-
Notifications
You must be signed in to change notification settings - Fork 23
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Events for artifact repositories #143
Comments
More details about the Harbor case: goharbor/community#229 |
See also #144 |
Suggestion: add event for vulnerability found and artifact quarantined. It should support CVE URL, SBOM URL, VeX URL, Vulnerability level (severe, etc) |
Thank you for the idea. Are you suggesting that should model a vulnerability as a subject with its own predicates, so that such events could be produced by public registries of software vulnerabilities such as CVE? In terms of events produced by artifact registries (or build systems or test systems), I was thinking of adding an |
This commit contains no functional change to the spec. It moves artifact events to their own file (similar to what we did for testing events), in preparation for further artifact events being added. Cleaned up some wrong references, left over when moving test events, added both testing and artifact events to spec.md too. Partially-fixes: cdevents#143 Signed-off-by: Andrea Frittoli <[email protected]>
From the CDEvents Workgroup: Discussions about what scanning an artifact means and how it should be noted in
|
I realize these may be supported elsewhere in the spec. Please disregard (or annotate) duplication. Possible list of event types to support for artifacts:
|
Apologies for the delayed response @afrittoli , had some emergency health issues in the family that required my attention. Also, I may have missed some of these things in the spec already, so apologies if I re-hash covered ground.
Hadn't thought about it like that, but now that you mention it, yes -- I think that would be a great idea. A moniker for the test type performed would definitely be worthwhile as it can be used in promotion pipeline; which would, IMO, necessitate the creation of an I'd also suggest that Test (Xunit) event type identified by @xbcsmith should be expanded to include additional categories such as the following:
Obviously not all test types apply to all artifacts. There may be others that should be here as well. I could see a fan-out/fan-in pipeline structure that supported different levels of potential artifact promotion based on success or failure of various test type completion results. I'd also suggest that Compliance have the ability to indicate that a Spitballing -- What y'all think about having/creating a Thanks for listening! I hope the information is helpful. Looking forward to hearing y'alls thoughts. |
Separately, the |
I have a feeling that this issue is taking off in many different directions, with many good and interesting proposals in it. We should probably streamline this discussion into multiple dedicated issues. When it comes to To add to the web of thoughts, long time ago we discussed events declaring a |
@afrittoli corrected my understanding of |
This commit contains no functional change to the spec. It moves artifact events to their own file (similar to what we did for testing events), in preparation for further artifact events being added. Cleaned up some wrong references, left over when moving test events, added both testing and artifact events to spec.md too. Partially-fixes: cdevents#143 Signed-off-by: Andrea Frittoli <[email protected]>
Cleaned up some wrong references, left over when moving test events, added testing events to spec.md too. Partially-fixes: cdevents#143 Signed-off-by: Andrea Frittoli <[email protected]>
Cleaned up some wrong references, left over when moving test events, added testing events to spec.md too. Partially-fixes: cdevents#143 Signed-off-by: Andrea Frittoli <[email protected]>
* Add artifact downloaded and deleted events Cleaned up some wrong references, left over when moving test events, added testing events to spec.md too. Partially-fixes: #143 Signed-off-by: Andrea Frittoli <[email protected]>
Today CDEvents only supports one event, artifact.published, which is meant to be produced by artifact repositories.
Repositories usually support more kind of events, for events like
artifact.pulled
,artifact.deleted
andartifact.scanned
, see the Harbor docs for an example.We should consider extending the data model to include such events.
Design doc: https://hackmd.io/AfT-5D3JQZynKk5yDyAWeA
The text was updated successfully, but these errors were encountered: