in-toto · marcelamelara · Aug 12, 2023 · Jul 8, 2023 · Aug 4, 2023 · Aug 12, 2023
@@ -17,7 +17,7 @@ VENVDIR ?= scai-venv
 PY_VERSION=${shell python3 --version | sed 's/Python \(3\.[0-9]\).*/\1/'}
 PYTHON_DIR=$(VENVDIR)/lib/python$(PY_VERSION)/site-packages/
 
-$(PYTHON_DIR) :
+$(PYTHON_DIR):
 	@echo INSTALL SCAI API
 	python3 -m venv $(VENVDIR)
 	. $(abspath $(VENVDIR)/bin/activate) && pip install --upgrade pip
@@ -26,15 +26,19 @@ $(PYTHON_DIR) :
 	. $(abspath $(VENVDIR)/bin/activate) && pip install --upgrade ../in-toto.attestation/python
 	. $(abspath $(VENVDIR)/bin/activate) && pip install --upgrade ./python
 
-$(VENVDIR) :
+$(VENVDIR):
 	@echo CREATE SCAI VENV DIRECTORY $(VENVDIR)
 	mkdir -p $(VENVDIR)
 
 venv: $(VENVDIR) $(PYTHON_DIR)
 
 clean:
 	@echo REMOVE SCAI VENV AND PYTHON LIB DIRS
-	@rm -rf $(VENVDIR) __pycache__
-	@cd ./python; rm -rf build dist *.egg-info
+	rm -rf $(VENVDIR) __pycache__
+	cd ./python; rm -rf build dist *.egg-info
 
-.phony : clean venv
+test: venv
+	@echo TESTING WITH GCC-HELLOWORLD EXAMPLE
+	./examples/gcc-helloworld/run-example.sh
+
+.phony: clean test venv
@@ -0,0 +1,3 @@
+hello-world
+*-desc.json
+*-spdx.json
@@ -1,9 +1,19 @@
 # SCAI Examples
 
-This directory contains examples of a few basic use cases for SCAI metadata.
+This directory contains examples for SCAI use cases:
 
-## gcc Hello World
-This example shows the SCAI metadata produced when building
-a simple executable binary with a few different gcc flags.
+* [Binary attributes](./gcc-helloworld)
+* [Build process attributes](./sbom+slsa)
 
-Goto [gcc-helloworld](./gcc-helloworld)
+## Usage
+
+Before running any example, make sure to follow the [setup instructions].
+
+Each directory contains a script to run the example:
+```bash
+./run-example.sh
+```
+
+The resulting metadata will be stored in the respective `metadata/` directory.
+
+[setup instructions]: ../docs/usage.md
@@ -1,15 +1,5 @@
-# GCC Hello World Compilation Example
+# Binary attributes example
 
-This example generates a basic SCAI Attribute Assertion
-about binaries built with gcc, and a SCAI Report with
-in-toto Link metadata for the gcc compiler invocation on a
-hello-world.c source file.
-
-Assuming you have followed the general setup [instructions](../../README.md#Usage), use the scripts to
-run the example:
-
-```
-./run-example.sh
-```
-
-The resulting metadata will be stored in the `metadata/` directory.
+This example shows how to capture fine-grained binary properties during
+the compilation of a hello-world program based on the gcc flags used for a
+given build.
@@ -0,0 +1,10 @@
+# SBOM + SLSA example
+
+This example shows how SCAI can be used to bind multiple pieces of metadata
+(in this case an SPDX SBOM and a SLSA Provenance attestation) to capture
+multiple attributes about an artifact's build process or supply chain.
+
+The SPDX and SLSA Provenance files used in this example were generated using
+[this workflow].
+
+[this workflow]: https://github.com/marcelamelara/private-data-objects/blob/generate-swsc-build-metadata/.github/workflows/ci-swsc.yaml
@@ -0,0 +1 @@
+{"name": "pdo_client_wawaka", "digest": {"sha256": "9b151e8b47a372bb686a441349d981ebf38951d70c4e7bf4669672651da7d33e"}}
@@ -0,0 +1,36 @@
+{
+    "_type": "https://in-toto.io/Statement/v1",
+    "subject": [
+        {
+            "name": "pdo_client_wawaka",
+            "digest": {
+                "sha256": "9b151e8b47a372bb686a441349d981ebf38951d70c4e7bf4669672651da7d33e"
+            }
+        }
+    ],
+    "predicateType": "https://in-toto.io/attestation/scai/attribute-report/v0.2",
+    "predicate": {
+        "attributes": [
+            {
+                "evidence": {
+                    "mediaType": "application/spdx+json",
+                    "digest": {
+                        "sha256": "911d4365b61ba7ace55f7333b2c638caca4b811ee73da5beb28b9ecbbd22ca78"
+                    },
+                    "downloadLocation": "https://github.com/marcelamelara/private-data-objects/suites/14359811861/artifacts/808758122"
+                },
+                "attribute": "HasSBOM"
+            },
+            {
+                "evidence": {
+                    "mediaType": "application/x.dsse+jsonl",
+                    "digest": {
+                        "sha256": "ea4d1e56e739f26a451c095b9fb40a353b3e73ea1778fdddafe13562e81bd745"
+                    },
+                    "downloadLocation": "https://github.com/marcelamelara/private-data-objects/suites/14359811861/artifacts/808758121"
+                },
+                "attribute": "HasSLSA"
+            }
+        ]
+    }
+}
@@ -0,0 +1,10 @@
+{
+    "attribute": "HasSBOM",
+    "evidence": {
+        "digest": {
+            "sha256": "911d4365b61ba7ace55f7333b2c638caca4b811ee73da5beb28b9ecbbd22ca78"
+        },
+        "downloadLocation": "https://github.com/marcelamelara/private-data-objects/suites/14359811861/artifacts/808758122",
+        "mediaType": "application/spdx+json"
+    }
+}
@@ -0,0 +1,10 @@
+{
+    "attribute": "HasSLSA",
+    "evidence": {
+        "digest": {
+            "sha256": "ea4d1e56e739f26a451c095b9fb40a353b3e73ea1778fdddafe13562e81bd745"
+        },
+        "downloadLocation": "https://github.com/marcelamelara/private-data-objects/suites/14359811861/artifacts/808758121",
+        "mediaType": "application/x.dsse+jsonl"
+    }
+}
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		{"name": "pdo_client_wawaka", "digest": {"sha256": "9b151e8b47a372bb686a441349d981ebf38951d70c4e7bf4669672651da7d33e"}}