From 4fcf62d37bb9dfe1f6399e5b4c5bb107743f6dfc Mon Sep 17 00:00:00 2001 From: hectorj2f Date: Sun, 13 Oct 2024 23:06:01 +0200 Subject: [PATCH] fix: lint issues in reference.md Signed-off-by: hectorj2f --- spec/predicates/reference.md | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/spec/predicates/reference.md b/spec/predicates/reference.md index b1ce517a..17d2d83d 100644 --- a/spec/predicates/reference.md +++ b/spec/predicates/reference.md @@ -27,11 +27,13 @@ A more opinionated predicate will increase usability and encourage adoption. ## Prerequisites + The [in-toto Attestation Framework](https://github.com/in-toto/attestation/blob/main/spec/README.md) and an SBOM specification such as [SPDX](https://spdx.dev/). ## Model + This predicate is intended to be generated and consumed throughout the software supply chain. In addition, it is intended to be used in the analysis of it as a whole. @@ -56,6 +58,7 @@ whole. ``` ### Parsing Rules + This predicate follows the [in-toto Attestation Framework's parsing rules](../v1/README.md#parsing-rules). @@ -68,6 +71,7 @@ being independently associated with each subject. See the [example](#reference-to-an-sbom-for-multiple-artifacts) with two subjects. ### Fields + `attester.id`: string ([TypeUri](../v1/field_types.md#typeuri)), *required* An identifier for the system that provides the document. @@ -79,7 +83,9 @@ for each. If the file type is unknown, `application/octet-stream` SHOULD be used. ## Examples + ### Reference to an SBOM for an image + ```json { "_type": "https://in-toto.io/Statement/v1", 
@@ -104,11 +110,14 @@ used. } } ``` + ### Reference to an SBOM for multiple artifacts + In this example, a single SBOM was generated for a set of build outputs by scanning the source file system. Per the [parsing rules](#parsing-rules), this attestation SHOULD be interpreted to mean that the SBOM was generated for both subjects -- it will list dependencies of both foo and bar. + ```json { "_type": "https://in-toto.io/Statement/v1",
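Review bot: on the hunk at `@@ -27,11 +27,13 @@`, the blank lines inserted after `## Prerequisites` and `## Model` fix the heading spacing, but the commit message "fix: lint issues in reference.md" does not say which linter or rule is being satisfied; name the rule (for markdownlint this would be the blank-lines-around-headings and blank-lines-around-fences rules) in the commit message so the nine whitespace-only insertions can be checked against it rather than taken on trust.

Review bot: on the hunk at `@@ -56,6 +58,7 @@`, only a blank line after `### Parsing Rules` is added, yet the context shows the closing ``` fence immediately preceding that heading, and the hunk at `@@ -104,11 +110,14 @@` had to insert a `+` blank line in exactly that fence-then-heading position before `### Reference to an SBOM for multiple artifacts`; confirm a blank line already separates the fence from `### Parsing Rules` here, otherwise the same heading-spacing rule will still flag this spot.

Review bot: on the hunk at `@@ -79,7 +83,9 @@`, blank lines are added after `## Examples` and after `### Reference to an SBOM for an image`, but the context does not show whether `## Examples` is itself preceded by a blank line after "SHOULD be used."; heading-spacing rules require blank lines on both sides, so check the line before `## Examples` as well before merging.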