feat(report): add support for Cosign vulnerability attestation #2567
go.mod
Outdated
@@ -28,7 +28,7 @@ require ( | |||
github.com/go-redis/redis/v8 v8.11.5 | |||
github.com/golang-jwt/jwt v3.2.2+incompatible | |||
github.com/golang/protobuf v1.5.2 | |||
github.com/google/go-containerregistry v0.7.1-0.20211214010025-a65b7844a475 | |||
github.com/google/go-containerregistry v0.8.1-0.20220209165246-a44adc326839 |
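Review bot: the move of github.com/google/go-containerregistry to a newer pseudo-version is unrelated to the attestation feature this PR adds; if nothing in the new code needs it, revert the line (and the matching go.sum entries) so a transitive dependency change is not buried in a feature PR where it will not get its own review.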
Do we need to bump the version?
No, we don't.
I updated go.mod unintentionally. I checked again, and go.mod needs no modifications.
go.mod
Outdated
@@ -49,7 +49,7 @@ require ( | |||
github.com/sosedoff/gitkit v0.3.0 | |||
github.com/spf13/cobra v1.5.0 | |||
github.com/spf13/pflag v1.0.5 | |||
github.com/spf13/viper v1.8.1 | |||
github.com/spf13/viper v1.12.0 |
ditto
same
#2567 (comment)
pkg/report/predicate/vuln.go
Outdated
// CosignVulnPredicate represents the Cosign Vulnerability predicate. | ||
// Cosign provides the CosignVulnPredicate structure in their repository. | ||
// But the type of Scanner.Result is defined as map[string]interface{}, which is difficult to use, | ||
// so we define our own. |
Add this link, please.
sigstore/cosign#2096
Alright. I've added the link.
pkg/report/predicate/vuln_test.go
Outdated
name string | ||
detectedVulns []types.DetectedVulnerability | ||
want predicate.CosignVulnPredicate | ||
wantResult types.Report |
Do we need it?
Sorry, I forgot to remove it.
pkg/report/predicate/vuln_test.go
Outdated
) | ||
|
||
func TestWriter_Write(t *testing.T) { | ||
testCases := []struct { |
It is a nitpick, but we're recently trying to comply with the same convention.
trivy/pkg/licensing/classifier_test.go
Line 16 in d93a997
tests := []struct { |
testCases := []struct { | |
tests := []struct { |
I've fixed it.
pkg/report/predicate/vuln_test.go
Outdated
}, | ||
} | ||
|
||
for _, tc := range testCases { |
nit: ditto
for _, tc := range testCases { | |
for _, tt := range testCases { |
I've fixed it.
pkg/report/predicate/vuln_test.go
Outdated
writer := predicate.NewWriter(output, "dev") | ||
|
||
err := writer.Write(inputResults) | ||
assert.NoError(t, err) |
nit: IMHO, `require` is better here as all the subsequent assertions will fail anyway when it returns an error.
assert.NoError(t, err) | |
require.NoError(t, err) |
It makes sense. I've fixed it.
pkg/report/predicate/vuln_test.go
Outdated
|
||
var got predicate.CosignVulnPredicate | ||
err = json.Unmarshal(output.Bytes(), &got) | ||
assert.NoError(t, err, "invalid json written") |
ditto
I've fixed it.
If you want to avoid writing an OCI registry and only want to see an attestation, add the `--no-upload` option to the `cosign` command. | ||
|
||
|
||
Cosign can generate key pairs and use them for signing and verification. Read more about [how to generate key pairs](https://docs.sigstore.dev/cosign/key-generation). |
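Review bot: in the first sentence, "avoid writing an OCI registry" should read "avoid writing to an OCI registry", and the sentence should name which `cosign` subcommand `--no-upload` belongs to, since the page describes more than one cosign step and a reader may try the option on the wrong one.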
Can we add a keyless section?
Alright. I've added a keyless signing section.
docs/docs/attestation/vuln.md
Outdated
|
||
## Generate Cosign Vulnerability Predicate | ||
|
||
Trivy generates reports in the [Cosign vulnerability predicate format](https://github.com/sigstore/cosign/blob/95b74db89941e8ec85e768f639efd4d948db06cd/specs/COSIGN_VULN_ATTESTATION_SPEC.md). |
Trivy generates reports in the [Cosign vulnerability predicate format](https://github.com/sigstore/cosign/blob/95b74db89941e8ec85e768f639efd4d948db06cd/specs/COSIGN_VULN_ATTESTATION_SPEC.md). | |
Trivy generates reports in the [Cosign vulnerability predicate format][vuln-attest-spec] |
And put it at the bottom.
[vuln-attest-spec]: https://github.com/sigstore/cosign/blob/95b74db89941e8ec85e768f639efd4d948db06cd/specs/COSIGN_VULN_ATTESTATION_SPEC.md
I've fixed it.
mkdocs.yml
Outdated
@@ -74,6 +74,7 @@ nav: | |||
- SPDX: docs/sbom/spdx.md | |||
- Attestation: | |||
- SBOM: docs/attestation/sbom.md | |||
- Cosign Vulnerability Predicate: docs/attestation/vuln.md |
To align with their doc.
Cosign Vulnerability Scan Record Attestation Specification
https://github.com/sigstore/cosign/blob/main/specs/COSIGN_VULN_ATTESTATION_SPEC.md
- Cosign Vulnerability Predicate: docs/attestation/vuln.md | |
- Cosign Vulnerability Scan Record: docs/attestation/vuln.md |
Done
pkg/report/predicate/vuln.go
Outdated
ScanFinishedOn time.Time `json:"scanFinishedOn"` | ||
} | ||
|
||
type Writer struct { |
We may have more predicates in the future.
type Writer struct { | |
type VulnWriter struct { |
Done
pkg/report/predicate/vuln.go
Outdated
version string | ||
} | ||
|
||
func NewWriter(output io.Writer, version string) Writer { |
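Review bot: if the struct is renamed to `VulnWriter` as proposed on the preceding hunk, the return type of this constructor has to follow; renaming only the function while it still returns `Writer` will not compile. Suggest `func NewVulnWriter(output io.Writer, version string) VulnWriter {` so the struct and constructor are renamed together.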
func NewWriter(output io.Writer, version string) Writer { | |
func NewVulnWriter(output io.Writer, version string) Writer { |
Done
pkg/report/predicate/vuln.go
Outdated
// But the type of Scanner.Result is defined as map[string]interface{}, which is difficult to use, | ||
// so we define our own. | ||
// The PR is in progress to replace Scanner.Result type to interface{}. | ||
// https://github.com/sigstore/cosign/pull/2096 |
This PR got merged. But we can keep our own structs so that we won't depend on cosign only for those small structs.
I have added comments on the background and references.
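The thread above argues for keeping Trivy's own typed predicate structs rather than depending on Cosign's `map[string]interface{}` `Scanner.Result`. As an added illustration (not Trivy's or Cosign's code), the hypothetical Go types below follow the field names of the Cosign vulnerability attestation spec linked in the thread with a typed `result`, and `CountHighOrCritical` shows the consumer-side access that an untyped map would complicate; the finding IDs and timestamps are constructed sample values.

```go
package main

import (
	"encoding/json"
	"os"
	"time"
)

// Constructed types in the shape of the Cosign vulnerability attestation spec; hypothetical, not Trivy's or Cosign's own.
type Finding struct {
	ID       string `json:"id"`
	Severity string `json:"severity"`
}
type Scanner struct {
	URI    string    `json:"uri"`
	Result []Finding `json:"result"` // typed, instead of Cosign's map[string]interface{}
}
type Metadata struct {
	ScanStartedOn  time.Time `json:"scanStartedOn"`
	ScanFinishedOn time.Time `json:"scanFinishedOn"`
}
type VulnPredicate struct {
	Scanner  Scanner  `json:"scanner"`
	Metadata Metadata `json:"metadata"`
}

// SamplePredicate builds a constructed predicate with two placeholder findings.
func SamplePredicate() VulnPredicate {
	end := time.Date(2022, 7, 21, 12, 0, 0, 0, time.UTC)
	return VulnPredicate{
		Scanner:  Scanner{URI: "pkg:github/aquasecurity/trivy", Result: []Finding{{"CVE-EXAMPLE-0001", "HIGH"}, {"CVE-EXAMPLE-0002", "LOW"}}},
		Metadata: Metadata{ScanStartedOn: end.Add(-time.Minute), ScanFinishedOn: end},
	}
}

// CountHighOrCritical decodes the JSON with the typed struct and counts gating findings; an untyped map would need a type assertion per level.
func CountHighOrCritical(raw []byte) (int, error) {
	var p VulnPredicate
	if err := json.Unmarshal(raw, &p); err != nil {
		return 0, err
	}
	n := 0
	for _, f := range p.Scanner.Result {
		if f.Severity == "HIGH" || f.Severity == "CRITICAL" {
			n++
		}
	}
	return n, nil
}

func main() { json.NewEncoder(os.Stdout).Encode(SamplePredicate()) }
```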
Description
Support `cosign-vuln` format option for Cosign vulnerability predicate.