feat(attestation): Allow the auto discovery of material's kind #820

Merged: 4 commits into chainloop-dev:main, May 24, 2024

Conversation

@javirln javirln commented May 22, 2024

This patch eases the addition of new materials to an attestation by enabling, by default, the auto discovery of the materials' kind. If the material is not in the contract and no specific kind is flagged, the CLI will try to match the material against any of the registered kinds.

Please note this is a best effort.

Example of usage. Given the following contract:

$ chainloop --insecure attestation init --replace --workflow-name wf-test
WRN API contacted in insecure mode
INF Attestation initialized! now you can check its status or add materials to it
┌───────────────────┬──────────────────────────────────────┐
│ Initialized At    │ 22 May 24 13:38 UTC                  │
├───────────────────┼──────────────────────────────────────┤
│ Attestation ID    │ 583553ef-d051-4c41-aec4-a4cdd725bf89 │
│ Name              │ wf-test                              │
│ Team              │ founding                             │
│ Project           │ core                                 │
│ Contract Revision │ 3                                    │
└───────────────────┴──────────────────────────────────────┘
┌────────────────────────┐
│ Materials              │
├───────────┬────────────┤
│ Name      │ one-file   │
│ Type      │ ARTIFACT   │
│ Set       │ No         │
│ Required  │ Yes        │
│ Is output │ Yes        │
├───────────┼────────────┤
│ Name      │ other-file │
│ Type      │ EVIDENCE   │
│ Set       │ No         │
│ Required  │ Yes        │
│ Is output │ Yes        │
└───────────┴────────────┘

Let's add the compulsory materials:

$ chainloop --insecure attestation add --value go.mod --name one-file
WRN API contacted in insecure mode
INF material added to attestation

$ chainloop --insecure attestation add --value LICENSE.md --name other-file
WRN API contacted in insecure mode
INF material added to attestation

And finally let's try to discover one material without specifying its type:

$ chainloop --insecure attestation add --value controlplane.cyclonedx.json
WRN API contacted in insecure mode
INF material kind detected kind=SBOM_CYCLONEDX_JSON
INF material added to attestation

As a result we can see how it's added to the result:

$ chainloop --insecure attestation push --key cosign.key
WRN API contacted in insecure mode
Enter password for private key:
INF push completed
┌───────────────────┬──────────────────────────────────────┐
│ Initialized At    │ 22 May 24 13:38 UTC                  │
├───────────────────┼──────────────────────────────────────┤
│ Attestation ID    │ 583553ef-d051-4c41-aec4-a4cdd725bf89 │
│ Name              │ wf-test                              │
│ Team              │ founding                             │
│ Project           │ core                                 │
│ Contract Revision │ 3                                    │
└───────────────────┴──────────────────────────────────────┘
┌─────────────────────────────────────────────────────────────────────────────────────┐
│ Materials                                                                           │
├───────────┬─────────────────────────────────────────────────────────────────────────┤
│ Name      │ one-file                                                                │
│ Type      │ ARTIFACT                                                                │
│ Set       │ Yes                                                                     │
│ Required  │ Yes                                                                     │
│ Is output │ Yes                                                                     │
│ Value     │ go.mod                                                                  │
│ Digest    │ sha256:29773f085c46a33efcb6cdb185f6ec30ce1c4ca708b860708cd055b70488ef4d │
├───────────┼─────────────────────────────────────────────────────────────────────────┤
│ Name      │ other-file                                                              │
│ Type      │ EVIDENCE                                                                │
│ Set       │ Yes                                                                     │
│ Required  │ Yes                                                                     │
│ Is output │ Yes                                                                     │
│ Value     │ LICENSE.md                                                              │
│ Digest    │ sha256:c71d239df91726fc519c6eb72d318ec65820627232b2f796219e87dcf35d0ab4 │
├───────────┼─────────────────────────────────────────────────────────────────────────┤
│ Name      │ material-1716385111238449000                                            │
│ Type      │ SBOM_CYCLONEDX_JSON                                                     │
│ Set       │ Yes                                                                     │
│ Required  │ No                                                                      │
│ Value     │ controlplane.cyclonedx.json                                             │
│ Digest    │ sha256:a6bc29d7a2d8d9f6df12a86ee4c86c58189d77bb6ded9487330c39f46ee00d9a │
└───────────┴─────────────────────────────────────────────────────────────────────────┘
Attestation Digest: sha256:8a0b3a9db0372fdf571dbe85c8a9b5202f473ca97e9dbcdf77c3f9b423ea3b9c

Refs #816 #785

@javirln javirln requested review from migmartri and jiparis May 22, 2024 13:55
@javirln javirln self-assigned this May 22, 2024
Signed-off-by: Javier Rodriguez <[email protected]>
javirln commented May 22, 2024

Example of auto discovery with the test data found in the repository:

$ for entry in $(ls internal/attestation/crafter/materials/testdata); do
    echo "$entry" && chainloop --insecure attestation add --value "$entry"
  done

attestation-invalid-intoto.json
WRN API contacted in insecure mode
INF material kind detected kind=ARTIFACT
INF material added to attestation

attestation-invalid-payload.json
WRN API contacted in insecure mode
INF material kind detected kind=ARTIFACT
INF material added to attestation

attestation.json
WRN API contacted in insecure mode
INF material kind detected kind=ATTESTATION
INF material added to attestation

csaf_informational_advisory.json
WRN API contacted in insecure mode
INF material kind detected kind=CSAF_INFORMATIONAL_ADVISORY
INF material added to attestation

csaf_security_advisory.json
WRN API contacted in insecure mode
INF material kind detected kind=CSAF_SECURITY_ADVISORY
INF material added to attestation

csaf_security_incident_response.json
WRN API contacted in insecure mode
INF material kind detected kind=CSAF_SECURITY_INCIDENT_RESPONSE
INF material added to attestation

csaf_security_incident_response_wrong_category.json
WRN API contacted in insecure mode
INF material kind detected kind=ARTIFACT
INF material added to attestation

csaf_vex_v0.2.0.json
WRN API contacted in insecure mode
INF material kind detected kind=CSAF_VEX
INF material added to attestation

junit-invalid.xml
WRN API contacted in insecure mode
INF material kind detected kind=ARTIFACT
INF material added to attestation

junit.xml
WRN API contacted in insecure mode
INF material kind detected kind=JUNIT_XML
INF material added to attestation

missing-chartyaml.tgz
WRN API contacted in insecure mode
INF material kind detected kind=ARTIFACT
INF material added to attestation

missing-empty.tgz
WRN API contacted in insecure mode
INF material kind detected kind=ARTIFACT
INF material added to attestation

missing-valuesyaml.tgz
WRN API contacted in insecure mode
INF material kind detected kind=ARTIFACT
INF material added to attestation

openvex_v0.2.0.json
WRN API contacted in insecure mode
INF material kind detected kind=OPENVEX
INF material added to attestation

random.json
WRN API contacted in insecure mode
INF material kind detected kind=ARTIFACT
INF material added to attestation

report.sarif
WRN API contacted in insecure mode
INF material kind detected kind=SARIF
INF material added to attestation

sbom-spdx.json
WRN API contacted in insecure mode
INF material kind detected kind=ARTIFACT
INF material added to attestation

sbom.cyclonedx-1.5.json
WRN API contacted in insecure mode
INF material kind detected kind=SBOM_CYCLONEDX_JSON
INF material added to attestation

sbom.cyclonedx.json
WRN API contacted in insecure mode
INF material kind detected kind=ARTIFACT
INF material added to attestation

simple.txt
WRN API contacted in insecure mode
INF material kind detected kind=ARTIFACT
INF material added to attestation

valid-chart.tgz
WRN API contacted in insecure mode
INF material kind detected kind=HELM_CHART
INF material added to attestation

Signed-off-by: Javier Rodriguez <[email protected]>
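The best-effort discovery described in this PR and exercised over the testdata above, as an added Go example that is not Chainloop's own crafter code: a registry of kind detectors is tried in order, each one parsing the whole payload, and anything no detector accepts falls back to the generic ARTIFACT kind, which is the behaviour the invalid and unrecognised files show in the output above. The kind names mirror the CLI output in this thread; the detector heuristics (bomFormat plus specVersion for CycloneDX, version plus runs for SARIF, an openvex.dev @context for OpenVEX, a testsuites root for JUnit), the ResolveKind precedence of contract over flagged kind over discovery, and every sample payload are this example's own assumptions.

```go
package main

import (
	"encoding/json"
	"encoding/xml"
	"fmt"
	"strings"
)

// Kind labels a material's format. The constant values mirror the kind names
// printed by the CLI in this thread; the detection logic is an illustration
// and not Chainloop's crafter package.
type Kind string

const (
	KindArtifact      Kind = "ARTIFACT"
	KindCycloneDXJSON Kind = "SBOM_CYCLONEDX_JSON"
	KindSARIF         Kind = "SARIF"
	KindOpenVEX       Kind = "OPENVEX"
	KindJUnitXML      Kind = "JUNIT_XML"
)

// A detector answers whether content is a well-formed document of its kind.
// Every check parses the payload itself, so a truncated or malformed file is
// rejected instead of being matched on its file name or extension.
type detector struct {
	kind  Kind
	match func(content []byte) bool
}

func isCycloneDXJSON(b []byte) bool {
	var doc struct {
		BOMFormat   string `json:"bomFormat"`
		SpecVersion string `json:"specVersion"`
	}
	return json.Unmarshal(b, &doc) == nil && doc.BOMFormat == "CycloneDX" && doc.SpecVersion != ""
}

func isSARIF(b []byte) bool {
	var doc struct {
		Version string            `json:"version"`
		Runs    []json.RawMessage `json:"runs"`
	}
	return json.Unmarshal(b, &doc) == nil && doc.Version != "" && len(doc.Runs) > 0
}

func isOpenVEX(b []byte) bool {
	var doc struct {
		Context string `json:"@context"`
	}
	return json.Unmarshal(b, &doc) == nil && strings.HasPrefix(doc.Context, "https://openvex.dev/ns")
}

func isJUnitXML(b []byte) bool {
	var root struct{ XMLName xml.Name }
	if err := xml.Unmarshal(b, &root); err != nil {
		return false // not XML, or truncated XML (unclosed elements)
	}
	return root.XMLName.Local == "testsuites" || root.XMLName.Local == "testsuite"
}

// Registry order matters: the first detector that accepts the content wins,
// so more specific formats must be listed before more permissive ones.
var registry = []detector{
	{KindCycloneDXJSON, isCycloneDXJSON},
	{KindSARIF, isSARIF},
	{KindOpenVEX, isOpenVEX},
	{KindJUnitXML, isJUnitXML},
}

// DetectKind is the best-effort discovery step: try every registered kind and
// fall back to ARTIFACT when none accepts the content.
func DetectKind(content []byte) Kind {
	for _, d := range registry {
		if d.match(content) {
			return d.kind
		}
	}
	return KindArtifact
}

// ResolveKind models the precedence the PR describes: a material named in the
// contract keeps its contracted kind, an explicitly flagged kind is used as
// given, and only otherwise is discovery run (contract-before-flag ordering is
// an assumption of this example). The bool reports whether discovery decided
// the kind, which is what a caller would log, as the CLI does above.
func ResolveKind(contract map[string]Kind, name string, flagKind Kind, content []byte) (Kind, bool) {
	if k, ok := contract[name]; ok {
		return k, false
	}
	if flagKind != "" {
		return flagKind, false
	}
	return DetectKind(content), true
}

// Constructed sample payloads; the names echo the testdata listing above but
// the contents are made up for this example.
var Samples = map[string]string{
	"sbom.cyclonedx.json": `{"bomFormat":"CycloneDX","specVersion":"1.5","components":[]}`,
	"report.sarif":        `{"version":"2.1.0","runs":[{"tool":{"driver":{"name":"scanner"}}}]}`,
	"openvex.json":        `{"@context":"https://openvex.dev/ns/v0.2.0","statements":[]}`,
	"junit.xml":           `<testsuites><testsuite name="unit" tests="1"/></testsuites>`,
	"junit-invalid.xml":   `<testsuites><testsuite name="unit">`, // truncated: no closing tags
	"random.json":         `{"bomFormat":"CycloneDX"}`,            // SBOM-like but lacks specVersion
	"simple.txt":          `hello world`,
}

// DetectAll runs discovery over every sample and returns name -> kind.
func DetectAll() map[string]Kind {
	out := make(map[string]Kind, len(Samples))
	for name, body := range Samples {
		out[name] = DetectKind([]byte(body))
	}
	return out
}

func main() {
	for name, kind := range DetectAll() {
		fmt.Printf("%-22s kind=%s\n", name, kind)
	}
	contract := map[string]Kind{"one-file": KindArtifact}
	k, discovered := ResolveKind(contract, "one-file", "", []byte(Samples["sbom.cyclonedx.json"]))
	fmt.Printf("one-file -> %s (discovered=%v)\n", k, discovered)
}
```

Discovery is a claim about a file's format, not a check of its provenance or of whether it belongs in the attestation: in the push output above the discovered material is recorded under a generated name with `Required: No`, next to the two contracted materials that were added by name, so it is still the contract that decides what an attestation must contain. The fallback also means an invalid JUnit or CycloneDX document is silently recorded as an ARTIFACT rather than rejected, which is why this example reports whether the kind was discovered so that a caller can log or gate on it.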
@javirln javirln merged commit 76a41fd into chainloop-dev:main May 24, 2024
13 checks passed