fix: add source to container-based predicate's resolveddependencies &…

… fix internalParams (slsa-framework#2183) Fixes slsa-framework#2182 This ensures that the source dependency comes first in the list of resolved dependencies. This way, the verifier can identify the correct source. This will fix the container based e2e tests. Also took the opportunity to clean up the predicate's internal paremeters - no more github runner or other invalid fields. --------- Signed-off-by: Asra Ali <asraa@google.com> Signed-off-by: laurentsimon <laurentsimon@google.com>
laurentsimon · Jun 1, 2023 · bb7e018 · bb7e018
1 parent 53d0436
commit bb7e018
Show file tree

Hide file tree

Showing 9 changed files with 46 additions and 33 deletions.
diff --git a/.github/actions/create-container_based-predicate/dist/index.js b/.github/actions/create-container_based-predicate/dist/index.js
@@ -82,27 +82,23 @@ function addGitHubParameters(predicate, currentRun) {
     }
     const internalParams = predicate.buildDefinition.internalParameters;
     // Put GitHub context and env vars into internalParameters.
+    internalParams.GITHUB_ACTOR_ID = String(((_a = currentRun.actor) === null || _a === void 0 ? void 0 : _a.id) || "");
     internalParams.GITHUB_EVENT_NAME = ctx.eventName;
-    internalParams.GITHUB_JOB = ctx.job;
     internalParams.GITHUB_REF = ctx.ref;
-    internalParams.GITHUB_BASE_REF = env.GITHUB_BASE_REF || "";
     internalParams.GITHUB_REF_TYPE = env.GITHUB_REF_TYPE || "";
     internalParams.GITHUB_REPOSITORY = env.GITHUB_REPOSITORY || "";
+    internalParams.GITHUB_REPOSITORY_ID = String(currentRun.repository.id || "");
+    internalParams.GITHUB_REPOSITORY_OWNER_ID = String(currentRun.repository.owner.id || "");
     internalParams.GITHUB_RUN_ATTEMPT = env.GITHUB_RUN_ATTEMPT || "";
     internalParams.GITHUB_RUN_ID = ctx.runId;
     internalParams.GITHUB_RUN_NUMBER = ctx.runNumber;
     internalParams.GITHUB_SHA = ctx.sha;
+    internalParams.GITHUB_TRIGGERING_ACTOR_ID =
+        currentRun.triggering_actor && String(currentRun.triggering_actor.id);
     internalParams.GITHUB_WORKFLOW = ctx.workflow;
     internalParams.GITHUB_WORKFLOW_REF = env.GITHUB_WORKFLOW_REF || "";
     internalParams.GITHUB_WORKFLOW_SHA = env.GITHUB_WORKFLOW_SHA || "";
-    internalParams.IMAGE_OS = env.ImageOS || "";
-    internalParams.IMAGE_VERSION = env.ImageVersion || "";
-    internalParams.RUNNER_ARCH = env.RUNNER_ARCH || "";
-    internalParams.RUNNER_NAME = env.RUNNER_NAME || "";
-    internalParams.RUNNER_OS = env.RUNNER_OS || "";
-    internalParams.GITHUB_ACTOR_ID = String(((_a = currentRun.actor) === null || _a === void 0 ? void 0 : _a.id) || "");
-    internalParams.GITHUB_REPOSITORY_ID = String(currentRun.repository.id || "");
-    internalParams.GITHUB_REPOSITORY_OWNER_ID = String(currentRun.repository.owner.id || "");
+    internalParams.GITHUB_BASE_REF = env.GITHUB_BASE_REF || "";
     // Put GitHub event payload into internalParameters.
     // TODO(github.com/slsa-framework/slsa-github-generator/issues/1575): Redact sensitive information.
     if (env.GITHUB_EVENT_PATH) {
@@ -286,6 +282,7 @@ Object.defineProperty(exports, "__esModule", ({ value: true }));
 exports.generatePredicate = void 0;
 const github_1 = __nccwpck_require__(5928);
 function generatePredicate(bd, binaryRef, jobWorkflowRef, currentRun) {
+    var _a;
     let pred = {
         buildDefinition: bd,
         runDetails: {
@@ -298,7 +295,7 @@ function generatePredicate(bd, binaryRef, jobWorkflowRef, currentRun) {
         },
     };
     // Add the builder binary to the resolved dependencies.
-    pred.buildDefinition.resolvedDependencies = [binaryRef];
+    (_a = pred.buildDefinition.resolvedDependencies) === null || _a === void 0 ? void 0 : _a.concat([binaryRef]);
     // Update the parameters with the GH context, including workflow
     // inputs.
     pred = (0, github_1.addGitHubParameters)(pred, currentRun);

diff --git a/.github/actions/create-container_based-predicate/dist/index.js.map b/.github/actions/create-container_based-predicate/dist/index.js.map
diff --git a/.github/actions/create-container_based-predicate/src/github.ts b/.github/actions/create-container_based-predicate/src/github.ts
@@ -50,29 +50,25 @@ export function addGitHubParameters(
   const internalParams = predicate.buildDefinition.internalParameters;
 
   // Put GitHub context and env vars into internalParameters.
+  internalParams.GITHUB_ACTOR_ID = String(currentRun.actor?.id || "");
   internalParams.GITHUB_EVENT_NAME = ctx.eventName;
-  internalParams.GITHUB_JOB = ctx.job;
   internalParams.GITHUB_REF = ctx.ref;
-  internalParams.GITHUB_BASE_REF = env.GITHUB_BASE_REF || "";
   internalParams.GITHUB_REF_TYPE = env.GITHUB_REF_TYPE || "";
   internalParams.GITHUB_REPOSITORY = env.GITHUB_REPOSITORY || "";
+  internalParams.GITHUB_REPOSITORY_ID = String(currentRun.repository.id || "");
+  internalParams.GITHUB_REPOSITORY_OWNER_ID = String(
+    currentRun.repository.owner.id || ""
+  );
   internalParams.GITHUB_RUN_ATTEMPT = env.GITHUB_RUN_ATTEMPT || "";
   internalParams.GITHUB_RUN_ID = ctx.runId;
   internalParams.GITHUB_RUN_NUMBER = ctx.runNumber;
   internalParams.GITHUB_SHA = ctx.sha;
+  internalParams.GITHUB_TRIGGERING_ACTOR_ID =
+    currentRun.triggering_actor && String(currentRun.triggering_actor.id);
   internalParams.GITHUB_WORKFLOW = ctx.workflow;
   internalParams.GITHUB_WORKFLOW_REF = env.GITHUB_WORKFLOW_REF || "";
   internalParams.GITHUB_WORKFLOW_SHA = env.GITHUB_WORKFLOW_SHA || "";
-  internalParams.IMAGE_OS = env.ImageOS || "";
-  internalParams.IMAGE_VERSION = env.ImageVersion || "";
-  internalParams.RUNNER_ARCH = env.RUNNER_ARCH || "";
-  internalParams.RUNNER_NAME = env.RUNNER_NAME || "";
-  internalParams.RUNNER_OS = env.RUNNER_OS || "";
-  internalParams.GITHUB_ACTOR_ID = String(currentRun.actor?.id || "");
-  internalParams.GITHUB_REPOSITORY_ID = String(currentRun.repository.id || "");
-  internalParams.GITHUB_REPOSITORY_OWNER_ID = String(
-    currentRun.repository.owner.id || ""
-  );
+  internalParams.GITHUB_BASE_REF = env.GITHUB_BASE_REF || "";
 
   // Put GitHub event payload into internalParameters.
   // TODO(github.com/slsa-framework/slsa-github-generator/issues/1575): Redact sensitive information.

diff --git a/.github/actions/create-container_based-predicate/src/predicate.ts b/.github/actions/create-container_based-predicate/src/predicate.ts
@@ -95,7 +95,7 @@ export function generatePredicate(
     },
   };
   // Add the builder binary to the resolved dependencies.
-  pred.buildDefinition.resolvedDependencies = [binaryRef];
+  pred.buildDefinition.resolvedDependencies?.concat([binaryRef]);
 
   // Update the parameters with the GH context, including workflow
   // inputs.

diff --git a/internal/builders/docker/pkg/builder.go b/internal/builders/docker/pkg/builder.go
@@ -111,11 +111,12 @@ func (db *DockerBuild) CreateBuildDefinition() *slsa1.ProvenanceBuildDefinition
 		Config:       *db.buildConfig,
 	}
 
-	// Currently we don't have any SystemParameters or ResolvedDependencies.
-	// So these fields are left empty.
+	// Currently we don't have any SystemParameters, so this fields is left empty.
 	return &slsa1.ProvenanceBuildDefinition{
 		BuildType:          ContainerBasedBuildType,
 		ExternalParameters: ep,
+		// The source repository is also added as a resolved dependency.
+		ResolvedDependencies: []slsa1.ResourceDescriptor{sourceArtifact(db.config)},
 	}
 }
 

diff --git a/internal/builders/docker/pkg/builder_test.go b/internal/builders/docker/pkg/builder_test.go
@@ -176,7 +176,7 @@ func Test_inspectArtifacts(t *testing.T) {
 
 	s1 := intoto.Subject{
 		Name:   "build-definition.json",
-		Digest: map[string]string{"sha256": "b1c74863007166aadca8ff54a0e647047696bee38e8e8a25a1290f494e3abc46"},
+		Digest: map[string]string{"sha256": "ab5582bfb6128c534583e1fea92421158c9de5e72e86c78cf550a8adcbf12db5"},
 	}
 	s2 := intoto.Subject{
 		Name:   "config.toml",
@@ -185,7 +185,7 @@ func Test_inspectArtifacts(t *testing.T) {
 
 	s3 := intoto.Subject{
 		Name:   "slsa1-provenance.json",
-		Digest: map[string]string{"sha256": "f472aaf04468ae881ab502f1f02f23476fe0d4dbb7a8a4b5d3eae9b2843e2ecd"},
+		Digest: map[string]string{"sha256": "8b43bccfe6704594dcfbd8824097c16f61b79b32ec5439f4704cdf0b4529958b"},
 	}
 
 	s4 := intoto.Subject{
@@ -226,7 +226,7 @@ func Test_inspectArtifactsNoRoot(t *testing.T) {
 
 	s1 := intoto.Subject{
 		Name:   "build-definition.json",
-		Digest: map[string]string{"sha256": "b1c74863007166aadca8ff54a0e647047696bee38e8e8a25a1290f494e3abc46"},
+		Digest: map[string]string{"sha256": "ab5582bfb6128c534583e1fea92421158c9de5e72e86c78cf550a8adcbf12db5"},
 	}
 	s2 := intoto.Subject{
 		Name:   "config.toml",
@@ -235,7 +235,7 @@ func Test_inspectArtifactsNoRoot(t *testing.T) {
 
 	s3 := intoto.Subject{
 		Name:   "slsa1-provenance.json",
-		Digest: map[string]string{"sha256": "f472aaf04468ae881ab502f1f02f23476fe0d4dbb7a8a4b5d3eae9b2843e2ecd"},
+		Digest: map[string]string{"sha256": "8b43bccfe6704594dcfbd8824097c16f61b79b32ec5439f4704cdf0b4529958b"},
 	}
 
 	s4 := intoto.Subject{

diff --git a/internal/builders/docker/pkg/common_test.go b/internal/builders/docker/pkg/common_test.go
@@ -56,6 +56,9 @@ func Test_BuildDefinition(t *testing.T) {
 				},
 			},
 		},
+		ResolvedDependencies: []slsa1.ResourceDescriptor{
+			wantSource,
+		},
 	}
 
 	if diff := cmp.Diff(got, want); diff != "" {

diff --git a/internal/builders/docker/testdata/build-definition.json b/internal/builders/docker/testdata/build-definition.json
@@ -22,5 +22,13 @@
             ]
         },
         "configPath": "internal/builders/docker/testdata/config.toml"
-    }
+    },
+    "resolvedDependencies": [
+        {
+            "uri": "git+https://github.com/slsa-framework/slsa-github-generator@refs/heads/main",
+            "digest": {
+                "sha1": "cf5804b5c6f1a4b2a0b03401a487dfdfbe3a5f00"
+            }
+        }
+    ]
 }
diff --git a/internal/builders/docker/testdata/slsa1-provenance.json b/internal/builders/docker/testdata/slsa1-provenance.json
@@ -34,7 +34,15 @@
                         "config.toml"
                     ]
                 }
-            }
+            },
+            "resolvedDependencies": [
+                {
+                    "uri": "git+https://github.com/slsa-framework/slsa-github-generator@refs/heads/main",
+                    "digest": {
+                        "sha1": "cf5804b5c6f1a4b2a0b03401a487dfdfbe3a5f00"
+                    }
+                }
+            ]
         }
     }
 }