Add proto definition for vuln predicate type #345
base: main
Conversation
Force-pushed from 48ea84a to 0d02476
related to #268
Thanks for sending this.
Besides the other comments, have you by any chance generated any json with this? Could you provide a sample? it would be nice to compare it against the example https://github.com/in-toto/attestation/blob/main/spec/predicates/vuln.md#example
go/predicates/vuln/v1/vuln.pb.go
I believe you don't need to (and shouldn't!) include these files in your change. Instead they'll be autogenerated by this workflow https://github.com/in-toto/attestation/blob/main/.github/workflows/make-protos.yml
Can you remove these files from this PR?
```proto
message Vulnerability {
  string id = 1;
  Severity severity = 2;
```
I think this is where we need resolution to #342
As defined here a given vulnerability can only have a single severity and method. In practice there are many ways to measure severity and users may need to express both in the vuln attestation.
We can see this in practice in the example.
So perhaps this should be repeated?
I'll make all these changes. 👍🏻
```proto
  string score = 2;
}

google.protobuf.Struct annotations = 3;
```
This is also a list so perhaps it should be repeated too?
Good catch.
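The two review points above (a finding needs a list of severity measurements, and annotations is a list too) are easier to judge against the JSON they would produce, which the first reviewer also asked for. The following Go program is an added example written for this page; it is not code from the in-toto/attestation project and does not use the generated protobuf bindings. It models the predicate with plain structs whose slice fields correspond to `repeated` proto fields, emits JSON shaped like the spec example at https://github.com/in-toto/attestation/blob/main/spec/predicates/vuln.md#example, and applies the consumer-side check a policy engine would want: every result carries at least one severity, and each severity names its method. Field names follow my reading of the vuln predicate spec; the key/value shape of an annotation entry and all sample values are assumptions, and the sample data is constructed, not real scan output.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Severity is one (method, score) measurement of a finding. A single
// finding can carry several (for example an NVD rating and a CVSS score),
// which is why Result holds a slice rather than a single value.
type Severity struct {
	Method string `json:"method"`
	Score  string `json:"score"`
}

// Annotation is one key/value entry attached to a finding.
// Shape assumed from the spec example; adjust if the spec differs.
type Annotation struct {
	Key   string `json:"key"`
	Value string `json:"value"`
}

// Result is one vulnerability reported by the scanner. Slices here are the
// JSON form a `repeated` proto field marshals to.
type Result struct {
	ID          string       `json:"id"`
	Severity    []Severity   `json:"severity"`
	Annotations []Annotation `json:"annotations,omitempty"`
}

// DB describes the vulnerability database the scanner used.
type DB struct {
	URI        string `json:"uri"`
	Version    string `json:"version"`
	LastUpdate string `json:"lastUpdate"`
}

// Scanner identifies the tool and carries its findings.
type Scanner struct {
	URI     string   `json:"uri"`
	Version string   `json:"version"`
	DB      DB       `json:"db"`
	Result  []Result `json:"result"`
}

// Metadata records when the scan ran.
type Metadata struct {
	ScanStartedOn  string `json:"scanStartedOn"`
	ScanFinishedOn string `json:"scanFinishedOn"`
}

// VulnPredicate is the predicate body as modeled here (field names taken
// from my reading of the spec; not the project's generated type).
type VulnPredicate struct {
	Scanner  Scanner  `json:"scanner"`
	Metadata Metadata `json:"metadata"`
}

// SamplePredicate builds a constructed sample (placeholder values, not real
// scan data) with one finding that carries two severity measurements, which
// a singular `Severity severity = 2;` field could not express.
func SamplePredicate() VulnPredicate {
	return VulnPredicate{
		Scanner: Scanner{
			URI:     "pkg:github/example/scanner@0000000", // placeholder purl
			Version: "0.0.0",
			DB: DB{
				URI:        "pkg:github/example/scanner-db@0000000", // placeholder purl
				Version:    "v1-00000000",
				LastUpdate: "2023-01-01T00:00:00Z",
			},
			Result: []Result{{
				ID: "CVE-0000-0000", // placeholder identifier
				Severity: []Severity{
					{Method: "nvd", Score: "medium"},
					{Method: "cvss_score", Score: "5.2"},
				},
				Annotations: []Annotation{{Key: "foo", Value: "bar"}},
			}},
		},
		Metadata: Metadata{
			ScanStartedOn:  "2023-01-01T00:00:00Z",
			ScanFinishedOn: "2023-01-01T00:05:00Z",
		},
	}
}

// CheckSeverities is a consumer-side check: a result with no severity, or a
// severity without its method, gives a policy nothing it can interpret.
func CheckSeverities(p VulnPredicate) error {
	for _, r := range p.Scanner.Result {
		if len(r.Severity) == 0 {
			return fmt.Errorf("result %q has no severity entry", r.ID)
		}
		for i, s := range r.Severity {
			if s.Method == "" || s.Score == "" {
				return fmt.Errorf("result %q severity[%d] is missing method or score", r.ID, i)
			}
		}
	}
	return nil
}

// ToJSON renders the predicate so it can be compared against the spec example.
func ToJSON(p VulnPredicate) (string, error) {
	b, err := json.MarshalIndent(p, "", "  ")
	if err != nil {
		return "", err
	}
	return string(b), nil
}

func main() {
	p := SamplePredicate()
	if err := CheckSeverities(p); err != nil {
		fmt.Println("invalid predicate:", err)
		return
	}
	out, err := ToJSON(p)
	if err != nil {
		fmt.Println(err)
		return
	}
	fmt.Println(out)
}
```

Running it prints `"severity": [ ... ]` and `"annotations": [ ... ]` as JSON arrays under the single result, which is the shape to diff against the spec example; with the singular fields from the diff excerpt above, the second severity entry would have no place to go.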
Friendly ping on this PR. @hectorj2f Could you please remove the generated Go/Python/Java files and add an entry for this proto here? Then I think your PR will be pretty much ready to go.
@marcelamelara Yes, I'll do it.
Signed-off-by: hectorj2f <[email protected]>
Force-pushed from 0d02476 to cd455a3
I think something might have gotten a bit screwy with the git commits (I've done this myself for sure). When I look at 'Files Changed' it doesn't look like anything has changed since our earlier comments?
I'm confused now. I followed what @marcelamelara commented above: remove all the generated Go/Python and Java code and leave the entry in protos.
If I understand correctly, having only the .proto file is what Tom had originally requested. But there may have been some edits to that proto file that were lost when the auto-generated files were removed? I only see 1 commit in this PR right now. Separately, I also had requested a minor documentation update to the /protos/README.md file, so that this new proto is included in that list.
Signed-off-by: hectorj2f <[email protected]>
Signed-off-by: hectorj2f <[email protected]>
Thanks for these changes, just a couple minor updates needed I think.
Signed-off-by: hectorj2f <[email protected]>
Thanks @hectorj2f ! LGTM.
One final question (which can be addressed in a separate PR, I think) is about the predicate type URI for this predicate. Right now, in the vuln predicate spec it's listed as @hectorj2f What do you think? Is this a concern?
This PR adds a proto definition for the vuln predicate type. This was pending since we added the vuln predicate type and it is needed to update the cosign vuln predicate types.