Bump SCAI predicate version to v0.3

Signed-off-by: Marcela Melara <[email protected]>

.github/workflows/lint.yml

@@ -19,7 +19,7 @@ jobs:
     steps:
       - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32
         with:
-          go-version: '1.21.x'
+          go-version: '1.22.x'
       - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332
       - name: golangci-lint
         uses: golangci/golangci-lint-action@aaa42aa0628b4ae2578232a66b541047968fac86

.github/workflows/test-e2e-flow.yml

@@ -18,7 +18,7 @@ jobs:
       - name: Install Go
         uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32
         with:
-          go-version: 1.21.x
+          go-version: 1.22.x
 
       - name: Checkout updated scai-gen CLI tools
         uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332

go.mod

@@ -1,6 +1,9 @@
 module github.com/in-toto/scai-demos
 
-go 1.21
+go 1.22.5
+
+toolchain go1.22.6
+
 require (
 	github.com/google/cel-go v0.21.0
 	github.com/in-toto/attestation v1.1.0

scai-gen/cmd/check.go

@@ -6,6 +6,7 @@ import (
 	"io/fs"
 	"os"
 	"path/filepath"
+	"slices"
 	"strings"
 
 	"github.com/in-toto/scai-demos/scai-gen/pkg/fileio"
@@ -156,7 +157,7 @@ func checkEvidence(_ *cobra.Command, args []string) error {
 		return fmt.Errorf("failed read evidence files in directory %s: %w", evidenceDir, err)
 	}
 
-	if statement.GetPredicateType() != "https://in-toto.io/attestation/scai/attribute-report/v0.2" {
+	if !isSupportedPredicateType(statement.GetPredicateType()) {
 		return fmt.Errorf("evidence checking only supported for SCAI attestations")
 	}
 
@@ -282,3 +283,22 @@ func getAllEvidenceFiles(evidenceDir string) (map[string][]byte, error) {
 
 	return evidenceMap, nil
 }
+
+func isSupportedPredicateType(predicateType string) bool {
+	supportedTypes := []string{"attribute-report/v0.2", "v0.3"}
+
+	// TODO: a future version of the scai Go package will have a const for this URI
+	version, found := strings.CutPrefix(predicateType, "https://in-toto.io/attestation/scai/")
+
+	if found {
+		idx := slices.IndexFunc(supportedTypes, func(v string) bool {
+			return v == version
+		})
+
+		if idx > -1 {
+			return true
+		}
+		return false
+	}
+	return false
+}

scai-gen/cmd/report.go

@@ -23,6 +23,7 @@ var reportCmd = &cobra.Command{
 var (
 	subjectFile  string
 	producerFile string
+	version      string
 )
 
 func init() {
@@ -52,6 +53,14 @@ func init() {
 		"The filename of the JSON-encoded producer resource descriptor",
 	)
 
+	reportCmd.Flags().StringVarP(
+		&version,
+		"version",
+		"v",
+		"v0.3",
+		"The spec version to generate for the generated attribute report",
+	)
+
 	reportCmd.Flags().BoolVarP(
 		&prettyPrint,
 		"pretty-print",
@@ -115,7 +124,16 @@ func genAttrReport(_ *cobra.Command, args []string) error {
 		return err
 	}
 
-	statement, err := generators.NewStatement([]*ita.ResourceDescriptor{subject}, "https://in-toto.io/attestation/scai/attribute-report/v0.2", reportStruct)
+	// TODO: a future version of the scai Go package will have a const for this URI
+	predicateType := "https://in-toto.io/attestation/scai/"
+	if version == "v0.2" {
+		suffix := "attribute-report/v0.2"
+		predicateType += suffix
+	} else {
+		predicateType += version
+	}
+
+	statement, err := generators.NewStatement([]*ita.ResourceDescriptor{subject}, predicateType, reportStruct)
 	if err != nil {
 		return fmt.Errorf("unable to generate in-toto Statement: %w", err)
 	}