guacsec / guac

GUAC aggregates software security metadata into a high fidelity graph database.
https://guac.sh
Apache License 2.0

[feature] Update vulnerability attestation to match new ITE-9 implementation #1242

Open pxp928 opened 1 year ago

pxp928 commented 1 year ago

Is your feature request related to a problem? Please describe.

Currently, we are using our own version to attest to vulnerability information. A formal vulnerability predicate has been created by the in-toto community that we should instead switch to.

Describe the solution you'd like

Once the protobuf is defined in the upstream in-toto attestations repo, we can use that to replace the current temporary vulnerability attestation we have been using.

The existing and new predicates are very similar but the new predicate contains extra fields (such as vulnerability score) that we need to capture.

This requires a change to both the OSV certifier and the vulnerability parser to capture the added information (such as vulnerability score) into GUAC.

rakshitgondwal commented 6 months ago

Hey @pxp928, I'd like to have a go at this!

pxp928 commented 6 months ago

Hey @rakshitgondwal sure thing but the vuln predicate type proto definition PR has not been merged yet: https://github.com/in-toto/attestation/pull/345. Once it has been, that would be great to transition over.

In the meantime, you can take a look at another issue that you would like to work on. Thank you!

rakshitgondwal commented 5 months ago

Sure, thank you @pxp928

lumjjb commented 2 weeks ago

Hi @rakshitgondwal! I was wondering if you were still looking into this? I happened to have some vuln predicates ready for ingestion :). Would be awesome to see this!