feat: Finalize the SLSA v1.0 provenance format

[asraa]

Fixes issue:
Fixes #197

Description:
Finalizes the SLSA v1.0 provenance format.

@adityasaky it would be great to merge the next branch into main soon and do a minor release with the SLSA v1 feature!

Please verify and check that the pull request fulfills the following
requirements:

• [ x ] Tests have been added for the bug fix or new feature
• Docs have been added for the bug fix or new feature

cc @MarkLodato @laurentsimon @chuangw6

[chuangw6]

Thank you @asraa !!
Can we add a provenance statement struct in model.go like these?

[chuangw6]

Also want to loop in @sherzberg-1 as fyi. Just want to make sure the intoto provenance statement can be serialized and deserialized to grafeas proto.

[sherzberg-1]

Thanks @chuangw6 , will make sure they can serialize/deserialize back and forth.

[MarkLodato]

LGTM

[chuangw6]

Hi @adityasaky ,
SLSA v1 is released. And I think this PR is up to date.
Can you please TAL at this PR and see if we can get the branch into main and cut a release?
Thanks!

[adityasaky]

Thanks @asraa! I think we can merge this overall.

However, I do want to hear from @in-toto/attestation-maintainers re using the models generated for ResourceDescriptor (and possibly Statement etc as well).

[adityasaky]

Thoughts on using ResourceDescriptor from https://github.com/in-toto/attestation/blob/main/go/v1/resource_descriptor.pb.go?

cc @marcelamelara

[chuangw6]

I think that's a good idea. But given the proto only defines ResourceDescriptor and misses many other fields of SLSA v1 predicate, should we move on with current approach and cut a release first, and later switch over to models generated from proto once all v1 predicate fields are well defined in attestation repo?

[marcelamelara]

To my understanding, SLSA already defines full protos for SLSA provenance v1: https://github.com/slsa-framework/slsa/tree/main/docs/provenance/schema/v1/provenance.proto

We (in-toto attestation maintainers) were operating under the assumption that SLSA will maintain all SLSA-related predicate spec and proto versions. Based on your comment here, it sounds like there's an expectation that the in-toto attestation repo should maintain (a separate copy) of SLSA provenance v1 protos?

[chuangw6]

Oh, I was only looking at https://github.com/in-toto/attestation/tree/main/protos/in_toto_attestation/v1. I thought intoto will define its own proto again.

If intoto can reuse the proto from SLSA, that would be great. I have no option on this :D I'd defer intoto maintainers to decide this.

I am looking forward to seeing an intoto-golang release for SLSA v1!

[marcelamelara]

Got it :) At least my preference would be to use the SLSA-defined protos for generating the language bindings for the predicate, so this integration is something we should definitely discuss on our end.

[chuangw6]

Sounds good to me! Is there a target date we can expect a release with the slsa v1 support? Thanks!

[adityasaky]

I think I'm okay to merge this PR and then next into main and cut a release to unblock other tools. My inclination is to switch it out behind the scenes later as we want to do that for multiple models, not just SLSA Provenance.

[pxp928]

+1 with @adityasaky can merge for now and switch behind the scenes in another release.

[adityasaky]

LGTM, I do have a question about the package directory.

[adityasaky]

I think I'm okay to merge this PR and then next into main and cut a release to unblock other tools. My inclination is to switch it out behind the scenes later as we want to do that for multiple models, not just SLSA Provenance.

[pxp928]

LGTM

[pxp928]

+1 with @adityasaky can merge for now and switch behind the scenes in another release.