Feature: Improve Signed-release for npm package #3038

Closed
laurentsimon opened this issue May 18, 2023 · 11 comments · Fixed by #4141
laurentsimon (Contributor) commented May 18, 2023

Npm has support for SLSA provenance. We should improve the check to check for provenance for the corresponding package, if possible - rather than only looking at GitHub releases.

I think this requires a way to search provenance from a repo, rather than from a package. Note, package is attestations_url=$(npm view "$package_name" --json | jq -r '.dist.attestations.url').

So we can either find the right API on the registry; or use a deps.dev API

An alternative is to search for workflow files npm publish --provenance. Another is to search for use of the OpenSSF npm builder.

naveensrinivasan (Member) commented
deps.dev API https://github.com/google/deps.dev/blob/main/api/v3alpha/api.proto

Is there an API for it?

spencerschrock (Contributor) commented

A better link might be https://docs.deps.dev/api/v3alpha/, which has the example API url

slugclub commented Jun 1, 2023

This should be possible with the deps.dev API in the near future.

We're planning to surface packages associated with a GitHub repository from the GetProject endpoint soon.

You could then use the GetVersion endpoint to discover whether any of these versions have SLSA attestations. Specifically, npm versions with SLSA attestations will include the attestation link in the links field. Note that these attestations are not verified by deps.dev at the moment, though we plan to do so in the future.

naveensrinivasan (Member) commented

> This should be possible with the deps.dev API in the near future.
>
> We're planning to surface packages associated with a GitHub repository from the GetProject endpoint soon.
>
> You could then use the GetVersion endpoint to discover whether any of these versions have SLSA attestations. Specifically, npm versions with SLSA attestations will include the attestation link in the links field. Note that these attestations are not verified by deps.dev at the moment, though we plan to do so in the future.

Am I right?

Short Summary

Deps.dev plans to add a feature to their API to allow users to discover whether any packages associated with a GitHub repository have SLSA attestations. Attestations for npm versions will be included in the links field.

Key takeaways

  1. Deps.dev is adding a new feature to their API to allow users to discover SLSA attestations for packages associated with a GitHub repository.
  2. The GetProject endpoint will be used to surface packages associated with a GitHub repository.
  3. The GetVersion endpoint will be used to discover whether these versions have SLSA attestations.
  4. Attestations for npm versions will be included in the links field.
  5. Deps.dev is planning to verify these attestations in the future.

slugclub commented Jun 2, 2023

Yep that's right.

The npm attestation links are already available via the GetVersion endpoint (for package versions that have attestations). For example, curl 'https://api.deps.dev/v3alpha/systems/npm/packages/semver/versions/7.5.1'.

The main thing we need to add is a way for API users to get the packages associated with a GitHub repository. This may be via the GetProject endpoint (or we may also add a new endpoint). I will post more details here as we design and implement.

naveensrinivasan (Member) commented

> Yep that's right.
>
> The npm attestation links are already available via the GetVersion endpoint (for package versions that have attestations). For example, curl 'https://api.deps.dev/v3alpha/systems/npm/packages/semver/versions/7.5.1'.
>
> The main thing we need to add is a way for API users to get the packages associated with a GitHub repository. This may be via the GetProject endpoint (or we may also add a new endpoint). I will post more details here as we design and implement.

Do you have some kind of timeline for this feature?

naveensrinivasan (Member) commented

> Yep that's right.
>
> The npm attestation links are already available via the GetVersion endpoint (for package versions that have attestations). For example, curl 'https://api.deps.dev/v3alpha/systems/npm/packages/semver/versions/7.5.1'.
>
> The main thing we need to add is a way for API users to get the packages associated with a GitHub repository. This may be via the GetProject endpoint (or we may also add a new endpoint). I will post more details here as we design and implement.

I don't see it.

{
  "versionKey": {
    "system": "NPM",
    "name": "semver",
    "version": "7.5.1"
  },
  "isDefault": true,
  "licenses": [
    "ISC"
  ],
  "advisoryKeys": [],
  "links": [
    {
      "label": "HOMEPAGE",
      "url": "https://github.com/npm/node-semver#readme"
    },
    {
      "label": "ISSUE_TRACKER",
      "url": "https://github.com/npm/node-semver/issues"
    },
    {
      "label": "ATTESTATION",
      "url": "https://registry.npmjs.org/-/npm/v1/attestations/semver@7.5.1"
    },
    {
      "label": "ORIGIN",
      "url": "https://registry.npmjs.org/semver/7.5.1"
    },
    {
      "label": "SOURCE_REPO",
      "url": "git+https://github.com/npm/node-semver.git"
    }
  ],
  "publishedAt": "2023-05-12T16:39:41Z"
}

slugclub commented Oct 11, 2023

Sorry for the delayed response.

From the GetVersion endpoint: If there is an attestation, a link to the attestation is available in the links field with the label ATTESTATION. We have also added a slsaProvenances field which contains more detailed information extracted from any SLSA provenance attestations attached to the version. For example, https://api.deps.dev/v3alpha/systems/npm/packages/semver/versions/7.5.1:

{
  "versionKey": {
    "system": "NPM",
    "name": "semver",
    "version": "7.5.1"
  },
  "isDefault": false,
  "licenses": [
    "ISC"
  ],
  "advisoryKeys": [
    {
      "id": "GHSA-c2qf-rxjj-qqgw"
    }
  ],
  "links": [
    {
      "label": "HOMEPAGE",
      "url": "https://github.com/npm/node-semver#readme"
    },
    {
      "label": "ISSUE_TRACKER",
      "url": "https://github.com/npm/node-semver/issues"
    },
    {
      "label": "ATTESTATION",
      "url": "https://registry.npmjs.org/-/npm/v1/attestations/semver@7.5.1"
    },
    {
      "label": "ORIGIN",
      "url": "https://registry.npmjs.org/semver/7.5.1"
    },
    {
      "label": "SOURCE_REPO",
      "url": "https://github.com/npm/node-semver"
    }
  ],
  "slsaProvenances": [
    {
      "sourceRepository": "https://github.com/npm/node-semver",
      "commit": "aa016a67162c195938f7873ea29a73dac47ff9ba",
      "url": "https://registry.npmjs.org/-/npm/v1/attestations/semver@7.5.1"
    }
  ],
  "publishedAt": "2023-05-12T16:39:41Z"
}

The new GetProjectPackageVersions endpoint provides a mapping from a repository to the package versions whose SLSA provenance attestations refer to that repository. For example, https://api.deps.dev/v3alpha/projects/github.com%2Fnpm%2Fnode-semver:packageversions:

{
  "versions": [
    {
      "versionKey": {
        "system": "NPM",
        "name": "semver",
        "version": "7.5.1"
      },
      "slsaProvenances": [
        {
          "sourceRepository": "https://github.com/npm/node-semver",
          "commit": "aa016a67162c195938f7873ea29a73dac47ff9ba",
          "url": "https://registry.npmjs.org/-/npm/v1/attestations/semver@7.5.1"
        }
      ]
    },
    {
      "versionKey": {
        "system": "NPM",
        "name": "semver",
        "version": "7.5.2"
      },
      "slsaProvenances": [
        {
          "sourceRepository": "https://github.com/npm/node-semver",
          "commit": "e7b78de06eb14a7fa2075cedf9f167040d8d31af",
          "url": "https://registry.npmjs.org/-/npm/v1/attestations/semver@7.5.2"
        }
      ]
    },
    {
      "versionKey": {
        "system": "NPM",
        "name": "semver",
        "version": "7.5.3"
      },
      "slsaProvenances": [
        {
          "sourceRepository": "https://github.com/npm/node-semver",
          "commit": "7fdf1ef223826b428d7f8aaf906e9eeefa9469f9",
          "url": "https://registry.npmjs.org/-/npm/v1/attestations/semver@7.5.3"
        }
      ]
    },
    {
      "versionKey": {
        "system": "NPM",
        "name": "semver",
        "version": "7.5.4"
      },
      "slsaProvenances": [
        {
          "sourceRepository": "https://github.com/npm/node-semver",
          "commit": "36cd334708ec1f85a71445622fb1864bceee0f4e",
          "url": "https://registry.npmjs.org/-/npm/v1/attestations/semver@7.5.4"
        }
      ]
    }
  ]
}

deps.dev does not currently verify the attestations though it's on the roadmap for us to do so in the future.
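The two responses quoted in the reply above (GetVersion with its ATTESTATION link and slsaProvenances, and GetProjectPackageVersions keyed by repository) are enough to build the repository-to-package mapping this issue asks for. The following Go program is an added example, not Scorecard's or deps.dev's code: it parses pasted copies of those responses offline, normalizes the two spellings of the source repository seen in this thread (git+https://github.com/npm/node-semver.git versus https://github.com/npm/node-semver) so they compare equal, and returns the package versions whose provenance names the repository. The struct fields mirror the JSON above; the third entry in the sample, a package called semver-fork whose provenance points at github.com/example/node-semver, is constructed to show the filter rejecting a version that claims a different repository. In a real check the two JSON bodies would come from HTTP GETs to the deps.dev URLs quoted above.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
	"strings"
)

// Field subsets of the deps.dev v3alpha responses quoted in this thread.
// Unknown fields in the real responses are ignored by encoding/json.
type versionKey struct {
	System  string `json:"system"`
	Name    string `json:"name"`
	Version string `json:"version"`
}

type link struct {
	Label string `json:"label"`
	URL   string `json:"url"`
}

type slsaProvenance struct {
	SourceRepository string `json:"sourceRepository"`
	Commit           string `json:"commit"`
	URL              string `json:"url"`
}

// versionEntry covers both a GetVersion body and one element of the
// GetProjectPackageVersions "versions" array (which has no "links").
type versionEntry struct {
	VersionKey      versionKey       `json:"versionKey"`
	Links           []link           `json:"links"`
	SLSAProvenances []slsaProvenance `json:"slsaProvenances"`
}

type projectVersionsResponse struct {
	Versions []versionEntry `json:"versions"`
}

// normalizeRepo maps "git+https://github.com/npm/node-semver.git" and
// "https://github.com/npm/node-semver" onto "github.com/npm/node-semver".
func normalizeRepo(s string) string {
	s = strings.TrimPrefix(strings.TrimSpace(s), "git+")
	s = strings.TrimSuffix(strings.TrimSuffix(s, "/"), ".git")
	if u, err := url.Parse(s); err == nil && u.Host != "" {
		s = u.Host + u.Path
	}
	return strings.ToLower(strings.TrimSuffix(s, "/"))
}

// AttestationURL returns the ATTESTATION link from a GetVersion body, or ""
// when the version carries none. It is the same URL npm exposes as
// dist.attestations.url in npm view.
func AttestationURL(body []byte) (string, error) {
	var v versionEntry
	if err := json.Unmarshal(body, &v); err != nil {
		return "", err
	}
	for _, l := range v.Links {
		if l.Label == "ATTESTATION" {
			return l.URL, nil
		}
	}
	return "", nil
}

// Match is one package version whose SLSA provenance names the repo under check.
type Match struct {
	Name, Version, Commit, AttestationURL string
}

// MatchProvenance filters a GetProjectPackageVersions body down to the versions
// whose slsaProvenances.sourceRepository is repo. The endpoint is already keyed
// by repo, but re-checking the field guards against a stale index or a fork.
func MatchProvenance(body []byte, repo string) ([]Match, error) {
	var resp projectVersionsResponse
	if err := json.Unmarshal(body, &resp); err != nil {
		return nil, err
	}
	want := normalizeRepo(repo)
	var out []Match
	for _, v := range resp.Versions {
		for _, p := range v.SLSAProvenances {
			if normalizeRepo(p.SourceRepository) != want {
				continue // provenance claims some other repository
			}
			out = append(out, Match{v.VersionKey.Name, v.VersionKey.Version, p.Commit, p.URL})
		}
	}
	return out, nil
}

// Constructed sample in the shape of the GetProjectPackageVersions reply above:
// two semver entries copied from the thread plus a made-up "semver-fork" entry
// whose provenance points at a different repository.
const sampleProjectVersions = `{"versions":[
 {"versionKey":{"system":"NPM","name":"semver","version":"7.5.1"},
  "slsaProvenances":[{"sourceRepository":"https://github.com/npm/node-semver",
   "commit":"aa016a67162c195938f7873ea29a73dac47ff9ba",
   "url":"https://registry.npmjs.org/-/npm/v1/attestations/semver@7.5.1"}]},
 {"versionKey":{"system":"NPM","name":"semver","version":"7.5.2"},
  "slsaProvenances":[{"sourceRepository":"https://github.com/npm/node-semver",
   "commit":"e7b78de06eb14a7fa2075cedf9f167040d8d31af",
   "url":"https://registry.npmjs.org/-/npm/v1/attestations/semver@7.5.2"}]},
 {"versionKey":{"system":"NPM","name":"semver-fork","version":"0.0.1"},
  "slsaProvenances":[{"sourceRepository":"https://github.com/example/node-semver",
   "commit":"0000000000000000000000000000000000000000",
   "url":"https://registry.npmjs.org/-/npm/v1/attestations/semver-fork@0.0.1"}]}
]}`

func main() {
	matches, err := MatchProvenance([]byte(sampleProjectVersions), "git+https://github.com/npm/node-semver.git")
	if err != nil {
		panic(err)
	}
	for _, m := range matches {
		fmt.Printf("%s@%s built from commit %s (attestation: %s)\n", m.Name, m.Version, m.Commit, m.AttestationURL)
	}
}
```

A non-empty match list means the registry and deps.dev carry a provenance claim for that version; as the reply above says, deps.dev does not verify these attestations, so a check built on this data has to fetch the bundle at the ATTESTATION URL and verify its signature and subject digest itself before treating the release as signed.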

github-actions bot added the Stale label Dec 11, 2023: This issue is stale because it has been open for 60 days with no activity.

raghavkaul (Contributor) commented
A proposed update to the Signed-Releases check was discussed in the community meeting (Doc). PTAL, feedback welcome!
