Add proto definition for vuln predicate type #345
Conversation
hectorj2f
force-pushed
the
vuln-att-protos
branch
from
48ea84a
to
0d02476
Compare
|
related to #268 |
There was a problem hiding this comment.
Thanks for sending this.
Besides the other comments, have you by any chance generated any json with this? Could you provide a sample? it would be nice to compare it against the example https://github.com/in-toto/attestation/blob/main/spec/predicates/vuln.md#example
go/predicates/vuln/v1/vuln.pb.go
Outdated
There was a problem hiding this comment.
I believe you don't need (and shouldn't!) include these files in your change. Instead they'll be autogenerated by this workflow https://github.com/in-toto/attestation/blob/main/.github/workflows/make-protos.yml
Can you remove this these files from this PR?
|
|
||
| message Vulnerability { | ||
| string id = 1; | ||
| Severity severity = 2; |
There was a problem hiding this comment.
I think this is where we need resolution to #342
As defined here a given vulnerability can only have a single severity and method. In practice there are many ways to measure severity and users may need to express both in the vuln attestation.
We can see this in practice in the example.
So perhaps this should be repeated?
There was a problem hiding this comment.
I'll make all these changes. 👍🏻
| string score = 2; | ||
| } | ||
|
|
||
| google.protobuf.Struct annotations = 3; |
There was a problem hiding this comment.
This is also a list so perhaps it should be repeated too?
|
Friendly ping on this PR. @hectorj2f Could you please remove the generated Go/Python/Java files and add an entry for this proto here? then I think your PR will be pretty much ready to go. |
|
@marcelamelara Yes, I'll do it. |
Signed-off-by: hectorj2f <[email protected]>
hectorj2f
force-pushed
the
vuln-att-protos
branch
from
0d02476
to
cd455a3
Compare
|
I think something might have gotten a bit screwy with the git commits (I've done this myself for sure). When I look at 'Files Changed' it doesn't look like anything has changed since our earlier comments? |
|
I'm confused now. I followed what @marcelamelara commented above remove all the generated go/python and java code and leave the entry in protos. |
|
If I understand correctly, having only the .proto file is what Tom had originally requested. But there may have been some edits to that proto file that were lost when the auto-generated files were removed? I only see 1 commit in this PR right now. Separately, I also had requested a minor documentation update to the /protos/README.md file. This way this new proto is included in that list. |
Signed-off-by: hectorj2f <[email protected]>
Signed-off-by: hectorj2f <[email protected]>
Signed-off-by: hectorj2f <[email protected]>
|
One final question (which can be addressed in a separate PR, I think) is about the predicate type URI for this predicate. Right now, in the vuln predicate spec it's listed as @hectorj2f What do you think? Is this a concern? |
This PR adds a proto definition for the vuln predicate type. This was pending since we added the vuln predicate type and it is needed to update the cosign vuln predicate types.