[feature] Remove SLSA binding to in-toto-golang

[pxp928]

Is your feature request related to a problem? Please describe.
in-toto-golang is being deprecated. We should move the SLSA parser to use in-toto attestations instead for the SLSA provenance.

remove the bindings: "github.com/in-toto/in-toto-golang/in_toto/slsa_provenance/v0.1" and "github.com/in-toto/in-toto-golang/in_toto/slsa_provenance/v0.2"

GUAC version
main

[kpauljoseph]

Shall I take this up?

[pxp928]

Thanks @kpauljoseph, I will assign you the issue!

[kpauljoseph]

@pxp928
How do we handle the provenance v0.1 and v0.2 requirement in slsa parser?
Noe, the in-toto/attestation has a v0 model which is based on https://slsa.dev/spec/v0.2/provenance

There's a considerable difference between both these versions as well.

[pxp928]

@kpauljoseph Not sure if I understand your question but the SLSA Parser: https://github.com/guacsec/guac/blob/main/pkg/ingestor/parser/slsa/parser_slsa.go uses in-toto-golang for v0.1 and v0.2 SLSA provenance.

	slsa01 "github.com/in-toto/in-toto-golang/in_toto/slsa_provenance/v0.1"
	slsa02 "github.com/in-toto/in-toto-golang/in_toto/slsa_provenance/v0.2"

[kpauljoseph]

@pxp928 yes, based on the conversation here: the v0.2 model was ported over as v0 in in-toto/attestation. Should we separate that to v0.1 and v0.2 like we'd done in the beginning?

[pxp928]

Yes, as want backwards compatibility where possible.