[feature] Update vulnerability attestation to match new ITE-9 implementation #1242
Labels
Comments
|
Hey @pxp928, I'd like to have a go at this! |
|
Hey @rakshitgondwal sure thing but the vuln predicate type proto definition PR has not been merged yet: in-toto/attestation#345. Once it has been, that would be great to transition over. In the meantime, you can take a look at another issue that you would like to work on. Thank You! |
|
Sure, thank you @pxp928 |
|
Hi @rakshitgondwal ! I was wondering if you were still looking into this? I happened to have some vuln predicates ready for ingestion :). Would be awesome to see this! |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Is your feature request related to a problem? Please describe.
Currently, we are using our own version to attest to vulnerability information. A formal vulnerability predicate has been created by the in-toto community that we should instead switch to.
Describe the solution you'd like
Once the protobuf is defined in the upstream in-toto attestations repo, we can use that to replace the current temporary vulnerability attestation we have been using.
The existing and new predicates are very similar but the new predicate contains extra fields (such as vulnerability score) that we need to capture.
This requires a change to both the osv ceritifier and vulnerability parser to capture the added information (such as vulnerability score) into GUAC
The text was updated successfully, but these errors were encountered: