Conform provenance.materials.uri to URI syntax (tektoncd#792)

According to SLSA Provenance v0.2 the `provenance.materials.uri`[1] needs to be a `ResourceURI` which is defined[2] as a _"Uniform Resource Identifier as specified in RFC 3986"_. The `uri` field of `provenance.materials` is populated with the image reference which does not contain the scheme and therefore is not a valid URI. This changes that to prepend the `oci://` prefix to Task and sidecar image references. [1] https://slsa.dev/provenance/v0.2#materials.uri [2] https://github.com/in-toto/attestation/blob/main/spec/v0.1.0/field_types.md#ResourceURI
chitrangpatel · May 15, 2023 · 1a3b099 · 1a3b099
1 parent 3b485fa
commit 1a3b099
Show file tree

Hide file tree

Showing 14 changed files with 95 additions and 86 deletions.
diff --git a/pkg/artifacts/signable.go b/pkg/artifacts/signable.go
@@ -35,6 +35,8 @@ import (
 const (
 	ArtifactsInputsResultName  = "ARTIFACT_INPUTS"
 	ArtifactsOutputsResultName = "ARTIFACT_OUTPUTS"
+	OCIScheme                  = "oci://"
+	GitSchemePrefix            = "git+"
 )
 
 var (

diff --git a/pkg/artifacts/signable_test.go b/pkg/artifacts/signable_test.go
@@ -503,21 +503,21 @@ func TestRetrieveMaterialsFromStructuredResults(t *testing.T) {
 					{
 						Name: "img1_input" + "_" + ArtifactsInputsResultName,
 						Value: *v1beta1.NewObject(map[string]string{
-							"uri":    "gcr.io/foo/bar",
+							"uri":    OCIScheme + "gcr.io/foo/bar",
 							"digest": "sha256:05f95b26ed10668b7183c1e2da98610e91372fa9f510046d4ce5812addad86b7",
 						}),
 					},
 					{
 						Name: "img2_input_no_digest" + "_" + ArtifactsInputsResultName,
 						Value: *v1beta1.NewObject(map[string]string{
-							"uri":    "gcr.io/foo/foo",
+							"uri":    OCIScheme + "gcr.io/foo/foo",
 							"digest": "",
 						}),
 					},
 					{
 						Name: "img2_input_invalid_digest" + "_" + ArtifactsInputsResultName,
 						Value: *v1beta1.NewObject(map[string]string{
-							"uri":    "gcr.io/foo/foo",
+							"uri":    OCIScheme + "gcr.io/foo/foo",
 							"digest": "sha:123",
 						}),
 					},
@@ -527,7 +527,7 @@ func TestRetrieveMaterialsFromStructuredResults(t *testing.T) {
 	}
 	wantMaterials := []common.ProvenanceMaterial{
 		{
-			URI:    "gcr.io/foo/bar",
+			URI:    OCIScheme + "gcr.io/foo/bar",
 			Digest: map[string]string{"sha256": "05f95b26ed10668b7183c1e2da98610e91372fa9f510046d4ce5812addad86b7"},
 		},
 	}

diff --git a/pkg/chains/formats/slsa/attest/attest.go b/pkg/chains/formats/slsa/attest/attest.go
@@ -21,6 +21,7 @@ import (
 	"strings"
 
 	slsa "github.com/in-toto/in-toto-golang/in_toto/slsa_provenance/v0.2"
+	"github.com/tektoncd/chains/pkg/artifacts"
 	"github.com/tektoncd/pipeline/pkg/apis/pipeline/v1beta1"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -50,7 +51,7 @@ func Step(step *v1beta1.Step, stepState *v1beta1.StepState) StepAttestation {
 	attestation.Arguments = step.Args
 
 	env := map[string]interface{}{}
-	env["image"] = stepState.ImageID
+	env["image"] = artifacts.OCIScheme + strings.TrimPrefix(stepState.ImageID, "docker-pullable://")
 	env["container"] = stepState.Name
 	attestation.Environment = env
 
@@ -118,9 +119,8 @@ func convertConfigSource(source *v1beta1.RefSource) slsa.ConfigSource {
 // ref: https://spdx.dev/spdx-specification-21-web-version/#h.49x2ik5
 // ref: https://github.com/in-toto/attestation/blob/849867bee97e33678f61cc6bd5da293097f84c25/spec/field_types.md
 func SPDXGit(url, revision string) string {
-	prefix := "git+"
 	if revision == "" {
-		return prefix + url + ".git"
+		return artifacts.GitSchemePrefix + url + ".git"
 	}
-	return prefix + url + fmt.Sprintf("@%s", revision)
+	return artifacts.GitSchemePrefix + url + fmt.Sprintf("@%s", revision)
 }
diff --git a/pkg/chains/formats/slsa/internal/material/material.go b/pkg/chains/formats/slsa/internal/material/material.go
@@ -66,7 +66,8 @@ func AddImageIDToMaterials(imageID string, mats *[]common.ProvenanceMaterial) er
 		if len(digest) == 2 {
 			// no point in partially populating the material
 			// do it if both conditions are valid.
-			m.URI = uriDigest[0]
+			uri := strings.TrimPrefix(uriDigest[0], "docker-pullable://")
+			m.URI = artifacts.OCIScheme + uri
 			m.Digest[digest[0]] = digest[1]
 			*mats = append(*mats, m)
 		} else {

diff --git a/pkg/chains/formats/slsa/internal/material/material_test.go b/pkg/chains/formats/slsa/internal/material/material_test.go
@@ -59,7 +59,7 @@ status:
 
 	want := []common.ProvenanceMaterial{
 		{
-			URI: "git+https://github.com/GoogleContainerTools/distroless.git",
+			URI: artifacts.GitSchemePrefix + "https://github.com/GoogleContainerTools/distroless.git",
 			Digest: common.DigestSet{
 				"sha1": "50c56a48cfb3a5a80fa36ed91c739bdac8381cbe",
 			},
@@ -138,7 +138,7 @@ func TestMaterials(t *testing.T) {
 				},
 			},
 			{
-				URI: "git+https://github.com/GoogleContainerTools/distroless.git",
+				URI: artifacts.GitSchemePrefix + "https://github.com/GoogleContainerTools/distroless.git",
 				Digest: common.DigestSet{
 					"sha1": "50c56a48cfb3a5a80fa36ed91c739bdac8381cbe",
 				},
@@ -159,7 +159,7 @@ func TestMaterials(t *testing.T) {
 		},
 		want: []common.ProvenanceMaterial{
 			{
-				URI: "git+github.com/something.git",
+				URI: artifacts.GitSchemePrefix + "github.com/something.git",
 				Digest: common.DigestSet{
 					"sha1": "my-commit",
 				},
@@ -185,13 +185,13 @@ func TestMaterials(t *testing.T) {
 		},
 		want: []common.ProvenanceMaterial{
 			{
-				URI: "gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/git-init",
+				URI: artifacts.OCIScheme + "gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/git-init",
 				Digest: common.DigestSet{
 					"sha256": "b963f6e7a69617db57b685893256f978436277094c21d43b153994acd8a01247",
 				},
 			},
 			{
-				URI: "gcr.io/cloud-marketplace-containers/google/bazel",
+				URI: artifacts.OCIScheme + "gcr.io/cloud-marketplace-containers/google/bazel",
 				Digest: common.DigestSet{
 					"sha256": "010a1ecd1a8c3610f12039a25b823e3a17bd3e8ae455a53e340dcfdd37a49964",
 				},
@@ -221,17 +221,17 @@ func TestMaterials(t *testing.T) {
 		},
 		want: []common.ProvenanceMaterial{
 			{
-				URI: "gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/git-init",
+				URI: artifacts.OCIScheme + "gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/git-init",
 				Digest: common.DigestSet{
 					"sha256": "b963f6e7a69617db57b685893256f978436277094c21d43b153994acd8a01247",
 				},
 			}, {
-				URI: "gcr.io/cloud-marketplace-containers/google/bazel",
+				URI: artifacts.OCIScheme + "gcr.io/cloud-marketplace-containers/google/bazel",
 				Digest: common.DigestSet{
 					"sha256": "010a1ecd1a8c3610f12039a25b823e3a17bd3e8ae455a53e340dcfdd37a49964",
 				},
 			}, {
-				URI: "gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/sidecar-git-init",
+				URI: artifacts.OCIScheme + "gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/sidecar-git-init",
 				Digest: common.DigestSet{
 					"sha256": "a1234f6e7a69617db57b685893256f978436277094c21d43b153994acd8a09567",
 				},
@@ -272,19 +272,19 @@ func TestAddStepImagesToMaterials(t *testing.T) {
 		}},
 		want: []common.ProvenanceMaterial{
 			{
-				URI: "gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/git-init",
+				URI: artifacts.OCIScheme + "gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/git-init",
 				Digest: common.DigestSet{
 					"sha256": "b963f6e7a69617db57b685893256f978436277094c21d43b153994acd8a01247",
 				},
 			},
 			{
-				URI: "gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/git-init",
+				URI: artifacts.OCIScheme + "gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/git-init",
 				Digest: common.DigestSet{
 					"sha256": "b963f6e7a69617db57b685893256f978436277094c21d43b153994acd8a01247",
 				},
 			},
 			{
-				URI: "gcr.io/cloud-marketplace-containers/google/bazel",
+				URI: artifacts.OCIScheme + "gcr.io/cloud-marketplace-containers/google/bazel",
 				Digest: common.DigestSet{
 					"sha256": "010a1ecd1a8c3610f12039a25b823e3a17bd3e8ae455a53e340dcfdd37a49964",
 				},
@@ -342,19 +342,19 @@ func TestAddSidecarImagesToMaterials(t *testing.T) {
 		}},
 		want: []common.ProvenanceMaterial{
 			{
-				URI: "gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/git-init",
+				URI: artifacts.OCIScheme + "gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/git-init",
 				Digest: common.DigestSet{
 					"sha256": "b963f6e7a69617db57b685893256f978436277094c21d43b153994acd8a01247",
 				},
 			},
 			{
-				URI: "gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/git-init",
+				URI: artifacts.OCIScheme + "gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/git-init",
 				Digest: common.DigestSet{
 					"sha256": "b963f6e7a69617db57b685893256f978436277094c21d43b153994acd8a01247",
 				},
 			},
 			{
-				URI: "gcr.io/cloud-marketplace-containers/google/bazel",
+				URI: artifacts.OCIScheme + "gcr.io/cloud-marketplace-containers/google/bazel",
 				Digest: common.DigestSet{
 					"sha256": "010a1ecd1a8c3610f12039a25b823e3a17bd3e8ae455a53e340dcfdd37a49964",
 				},
@@ -403,7 +403,7 @@ func TestAddImageIDToMaterials(t *testing.T) {
 		imageID: "gcr.io/cloud-marketplace-containers/google/bazel@sha256:010a1ecd1a8c3610f12039a25b823e3a17bd3e8ae455a53e340dcfdd37a49964",
 		want: []common.ProvenanceMaterial{
 			{
-				URI: "gcr.io/cloud-marketplace-containers/google/bazel",
+				URI: artifacts.OCIScheme + "gcr.io/cloud-marketplace-containers/google/bazel",
 				Digest: common.DigestSet{
 					"sha256": "010a1ecd1a8c3610f12039a25b823e3a17bd3e8ae455a53e340dcfdd37a49964",
 				},