Use in-toto CycloneDX predicate to be compatible with cosign

[lehors]

This addresses Issue #1268

As noted in in-toto/attestation#82 (comment) it is not clear what the predicate value should really be but this change leaves that question to in-toto and ensures alignment with other tools such as cosign.

Signed-off-by: Arnaud J Le Hors [email protected]

[lehors]

I'm told the CycloneDX project has discussed the matter and decided to use the same value as what syft is currently using. So, I'm changing this to a draft PR. We should wait for the in-toto definition to be updated before applying this PR.
See in-toto/attestation#82 (comment)

[kzantow]

Thanks for the follow-up @lehors!

[lehors]

The decision by the CycloneDX project is now official:
https://cyclonedx.org/specification/overview/#recognized-predicate-type

And in-toto-goland has been updated accordingly:
in-toto/in-toto-golang#188

I think it makes sense to merge this PR. It will make no difference in how syft works but it makes the code cleaner.

[spiffcs]

Yea Happy to merge this so we're using the value from the in-toto library. Really appreciate the follow up on this @lehors!

[spiffcs]

I think we just need to update this PR with the latest in-toto-golang

[lehors]

I think we just need to update this PR with the latest in-toto-golang

Indeed, I had just thought about that: I also need to update go.mod to get the newer version. I don't know what your policy is with regard to dependencies. Would you rather wait for the next official release of in-toto-golang so we can simply use the new tag? I think that's fine, there is no hurry.

[spiffcs]

Just pushed a commit that has the latest from main @anchore/tools let me know if you think we should just wait for the next release

[lehors]

Looks good. I think you can go ahead and merge this now. Thanks!