<!-- NOTE: THIS FILE IS AUTOGENERATED. DO NOT EDIT BY HAND. -->
<!-- see templates/registry/markdown/attribute_namespace.md.j2 -->
# Artifact
## Artifact Attributes
This group describes attributes specific to artifacts. Artifacts are files or other immutable objects that are intended for distribution. This definition aligns directly with the [SLSA](https://slsa.dev/spec/v1.0/terminology#package-model) package model.
| Attribute | Type | Description | Examples | Stability |
|---|---|---|---|---|
| <a id="artifact-attestation-filename" href="#artifact-attestation-filename">`artifact.attestation.filename`</a> | string | The provenance filename of the built attestation which directly relates to the build artifact filename. This filename SHOULD accompany the artifact at publish time. See the [SLSA Relationship](https://slsa.dev/spec/v1.0/distributing-provenance#relationship-between-artifacts-and-attestations) specification for more information. | `golang-binary-amd64-v0.1.0.attestation`; `docker-image-amd64-v0.1.0.intoto.json1`; `release-1.tar.gz.attestation`; `file-name-package.tar.gz.intoto.json1` |  |
| <a id="artifact-attestation-hash" href="#artifact-attestation-hash">`artifact.attestation.hash`</a> | string | The full [hash value (see glossary)](https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-5.pdf), of the built attestation. Some envelopes in the [software attestation space](https://github.com/in-toto/attestation/tree/main/spec) also refer to this as the **digest**. | `1b31dfcd5b7f9267bf2ff47651df1cfb9147b9e4df1f335accf65b4cda498408` |  |
| <a id="artifact-attestation-id" href="#artifact-attestation-id">`artifact.attestation.id`</a> | string | The id of the build [software attestation](https://slsa.dev/attestation-model). | `123` |  |
| <a id="artifact-filename" href="#artifact-filename">`artifact.filename`</a> | string | The human readable file name of the artifact, typically generated during build and release processes. Often includes the package name and version in the file name. [1] | `golang-binary-amd64-v0.1.0`; `docker-image-amd64-v0.1.0`; `release-1.tar.gz`; `file-name-package.tar.gz` |  |
| <a id="artifact-hash" href="#artifact-hash">`artifact.hash`</a> | string | The full [hash value (see glossary)](https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-5.pdf), often found in checksum.txt on a release of the artifact and used to verify package integrity. [2] | `9ff4c52759e2c4ac70b7d517bc7fcdc1cda631ca0045271ddd1b192544f8a3e9` |  |
| <a id="artifact-purl" href="#artifact-purl">`artifact.purl`</a> | string | The [Package URL](https://github.com/package-url/purl-spec) of the [package artifact](https://slsa.dev/spec/v1.0/terminology#package-model) provides a standard way to identify and locate the packaged artifact. | `pkg:github/package-url/purl-spec@1209109710924`; `pkg:npm/foo@12.12.3` |  |
| <a id="artifact-version" href="#artifact-version">`artifact.version`</a> | string | The version of the artifact. | `v0.1.0`; `1.2.1`; `122691-build` |  |
**[1] `artifact.filename`:** This file name can also act as the [Package Name](https://slsa.dev/spec/v1.0/terminology#package-model) in cases where the package ecosystem maps accordingly. Additionally, the artifact [can be published](https://slsa.dev/spec/v1.0/terminology#software-supply-chain) for others, but that is not a guarantee.
**[2] `artifact.hash`:** The specific algorithm used to create the cryptographic hash value is not defined. In situations where an artifact has multiple cryptographic hashes, it is up to the implementer to choose which hash value to set here; this should be the most secure hash algorithm that is suitable for the situation and consistent with the corresponding attestation. The implementer can then provide the other hash values through an additional set of attribute extensions as they deem necessary.
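The following is an added example, not code from the semantic conventions project: it shows one way an instrumentation could populate the `artifact.*` attributes above while honouring note [2]. It recomputes the artifact digest, checks it against a release `checksums.txt` and against the subject digest of the accompanying attestation, and records in `artifact.hash` the strongest algorithm the attestation also uses, so the two stay consistent. The release file, its bytes, the tampered copy, the `checksums.txt` text, the in-toto style statement and the strongest-first preference order are all constructed here for illustration.

```python
import hashlib
import json

# Strongest-first preference for the value placed in artifact.hash. This
# ordering is an assumption of the example; the registry leaves it open.
PREFERRED_ALGORITHMS = ("sha512", "sha384", "sha256")
# Hex digest length -> algorithm, used to interpret sha256sum-style checksum files.
ALGORITHM_BY_HEX_LENGTH = {64: "sha256", 96: "sha384", 128: "sha512"}

# Constructed sample release (not real data).
ARTIFACT_NAME = "release-1.tar.gz"
ARTIFACT_VERSION = "v1.0.0"
ARTIFACT_PURL = "pkg:generic/example-release@v1.0.0"
ATTESTATION_NAME = "release-1.tar.gz.attestation"
ARTIFACT_BYTES = b"constructed sample tarball content, not a real archive\n"
TAMPERED_BYTES = ARTIFACT_BYTES + b"one extra line\n"


def digest_artifact(data, algorithm="sha256"):
    """Hex digest of the artifact bytes; this is the value recorded in artifact.hash."""
    h = hashlib.new(algorithm)
    h.update(data)
    return h.hexdigest()


def parse_checksums(text):
    """Parse '<hex>  <filename>' lines into {filename: {algorithm: hex}}."""
    published = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue  # blank or malformed line
        hexdigest, name = parts
        algorithm = ALGORITHM_BY_HEX_LENGTH.get(len(hexdigest))
        if algorithm is None:
            continue  # unknown digest size, cannot be verified
        published.setdefault(name.lstrip("*"), {})[algorithm] = hexdigest.lower()
    return published


def subject_digests(statement, name):
    """Digest map for the named subject of an in-toto Statement (empty if absent)."""
    for subject in statement.get("subject", []):
        if subject.get("name") == name:
            return {alg.lower(): val.lower() for alg, val in subject.get("digest", {}).items()}
    return {}


def verify_digests(data, expected, source):
    """Recompute every expected digest over the bytes and raise on any mismatch."""
    for algorithm, hexdigest in expected.items():
        if digest_artifact(data, algorithm) != hexdigest:
            raise ValueError(f"{algorithm} digest from {source} does not match artifact bytes")


def choose_algorithm(attested):
    """Strongest preferred algorithm that the attestation also uses, else sha256."""
    for algorithm in PREFERRED_ALGORITHMS:
        if algorithm in attested:
            return algorithm
    return "sha256"


def build_artifact_attributes(name, data, version, purl, checksums_text, statement_json, attestation_name):
    """Verify the artifact against checksums.txt and the attestation, then emit artifact.* attributes."""
    statement = json.loads(statement_json)
    attested = subject_digests(statement, name)
    published = parse_checksums(checksums_text).get(name, {})
    verify_digests(data, published, "checksums.txt")
    verify_digests(data, attested, "attestation")
    algorithm = choose_algorithm(attested)  # keeps artifact.hash consistent with the attestation
    return {
        "artifact.filename": name,
        "artifact.version": version,
        "artifact.purl": purl,
        "artifact.hash": digest_artifact(data, algorithm),
        "artifact.attestation.filename": attestation_name,
    }


def sample_release():
    """Constructed checksums.txt and in-toto style statement describing ARTIFACT_BYTES."""
    checksums_text = f"{digest_artifact(ARTIFACT_BYTES, 'sha256')}  {ARTIFACT_NAME}\n"
    statement = {
        "_type": "https://in-toto.io/Statement/v1",
        "subject": [{"name": ARTIFACT_NAME, "digest": {
            "sha256": digest_artifact(ARTIFACT_BYTES, "sha256"),
            "sha512": digest_artifact(ARTIFACT_BYTES, "sha512"),
        }}],
    }
    return checksums_text, json.dumps(statement)


def demo():
    """Attributes for the genuine bytes, plus whether the tampered copy was rejected."""
    checksums_text, statement_json = sample_release()
    args = (ARTIFACT_VERSION, ARTIFACT_PURL, checksums_text, statement_json, ATTESTATION_NAME)
    attrs = build_artifact_attributes(ARTIFACT_NAME, ARTIFACT_BYTES, *args)
    try:
        build_artifact_attributes(ARTIFACT_NAME, TAMPERED_BYTES, *args)
        tampered_rejected = False
    except ValueError:
        tampered_rejected = True
    return attrs, tampered_rejected


if __name__ == "__main__":
    attributes, rejected = demo()
    print(json.dumps(attributes, indent=2))
    print("tampered artifact rejected:", rejected)
```

Because the constructed attestation carries both a sha256 and a sha512 digest, `artifact.hash` ends up holding the sha512 value while `checksums.txt` is still verified with sha256; any digest that fails to recompute over the bytes aborts attribute emission rather than recording an unverified hash.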