Improved attestation inspect #1498
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Signed-off-by: Justin Chadwell <[email protected]>
Signed-off-by: Justin Chadwell <[email protected]>
Signed-off-by: Justin Chadwell <[email protected]>
crazy-max
reviewed
Jan 9, 2023
Comment on lines
+294
to
296
| type provenanceStub struct { | ||
| SLSA interface{} `json:",omitempty"` | ||
| } |
There was a problem hiding this comment.
Provenance > SLSA? I thought it was SLSA > Provenance to keep common denominator first? Like in the future we can have SLSA > VSA.
There was a problem hiding this comment.
I think it makes sense to have Type > Format. We have SBOM > SPDX, so I think it makes sense to have Provenance > SLSA.
VSA isn't provenance, so we'd have another "type" for that I think.
|
Need changes in docs too I think: https://github.com/docker/buildx/blob/master/docs/reference/buildx_imagetools_inspect.md#examples |
Signed-off-by: Justin Chadwell <[email protected]>
Signed-off-by: Justin Chadwell <[email protected]>
crazy-max
approved these changes
Jan 9, 2023
tonistiigi
reviewed
Jan 9, 2023
| as.sbom = &sbomStub{ | ||
| SPDX: dt, | ||
| var spdx struct { | ||
| Predicate interface{} `json:"predicate"` |
There was a problem hiding this comment.
Bit concerned that there isn't any way to extract the actual attestation. But I guess we can add some special case/command for that later.
tonistiigi
approved these changes
Jan 9, 2023
Merged
This was referenced Jan 10, 2023
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
⬆️ Follow up to #1444
This includes 3 main changes:
interface{}types instead ofjson.RawMessage; this allows them to be accessed using go template notation, e.g.--format "{{ range .SBOM.SPDX.packages }}{{ println .name .versionInfo }}{{ end }}".Predicatefield to directly access the predicate of the attestation. In the future, we should to sanity check the subject of the attestation against the pulled image, as well as the predicate type - this should be the responsibility of the go-imageinspect library..Attestationsfield, but it seems an edge use-case for now.BUILDKIT_SBOM_SCANargs). The first SPDX document is added to.SPDX, while all documents are appended to.SPDXs- this can allow tools to search through dependencies used in build tooling.