feat(sbom): scan sbom attestation in the rekor record (#2699)

Co-authored-by: knqyf263 <knqyf263@gmail.com>
2025-12-12 07:40:48 -08:00 · 2022-09-16 02:16:39 +09:00
parent 597836c3a2
commit 192fd78ca2
20 changed files with 956 additions and 96 deletions
--- a/pkg/fanal/artifact/sbom/sbom.go
+++ b/pkg/fanal/artifact/sbom/sbom.go
@@ -112,9 +112,10 @@ func (a Artifact) Decode(f io.Reader, format sbom.Format) (sbom.SBOM, error) {
 		v = &cyclonedx.CycloneDX{SBOM: &bom}
 		decoder = json.NewDecoder(f)
 	case sbom.FormatAttestCycloneDXJSON:
-		// in-toto attestation
-		//   => cosign predicate
-		//     => CycloneDX JSON
+		// dsse envelope
+		//   => in-toto attestation
+		//     => cosign predicate
+		//       => CycloneDX JSON
 		v = &attestation.Statement{
 			Predicate: &attestation.CosignPredicate{
 				Data: &cyclonedx.CycloneDX{SBOM: &bom},