propose new changes to the specification and rename to vulns
Signed-off-by: hectorj2f <hector@chainguard.dev>
hectorj2f committed Oct 13, 2024
1 parent bd07c01 commit ffffbc7
Showing 2 changed files with 12 additions and 11 deletions.
2 changes: 1 addition & 1 deletion spec/predicates/README.md
@@ -34,7 +34,7 @@ our [vetting process], and may be of general interest:
[Release]: release.md
[Runtime Traces]: runtime-trace.md
[SCAI Report]: scai.md
[Vulnerability]: vuln.md
[Vulnerability]: vulns.md
[SLSA Provenance]: https://slsa.dev/provenance
[SLSA Verification Summary]: vsa.md
[SPDX]: spdx.md
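Review bot: the link target changes from vuln.md to vulns.md, but nothing in this hunk tells a README reader that the predicate file itself was renamed, and any other reference to `spec/predicates/vuln.md` (other spec pages, external documentation, bookmarked URLs) now points at a missing file. Suggest searching the repository for `vuln.md` and `predicates/vuln` and updating every occurrence in this same commit, and recording the rename in the vulns.md changelog so consumers know which filename is canonical.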
21 changes: 11 additions & 10 deletions spec/predicates/vulns.md
@@ -68,33 +68,29 @@ The `predicate` contains a JSON-encoded data with the following fields:

> > > The timestamp of when the vulnerability DB was updated last time.
**scanner.result, required** list
**scanner.result, required** object list

> > The result contains a list of vulnerabilities. Note that an empty list means the **scanner** found no vulnerabilities.
> > This is the most important part of this field because it'll store the scan result as a whole. So, people might want
> > to use this field to take decisions based on them by making use of Policy Engines tooling whether allow or deny these images.
**scanner.result.[*].vulnerability, optional** object

> > > The vulnerability object defines information about each one of the vulnerabilities found by the scanner.
**scanner.result.[*].vulnerability.id, required** string
**scanner.result.[*].id, required** string

> > > > This is the identifier of the vulnerability, e.g. [GHSA-fxph-q3j8-mv87](https://github.com/advisories/GHSA-fxph-q3j8-mv87) whose CVE id is [CVE-2017-5645](https://nvd.nist.gov/vuln/detail/CVE-2017-5645).
**scanner.result.[*].vulnerability.severity, required** object
**scanner.result.[*].severity, required** object

> > > > The severity contains a list to describe the severity of a vulnerability using one or more quantitative scoring method.
**scanner.result.[*].vulnerability.severity.method, required** string
**scanner.result.[*].severity.method, required** string

> > > > > The method describes the quantitative method used to calculate the associated severity score such as nvd, cvss and others.
**scanner.result.[*].vulnerability.severity.score, required** string
**scanner.result.[*].severity.score, required** string

> > > > > This is a string representing the severity score based on the selected method.
**scanner.result.[*].vulnerability.annotations, optional** list, map <string, value>
**scanner.result.[*].annotations, optional** list, map <string, value>

> > > > > This is a list of key/value pairs where scanners can add additional custom information.
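Review bot: `scanner.result.[*].severity` is still typed as `object` while its description says it "contains a list to describe the severity ... using one or more quantitative scoring method", and `method` and `score` are documented as fields nested one level below it; an implementer cannot tell whether severity is `{"method": ..., "score": ...}` or `[{"method": ..., "score": ...}, ...]`. Since this hunk already corrects the shape of `result` to `object list`, either declare severity as `object list` as well and describe `method`/`score` as fields of each entry, or drop "list" and "one or more" from the description if exactly one score per vulnerability is intended. The same hunk introduces `scanner.result.[*].annotations, optional** list, map <string, value>`, which names two incompatible types; the description says "a list of key/value pairs", so pick one (`map <string, value>` if keys are unique, otherwise `object list` with explicit key and value fields) so that a JSON schema can be derived from the text. Finally, dropping the `vulnerability` nesting changes the JSON path of every required field: attestations already issued with `scanner.result[*].vulnerability.id` and any policy rules written against that path will stop matching, so the incompatibility should be stated explicitly in the document rather than left implicit in the field list.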
@@ -158,3 +154,8 @@ The `predicate` contains a JSON-encoded data with the following fields:
Not applicable for this initial version.

[Attestation]: ../README.md


2024-10-11:
- @lumjjb Remove ambiguity from the result object which included a redundant object 'vulnerability'.
- Add missing type to annotations

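Review bot: the new dated entries are appended directly beneath "Not applicable for this initial version.", which now reads as a contradiction; either replace that sentence or introduce the list with a line that makes clear it is the changelog for the predicate. The entries also omit two things a reader of this section needs: the rename of the predicate file from vuln.md to vulns.md that this same commit performs, and the fact that removing the `vulnerability` object changes the path of every field under `scanner.result`, so previously issued attestations do not conform to the revised text. "Add missing type to annotations" is also premature while the type added above still reads `list, map <string, value>`; record the single chosen type here once it is settled.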