Vulns attestation "result" struct discrepancy

[lumjjb]

There may be a discrepancy with the intoto vuln predicate (if i interpret it right).

It looks like the spec specifies scanner.result.[*].vulnerability, optional object indicates a nested vulnerability object, but within the example, it shows no intermediary "vulnerability" object.

      "result": [
        {
         "id": "CVE-123",
         "severity": [
          { "method": "nvd", "score": "medium"},
          { "method": "cvss_score", "score", "5.2" }
         ]
        },

It seems like the intent is to have scanner.result.[*] optional object instead of scanner.result.[*].vulnerability, optional object?

EDIT:

A similar discrepancy seems to hold with the severity field, where it is not specified as a list but shows as a list.

scanner.result.[*].vulnerability.severity, required object

but the example shows a list

      "result": [
        {
         "id": "CVE-123",
         "severity": [
          { "method": "nvd", "score": "medium"},
          { "method": "cvss_score", "score", "5.2" }
         ]
        },

EDIT 2:

Invocation also exists in the example, not part of the spec:

    "invocation": {
      "parameters": [],
      "uri": "https://github.com/developer-guy/alpine/actions/runs/1071875574",
      "event_id": "1071875574",
      "builder.id": "GitHub Actions"
    },

[lumjjb]

FYI @edonadei

[lumjjb]

Decision was to be fixed in v0.2 which is merged in #345. However, the invocation part of it is still a problem, i will create a PR to fix it directly on v0.2 since it is reasonable that the impact of spec implementors is minimal due to it being recent.

[puerco]

Following up to this one, I've opened #434 to address two inconsistencies between the protos and the spec with the metadata and scanner.db fields.

[marcelamelara]

@lumjjb @puerco if I'm reading this issue correctly, there is still a possible discrepancy related to optional subfields of the scanner.result[*] field that needs to be fixed, after #434 and #408?