Status: Closed (colek42 closed this PR 4 days ago)
This allows us to do things like query for SBOMs and generate vuln reports.
```shell
➜ go-witness git:(feat/sbom-attestor) ✗ curl https://archivista.testifysec.io/download/b0accc787c8c45c1d90f52575f5ab2b672a7b5bd71948525f6e1c930f2362fc1 \
    | jq -r '.payload' \
    | base64 -d \
    | jq -r '.predicate.attestations[] | select(.type == "https://witness.dev/attestations/sbom/v0.1").attestation.sbomDocument' \
    | grype
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 3371k    0 3371k    0     0  4641k      0 --:--:-- --:--:-- --:--:-- 4637k
NAME                      INSTALLED  FIXED-IN  TYPE       VULNERABILITY        SEVERITY
github.com/gin-gonic/gin  v1.7.7     1.9.0     go-module  GHSA-3vp4-m3rf-835h  Medium
github.com/gin-gonic/gin  v1.7.7     1.9.1     go-module  GHSA-2c4m-59x9-fr2g  Medium
```
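The same extraction the jq pipeline above performs, written in Go as an added example (this is not code from the PR or from go-witness): decode the DSSE envelope payload, find the attestation whose type is `https://witness.dev/attestations/sbom/v0.1`, and return its `sbomDocument` as raw JSON so it can be piped to a scanner. The sample envelope is constructed inline; the collection `predicateType`, the git attestation type and the `application/vnd.in-toto+json` payload type are assumptions, as is the `commithash` field. Note the caveat the curl pipeline shares: neither it nor `ExtractSBOM` verifies the envelope signatures, so the SBOM is only as trustworthy as the download; verify the DSSE signatures against your policy before acting on the scan result.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// SBOMAttestationType is the attestation type string selected by the jq filter above.
const SBOMAttestationType = "https://witness.dev/attestations/sbom/v0.1"

// inTotoPayloadType is the DSSE payloadType expected for an in-toto statement
// (assumed here; check it against what Archivista actually returns).
const inTotoPayloadType = "application/vnd.in-toto+json"

// Envelope is the subset of a DSSE envelope needed to reach the payload.
// The signatures field is deliberately not modelled: this helper does NOT verify them.
type Envelope struct {
	PayloadType string `json:"payloadType"`
	Payload     string `json:"payload"` // standard base64 of the in-toto statement
}

// Statement is the subset of an in-toto statement carrying a witness attestation collection.
type Statement struct {
	PredicateType string `json:"predicateType"`
	Predicate     struct {
		Attestations []struct {
			Type        string          `json:"type"`
			Attestation json.RawMessage `json:"attestation"`
		} `json:"attestations"`
	} `json:"predicate"`
}

// ExtractSBOM mirrors the jq pipeline: decode the payload, pick the first attestation of
// SBOMAttestationType and return its sbomDocument untouched (SPDX or CycloneDX JSON).
// It reports an error for a wrong payload type, undecodable payload, or missing SBOM.
func ExtractSBOM(envelopeJSON []byte) (json.RawMessage, error) {
	var env Envelope
	if err := json.Unmarshal(envelopeJSON, &env); err != nil {
		return nil, fmt.Errorf("parse envelope: %w", err)
	}
	if env.PayloadType != inTotoPayloadType {
		return nil, fmt.Errorf("unexpected payloadType %q", env.PayloadType)
	}
	raw, err := base64.StdEncoding.DecodeString(env.Payload)
	if err != nil {
		return nil, fmt.Errorf("decode payload: %w", err)
	}
	var stmt Statement
	if err := json.Unmarshal(raw, &stmt); err != nil {
		return nil, fmt.Errorf("parse statement: %w", err)
	}
	for _, a := range stmt.Predicate.Attestations {
		if a.Type != SBOMAttestationType {
			continue
		}
		var att struct {
			SBOMDocument json.RawMessage `json:"sbomDocument"`
		}
		if err := json.Unmarshal(a.Attestation, &att); err != nil {
			return nil, fmt.Errorf("parse sbom attestation: %w", err)
		}
		if len(att.SBOMDocument) == 0 || string(att.SBOMDocument) == "null" {
			return nil, errors.New("sbom attestation has no sbomDocument")
		}
		return att.SBOMDocument, nil
	}
	return nil, errors.New("no sbom attestation in envelope")
}

// SampleEnvelope builds a constructed (not real) DSSE envelope: one unrelated git
// attestation followed by an SBOM attestation wrapping a minimal CycloneDX document.
// The collection predicateType and git attestation type are assumed values.
func SampleEnvelope() []byte {
	sbom := map[string]any{
		"bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1,
		"components": []map[string]any{{
			"type": "library", "name": "github.com/gin-gonic/gin", "version": "v1.7.7",
			"purl": "pkg:golang/github.com/gin-gonic/gin@v1.7.7",
		}},
	}
	stmt := map[string]any{
		"_type":         "https://in-toto.io/Statement/v0.1",
		"predicateType": "https://witness.testifysec.com/attestation-collection/v0.1",
		"predicate": map[string]any{"attestations": []map[string]any{
			{"type": "https://witness.dev/attestations/git/v0.1", "attestation": map[string]any{"commithash": "deadbeef"}},
			{"type": SBOMAttestationType, "attestation": map[string]any{"sbomDocument": sbom}},
		}},
	}
	raw, _ := json.Marshal(stmt)
	env, _ := json.Marshal(Envelope{PayloadType: inTotoPayloadType, Payload: base64.StdEncoding.EncodeToString(raw)})
	return env
}

func main() {
	doc, err := ExtractSBOM(SampleEnvelope())
	if err != nil {
		panic(err)
	}
	fmt.Println(string(doc)) // this JSON is what you would pipe into grype
}
```

Keeping `sbomDocument` as `json.RawMessage` matters: re-marshalling it through Go maps would reorder keys and could drop precision, and a downstream scanner (or a hash-based policy check) should see the bytes the attestor signed over, not a re-encoding.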
Continuing work on this attestor this week. I'll close this PR for now until the changes are ready for review.
This adds an SBOM attestor, and a check for those MIME types. It supports both SPDX and CycloneDX in JSON format.