feat: vuln attest support (sigstore#1168)

Signed-off-by: Batuhan Apaydın <[email protected]> Co-authored-by: Furkan Türkal <[email protected]> Signed-off-by: Batuhan Apaydın <[email protected]> Co-authored-by: Furkan Türkal <[email protected]> Signed-off-by: Batuhan Apaydın <[email protected]>
developer-guy · Dec 21, 2021 · f2d5299 · f2d5299
1 parent 6a4afef
commit f2d5299
Show file tree

Hide file tree

Showing 6 changed files with 491 additions and 6 deletions.
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
@@ -34,9 +34,7 @@ jobs:
       - uses: actions/setup-go@v2
         with:
           go-version: '1.17.x'
-      - uses: imjasonh/[email protected]
-        with:
-          version: tip
+      - uses: imjasonh/setup-ko@main
       - name: Set up Cloud SDK
         uses: google-github-actions/setup-gcloud@master
         with:

diff --git a/cmd/cosign/cli/options/predicate.go b/cmd/cosign/cli/options/predicate.go
@@ -32,6 +32,7 @@ const (
 	PredicateSLSA   = "slsaprovenance"
 	PredicateSPDX   = "spdx"
 	PredicateLink   = "link"
+	PredicateVuln   = "vuln"
 )
 
 // PredicateTypeMap is the mapping between the predicate `type` option to predicate URI.
@@ -40,6 +41,7 @@ var PredicateTypeMap = map[string]string{
 	PredicateSLSA:   slsa.PredicateSLSAProvenance,
 	PredicateSPDX:   in_toto.PredicateSPDX,
 	PredicateLink:   in_toto.PredicateLinkV1,
+	PredicateVuln:   attestation.CosignVulnProvenanceV01,
 }
 
 // PredicateOptions is the wrapper for predicate related options.
@@ -52,7 +54,7 @@ var _ Interface = (*PredicateOptions)(nil)
 // AddFlags implements Interface
 func (o *PredicateOptions) AddFlags(cmd *cobra.Command) {
 	cmd.Flags().StringVar(&o.Type, "type", "custom",
-		"specify a predicate type (slsaprovenance|link|spdx|custom) or an URI")
+		"specify a predicate type (slsaprovenance|link|spdx|vuln|custom) or an URI")
 }
 
 // ParsePredicateType parses the predicate `type` flag passed into a predicate URI, or validates `type` is a valid URI.

diff --git a/doc/cosign_attest.md b/doc/cosign_attest.md
diff --git a/doc/cosign_verify-attestation.md b/doc/cosign_verify-attestation.md
diff --git a/pkg/cosign/attestation/attestation.go b/pkg/cosign/attestation/attestation.go
@@ -32,6 +32,9 @@ import (
 const (
 	// CosignCustomProvenanceV01 specifies the type of the Predicate.
 	CosignCustomProvenanceV01 = "cosign.sigstore.dev/attestation/v1"
+
+	// CosignVulnProvenanceV01 specifies the type of VulnerabilityScan Predicate
+	CosignVulnProvenanceV01 = "cosign.sigstore.dev/attestation/vuln/v1"
 )
 
 // CosignPredicate specifies the format of the Custom Predicate.
@@ -40,6 +43,37 @@ type CosignPredicate struct {
 	Timestamp string
 }
 
+// VulnPredicate specifies the format of the Vulnerability Scan Predicate
+type CosignVulnPredicate struct {
+	Invocation Invocation `json:"invocation"`
+	Scanners   []Scanner  `json:"scanners"`
+	Metadata   Metadata   `json:"metadata"`
+}
+
+type Invocation struct {
+	Parameters interface{} `json:"parameters"`
+	URI        string      `json:"uri"`
+	EventID    string      `json:"event_id"`
+	BuilderID  string      `json:"builder.id"`
+}
+
+type DB struct {
+	URI     string `json:"uri"`
+	Version string `json:"version"`
+}
+
+type Scanner struct {
+	URI     string                 `json:"uri"`
+	Version string                 `json:"version"`
+	DB      DB                     `json:"db"`
+	Result  map[string]interface{} `json:"result"`
+}
+
+type Metadata struct {
+	ScanStartedOn  time.Time `json:"scanStartedOn"`
+	ScanFinishedOn time.Time `json:"scanFinishedOn"`
+}
+
 // GenerateOpts specifies the options of the Statement generator.
 type GenerateOpts struct {
 	// Predicate is the source of bytes (e.g. a file) to use as the statement's predicate.
@@ -71,13 +105,29 @@ func GenerateStatement(opts GenerateOpts) (interface{}, error) {
 		return generateSPDXStatement(predicate, opts.Digest, opts.Repo)
 	case "link":
 		return generateLinkStatement(predicate, opts.Digest, opts.Repo)
+	case "vuln":
+		return generateVulnStatement(predicate, opts.Digest, opts.Repo)
 	default:
 		stamp := timestamp(opts)
 		predicateType := customType(opts)
 		return generateCustomStatement(predicate, predicateType, opts.Digest, opts.Repo, stamp)
 	}
 }
 
+func generateVulnStatement(predicate []byte, digest string, repo string) (interface{}, error) {
+	var vuln CosignVulnPredicate
+
+	err := json.Unmarshal(predicate, &vuln)
+	if err != nil {
+		return nil, err
+	}
+
+	return in_toto.Statement{
+		StatementHeader: generateStatementHeader(digest, repo, CosignVulnProvenanceV01),
+		Predicate:       vuln,
+	}, nil
+}
+
 func timestamp(opts GenerateOpts) string {
 	if opts.Time == nil {
 		opts.Time = time.Now