@better-internet/oss-verify 0.1.0-draft
- package/LICENSE +21 -0
- package/README.md +133 -0
- package/dist/cli.mjs +2 -0
- package/dist/spec/SPEC.md +329 -0
- package/dist/spec/ci-providers.json +95 -0
- package/dist/spec/contexts/v1/oss-verified.jsonld +37 -0
- package/dist/spec/models.json +82 -0
- package/dist/spec/schemas/predicate.schema.json +138 -0
- package/dist/src/checks/blobs.js +112 -0
- package/dist/src/checks/llm-audit.js +207 -0
- package/dist/src/checks/osi-license.js +115 -0
- package/dist/src/checks/reuse.js +78 -0
- package/dist/src/checks/sbom/cargo.js +124 -0
- package/dist/src/checks/sbom/go.js +137 -0
- package/dist/src/checks/sbom/javascript.js +125 -0
- package/dist/src/checks/sbom/python.js +240 -0
- package/dist/src/checks/sbom/types.js +10 -0
- package/dist/src/checks/sbom.js +173 -0
- package/dist/src/cli.mjs +225 -0
- package/dist/src/git.js +27 -0
- package/dist/src/hash.js +2 -0
- package/dist/src/predicate.js +35 -0
- package/dist/src/types.js +2 -0
- package/package.json +56 -0
- package/spec/SPEC.md +329 -0
- package/spec/ci-providers.json +95 -0
- package/spec/contexts/v1/oss-verified.jsonld +37 -0
- package/spec/models.json +82 -0
- package/spec/schemas/predicate.schema.json +138 -0
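--- /dev/null
+++ b/package/spec/schemas/predicate.schema.json
@@ -0,0 +1,138 @@
+{
+"$schema": "https://json-schema.org/draft/2020-12/schema",
+"$id": "https://oss-verified.better-internet.org/schemas/predicate.v1.schema.json",
+"title": "OssVerifiedPredicate",
+"description": "in-toto predicate emitted by the oss-verify CLI and signed via Sigstore. See SPEC.md §5. The predicate type URI is https://oss-verified.better-internet.org/predicate/v1.",
+"type": "object",
+"additionalProperties": false,
+"required": [
+"commit_sha",
+"repo_url",
+"criteria",
+"evidence",
+"model_id",
+"prompt_hash",
+"cli_version",
+"cli_sha",
+"attested_at"
+],
+"properties": {
+"commit_sha": {
+"type": "string",
+"pattern": "^[0-9a-f]{40}$",
+"description": "Git commit SHA being attested. Lowercase hex, length 40 (SHA-1) or 64 (SHA-256). Schema currently constrains to 40; extend when the toolchain migrates."
+},
+"repo_url": {
+"type": "string",
+"format": "uri",
+"description": "Canonical clone URL of the repository, normalised (no trailing .git, https scheme). MUST match the OIDC subject claim of the signing CI."
+},
+"default_branch": {
+"type": "string",
+"description": "Name of the default branch at attestation time (e.g. 'main')."
+},
+"criteria": {
+"type": "object",
+"additionalProperties": false,
+"required": ["reuse", "osi_license", "dependency_licenses", "no_proprietary_blobs"],
+"properties": {
+"reuse": { "$ref": "#/$defs/criterionResult" },
+"osi_license": { "$ref": "#/$defs/criterionResult" },
+"dependency_licenses": { "$ref": "#/$defs/criterionResult" },
+"no_proprietary_blobs": { "$ref": "#/$defs/criterionResult" }
+}
+},
+"evidence": {
+"type": "object",
+"additionalProperties": false,
+"required": ["osi_response_hash", "sbom_hash", "sbom_format"],
+"properties": {
+"osi_response_hash": {
+"type": "string",
+"pattern": "^[0-9a-f]{64}$",
+"description": "sha256 of the JSON response from the OSI license API queried at attestation time."
+},
+"sbom_hash": {
+"type": "string",
+"pattern": "^[0-9a-f]{64}$",
+"description": "sha256 of the SBOM document (canonicalised)."
+},
+"sbom_format": {
+"type": "string",
+"enum": ["spdx-2.3", "cyclonedx-1.5", "cyclonedx-1.6"],
+"description": "SBOM format identifier."
+},
+"sbom_uri": {
+"type": ["string", "null"],
+"format": "uri",
+"description": "Optional URI where the SBOM is published. Verifiers may fetch and re-hash to confirm sbom_hash."
+},
+"exemptions": {
+"type": "array",
+"description": "Maintainer-declared exemptions from .oss-verified.toml, recorded verbatim. Surfaced on the verify page; reviewers and end users may challenge them.",
+"items": {
+"type": "object",
+"additionalProperties": false,
+"required": ["path", "justification"],
+"properties": {
+"path": { "type": "string" },
+"justification": { "type": "string", "minLength": 1 }
+}
+}
+},
+"llm_verdict": {
+"type": "object",
+"additionalProperties": false,
+"required": ["verdict"],
+"properties": {
+"verdict": { "type": "string", "enum": ["pass", "block"] },
+"rationale": { "type": "string" },
+"passes": {
+"type": "integer",
+"minimum": 1,
+"description": "Number of independent LLM calls. Phase 1 may be 1; Phase 2 mandates 3 with strict-majority voting."
+}
+}
+}
+}
+},
+"model_id": {
+"type": "string",
+"description": "Stable model identifier from packages/spec/models.json. Verifiers MUST cross-reference against the allowlist version that was current at attested_at."
+},
+"prompt_hash": {
+"type": "string",
+"pattern": "^[0-9a-f]{64}$",
+"description": "sha256 of the canonicalised LLM audit prompt template + the data-envelope wrapper, excluding the repo content itself."
+},
+"cli_version": {
+"type": "string",
+"pattern": "^\\d+\\.\\d+\\.\\d+(?:-[0-9A-Za-z.-]+)?(?:\\+[0-9A-Za-z.-]+)?$",
+"description": "Semantic version of the oss-verify CLI binary that produced this predicate."
+},
+"cli_sha": {
+"type": "string",
+"pattern": "^[0-9a-f]{64}$",
+"description": "sha256 of the CLI binary. Verifiers cross-check against published release artefacts."
+},
+"attested_at": {
+"type": "string",
+"format": "date-time",
+"description": "RFC 3339 timestamp at which the CLI emitted the predicate. Informational only; the binding time is the Rekor inclusion timestamp."
+}
+},
+"$defs": {
+"criterionResult": {
+"type": "object",
+"additionalProperties": false,
+"required": ["pass"],
+"properties": {
+"pass": { "type": "boolean" },
+"details": {
+"type": "string",
+"description": "Optional human-readable detail. Verifiers MUST treat the boolean as binding; details are surface-area only."
+}
+}
+}
+}
+}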
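Review bot: `repo_url` (schema line 25–29) states a normalisation contract — https scheme, no trailing `.git`, must match the signing CI's OIDC subject — that the schema itself does not enforce: under draft 2020-12 `format: "uri"` is an annotation unless the validator opts into format assertion, so a verifier that relies on schema validation alone accepts any string here. Pinning at least the scheme with an explicit constraint, `"pattern": "^https://\\S+$"`, keeps that rejection inside the schema, and the description should say that the trailing-`.git` rule and the OIDC-subject match are checked by the verifier, not the schema. Separately, `evidence.llm_verdict` and its `passes` field are optional while `model_id` and `prompt_hash` are required at top level, so a predicate can name a model without recording any verdict or the number of calls the strict-majority vote described on `passes` relied on; either add `"llm_verdict"` to `evidence.required` or document that its absence means the LLM audit was not run. The section's file header is not visible in this view; the path is inferred from the diffstat, which lists two +138 copies of `predicate.schema.json`.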