guacsec · gaganhr94 · Mar 15, 2026
diff --git a/internal/testing/testdata/exampledata/certify-novuln.json b/internal/testing/testdata/exampledata/certify-novuln.json
@@ -6,7 +6,7 @@
         "digest": {"sha256": "3a2bd2c5cc4c978e8aefd8bd0ef335fb42ee31d1"}
       }
   ],
-  "predicateType": "https://in-toto.io/attestation/vulns/v0.1",
+  "predicateType": "https://in-toto.io/attestation/vulns/v0.2",
   "predicate": {
     "scanner": {
       "uri": "osv.dev",

diff --git a/internal/testing/testdata/exampledata/certify-vuln.json b/internal/testing/testdata/exampledata/certify-vuln.json
@@ -5,7 +5,7 @@
       "uri": "pkg:maven/org.apache.logging.log4j/log4j-core@2.8.1"
     }
   ],
-  "predicateType": "https://in-toto.io/attestation/vulns/v0.1",
+  "predicateType": "https://in-toto.io/attestation/vulns/v0.2",
   "predicate": {
     "scanner": {
       "uri": "osv.dev",

diff --git a/internal/testing/testdata/testdata.go b/internal/testing/testdata/testdata.go
@@ -2181,7 +2181,7 @@ var (
 			  "uri":"pkg:maven/org.apache.commons/commons-text@1.9"
 		   }
 		],
-		"predicate_type":"https://in-toto.io/attestation/vulns/v0.1",
+		"predicate_type":"https://in-toto.io/attestation/vulns/v0.2",
 		"predicate":{
 		   "scanner":{
 			  "uri":"osv.dev",
@@ -2207,7 +2207,7 @@ var (
 			  "uri":"pkg:oci/vul-secondLevel-latest?repository_url=gcr.io"
 		   }
 		],
-		"predicate_type":"https://in-toto.io/attestation/vulns/v0.1",
+		"predicate_type":"https://in-toto.io/attestation/vulns/v0.2",
 		"predicate":{
 		   "scanner": {
 			"uri": "osv.dev",
@@ -2226,7 +2226,7 @@ var (
 			  "uri":"pkg:oci/vul-image-latest?repository_url=gcr.io"
 		   }
 		],
-		"predicate_type":"https://in-toto.io/attestation/vulns/v0.1",
+		"predicate_type":"https://in-toto.io/attestation/vulns/v0.2",
 		"predicate":{
 		   "scanner": {
 			"uri": "osv.dev",
@@ -2245,7 +2245,7 @@ var (
 			  "uri":"pkg:maven/org.apache.logging.log4j/log4j-core@2.8.1"
 		   }
 		],
-		"predicate_type":"https://in-toto.io/attestation/vulns/v0.1",
+		"predicate_type":"https://in-toto.io/attestation/vulns/v0.2",
 		"predicate":{
 		   "scanner":{
 			  "uri":"osv.dev",
@@ -2324,7 +2324,7 @@ var (
 				"uri": "pkg:maven/io.vertx/vertx-web-common@4.3.7?type=jar"
 			}
 		],
-		"predicate_type": "https://in-toto.io/attestation/vulns/v0.1",
+		"predicate_type": "https://in-toto.io/attestation/vulns/v0.2",
 		"predicate": {
 			"scanner": {
 				"uri": "osv.dev",
@@ -2344,7 +2344,7 @@ var (
 				"uri": "pkg:maven/io.vertx/vertx-auth-common@4.3.7?type=jar"
 			}
 		],
-		"predicate_type": "https://in-toto.io/attestation/vulns/v0.1",
+		"predicate_type": "https://in-toto.io/attestation/vulns/v0.2",
 		"predicate": {
 			"scanner": {
 				"uri": "osv.dev",
@@ -2364,7 +2364,7 @@ var (
 				"uri": "pkg:maven/io.vertx/vertx-bridge-common@4.3.7?type=jar"
 			}
 		],
-		"predicate_type": "https://in-toto.io/attestation/vulns/v0.1",
+		"predicate_type": "https://in-toto.io/attestation/vulns/v0.2",
 		"predicate": {
 			"scanner": {
 				"uri": "osv.dev",
@@ -2384,7 +2384,7 @@ var (
 				"uri": "pkg:maven/io.vertx/vertx-core@4.3.7?type=jar"
 			}
 		],
-		"predicate_type": "https://in-toto.io/attestation/vulns/v0.1",
+		"predicate_type": "https://in-toto.io/attestation/vulns/v0.2",
 		"predicate": {
 			"scanner": {
 				"uri": "osv.dev",
@@ -2412,7 +2412,7 @@ var (
 		      "uri": "pkg:maven/io.vertx/vertx-web@4.3.7?type=jar"
 		    }
 		  ],
-		  "predicate_type": "https://in-toto.io/attestation/vulns/v0.1",
+		  "predicate_type": "https://in-toto.io/attestation/vulns/v0.2",
 		  "predicate": {
 		    "scanner": {
 		      "uri": "osv.dev",

diff --git a/pkg/certifier/attestation/vuln/attestation_vuln.go b/pkg/certifier/attestation/vuln/attestation_vuln.go
@@ -21,13 +21,10 @@ import (
 	attestationv1 "github.com/in-toto/attestation/go/v1"
 )
 
-// PredicateVuln This is a new predicate type for vulnerabilities based off
-// https://github.com/sigstore/cosign/blob/main/specs/COSIGN_VULN_ATTESTATION_SPEC.md.
-// This is used by the certifier to attest to vulnerabilities in an artifact.
-// Currently, the predicate is defined here but the intention is to upstream this to
-// https://github.com/in-toto/attestation in the near future once the quirks are worked out.
+// PredicateVuln is the predicate type for vulnerability attestations as defined by the
+// in-toto attestation framework. See https://github.com/in-toto/attestation/blob/main/spec/predicates/vulns_02.md
 const (
-	PredicateVuln = "https://in-toto.io/attestation/vulns/v0.1"
+	PredicateVuln = "https://in-toto.io/attestation/vulns/v0.2"
 )
 
 // VulnerabilityStatement defines the statement header and the vulnerability predicate
@@ -44,13 +41,11 @@ type Metadata struct {
 }
 
 // Result defines the Vulnerability ID and its alias. There can be multiple
-// results per artifact
-// TODO: The spec has a discrepency that needs to be resolved, we are following
-// the example json in the spec since that seems to be what 2 examples we've seen
-// are using. Tracking https://github.com/in-toto/attestation/issues/391
+// results per artifact.
 type Result struct {
-	Id       string     `json:"id,omitempty"`
-	Severity []Severity `json:"severity,omitempty"`
+	Id          string                   `json:"id,omitempty"`
+	Severity    []Severity               `json:"severity,omitempty"`
+	Annotations []map[string]interface{} `json:"annotations,omitempty"`
 }
 
 // Severity describes the severity of a vulnerability using one or more quantitative scoring method.
@@ -59,9 +54,6 @@ type Severity struct {
 	Method string `json:"method,omitempty"`
 	// required
 	Score string `json:"score,omitempty"`
-	// ambiguous type definition ins spec, look at
-	// https://github.com/in-toto/attestation/issues/390https://github.com/in-toto/attestation/issues/390
-	Annotations []map[string]interface{} `json:"annotations,omitempty"`
 }
 
 // DB defines the scanner database used at the time of scan

diff --git a/pkg/handler/processor/guesser/type_ite6.go b/pkg/handler/processor/guesser/type_ite6.go
@@ -39,7 +39,8 @@ func (_ *ite6TypeGuesser) GuessDocumentType(blob []byte, format processor.Format
 				return processor.DocumentITE6Generic
 			} else if strings.HasPrefix(statement.PredicateType, "https://in-toto.io/attestation/certify/v0.1") {
 				return processor.DocumentITE6Generic
-			} else if strings.HasPrefix(statement.PredicateType, "https://in-toto.io/attestation/vulns/v0.1") {
+			} else if strings.HasPrefix(statement.PredicateType, "https://in-toto.io/attestation/vulns/v0.1") ||
+				strings.HasPrefix(statement.PredicateType, "https://in-toto.io/attestation/vulns/v0.2") {
 				return processor.DocumentITE6Vul
 			} else if strings.HasPrefix(statement.PredicateType, "https://in-toto.io/attestation/clearlydefined/v0.1") {
 				return processor.DocumentITE6ClearlyDefined

diff --git a/pkg/ingestor/parser/vuln/vuln.go b/pkg/ingestor/parser/vuln/vuln.go
@@ -15,7 +15,7 @@
 
 // Package vuln attestation parser parses the attestation defined by by
 // the certifier using the predicate type
-// "https://in-toto.io/attestation/vulns/v0.1" Three different types of ingest
+// "https://in-toto.io/attestation/vulns/v0.2" Three different types of ingest
 // predicates are created.
 //
 // - IsOccurences are created mapping between any package