Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Consider one-to-one mapping of an invocation to scan result #1262

Closed
marshall007 opened this issue Dec 30, 2021 · 4 comments · Fixed by #1268
Closed

Consider one-to-one mapping of an invocation to scan result #1262

marshall007 opened this issue Dec 30, 2021 · 4 comments · Fixed by #1268
Labels
enhancement New feature or request

Comments

@marshall007
Copy link

The recent addition of the COSIGN_VULN_ATTESTATION_SPEC supports storing multiple scan results originating from a single invocation. I think it would be more intuitive if we encouraged folks to map a single invocation to a single scan result.

This would not only make it easier to construct the payload, but easier to write and evaluate policy against as well. I think we should discourage concatenating the outputs from multiple scans in a single invocation. Doing so would be inconsistent with what invocation is intended to represent as far as I can tell.

Constructing separate vulnerability attestations for different types of scanners makes it easier to write a process that evaluates one or more policies against them. For example, you would download a single, named vulnerability attestation and have some guarantee (or at least a reasonable expectation) that it will contain a result set of a particular schema.

Slack thread for reference: https://sigstore.slack.com/archives/C01PZKDL4DP/p1640878335099100
@marshall007 marshall007 added the enhancement New feature or request label Dec 30, 2021
@dlorenc
Copy link
Member

dlorenc commented Jan 2, 2022

cc @developer-guy @Dentrax what do you think?

@Dentrax
Copy link
Member

Dentrax commented Jan 2, 2022
edited
Loading

+1, that makes sense! It would be better if the the spec mapped single invocation to single scanner and result. In this case scanner field should not an array?

@dlorenc
Copy link
Member

dlorenc commented Jan 2, 2022

Yeah I think that's right!

jdolitsky added a commit to jdolitsky/cosign that referenced this issue Jan 4, 2022
@jdolitsky
One-to-one mapping of invocation to scan result
0821e76 
In COSIGN_VULN_ATTESTATION_SPEC, modify the "scanners"
field to be a single object "scanner" (vs. an array)
so that image scans are tied to a single invocation.

Resolves sigstore#1262

Signed-off-by: Josh Dolitsky <josh@dolit.ski>
@jdolitsky jdolitsky mentioned this issue Jan 4, 2022
Merged
@jdolitsky
Copy link
Contributor

Hello all, attempted to resolve this in #1268

dlorenc pushed a commit that referenced this issue Jan 5, 2022
@jdolitsky
One-to-one mapping of invocation to scan result (#1268)
242f586 
In COSIGN_VULN_ATTESTATION_SPEC, modify the "scanners"
field to be a single object "scanner" (vs. an array)
so that image scans are tied to a single invocation.

Resolves #1262

Signed-off-by: Josh Dolitsky <josh@dolit.ski>
mlieberman85 pushed a commit to mlieberman85/cosign that referenced this issue May 6, 2022
@jdolitsky @mlieberman85
One-to-one mapping of invocation to scan result (sigstore#1268)
a0ba593 
In COSIGN_VULN_ATTESTATION_SPEC, modify the "scanners"
field to be a single object "scanner" (vs. an array)
so that image scans are tied to a single invocation.

Resolves sigstore#1262

Signed-off-by: Josh Dolitsky <josh@dolit.ski>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

One-to-one mapping of invocation to scan result jdolitsky/cosign
4 participants
@jdolitsky @marshall007 @dlorenc @Dentrax