vuln-cve-2022-xxxx-openssl.cue

import (
	"encoding/json"
)

#Predicate: {
    Data: string
    Timestamp: string
}

#ExternalRefs: {
    referenceLocator: string
	referenceLocator: !~ "(.*)(libcrypto3|libssl3)[@|:]3.0.[0-6]{1}(.*)"
	...
}

predicate: #Predicate & {
    Data: string
    Data: #ExternalRefs.referenceLocator
}

vuln-cve-2022-xxxx-openssl.yaml

apiVersion: policy.sigstore.dev/v1beta1
kind: ClusterImagePolicy
metadata:
  name: vuln-cve-2022-xxxx-openssl
spec:
  images:
  - glob: "gcr.io/image-scans/*"
  authorities:
  - name: keyless
    keyless:
      url: "https://fulcio.sigstore.dev"
      identities:
        - issuer: "https://accounts.google.com"
          subjectRegExp: "[email protected]$"
    attestations:
    - name: must-have-spdx
      predicateType: spdx
      policy:
        type: cue
        data: |
          #Predicate: {
              Data: string
              Timestamp: string
          }

          #ExternalRefs: {
              referenceLocator: string
              referenceLocator: !~ "(.*)(libcrypto3|libssl3)[@|:]3.0.[0-6]{1}(.*)"
              ...
          }

          predicate: #Predicate & {
              Data: string
              Data: #ExternalRefs.referenceLocator
          }