Introduce Resolved Dependencies for SLSAv1.0 predicate

This PR introduces resolved dependencies for the SLSAv1.0 predicate. It addresses part of issue tektoncd#797
chitrangpatel · May 8, 2023 · 4c6dea9 · 4c6dea9
1 parent 18d9939
commit 4c6dea9
Show file tree

Hide file tree

Showing 4 changed files with 1,094 additions and 8 deletions.
diff --git a/pkg/artifacts/signable.go b/pkg/artifacts/signable.go
@@ -23,6 +23,7 @@ import (
 
 	"github.com/google/go-containerregistry/pkg/name"
 	"github.com/in-toto/in-toto-golang/in_toto/slsa_provenance/common"
+	v1 "github.com/in-toto/in-toto-golang/in_toto/slsa_provenance/v1"
 	"github.com/opencontainers/go-digest"
 	"github.com/tektoncd/chains/internal/backport"
 	"github.com/tektoncd/chains/pkg/chains/objects"
@@ -323,6 +324,28 @@ func RetrieveMaterialsFromStructuredResults(ctx context.Context, obj objects.Tek
 	return mats
 }
 
+// RetrieveResolvedDependenciesFromStructuredResults retrieves structured results from Tekton Object, and convert them into materials.
+func RetrieveResolvedDependenciesFromStructuredResults(ctx context.Context, obj objects.TektonObject, categoryMarker string) []v1.ResourceDescriptor {
+	logger := logging.FromContext(ctx)
+	// Retrieve structured provenance for inputs.
+	resolvedDependencies := []v1.ResourceDescriptor{}
+	ssts := ExtractStructuredTargetFromResults(ctx, obj, ArtifactsInputsResultName)
+	for _, s := range ssts {
+		if err := checkDigest(s.Digest); err != nil {
+			logger.Debugf("Digest for %s not in the right format: %s, %v", s.URI, s.Digest, err)
+			continue
+		}
+		splits := strings.Split(s.Digest, ":")
+		alg := splits[0]
+		digest := splits[1]
+		resolvedDependencies = append(resolvedDependencies, v1.ResourceDescriptor{
+			URI:    s.URI,
+			Digest: map[string]string{alg: digest},
+		})
+	}
+	return resolvedDependencies
+}
+
 // ExtractStructuredTargetFromResults extracts structured signable targets aim to generate intoto provenance as materials within TaskRun results and store them as StructuredSignable.
 // categoryMarker categorizes signable targets into inputs and outputs.
 func ExtractStructuredTargetFromResults(ctx context.Context, obj objects.TektonObject, categoryMarker string) []*StructuredSignable {

diff --git a/pkg/chains/formats/slsa/internal/material/material.go b/pkg/chains/formats/slsa/internal/material/material.go
@@ -60,22 +60,29 @@ func AddImageIDToMaterials(imageID string, mats *[]common.ProvenanceMaterial) er
 	m := common.ProvenanceMaterial{
 		Digest: common.DigestSet{},
 	}
+	uriDigest, err := ExtractUriDigestFromImageID(imageID)
+	if err != nil {
+		return err
+	}
+	m.URI = uriDigest["uri"]
+	m.Digest[uriDigest["digestAlgorithm"]] = uriDigest["digestValue"]
+	*mats = append(*mats, m)
+	return nil
+}
+
+// ExtractUriDigestFromImageID extracts uri and digest from an imageID with format <uri>@sha256:<digest>
+func ExtractUriDigestFromImageID(imageID string) (map[string]string, error) {
 	uriDigest := strings.Split(imageID, uriSeparator)
 	if len(uriDigest) == 2 {
 		digest := strings.Split(uriDigest[1], digestSeparator)
 		if len(digest) == 2 {
-			// no point in partially populating the material
-			// do it if both conditions are valid.
-			m.URI = uriDigest[0]
-			m.Digest[digest[0]] = digest[1]
-			*mats = append(*mats, m)
+			return map[string]string{"uri": uriDigest[0], "digestAlgorithm": digest[0], "digestValue": digest[1]}, nil
 		} else {
-			return fmt.Errorf("expected imageID %s to be separable by @ and :", imageID)
+			return map[string]string{}, fmt.Errorf("expected imageID %s to be separable by @ and :", imageID)
 		}
 	} else {
-		return fmt.Errorf("expected imageID %s to be separable by @", imageID)
+		return map[string]string{}, fmt.Errorf("expected imageID %s to be separable by @", imageID)
 	}
-	return nil
 }
 
 // Materials constructs `predicate.materials` section by collecting all the artifacts that influence a taskrun such as source code repo and step&sidecar base images.