
Conversation

@puerco puerco (Member) commented Dec 1, 2023

Summary

This PR adds support for OpenVEX as a known predicate type to the cosign attest, cosign download attestation and cosign attest-blob commands.

Instead of linking the openvex go-modules, I've hardcoded the value of the predicate URI in a const to avoid growing the dependency tree.

Resolves #3404

Release Note

  • OpenVEX is now one of the recognized predicate types using the identifier string openvex as the type.

Documentation

TBD

Signed-off-by: Adolfo García Veytia (Puerco) puerco@chainguard.dev

@codecov codecov bot commented Dec 1, 2023

Codecov Report

Attention: 1 line in your changes is missing coverage. Please review.

Comparison is base (304ff16) 29.70% compared to head (22f9204) 30.21%.
Report is 4 commits behind head on main.

❗ Current head 22f9204 differs from pull request most recent head 39623db. Consider uploading reports for the commit 39623db to get more accurate results

Files                                  Patch %   Lines
cmd/cosign/cli/options/predicate.go    0.00%     1 Missing ⚠️
@@            Coverage Diff             @@
##             main    #3405      +/-   ##
==========================================
+ Coverage   29.70%   30.21%   +0.51%     
==========================================
  Files         155      155              
  Lines        9966     9966              
==========================================
+ Hits         2960     3011      +51     
+ Misses       6575     6505      -70     
- Partials      431      450      +19     

☔ View full report in Codecov by Sentry.

@hectorj2f hectorj2f (Contributor) left a comment

Where could I find more about the OpenVEX predicate specification to know what to put in my attestation?

OpenVEX is an implementation of the Vulnerability Exploitability
Exchange (VEX) designed to be attestable, SBOM-agnostic and lightweight.
It is hosted in the OpenSSF Vulnerability Disclosures WG and has
support in popular scanners such as Trivy and Grype.

This PR adds support for openvex predicates to the `cosign attest` and
`cosign download attestation` commands.

Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev>
@puerco puerco (Member, Author) commented Dec 5, 2023

I also added a link to our current attestation spec: https://github.com/openvex/spec/blob/main/ATTESTING.md
I can switch the link once we finish registering our predicate type with our in-toto friends :)
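The two things a user of this feature touches are the short predicate name passed on the command line and the predicateType URI it resolves to inside the in-toto statement, which a verifier then has to check exactly. The following is an added, stand-alone Go example written for this page; it is not cosign's code and does not reproduce the constant the PR adds. It assumes the in-toto Statement v0.1 envelope, takes the predicateType URI `https://openvex.dev/ns` from the OpenVEX attestation spec linked above rather than from cosign's `predicate.go` (which is not shown here), and embeds a constructed OpenVEX document whose identifiers and digest are placeholders.

```go
package main

import (
	"encoding/json"
	"fmt"
)

const (
	// in-toto Statement type URI (assumed from the in-toto framework, not from the PR).
	statementType = "https://in-toto.io/Statement/v0.1"
	// predicateType URI from the OpenVEX attestation spec (ATTESTING.md). Assumption:
	// the constant the PR hardcodes is not visible on the page, so this comes from the spec.
	openVEXPredicateType = "https://openvex.dev/ns"
	// Constructed all-zero sha256 used only as sample data.
	placeholderDigest = "0000000000000000000000000000000000000000000000000000000000000000"
)

// predicateTypes maps the short identifier a user passes on the command line to the
// URI written into the statement. Constructed table; only the openvex entry matters here.
var predicateTypes = map[string]string{"openvex": openVEXPredicateType}

// Subject names one artifact the attestation is about.
type Subject struct {
	Name   string            `json:"name"`
	Digest map[string]string `json:"digest"`
}

// Statement is the in-toto envelope cosign wraps a predicate in.
type Statement struct {
	Type          string    `json:"_type"`
	Subject       []Subject `json:"subject"`
	PredicateType string    `json:"predicateType"`
	Predicate     any       `json:"predicate"`
}

// ResolvePredicateType turns a short name such as "openvex" into its URI and rejects
// anything not in the table, so a typo cannot silently yield an unexpected predicateType.
func ResolvePredicateType(short string) (string, error) {
	uri, ok := predicateTypes[short]
	if !ok {
		return "", fmt.Errorf("unknown predicate type %q", short)
	}
	return uri, nil
}

// BuildStatement wraps a predicate in an in-toto statement for one subject.
func BuildStatement(name, sha256, predicateType string, predicate any) Statement {
	return Statement{
		Type:          statementType,
		Subject:       []Subject{{Name: name, Digest: map[string]string{"sha256": sha256}}},
		PredicateType: predicateType,
		Predicate:     predicate,
	}
}

// CheckPredicateType is the consumer-side check: a policy expecting OpenVEX must compare
// predicateType exactly rather than only parsing the predicate, otherwise a statement of
// another type whose JSON happens to decode could be accepted as VEX data.
func CheckPredicateType(raw []byte, expected string) (*Statement, error) {
	var st Statement
	if err := json.Unmarshal(raw, &st); err != nil {
		return nil, fmt.Errorf("decoding statement: %w", err)
	}
	if st.Type != statementType {
		return nil, fmt.Errorf("unexpected statement type %q", st.Type)
	}
	if st.PredicateType != expected {
		return nil, fmt.Errorf("predicateType %q, want %q", st.PredicateType, expected)
	}
	return &st, nil
}

// ExampleOpenVEXStatement resolves "openvex" and serializes a statement carrying a minimal,
// constructed OpenVEX document; every identifier in it is a placeholder, not real data.
func ExampleOpenVEXStatement() ([]byte, error) {
	pt, err := ResolvePredicateType("openvex")
	if err != nil {
		return nil, err
	}
	doc := map[string]any{
		"@context":  "https://openvex.dev/ns/v0.2.0",
		"@id":       "https://example.invalid/vex/placeholder-001",
		"author":    "Example Security Team (constructed)",
		"timestamp": "2023-12-01T00:00:00Z",
		"version":   1,
		"statements": []map[string]any{{
			"vulnerability": map[string]any{"name": "EXAMPLE-VULN-0001"},
			"products":      []map[string]any{{"@id": "pkg:oci/example@sha256%3A" + placeholderDigest}},
			"status":        "not_affected",
			"justification": "vulnerable_code_not_in_execute_path",
		}},
	}
	return json.Marshal(BuildStatement("example.invalid/image", placeholderDigest, pt, doc))
}

func main() {
	raw, err := ExampleOpenVEXStatement()
	if err != nil {
		panic(err)
	}
	fmt.Println(string(raw))
}
```

The point of keeping the short-name table closed (an unknown name is an error rather than a pass-through) is that the predicateType is what a verification policy keys on; on the consuming side, `CheckPredicateType` rejects a statement whose predicateType differs from the expected OpenVEX URI before any VEX statements in it are trusted.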

@hectorj2f hectorj2f requested a review from Hayden-IO December 6, 2023 18:18
@cpanato cpanato (Member) left a comment

thx lgtm

@hectorj2f hectorj2f merged commit 421c02a into sigstore:main Dec 7, 2023
@github-actions github-actions bot added this to the v2.3.0 milestone Dec 7, 2023

Development

Successfully merging this pull request may close these issues.

Support for OpenVEX in known predicate types
