
[feature] Use SLSA resource description's annotations to specify whether the resolvedDependencies were a source or other material #2182

Closed
asraa opened this issue May 26, 2023 · 1 comment · Fixed by #2183
Labels
area:BYOB An issue with the BYOB framework specs:v1.0 type:feature New feature or request

Comments

@asraa
Collaborator

asraa commented May 26, 2023

The container-based builder uses two resolved deps: one is the source, and one is the builder binary from this repository.

They are both represented as a ResourceDescriptor in the unordered ResolvedDependencies field of the SLSA v1.0 provenance.

My suggestion is to use an annotation "source" to hint at which was the source, so the slsa-verifier can make an informed decision.

We can keep the default behavior the same - that is, if there is only 1 resolved dep, use that as the source. If there are more than 1, we can use the annotations to narrow the list down.

This is a string-string map, so we can do something like

      "resolvedDependencies": [
        {
          "uri": "git+https://github.com/slsa-framework/slsa-github-generator@refs/heads/main",
          "digest": {
            "sha256": "d5a35d5f711ac09f4cc661ccc42a9c3f9a29a3b140b59239d6c193606063de45"
          }
        },
        {
          "uri": "git+https://github.com/slsa-framework/example-package@refs/heads/main",
          "digest": {
            "sha1": "b11ac9395b936cc5afcbc45112f48d66d85788b7"
          },
          "annotations": {
            "source": "true"
          }
        }
      ],

The verifier can check for the presence of a "source" key in the annotation map with the value "true".

What do you think?
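The selection rule proposed in this comment, as an added example in Go (not slsa-verifier's own code; the type and function names are assumptions, and the JSON fragment is constructed to match the one above). It treats zero or several annotated entries as a verification failure rather than guessing:

```go
package main

import (
	"encoding/json"
	"fmt"
)

// ResourceDescriptor holds the SLSA v1.0 resolvedDependencies fields used here.
type ResourceDescriptor struct {
	URI         string            `json:"uri"`
	Digest      map[string]string `json:"digest"`
	Annotations map[string]string `json:"annotations,omitempty"`
}

// SelectSource applies the rule proposed above: a lone dependency is the source;
// with several, exactly one must carry the annotation "source": "true".
// Zero or multiple candidates is an error rather than a guess.
func SelectSource(deps []ResourceDescriptor) (ResourceDescriptor, error) {
	if len(deps) == 1 {
		return deps[0], nil
	}
	var found []ResourceDescriptor
	for _, d := range deps {
		if d.Annotations["source"] == "true" {
			found = append(found, d)
		}
	}
	if len(found) != 1 {
		return ResourceDescriptor{}, fmt.Errorf("want exactly one dependency annotated source=true, got %d of %d", len(found), len(deps))
	}
	return found[0], nil
}

// provenanceJSON is a constructed fragment shaped like the one in the comment above.
const provenanceJSON = `[
 {"uri": "git+https://github.com/slsa-framework/slsa-github-generator@refs/heads/main",
  "digest": {"sha256": "d5a35d5f711ac09f4cc661ccc42a9c3f9a29a3b140b59239d6c193606063de45"}},
 {"uri": "git+https://github.com/slsa-framework/example-package@refs/heads/main",
  "digest": {"sha1": "b11ac9395b936cc5afcbc45112f48d66d85788b7"}, "annotations": {"source": "true"}}]`

func main() {
	var deps []ResourceDescriptor
	if err := json.Unmarshal([]byte(provenanceJSON), &deps); err != nil {
		panic(err)
	}
	src, err := SelectSource(deps)
	fmt.Println(src.URI, src.Digest["sha1"], err) // the example-package entry, <nil>
}
```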

@laurentsimon
Collaborator

SG. Let's add the same for BYOB then.

asraa added a commit that referenced this issue May 29, 2023
… fix internalParams (#2183)

Fixes
#2182

This ensures that the source dependency comes first in the list of
resolved dependencies. This way, the verifier can identify the correct
source.

This will fix the container-based e2e tests.

Also took the opportunity to clean up the predicate's internal
parameters - no more github runner or other invalid fields.

---------

Signed-off-by: Asra Ali <asraa@google.com>
laurentsimon pushed a commit to laurentsimon/slsa-github-generator that referenced this issue Jun 1, 2023
… fix internalParams (slsa-framework#2183)

Fixes
slsa-framework#2182

This ensures that the source dependency comes first in the list of
resolved dependencies. This way, the verifier can identify the correct
source.

This will fix the container-based e2e tests.

Also took the opportunity to clean up the predicate's internal
parameters - no more github runner or other invalid fields.

---------

Signed-off-by: Asra Ali <asraa@google.com>
Signed-off-by: laurentsimon <laurentsimon@google.com>