update vuln attestation to (opiniatedly) follow intoto/vulns v0.1 spec (

#2194) Signed-off-by: Brandon Lum <lumjjb@gmail.com>
guacsec · Oct 21, 2024 · ff4744b · ff4744b
1 parent 0b6f4a9
commit ff4744b
Show file tree

Hide file tree

Showing 11 changed files with 109 additions and 154 deletions.
diff --git a/internal/testing/dochelper/dochelper.go b/internal/testing/dochelper/dochelper.go
@@ -23,7 +23,7 @@ import (
 
 	jsoniter "github.com/json-iterator/go"
 
-	attestation_vuln "github.com/guacsec/guac/pkg/certifier/attestation"
+	attestation_vuln "github.com/guacsec/guac/pkg/certifier/attestation/vuln"
 	"github.com/guacsec/guac/pkg/handler/processor"
 )
 
@@ -173,8 +173,11 @@ func DocEqualWithTimestamp(gotDoc, wantDoc *processor.Document) (bool, error) {
 	}
 
 	// change the timestamp to match else it will fail to compare
-	want.Predicate.Metadata.ScannedOn = &testTime
-	got.Predicate.Metadata.ScannedOn = &testTime
+	want.Predicate.Metadata.ScanStartedOn = &testTime
+	got.Predicate.Metadata.ScanStartedOn = &testTime
+
+	want.Predicate.Metadata.ScanFinishedOn = &testTime
+	got.Predicate.Metadata.ScanFinishedOn = &testTime
 
 	return reflect.DeepEqual(want, got), nil
 }

diff --git a/internal/testing/testdata/exampledata/certify-novuln.json b/internal/testing/testdata/exampledata/certify-novuln.json
@@ -8,22 +8,13 @@
   ],
   "predicateType": "https://in-toto.io/attestation/vulns/v0.1",
   "predicate": {
-    "invocation": {
-      "parameters": [""],
-      "uri": "guac",
-      "event_id": "",
-      "producer_id": "guac"
-    },
     "scanner": {
       "uri": "osv.dev",
-      "version": "0.0.14",
-      "db": {
-        "uri": "",
-        "version": ""
-      }
+      "version": "0.0.14"
     },
     "metadata": {
-      "scannedOn": "2022-11-21T17:45:50.52Z"
+      "scanStartedOn": "2022-11-21T17:45:50.52Z",
+      "scanFinishedOn": "2022-11-21T17:45:50.52Z"
     }
   }
 }
diff --git a/internal/testing/testdata/exampledata/certify-vuln.json b/internal/testing/testdata/exampledata/certify-vuln.json
@@ -7,41 +7,26 @@
   ],
   "predicateType": "https://in-toto.io/attestation/vulns/v0.1",
   "predicate": {
-    "invocation": {
-      "parameters": [""],
-      "uri": "guac",
-      "event_id": "",
-      "producer_id": "guac"
-    },
     "scanner": {
       "uri": "osv.dev",
       "version": "0.0.14",
-      "db": {
-        "uri": "",
-        "version": ""
-      },
       "result": [{
-            "vulnerability_id": "GHSA-7rjr-3q55-vv33",
-            "aliases": [""]
+            "id": "GHSA-7rjr-3q55-vv33"
         }, {
-            "vulnerability_id": "GHSA-8489-44mv-ggj8",
-            "aliases": [""]
+            "id": "GHSA-8489-44mv-ggj8"
         }, {
-            "vulnerability_id": "GHSA-fxph-q3j8-mv87",
-            "aliases": [""]
+            "id": "GHSA-fxph-q3j8-mv87"
         }, {
-            "vulnerability_id": "GHSA-jfh8-c2jp-5v3q",
-            "aliases": [""]
+            "id": "GHSA-jfh8-c2jp-5v3q"
         }, {
-            "vulnerability_id": "GHSA-p6xc-xr62-6r2g",
-            "aliases": [""]
+            "id": "GHSA-p6xc-xr62-6r2g"
         }, {
-            "vulnerability_id": "GHSA-vwqq-5vrc-xw9h",
-            "aliases": [""]
+            "id": "GHSA-vwqq-5vrc-xw9h"
         }]
     },
     "metadata": {
-      "scannedOn": "2022-11-21T17:45:50.52Z"
+      "scanStartedOn": "2022-11-21T17:45:50.52Z",
+      "scanFinishedOn": "2022-11-21T17:45:50.52Z"
     }
   }
 }
diff --git a/internal/testing/testdata/testdata.go b/internal/testing/testdata/testdata.go
@@ -1893,23 +1893,20 @@ var (
 		],
 		"predicate_type":"https://in-toto.io/attestation/vulns/v0.1",
 		"predicate":{
-		   "invocation":{
-			  "uri":"guac",
-			  "producer_id":"guacsec/guac"
-		   },
 		   "scanner":{
 			  "uri":"osv.dev",
 			  "version":"0.0.14",
 			  "db":{
 			  },
 			  "result":[
 				 {
-					"vulnerability_id":"GHSA-599f-7c49-w659"
+					"id":"GHSA-599f-7c49-w659"
 				 }
 			  ]
 		   },
 		   "metadata":{
-			  "scannedOn":"2022-11-22T13:18:58.063182-05:00"
+			  "scanStartedOn":"2022-11-22T13:19:18.825699-05:00",
+                          "scanFinishedOn":"2022-11-22T13:19:18.825699-05:00"
 		   }
 		}
 	 }`
@@ -1922,17 +1919,13 @@ var (
 		],
 		"predicate_type":"https://in-toto.io/attestation/vulns/v0.1",
 		"predicate":{
-		   "invocation":{
-			  "uri":"guac",
-			  "producer_id":"guacsec/guac"
-		   },
 		   "scanner": {
 			"uri": "osv.dev",
-			"version": "0.0.14",
-			"db": {}
+			"version": "0.0.14"
 		   },
 		   "metadata":{
-			  "scannedOn":"2022-11-22T13:19:18.825699-05:00"
+			  "scanStartedOn":"2022-11-22T13:19:18.825699-05:00",
+			  "scanFinishedOn":"2022-11-22T13:19:18.825699-05:00"
 		   }
 		}
 	 }`
@@ -1945,17 +1938,13 @@ var (
 		],
 		"predicate_type":"https://in-toto.io/attestation/vulns/v0.1",
 		"predicate":{
-		   "invocation":{
-			  "uri":"guac",
-			  "producer_id":"guacsec/guac"
-		   },
 		   "scanner": {
 			"uri": "osv.dev",
-			"version": "0.0.14",
-			"db": {}
+			"version": "0.0.14"
 		   },
 		   "metadata":{
-			  "scannedOn":"2022-11-22T13:19:18.825699-05:00"
+			  "scanStartedOn":"2022-11-22T13:19:18.825699-05:00",
+			  "scanFinishedOn":"2022-11-22T13:19:18.825699-05:00"
 		   }
 		}
 	 }`
@@ -1968,38 +1957,35 @@ var (
 		],
 		"predicate_type":"https://in-toto.io/attestation/vulns/v0.1",
 		"predicate":{
-		   "invocation":{
-			  "uri":"guac",
-			  "producer_id":"guacsec/guac"
-		   },
 		   "scanner":{
 			  "uri":"osv.dev",
 			  "version":"0.0.14",
 			  "db":{
 			  },
 			  "result":[
 				 {
-					"vulnerability_id":"GHSA-7rjr-3q55-vv33"
+					"id":"GHSA-7rjr-3q55-vv33"
 				 },
 				 {
-					"vulnerability_id":"GHSA-8489-44mv-ggj8"
+					"id":"GHSA-8489-44mv-ggj8"
 				 },
 				 {
-					"vulnerability_id":"GHSA-fxph-q3j8-mv87"
+					"id":"GHSA-fxph-q3j8-mv87"
 				 },
 				 {
-					"vulnerability_id":"GHSA-jfh8-c2jp-5v3q"
+					"id":"GHSA-jfh8-c2jp-5v3q"
 				 },
 				 {
-					"vulnerability_id":"GHSA-p6xc-xr62-6r2g"
+					"id":"GHSA-p6xc-xr62-6r2g"
 				 },
 				 {
-					"vulnerability_id":"GHSA-vwqq-5vrc-xw9h"
+					"id":"GHSA-vwqq-5vrc-xw9h"
 				 }
 			  ]
 		   },
 		   "metadata":{
-			  "scannedOn":"2022-11-22T13:18:31.607996-05:00"
+			  "scanStartedOn":"2022-11-22T13:19:18.825699-05:00",
+			  "scanFinishedOn":"2022-11-22T13:19:18.825699-05:00"
 		   }
 		}
 	 }`
@@ -2029,17 +2015,13 @@ var (
 		],
 		"predicate_type": "https://in-toto.io/attestation/vulns/v0.1",
 		"predicate": {
-			"invocation": {
-				"uri": "guac",
-				"producer_id": "guacsec/guac"
-			},
 			"scanner": {
 				"uri": "osv.dev",
-				"version": "0.0.14",
-				"db": {}
+				"version": "0.0.14"
 			},
 			"metadata": {
-				"scannedOn": "2023-02-15T11:10:08.986308-08:00"
+				"scanStartedOn":"2022-11-22T13:19:18.825699-05:00",
+				"scanFinishedOn":"2022-11-22T13:19:18.825699-05:00"
 			}
 		}
 	}`
@@ -2053,17 +2035,13 @@ var (
 		],
 		"predicate_type": "https://in-toto.io/attestation/vulns/v0.1",
 		"predicate": {
-			"invocation": {
-				"uri": "guac",
-				"producer_id": "guacsec/guac"
-			},
 			"scanner": {
 				"uri": "osv.dev",
-				"version": "0.0.14",
-				"db": {}
+				"version": "0.0.14"
 			},
 			"metadata": {
-				"scannedOn": "2023-02-15T11:10:08.986401-08:00"
+				"scanStartedOn":"2022-11-22T13:19:18.825699-05:00",
+				"scanFinishedOn":"2022-11-22T13:19:18.825699-05:00"
 			}
 		}
 	}`
@@ -2077,17 +2055,13 @@ var (
 		],
 		"predicate_type": "https://in-toto.io/attestation/vulns/v0.1",
 		"predicate": {
-			"invocation": {
-				"uri": "guac",
-				"producer_id": "guacsec/guac"
-			},
 			"scanner": {
 				"uri": "osv.dev",
-				"version": "0.0.14",
-				"db": {}
+				"version": "0.0.14"
 			},
 			"metadata": {
-				"scannedOn": "2023-02-15T11:10:08.98646-08:00"
+				"scanStartedOn":"2022-11-22T13:19:18.825699-05:00",
+				"scanFinishedOn":"2022-11-22T13:19:18.825699-05:00"
 			}
 		}
 	}`
@@ -2101,22 +2075,18 @@ var (
 		],
 		"predicate_type": "https://in-toto.io/attestation/vulns/v0.1",
 		"predicate": {
-			"invocation": {
-				"uri": "guac",
-				"producer_id": "guacsec/guac"
-			},
 			"scanner": {
 				"uri": "osv.dev",
 				"version": "0.0.14",
-				"db": {},
 				"result": [
 					{
-						"vulnerability_id": "GHSA-9ph3-v2vh-3qx7"
+						"id": "GHSA-9ph3-v2vh-3qx7"
 					}
 				]
 			},
 			"metadata": {
-				"scannedOn": "2023-02-15T11:10:08.986506-08:00"
+				"scanStartedOn":"2023-02-15T11:10:08.986506-08:00",
+				"scanFinishedOn":"2023-02-15T11:10:08.986506-08:00"
 			}
 		}
 	}`
@@ -2130,22 +2100,18 @@ var (
 		],
 		"predicate_type": "https://in-toto.io/attestation/vulns/v0.1",
 		"predicate": {
-			"invocation": {
-				"uri": "guac",
-				"producer_id": "guacsec/guac"
-			},
 			"scanner": {
 				"uri": "osv.dev",
 				"version": "0.0.14",
-				"db": {},
 				"result": [
 					{
-						"vulnerability_id": "GHSA-53jx-vvf9-4x38"
+						"id": "GHSA-53jx-vvf9-4x38"
 					}
 				]
 			},
 			"metadata": {
-				"scannedOn": "2023-02-15T11:10:08.986592-08:00"
+				"scanStartedOn":"2023-02-15T11:10:08.986506-08:00",
+				"scanFinishedOn":"2023-02-15T11:10:08.986506-08:00"
 			}
 		}
 	}`

diff --git a/...tifier/attestation/attestation_license.go → ...ttestation/license/attestation_license.go b/...tifier/attestation/attestation_license.go → ...ttestation/license/attestation_license.go
@@ -151,3 +151,7 @@ type ClearlyDefinedPredicate struct {
 	Definition Definition `json:"definition,omitempty"`
 	Metadata   Metadata   `json:"metadata,omitempty"`
 }
+
+type Metadata struct {
+	ScannedOn *time.Time `json:"scannedOn,omitempty"`
+}