From f0c8303282b8424ff29aa8ed355cb2be67b88aca Mon Sep 17 00:00:00 2001
From: Gagan H R
Date: Sun, 15 Mar 2026 23:50:44 +0530
Subject: [PATCH] fix: update predicateType to v0.2 in vulnerability attestations and related parsing logic

Signed-off-by: Gagan H R
---
 .../testdata/exampledata/certify-novuln.json | 2 +-
 .../testdata/exampledata/certify-vuln.json | 2 +-
 internal/testing/testdata/testdata.go | 18 +++++++-------
 .../attestation/vuln/attestation_vuln.go | 22 ++++++-------------
 pkg/handler/processor/guesser/type_ite6.go | 3 ++-
 pkg/ingestor/parser/vuln/vuln.go | 2 +-
 6 files changed, 21 insertions(+), 28 deletions(-)

diff --git a/internal/testing/testdata/exampledata/certify-novuln.json b/internal/testing/testdata/exampledata/certify-novuln.json
index 5338b581a5..9c10ec816e 100644
--- a/internal/testing/testdata/exampledata/certify-novuln.json
+++ b/internal/testing/testdata/exampledata/certify-novuln.json
@@ -6,7 +6,7 @@
  "digest": {"sha256": "3a2bd2c5cc4c978e8aefd8bd0ef335fb42ee31d1"}
  }
  ],
-  "predicateType": "https://in-toto.io/attestation/vulns/v0.1",
+  "predicateType": "https://in-toto.io/attestation/vulns/v0.2",
  "predicate": {
  "scanner": {
  "uri": "osv.dev",
diff --git a/internal/testing/testdata/exampledata/certify-vuln.json b/internal/testing/testdata/exampledata/certify-vuln.json
index c46bc2cdb0..611ce12446 100644
--- a/internal/testing/testdata/exampledata/certify-vuln.json
+++ b/internal/testing/testdata/exampledata/certify-vuln.json
@@ -5,7 +5,7 @@
  "uri": "pkg:maven/org.apache.logging.log4j/log4j-core@2.8.1"
  }
  ],
-  "predicateType": "https://in-toto.io/attestation/vulns/v0.1",
+  "predicateType": "https://in-toto.io/attestation/vulns/v0.2",
  "predicate": {
  "scanner": {
  "uri": "osv.dev",
diff --git a/internal/testing/testdata/testdata.go b/internal/testing/testdata/testdata.go
index fb753c7c2d..185be1de58 100644
--- a/internal/testing/testdata/testdata.go
+++ b/internal/testing/testdata/testdata.go
@@ -2181,7 +2181,7 @@ var (
  "uri":"pkg:maven/org.apache.commons/commons-text@1.9"
  }
  ],
-  "predicate_type":"https://in-toto.io/attestation/vulns/v0.1",
+  "predicate_type":"https://in-toto.io/attestation/vulns/v0.2",
  "predicate":{
  "scanner":{
  "uri":"osv.dev",
@@ -2207,7 +2207,7 @@ var (
  "uri":"pkg:oci/vul-secondLevel-latest?repository_url=gcr.io"
  }
  ],
-  "predicate_type":"https://in-toto.io/attestation/vulns/v0.1",
+  "predicate_type":"https://in-toto.io/attestation/vulns/v0.2",
  "predicate":{
  "scanner": {
  "uri": "osv.dev",
@@ -2226,7 +2226,7 @@ var (
  "uri":"pkg:oci/vul-image-latest?repository_url=gcr.io"
  }
  ],
-  "predicate_type":"https://in-toto.io/attestation/vulns/v0.1",
+  "predicate_type":"https://in-toto.io/attestation/vulns/v0.2",
  "predicate":{
  "scanner": {
  "uri": "osv.dev",
@@ -2245,7 +2245,7 @@ var (
  "uri":"pkg:maven/org.apache.logging.log4j/log4j-core@2.8.1"
  }
  ],
-  "predicate_type":"https://in-toto.io/attestation/vulns/v0.1",
+  "predicate_type":"https://in-toto.io/attestation/vulns/v0.2",
  "predicate":{
  "scanner":{
  "uri":"osv.dev",
@@ -2324,7 +2324,7 @@ var (
  "uri": "pkg:maven/io.vertx/vertx-web-common@4.3.7?type=jar"
  }
  ],
-  "predicate_type": "https://in-toto.io/attestation/vulns/v0.1",
+  "predicate_type": "https://in-toto.io/attestation/vulns/v0.2",
  "predicate": {
  "scanner": {
  "uri": "osv.dev",
@@ -2344,7 +2344,7 @@ var (
  "uri": "pkg:maven/io.vertx/vertx-auth-common@4.3.7?type=jar"
  }
  ],
-  "predicate_type": "https://in-toto.io/attestation/vulns/v0.1",
+  "predicate_type": "https://in-toto.io/attestation/vulns/v0.2",
  "predicate": {
  "scanner": {
  "uri": "osv.dev",
@@ -2364,7 +2364,7 @@ var (
  "uri": "pkg:maven/io.vertx/vertx-bridge-common@4.3.7?type=jar"
  }
  ],
-  "predicate_type": "https://in-toto.io/attestation/vulns/v0.1",
+  "predicate_type": "https://in-toto.io/attestation/vulns/v0.2",
  "predicate": {
  "scanner": {
  "uri": "osv.dev",
@@ -2384,7 +2384,7 @@ var (
  "uri": "pkg:maven/io.vertx/vertx-core@4.3.7?type=jar"
  }
  ],
-  "predicate_type": "https://in-toto.io/attestation/vulns/v0.1",
+  "predicate_type": "https://in-toto.io/attestation/vulns/v0.2",
  "predicate": {
  "scanner": {
  "uri": "osv.dev",
@@ -2412,7 +2412,7 @@ var (
  "uri": "pkg:maven/io.vertx/vertx-web@4.3.7?type=jar"
  }
  ],
-  "predicate_type": "https://in-toto.io/attestation/vulns/v0.1",
+  "predicate_type": "https://in-toto.io/attestation/vulns/v0.2",
  "predicate": {
  "scanner": {
  "uri": "osv.dev",
diff --git a/pkg/certifier/attestation/vuln/attestation_vuln.go b/pkg/certifier/attestation/vuln/attestation_vuln.go
index 653ef0c184..641a8d9556 100644
--- a/pkg/certifier/attestation/vuln/attestation_vuln.go
+++ b/pkg/certifier/attestation/vuln/attestation_vuln.go
@@ -21,13 +21,10 @@ import (
  attestationv1 "github.com/in-toto/attestation/go/v1"
 )
 
-// PredicateVuln This is a new predicate type for vulnerabilities based off
-// https://github.com/sigstore/cosign/blob/main/specs/COSIGN_VULN_ATTESTATION_SPEC.md.
-// This is used by the certifier to attest to vulnerabilities in an artifact.
-// Currently, the predicate is defined here but the intention is to upstream this to
-// https://github.com/in-toto/attestation in the near future once the quirks are worked out.
+// PredicateVuln is the predicate type for vulnerability attestations as defined by the
+// in-toto attestation framework. See https://github.com/in-toto/attestation/blob/main/spec/predicates/vulns_02.md
 const (
-  PredicateVuln = "https://in-toto.io/attestation/vulns/v0.1"
+  PredicateVuln = "https://in-toto.io/attestation/vulns/v0.2"
 )
 
 // VulnerabilityStatement defines the statement header and the vulnerability predicate
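Review bot: After this hunk the v0.1 URI survives only as a string literal in pkg/handler/processor/guesser/type_ite6.go, while `PredicateVuln` now carries v0.2, so the two predicate versions the system accepts no longer share a definition. Keep the old value as a named constant beside the new one, `PredicateVulnV01 = "https://in-toto.io/attestation/vulns/v0.1"` preceded by `// Deprecated: accepted on ingest for existing attestations only; new attestations use PredicateVuln.`, so the guesser and any parser-side version check reference one source of truth. The rewritten doc comment should also state which version the certifier emits and which versions ingest accepts, since that is the compatibility contract this change introduces; whether anything outside the diff compares `PredicateType` against `PredicateVuln` with `==` cannot be confirmed from here, but if it does, those v0.1 documents now fall through.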
@@ -44,13 +41,11 @@ type Metadata struct {
 }
 
 // Result defines the Vulnerability ID and its alias. There can be multiple
-// results per artifact
-// TODO: The spec has a discrepency that needs to be resolved, we are following
-// the example json in the spec since that seems to be what 2 examples we've seen
-// are using. Tracking https://github.com/in-toto/attestation/issues/391
+// results per artifact.
 type Result struct {
-  Id string `json:"id,omitempty"`
-  Severity []Severity `json:"severity,omitempty"`
+  Id string `json:"id,omitempty"`
+  Severity []Severity `json:"severity,omitempty"`
+  Annotations []map[string]interface{} `json:"annotations,omitempty"`
 }
 
 // Severity describes the severity of a vulnerability using one or more quantitative scoring method.
@@ -59,9 +54,6 @@ type Severity struct {
  Method string `json:"method,omitempty"`
  // required
  Score string `json:"score,omitempty"`
-  // ambiguous type definition ins spec, look at
-  // https://github.com/in-toto/attestation/issues/390https://github.com/in-toto/attestation/issues/390
-  Annotations []map[string]interface{} `json:"annotations,omitempty"`
 }
 
 // DB defines the scanner database used at the time of scan
diff --git a/pkg/handler/processor/guesser/type_ite6.go b/pkg/handler/processor/guesser/type_ite6.go
index be01b92282..066b36b723 100644
--- a/pkg/handler/processor/guesser/type_ite6.go
+++ b/pkg/handler/processor/guesser/type_ite6.go
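Review bot: Moving `Annotations` from `Severity` to `Result` (this hunk and the `@@ -59,9 +54,6 @@` hunk below it) changes the decoded JSON shape without any version switch, while the guesser change in type_ite6.go keeps routing v0.1 documents to the same parser; because encoding/json ignores unknown fields by default, a v0.1 attestation carrying `severity[].annotations` would decode without error and lose those annotations silently. If v0.1 is to stay accepted, either retain `Annotations []map[string]interface{} `json:"annotations,omitempty"`` on `Severity` with a `// Deprecated: v0.1 placement; v0.2 puts annotations on Result.` line above it, or have the parser reject a v0.1 `predicateType` explicitly, so that accepted-but-lossy decoding cannot happen for an attestation that feeds vulnerability decisions. The shortened comment on `Result` could also note that `Annotations` is new in v0.2, e.g. `// Annotations holds the per-result annotations introduced in vulns v0.2.`. The parser that consumes these structs is not in the diff, so whether it already branches on predicate version cannot be confirmed here.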
@@ -39,7 +39,8 @@ func (_ *ite6TypeGuesser) GuessDocumentType(blob []byte, format processor.Format
  return processor.DocumentITE6Generic
  } else if strings.HasPrefix(statement.PredicateType, "https://in-toto.io/attestation/certify/v0.1") {
  return processor.DocumentITE6Generic
-  } else if strings.HasPrefix(statement.PredicateType, "https://in-toto.io/attestation/vulns/v0.1") {
+  } else if strings.HasPrefix(statement.PredicateType, "https://in-toto.io/attestation/vulns/v0.1") ||
+  strings.HasPrefix(statement.PredicateType, "https://in-toto.io/attestation/vulns/v0.2") {
  return processor.DocumentITE6Vul
  } else if strings.HasPrefix(statement.PredicateType, "https://in-toto.io/attestation/clearlydefined/v0.1") {
  return processor.DocumentITE6ClearlyDefined
diff --git a/pkg/ingestor/parser/vuln/vuln.go b/pkg/ingestor/parser/vuln/vuln.go
index e1944ff200..c1c1452800 100644
--- a/pkg/ingestor/parser/vuln/vuln.go
+++ b/pkg/ingestor/parser/vuln/vuln.go
@@ -15,7 +15,7 @@
 
 // Package vuln attestation parser parses the attestation defined by by
 // the certifier using the predicate type
-// "https://in-toto.io/attestation/vulns/v0.1" Three different types of ingest
+// "https://in-toto.io/attestation/vulns/v0.2" Three different types of ingest
 // predicates are created.
 //
 // - IsOccurences are created mapping between any package
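Review bot: Both `strings.HasPrefix` calls on the added lines match on a version prefix, so the v0.1 branch also accepts `.../vulns/v0.10` or `.../vulns/v0.1-anything`, and the two literals duplicate the `PredicateVuln` constant that this same commit bumps in attestation_vuln.go, which is the dispatch point deciding which parser handles an untrusted document. Prefer exact comparison, `} else if statement.PredicateType == "https://in-toto.io/attestation/vulns/v0.1" ||` / `statement.PredicateType == "https://in-toto.io/attestation/vulns/v0.2" {`, ideally against named constants from the attestation package rather than inline strings; the neighbouring certify and clearlydefined branches use the same prefix pattern, so that is a pre-existing style to revisit together. Since v0.1 documents still land on `processor.DocumentITE6Vul` and are then decoded with the v0.2 struct, a comment on the added line is warranted, such as `// v0.1 is still accepted on ingest; the vuln parser decodes it with the v0.2 layout.`. `GuessDocumentType` starts and ends outside the hunk.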