Add support for OpenVEX predicate type (sigstore#3405)

* Add support for OpenVEX predicate type

OpenVEX is an implementation of the Vulnerability Exploitability
Exchange (VEX) designed to be attestable, SBOM-agnostic and lightweight.
It is hosted in the OpenSSF Vulnerability Disclosures WG and has
support in popular scanners such as Trivy adn Grype.

This PR adds support for openvex predicates to the `cosign attest` and
`cosign download attestation` commands.

Signed-off-by: Adolfo García Veytia (Puerco) <[email protected]>

* Update docs of attest subcommands with openvex values

Signed-off-by: Adolfo García Veytia (Puerco) <[email protected]>

---------

Signed-off-by: Adolfo García Veytia (Puerco) <[email protected]>

cmd/cosign/cli/options/predicate.go

@@ -38,6 +38,7 @@ const (
 	PredicateCycloneDX = "cyclonedx"
 	PredicateLink      = "link"
 	PredicateVuln      = "vuln"
+	PredicateOpenVEX   = "openvex"
 )
 
 // PredicateTypeMap is the mapping between the predicate `type` option to predicate URI.
@@ -51,6 +52,7 @@ var PredicateTypeMap = map[string]string{
 	PredicateCycloneDX: in_toto.PredicateCycloneDX,
 	PredicateLink:      in_toto.PredicateLinkV1,
 	PredicateVuln:      attestation.CosignVulnProvenanceV01,
+	PredicateOpenVEX:   attestation.OpenVexNamespace,
 }
 
 // PredicateOptions is the wrapper for predicate related options.
@@ -63,7 +65,7 @@ var _ Interface = (*PredicateOptions)(nil)
 // AddFlags implements Interface
 func (o *PredicateOptions) AddFlags(cmd *cobra.Command) {
 	cmd.Flags().StringVar(&o.Type, "type", "custom",
-		"specify a predicate type (slsaprovenance|slsaprovenance02|slsaprovenance1|link|spdx|spdxjson|cyclonedx|vuln|custom) or an URI")
+		"specify a predicate type (slsaprovenance|slsaprovenance02|slsaprovenance1|link|spdx|spdxjson|cyclonedx|vuln|openvex|custom) or an URI")
 }
 
 // ParsePredicateType parses the predicate `type` flag passed into a predicate URI, or validates `type` is a valid URI.

pkg/cosign/attestation/attestation.go

@@ -35,6 +35,12 @@ const (
 
 	// CosignVulnProvenanceV01 specifies the type of VulnerabilityScan Predicate
 	CosignVulnProvenanceV01 = "https://cosign.sigstore.dev/attestation/vuln/v1"
+
+	// OpenVexNamespace holds the URI of the OpenVEX context to identify its
+	// predicate type. More info about the specification can be found at
+	// https://github.com/openvex/spec and the attestation spec is found here:
+	// https://github.com/openvex/spec/blob/main/ATTESTING.md
+	OpenVexNamespace = "https://openvex.dev/ns"
 )
 
 // CosignPredicate specifies the format of the Custom Predicate.
@@ -124,6 +130,8 @@ func GenerateStatement(opts GenerateOpts) (interface{}, error) {
 		return generateLinkStatement(predicate, opts.Digest, opts.Repo)
 	case "vuln":
 		return generateVulnStatement(predicate, opts.Digest, opts.Repo)
+	case "openvex":
+		return generateOpenVexStatement(predicate, opts.Digest, opts.Repo)
 	default:
 		stamp := timestamp(opts)
 		predicateType := customType(opts)
@@ -251,6 +259,17 @@ func generateLinkStatement(rawPayload []byte, digest string, repo string) (inter
 	}, nil
 }
 
+func generateOpenVexStatement(rawPayload []byte, digest string, repo string) (interface{}, error) {
+	var data interface{}
+	if err := json.Unmarshal(rawPayload, &data); err != nil {
+		return nil, err
+	}
+	return in_toto.Statement{
+		StatementHeader: generateStatementHeader(digest, repo, OpenVexNamespace),
+		Predicate:       data,
+	}, nil
+}
+
 func generateSPDXStatement(rawPayload []byte, digest string, repo string, parseJSON bool) (interface{}, error) {
 	var data interface{}
 	if parseJSON {