "expirable access",
      #             "description": "Does not grant access after Sep 2020",
      #             "expression": "request.time < timestamp('2020-10-01T00:00:00.000Z')",
      #           }
      #         }
      #       ],
      #       "etag": "BwWWja0YfJA=",
      #       "version": 3
      #     }
      #
      # **YAML example:**
      #
      #     bindings:
      #     - members:
      #       - user:mike@example.com
      #       - group:admins@example.com
      #       - domain:google.com
      #       - serviceAccount:my-project-id@appspot.gserviceaccount.com
      #       role: roles/resourcemanager.organizationAdmin
      #     - members:
      #       - user:eve@example.com
      #       role: roles/resourcemanager.organizationViewer
      #       condition:
      #         title: expirable access
      #         description: Does not grant access after Sep 2020
      #         expression: request.time < timestamp('2020-10-01T00:00:00.000Z')
      #     - etag: BwWWja0YfJA=
      #     - version: 3
      #
      # For a description of IAM and its features, see the
      # [IAM documentation](https://cloud.google.com/iam/docs/).
    "bindings": [ # Associates a list of `members` to a `role`. Optionally, may specify a
        # `condition` that determines how and when the `bindings` are applied. Each
        # of the `bindings` must contain at least one member.
      { # Associates `members` with a `role`.
        "role": "A String", # Role that is assigned to `members`.
            # For example, `roles/viewer`, `roles/editor`, or `roles/owner`.
        "condition": { # Represents a textual expression in the Common Expression Language (CEL) # The condition that is associated with this binding.
            # NOTE: An unsatisfied condition will not allow user access via current
            # binding. Different bindings, including their conditions, are examined
            # independently.
            # syntax. CEL is a C-like expression language. The syntax and semantics of CEL
            # are documented at https://github.com/google/cel-spec.
            #
            # Example (Comparison):
            #
            #     title: "Summary size limit"
            #     description: "Determines if a summary is less than 100 chars"
            #     expression: "document.summary.size() < 100"
            #
            # Example (Equality):
            #
            #     title: "Requestor is owner"
            #     description: "Determines if requestor is the document owner"
            #     expression: "document.owner == request.auth.claims.email"
            #
            # Example (Logic):
            #
            #     title: "Public documents"
            #     description: "Determine whether the document should be publicly visible"
            #     expression: "document.type != 'private' && document.type != 'internal'"
            #
            # Example (Data Manipulation):
            #
            #     title: "Notification string"
            #     description: "Create a notification string with a timestamp."
            #     expression: "'New message received at ' + string(document.create_time)"
            #
            # The exact variables and functions that may be referenced within an expression
            # are determined by the service that evaluates it. See the service
            # documentation for additional information.
          "description": "A String", # Optional. Description of the expression. This is a longer text which
              # describes the expression, e.g. when hovered over it in a UI.
          "expression": "A String", # Textual representation of an expression in Common Expression Language
              # syntax.
          "location": "A String", # Optional. String indicating the location of the expression for error
              # reporting, e.g. a file name and a position in the file.
          "title": "A String", # Optional. Title for the expression, i.e. a short string describing
              # its purpose. This can be used e.g. in UIs which allow to enter the
              # expression.
        },
        "members": [ # Specifies the identities requesting access for a Cloud Platform resource.
            # `members` can have the following values:
            #
            # * `allUsers`: A special identifier that represents anyone who is
            #    on the internet; with or without a Google account.
            #
            # * `allAuthenticatedUsers`: A special identifier that represents anyone
            #    who is authenticated with a Google account or a service account.
            #
            # * `user:{emailid}`: An email address that represents a specific Google
            #    account. For example, `alice@example.com` .
            #
            #
            # * `serviceAccount:{emailid}`: An email address that represents a service
            #    account. For example, `my-other-app@appspot.gserviceaccount.com`.
            #
            # * `group:{emailid}`: An email address that represents a Google group.
            #    For example, `admins@example.com`.
            #
            # * `deleted:user:{emailid}?uid={uniqueid}`: An email address (plus unique
            #    identifier) representing a user that has been recently deleted. For
            #    example, `alice@example.com?uid=123456789012345678901`. If the user is
            #    recovered, this value reverts to `user:{emailid}` and the recovered user
            #    retains the role in the binding.
            #
            # * `deleted:serviceAccount:{emailid}?uid={uniqueid}`: An email address (plus
            #    unique identifier) representing a service account that has been recently
            #    deleted. For example,
            #    `my-other-app@appspot.gserviceaccount.com?uid=123456789012345678901`.
            #    If the service account is undeleted, this value reverts to
            #    `serviceAccount:{emailid}` and the undeleted service account retains the
            #    role in the binding.
            #
            # * `deleted:group:{emailid}?uid={uniqueid}`: An email address (plus unique
            #    identifier) representing a Google group that has been recently
            #    deleted. For example, `admins@example.com?uid=123456789012345678901`. If
            #    the group is recovered, this value reverts to `group:{emailid}` and the
            #    recovered group retains the role in the binding.
            #
            #
            # * `domain:{domain}`: The G Suite domain (primary) that represents all the
            #    users of that domain. For example, `google.com` or `example.com`.
            #
          "A String",
        ],
      },
    ],
    "etag": "A String", # `etag` is used for optimistic concurrency control as a way to help
        # prevent simultaneous updates of a policy from overwriting each other.
        # It is strongly suggested that systems make use of the `etag` in the
        # read-modify-write cycle to perform policy updates in order to avoid race
        # conditions: An `etag` is returned in the response to `getIamPolicy`, and
        # systems are expected to put that etag in the request to `setIamPolicy` to
        # ensure that their change will be applied to the same version of the policy.
        #
        # **Important:** If you use IAM Conditions, you must include the `etag` field
        # whenever you call `setIamPolicy`. If you omit this field, then IAM allows
        # you to overwrite a version `3` policy with a version `1` policy, and all of
        # the conditions in the version `3` policy are lost.
    "version": 42, # Specifies the format of the policy.
        #
        # Valid values are `0`, `1`, and `3`. Requests that specify an invalid value
        # are rejected.
        #
        # Any operation that affects conditional role bindings must specify version
        # `3`. This requirement applies to the following operations:
        #
        # * Getting a policy that includes a conditional role binding
        # * Adding a conditional role binding to a policy
        # * Changing a conditional role binding in a policy
        # * Removing any role binding, with or without a condition, from a policy
        #   that includes conditions
        #
        # **Important:** If you use IAM Conditions, you must include the `etag` field
        # whenever you call `setIamPolicy`. If you omit this field, then IAM allows
        # you to overwrite a version `3` policy with a version `1` policy, and all of
        # the conditions in the version `3` policy are lost.
        #
        # If a policy does not include any conditions, operations on that policy may
        # specify any valid version or leave the field unset.
  }
testIamPermissions(resource, body=None, x__xgafv=None)
Returns the permissions that a caller has on the specified note or
occurrence. Requires list permission on the project (for example,
`containeranalysis.notes.list`).

The resource takes the format `projects/[PROJECT_ID]/notes/[NOTE_ID]` for
notes and `projects/[PROJECT_ID]/occurrences/[OCCURRENCE_ID]` for
occurrences.

Args:
  resource: string, REQUIRED: The resource for which the policy detail is being requested.
See the operation documentation for the appropriate value for this field. (required)
  body: object, The request body.
    The object takes the form of:

{ # Request message for `TestIamPermissions` method.
    "permissions": [ # The set of permissions to check for the `resource`. Permissions with
        # wildcards (such as '*' or 'storage.*') are not allowed. For more
        # information see
        # [IAM Overview](https://cloud.google.com/iam/docs/overview#permissions).
      "A String",
    ],
  }

  x__xgafv: string, V1 error format.
    Allowed values
      1 - v1 error format
      2 - v2 error format

Returns:
  An object of the form:

    { # Response message for `TestIamPermissions` method.
    "permissions": [ # A subset of `TestPermissionsRequest.permissions` that the caller is
        # allowed.
      "A String",
    ],
  }