Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Store the digest of each verified attestation in the PolicyAttestation object #925

Merged
merged 2 commits into from
Aug 8, 2023
Merged
Show file tree
Hide file tree
Changes from 1 commit
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
9 changes: 9 additions & 0 deletions pkg/webhook/validator.go
Original file line number Diff line number Diff line change
Expand Up @@ -713,6 +713,7 @@

PredicateType string
Payload []byte
Digest string
}

func attestationToPolicyAttestations(ctx context.Context, atts []attestation) []PolicyAttestation {
Expand Down Expand Up @@ -743,6 +744,7 @@
WorkflowRef: ce.GetCertExtensionGithubWorkflowRef(),
},
},
Digest: att.Digest,
PredicateType: att.PredicateType,
Payload: att.Payload,
})
Expand All @@ -754,6 +756,7 @@
},
PredicateType: att.PredicateType,
Payload: att.Payload,
Digest: att.Digest,

Check warning on line 759 in pkg/webhook/validator.go

View check run for this annotation

Codecov / codecov/patch

pkg/webhook/validator.go#L759

Added line #L759 was not covered by tests
})
}
}
Expand Down Expand Up @@ -890,6 +893,11 @@
// attestations and make sure that our particular one is satisfied.
checkedAttestations := make([]attestation, 0, len(verifiedAttestations))
for _, va := range verifiedAttestations {
attDigest, err := va.Digest()
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is for the layer right? Just to make sure that with all the wonkiness for the OCI that we're getting the right one, that @wlynch had to make changes in here for:
#826

@wlynch could you take provide another set of 👀 here.

Copy link
Member

@wlynch wlynch Aug 8, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This might be fine?

Digest (somewhat counterintuitively) is the SHA of the image layer.

For signatures this is problematic because because the signature bits are in the annotations, not the layer itself, so calling digest gets you the same value for different signatures.

But for attestations, the data is in the layer, so this might be fine? I'd spot check this with some real world examples first.

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes. The code is using VerifyImageAttestations which is also used in the mono PR, and cosign tree to show the digest of the attestation of an image.

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

cosign tree ghcr.io/mattmoor/sbom-attestations/spdx-test@sha256:ba4037061b76ad8f306dd9e442877236015747ec42141caf504dc0df4d10708d
📦 Supply Chain Security Related artifacts for an image: ghcr.io/mattmoor/sbom-attestations/spdx-test@sha256:ba4037061b76ad8f306dd9e442877236015747ec42141caf504dc0df4d10708d
└── 💾 Attestations for an image tag: ghcr.io/mattmoor/sbom-attestations/spdx-test:sha256-ba4037061b76ad8f306dd9e442877236015747ec42141caf504dc0df4d10708d.att
   ├── 🍒 sha256:e9b75fb9a63666bd25c719a9fa3005ebd718e785d3a78844d5fcfd046e6bddc2
   ├── 🍒 sha256:f764a4251b2fe3c85dd46896b9d6e65361c9683755099d6dcd13009836d2e0e4
   └── 🍒 sha256:44726310314767412228d897a45943f158ef15a180270461b9f9847efa5c15de
└── 🔐 Signatures for an image tag: ghcr.io/mattmoor/sbom-attestations/spdx-test:sha256-ba4037061b76ad8f306dd9e442877236015747ec42141caf504dc0df4d10708d.sig
   └── 🍒 sha256:0f3404bb8c65cb8e1184c2d2fb3d1cec08771c1cd40c08f21b63cfaa96d13938

Found the att.Digest sha256:f764a4251b2fe3c85dd46896b9d6e65361c9683755099d6dcd13009836d2e0e4 for a spdx attestation.

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you for checking!

if err != nil {
logging.FromContext(ctx).Errorf("failed to get the attestation digest for %s: %v", wantedAttestation.Name, err)
continue

Check warning on line 899 in pkg/webhook/validator.go

View check run for this annotation

Codecov / codecov/patch

pkg/webhook/validator.go#L898-L899

Added lines #L898 - L899 were not covered by tests
}
attBytes, gotPredicateType, err := policy.AttestationToPayloadJSON(ctx, wantedAttestation.PredicateType, va)
if gotPredicateType != "" {
checkedPredicateTypes[gotPredicateType] = struct{}{}
Expand Down Expand Up @@ -926,6 +934,7 @@
Signature: va,
PredicateType: wantedAttestation.PredicateType,
Payload: attBytes,
Digest: attDigest.String(),
})
}
if len(checkedAttestations) == 0 {
Expand Down
3 changes: 3 additions & 0 deletions pkg/webhook/validator_result.go
Original file line number Diff line number Diff line change
Expand Up @@ -119,6 +119,9 @@ type PolicyAttestation struct {
// not intended for consumption in the ClusterImagePolicy's outer policy
// block.
Payload []byte `json:"-"`

// Digest of the attestation
Digest string `json:"digest,omitempty"`
}

// GithubExtensions holds the Github-related OID extensions.
Expand Down
1 change: 1 addition & 0 deletions pkg/webhook/validator_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -1776,6 +1776,7 @@ func TestValidatePolicy(t *testing.T) {
},
},
PredicateType: "vuln",
Digest: "sha256:01bd6aec99ad7c5d045d9aab649fd95b7af2b3b23887d34d7fce8b2e3c38ca0e",
Payload: []byte(`{"_type":"https://in-toto.io/Statement/v0.1","predicateType":"https://cosign.sigstore.dev/attestation/vuln/v1","subject":[{"name":"ghcr.io/distroless/static","digest":{"sha256":"a1e82f6a5f6dfc735165d3442e7cc5a615f72abac3db19452481f5f3c90fbfa8"}}],"predicate":{"invocation":{"parameters":null,"uri":"https://github.com/distroless/static/actions/runs/2757953139","event_id":"2757953139","builder.id":"Create Release"},"scanner":{"uri":"https://github.com/aquasecurity/trivy","version":"0.29.2","db":{"uri":"","version":""},"result":{"$schema":"https://json.schemastore.org/sarif-2.1.0-rtm.5.json","runs":[{"columnKind":"utf16CodeUnits","originalUriBaseIds":{"ROOTPATH":{"uri":"file:///"}},"results":[],"tool":{"driver":{"fullName":"Trivy Vulnerability Scanner","informationUri":"https://github.com/aquasecurity/trivy","name":"Trivy","rules":[],"version":"0.29.2"}}}],"version":"2.1.0"}},"metadata":{"scanStartedOn":"2022-07-29T02:28:42Z","scanFinishedOn":"2022-07-29T02:28:48Z"}}}`),
}},
},
Expand Down
Loading