[feature] Add cli support for ingesting hasMetadata #1710

Closed
JonZeolla opened this issue Feb 16, 2024 · 8 comments · Fixed by #1906
Labels
enhancement New feature or request good first issue Good for newcomers help wanted Extra attention is needed

Comments

@JonZeolla (Contributor)

Is your feature request related to a problem? Please describe.
I would like to be able to use the guacone cli to add HasMetadata attestations to the graph

Describe the solution you'd like
Something like guacone annotate-metadata <subject> <key> <value>

@JonZeolla JonZeolla added the enhancement New feature or request label Feb 16, 2024
@pxp928 pxp928 added good first issue Good for newcomers help wanted Extra attention is needed labels Mar 1, 2024
@pxp928 (Collaborator) commented Apr 29, 2024

@rakshitgondwal Another option that might interest you. I can add more details if you are interested.

@rakshitgondwal (Contributor)

Hey @pxp928, Yes! I'd be happy to work on this.

@pxp928 (Collaborator) commented Apr 30, 2024

@rakshitgondwal Awesome. Here are more details.

> I would like to be able to use the guacone cli to add HasMetadata attestations to the graph

This will be very similar to the implementation we did for certifyBad/CertifyGood: https://github.com/guacsec/guac/blob/main/cmd/guacone/cmd/certify.go

The input will be the same: package, source and artifact.

For the ingestion of the hasMetadata, you will use assembler.HasMetadataIngest{} and add in the key, value and other fields that need to be specified.

After that you can call:

```go
// preds is the *assembler.IngestPredicates populated with the HasMetadata entry
assemblerInputs := []assembler.IngestPredicates{*preds}

err = assemblerFunc(assemblerInputs)
if err != nil {
	logger.Fatalf("unable to assemble graphs: %v", err)
}
```

similar to https://github.com/guacsec/guac/blob/main/cmd/guacone/cmd/certify.go

You can add this as a new cmd under guacone.

In the long run, we would want this to be some type of in-toto attestation so that we have a record of the metadata being captured and who it came from but for now, this is a good start.

Let us know if you have any questions.

@rakshitgondwal (Contributor)

Thank you for the clarification @pxp928, I'll start working on this.

@rakshitgondwal (Contributor)

@pxp928 some questions:

  • Can you please provide a little more context around hasMetadata annotations?

  • Also, I'm assuming that a validate function for the args will also be required for this command, like we have validateCertifyFlags for certify? I'm just a little confused by the different flags that we are passing to certify; I'm trying to make sense of them and of what other flags will be required for annotate-metadata.

@pxp928 (Collaborator) commented May 6, 2024

> Can you please provide a little more context around hasMetadata annotations?

hasMetadata is a versatile attestation that can be made on any package, source, or artifact. The goal is to add any number of metadata that you would like associated with that particular subject. This can be any key/value that is not already being captured in GUAC in another data node. It can vary by user/use case.

> Also, I'm assuming that a validate function for the args will also be required for this command, like we have validateCertifyFlags for certify? I'm just a little confused by the different flags that we are passing to certify; I'm trying to make sense of them and of what other flags will be required for annotate-metadata.

This is used to validate that the user passed in the required fields. So for hasMetadata it would be key, value, the subject, and justification (which can be generic). The timestamp you can set as time.Now when the cmd was run.


```graphql
"""
HasMetadata is an attestation that a package, source, or artifact has a certain
attested property (key) with value (value). For example, a source may have
metadata "SourceRepo2FAEnabled=true".

The intent of this evidence tree predicate is to allow extensibility of metadata
expressible within the GUAC ontology. Metadata that is commonly used will then
be promoted to a predicate on its own.

Justification indicates how the metadata was determined.

The metadata applies to a subject which is a package, source, or artifact.
If the attestation targets a package, it must target a PackageName or a
PackageVersion. If the attestation targets a source, it must target a
SourceName.
"""
type HasMetadata {
  "The package, source or artifact that is attested"
  subject: PackageSourceOrArtifact!
  "Key in the key value pair"
  key: String!
  "Value in the key value pair"
  value: String!
  "Timestamp when the certification was created (in RFC 3339 format)"
  timestamp: Time!
  "The justification for the metadata"
  justification: String!
}
```

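The two pxp928 comments above describe the shape of the command: validate the required fields (subject type, subject, key, value, justification), stamp the time the command ran, wrap the result in a predicates slice and hand it to the assembler. The following is an added, self-contained illustration of that flow; it is not code from this thread or from the guac repository. `HasMetadataIngest` and `IngestPredicates` here are stand-ins named after the assembler types the thread mentions, not GUAC's definitions, and `validateHasMetadataFlags`, `buildPredicates` and `ingest` are hypothetical names; the inputs in `main` are constructed.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// SubjectKind is the three subject types the thread lists for the command.
type SubjectKind string

const (
	SubjectPackage  SubjectKind = "package"
	SubjectSource   SubjectKind = "source"
	SubjectArtifact SubjectKind = "artifact"
)

// HasMetadataIngest is a hypothetical stand-in for assembler.HasMetadataIngest
// (not GUAC's struct): one key/value annotation on one subject.
type HasMetadataIngest struct {
	Kind          SubjectKind
	Subject       string // purl for packages, repo URI for sources, "algorithm:digest" for artifacts
	Key           string
	Value         string
	Justification string
	Timestamp     time.Time
}

// IngestPredicates is a hypothetical stand-in for assembler.IngestPredicates.
type IngestPredicates struct {
	HasMetadata []HasMetadataIngest
}

// isHex reports whether s is a non-empty lowercase hex string.
func isHex(s string) bool {
	if s == "" {
		return false
	}
	for _, r := range s {
		if !strings.ContainsRune("0123456789abcdef", r) {
			return false
		}
	}
	return true
}

// validateHasMetadataFlags is the annotate-metadata analogue of the
// validateCertifyFlags check mentioned in the thread: every required field must
// be present, the subject must look like the kind claimed, and the timestamp is
// the time the command ran. All problems are collected and reported together.
func validateHasMetadataFlags(kind, subject, key, value, justification string, now time.Time) (*HasMetadataIngest, error) {
	var problems []string
	k := SubjectKind(strings.ToLower(strings.TrimSpace(kind)))
	subject = strings.TrimSpace(subject)
	switch k {
	case SubjectPackage:
		if !strings.HasPrefix(subject, "pkg:") {
			problems = append(problems, "package subject must be a purl (pkg:...)")
		}
	case SubjectSource:
		if subject == "" {
			problems = append(problems, "source subject must not be empty")
		}
	case SubjectArtifact:
		algo, digest, ok := strings.Cut(strings.ToLower(subject), ":")
		if !ok || algo == "" || !isHex(digest) {
			problems = append(problems, "artifact subject must be <algorithm>:<hex digest>")
		} else {
			subject = algo + ":" + digest // normalised form
		}
	default:
		problems = append(problems, fmt.Sprintf("unknown subject type %q (want package, source or artifact)", kind))
	}
	for _, f := range [][2]string{{"key", key}, {"value", value}, {"justification", justification}} {
		if strings.TrimSpace(f[1]) == "" {
			problems = append(problems, f[0]+" must not be empty")
		}
	}
	if len(problems) > 0 {
		return nil, fmt.Errorf("invalid annotate-metadata arguments: %s", strings.Join(problems, "; "))
	}
	return &HasMetadataIngest{
		Kind: k, Subject: subject,
		Key: strings.TrimSpace(key), Value: strings.TrimSpace(value),
		Justification: strings.TrimSpace(justification),
		Timestamp:     now.UTC(),
	}, nil
}

// buildPredicates wraps one validated annotation in the slice shape that the
// thread's snippet passes to assemblerFunc.
func buildPredicates(ing *HasMetadataIngest) []IngestPredicates {
	return []IngestPredicates{{HasMetadata: []HasMetadataIngest{*ing}}}
}

// ingest stands in for assemblerFunc; the real one writes to the graph.
func ingest(preds []IngestPredicates) error {
	for _, p := range preds {
		for _, hm := range p.HasMetadata {
			fmt.Printf("%s %s: %s=%s (%s) @ %s\n", hm.Kind, hm.Subject, hm.Key, hm.Value,
				hm.Justification, hm.Timestamp.Format(time.RFC3339))
		}
	}
	return nil
}

func main() {
	// Constructed inputs, as if typed after "guacone annotate-metadata".
	ing, err := validateHasMetadataFlags("source", "https://github.com/guacsec/guac",
		"SourceRepo2FAEnabled", "true", "checked repository settings", time.Now())
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	if err := ingest(buildPredicates(ing)); err != nil {
		fmt.Println("error:", err)
	}
	_, err = validateHasMetadataFlags("artifact", "sha256:notahash", "", "x", "", time.Now())
	fmt.Println("error:", err)
}
```

Collecting every problem before returning matters for a CLI: a user who gets one error at a time has to rerun the command per field. The artifact branch lowercases and re-joins the digest so that `SHA256:ABCD...` and `sha256:abcd...` land on the same node rather than two.
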
@Yaxhveer (Contributor)

Hey @rakshitgondwal, just wanted to know if you are working on this. If not, I'd love to give it a shot.

@rakshitgondwal (Contributor)

Hey @Yaxhveer, yeah I'm still on it

@kodiakhq kodiakhq bot closed this as completed in #1906 May 20, 2024
4 participants