Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Define intoto v1.0 statement type #265

Open
chuangw6 opened this issue Sep 8, 2023 · 6 comments · Fixed by #267
Open

Define intoto v1.0 statement type #265

chuangw6 opened this issue Sep 8, 2023 · 6 comments · Fixed by #267
Labels
bug Something isn't working

Comments

@chuangw6
Copy link
Contributor

chuangw6 commented Sep 8, 2023

As discussed in slsa-framework/slsa#918, SLSA v1 predicate is supposed to be wrapped in intoto v1.0 statement.

Therefore, I suppose there should be a const defined for intoto v1.0 statement type i.e. StatementInTotoV10, but there appears to be none.

in-toto-golang/in_toto/attestations.go

Lines 10 to 22 in 8a5dc9e

const (
// StatementInTotoV01 is the statement type for the generalized link format
// containing statements. This is constant for all predicate types.
StatementInTotoV01 = "https://in-toto.io/Statement/v0.1"
// PredicateSPDX represents a SBOM using the SPDX standard.
// The SPDX mandates 'spdxVersion' field, so predicate type can omit
// version.
PredicateSPDX = "https://spdx.dev/Document"
// PredicateCycloneDX represents a CycloneDX SBOM
PredicateCycloneDX = "https://cyclonedx.org/bom"
// PredicateLinkV1 represents an in-toto 0.9 link.
PredicateLinkV1 = "https://in-toto.io/Link/v1"
)

@chuangw6 chuangw6 added the bug Something isn't working label Sep 8, 2023
@chuangw6
Copy link
Contributor Author

chuangw6 commented Sep 8, 2023

cc @adityasaky @marcelamelara

@chuangw6 chuangw6 mentioned this issue Sep 8, 2023
Open
@marcelamelara
Copy link
Contributor

@chuangw6 Thanks for this issue! We've been discussing that this should be addressed as part of a larger effort to transition in-toto-golang towards the Go implementation of attestations, which includes this const (and would also address #260). Do you have the availability to work on importing the new attestation library yourself?

@marcelamelara marcelamelara mentioned this issue Sep 19, 2023
Merged
@adityasaky
Copy link
Member

I think this isn't fully resolved until we pull in pb layers?

@adityasaky adityasaky reopened this Sep 19, 2023
@pxp928
Copy link
Member

pxp928 commented Sep 19, 2023

Yes, seems to have auto-completed via #267

@marcelamelara
Copy link
Contributor

My interpretation of this issue is that @chuangw6 was only looking for const definition for the statement type. But I agree that the ultimate goal is to be able to generate predicates/statements from the pbs. I should have some cycles to work on that this week.

@marcelamelara marcelamelara mentioned this issue Sep 20, 2023
Closed
@chuangw6
Copy link
Contributor Author

My interpretation of this issue is that @chuangw6 was only looking for const definition for the statement type.

Yes, that's the intention of this ticket.

I should have some cycles to work on that this week.

Thank you @marcelamelara for taking care of this. Sorry for the delay. I recently transferred teams and got quite busy with handoff and onboarding, and in future I will be no longer working on open source projects. Someone else from Tekton side will be communicating with in-toto on the topic of attestation in future.

Thank again!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
4 participants
@adityasaky @chuangw6 @pxp928 @marcelamelara