Subset: SlsaDependencyTrack
Slots and classes related to the SLSA Dependency Track, which measures a producer's ability to manage risk from third-party dependencies.
URI: SlsaDependencyTrack
Identifier and Mapping Information
Schema Source
- from schema: https://w3id.org/lmodel/slsa
Classes in subset
| Class | Description |
|---|---|
| DependencyInventory | A comprehensive inventory of all third-party build dependencies for an artifa... |
| Package | An identifiable unit of software intended for distribution |
| ResourceDescriptor | A reference to a software artifact including its location, digest, and option... |
Slots from DependencyInventory also in slsa_dependency_track
| Name | Cardinality and Range | Description |
|---|---|---|
| artifact | 0..1 ResourceDescriptor | A specific immutable package artifact or the artifact whose dependency invent... |
| dependencies | * ResourceDescriptor | All third-party build dependencies (direct and transitive) for an artifact ve... |
| dependencyLevel | 0..1 DependencyLevelEnum | The SLSA Dependency Level that this inventory and associated triage process s... |
Slots from Package also in slsa_dependency_track
| Name | Cardinality and Range | Description |
|---|---|---|
| artifact | 0..1 ResourceDescriptor | A specific immutable package artifact or the artifact whose dependency invent... |
| ecosystem | 0..1 String | The package ecosystem (e |
| name | 0..1 String | A local name for a resource within the context of an attestation, or the name... |
| registry | 0..1 String | URI of the package registry where a package is published and from which consu... |
Slots from ResourceDescriptor also in slsa_dependency_track
| Name | Cardinality and Range | Description |
|---|---|---|
| annotations | * String | Arbitrary vendor-specific key-value annotations |
| digest | 0..1 DigestSet | Set of cryptographic digests of a resource's content used for integrity verif... |
| downloadLocation | 0..1 String | URI from which a resource can be downloaded, if different from its identifyin... |
| name | 0..1 String | A local name for a resource within the context of an attestation, or the name... |
| uri | 0..1 String | A URI uniquely identifying a resource, such as a package URL (purl), git repo... |
Slots in subset
| Slot | Description |
|---|---|
| annotations | Arbitrary vendor-specific key-value annotations |
| artifact | A specific immutable package artifact or the artifact whose dependency invent... |
| dependencies | All third-party build dependencies (direct and transitive) for an artifact ve... |
| dependencyLevel | The SLSA Dependency Level that this inventory and associated triage process s... |
| digest | Set of cryptographic digests of a resource's content used for integrity verif... |
| downloadLocation | URI from which a resource can be downloaded, if different from its identifyin... |
| ecosystem | The package ecosystem (e |
| guacUri | URI to query the GUAC (Graph for Understanding Artifact Composition) instance... |
| id | A URI uniquely identifying an entity (build platform, verifier, build image, ... |
| name | A local name for a resource within the context of an attestation, or the name... |
| registry | URI of the package registry where a package is published and from which consu... |
| uri | A URI uniquely identifying a resource, such as a package URL (purl), git repo... |
Enumerations in subset
| Enumeration | Description |
|---|---|
| DependencyLevelEnum | SLSA Dependency Track levels for measuring and controlling risk introduced fr... |