
[feature] Update vulnerability attestation to match new ITE-9 implementation

Open pxp928 opened this issue 1 year ago • 3 comments

Is your feature request related to a problem? Please describe.

Currently, we are using our own version to attest to vulnerability information. A formal vulnerability predicate has been created by the in-toto community that we should instead switch to.

Describe the solution you'd like

Once the protobuf is defined in the upstream in-toto attestations repo, we can use that to replace the current temporary vulnerability attestation we have been using.

The existing and new predicates are very similar but the new predicate contains extra fields (such as vulnerability score) that we need to capture.

This requires a change to both the osv certifier and vulnerability parser to capture the added information (such as vulnerability score) into GUAC.

pxp928 avatar Sep 08 '23 16:09 pxp928
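As an added example, not code from the GUAC project or from this issue's author: a small Go parser that reads the score field out of a vulns-predicate statement and refuses statements carrying any other predicateType, so a parser never lifts scores from an unrelated attestation. The predicate type URI, the field names (`scanner.result[].id`, `severity[].method`, `severity[].score`) and the sample statement are my assumptions about the in-toto vulns predicate, not values from this page.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Assumed predicate type URI and field names for the in-toto vulns predicate;
// check them against the upstream in-toto/attestation spec before relying on them.
const VulnsPredicateType = "https://in-toto.io/attestation/vulns/v0.2"

type Severity struct {
	Method string `json:"method"` // scoring system, e.g. a CVSS version
	Score  string `json:"score"`  // the field the current GUAC predicate lacks
}
type vulnResult struct {
	ID       string     `json:"id"`
	Severity []Severity `json:"severity"`
}
type vulnPredicate struct {
	Scanner struct {
		Result []vulnResult `json:"result"`
	} `json:"scanner"`
}
type statement struct {
	PredicateType string          `json:"predicateType"`
	Predicate     json.RawMessage `json:"predicate"`
}

// ExtractScores maps each vulnerability ID in a vulns statement to its scores.
// It rejects any other predicateType so scores are never read from an
// unrelated attestation, and reports malformed JSON as an error.
func ExtractScores(data []byte) (map[string][]Severity, error) {
	var st statement
	if err := json.Unmarshal(data, &st); err != nil {
		return nil, err
	}
	if st.PredicateType != VulnsPredicateType {
		return nil, fmt.Errorf("unexpected predicateType %q", st.PredicateType)
	}
	var p vulnPredicate
	if err := json.Unmarshal(st.Predicate, &p); err != nil {
		return nil, err
	}
	out := make(map[string][]Severity)
	for _, r := range p.Scanner.Result {
		out[r.ID] = append(out[r.ID], r.Severity...)
	}
	return out, nil
}

// Sample is a constructed statement with placeholder IDs and digest, not a real scan.
const Sample = `{"_type":"https://in-toto.io/Statement/v1","subject":[{"name":"pkg:example/app@1.0","digest":{"sha256":"placeholder"}}],"predicateType":"https://in-toto.io/attestation/vulns/v0.2","predicate":{"scanner":{"uri":"pkg:example/scanner","version":"0.0","result":[{"id":"CVE-0000-00000","severity":[{"method":"cvss_v3","score":"7.5"},{"method":"nvd","score":"high"}]}]}}}`

func main() { fmt.Println(ExtractScores([]byte(Sample))) }
```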

Hey @pxp928, I'd like to have a go at this!

rakshitgondwal avatar Apr 26 '24 08:04 rakshitgondwal

Hey @rakshitgondwal sure thing but the vuln predicate type proto definition PR has not been merged yet: https://github.com/in-toto/attestation/pull/345. Once it has been, that would be great to transition over.

In the meantime, you can take a look at another issue that you would like to work on. Thank you!

pxp928 avatar Apr 26 '24 12:04 pxp928

Sure, thank you @pxp928

rakshitgondwal avatar Apr 27 '24 04:04 rakshitgondwal