From 3e86381898c8c3934521fd8334d004b3a88ea7d5 Mon Sep 17 00:00:00 2001
From: "Adolfo Garcia Veytia (puerco)"
Date: Thu, 16 Jan 2025 00:10:42 -0600
Subject: [PATCH] Statement, predicate and AsStatement method to result

Signed-off-by: Adolfo Garcia Veytia (puerco)
---
 pkg/scorecard/statement.go | 79 ++++++++++++++++++++++++++++++++++++++
 1 file changed, 79 insertions(+)
 create mode 100644 pkg/scorecard/statement.go

diff --git a/pkg/scorecard/statement.go b/pkg/scorecard/statement.go
new file mode 100644
index 00000000000..d345cada698
--- /dev/null
+++ b/pkg/scorecard/statement.go
@@ -0,0 +1,79 @@
+// Copyright 2025 OpenSSF Scorecard Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package scorecard
+
+import (
+ "encoding/json"
+ "fmt"
+ "io"
+
+ intoto "github.com/in-toto/attestation/go/v1"
+
+ docs "github.com/ossf/scorecard/v5/docs/checks"
+ sce "github.com/ossf/scorecard/v5/errors"
+)
+
+const (
+ PredicateType = "https://scorecard.dev/result/v0.1"
+)
+
+type Statement struct {
+ intoto.Statement
+ Predicate Predicate `json:"predicate"`
+}
+
+// Predicate overrides JSONScorecardResultV2 with a nullable Repo field.
+type Predicate struct {
+ Repo *jsonRepoV2 `json:"repo,omitempty"`
+ JSONScorecardResultV2
+}
+
+// AsStatement converts the results as an in-toto statement.
+func (r *Result) AsStatement(writer io.Writer, checkDocs docs.Doc, opt *AsJSON2ResultOption) error {
+ // Build the attestation subject from the result Repo.
+ subject := intoto.ResourceDescriptor{
+ Name: r.Repo.Name,
+ Uri: fmt.Sprintf("git+https://%s@%s", r.Repo.Name, r.Repo.CommitSHA),
+ Digest: map[string]string{
+ "gitCommit": r.Repo.CommitSHA,
+ },
+ }
+
+ json2, err := r.resultsToJSON2(checkDocs, opt)
+ if err != nil {
+ return sce.WithMessage(sce.ErrScorecardInternal, err.Error())
+ }
+
+ out := Statement{
+ Statement: intoto.Statement{
+ Type: intoto.StatementTypeUri,
+ Subject: []*intoto.ResourceDescriptor{
+ &subject,
+ },
+ PredicateType: PredicateType,
+ },
+ Predicate: Predicate{
+ JSONScorecardResultV2: json2,
+ Repo: nil,
+ },
+ }
+
+ encoder := json.NewEncoder(writer)
+ if err := encoder.Encode(&out); err != nil {
+ return sce.WithMessage(sce.ErrScorecardInternal, fmt.Sprintf("encoder.Encode: %v", err))
+ }
+
+ return nil
+}
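Review bot: The subject built at the top of AsStatement uses r.Repo.CommitSHA as its only digest without checking that it is set, so if a Result can carry an empty CommitSHA (not visible from this hunk) the statement would be emitted with an empty `gitCommit` digest that binds the attestation to no artifact. Rejecting that case before encoding keeps a verifier from accepting a subject-less statement: `if r.Repo.CommitSHA == "" {` / `return sce.WithMessage(sce.ErrScorecardInternal, "result has no commit SHA to attest")` / `}`. The exported `PredicateType` constant and `Statement` type also lack doc comments, e.g. `// PredicateType is the in-toto predicate type of a Scorecard result statement.` and `// Statement is an in-toto statement whose predicate is a Scorecard result.`; the AsStatement comment reads better as "converts the result into an in-toto statement".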