1// Copyright (C) 2023 The Android Open Source Project 2// 3// Licensed under the Apache License, Version 2.0 (the "License"); 4// you may not use this file except in compliance with the License. 5// You may obtain a copy of the License at 6// 7// http://www.apache.org/licenses/LICENSE-2.0 8// 9// Unless required by applicable law or agreed to in writing, software 10// distributed under the License is distributed on an "AS IS" BASIS, 11// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12// See the License for the specific language governing permissions and 13// limitations under the License. 14 15syntax = "proto2"; 16 17package metadata_file; 18 19// Proto definition of METADATA files of packages in AOSP codebase. 20message Metadata { 21 // Name of the package. 22 optional string name = 1; 23 24 // A short description (a few lines) of the package. 25 // Example: "Handles location lookups, throttling, batching, etc." 26 optional string description = 2; 27 28 // Specifies additional data about third-party packages. 29 optional ThirdParty third_party = 3; 30} 31 32message ThirdParty { 33 // URL(s) associated with the package. 34 // 35 // At a minimum, all packages must specify a URL which identifies where it 36 // came from, containing a type of: ARCHIVE, GIT or OTHER. Typically, 37 // a package should contain only a single URL from these types. Occasionally, 38 // a package may be broken across multiple archive files for whatever reason, 39 // in which case having multiple ARCHIVE URLs is okay. However, this should 40 // not be used to combine different logical packages that are versioned and 41 // possibly licensed differently. 42 repeated URL url = 1; 43 44 // The package version. In order of preference, this should contain: 45 // - If the package comes from Git or another source control system, 46 // a specific tag or revision in source control, such as "r123" or 47 // "58e27d2". This MUST NOT be a mutable ref such as a branch name. 48 // - a released package version such as "1.0", "2.3-beta", etc. 49 // - the date the package was retrieved, formatted as "As of YYYY-MM-DD". 50 optional string version = 2; 51 52 // The date of the change in which the package was last upgraded from 53 // upstream. 54 // This should only identify package upgrades from upstream, not local 55 // modifications. This may identify the date of either the original or 56 // merged change. 57 // 58 // Note: this is NOT the date that this version of the package was released 59 // externally. 60 optional Date last_upgrade_date = 3; 61 62 // License type that identifies how the package may be used. 63 optional LicenseType license_type = 4; 64 65 // An additional note explaining the licensing of this package. This is most 66 // commonly used with commercial license. 67 optional string license_note = 5; 68 69 // Description of local changes that have been made to the package. This does 70 // not need to (and in most cases should not) attempt to include an exhaustive 71 // list of all changes, but may instead direct readers to review the local 72 // commit history, a collection of patch files, a separate README.md (or 73 // similar) document, etc. 74 // Note: Use of this field to store IDs of advisories fixed with a backported 75 // patch is deprecated, use "security.mitigated_security_patch" instead. 76 optional string local_modifications = 6; 77 78 // Security related metadata including risk category and any special 79 // instructions for using the package, as determined by an ISE-TPS review. 80 optional Security security = 7; 81 82 // The type of directory this metadata represents. 83 optional DirectoryType type = 8 [default = PACKAGE]; 84 85 // The homepage for the package. This will eventually replace 86 // `url { type: HOMEPAGE }` 87 optional string homepage = 9; 88 89 // SBOM information of the package. It is mandatory for prebuilt packages. 90 oneof sbom { 91 // Reference to external SBOM document provided as URL. 92 SBOMRef sbom_ref = 10; 93 } 94 95 // Identifiers for the package. 96 repeated Identifier identifier = 11; 97} 98 99// URL associated with a third-party package. 100message URL { 101 enum Type { 102 // The homepage for the package. For example, "https://bazel.io/". This URL 103 // is optional, but encouraged to help disambiguate similarly named packages 104 // or to get more information about the package. This is especially helpful 105 // when no other URLs provide human readable resources (such as git:// or 106 // sso:// URLs). 107 HOMEPAGE = 1; 108 109 // The URL of the archive containing the source code for the package, for 110 // example a zip or tgz file. 111 ARCHIVE = 2; 112 113 // The URL of the upstream git repository this package is retrieved from. 114 // For example: 115 // - https://github.com/git/git.git 116 // - git://git.kernel.org/pub/scm/git/git.git 117 // 118 // Use of a git URL requires that the package "version" value must specify a 119 // specific git tag or revision. 120 GIT = 3; 121 122 // The URL of the upstream SVN repository this package is retrieved from. 123 // For example: 124 // - http://llvm.org/svn/llvm-project/llvm/ 125 // 126 // Use of an SVN URL requires that the package "version" value must specify 127 // a specific SVN tag or revision. 128 SVN = 4; 129 130 // The URL of the upstream mercurial repository this package is retrieved 131 // from. For example: 132 // - https://mercurial-scm.org/repo/evolve 133 // 134 // Use of a mercurial URL requires that the package "version" value must 135 // specify a specific tag or revision. 136 HG = 5; 137 138 // The URL of the upstream darcs repository this package is retrieved 139 // from. For example: 140 // - https://hub.darcs.net/hu.dwim/hu.dwim.util 141 // 142 // Use of a DARCS URL requires that the package "version" value must 143 // specify a specific tag or revision. 144 DARCS = 6; 145 146 PIPER = 7; 147 148 // A URL that does not fit any other type. This may also indicate that the 149 // source code was received via email or some other out-of-band way. This is 150 // most commonly used with commercial software received directly from the 151 // vendor. In the case of email, the URL value can be used to provide 152 // additional information about how it was received. 153 OTHER = 8; 154 155 // The URL identifying where the local copy of the package source code can 156 // be found. 157 // 158 // Typically, the metadata files describing a package reside in the same 159 // directory as the source code for the package. In a few rare cases where 160 // they are separate, the LOCAL_SOURCE URL identifies where to find the 161 // source code. This only describes where to find the local copy of the 162 // source; there should always be an additional URL describing where the 163 // package was retrieved from. 164 // 165 // Examples: 166 // - https://android.googlesource.com/platform/external/apache-http/ 167 LOCAL_SOURCE = 9; 168 } 169 170 // The type of resource this URL identifies. 171 optional Type type = 1; 172 173 // The actual URL value. URLs should be absolute and start with 'http://' or 174 // 'https://' (or occasionally 'git://' or 'ftp://' where appropriate). 175 optional string value = 2; 176} 177 178// License type that identifies how the packages may be used. 179enum LicenseType { 180 BY_EXCEPTION_ONLY = 1; 181 NOTICE = 2; 182 PERMISSIVE = 3; 183 RECIPROCAL = 4; 184 RESTRICTED_IF_STATICALLY_LINKED = 5; 185 RESTRICTED = 6; 186 UNENCUMBERED = 7; 187} 188 189// Identifies security related metadata including risk category and any special 190// instructions for using the package. 191message Security { 192 // Security risk category for a package, as determined by an ISE-TPS review. 193 enum Category { 194 CATEGORY_UNSPECIFIED = 0; 195 196 // Package should only be used in a sandboxed environment. 197 // Package should have restricted visibility. 198 SANDBOXED_ONLY = 1; 199 200 // Package should not be used to process user content. It is considered 201 // safe to use to process trusted data only. Package should have restricted 202 // visibility. 203 TRUSTED_DATA_ONLY = 2; 204 205 // Package is considered safe to use. 206 REVIEWED_AND_SECURE = 3; 207 } 208 209 // Identifies the security risk category for the package. This will be 210 // provided by the ISE-TPS team as the result of a security review of the 211 // package. 212 optional Category category = 1; 213 214 // An additional security note for the package. 215 optional string note = 2; 216 217 // Text tag to categorize the package. It's currently used by security to: 218 // - to disable OSV (https://osv.dev) 219 // support via the `OSV:disable` tag 220 // - to attach CPE to their corresponding packages, for vulnerability 221 // monitoring: 222 // 223 // Please do document your usecase here should you want to add one. 224 repeated string tag = 3; 225 226 // ID of advisories fixed with a mitigated patch, for example CVE-2018-1111. 227 repeated string mitigated_security_patch = 4; 228} 229 230enum DirectoryType { 231 UNDEFINED = 0; 232 233 // This directory represents a package. 234 PACKAGE = 1; 235 236 // This directory is designed to organize multiple third-party PACKAGE 237 // directories. 238 GROUP = 2; 239 240 // This directory contains several PACKAGE directories representing 241 // different versions of the same third-party project. 242 VERSIONS = 3; 243} 244 245// Represents a whole or partial calendar date, such as a birthday. The time of 246// day and time zone are either specified elsewhere or are insignificant. The 247// date is relative to the Gregorian Calendar. This can represent one of the 248// following: 249// 250// * A full date, with non-zero year, month, and day values. 251// * A month and day, with a zero year (for example, an anniversary). 252// * A year on its own, with a zero month and a zero day. 253// * A year and month, with a zero day (for example, a credit card expiration 254// date). 255message Date { 256 // Year of the date. Must be from 1 to 9999, or 0 to specify a date without 257 // a year. 258 optional int32 year = 1; 259 // Month of a year. Must be from 1 to 12, or 0 to specify a year without a 260 // month and day. 261 optional int32 month = 2; 262 // Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 263 // to specify a year by itself or a year and month where the day isn't 264 // significant. 265 optional int32 day = 3; 266} 267 268// Reference to external SBOM document and element corresponding to the package. 269// See https://spdx.github.io/spdx-spec/v2.3/document-creation-information/#66-external-document-references-field 270message SBOMRef { 271 // The URL that points to the SBOM document of the upstream package of this 272 // third_party package. 273 optional string url = 1; 274 // Checksum of the SBOM document the url field points to. 275 // Format: e.g. SHA1:<checksum>, or any algorithm defined in 276 // https://spdx.github.io/spdx-spec/v2.3/file-information/#8.4 277 optional string checksum = 2; 278 // SPDXID of the upstream package/file defined in the SBOM document the url field points to. 279 // Format: SPDXRef-[a-zA-Z0-9.-]+, see 280 // https://spdx.github.io/spdx-spec/v2.3/package-information/#72-package-spdx-identifier-field or 281 // https://spdx.github.io/spdx-spec/v2.3/file-information/#82-file-spdx-identifier-field 282 optional string element_id = 3; 283} 284 285// Identifier for a third-party package. 286// See go/tp-metadata-id. 287message Identifier { 288 // The type of the identifier. Either an "ecosystem" value from 289 // https://ossf.github.io/osv-schema/#affectedpackage-field such as "Go", 290 // "npm" or "PyPI". The "value" and "version" fields follow the same rules as 291 // defined in the OSV spec. 292 293 // Or one of: 294 // - "Git": The "value" field is the URL of the upstream git repository this 295 // package is retrieved from. 296 // For example: 297 // - https://github.com/git/git 298 // - git://git.kernel.org/pub/scm/git/git 299 // 300 // Use of a git URL requires that the package "version" value must specify a 301 // specific git tag or revision. This must not be a branch name. 302 // 303 // - "SVN": The "value" field is the URL of the upstream SVN repository this 304 // package is retrieved from. 305 // For example: 306 // - http://llvm.org/svn/llvm-project/llvm/ 307 // 308 // Use of an SVN URL requires that the package "version" value must specify 309 // a specific SVN tag or revision. This must not be a branch name. 310 // 311 // - "Hg": The "value" field is the URL of the upstream mercurial repository 312 // this package is retrieved from. 313 // For example: 314 // - https://mercurial-scm.org/repo/evolve 315 // 316 // Use of a mercurial URL requires that the package "version" value must 317 // specify a specific tag or revision. This must not be a branch name. 318 // 319 // - "Darcs": the "value" field is the URL of the upstream darcs repository 320 // this package is retrieved from. 321 // For example: 322 // - https://hub.darcs.net/hu.dwim/hu.dwim.util 323 // 324 // Use of a Darcs URL requires that the package "version" value must 325 // specify a specific tag or revision. This must not be a branch name. 326 // 327 // - "Piper": The "value" field is the URL of the upstream piper location. 328 // This is primarily used when a package is being migrated into third_party 329 // from elsewhere in Piper, or when a package is being newly developed in 330 // third_party. 331 // 332 // - "VCS": This is a generic fallback for an unlisted VCS system. The 333 // "value" field is the URL of the repository for this VCS. 334 // 335 // - "Archive": The "value" field is the URL of the archive containing the 336 // source code for the package, for example a zip or tgz file. 337 // 338 // - "PrebuiltByAlphabet": This type should be used for archives of primarily 339 // Google-owned source code (may contain non-Google-owned dependencies), 340 // which has been built using production Google infrastructure, and copied 341 // into Android. The "value" field is the URL of the prebuilt artifact or 342 // the relative path of the artifact to the root of a package. 343 // Example: 344 // identifier { 345 // type: "PrebuiltByAlphabet", 346 // version: "1", 347 // value: "v1/arm84_hdpi.apk", 348 // } 349 // identifier { 350 // type: "PrebuiltByAlphabet", 351 // version: "2", 352 // value: "v2/x86_64_xhdpi.apk", 353 // } 354 // 355 // - "LocalSource": The "value" field is the URL identifying where the local 356 // copy of the package source code can be found. 357 // Examples: 358 // - https://android.googlesource.com/platform/external/apache-http/ 359 // 360 // Typically, the metadata files describing a package reside in the same 361 // directory as the source code for the package. In a few rare cases where 362 // they are separate, the LocalSource URL identifies where to find the 363 // source code. This only describes where to find the local copy of the 364 // source; there should always be an additional URL describing where the 365 // package was retrieved from. 366 // 367 // - "Other": An identifier that does not fit any other type. This may also 368 // indicate that the Source code was received via email or some other 369 // out-of-band way. This is most commonly used with commercial software 370 // received directly from the Vendor. In the case of email, the "value" field 371 // can be used to provide additional information about how it was received. 372 optional string type = 1; 373 374 // A human readable string to indicate why a third-package package does not 375 // have this identifier type set. 376 // Example: 377 // identifier { 378 // type: "PyPI" 379 // omission_reason: "Only on Git. Not published to PyPI." 380 // } 381 optional string omission_reason = 2; 382 383 // The value of the package identifier as defined by the "type". 384 // Example: 385 // identifier { 386 // type: "PyPI" 387 // value: "django" 388 // version: "3.2.8" 389 // } 390 optional string value = 3; 391 392 // The version associated with this package as defined by the "type". 393 // Example: 394 // identifier { 395 // type: "PyPI" 396 // value: "django" 397 // version: "3.2.8" 398 // } 399 optional string version = 4; 400 401 // The closest version associated with this package as defined by the "type". 402 // This should only be set by automated infrastructure by applying automated 403 // heuristics, such as the closest git tag or package version from a package 404 // manifest file (e.g. pom.xml). 405 // 406 // For most identifier types, only one of `version` or `closest_version` 407 // should be set (not both). The exception is source repository types such as 408 // "Git", where `version` will refer to a git commit, and `closest_version` 409 // refers to a git tag. 410 // Example: 411 // identifier { 412 // type: "Git", 413 // value: "https://github.com/my/repo" 414 // version: "e5fa44f2b31c1fb553b6021e7360d07d5d91ff5e" 415 // closest_version: "v1.4" 416 // } 417 optional string closest_version = 5; 418 419 // When `true`, this Identifier represents the location from which the source 420 // code for this package was originally obtained. This should only be set for 421 // *one* Identifier in a third_party package's METADATA. 422 423 // For external packages, this is typically for the Identifier associated 424 // with the version control system or package manager that was used to 425 // check out or download the code. 426 optional bool primary_source = 6; 427}