-
Notifications
You must be signed in to change notification settings - Fork 51
/
attestations.go
99 lines (87 loc) · 3.35 KB
/
attestations.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
package in_toto
import (
"github.com/in-toto/in-toto-golang/in_toto/slsa_provenance/common"
slsa01 "github.com/in-toto/in-toto-golang/in_toto/slsa_provenance/v0.1"
slsa02 "github.com/in-toto/in-toto-golang/in_toto/slsa_provenance/v0.2"
slsa1 "github.com/in-toto/in-toto-golang/in_toto/slsa_provenance/v1"
)
const (
// StatementInTotoV01 is the statement type for the generalized link format
// containing statements. This is constant for all predicate types.
StatementInTotoV01 = "https://in-toto.io/Statement/v0.1"
// PredicateSPDX represents a SBOM using the SPDX standard.
// The SPDX mandates 'spdxVersion' field, so predicate type can omit
// version.
PredicateSPDX = "https://spdx.dev/Document"
// PredicateCycloneDX represents a CycloneDX SBOM
PredicateCycloneDX = "https://cyclonedx.org/bom"
// PredicateLinkV1 represents an in-toto 0.9 link.
PredicateLinkV1 = "https://in-toto.io/Link/v1"
)
// Subject describes the set of software artifacts the statement applies to.
type Subject struct {
Name string `json:"name"`
Digest common.DigestSet `json:"digest"`
}
// StatementHeader defines the common fields for all statements
type StatementHeader struct {
Type string `json:"_type"`
PredicateType string `json:"predicateType"`
Subject []Subject `json:"subject"`
}
/*
Statement binds the attestation to a particular subject and identifies the
of the predicate. This struct represents a generic statement.
*/
type Statement struct {
StatementHeader
// Predicate contains type speficic metadata.
Predicate interface{} `json:"predicate"`
}
// ProvenanceStatementSLSA01 is the definition for an entire provenance statement with SLSA 0.1 predicate.
type ProvenanceStatementSLSA01 struct {
StatementHeader
Predicate slsa01.ProvenancePredicate `json:"predicate"`
}
// ProvenanceStatementSLSA02 is the definition for an entire provenance statement with SLSA 0.2 predicate.
type ProvenanceStatementSLSA02 struct {
StatementHeader
Predicate slsa02.ProvenancePredicate `json:"predicate"`
}
// ProvenanceStatementSLSA1 is the definition for an entire provenance statement with SLSA 1.0 predicate.
type ProvenanceStatementSLSA1 struct {
StatementHeader
Predicate slsa1.ProvenancePredicate `json:"predicate"`
}
// ProvenanceStatement is the definition for an entire provenance statement with SLSA 0.2 predicate.
// Deprecated: Only version-specific provenance structs will be maintained (ProvenanceStatementSLSA01, ProvenanceStatementSLSA02).
type ProvenanceStatement struct {
StatementHeader
Predicate slsa02.ProvenancePredicate `json:"predicate"`
}
// LinkStatement is the definition for an entire link statement.
type LinkStatement struct {
StatementHeader
Predicate Link `json:"predicate"`
}
/*
SPDXStatement is the definition for an entire SPDX statement.
This is currently not implemented. Some tooling exists here:
https://github.com/spdx/tools-golang, but this software is still in
early state.
This struct is the same as the generic Statement struct but is added for
completeness
*/
type SPDXStatement struct {
StatementHeader
Predicate interface{} `json:"predicate"`
}
/*
CycloneDXStatement defines a cyclonedx sbom in the predicate. It is not
currently serialized just as its SPDX counterpart. It is an empty
interface, like the generic Statement.
*/
type CycloneDXStatement struct {
StatementHeader
Predicate interface{} `json:"predicate"`
}