Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Vulns attestation "result" struct discrepancy #391

Open
lumjjb opened this issue Oct 11, 2024 · 4 comments
Open

Vulns attestation "result" struct discrepancy #391

lumjjb opened this issue Oct 11, 2024 · 4 comments

Comments

@lumjjb
Copy link
Contributor

lumjjb commented Oct 11, 2024
edited
Loading

There may be a discrepancy with the intoto vuln predicate (if i interpret it right).

It looks like the spec specifies scanner.result.[*].vulnerability, optional object indicates a nested vulnerability object, but within the example, it shows no intermediary "vulnerability" object.

      "result": [
        {
         "id": "CVE-123",
         "severity": [
          { "method": "nvd", "score": "medium"},
          { "method": "cvss_score", "score", "5.2" }
         ]
        },

It seems like the intent is to have scanner.result.[*] optional object instead of scanner.result.[*].vulnerability, optional object?

EDIT:

A similar discrepancy seems to hold with the severity field, where it is not specified as a list but shows as a list.

scanner.result.[*].vulnerability.severity, required object

but the example shows a list

      "result": [
        {
         "id": "CVE-123",
         "severity": [
          { "method": "nvd", "score": "medium"},
          { "method": "cvss_score", "score", "5.2" }
         ]
        },

EDIT 2:

Invocation also exists in the example, not part of the spec:

    "invocation": {
      "parameters": [],
      "uri": "https://github.com/developer-guy/alpine/actions/runs/1071875574",
      "event_id": "1071875574",
      "builder.id": "GitHub Actions"
    },
This was referenced Oct 11, 2024
Merged
Closed
@lumjjb
Copy link
Contributor Author

lumjjb commented Oct 25, 2024

FYI @edonadei

@lumjjb
Copy link
Contributor Author

lumjjb commented Nov 16, 2024

Decision was to be fixed in v0.2 which is merged in #345. However, the invocation part of it is still a problem, i will create a PR to fix it directly on v0.2 since it is reasonable that the impact of spec implementors is minimal due to it being recent.

@lumjjb lumjjb mentioned this issue Nov 16, 2024
Merged
@puerco
Copy link
Contributor

puerco commented Jan 21, 2025

Following up to this one, I've opened #434 to address two inconsistencies between the protos and the spec with the metadata and scanner.db fields.

@marcelamelara
Copy link
Contributor

marcelamelara commented Jan 23, 2025
edited
Loading

@lumjjb @puerco if I'm reading this issue correctly, there is still a possible discrepancy related to optional subfields of the scanner.result[*] field that needs to be fixed, after #434 and #408?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@lumjjb @puerco @marcelamelara