package in_toto

import (
	"github.com/in-toto/in-toto-golang/in_toto/slsa_provenance/common"
	slsa01 "github.com/in-toto/in-toto-golang/in_toto/slsa_provenance/v0.1"
	slsa02 "github.com/in-toto/in-toto-golang/in_toto/slsa_provenance/v0.2"
	slsa1 "github.com/in-toto/in-toto-golang/in_toto/slsa_provenance/v1"
)

const (
	// StatementInTotoV01 is the statement type for the generalized link format
	// containing statements. This is constant for all predicate types and is
	// the only statement type (the JSON "_type" value) defined in this file;
	// a consumer should compare StatementHeader.Type against it before acting
	// on a decoded statement.
	StatementInTotoV01 = "https://in-toto.io/Statement/v0.1"
	// PredicateSPDX represents a SBOM using the SPDX standard.
	// The SPDX mandates 'spdxVersion' field, so predicate type can omit
	// version.
	PredicateSPDX = "https://spdx.dev/Document"
	// PredicateCycloneDX represents a CycloneDX SBOM.
	PredicateCycloneDX = "https://cyclonedx.org/bom"
	// PredicateLinkV1 represents an in-toto 0.9 link.
	PredicateLinkV1 = "https://in-toto.io/Link/v1"
)

// Subject describes the set of software artifacts the statement applies to.
type Subject struct {
	// Name is the artifact name; binding to the artifact's actual content is
	// done through Digest, not through Name.
	Name string `json:"name"`
	// Digest is the artifact's DigestSet from the common package
	// (presumably algorithm name -> digest; confirm against common.DigestSet).
	Digest common.DigestSet `json:"digest"`
}

// StatementHeader defines the common fields for all statements. Every
// concrete statement type in this file embeds it, so the "_type",
// "predicateType" and "subject" JSON fields are serialized identically.
type StatementHeader struct {
	// Type is the statement type (JSON "_type"); see StatementInTotoV01.
	Type string `json:"_type"`
	// PredicateType is the URI that tells a consumer how to interpret the
	// Predicate field of the enclosing statement (for example PredicateSPDX,
	// PredicateCycloneDX or PredicateLinkV1).
	PredicateType string `json:"predicateType"`
	// Subject lists the artifacts the statement applies to.
	Subject []Subject `json:"subject"`
}

/*
Statement binds the attestation to a particular subject and identifies the
type of the predicate. This struct represents a generic statement.

Because Predicate is an empty interface, decoding JSON into a Statement leaves
the predicate as untyped data (encoding/json yields map[string]interface{},
[]interface{} and scalars). A consumer must consult PredicateType and convert
explicitly rather than assume a particular shape; when the predicate type is
known up front, prefer one of the typed statements below (for example
LinkStatement or ProvenanceStatementSLSA1).
*/
type Statement struct {
	StatementHeader
	// Predicate contains type specific metadata.
	Predicate interface{} `json:"predicate"`
}

// ProvenanceStatementSLSA01 is the definition for an entire provenance statement with SLSA 0.1 predicate.
type ProvenanceStatementSLSA01 struct {
	StatementHeader
	// Predicate is the SLSA v0.1 provenance predicate.
	Predicate slsa01.ProvenancePredicate `json:"predicate"`
}

// ProvenanceStatementSLSA02 is the definition for an entire provenance statement with SLSA 0.2 predicate.
type ProvenanceStatementSLSA02 struct {
	StatementHeader
	// Predicate is the SLSA v0.2 provenance predicate.
	Predicate slsa02.ProvenancePredicate `json:"predicate"`
}

// ProvenanceStatementSLSA1 is the definition for an entire provenance statement with SLSA 1.0 predicate.
type ProvenanceStatementSLSA1 struct {
	StatementHeader
	// Predicate is the SLSA v1.0 provenance predicate.
	Predicate slsa1.ProvenancePredicate `json:"predicate"`
}

// ProvenanceStatement is the definition for an entire provenance statement with SLSA 0.2 predicate.
// It has the same shape as ProvenanceStatementSLSA02.
//
// Deprecated: Only version-specific provenance structs will be maintained
// (ProvenanceStatementSLSA01, ProvenanceStatementSLSA02, ProvenanceStatementSLSA1).
type ProvenanceStatement struct {
	StatementHeader
	// Predicate is the SLSA v0.2 provenance predicate.
	Predicate slsa02.ProvenancePredicate `json:"predicate"`
}

// LinkStatement is the definition for an entire link statement.
type LinkStatement struct {
	StatementHeader
	// Predicate is the Link type defined elsewhere in this package; the
	// matching predicate type URI is PredicateLinkV1.
	Predicate Link `json:"predicate"`
}

/*
SPDXStatement is the definition for an entire SPDX statement.
This is currently not implemented. Some tooling exists here:
https://github.com/spdx/tools-golang, but this software is still in
early state.
This struct is the same as the generic Statement struct but is added for
completeness; the matching predicate type URI is PredicateSPDX. As with
Statement, a decoded Predicate is untyped and must be converted by the
consumer.
*/
type SPDXStatement struct {
	StatementHeader
	// Predicate holds the SPDX document as untyped decoded data.
	Predicate interface{} `json:"predicate"`
}

/*
CycloneDXStatement defines a CycloneDX SBOM in the predicate. Like its SPDX
counterpart it has no concrete predicate type yet: Predicate is an empty
interface, as in the generic Statement, and the matching predicate type URI
is PredicateCycloneDX.
*/
type CycloneDXStatement struct {
	StatementHeader
	// Predicate holds the CycloneDX BOM as untyped decoded data.
	Predicate interface{} `json:"predicate"`
}