attestation

package

v0.11.0 Latest Latest Go to latest Published: Oct 28, 2024 License: Apache-2.0 Imports: 2 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/guacsec/guac

Links

Open Source Insights

Documentation ¶

Constants ¶

View Source

const (
	PredicateVuln = "https://in-toto.io/attestation/vulns/v0.1"
)

PredicateVuln This is a new predicate type for vulnerabilities based off https://github.com/sigstore/cosign/blob/main/specs/COSIGN_VULN_ATTESTATION_SPEC.md. This is used by the certifier to attest to vulnerabilities in an artifact. Currently, the predicate is defined here but the intention is to upstream this to https://github.com/in-toto/attestation in the near future once the quirks are worked out.

Variables ¶

This section is empty.

Functions ¶

This section is empty.

Types ¶

type DB ¶

type DB struct {
	Uri     string `json:"uri,omitempty"`
	Version string `json:"version,omitempty"`
	// required
	LastUpdate *time.Time `json:"lastUpdate,omitempty"`
}

DB defines the scanner database used at the time of scan

type Metadata ¶

type Metadata struct {
	ScanStartedOn  *time.Time `json:"scanStartedOn,omitempty"`
	ScanFinishedOn *time.Time `json:"scanFinishedOn,omitempty"`
}

Metadata defines when the last scan was done

type Result ¶

type Result struct {
	Id       string     `json:"id,omitempty"`
	Severity []Severity `json:"severity,omitempty"`
}

Result defines the Vulnerability ID and its alias. There can be multiple results per artifact TODO: The spec has a discrepency that needs to be resolved, we are following the example json in the spec since that seems to be what 2 examples we've seen are using. Tracking https://github.com/in-toto/attestation/issues/391

type Scanner ¶

type Scanner struct {
	Uri      string `json:"uri,omitempty"`
	Version  string `json:"version,omitempty"`
	Database DB     `json:"db,omitempty"`
	// required
	Result []Result `json:"result,omitempty"`
}

Scanner defines the scanner that was used to scan the artifacts and the resulting vulnerabilities found

type Severity ¶

type Severity struct {
	// required
	Method string `json:"method,omitempty"`
	// required
	Score string `json:"score,omitempty"`
	// ambiguous type definition ins spec, look at
	// https://github.com/in-toto/attestation/issues/390https://github.com/in-toto/attestation/issues/390
	Annotations []map[string]interface{} `json:"annotations,omitempty"`
}

type VulnerabilityPredicate ¶

type VulnerabilityPredicate struct {
	// required
	Scanner Scanner `json:"scanner,omitempty"`
	// required
	Metadata Metadata `json:"metadata,omitempty"`
}

VulnerabilityPredicate defines predicate definition of the vulnerability attestation

type VulnerabilityStatement ¶

type VulnerabilityStatement struct {
	attestationv1.Statement
	// Predicate contains type specific metadata.
	Predicate VulnerabilityPredicate `json:"predicate"`
}

VulnerabilityStatement defines the statement header and the vulnerability predicate

Source Files ¶

View all Source files

attestation_vuln.go

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL