Making predicateTypes consistent with predicate names

[marcelamelara]

We recently introduced the notion of the predicate name, which we use in a couple ways: as a hint in the envelope mediaType, and in the predicateType URI for predicates in the in-toto/attestation namespace (see step 4).

Most predicates in the in-toto/attestation namespace already follow this convention for the predicateTypes, but we have two that were defined before we introduced this convention and don't:

• scai: https://in-toto/attestatoin/scai/attribute-report/v* (adds extra dir in path)
• vuln: https://in-toto/attestation/vulns/v* (adds S to predicate name).

How should we resolve these two cases?

My recommendation for SCAI is to remove the "attribute-report" piece since it somehow implies that there may be other subtypes of SCAI, and we don't currently support predicate subtypes. This may break existing tooling (mostly in-toto/scai-demos), and we may need to bump the predicate version number.

My suggestion for vuln may be to update the predicate name to vulns.md since that won't break current tools.

Any other thoughts? If this looks good, I'll open a PR to make the relevant changes.

[marcelamelara]

Update: We may probably also move the expected naming convention to the predicate template in spec/predicates/templates.

[adityasaky]

My suggestion for vuln may be to update the predicate name to vulns.md since that won't break current tools.

This seems reasonable to me.