From bab593e2ad9fca5a4863e2e02012688dfc2600a2 Mon Sep 17 00:00:00 2001
From: Asra Ali
Date: Mon, 17 Oct 2022 13:16:38 -0500
Subject: [PATCH 1/2] fix builder id matching

Signed-off-by: Asra Ali
---
 cli/slsa-verifier/main_test.go | 29 ++++++++++---------
 .../binary-linux-amd64-multi-subject-first | 0
 ...nux-amd64-multi-subject-first.intoto.jsonl | 0
 .../binary-linux-amd64-multi-subject-second | 0
 ...ux-amd64-multi-subject-second.intoto.jsonl | 0
 5 files changed, 15 insertions(+), 14 deletions(-)
 rename cli/slsa-verifier/testdata/{gha_generic/v1.2.0 => }/binary-linux-amd64-multi-subject-first (100%)
 rename cli/slsa-verifier/testdata/{gha_generic/v1.2.0 => }/binary-linux-amd64-multi-subject-first.intoto.jsonl (100%)
 rename cli/slsa-verifier/testdata/{gha_generic/v1.2.0 => }/binary-linux-amd64-multi-subject-second (100%)
 rename cli/slsa-verifier/testdata/{gha_generic/v1.2.0 => }/binary-linux-amd64-multi-subject-second.intoto.jsonl (100%)

diff --git a/cli/slsa-verifier/main_test.go b/cli/slsa-verifier/main_test.go
index 4ccb07bf5..188deb37c 100644
--- a/cli/slsa-verifier/main_test.go
+++ b/cli/slsa-verifier/main_test.go
@@ -72,6 +72,7 @@ func Test_runVerifyGHAArtifactPath(t *testing.T) {
 t.Parallel()
 goBuilder := "https://github.com/slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml"
 genericBuilder := "https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml"
+
 tests := []struct {
 name string
 artifact string
@@ -157,7 +158,7 @@ func Test_runVerifyGHAArtifactPath(t *testing.T) {
 },
 // Provenance contains tag = v13.0.30.
 {
- name: "tag v31.0.29 no match v13.0.30",
+ name: "tag v13.0.29 no match v13.0.30",
 artifact: "binary-linux-amd64-push-v13.0.30",
 source: "github.com/slsa-framework/example-package",
 ptag: pString("v13.0.29"),
@@ -363,24 +364,24 @@ func Test_runVerifyGHAArtifactPath(t *testing.T) {
 },
 // Multiple subjects in version v1.2.0+
 {
- name: "multiple subject first match",
- artifact: "binary-linux-amd64-multi-subject-first",
- source: "github.com/slsa-framework/example-package",
- minversion: "v1.2.0",
- builders: []string{"gha_generic"},
+ name: "multiple subject first match",
+ artifact: "binary-linux-amd64-multi-subject-first",
+ source: "github.com/slsa-framework/example-package",
+ noversion: true,
+ builders: []string{"gha_generic"},
 },
 {
- name: "multiple subject second match",
- artifact: "binary-linux-amd64-multi-subject-second",
- source: "github.com/slsa-framework/example-package",
- minversion: "v1.2.0",
- builders: []string{"gha_generic"},
+ name: "multiple subject second match",
+ artifact: "binary-linux-amd64-multi-subject-second",
+ source: "github.com/slsa-framework/example-package",
+ noversion: true,
+ builders: []string{"gha_generic"},
 },
 {
 name: "multiple subject second match - builderID",
 artifact: "binary-linux-amd64-multi-subject-second",
 source: "github.com/slsa-framework/example-package",
- minversion: "v1.2.0",
+ noversion: true,
 builders: []string{"gha_generic"},
 pBuilderID: pString("https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml"),
 outBuilderID: "https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml",
@@ -557,7 +558,7 @@ func Test_runVerifyGHAArtifactPath(t *testing.T) {
 }
 
 if err != nil {
- return
+ continue
 }
 
 // Validate against test's expected builderID, if provided.
@@ -568,7 +569,7 @@ func Test_runVerifyGHAArtifactPath(t *testing.T) {
 }
 
 if bid == nil {
- return
+ continue
 }
 
 // Validate against builderID we generated automatically.
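Review bot: The comment `// Multiple subjects in version v1.2.0+` above these three cases no longer describes how they run: with `noversion: true` and the fixtures moved from `gha_generic/v1.2.0` to the `testdata` root, the cases appear to be looked up once rather than per generator version. Consider rewording it, for example `// Multiple subjects; fixtures live at the testdata root and run with noversion.` If leaving the per-version path also skips the automatically generated builder-ID checks for these artifacts, that is worth stating in the comment so the reduced coverage is a recorded decision. The test table starts and ends outside the hunk.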
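Review bot: Both new `continue` statements (`if err != nil` in the hunk at -557 and `if bid == nil` in the hunk at -568) skip the remaining builder-ID assertions with no explanation, and the loop they belong to starts outside both hunks. A one-line comment on each would make the intent reviewable, for example `// Expected failure already checked above; move on to the next builder ID instead of ending the test.` With the previous `return`, the first such case presumably ended the function and later builder-ID comparisons were never evaluated, so it is worth saying explicitly that every entry is now expected to be checked.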
diff --git a/cli/slsa-verifier/testdata/gha_generic/v1.2.0/binary-linux-amd64-multi-subject-first b/cli/slsa-verifier/testdata/binary-linux-amd64-multi-subject-first
similarity index 100%
rename from cli/slsa-verifier/testdata/gha_generic/v1.2.0/binary-linux-amd64-multi-subject-first
rename to cli/slsa-verifier/testdata/binary-linux-amd64-multi-subject-first
diff --git a/cli/slsa-verifier/testdata/gha_generic/v1.2.0/binary-linux-amd64-multi-subject-first.intoto.jsonl b/cli/slsa-verifier/testdata/binary-linux-amd64-multi-subject-first.intoto.jsonl
similarity index 100%
rename from cli/slsa-verifier/testdata/gha_generic/v1.2.0/binary-linux-amd64-multi-subject-first.intoto.jsonl
rename to cli/slsa-verifier/testdata/binary-linux-amd64-multi-subject-first.intoto.jsonl
diff --git a/cli/slsa-verifier/testdata/gha_generic/v1.2.0/binary-linux-amd64-multi-subject-second b/cli/slsa-verifier/testdata/binary-linux-amd64-multi-subject-second
similarity index 100%
rename from cli/slsa-verifier/testdata/gha_generic/v1.2.0/binary-linux-amd64-multi-subject-second
rename to cli/slsa-verifier/testdata/binary-linux-amd64-multi-subject-second
diff --git a/cli/slsa-verifier/testdata/gha_generic/v1.2.0/binary-linux-amd64-multi-subject-second.intoto.jsonl b/cli/slsa-verifier/testdata/binary-linux-amd64-multi-subject-second.intoto.jsonl
similarity index 100%
rename from cli/slsa-verifier/testdata/gha_generic/v1.2.0/binary-linux-amd64-multi-subject-second.intoto.jsonl
rename to cli/slsa-verifier/testdata/binary-linux-amd64-multi-subject-second.intoto.jsonl
From 56fe5090377a290b812650a7a7504715a0aa90da Mon Sep 17 00:00:00 2001
From: Asra Ali
Date: Mon, 17 Oct 2022 13:24:04 -0500
Subject: [PATCH 2/2] plain version tag does not work

Signed-off-by: Asra Ali
---
 cli/slsa-verifier/main_test.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/cli/slsa-verifier/main_test.go b/cli/slsa-verifier/main_test.go
index 188deb37c..99f8e8e58 100644
--- a/cli/slsa-verifier/main_test.go
+++ b/cli/slsa-verifier/main_test.go
@@ -531,7 +531,7 @@ func Test_runVerifyGHAArtifactPath(t *testing.T) {
 // before GA. Add the tests for tag verification.
 if version != "" && semver.Compare(version, "v1.0.0") > 0 {
 builderIDs = append(builderIDs, []*string{
- pString(builder + "@" + sv),
+ // pString(builder + "@" + sv),
 pString(builder + "@refs/tags/" + sv),
 }...)
 }
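Review bot: Commenting out `pString(builder + "@" + sv)` leaves dead code and removes the only visible check of the plain `builder@<tag>` form without recording whether the verifier is meant to accept or reject it. Builder-ID matching is the trust decision under test, so the expected outcome for the short form should be explicit: either a negative case asserting it is rejected, or a tracked note in place of the dead line such as `// TODO(<issue-id>): plain "@" + sv is not matched; only "@refs/tags/" + sv is accepted.` The enclosing `if` and the surrounding loop start outside the hunk.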