core/images: Ignore attestations when traversing children

vvoland · vvoland · commit e751b6bb1db7 · 2025-01-31T16:38:46.000+01:00
Before this patch, calling `image.Children` on an image built with
BuildKit would produce unnecessary `encountered unknown type
application/vnd.in-toto+json; children may not be fetched` debug logs,
because the media type is neither a known layer or config type.

Make the `image.Children` aware of the attestation layers and don't
attempt to traverse them.

Signed-off-by: Paweł Gronowski &lt;pawel.gronowski@docker.com&gt;
diff --git a/core/images/image.go b/core/images/image.go
@@ -369,8 +369,8 @@ func Children(ctx context.Context, provider content.Provider, desc ocispec.Descr
 		}
 
 		return append([]ocispec.Descriptor{}, index.Manifests...), nil
-	} else if !IsLayerType(desc.MediaType) && !IsKnownConfig(desc.MediaType) {
-		// Layers and configs are childless data types and should not be logged.
+	} else if !IsLayerType(desc.MediaType) && !IsKnownConfig(desc.MediaType) && !IsAttestationType(desc.MediaType) {
+		// Layers, configs, and attestations are childless data types and should not be logged.
 		log.G(ctx).Debugf("encountered unknown type %v; children may not be fetched", desc.MediaType)
 	}
 	return nil, nil
diff --git a/core/images/mediatypes.go b/core/images/mediatypes.go
@@ -58,6 +58,9 @@ const (
 
 	MediaTypeImageLayerEncrypted     = ocispec.MediaTypeImageLayer + "+encrypted"
 	MediaTypeImageLayerGzipEncrypted = ocispec.MediaTypeImageLayerGzip + "+encrypted"
+
+	// In-toto attestation
+	MediaTypeInToto = "application/vnd.in-toto+json"
 )
 
 // DiffCompression returns the compression as defined by the layer diff media
@@ -193,6 +196,16 @@ func IsKnownConfig(mt string) bool {
 	return false
 }
 
+// IsAttestationType returns true if the media type is an attestation type
+func IsAttestationType(mt string) bool {
+	switch mt {
+	case MediaTypeInToto:
+		return true
+	default:
+		return false
+	}
+}
+
 // ChildGCLabels returns the label for a given descriptor to reference it
 func ChildGCLabels(desc ocispec.Descriptor) []string {
 	mt := desc.MediaType

Original file line number	Diff line number	Diff line change
`@@ -369,8 +369,8 @@ func Children(ctx context.Context, provider content.Provider, desc ocispec.Descr`
`369`	`369`	`}`
`370`	`370`
`371`	`371`	`return append([]ocispec.Descriptor{}, index.Manifests...), nil`
`372`		`- } else if !IsLayerType(desc.MediaType) && !IsKnownConfig(desc.MediaType) {`
`373`		`- // Layers and configs are childless data types and should not be logged.`
	`372`	`+ } else if !IsLayerType(desc.MediaType) && !IsKnownConfig(desc.MediaType) && !IsAttestationType(desc.MediaType) {`
	`373`	`+ // Layers, configs, and attestations are childless data types and should not be logged.`
`374`	`374`	`log.G(ctx).Debugf("encountered unknown type %v; children may not be fetched", desc.MediaType)`
`375`	`375`	`}`
`376`	`376`	`return nil, nil`