Improved attestation inspect #1498
Merged: tonistiigi merged 5 commits into docker:master (Jan 9, 2023)
Signed-off-by: Justin Chadwell <[email protected]>
Signed-off-by: Justin Chadwell <[email protected]>
Signed-off-by: Justin Chadwell <[email protected]>
crazy-max reviewed, Jan 9, 2023
Comment on lines +294 to 296:

```go
type provenanceStub struct {
	SLSA interface{} `json:",omitempty"`
}
```
crazy-max (Member):
Provenance > SLSA? I thought it was SLSA > Provenance to keep common denominator first? Like in the future we can have SLSA > VSA.
Author (Collaborator):
I think it makes sense to have Type > Format. We have SBOM > SPDX, so I think it makes sense to have Provenance > SLSA.
VSA isn't provenance, so we'd have another "type" for that I think.
Signed-off-by: Justin Chadwell <[email protected]>
Signed-off-by: Justin Chadwell <[email protected]>
crazy-max approved these changes, Jan 9, 2023
crazy-max (Member) left a comment:
LGTM! Are we going to document on docs repo advanced use cases to retrieve list of packages in an SBOM for example?
tonistiigi reviewed, Jan 9, 2023
Comment on:

```go
as.sbom = &sbomStub{
	SPDX: dt,
var spdx struct {
	Predicate interface{} `json:"predicate"`
```

tonistiigi (Member):
Bit concerned that there isn't any way to extract the actual attestation. But I guess we can add some special case/command for that later.
tonistiigi approved these changes, Jan 9, 2023
⬆️ Follow up to #1444

This includes 3 main changes:

- `interface{}` types instead of `json.RawMessage`; this allows them to be accessed using go template notation, e.g. `--format "{{ range .SBOM.SPDX.packages }}{{ println .name .versionInfo }}{{ end }}"`.
- `.Predicate` field to directly access the predicate of the attestation. In the future, we should sanity check the subject of the attestation against the pulled image, as well as the predicate type - this should be the responsibility of the go-imageinspect library. `.Attestations` field, but it seems an edge use-case for now.
- `BUILDKIT_SBOM_SCAN` args). The first SPDX document is added to `.SPDX`, while all documents are appended to `.SPDXs` - this can allow tools to search through dependencies used in build tooling.
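The two points the description makes (why `interface{}` rather than `json.RawMessage` makes the predicate walkable from a Go template, and the subject/predicate-type sanity check it lists as future work) can be seen together in the following added example. It is not buildx or go-imageinspect code; the in-toto statement, the package list and the `sha256` value `aaaa` are constructed placeholders, and the `statement`, `sbomStub` and `result` types are stand-ins chosen so the template path `.SBOM.SPDX.packages` from the PR works unchanged.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"text/template"
)

// Constructed in-toto statement carrying a minimal SPDX-shaped predicate.
// It is not an attestation produced by BuildKit; the digest is a placeholder.
const sampleStatement = `{
  "_type": "https://in-toto.io/Statement/v0.1",
  "predicateType": "https://spdx.dev/Document",
  "subject": [{"name": "pkg:docker/example/app", "digest": {"sha256": "aaaa"}}],
  "predicate": {
    "SPDXID": "SPDXRef-DOCUMENT",
    "packages": [
      {"name": "openssl", "versionInfo": "3.0.7"},
      {"name": "zlib", "versionInfo": "1.2.13"}
    ]
  }
}`

// Predicate is decoded into interface{}; json.Unmarshal produces a
// map[string]interface{} tree that text/template can index by key.
type statement struct {
	Type          string      `json:"_type"`
	PredicateType string      `json:"predicateType"`
	Subject       []subject   `json:"subject"`
	Predicate     interface{} `json:"predicate"`
}

type subject struct {
	Name   string            `json:"name"`
	Digest map[string]string `json:"digest"`
}

// Stand-in types so the PR's template path .SBOM.SPDX.packages resolves.
type sbomStub struct{ SPDX interface{} }
type result struct{ SBOM *sbomStub }

const spdxPredicateType = "https://spdx.dev/Document"

// loadSBOM parses a statement and accepts it only if the predicate type is
// SPDX and one of its subjects carries the digest of the image we pulled.
// wantSHA256 is the hex digest of the image manifest being inspected.
func loadSBOM(raw []byte, wantSHA256 string) (*result, error) {
	var st statement
	if err := json.Unmarshal(raw, &st); err != nil {
		return nil, err
	}
	if st.PredicateType != spdxPredicateType {
		return nil, fmt.Errorf("unexpected predicateType %q", st.PredicateType)
	}
	for _, s := range st.Subject {
		if s.Digest["sha256"] == wantSHA256 {
			return &result{SBOM: &sbomStub{SPDX: st.Predicate}}, nil
		}
	}
	return nil, errors.New("attestation subject does not match image digest")
}

// renderPackages applies the same --format template the PR description shows.
func renderPackages(r *result) (string, error) {
	tmpl, err := template.New("pkgs").Parse(
		`{{ range .SBOM.SPDX.packages }}{{ println .name .versionInfo }}{{ end }}`)
	if err != nil {
		return "", err
	}
	var sb strings.Builder
	if err := tmpl.Execute(&sb, r); err != nil {
		return "", err
	}
	return sb.String(), nil
}

// templateFailsOnRawMessage shows the pre-PR behaviour: with json.RawMessage
// the template engine sees opaque bytes, so ".packages" cannot be evaluated
// and Execute returns an error instead of walking into the JSON.
func templateFailsOnRawMessage(raw []byte) error {
	var st struct {
		Predicate json.RawMessage `json:"predicate"`
	}
	if err := json.Unmarshal(raw, &st); err != nil {
		return err
	}
	tmpl := template.Must(template.New("raw").Parse(`{{ .Predicate.packages }}`))
	return tmpl.Execute(&strings.Builder{}, st)
}

func main() {
	r, err := loadSBOM([]byte(sampleStatement), "aaaa")
	if err != nil {
		panic(err)
	}
	out, _ := renderPackages(r)
	fmt.Print(out) // openssl 3.0.7 / zlib 1.2.13, one per line
}
```

The check in `loadSBOM` is what keeps a template like the one above from silently reporting packages for a different image: an attestation whose subject digest does not match the pulled manifest is rejected before any field is exposed to the formatter.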