{
"attestation": {
"dsse_envelope": {
"payloadType": "application/vnd.in-toto+json",
"payload": "eyJfdHlwZSI6Imh0dHBzOi8vaW4tdG90by5pby9TdGF0ZW1lbnQvdjEiLCJzdWJqZWN0IjpbeyJuYW1lIjoibXlhcHA6djEuMi4zIiwiZGlnZXN0Ijp7InNoYTI1NiI6ImFiYzEyMyJ9fV19",
"signatures": [
{
"keyid": "stella-release-key-001",
"sig": "MEUCIQDcJT8...signature..."
}
]
},
"rekor_entry": {
"log_index": 12345678,
"log_id": "wNI9atQGlz+VWfO6LRygH4QUfY/8W4RFwiT5i5WRgB0=",
"integrated_time": 1705689600,
"inclusion_proof": {
"root_hash": "abc123def456...",
"tree_size": 98765432,
"hashes": ["hash1", "hash2", "hash3"]
}
},
"trusted_keys": ["stella-release-key-001", "stella-release-key-002"]
},
"cve_findings": [
{
"cve_id": "CVE-2024-1234",
"cvss_score": 9.1,
"severity": "critical",
"epss_score": 0.72,
"epss_percentile": 95,
"is_kev": false,
"is_reachable": true,
"reachability_state": "confirmed_reachable",
"is_suppressed": false,
"package_name": "vulnerable-lib",
"package_version": "1.2.3",
"fix_available": true,
"fixed_version": "1.2.4"
},
{
"cve_id": "CVE-2024-5678",
"cvss_score": 7.5,
"severity": "high",
"epss_score": 0.42,
"epss_percentile": 78,
"is_kev": false,
"is_reachable": false,
"reachability_state": "not_reachable",
"is_suppressed": false,
"package_name": "another-lib",
"package_version": "2.0.0",
"fix_available": false
},
{
"cve_id": "CVE-2024-9012",
"cvss_score": 5.3,
"severity": "medium",
"epss_score": 0.15,
"epss_percentile": 45,
"is_kev": false,
"is_reachable": true,
"reachability_state": "statically_reachable",
"is_suppressed": false,
"package_name": "common-util",
"package_version": "3.1.0"
},
{
"cve_id": "CVE-2023-44487",
"cvss_score": 7.5,
"severity": "high",
"epss_score": 0.89,
"epss_percentile": 99,
"is_kev": true,
"kev_due_date": "2024-02-15",
"is_reachable": true,
"reachability_state": "runtime_observed",
"is_suppressed": true,
"package_name": "http2-lib",
"package_version": "1.0.0"
}
],
"baseline_cve_findings": [
{
"cve_id": "CVE-2024-5678",
"cvss_score": 7.5
},
{
"cve_id": "CVE-2024-0001",
"cvss_score": 6.0
}
],
"environment": "production",
"release": {
"id": "rel-2024-01-19-001",
"version": "1.2.3",
"image_digest": "sha256:abc123...",
"baseline_digest": "sha256:def456..."
},
"config": {
"epss_threshold": 0.6,
"severity_threshold": 7.0,
"max_critical": 0,
"max_high": 3,
"max_medium": 20,
"require_rekor": true,
"count_suppressed": false,
"only_reachable": false,
"environments": {
"production": {
"epss_threshold": 0.3,
"severity_threshold": 7.0,
"max_critical": 0,
"max_high": 0,
"only_reachable": true
},
"staging": {
"epss_threshold": 0.7,
"max_critical": 1,
"max_high": 5
},
"development": {
"epss_threshold": 0.9,
"max_critical": null,
"max_high": null
}
}
},
"current_time": "2024-01-19T12:00:00Z"
}