attestation

package
package v0.12.4

This package is not in the latest version of its module.
Published: Jan 6, 2025 License: Apache-2.0 Imports: 2 Imported by: 0

Documentation

Constants

const (
	PredicateVuln = "https://in-toto.io/attestation/vulns/v0.1"
)

PredicateVuln is a new predicate type for vulnerabilities based on https://github.com/sigstore/cosign/blob/main/specs/COSIGN_VULN_ATTESTATION_SPEC.md. It is used by the certifier to attest to vulnerabilities in an artifact. Currently the predicate is defined here, but the intention is to upstream it to https://github.com/in-toto/attestation in the near future once the quirks are worked out.

Variables

This section is empty.

Functions

This section is empty.

Types

type DB

type DB struct {
	Uri     string `json:"uri,omitempty"`
	Version string `json:"version,omitempty"`
	// required
	LastUpdate *time.Time `json:"lastUpdate,omitempty"`
}

DB defines the scanner database used at the time of the scan.

type Metadata

type Metadata struct {
	ScanStartedOn  *time.Time `json:"scanStartedOn,omitempty"`
	ScanFinishedOn *time.Time `json:"scanFinishedOn,omitempty"`
}

Metadata records when the scan started and finished.

type Result

type Result struct {
	Id       string     `json:"id,omitempty"`
	Severity []Severity `json:"severity,omitempty"`
}

Result defines the vulnerability ID and its alias. There can be multiple results per artifact. TODO: the spec has a discrepancy that needs to be resolved; we are following the example JSON in the spec, since that is what the two examples we have seen are using. Tracking https://github.com/in-toto/attestation/issues/391

type Scanner

type Scanner struct {
	Uri      string `json:"uri,omitempty"`
	Version  string `json:"version,omitempty"`
	Database DB     `json:"db,omitempty"`
	// required
	Result []Result `json:"result,omitempty"`
}

Scanner defines the scanner that was used to scan the artifacts and the resulting vulnerabilities found.

type Severity

type Severity struct {
	// required
	Method string `json:"method,omitempty"`
	// required
	Score string `json:"score,omitempty"`
	// ambiguous type definition in the spec, see
	// https://github.com/in-toto/attestation/issues/390
	Annotations []map[string]interface{} `json:"annotations,omitempty"`
}

Severity describes the severity of a vulnerability using one or more quantitative scoring methods.

type VulnerabilityPredicate

type VulnerabilityPredicate struct {
	// required
	Scanner Scanner `json:"scanner,omitempty"`
	// required
	Metadata Metadata `json:"metadata,omitempty"`
}

VulnerabilityPredicate defines the predicate of the vulnerability attestation.

type VulnerabilityStatement

type VulnerabilityStatement struct {
	attestationv1.Statement
	// Predicate contains type specific metadata.
	Predicate VulnerabilityPredicate `json:"predicate"`
}

VulnerabilityStatement defines the statement header and the vulnerability predicate.
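Every field above carries an omitempty tag, so a producer can drop a field the comments mark "required" and the decoded struct still looks valid. As an added example (not code from this package), here is a consumer-side check that decodes the predicate and rejects one with those fields missing; the types are local copies trimmed to the required fields (assumed to carry the same JSON tags), and the sample input is constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"time"
)

// Local copies of the package's types, reduced to required fields (assumption: tags match).
type Severity struct {
	Method string `json:"method,omitempty"`
	Score  string `json:"score,omitempty"`
}
type Result struct {
	Severity []Severity `json:"severity,omitempty"`
}
type DB struct {
	LastUpdate *time.Time `json:"lastUpdate,omitempty"`
}
type Scanner struct {
	Database DB       `json:"db,omitempty"`
	Result   []Result `json:"result,omitempty"`
}
type VulnerabilityPredicate struct {
	Scanner Scanner `json:"scanner,omitempty"`
}

// ValidatePredicate decodes a predicate and rejects one missing a required field:
// omitempty lets a producer drop them, and zero values would otherwise pass unnoticed.
func ValidatePredicate(raw []byte) (*VulnerabilityPredicate, error) {
	var p VulnerabilityPredicate
	if err := json.Unmarshal(raw, &p); err != nil {
		return nil, err
	}
	if p.Scanner.Database.LastUpdate == nil {
		return nil, fmt.Errorf("scanner.db.lastUpdate is required")
	}
	// A nil slice means the key was absent; "result": [] is a clean scan.
	if p.Scanner.Result == nil {
		return nil, fmt.Errorf("scanner.result is required")
	}
	for i, r := range p.Scanner.Result {
		for j, s := range r.Severity {
			if s.Method == "" || s.Score == "" {
				return nil, fmt.Errorf("result[%d].severity[%d]: method and score are required", i, j)
			}
		}
	}
	return &p, nil
}
```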
