1// Copyright (C) 2023 The Android Open Source Project
2//
3// Licensed under the Apache License, Version 2.0 (the "License");
4// you may not use this file except in compliance with the License.
5// You may obtain a copy of the License at
6//
7//      http://www.apache.org/licenses/LICENSE-2.0
8//
9// Unless required by applicable law or agreed to in writing, software
10// distributed under the License is distributed on an "AS IS" BASIS,
11// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12// See the License for the specific language governing permissions and
13// limitations under the License.
14
15syntax = "proto2";
16
17package metadata_file;
18
19// Proto definition of METADATA files of packages in AOSP codebase.
20message Metadata {
21  // Name of the package.
22  optional string name = 1;
23
24  // A short description (a few lines) of the package.
25  // Example: "Handles location lookups, throttling, batching, etc."
26  optional string description = 2;
27
28  // Specifies additional data about third-party packages.
29  optional ThirdParty third_party = 3;
30}
31
32message ThirdParty {
33  // URL(s) associated with the package.
34  //
35  // At a minimum, all packages must specify a URL which identifies where it
36  // came from, containing a type of: ARCHIVE, GIT or OTHER. Typically,
37  // a package should contain only a single URL from these types.  Occasionally,
38  // a package may be broken across multiple archive files for whatever reason,
39  // in which case having multiple ARCHIVE URLs is okay.  However, this should
40  // not be used to combine different logical packages that are versioned and
41  // possibly licensed differently.
42  repeated URL url = 1;
43
44  // The package version.  In order of preference, this should contain:
45  //  - If the package comes from Git or another source control system,
46  //    a specific tag or revision in source control, such as "r123" or
47  //    "58e27d2".  This MUST NOT be a mutable ref such as a branch name.
48  //  - a released package version such as "1.0", "2.3-beta", etc.
49  //  - the date the package was retrieved, formatted as "As of YYYY-MM-DD".
50  optional string version = 2;
51
52  // The date of the change in which the package was last upgraded from
53  // upstream.
54  // This should only identify package upgrades from upstream, not local
55  // modifications. This may identify the date of either the original or
56  // merged change.
57  //
58  // Note: this is NOT the date that this version of the package was released
59  // externally.
60  optional Date last_upgrade_date = 3;
61
62  // License type that identifies how the package may be used.
63  optional LicenseType license_type = 4;
64
65  // An additional note explaining the licensing of this package.  This is most
66  // commonly used with commercial license.
67  optional string license_note = 5;
68
69  // Description of local changes that have been made to the package.  This does
70  // not need to (and in most cases should not) attempt to include an exhaustive
71  // list of all changes, but may instead direct readers to review the local
72  // commit history, a collection of patch files, a separate README.md (or
73  // similar) document, etc.
74  // Note: Use of this field to store IDs of advisories fixed with a backported
75  // patch is deprecated, use "security.mitigated_security_patch" instead.
76  optional string local_modifications = 6;
77
78  // Security related metadata including risk category and any special
79  // instructions for using the package, as determined by an ISE-TPS review.
80  optional Security security = 7;
81
82  // The type of directory this metadata represents.
83  optional DirectoryType type = 8 [default = PACKAGE];
84
85  // The homepage for the package. This will eventually replace
86  // `url { type: HOMEPAGE }`
87  optional string homepage = 9;
88
89  // SBOM information of the package. It is mandatory for prebuilt packages.
90  oneof sbom {
91    // Reference to external SBOM document provided as URL.
92    SBOMRef sbom_ref = 10;
93  }
94
95  // Identifiers for the package.
96  repeated Identifier identifier = 11;
97}
98
99// URL associated with a third-party package.
100message URL {
101  enum Type {
102    // The homepage for the package. For example, "https://bazel.io/". This URL
103    // is optional, but encouraged to help disambiguate similarly named packages
104    // or to get more information about the package. This is especially helpful
105    // when no other URLs provide human readable resources (such as git:// or
106    // sso:// URLs).
107    HOMEPAGE = 1;
108
109    // The URL of the archive containing the source code for the package, for
110    // example a zip or tgz file.
111    ARCHIVE = 2;
112
113    // The URL of the upstream git repository this package is retrieved from.
114    // For example:
115    //  - https://github.com/git/git.git
116    //  - git://git.kernel.org/pub/scm/git/git.git
117    //
118    // Use of a git URL requires that the package "version" value must specify a
119    // specific git tag or revision.
120    GIT = 3;
121
122    // The URL of the upstream SVN repository this package is retrieved from.
123    // For example:
124    //  - http://llvm.org/svn/llvm-project/llvm/
125    //
126    // Use of an SVN URL requires that the package "version" value must specify
127    // a specific SVN tag or revision.
128    SVN = 4;
129
130    // The URL of the upstream mercurial repository this package is retrieved
131    // from. For example:
132    //   - https://mercurial-scm.org/repo/evolve
133    //
134    // Use of a mercurial URL requires that the package "version" value must
135    // specify a specific tag or revision.
136    HG = 5;
137
138    // The URL of the upstream darcs repository this package is retrieved
139    // from. For example:
140    //   - https://hub.darcs.net/hu.dwim/hu.dwim.util
141    //
142    // Use of a DARCS URL requires that the package "version" value must
143    // specify a specific tag or revision.
144    DARCS = 6;
145
146    PIPER = 7;
147
148    // A URL that does not fit any other type. This may also indicate that the
149    // source code was received via email or some other out-of-band way. This is
150    // most commonly used with commercial software received directly from the
151    // vendor. In the case of email, the URL value can be used to provide
152    // additional information about how it was received.
153    OTHER = 8;
154
155    // The URL identifying where the local copy of the package source code can
156    // be found.
157    //
158    // Typically, the metadata files describing a package reside in the same
159    // directory as the source code for the package. In a few rare cases where
160    // they are separate, the LOCAL_SOURCE URL identifies where to find the
161    // source code. This only describes where to find the local copy of the
162    // source; there should always be an additional URL describing where the
163    // package was retrieved from.
164    //
165    // Examples:
166    //  - https://android.googlesource.com/platform/external/apache-http/
167    LOCAL_SOURCE = 9;
168  }
169
170  // The type of resource this URL identifies.
171  optional Type type = 1;
172
173  // The actual URL value.  URLs should be absolute and start with 'http://' or
174  // 'https://' (or occasionally 'git://' or 'ftp://' where appropriate).
175  optional string value = 2;
176}
177
178// License type that identifies how the packages may be used.
179enum LicenseType {
180  BY_EXCEPTION_ONLY = 1;
181  NOTICE = 2;
182  PERMISSIVE = 3;
183  RECIPROCAL = 4;
184  RESTRICTED_IF_STATICALLY_LINKED = 5;
185  RESTRICTED = 6;
186  UNENCUMBERED = 7;
187}
188
189// Identifies security related metadata including risk category and any special
190// instructions for using the package.
191message Security {
192  // Security risk category for a package, as determined by an ISE-TPS review.
193  enum Category {
194    CATEGORY_UNSPECIFIED = 0;
195
196    // Package should only be used in a sandboxed environment.
197    // Package should have restricted visibility.
198    SANDBOXED_ONLY = 1;
199
200    // Package should not be used to process user content. It is considered
201    // safe to use to process trusted data only. Package should have restricted
202    // visibility.
203    TRUSTED_DATA_ONLY = 2;
204
205    // Package is considered safe to use.
206    REVIEWED_AND_SECURE = 3;
207  }
208
209  // Identifies the security risk category for the package.  This will be
210  // provided by the ISE-TPS team as the result of a security review of the
211  // package.
212  optional Category category = 1;
213
214  // An additional security note for the package.
215  optional string note = 2;
216
217  // Text tag to categorize the package. It's currently used by security to:
218  // - to disable OSV (https://osv.dev)
219  // support via the `OSV:disable` tag
220  // - to attach CPE to their corresponding packages, for vulnerability
221  // monitoring:
222  //
223  // Please do document your usecase here should you want to add one.
224  repeated string tag = 3;
225
226  // ID of advisories fixed with a mitigated patch, for example CVE-2018-1111.
227  repeated string mitigated_security_patch = 4;
228}
229
230enum DirectoryType {
231  UNDEFINED = 0;
232
233  // This directory represents a package.
234  PACKAGE = 1;
235
236  // This directory is designed to organize multiple third-party PACKAGE
237  // directories.
238  GROUP = 2;
239
240  // This directory contains several PACKAGE directories representing
241  // different versions of the same third-party project.
242  VERSIONS = 3;
243}
244
245// Represents a whole or partial calendar date, such as a birthday. The time of
246// day and time zone are either specified elsewhere or are insignificant. The
247// date is relative to the Gregorian Calendar. This can represent one of the
248// following:
249//
250// * A full date, with non-zero year, month, and day values.
251// * A month and day, with a zero year (for example, an anniversary).
252// * A year on its own, with a zero month and a zero day.
253// * A year and month, with a zero day (for example, a credit card expiration
254//   date).
255message Date {
256  // Year of the date. Must be from 1 to 9999, or 0 to specify a date without
257  // a year.
258  optional int32 year = 1;
259  // Month of a year. Must be from 1 to 12, or 0 to specify a year without a
260  // month and day.
261  optional int32 month = 2;
262  // Day of a month. Must be from 1 to 31 and valid for the year and month, or 0
263  // to specify a year by itself or a year and month where the day isn't
264  // significant.
265  optional int32 day = 3;
266}
267
268// Reference to external SBOM document and element corresponding to the package.
269// See https://spdx.github.io/spdx-spec/v2.3/document-creation-information/#66-external-document-references-field
270message SBOMRef {
271  // The URL that points to the SBOM document of the upstream package of this
272  // third_party package.
273  optional string url = 1;
274  // Checksum of the SBOM document the url field points to.
275  // Format: e.g. SHA1:<checksum>, or any algorithm defined in
276  // https://spdx.github.io/spdx-spec/v2.3/file-information/#8.4
277  optional string checksum = 2;
278  // SPDXID of the upstream package/file defined in the SBOM document the url field points to.
279  // Format: SPDXRef-[a-zA-Z0-9.-]+, see
280  // https://spdx.github.io/spdx-spec/v2.3/package-information/#72-package-spdx-identifier-field or
281  // https://spdx.github.io/spdx-spec/v2.3/file-information/#82-file-spdx-identifier-field
282  optional string element_id = 3;
283}
284
285// Identifier for a third-party package.
286// See go/tp-metadata-id.
287message Identifier {
288  // The type of the identifier. Either an "ecosystem" value from
289  // https://ossf.github.io/osv-schema/#affectedpackage-field such as "Go",
290  // "npm" or "PyPI". The "value" and "version" fields follow the same rules as
291  // defined in the OSV spec.
292
293  // Or one of:
294  //  - "Git": The "value" field is the URL of the upstream git repository this
295  //  package is retrieved from.
296  //  For example:
297  //   - https://github.com/git/git
298  //   - git://git.kernel.org/pub/scm/git/git
299  //
300  //  Use of a git URL requires that the package "version" value must specify a
301  //  specific git tag or revision. This must not be a branch name.
302  //
303  //  - "SVN": The "value" field is the URL of the upstream SVN repository this
304  //  package is retrieved from.
305  //  For example:
306  //   - http://llvm.org/svn/llvm-project/llvm/
307  //
308  //  Use of an SVN URL requires that the package "version" value must specify
309  //  a specific SVN tag or revision. This must not be a branch name.
310  //
311  //  - "Hg": The "value" field is the URL of the upstream mercurial repository
312  //  this package is retrieved from.
313  //  For example:
314  //   - https://mercurial-scm.org/repo/evolve
315  //
316  //  Use of a mercurial URL requires that the package "version" value must
317  //  specify a specific tag or revision. This must not be a branch name.
318  //
319  //  - "Darcs": the "value" field is the URL of the upstream darcs repository
320  //  this package is retrieved from.
321  //  For example:
322  //   - https://hub.darcs.net/hu.dwim/hu.dwim.util
323  //
324  //  Use of a Darcs URL requires that the package "version" value must
325  //  specify a specific tag or revision. This must not be a branch name.
326  //
327  //  - "Piper": The "value" field is the URL of the upstream piper location.
328  //  This is primarily used when a package is being migrated into third_party
329  //  from elsewhere in Piper, or when a package is being newly developed in
330  //  third_party.
331  //
332  //  - "VCS": This is a generic fallback for an unlisted VCS system. The
333  // "value" field is the URL of the repository for this VCS.
334  //
335  //  - "Archive": The "value" field is the URL of the archive containing the
336  //  source code for the package, for example a zip or tgz file.
337  //
338  //  - "PrebuiltByAlphabet": This type should be used for archives of primarily
339  //  Google-owned source code (may contain non-Google-owned dependencies),
340  //  which has been built using production Google infrastructure, and copied
341  //  into Android. The "value" field is the URL of the prebuilt artifact or
342  //  the relative path of the artifact to the root of a package.
343  //  Example:
344  //    identifier {
345  //      type: "PrebuiltByAlphabet",
346  //      version: "1",
347  //      value: "v1/arm84_hdpi.apk",
348  //    }
349  //    identifier {
350  //      type: "PrebuiltByAlphabet",
351  //      version: "2",
352  //      value: "v2/x86_64_xhdpi.apk",
353  //    }
354  //
355  //  - "LocalSource": The "value" field is the URL identifying where the local
356  //  copy of the package source code can be found.
357  //  Examples:
358  //   - https://android.googlesource.com/platform/external/apache-http/
359  //
360  //  Typically, the metadata files describing a package reside in the same
361  //  directory as the source code for the package. In a few rare cases where
362  //  they are separate, the LocalSource URL identifies where to find the
363  //  source code. This only describes where to find the local copy of the
364  //  source; there should always be an additional URL describing where the
365  //  package was retrieved from.
366  //
367  //  - "Other": An identifier that does not fit any other type. This may also
368  //  indicate that the Source code was received via email or some other
369  //  out-of-band way. This is most commonly used with commercial software
370  //  received directly from the Vendor. In the case of email, the "value" field
371  //  can be used to provide additional information about how it was received.
372  optional string type = 1;
373
374  // A human readable string to indicate why a third-package package does not
375  // have this identifier type set.
376  // Example:
377  //   identifier {
378  //     type: "PyPI"
379  //     omission_reason: "Only on Git. Not published to PyPI."
380  //   }
381  optional string omission_reason = 2;
382
383  // The value of the package identifier as defined by the "type".
384  // Example:
385  //  identifier {
386  //    type: "PyPI"
387  //    value: "django"
388  //    version: "3.2.8"
389  //  }
390  optional string value = 3;
391
392  // The version associated with this package as defined by the "type".
393  // Example:
394  //  identifier {
395  //    type: "PyPI"
396  //    value: "django"
397  //    version: "3.2.8"
398  //  }
399  optional string version = 4;
400
401  // The closest version associated with this package as defined by the "type".
402  // This should only be set by automated infrastructure by applying automated
403  // heuristics, such as the closest git tag or package version from a package
404  // manifest file (e.g. pom.xml).
405  //
406  // For most identifier types, only one of `version` or `closest_version`
407  // should be set (not both). The exception is source repository types such as
408  // "Git", where `version` will refer to a git commit, and `closest_version`
409  // refers to a git tag.
410  // Example:
411  //  identifier {
412  //    type: "Git",
413  //    value: "https://github.com/my/repo"
414  //    version: "e5fa44f2b31c1fb553b6021e7360d07d5d91ff5e"
415  //    closest_version: "v1.4"
416  //  }
417  optional string closest_version = 5;
418
419  // When `true`, this Identifier represents the location from which the source
420  // code for this package was originally obtained. This should only be set for
421  // *one* Identifier in a third_party package's METADATA.
422
423  // For external packages, this is typically for the Identifier associated
424  // with the version control system or package manager that was used to
425  // check out or download the code.
426  optional bool primary_source = 6;
427}