-
Notifications
You must be signed in to change notification settings - Fork 154
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
(feat) add support for attestations stored as image manifest #1482
base: main
Are you sure you want to change the base?
(feat) add support for attestations stored as image manifest #1482
Conversation
Signed-off-by: Harsh Thakur <harshthakur9030@gmail.com>
Hi @RealHarshThakur thanks for the PR! This is actually something I created an issue on #1370 so it's great to see somebody picking up this work. There is a bit of overlap here with #1449 which I believe will also cover collection of these types of attestations. But, this change also will move away from |
My bad 😓 I had it on my todo list before the issue was created and just found this weekend to hack on it. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for the PR @RealHarshThakur. Added some comments
var spdxDoc *v2_3.Document | ||
if doc.Type == processor.DocumentITE6SPDX { | ||
var err error | ||
itespdx, err := parseITESPDXBlob(doc.Blob) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This should be part of the processor such the parser does not need to change as it will just receive a valid SPDX document at the end.
@@ -44,6 +44,7 @@ func init() { | |||
_ = RegisterDocumentParser(dsse.NewDSSEParser, processor.DocumentDSSE) | |||
_ = RegisterDocumentParser(slsa.NewSLSAParser, processor.DocumentITE6SLSA) | |||
_ = RegisterDocumentParser(vuln.NewVulnCertificationParser, processor.DocumentITE6Vul) | |||
_ = RegisterDocumentParser(spdx.NewSpdxParser, processor.DocumentITE6SPDX) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This pull request has been automatically marked as stale because it has not had recent activity (60 days of inactivity). |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@RealHarshThakur marking this as not stale as it is an important topic to keep working on.
sorry for delay, I'll try to make some time this month |
This pull request has been automatically marked as stale because it has not had recent activity (60 days of inactivity). |
Adding comment to ensure this does not close. |
This pull request has been automatically marked as stale because it has not had recent activity (60 days of inactivity). |
Description of the PR
Currently, guac only works with certain OCI images. Build tools store attestations in a variety of ways as of now and it might take them a while to adopt to using referrers. As of now, Docker stores the attestation in an image manifest and it would be wonderful for GUAC to support that as docker is a popular tool for building containers. I'm not entirely sure if this is the right way to implement this, I'd appreciate any feedback to make this change a reality.
PR Checklist
-s
flag togit commit
.make generate
has been runcollectsub
protobuf has been changed,make proto
has been run