import "encoding/json"
import "strings"
import "list"
// First attempt: block a BOM that contains a specific vulnerability entry.
// NOTE(review): the encoding/json and strings imports above are not
// referenced in this policy; CUE normally errors on unused imports —
// confirm with `cue vet` and drop what is unused.
#Predicate: {
  Data: string
  Timestamp: string
}
// Shape of the finding to block. `...` keeps the definition open so the
// extra fields in a CycloneDX vulnerability entry (source, ratings, ...)
// do not make the match fail on closedness.
#Vulnerability: {
  id: "CVE-2023-6931"
  ...
}
predicate: {
  vulnerabilities: [...]
  // NOTE(review): `result.vulnerabilities` refers back to the field being
  // defined here (a cycle); the list to search is the sibling
  // `vulnerabilities`. list.Contains also compares whole elements for
  // equality, so it is unlikely to report a BOM entry as equal to the open
  // #Vulnerability definition — confirm; the comprehension used later on
  // this page compares `v.id` explicitly instead.
  result: list.Contains(result.vulnerabilities, #Vulnerability)
}
// Unifies with predicate.result above. list.Contains yields a bool while
// list.MaxItems(0) validates an (empty) list, so as written the two
// constraints appear to conflict — confirm before relying on this rule.
predicate: result: list.MaxItems(0)
# Scan the image and write a CycloneDX BOM that carries the vuln findings;
# this file becomes the attestation predicate in the next step.
# NOTE(review): as written the command has no image reference; `trivy image`
# expects it after the flags (presumably the ttl.sh digest attested below).
$ trivy image --format cyclonedx --output result.json --scanners vuln
{
...
"vulnerabilities": [
{
"id": "CVE-2023-6931",
"source": {
"name": "ubuntu",
"url": "https://git.launchpad.net/ubuntu-cve-tracker"
}
]
}
# Attach result.json to the image as an in-toto attestation, addressed by
# digest so the statement is bound to exactly this image content.
# --type cyclonedx records predicateType https://cyclonedx.org/bom, which is
# the value the ClusterImagePolicy below must name exactly.
# The attestation only proves that this signing identity vouched for
# result.json; produce the BOM in a trusted pipeline, not an ad-hoc shell,
# or the admission check inherits that weaker trust.
cosign attest --predicate result.json --type cyclonedx ttl.sh/knabben/n3tshoot@sha256:869e0db58ed617fcffc1392548d3ccacad876e4589337b2b5ae18568ed8c2fbb
# ClusterImagePolicy enforced by sigstore policy-controller at admission:
# every image matched by spec.images must carry a CycloneDX attestation,
# signed by the keyless identity below, whose content satisfies the CUE rule.
apiVersion: policy.sigstore.dev/v1alpha1
kind: ClusterImagePolicy
metadata:
  # NOTE(review): the name says "key" and "spdxjson" but this policy is
  # keyless and checks a CycloneDX predicate; it looks inherited from an
  # example — rename it to match what it enforces.
  name: custom-key-attestation-sbom-spdxjson
spec:
  images:
  # "**" matches every image reference. Where enforcement is enabled, any
  # matched image lacking a valid attestation from the authority below is
  # denied, so narrow this glob to the registries you actually attest.
  - glob: "**"
  authorities:
  - keyless:
      # Fulcio identity pinned exactly: both the certificate issuer and the
      # subject must match, so attestations from any other account are
      # rejected. NOTE(review): a personal account is the root of trust
      # here; for production, bind this to the CI workload identity that
      # produces the scan instead of an individual human.
      identities:
      - issuer: https://accounts.google.com
        subject: amim.knabben@gmail.com
    attestations:
    # predicateType must equal the type cosign recorded:
    # `cosign attest --type cyclonedx` writes https://cyclonedx.org/bom.
    - name: musthave
      predicateType: "https://cyclonedx.org/bom"
      policy:
        type: cue
        data: |
          // The attestation predicate is the CycloneDX BOM itself, so the
          // findings are read from predicate.vulnerabilities.
          import "encoding/json"
          import "strings"
          import "list"
          // NOTE(review): #Predicate and the encoding/json / strings
          // imports are not referenced below; CUE normally errors on
          // unused imports — confirm with `cue vet` and drop them.
          #Predicate: {
            Data: string
            Timestamp: string
          }
          // Denylist: only these two ids are blocked. A finding with any
          // other id, whatever its severity, passes this policy.
          cveList: [ "CVE-2023-6937", "CVE-2023-6939" ]
          predicate: {
            vulnerabilities: [...]
            // Ids of the BOM findings that appear in cveList.
            result: [ for v in vulnerabilities if list.Contains(cveList, v.id) {v.id} ]
            ...
          }
          // Unifies with predicate.result above: the match list must be
          // empty, so a single listed CVE fails admission.
          // NOTE(review): confirm a BOM with no vulnerabilities key (clean
          // scan) still evaluates and is admitted.
          predicate: result: list.MaxItems(0)
# Evaluate the policy locally against the same digest that was attested
# above, presumably without deploying the admission webhook; the image and
# its attestation are still fetched from the registry, so run it where the
# registry is reachable.
./policy-tester -image ttl.sh/knabben/n3tshoot@sha256:869e0db58ed617fcffc1392548d3ccacad876e4589337b2b5ae18568ed8c2fbb -policy policy.yaml
The error that is raised lacks information about which CVE matched; this can be improved by including the matched CVE ids in the result string: