Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add cyclonedx predicate type for attestations #1977

Merged
merged 3 commits into from
Jun 9, 2022
Merged

Add cyclonedx predicate type for attestations #1977

merged 3 commits into from
Jun 9, 2022

Conversation

jdolitsky
Copy link
Contributor

Follow up PR to #1974, but for CycloneDX SBOMs

@codecov-commenter
Copy link

codecov-commenter commented Jun 8, 2022
edited
Loading

Codecov Report

Merging #1977 (9244c0a) into main (2ccdb3e) will decrease coverage by 0.03%.
The diff coverage is 16.66%.

@@            Coverage Diff             @@
##             main    #1977      +/-   ##
==========================================
- Coverage   34.66%   34.63%   -0.04%     
==========================================
  Files         152      152              
  Lines       10090    10099       +9     
==========================================
  Hits         3498     3498              
- Misses       6222     6231       +9     
  Partials      370      370
Impacted Files Coverage Δ
cmd/cosign/cli/options/predicate.go 0.00% <0.00%> (ø)
pkg/policy/attestation.go 38.63% <0.00%> (-4.41%) ⬇️
...s/policy/v1alpha1/clusterimagepolicy_validation.go 94.97% <100.00%> (ø)
...is/policy/v1beta1/clusterimagepolicy_validation.go 94.97% <100.00%> (ø)

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 2ccdb3e...9244c0a. Read the comment docs.

jdolitsky
jdolitsky commented Jun 8, 2022
View reviewed changes
pkg/cosign/attestation/attestation.go Outdated
@@ -34,6 +34,9 @@ const (

// CosignVulnProvenanceV01 specifies the type of VulnerabilityScan Predicate
CosignVulnProvenanceV01 = "cosign.sigstore.dev/attestation/vuln/v1"

// PredicateCycloneDX represents a SBOM using the CycloneDX standard.
PredicateCycloneDX = "https://cyclonedx.org/Document"
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Was not sure the proper value for this. This is based on https://spdx.dev/Document defined within in-toto: https://github.com/in-toto/in-toto-golang/blob/af1f9fb822bf841779c916a954f651e908c5a818/in_toto/model.go#L81

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Filed this one on in-toto go, we could use the same value here: in-toto/in-toto-golang#169

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@puerco awesome, ty. Any reason for /schema vs. /document in that PR ?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Saw your comment there. Just changed to /schema

hectorj2f
hectorj2f previously approved these changes Jun 8, 2022
View reviewed changes
@dlorenc
Copy link
Member

dlorenc commented Jun 9, 2022

Needs a rebase

@jdolitsky
Copy link
Contributor Author

rebased!

@jdolitsky jdolitsky mentioned this pull request Jun 9, 2022
Merged
@dlorenc dlorenc merged commit f812aa5 into sigstore:main Jun 9, 2022
@github-actions github-actions bot added this to the v1.10.0 milestone Jun 9, 2022
@masahiro331 masahiro331 mentioned this pull request Jul 13, 2022
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@puerco puerco puerco left review comments

@dlorenc dlorenc dlorenc approved these changes

@hectorj2f hectorj2f hectorj2f left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
v1.10.0
Development

Successfully merging this pull request may close these issues.
5 participants
@jdolitsky @codecov-commenter @dlorenc @hectorj2f @puerco