✨ Support results output as in-toto statement #4491
Conversation
Codecov Report
Attention: Patch coverage is
Additional details and impacted files
@@ Coverage Diff @@
## main #4491 +/- ##
==========================================
+ Coverage 66.80% 68.38% +1.57%
==========================================
Files 230 249 +19
Lines 16602 18820 +2218
==========================================
+ Hits 11091 12870 +1779
- Misses 4808 5097 +289
- Partials 703 853 +150
This is neat, @puerco!
OK, I've updated the patch with changes addressing the statement suggestions (and updated the example in the PR body)
Just a few trailing comments
This pull request has been marked stale because it has been open for 10 days with no activity
Oooh sorry I missed the latest reviews! I'm commenting to dismiss the stale warning, but I'll handle the review comments tomorrow morning. Thanks!
OK, I've renamed the methods from *Statement to InToto, PTAL!
Signed-off-by: Adolfo García Veytia (Puerco) <[email protected]>
Signed-off-by: Adolfo Garcia Veytia (puerco) <[email protected]>
This adds the intoto predicate type and the private statement type.
Signed-off-by: Adolfo García Veytia (Puerco) <[email protected]>
Adds a unit test for the attestation functions
Signed-off-by: Adolfo García Veytia (Puerco) <[email protected]>
OK, hopefully, this is the final update that is needed. I've renamed the
Thank you!
OK, hopefully, this is the final update that is needed
And thanks for your patience, this pkg/scorecard is the most important API surface for the project as a library, so I wanted to be careful about what was added. And sometimes changes required changes.
No problem at all, thank you for the thorough review! Happy to get it right :)
What kind of change does this PR introduce?
Feature
What is the current behavior?
Currently scorecard does not support generating in-toto statements.
What is the new behavior (if this is a feature change)?
This PR adds support to generate the scorecard output in an in-toto statement. It introduces a new possible value for the format flag: --format=intoto. The predicate format is open to discussion; right now it is just a reformatted version of JSONScorecardResultV2 with the repo removed (as it is now in the statement's subject section):
Which issue(s) this PR fixes
Fixes #3352
Special notes for your reviewer
Let me know if the predicate format should change (or if fields should be added or removed).
/cc @adityasaky as the original author of #3352
/cc @marcelamelara @mlieberman85
Does this PR introduce a user-facing change?
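As an added illustration (not code from this PR or from scorecard itself), the following Go program wraps a scorecard JSON result in an in-toto Statement v1 envelope the way the description above outlines: the repo moves into the statement's subject and the rest of the result is carried, unchanged, as the predicate. The shape of the sample result, the predicateType URI (the PR leaves the predicate format open) and the gitCommit digest key are assumptions made here.

```go
package main

import (
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// Statement is the in-toto Statement v1 envelope that wraps the scorecard predicate.
type Statement struct {
	Type          string               `json:"_type"`
	Subject       []ResourceDescriptor `json:"subject"`
	PredicateType string               `json:"predicateType"`
	Predicate     json.RawMessage      `json:"predicate"`
}

type ResourceDescriptor struct {
	Name   string            `json:"name"`
	Digest map[string]string `json:"digest"`
}

// Constructed sample in the shape of the JSON result; repo, commit and scores are made up.
const sampleResult = `{"date":"2024-11-01","repo":{"name":"github.com/ossf/scorecard","commit":
"0123456789abcdef0123456789abcdef01234567"},"score":7.5,"checks":[{"name":"Binary-Artifacts","score":10}]}`

// AsInToto moves the result's repo into the subject and keeps the rest as the predicate (predicateType is a placeholder).
func AsInToto(raw []byte, predicateType string) (*Statement, error) {
	var res map[string]any
	if err := json.Unmarshal(raw, &res); err != nil {
		return nil, fmt.Errorf("parsing scorecard result: %w", err)
	}
	repo, _ := res["repo"].(map[string]any) // nil map if absent; the lookups below then yield ""
	name, _ := repo["name"].(string)
	commit, _ := repo["commit"].(string)
	if _, err := hex.DecodeString(commit); name == "" || err != nil || len(commit) != 40 {
		return nil, fmt.Errorf("subject needs a repo name and a 40-hex commit, got %q@%q", name, commit)
	}
	delete(res, "repo")          // the repo is now described by the subject, not the predicate
	pred, _ := json.Marshal(res) // cannot fail: res was decoded from valid JSON
	return &Statement{Type: "https://in-toto.io/Statement/v1", PredicateType: predicateType, Predicate: pred,
		Subject: []ResourceDescriptor{{Name: name, Digest: map[string]string{"gitCommit": commit}}}}, nil
}

func main() {
	st, err := AsInToto([]byte(sampleResult), "https://example.invalid/scorecard/predicate/v0")
	if err != nil {
		panic(err)
	}
	out, _ := json.MarshalIndent(st, "", "  ")
	fmt.Println(string(out))
}
```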