fix: validate plugin version for ratify cli

pkg/verifier/factory/factory.go

@@ -97,7 +97,11 @@ func CreateVerifierFromConfig(verifierConfig config.VerifierConfig, configVersio
 		return nil, re.ErrorCodePluginNotFound.NewError(re.Verifier, "", re.EmptyLink, err, "plugin not found", re.HideStackTrace)
 	}
 
-	return plugin.NewVerifier(configVersion, verifierConfig, pluginBinDir)
+	pluginVersion := configVersion
+	if value, ok := verifierConfig[types.Version]; ok {
+		pluginVersion = value.(string)
+	}
+	return plugin.NewVerifier(pluginVersion, verifierConfig, pluginBinDir)
 }
 
 // TODO pointer to avoid copy

pkg/verifier/factory/factory_test.go

@@ -111,8 +111,9 @@ func TestCreateVerifiersFromConfig_PluginVerifiers_ReturnsExpected(t *testing.T)
 	defer os.RemoveAll(dirPath)
 
 	verifierConfig := map[string]interface{}{
-		"name": "plugin-verifier-0",
-		"type": "sample",
+		"name":    "plugin-verifier-0",
+		"type":    "sample",
+		"version": "1.0.0",
 	}
 	verifiersConfig := config.VerifiersConfig{
 		Verifiers: []config.VerifierConfig{verifierConfig},

test/bats/cli-test.bats

@@ -75,6 +75,10 @@ load helpers
 }
 
 @test "sbom verifier test" {
+    # run with mismatch plugin version config should fail
+    run bin/ratify verify -c $RATIFY_DIR/sbom_version_mismatch.json -s $TEST_REGISTRY/sbom:v0
+    assert_cmd_verify_failure
+
     # run with deny license config should fail
     run bin/ratify verify -c $RATIFY_DIR/sbom_denylist_config_licensematch.json -s $TEST_REGISTRY/sbom:v0
     assert_cmd_verify_failure

test/bats/tests/config/sbom_version_mismatch.json

@@ -0,0 +1,31 @@
+{
+    "store": {
+        "version": "1.0.0",
+        "plugins": [
+            {
+                "name": "oras",
+                "useHttp": true
+            }
+        ]
+    },
+    "policy": {
+        "version": "1.0.0",
+        "plugin": {
+            "name": "configPolicy",
+            "artifactVerificationPolicies": {
+                "application/spdx+json": "all"
+            }
+        }
+    },
+    "verifier": {
+        "version": "1.0.0",
+        "plugins": [
+            {
+                "version": "3.0.0",
+                "name": "sbom",
+                "artifactTypes": "application/spdx+json",
+                "disallowedLicenses": ["NOASSERTION"]                 
+            }
+        ]
+    }
+}