From 4e406084434960a9fce347e6d9675df089074acc Mon Sep 17 00:00:00 2001 From: Nathan Nguyen Date: Mon, 8 Jan 2024 14:55:25 +1000 Subject: [PATCH 01/30] feat: generate Verification Summary Attestation Signed-off-by: Nathan Nguyen --- src/macaron/__main__.py | 19 +- src/macaron/policy_engine/policy_engine.py | 21 +- src/macaron/vsa/__init__.py | 2 + src/macaron/vsa/vsa.py | 248 +++++++++++++++++++++ tests/policy_engine/test_policy.py | 6 +- tests/vsa/__init__.py | 2 + tests/vsa/test_vsa.py | 199 +++++++++++++++++ 7 files changed, 481 insertions(+), 16 deletions(-) create mode 100644 src/macaron/vsa/__init__.py create mode 100644 src/macaron/vsa/vsa.py create mode 100644 tests/vsa/__init__.py create mode 100644 tests/vsa/test_vsa.py diff --git a/src/macaron/__main__.py b/src/macaron/__main__.py index a600e486d..149a69211 100644 --- a/src/macaron/__main__.py +++ b/src/macaron/__main__.py @@ -1,9 +1,10 @@ -# Copyright (c) 2022 - 2023, Oracle and/or its affiliates. All rights reserved. +# Copyright (c) 2022 - 2024, Oracle and/or its affiliates. All rights reserved. # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/. """This is the main entrypoint to run Macaron.""" import argparse +import json import logging import os import sys @@ -21,6 +22,7 @@ from macaron.slsa_analyzer.analyzer import Analyzer from macaron.slsa_analyzer.git_service import GIT_SERVICES from macaron.slsa_analyzer.package_registry import PACKAGE_REGISTRIES +from macaron.vsa.vsa import generate_vsa logger: logging.Logger = logging.getLogger(__name__) 
@@ -144,7 +146,20 @@ def verify_policy(verify_policy_args: argparse.Namespace) -> int:
 logger.critical('The policy file "%s" does not exist.', verify_policy_args.file)
 return os.EX_OSFILE
- result = run_policy_engine(verify_policy_args.database, verify_policy_args.file)
+ with open(verify_policy_args.file, encoding="utf-8") as file:
+ policy_content = file.read()
+
+ result = run_policy_engine(verify_policy_args.database, policy_content)
+ vsa = generate_vsa(policy_content=policy_content, policy_result=result)
+ if vsa is not None:
+ vsa_filepath = os.path.join(global_config.output_path, "vsa.intoto.jsonl")
+ logger.info("Generating a VSA to %s", vsa_filepath)
+ try:
+ with open(vsa_filepath, mode="w", encoding="utf-8") as file:
+ file.write(json.dumps(vsa))
+ except OSError as err:
+ logger.error("Could not generate the VSA to %s. Error: %s", vsa_filepath, err)
+
 policy_reporter = PolicyReporter()
 policy_reporter.generate(global_config.output_path, result)
diff --git a/src/macaron/policy_engine/policy_engine.py b/src/macaron/policy_engine/policy_engine.py
index a0e7704fe..1b9bec29c 100644
--- a/src/macaron/policy_engine/policy_engine.py
+++ b/src/macaron/policy_engine/policy_engine.py
@@ -1,4 +1,4 @@
-# Copyright (c) 2023 - 2023, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2023 - 2024, Oracle and/or its affiliates. All rights reserved.
 # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
 """This module handles invoking the souffle policy engine on a database."""
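Review bot: The new `open(verify_policy_args.file, encoding="utf-8")` directly after the existence check has no error handling, so a policy file that exists but cannot be read (permissions, a directory) leaves `verify_policy` as an uncaught `OSError` instead of the `os.EX_OSFILE` exit the check just above returns for a missing file; wrapping the read in `try: ... except OSError as err: logger.critical("Cannot read the policy file %s: %s", verify_policy_args.file, err); return os.EX_OSFILE` keeps the two failure modes consistent. The VSA is written to a file named `vsa.intoto.jsonl`, but `file.write(json.dumps(vsa))` emits no record terminator, so the file is not valid JSON Lines even for its single record; `file.write(json.dumps(vsa) + "\n")` fixes that. When `generate_vsa` returns `None` (the policy matched zero or several components) nothing is logged, so the user cannot tell why no VSA appeared; an `else: logger.info("No VSA generated: the policy did not apply to exactly one software component.")` branch would make that visible. `verify_policy` begins before and continues after this hunk.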
@@ -86,15 +86,15 @@ def copy_prelude(database_path: os.PathLike | str, sfl: SouffleWrapper, prelude:
 sfl.copy_to_includes(file_name, text)
-def run_souffle(database_path: str, policy_file: str) -> dict:
+def run_souffle(database_path: str, policy_content: str) -> dict:
 """Invoke souffle and report result.
 Parameters
 ----------
 database_path: str
 The path to the database to evaluate the policy on
- policy_file: str
- The path to the policy file to evaluate
+ policy_content: str
+ The Souffle policy code to evaluate
 Returns
 -------
@@ -103,11 +103,8 @@ def run_souffle(database_path: str, policy_file: str) -> dict:
 """
 with SouffleWrapper() as sfl:
 copy_prelude(database_path, sfl)
- with open(policy_file, encoding="utf-8") as file:
- text = file.read()
-
 try:
- res = sfl.interpret_text(text)
+ res = sfl.interpret_text(policy_content)
 except SouffleError as error:
 logger.error("COMMAND: %s", error.command)
 logger.error("ERROR: %s", error.message)
@@ -151,15 +148,15 @@ def show_prelude(database_path: str) -> None:
 logger.info("\n%s", prelude)
-def run_policy_engine(database_path: str, policy_file: str) -> dict:
+def run_policy_engine(database_path: str, policy_content: str) -> dict:
 """Evaluate a policy based on configuration and exit.
 Parameters
 ----------
 database_path: str
 The SQLite database file to evaluate the policy against
- policy_file: str
- The policy file to evaluate
+ policy_content: str
+ The Souffle policy code to evaluate
 Returns
 -------
@@ -169,7 +166,7 @@ def run_policy_engine(database_path: str, policy_file: str) -> dict:
 # TODO: uncomment the following line when the check is improved.
 # _check_version(database_path)
- res = run_souffle(database_path, policy_file)
+ res = run_souffle(database_path, policy_content)
 output = []
 for key, values in res.items():
diff --git a/src/macaron/vsa/__init__.py b/src/macaron/vsa/__init__.py
new file mode 100644
index 000000000..c8a50abb7
--- /dev/null
+++ b/src/macaron/vsa/__init__.py
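Review bot: Renaming the second parameter of `run_souffle` and `run_policy_engine` from `policy_file` to `policy_content` changes the contract for any caller outside this repository that still passes a path: the value now goes verbatim to `sfl.interpret_text`, so such a caller would likely get a Souffle error about its policy "code" rather than a clear message, and a keyword call with `policy_file=` fails with `TypeError`. If external callers are a concern, the break should at least be called out in the changelog, and the `run_policy_engine` docstring could state that reading and decoding the policy file is now the caller's responsibility, e.g. `The caller reads the policy file; this function evaluates the given Souffle code as-is.` The bodies of both functions extend beyond the hunks shown here.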
@@ -0,0 +1,2 @@
+# Copyright (c) 2024 - 2024, Oracle and/or its affiliates. All rights reserved.
+# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
diff --git a/src/macaron/vsa/vsa.py b/src/macaron/vsa/vsa.py
new file mode 100644
index 000000000..05ace1649
--- /dev/null
+++ b/src/macaron/vsa/vsa.py
@@ -0,0 +1,248 @@ +# Copyright (c) 2024 - 2024, Oracle and/or its affiliates. All rights reserved. +# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/. + +"""VSA schema and generation.""" + +from __future__ import annotations + +import base64 +import json +from datetime import datetime +from enum import StrEnum +from importlib import metadata as importlib_metadata +from typing import Any, TypedDict + + +class Vsa(TypedDict): + """The Macaron Verification Summary Attestation. + + For reference, see: + * `SLSA `_. + * `in-toto `_. + """ + + #: The payload type. Following in-toto, this is always ``application/vnd.in-toto+json``. + payloadType: str # noqa: N815 + + #: The payload of the VSA, base64 encoded. + payload: str + + +class VsaStatement(TypedDict): + """The Statement layer of a Macaron VSA. + + For reference, see: + * in-toto Statement layer specification: https://github.com/in-toto/attestation/blob/main/spec/v1/statement.md. + """ + + _type: str + subject: list[dict] + predicateType: str # noqa: N815 + predicate: VsaPredicate + + +class VsaPredicate(TypedDict): + """The 'predicate' field in the Statement layer of a Macaron VSA. + + For reference, see: + * in-toto Predicate layer specification: + https://github.com/in-toto/attestation/blob/main/spec/v1/predicate.md. + * SLSA VSA predicate schema: + https://slsa.dev/spec/v1.0/verification_summary#schema. + """ + + #: Identity of the verifier, as a tool carrying out the verification. + verifier: Verifier + + #: The timestamp when the verification occurred. + #: The field has the type + # `Timestamp `_. + timeVerified: str # noqa: N815 + + #: URI that identifies the resource associated with the software component being verified. + #: This field has the type + #: `ResourceURI `_. + #: Currently, this has the same value as the subject of the VSA, i.e. the PURL of + #: the software component being verified against. 
+ resourceUri: str # noqa: N815 + + #: The policy that the subject software component was verified against. + #: This field has the type + #: `ResourceDescriptor `_. + policy: dict[str, Any] + + #: The verification result. + verificationResult: VerificationResult # noqa: N815 + + #: According to SLSA, this field "indicates the highest level of each track verified + #: for the artifact (and not its dependencies), or ``FAILED`` if policy verification failed". + #: We currently leave this list empty. + verifiedLevels: list # noqa: N815 + + +class Verifier(TypedDict): + """The 'verifier' field within the Macaron VSA predicate field. + + This field provides the identity of the verifier, as well as the versioning details of its components. + """ + + #: The identity of the verifier as a value of type + #: `TypeURI `_. + id: str # noqa: A003 + + #: A mapping from components of the verifier and their corresponding versions. + #: At the moment, this field only includes Macaron itself. + version: dict[str, str] + + +class VerificationResult(StrEnum): + """Verification result, which is either 'PASSED' or 'FAILED'.""" + + FAILED = "FAILED" + PASSED = "PASSED" + + +def create_vsa_statement( + subject_purl: str, + policy_content: str, + verification_result: VerificationResult, +) -> VsaStatement: + """Construct the Statement layer of the VSA. + + Parameters + ---------- + subject_purl : str + The PURL (string) of the subject of the VSA. This identifies the unique + software component that the policy applies to. + policy_content : str + The Souffle policy code defining the policy. + verification_result : VerificationResult + The verification result of the subject. + + Returns + ------- + VsaStatement + A Statement layer of the VSA. 
+ """ + return VsaStatement( + _type="https://in-toto.io/Statement/v1", + subject=[ + { + "uri": subject_purl, + } + ], + predicateType="https://slsa.dev/verification_summary/v1", + predicate=VsaPredicate( + verifier=Verifier( + id="https://github.com/oracle/macaron", + version={ + "macaron": importlib_metadata.version("macaron"), + }, + ), + timeVerified=datetime.utcnow().isoformat("T") + "Z", + resourceUri=subject_purl, + policy={ + "content": policy_content, + }, + verificationResult=verification_result, + verifiedLevels=[], + ), + ) + + +def get_subject_verification_result(policy_result: dict) -> tuple[str, VerificationResult] | None: + """Get the PURL (string) and verification result of the single software component the policy applies to. + + This is currently done by reading the facts of two relations: + ``component_violates_policy``, and ``component_satisfies_policy`` + from the result of the policy engine. + + We define two PURLs to be different if the two PURL strings are different. + + The result of this function depends on the policy engine result: + + - If there exist multiple different PURLs, this function returns ``None``. + - If there exist multiple occurrences of the same PURL and it is the only unique + PURL in the policy engine result, this function returns the latest occurrence, + which is the PURL that goes with the highest component ID, taking advantage of + component IDs being auto-incremented. + - If there is no PURL in the result, i.e. the policy applies to no software component + in the database, this function also returns ``None``. + + Parameters + ---------- + policy_result : dict + The result of the policy engine, including two relations: + ``component_violates_policy``, and ``component_satisfies_policy``. + + Returns + ------- + tuple[str, VerificationResult] | None + A pair of PURL and verification result of the only software component that + the policy applies to, or ``None`` according to the aforementioned conditions. 
+ """ + component_violates_policy_facts = policy_result.get("component_violates_policy", []) + component_satisfies_policy_facts = policy_result.get("component_satisfies_policy", []) + + # key: PURL; value: result with the highest component id + component_results: dict[str, tuple[int, VerificationResult]] = {} + + for component_id_string, purl, _ in component_violates_policy_facts: + component_id = int(component_id_string) + if purl not in component_results: + component_results[purl] = (component_id, VerificationResult.FAILED) + else: + current_component_id, _ = component_results[purl] + if component_id > current_component_id: + component_results[purl] = (component_id, VerificationResult.FAILED) + for component_id_string, purl, _ in component_satisfies_policy_facts: + component_id = int(component_id_string) + if purl not in component_results: + component_results[purl] = (component_id, VerificationResult.PASSED) + else: + current_component_id, _ = component_results[purl] + if component_id > current_component_id: + component_results[purl] = (component_id, VerificationResult.PASSED) + + if len(component_results) != 1: + return None + + subject_purl = next(iter(component_results.keys())) + _, verification_result = component_results[subject_purl] + + return subject_purl, verification_result + + +def generate_vsa(policy_content: str, policy_result: dict) -> Vsa | None: + """Generate a VSA, if appropriate, based on the result of the policy engine. + + Parameters + ---------- + policy_content : str + The Souffle policy code defining the policy. + policy_result : dict + The result of the policy engine. + + Returns + ------- + Vsa | None + The VSA, or ``None`` if generating a VSA is not appropriate according + to the policy engine result. 
+ """ + subject_verification_result = get_subject_verification_result(policy_result) + + if subject_verification_result is None: + return None + + subject_purl, verification_result = subject_verification_result + + payload = create_vsa_statement( + subject_purl=subject_purl, + policy_content=policy_content, + verification_result=verification_result, + ) + + return Vsa( + payloadType="application/vnd.in-toto+json", + payload=base64.b64encode(json.dumps(payload).encode()).decode("ascii"), + ) diff --git a/tests/policy_engine/test_policy.py b/tests/policy_engine/test_policy.py index 9a9dff9b7..b38346c22 100644 --- a/tests/policy_engine/test_policy.py +++ b/tests/policy_engine/test_policy.py @@ -1,4 +1,4 @@ -# Copyright (c) 2022 - 2023, Oracle and/or its affiliates. All rights reserved. +# Copyright (c) 2022 - 2024, Oracle and/or its affiliates. All rights reserved. # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/. """This module tests the policies supported by the policy engine.""" @@ -32,7 +32,9 @@ def test_dump_prelude(database_setup) -> None: # type: ignore # pylint: disable def test_eval_policy(database_setup) -> None: # type: ignore # pylint: disable=unused-argument,redefined-outer-name """Test loading the policy from file.""" - res = run_souffle(os.path.join(POLICY_FILE, DATABASE_FILE), POLICY_FILE) + with open(POLICY_FILE, encoding="utf-8") as file: + policy_content = file.read() + res = run_souffle(os.path.join(POLICY_FILE, DATABASE_FILE), policy_content) assert res == { "passed_policies": [["trusted_builder"]], "component_satisfies_policy": [ diff --git a/tests/vsa/__init__.py b/tests/vsa/__init__.py new file mode 100644 index 000000000..c8a50abb7 --- /dev/null +++ b/tests/vsa/__init__.py @@ -0,0 +1,2 @@ +# Copyright (c) 2024 - 2024, Oracle and/or its affiliates. All rights reserved. +# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/. 
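Review bot: The object returned by `generate_vsa` is a DSSE-shaped envelope carrying only `payloadType` and `payload` with no `signatures`, and the subject built in `create_vsa_statement` carries only a `uri` and no `digest`, so nothing authenticates the statement and nothing binds it to a concrete artifact by hash; until signing is added, the `Vsa` docstring and `generate_vsa` should say so explicitly, e.g. `The envelope is unsigned (no ``signatures`` field); consumers must not treat it as an authenticated attestation.` `timeVerified` is produced with `datetime.utcnow()`, which is deprecated since Python 3.12 and yields a naive value that is then suffixed with a literal `Z`; `datetime.now(timezone.utc).isoformat("T").replace("+00:00", "Z")` (importing `timezone` from `datetime`) gives the same RFC 3339 form from an aware timestamp. In `get_subject_verification_result` the two fact loops are duplicates, and the fail-closed tie-break they implement — on an equal component id `FAILED` wins only because violations are folded in first — is stated nowhere, so a later reordering would silently flip it; folding both relations through one loop with an explicit comment keeps the behaviour and makes the property visible. `importlib_metadata.version("macaron")` presumably raises `PackageNotFoundError` when Macaron runs from an uninstalled source checkout; worth confirming and documenting on `create_vsa_statement`.
```python
    component_satisfies_policy_facts = policy_result.get("component_satisfies_policy", [])

    # key: PURL; value: (highest component id seen so far, result recorded at that id)
    component_results: dict[str, tuple[int, VerificationResult]] = {}

    # Violations are folded in first so that, on an equal component id, FAILED wins (fail closed).
    for result, facts in (
        (VerificationResult.FAILED, component_violates_policy_facts),
        (VerificationResult.PASSED, component_satisfies_policy_facts),
    ):
        for component_id_string, purl, _ in facts:
            component_id = int(component_id_string)
            current = component_results.get(purl)
            if current is None or component_id > current[0]:
                component_results[purl] = (component_id, result)

    # … unchanged: single-PURL check and return …
```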
diff --git a/tests/vsa/test_vsa.py b/tests/vsa/test_vsa.py
new file mode 100644
index 000000000..b759fe523
--- /dev/null
+++ b/tests/vsa/test_vsa.py
@@ -0,0 +1,199 @@ +# Copyright (c) 2024 - 2024, Oracle and/or its affiliates. All rights reserved. +# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/. + +"""Tests for VSA generation.""" + + +import pytest + +from macaron.vsa.vsa import VerificationResult, get_subject_verification_result + + +@pytest.mark.parametrize( + ("policy_result", "expected"), + [ + pytest.param( + { + "component_satisfies_policy": [ + [ + "1", + "pkg:github.com/slsa-framework/slsa-verifier@v2.0.0", + "slsa_verifier_policy", + ], + ], + "component_violates_policy": [], + }, + ("pkg:github.com/slsa-framework/slsa-verifier@v2.0.0", VerificationResult.PASSED), + id="A single PURL satisfying policy", + ), + pytest.param( + { + "component_satisfies_policy": [], + "component_violates_policy": [ + [ + "1", + "pkg:github.com/slsa-framework/slsa-verifier@v2.0.0", + "slsa_verifier_policy", + ], + ], + }, + ("pkg:github.com/slsa-framework/slsa-verifier@v2.0.0", VerificationResult.FAILED), + id="A single PURL violating policy", + ), + pytest.param( + { + "component_satisfies_policy": [ + [ + "1", + "pkg:github.com/slsa-framework/slsa-verifier@v2.0.0", + "slsa_verifier_policy", + ], + [ + "2", + "pkg:github.com/slsa-framework/slsa-verifier@v2.0.0", + "slsa_verifier_policy", + ], + ], + "component_violates_policy": [], + }, + ("pkg:github.com/slsa-framework/slsa-verifier@v2.0.0", VerificationResult.PASSED), + id="Two occurrences of the same PURL both satisfying a policy", + ), + pytest.param( + { + "component_satisfies_policy": [], + "component_violates_policy": [ + [ + "1", + "pkg:github.com/slsa-framework/slsa-verifier@v2.0.0", + "slsa_verifier_policy", + ], + [ + "2", + "pkg:github.com/slsa-framework/slsa-verifier@v2.0.0", + "slsa_verifier_policy", + ], + ], + }, + ("pkg:github.com/slsa-framework/slsa-verifier@v2.0.0", VerificationResult.FAILED), + id="Two occurrences of the same PURL both violating a policy", + ), + pytest.param( + { + 
"component_satisfies_policy": [ + [ + "1000", + "pkg:github.com/slsa-framework/slsa-verifier@v2.0.0", + "slsa_verifier_policy", + ], + ], + "component_violates_policy": [ + [ + "9", + "pkg:github.com/slsa-framework/slsa-verifier@v2.0.0", + "slsa_verifier_policy", + ], + ], + }, + ("pkg:github.com/slsa-framework/slsa-verifier@v2.0.0", VerificationResult.PASSED), + id="Two occurrences of the same PURL, the one satisfying the policy is latest", + ), + pytest.param( + { + "component_satisfies_policy": [ + [ + "9", + "pkg:github.com/slsa-framework/slsa-verifier@v2.0.0", + "slsa_verifier_policy", + ], + ], + "component_violates_policy": [ + [ + "1000", + "pkg:github.com/slsa-framework/slsa-verifier@v2.0.0", + "slsa_verifier_policy", + ], + ], + }, + ("pkg:github.com/slsa-framework/slsa-verifier@v2.0.0", VerificationResult.FAILED), + id="Two occurrences of the same PURL, the one violating the policy is latest", + ), + ], +) +def test_valid_subject_verification_result( + policy_result: dict, + expected: tuple[str, VerificationResult], +) -> None: + """Test the ``get_subject_verification_result`` in cases where there is a result.""" + assert get_subject_verification_result(policy_result) == expected + + +@pytest.mark.parametrize( + ("policy_result"), + [ + pytest.param( + { + "component_satisfies_policy": [ + [ + "1", + "pkg:github.com/slsa-framework/slsa-verifier@v2.0.0", + "slsa_verifier_policy", + ], + [ + "2", + "pkg:github.com/slsa-framework/slsa-github-generator@v1.0.0", + "slsa_verifier_policy", + ], + ], + "component_violates_policy": [], + }, + id="Two different PURLs both satisfying a policy", + ), + pytest.param( + { + "component_satisfies_policy": [], + "component_violates_policy": [ + [ + "1", + "pkg:github.com/slsa-framework/slsa-verifier@v2.0.0", + "slsa_verifier_policy", + ], + [ + "2", + "pkg:github.com/slsa-framework/slsa-github-generator@v1.0.0", + "slsa_verifier_policy", + ], + ], + }, + id="Two different PURLs both violating a policy", + ), + 
pytest.param( + { + "component_satisfies_policy": [ + [ + "1", + "pkg:github.com/slsa-framework/slsa-verifier@v2.0.0", + "slsa_verifier_policy", + ], + ], + "component_violates_policy": [ + [ + "2", + "pkg:github.com/slsa-framework/slsa-github-generator@v1.0.0", + "slsa_verifier_policy", + ], + ], + }, + id="Two different PURLs, one satisfying and one violating a policy", + ), + pytest.param( + {}, + id="Policy engine result is empty", + ), + ], +) +def test_invalid_subject_verification_result( + policy_result: dict, +) -> None: + """Test the ``get_subject_verification_result`` in cases where the result should be ``None``.""" + assert get_subject_verification_result(policy_result) is None From 10e246e5def5643da87404600f21522748e67f93 Mon Sep 17 00:00:00 2001 From: Nathan Nguyen Date: Mon, 8 Jan 2024 14:57:39 +1000 Subject: [PATCH 02/30] chore: add integration tests for VSA generation Signed-off-by: Nathan Nguyen --- scripts/dev_scripts/integration_tests.sh | 30 +- tests/vsa/compare_vsa.py | 264 +++ .../policy.dl | 16 + .../policy_report.json | 16 + .../slsa-verifier.json | 1887 +++++++++++++++++ .../vsa.intoto.jsonl | 24 + 6 files changed, 2236 insertions(+), 1 deletion(-) create mode 100644 tests/vsa/compare_vsa.py create mode 100644 tests/vsa/integration/github_slsa-framework_slsa-verifier/policy.dl create mode 100644 tests/vsa/integration/github_slsa-framework_slsa-verifier/policy_report.json create mode 100644 tests/vsa/integration/github_slsa-framework_slsa-verifier/slsa-verifier.json create mode 100644 tests/vsa/integration/github_slsa-framework_slsa-verifier/vsa.intoto.jsonl diff --git a/scripts/dev_scripts/integration_tests.sh b/scripts/dev_scripts/integration_tests.sh index 36928532c..c5d1a8076 100755 --- a/scripts/dev_scripts/integration_tests.sh +++ b/scripts/dev_scripts/integration_tests.sh 
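Review bot: The parametrized cases never exercise a tie — the same PURL with the same component id appearing in both `component_satisfies_policy` and `component_violates_policy` — which is exactly the input where the fail-closed result of `get_subject_verification_result` (FAILED wins) depends on the order in which the two relations are folded, so a refactor could flip it without any test noticing. Neither `generate_vsa` nor `create_vsa_statement` is covered, so the base64/JSON round trip of the envelope, `predicateType`, and the `timeVerified` format have no test; a case that decodes `generate_vsa(...)["payload"]` and checks the statement fields (parsing `timeVerified` rather than comparing it) would close that gap. A tie case for the first parametrize list could be:
```python
        pytest.param(
            {
                "component_satisfies_policy": [
                    ["1", "pkg:github.com/slsa-framework/slsa-verifier@v2.0.0", "slsa_verifier_policy"],
                ],
                "component_violates_policy": [
                    ["1", "pkg:github.com/slsa-framework/slsa-verifier@v2.0.0", "slsa_verifier_policy"],
                ],
            },
            ("pkg:github.com/slsa-framework/slsa-verifier@v2.0.0", VerificationResult.FAILED),
            id="Same PURL and component id both satisfying and violating a policy: fail closed",
        ),
```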
@@ -9,6 +9,8 @@ HOMEDIR=$2
 RESOURCES=$WORKSPACE/src/macaron/resources
 COMPARE_DEPS=$WORKSPACE/tests/dependency_analyzer/compare_dependencies.py
 COMPARE_JSON_OUT=$WORKSPACE/tests/e2e/compare_e2e_result.py
+COMPARE_POLICIES=$WORKSPACE/tests/policy_engine/compare_policy_reports.py
+COMPARE_VSA=$WORKSPACE/tests/vsa/compare_vsa.py
 TEST_REPO_FINDER=$WORKSPACE/tests/e2e/repo_finder/repo_finder.py
 TEST_COMMIT_FINDER=$WORKSPACE/tests/e2e/repo_finder/commit_finder.py
 RUN_MACARON="python -m macaron -o $WORKSPACE/output"
@@ -19,6 +21,7 @@ UPDATE=0
 if [ $# -eq 3 ] && [ "$3" == "--update" ] ; then
 echo "Updating the expected results to match those currently produced by Macaron."
 UPDATE=1
+ COMPARE_VSA="$COMPARE_VSA --update"
 fi
 function check_or_update_expected_output() {
@@ -627,7 +630,6 @@ echo -e "\n---------------------------------------------------------------------
 echo "Run policy CLI with slsa-verifier results."
 echo -e "----------------------------------------------------------------------------------\n"
 RUN_POLICY="macaron verify-policy"
-COMPARE_POLICIES=$WORKSPACE/tests/policy_engine/compare_policy_reports.py
 POLICY_FILE=$WORKSPACE/tests/policy_engine/resources/policies/valid/slsa-verifier.dl
 POLICY_RESULT=$WORKSPACE/output/policy_report.json
 POLICY_EXPECTED=$WORKSPACE/tests/policy_engine/expected_results/policy_report.json
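Review bot: `COMPARE_VSA="$COMPARE_VSA --update"` in the `--update` branch packs the flag into the same string as the script path, but the call site in the next hunk (`python3 "$COMPARE_VSA" \`) quotes that variable, so in update mode the interpreter receives the single argument `.../compare_vsa.py --update` as the script name and cannot open it; the update path therefore never works for the VSA expectation. Keep the path and its options apart, e.g. `COMPARE_VSA_ARGS=()` next to the path definition, `COMPARE_VSA_ARGS+=(--update)` in the branch, and `python3 "$COMPARE_VSA" "${COMPARE_VSA_ARGS[@]}" \` at the call site (under `set -u` on bash older than 4.4 the empty-array expansion needs the `${COMPARE_VSA_ARGS[@]+"${COMPARE_VSA_ARGS[@]}"}` form). The existing `check_or_update_expected_output $COMPARE_POLICIES ...` calls only work because they leave the variable unquoted, which is itself fragile for paths containing spaces.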
@@ -636,6 +638,32 @@ POLICY_EXPECTED=$WORKSPACE/tests/policy_engine/expected_results/policy_report.js
 $RUN_POLICY -f $POLICY_FILE -d "$WORKSPACE/output/macaron.db" || log_fail
 check_or_update_expected_output $COMPARE_POLICIES $POLICY_RESULT $POLICY_EXPECTED || log_fail
+# Testing the VSA generation feature
+# Running Macaron without config files
+echo -e "\n=================================================================================="
+echo "Run integration tests for VSA generation"
+echo -e "==================================================================================\n"
+TEST_CASE_DIR="$WORKSPACE/tests/vsa/integration/github_slsa-framework_slsa-verifier"
+OUTPUT_DIR="$TEST_CASE_DIR/output"
+
+rm -rf "$OUTPUT_DIR" # Make sure we regenerate a fresh database every time.
+macaron --output "$OUTPUT_DIR" analyze \
+ --repo-path "https://github.com/slsa-framework/slsa-verifier" \
+ --digest 7e1e47d7d793930ab0082c15c2b971fdb53a3c95 \
+ --skip-deps || log_fail
+check_or_update_expected_output "$COMPARE_JSON_OUT" \
+ "$OUTPUT_DIR/reports/github_com/slsa-framework/slsa-verifier/slsa-verifier.json" \
+ "$TEST_CASE_DIR/slsa-verifier.json" || log_fail
+macaron --output "$OUTPUT_DIR" verify-policy \
+ --database "$OUTPUT_DIR/macaron.db" \
+ --file "$TEST_CASE_DIR/policy.dl" || log_fail
+check_or_update_expected_output "$COMPARE_POLICIES" \
+ "$OUTPUT_DIR/policy_report.json" \
+ "$TEST_CASE_DIR/policy_report.json" || log_fail
+python3 "$COMPARE_VSA" \
+ "$OUTPUT_DIR/vsa.intoto.jsonl" \
+ "$TEST_CASE_DIR/vsa.intoto.jsonl" || log_fail
+
 # Testing the Repo Finder's remote calls.
 # This requires the 'packageurl' Python module
 echo -e "\n----------------------------------------------------------------------------------"
diff --git a/tests/vsa/compare_vsa.py b/tests/vsa/compare_vsa.py
new file mode 100644
index 000000000..39ef54ae9
--- /dev/null
+++ b/tests/vsa/compare_vsa.py
@@ -0,0 +1,264 @@ +# Copyright (c) 2024 - 2024, Oracle and/or its affiliates. All rights reserved. +# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/. + +"""Script to compare a generated VSA with an expected payload.""" + +from __future__ import annotations + +import argparse +import base64 +import json +import os +import sys +import traceback +from collections.abc import Callable +from difflib import context_diff +from functools import partial +from pprint import pformat + +# Works similarly to print, but prints to stderr by default. +log = partial(print, file=sys.stderr) + + +def log_with_tag(tag: str) -> Callable[[str], None]: + """Generate a log function that prints the name of the file and a tag at the beginning of each line.""" + + def log_fn(msg: str) -> None: + log(f"[{os.path.basename(__file__)} {tag}] {msg}") + + return log_fn + + +log_info = log_with_tag("INFO") +log_err = log_with_tag("ERROR") +log_failed = log_with_tag("FAILED") +log_passed = log_with_tag("PASSED") + + +def log_diff(result: object, expected: object) -> None: + """Pretty-print the diff of two Python objects.""" + log( + "".join( + context_diff(pformat(result), pformat(expected), "result", "expected"), + ), + ) + + +CompareFn = Callable[[object, object], bool] + + +def skip_compare(_result: object, _expected: object) -> bool: + """Return ``True`` always. + + This compare function is used when we want to skip comparing a field. + """ + return True + + +def compare_json( + result: object, + expected: object, + compare_fn_map: dict[str, CompareFn], + name: str = "", +) -> bool: + """Compare two JSON values. + + This function should not try to return immediately when it encounters a mismatch. + Rather, it should try to report as many mismatches as possible. + + Parameters + ---------- + result : object + The result value. + expected : object + The expected value. 
+ compare_fn_map : dict[str, CompareFn] + A map from field name to corresponding compare function. + name : str + The name of the field. + Field names must follow the following rules: + - At the top level: empty string "" + - A subfield "bar" in an object field with name ".foo" has the name ".foo.bar". + - A subfield "baz" in an object field with name ".foo.bar" has the name ".foo.bar.baz". + - All array elements in an array field with name ".foo" have the name ".foo[*]". + + Returns + ------- + bool + ``True`` if the comparison is successful, ``False`` otherwise. + """ + if name in compare_fn_map: + return compare_fn_map[name](result, expected) + + if isinstance(expected, list): + if not isinstance(result, list): + log_err(f"Expected '{name}' to be a JSON array.") + # Nothing else to check. + return False + return compare_list(result, expected, compare_fn_map, name) + if isinstance(expected, dict): + if not isinstance(result, dict): + log_err(f"Expected '{name}' to be a JSON object.") + # Nothing else to check. + return False + return compare_dict(result, expected, compare_fn_map, name) + + if result != expected: + log_err(f"Mismatch found in '{name}': expected {expected}, found {result}.") + return False + + return True + + +def compare_list( + result: list, + expected: list, + compare_fn_map: dict[str, CompareFn], + name: str, +) -> bool: + """Compare two JSON arrays. + + Parameters + ---------- + result : list + The result array. + expected : list + The expected array. + compare_fn_map : str + A map from field name to corresponding compare function. + name : str + The name of the field whose value is being compared in this function. + + Returns + ------- + bool + ``True`` if the comparison is successful, ``False`` otherwise. 
+ """ + if len(result) != len(expected): + log_err(f"Expected field '{name}' of length {len(result)} in result to have length {len(expected)}") + log_diff(result, expected) + # Nothing else to compare + return False + + equal = True + + for result_element, expected_element in zip(result, expected): + equal &= compare_json( + result=result_element, + expected=expected_element, + compare_fn_map=compare_fn_map, + name=f"{name}[*]", + ) + + return equal + + +def compare_dict( + result: dict, + expected: dict, + compare_fn_map: dict[str, CompareFn], + name: str, +) -> bool: + """Compare two JSON objects. + + Parameters + ---------- + result : dict + The result object. + expected : dict + The expected object. + compare_fn_map : str + A map from field name to corresponding compare function. + name : str + The name of the field whose value is being compared in this function. + + Returns + ------- + bool + ``True`` if the comparison is successful, ``False`` otherwise. + """ + result_keys_only = result.keys() - expected.keys() + expected_keys_only = expected.keys() - result.keys() + + equal = True + + if len(result_keys_only) > 0: + log_err(f"'{name}' in result has the following extraneous fields: {result_keys_only}") + equal = False + + if len(expected_keys_only) > 0: + log_err(f"'{name}' in result does not contain these expected fields: {expected_keys_only}") + equal = False + + common_keys = set(result.keys()).intersection(set(expected.keys())) + + for key in common_keys: + equal &= compare_json( + result=result[key], + expected=expected[key], + name=f"{name}.{key}", + compare_fn_map=compare_fn_map, + ) + + return equal + + +def main() -> int: + """Compare a Macaron generated VSA with an expected VSA payload. + + Returns + ------- + int + 0 if the payload in the generated VSA matches the expected payload, or + non-zero otherwise. 
+ """ + parser = argparse.ArgumentParser() + parser.add_argument("result_file", help="the result VSA file") + parser.add_argument("expected_payload_file", help="the expected VSA payload file") + parser.add_argument( + "-u", + "--update", + action="store_true", + help="update the expected payload file", + ) + args = parser.parse_args() + + with open(args.result_file, encoding="utf-8") as file: + vsa = json.load(file) + + try: + payload = json.loads(base64.b64decode(vsa["payload"])) + except (UnicodeDecodeError, json.JSONDecodeError, TypeError): + log_err("Error while decoding the VSA payload:") + log(traceback.format_exc()) + return 1 + + if args.update: + with open(args.expected_payload_file, mode="w", encoding="utf-8") as file: + json.dump(payload, fp=file, indent=4) + log_info(f"Updated {args.expected_payload_file}.") + return 0 + + with open(args.expected_payload_file, encoding="utf-8") as file: + expected_payload = json.load(file) + + log_info(f"Comparing the VSA file {args.result_file} with the expected payload file {args.expected_payload_file}") + + equal = compare_json( + result=payload, + expected=expected_payload, + compare_fn_map={ + ".predicate.timeVerified": skip_compare, + }, + ) + + if not equal: + log_failed("The payload of the generated VSA does not match the expected payload.") + return 1 + + log_passed("The payload of the generated VSA matches the expected payload.") + return 0 + + +if __name__ == "__main__": + raise SystemExit(main()) diff --git a/tests/vsa/integration/github_slsa-framework_slsa-verifier/policy.dl b/tests/vsa/integration/github_slsa-framework_slsa-verifier/policy.dl new file mode 100644 index 000000000..678fa8636 --- /dev/null +++ b/tests/vsa/integration/github_slsa-framework_slsa-verifier/policy.dl 
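Review bot: `log_diff` passes the two `pformat` strings straight to `context_diff`, which compares sequences element by element, so the diff is computed per character and, joined with `"".join`, prints as an unreadable run of single characters; split them into lines first, `context_diff(pformat(result).splitlines(keepends=True), pformat(expected).splitlines(keepends=True), "result", "expected")`. In `main`, `vsa["payload"]` raises `KeyError` when the envelope lacks the field and `base64.b64decode` raises `binascii.Error` (a `ValueError`) on bad padding, neither of which the `except (UnicodeDecodeError, json.JSONDecodeError, TypeError)` clause catches, so a malformed result file ends in a traceback instead of the logged error and exit code 1; `except (KeyError, ValueError, TypeError)` covers all of them, since `JSONDecodeError` and `UnicodeDecodeError` are `ValueError` subclasses. The `compare_fn_map` entries in the docstrings of `compare_list` and `compare_dict` are typed `str`; they should read `dict[str, CompareFn]` as in `compare_json`. The expected file that `--update` writes holds the decoded, pretty-printed Statement rather than a JSON Lines envelope, which is worth stating in the `main` docstring so the `vsa.intoto.jsonl` name of the expectation file does not mislead readers.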
@@ -0,0 +1,16 @@
+/* Copyright (c) 2024 - 2024, Oracle and/or its affiliates. All rights reserved. */
+/* Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/. */
+
+#include "prelude.dl"
+
+Policy("slsa_verifier_policy", component_id, "Policy for SLSA Verifier") :-
+ check_passed(component_id, "mcn_build_as_code_1"),
+ check_passed(component_id, "mcn_provenance_level_three_1"),
+ check_passed(component_id, "mcn_provenance_available_1").
+
+apply_policy_to("slsa_verifier_policy", component_id) :-
+ is_repo(
+ _, // repo_id
+ "github.com/slsa-framework/slsa-verifier",
+ component_id
+ ).
diff --git a/tests/vsa/integration/github_slsa-framework_slsa-verifier/policy_report.json b/tests/vsa/integration/github_slsa-framework_slsa-verifier/policy_report.json
new file mode 100644
index 000000000..f17f562dc
--- /dev/null
+++ b/tests/vsa/integration/github_slsa-framework_slsa-verifier/policy_report.json
@@ -0,0 +1,16 @@
+{
+ "component_satisfies_policy": [
+ [
+ "1",
+ "pkg:github.com/slsa-framework/slsa-verifier@7e1e47d7d793930ab0082c15c2b971fdb53a3c95",
+ "slsa_verifier_policy"
+ ]
+ ],
+ "component_violates_policy": [],
+ "failed_policies": [],
+ "passed_policies": [
+ [
+ "slsa_verifier_policy"
+ ]
+ ]
+}
diff --git a/tests/vsa/integration/github_slsa-framework_slsa-verifier/slsa-verifier.json b/tests/vsa/integration/github_slsa-framework_slsa-verifier/slsa-verifier.json
new file mode 100644
index 000000000..4549b087c
--- /dev/null
+++ b/tests/vsa/integration/github_slsa-framework_slsa-verifier/slsa-verifier.json
@@ -0,0 +1,1887 @@ +{ + "metadata": { + "timestamps": "2024-01-05 16:53:37", + "has_passing_check": true + }, + "target": { + "info": { + "full_name": "pkg:github.com/slsa-framework/slsa-verifier@7e1e47d7d793930ab0082c15c2b971fdb53a3c95", + "local_cloned_path": "git_repos/github_com/slsa-framework/slsa-verifier", + "remote_path": "https://github.com/slsa-framework/slsa-verifier", + "branch": null, + "commit_hash": "7e1e47d7d793930ab0082c15c2b971fdb53a3c95", + "commit_date": "2023-10-16T13:44:13-07:00" + }, + "provenances": { + "is_inferred": false, + "content": { + "github_actions": [ + { + "_type": "https://in-toto.io/Statement/v0.1", + "predicateType": "https://slsa.dev/provenance/v0.2", + "subject": [ + { + "name": "slsa-verifier-darwin-amd64", + "digest": { + "sha256": "69fa1ea5bb734e765aae1fa855f50e823c2b90b019994610960b7eb3c83feeb3" + } + } + ], + "predicate": { + "builder": { + "id": "https://github.com/slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@refs/tags/v1.8.0" + }, + "buildType": "https://github.com/slsa-framework/slsa-github-generator/go@v1", + "invocation": { + "configSource": { + "uri": "git+https://github.com/slsa-framework/slsa-verifier@refs/tags/v2.4.1", + "digest": { + "sha1": "7e1e47d7d793930ab0082c15c2b971fdb53a3c95" + }, + "entryPoint": ".github/workflows/release.yml" + }, + "parameters": {}, + "environment": { + "arch": "X64", + "github_actor": "laurentsimon", + "github_actor_id": "64505099", + "github_base_ref": "", + "github_event_name": "push", + "github_event_payload": { + "after": "7e1e47d7d793930ab0082c15c2b971fdb53a3c95", + "base_ref": "refs/heads/main", + "before": "0000000000000000000000000000000000000000", + "commits": [], + "compare": "https://github.com/slsa-framework/slsa-verifier/compare/v2.4.1", + "created": true, + "deleted": false, + "forced": false, + "head_commit": { + "author": { + "email": "64505099+laurentsimon@users.noreply.github.com", + "name": "laurentsimon", + "username": 
"laurentsimon" + }, + "committer": { + "email": "noreply@github.com", + "name": "GitHub", + "username": "web-flow" + }, + "distinct": true, + "id": "7e1e47d7d793930ab0082c15c2b971fdb53a3c95", + "message": "docs: update release doc and rm binary (#716)\n\nSigned-off-by: laurentsimon ", + "timestamp": "2023-10-16T13:44:13-07:00", + "tree_id": "b70b194feb7247be9885bfff95f9640c84d0b8f5", + "url": "https://github.com/slsa-framework/slsa-verifier/commit/7e1e47d7d793930ab0082c15c2b971fdb53a3c95" + }, + "organization": { + "avatar_url": "https://avatars.githubusercontent.com/u/80431187?v=4", + "description": "Supply-chain Levels for Software Artifacts", + "events_url": "https://api.github.com/orgs/slsa-framework/events", + "hooks_url": "https://api.github.com/orgs/slsa-framework/hooks", + "id": 80431187, + "issues_url": "https://api.github.com/orgs/slsa-framework/issues", + "login": "slsa-framework", + "members_url": "https://api.github.com/orgs/slsa-framework/members{/member}", + "node_id": "MDEyOk9yZ2FuaXphdGlvbjgwNDMxMTg3", + "public_members_url": "https://api.github.com/orgs/slsa-framework/public_members{/member}", + "repos_url": "https://api.github.com/orgs/slsa-framework/repos", + "url": "https://api.github.com/orgs/slsa-framework" + }, + "pusher": { + "email": "64505099+laurentsimon@users.noreply.github.com", + "name": "laurentsimon" + }, + "ref": "refs/tags/v2.4.1", + "repository": { + "allow_forking": true, + "archive_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/{archive_format}{/ref}", + "archived": false, + "assignees_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/assignees{/user}", + "blobs_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/git/blobs{/sha}", + "branches_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/branches{/branch}", + "clone_url": "https://github.com/slsa-framework/slsa-verifier.git", + "collaborators_url": 
"https://api.github.com/repos/slsa-framework/slsa-verifier/collaborators{/collaborator}", + "comments_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/comments{/number}", + "commits_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/commits{/sha}", + "compare_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/compare/{base}...{head}", + "contents_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/contents/{+path}", + "contributors_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/contributors", + "created_at": 1648242107, + "custom_properties": {}, + "default_branch": "main", + "deployments_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/deployments", + "description": "Verify provenance from SLSA compliant builders", + "disabled": false, + "downloads_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/downloads", + "events_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/events", + "fork": false, + "forks": 35, + "forks_count": 35, + "forks_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/forks", + "full_name": "slsa-framework/slsa-verifier", + "git_commits_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/git/commits{/sha}", + "git_refs_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/git/refs{/sha}", + "git_tags_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/git/tags{/sha}", + "git_url": "git://github.com/slsa-framework/slsa-verifier.git", + "has_discussions": false, + "has_downloads": true, + "has_issues": true, + "has_pages": false, + "has_projects": true, + "has_wiki": true, + "homepage": "", + "hooks_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/hooks", + "html_url": "https://github.com/slsa-framework/slsa-verifier", + "id": 474162642, + "is_template": false, + "issue_comment_url": 
"https://api.github.com/repos/slsa-framework/slsa-verifier/issues/comments{/number}", + "issue_events_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/issues/events{/number}", + "issues_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/issues{/number}", + "keys_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/keys{/key_id}", + "labels_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/labels{/name}", + "language": "Go", + "languages_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/languages", + "license": { + "key": "apache-2.0", + "name": "Apache License 2.0", + "node_id": "MDc6TGljZW5zZTI=", + "spdx_id": "Apache-2.0", + "url": "https://api.github.com/licenses/apache-2.0" + }, + "master_branch": "main", + "merges_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/merges", + "milestones_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/milestones{/number}", + "mirror_url": null, + "name": "slsa-verifier", + "node_id": "R_kgDOHEMl0g", + "notifications_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/notifications{?since,all,participating}", + "open_issues": 123, + "open_issues_count": 123, + "organization": "slsa-framework", + "owner": { + "avatar_url": "https://avatars.githubusercontent.com/u/80431187?v=4", + "email": null, + "events_url": "https://api.github.com/users/slsa-framework/events{/privacy}", + "followers_url": "https://api.github.com/users/slsa-framework/followers", + "following_url": "https://api.github.com/users/slsa-framework/following{/other_user}", + "gists_url": "https://api.github.com/users/slsa-framework/gists{/gist_id}", + "gravatar_id": "", + "html_url": "https://github.com/slsa-framework", + "id": 80431187, + "login": "slsa-framework", + "name": "slsa-framework", + "node_id": "MDEyOk9yZ2FuaXphdGlvbjgwNDMxMTg3", + "organizations_url": "https://api.github.com/users/slsa-framework/orgs", + "received_events_url": 
"https://api.github.com/users/slsa-framework/received_events", + "repos_url": "https://api.github.com/users/slsa-framework/repos", + "site_admin": false, + "starred_url": "https://api.github.com/users/slsa-framework/starred{/owner}{/repo}", + "subscriptions_url": "https://api.github.com/users/slsa-framework/subscriptions", + "type": "Organization", + "url": "https://api.github.com/users/slsa-framework" + }, + "private": false, + "pulls_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/pulls{/number}", + "pushed_at": 1699396985, + "releases_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/releases{/id}", + "size": 88467, + "ssh_url": "git@github.com:slsa-framework/slsa-verifier.git", + "stargazers": 170, + "stargazers_count": 170, + "stargazers_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/stargazers", + "statuses_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/statuses/{sha}", + "subscribers_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/subscribers", + "subscription_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/subscription", + "svn_url": "https://github.com/slsa-framework/slsa-verifier", + "tags_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/tags", + "teams_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/teams", + "topics": [], + "trees_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/git/trees{/sha}", + "updated_at": "2023-10-17T17:58:10Z", + "url": "https://github.com/slsa-framework/slsa-verifier", + "visibility": "public", + "watchers": 170, + "watchers_count": 170, + "web_commit_signoff_required": true + }, + "sender": { + "avatar_url": "https://avatars.githubusercontent.com/u/64505099?v=4", + "events_url": "https://api.github.com/users/laurentsimon/events{/privacy}", + "followers_url": "https://api.github.com/users/laurentsimon/followers", + "following_url": 
"https://api.github.com/users/laurentsimon/following{/other_user}", + "gists_url": "https://api.github.com/users/laurentsimon/gists{/gist_id}", + "gravatar_id": "", + "html_url": "https://github.com/laurentsimon", + "id": 64505099, + "login": "laurentsimon", + "node_id": "MDQ6VXNlcjY0NTA1MDk5", + "organizations_url": "https://api.github.com/users/laurentsimon/orgs", + "received_events_url": "https://api.github.com/users/laurentsimon/received_events", + "repos_url": "https://api.github.com/users/laurentsimon/repos", + "site_admin": false, + "starred_url": "https://api.github.com/users/laurentsimon/starred{/owner}{/repo}", + "subscriptions_url": "https://api.github.com/users/laurentsimon/subscriptions", + "type": "User", + "url": "https://api.github.com/users/laurentsimon" + } + }, + "github_head_ref": "", + "github_ref": "refs/tags/v2.4.1", + "github_ref_type": "tag", + "github_repository_id": "474162642", + "github_repository_owner": "slsa-framework", + "github_repository_owner_id": "80431187", + "github_run_attempt": "1", + "github_run_id": "6791195934", + "github_run_number": "511", + "github_sha1": "7e1e47d7d793930ab0082c15c2b971fdb53a3c95", + "os": "ubuntu22" + } + }, + "buildConfig": { + "steps": [ + { + "workingDir": "/home/runner/work/slsa-verifier/slsa-verifier/__PROJECT_CHECKOUT_DIR__/cli/slsa-verifier", + "command": [ + "/opt/hostedtoolcache/go/1.20.10/x64/bin/go", + "mod", + "vendor" + ], + "env": null + }, + { + "workingDir": "/home/runner/work/slsa-verifier/slsa-verifier/__PROJECT_CHECKOUT_DIR__/cli/slsa-verifier", + "command": [ + "/opt/hostedtoolcache/go/1.20.10/x64/bin/go", + "build", + "-mod=vendor", + "-trimpath", + "-tags=netgo", + "-ldflags=-X sigs.k8s.io/release-utils/version.gitVersion=2.4.1", + "-o", + "slsa-verifier-darwin-amd64" + ], + "env": [ + "GOOS=darwin", + "GOARCH=amd64", + "GO111MODULE=on", + "CGO_ENABLED=0" + ] + } + ], + "version": 1 + }, + "metadata": { + "buildInvocationID": "6791195934-1", + "completeness": { + "parameters": 
true, + "environment": false, + "materials": false + }, + "reproducible": false + }, + "materials": [ + { + "uri": "git+https://github.com/slsa-framework/slsa-verifier@refs/tags/v2.4.1", + "digest": { + "sha1": "7e1e47d7d793930ab0082c15c2b971fdb53a3c95" + } + }, + { + "uri": "https://github.com/actions/virtual-environments/releases/tag/ubuntu22/20231030.2.0" + } + ] + } + }, + { + "_type": "https://in-toto.io/Statement/v0.1", + "predicateType": "https://slsa.dev/provenance/v0.2", + "subject": [ + { + "name": "slsa-verifier-darwin-arm64", + "digest": { + "sha256": "ce1de214cb5ae24dfafce18640a0e7c4d2fbbd014bf4b2944a0c1b7b3cfa803a" + } + } + ], + "predicate": { + "builder": { + "id": "https://github.com/slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@refs/tags/v1.8.0" + }, + "buildType": "https://github.com/slsa-framework/slsa-github-generator/go@v1", + "invocation": { + "configSource": { + "uri": "git+https://github.com/slsa-framework/slsa-verifier@refs/tags/v2.4.1", + "digest": { + "sha1": "7e1e47d7d793930ab0082c15c2b971fdb53a3c95" + }, + "entryPoint": ".github/workflows/release.yml" + }, + "parameters": {}, + "environment": { + "arch": "X64", + "github_actor": "laurentsimon", + "github_actor_id": "64505099", + "github_base_ref": "", + "github_event_name": "push", + "github_event_payload": { + "after": "7e1e47d7d793930ab0082c15c2b971fdb53a3c95", + "base_ref": "refs/heads/main", + "before": "0000000000000000000000000000000000000000", + "commits": [], + "compare": "https://github.com/slsa-framework/slsa-verifier/compare/v2.4.1", + "created": true, + "deleted": false, + "forced": false, + "head_commit": { + "author": { + "email": "64505099+laurentsimon@users.noreply.github.com", + "name": "laurentsimon", + "username": "laurentsimon" + }, + "committer": { + "email": "noreply@github.com", + "name": "GitHub", + "username": "web-flow" + }, + "distinct": true, + "id": "7e1e47d7d793930ab0082c15c2b971fdb53a3c95", + "message": "docs: update release 
doc and rm binary (#716)\n\nSigned-off-by: laurentsimon ", + "timestamp": "2023-10-16T13:44:13-07:00", + "tree_id": "b70b194feb7247be9885bfff95f9640c84d0b8f5", + "url": "https://github.com/slsa-framework/slsa-verifier/commit/7e1e47d7d793930ab0082c15c2b971fdb53a3c95" + }, + "organization": { + "avatar_url": "https://avatars.githubusercontent.com/u/80431187?v=4", + "description": "Supply-chain Levels for Software Artifacts", + "events_url": "https://api.github.com/orgs/slsa-framework/events", + "hooks_url": "https://api.github.com/orgs/slsa-framework/hooks", + "id": 80431187, + "issues_url": "https://api.github.com/orgs/slsa-framework/issues", + "login": "slsa-framework", + "members_url": "https://api.github.com/orgs/slsa-framework/members{/member}", + "node_id": "MDEyOk9yZ2FuaXphdGlvbjgwNDMxMTg3", + "public_members_url": "https://api.github.com/orgs/slsa-framework/public_members{/member}", + "repos_url": "https://api.github.com/orgs/slsa-framework/repos", + "url": "https://api.github.com/orgs/slsa-framework" + }, + "pusher": { + "email": "64505099+laurentsimon@users.noreply.github.com", + "name": "laurentsimon" + }, + "ref": "refs/tags/v2.4.1", + "repository": { + "allow_forking": true, + "archive_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/{archive_format}{/ref}", + "archived": false, + "assignees_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/assignees{/user}", + "blobs_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/git/blobs{/sha}", + "branches_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/branches{/branch}", + "clone_url": "https://github.com/slsa-framework/slsa-verifier.git", + "collaborators_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/collaborators{/collaborator}", + "comments_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/comments{/number}", + "commits_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/commits{/sha}", + 
"compare_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/compare/{base}...{head}", + "contents_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/contents/{+path}", + "contributors_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/contributors", + "created_at": 1648242107, + "custom_properties": {}, + "default_branch": "main", + "deployments_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/deployments", + "description": "Verify provenance from SLSA compliant builders", + "disabled": false, + "downloads_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/downloads", + "events_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/events", + "fork": false, + "forks": 35, + "forks_count": 35, + "forks_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/forks", + "full_name": "slsa-framework/slsa-verifier", + "git_commits_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/git/commits{/sha}", + "git_refs_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/git/refs{/sha}", + "git_tags_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/git/tags{/sha}", + "git_url": "git://github.com/slsa-framework/slsa-verifier.git", + "has_discussions": false, + "has_downloads": true, + "has_issues": true, + "has_pages": false, + "has_projects": true, + "has_wiki": true, + "homepage": "", + "hooks_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/hooks", + "html_url": "https://github.com/slsa-framework/slsa-verifier", + "id": 474162642, + "is_template": false, + "issue_comment_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/issues/comments{/number}", + "issue_events_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/issues/events{/number}", + "issues_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/issues{/number}", + "keys_url": 
"https://api.github.com/repos/slsa-framework/slsa-verifier/keys{/key_id}", + "labels_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/labels{/name}", + "language": "Go", + "languages_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/languages", + "license": { + "key": "apache-2.0", + "name": "Apache License 2.0", + "node_id": "MDc6TGljZW5zZTI=", + "spdx_id": "Apache-2.0", + "url": "https://api.github.com/licenses/apache-2.0" + }, + "master_branch": "main", + "merges_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/merges", + "milestones_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/milestones{/number}", + "mirror_url": null, + "name": "slsa-verifier", + "node_id": "R_kgDOHEMl0g", + "notifications_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/notifications{?since,all,participating}", + "open_issues": 123, + "open_issues_count": 123, + "organization": "slsa-framework", + "owner": { + "avatar_url": "https://avatars.githubusercontent.com/u/80431187?v=4", + "email": null, + "events_url": "https://api.github.com/users/slsa-framework/events{/privacy}", + "followers_url": "https://api.github.com/users/slsa-framework/followers", + "following_url": "https://api.github.com/users/slsa-framework/following{/other_user}", + "gists_url": "https://api.github.com/users/slsa-framework/gists{/gist_id}", + "gravatar_id": "", + "html_url": "https://github.com/slsa-framework", + "id": 80431187, + "login": "slsa-framework", + "name": "slsa-framework", + "node_id": "MDEyOk9yZ2FuaXphdGlvbjgwNDMxMTg3", + "organizations_url": "https://api.github.com/users/slsa-framework/orgs", + "received_events_url": "https://api.github.com/users/slsa-framework/received_events", + "repos_url": "https://api.github.com/users/slsa-framework/repos", + "site_admin": false, + "starred_url": "https://api.github.com/users/slsa-framework/starred{/owner}{/repo}", + "subscriptions_url": 
"https://api.github.com/users/slsa-framework/subscriptions", + "type": "Organization", + "url": "https://api.github.com/users/slsa-framework" + }, + "private": false, + "pulls_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/pulls{/number}", + "pushed_at": 1699396985, + "releases_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/releases{/id}", + "size": 88467, + "ssh_url": "git@github.com:slsa-framework/slsa-verifier.git", + "stargazers": 170, + "stargazers_count": 170, + "stargazers_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/stargazers", + "statuses_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/statuses/{sha}", + "subscribers_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/subscribers", + "subscription_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/subscription", + "svn_url": "https://github.com/slsa-framework/slsa-verifier", + "tags_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/tags", + "teams_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/teams", + "topics": [], + "trees_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/git/trees{/sha}", + "updated_at": "2023-10-17T17:58:10Z", + "url": "https://github.com/slsa-framework/slsa-verifier", + "visibility": "public", + "watchers": 170, + "watchers_count": 170, + "web_commit_signoff_required": true + }, + "sender": { + "avatar_url": "https://avatars.githubusercontent.com/u/64505099?v=4", + "events_url": "https://api.github.com/users/laurentsimon/events{/privacy}", + "followers_url": "https://api.github.com/users/laurentsimon/followers", + "following_url": "https://api.github.com/users/laurentsimon/following{/other_user}", + "gists_url": "https://api.github.com/users/laurentsimon/gists{/gist_id}", + "gravatar_id": "", + "html_url": "https://github.com/laurentsimon", + "id": 64505099, + "login": "laurentsimon", + "node_id": "MDQ6VXNlcjY0NTA1MDk5", + 
"organizations_url": "https://api.github.com/users/laurentsimon/orgs", + "received_events_url": "https://api.github.com/users/laurentsimon/received_events", + "repos_url": "https://api.github.com/users/laurentsimon/repos", + "site_admin": false, + "starred_url": "https://api.github.com/users/laurentsimon/starred{/owner}{/repo}", + "subscriptions_url": "https://api.github.com/users/laurentsimon/subscriptions", + "type": "User", + "url": "https://api.github.com/users/laurentsimon" + } + }, + "github_head_ref": "", + "github_ref": "refs/tags/v2.4.1", + "github_ref_type": "tag", + "github_repository_id": "474162642", + "github_repository_owner": "slsa-framework", + "github_repository_owner_id": "80431187", + "github_run_attempt": "1", + "github_run_id": "6791195934", + "github_run_number": "511", + "github_sha1": "7e1e47d7d793930ab0082c15c2b971fdb53a3c95", + "os": "ubuntu22" + } + }, + "buildConfig": { + "steps": [ + { + "workingDir": "/home/runner/work/slsa-verifier/slsa-verifier/__PROJECT_CHECKOUT_DIR__/cli/slsa-verifier", + "command": [ + "/opt/hostedtoolcache/go/1.20.10/x64/bin/go", + "mod", + "vendor" + ], + "env": null + }, + { + "workingDir": "/home/runner/work/slsa-verifier/slsa-verifier/__PROJECT_CHECKOUT_DIR__/cli/slsa-verifier", + "command": [ + "/opt/hostedtoolcache/go/1.20.10/x64/bin/go", + "build", + "-mod=vendor", + "-trimpath", + "-tags=netgo", + "-ldflags=-X sigs.k8s.io/release-utils/version.gitVersion=2.4.1", + "-o", + "slsa-verifier-darwin-arm64" + ], + "env": [ + "GOOS=darwin", + "GOARCH=arm64", + "CGO_ENABLED=0", + "GO111MODULE=on" + ] + } + ], + "version": 1 + }, + "metadata": { + "buildInvocationID": "6791195934-1", + "completeness": { + "parameters": true, + "environment": false, + "materials": false + }, + "reproducible": false + }, + "materials": [ + { + "uri": "git+https://github.com/slsa-framework/slsa-verifier@refs/tags/v2.4.1", + "digest": { + "sha1": "7e1e47d7d793930ab0082c15c2b971fdb53a3c95" + } + }, + { + "uri": 
"https://github.com/actions/virtual-environments/releases/tag/ubuntu22/20231030.2.0" + } + ] + } + }, + { + "_type": "https://in-toto.io/Statement/v0.1", + "predicateType": "https://slsa.dev/provenance/v0.2", + "subject": [ + { + "name": "slsa-verifier-linux-amd64", + "digest": { + "sha256": "e81900c9f11a44276e1552afb7c1f6ea7b13ad9c6efdb920d97f23a76659e25f" + } + } + ], + "predicate": { + "builder": { + "id": "https://github.com/slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@refs/tags/v1.8.0" + }, + "buildType": "https://github.com/slsa-framework/slsa-github-generator/go@v1", + "invocation": { + "configSource": { + "uri": "git+https://github.com/slsa-framework/slsa-verifier@refs/tags/v2.4.1", + "digest": { + "sha1": "7e1e47d7d793930ab0082c15c2b971fdb53a3c95" + }, + "entryPoint": ".github/workflows/release.yml" + }, + "parameters": {}, + "environment": { + "arch": "X64", + "github_actor": "laurentsimon", + "github_actor_id": "64505099", + "github_base_ref": "", + "github_event_name": "push", + "github_event_payload": { + "after": "7e1e47d7d793930ab0082c15c2b971fdb53a3c95", + "base_ref": "refs/heads/main", + "before": "0000000000000000000000000000000000000000", + "commits": [], + "compare": "https://github.com/slsa-framework/slsa-verifier/compare/v2.4.1", + "created": true, + "deleted": false, + "forced": false, + "head_commit": { + "author": { + "email": "64505099+laurentsimon@users.noreply.github.com", + "name": "laurentsimon", + "username": "laurentsimon" + }, + "committer": { + "email": "noreply@github.com", + "name": "GitHub", + "username": "web-flow" + }, + "distinct": true, + "id": "7e1e47d7d793930ab0082c15c2b971fdb53a3c95", + "message": "docs: update release doc and rm binary (#716)\n\nSigned-off-by: laurentsimon ", + "timestamp": "2023-10-16T13:44:13-07:00", + "tree_id": "b70b194feb7247be9885bfff95f9640c84d0b8f5", + "url": "https://github.com/slsa-framework/slsa-verifier/commit/7e1e47d7d793930ab0082c15c2b971fdb53a3c95" + }, + 
"organization": { + "avatar_url": "https://avatars.githubusercontent.com/u/80431187?v=4", + "description": "Supply-chain Levels for Software Artifacts", + "events_url": "https://api.github.com/orgs/slsa-framework/events", + "hooks_url": "https://api.github.com/orgs/slsa-framework/hooks", + "id": 80431187, + "issues_url": "https://api.github.com/orgs/slsa-framework/issues", + "login": "slsa-framework", + "members_url": "https://api.github.com/orgs/slsa-framework/members{/member}", + "node_id": "MDEyOk9yZ2FuaXphdGlvbjgwNDMxMTg3", + "public_members_url": "https://api.github.com/orgs/slsa-framework/public_members{/member}", + "repos_url": "https://api.github.com/orgs/slsa-framework/repos", + "url": "https://api.github.com/orgs/slsa-framework" + }, + "pusher": { + "email": "64505099+laurentsimon@users.noreply.github.com", + "name": "laurentsimon" + }, + "ref": "refs/tags/v2.4.1", + "repository": { + "allow_forking": true, + "archive_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/{archive_format}{/ref}", + "archived": false, + "assignees_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/assignees{/user}", + "blobs_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/git/blobs{/sha}", + "branches_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/branches{/branch}", + "clone_url": "https://github.com/slsa-framework/slsa-verifier.git", + "collaborators_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/collaborators{/collaborator}", + "comments_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/comments{/number}", + "commits_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/commits{/sha}", + "compare_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/compare/{base}...{head}", + "contents_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/contents/{+path}", + "contributors_url": 
"https://api.github.com/repos/slsa-framework/slsa-verifier/contributors", + "created_at": 1648242107, + "custom_properties": {}, + "default_branch": "main", + "deployments_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/deployments", + "description": "Verify provenance from SLSA compliant builders", + "disabled": false, + "downloads_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/downloads", + "events_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/events", + "fork": false, + "forks": 35, + "forks_count": 35, + "forks_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/forks", + "full_name": "slsa-framework/slsa-verifier", + "git_commits_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/git/commits{/sha}", + "git_refs_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/git/refs{/sha}", + "git_tags_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/git/tags{/sha}", + "git_url": "git://github.com/slsa-framework/slsa-verifier.git", + "has_discussions": false, + "has_downloads": true, + "has_issues": true, + "has_pages": false, + "has_projects": true, + "has_wiki": true, + "homepage": "", + "hooks_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/hooks", + "html_url": "https://github.com/slsa-framework/slsa-verifier", + "id": 474162642, + "is_template": false, + "issue_comment_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/issues/comments{/number}", + "issue_events_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/issues/events{/number}", + "issues_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/issues{/number}", + "keys_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/keys{/key_id}", + "labels_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/labels{/name}", + "language": "Go", + "languages_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/languages", + 
"license": { + "key": "apache-2.0", + "name": "Apache License 2.0", + "node_id": "MDc6TGljZW5zZTI=", + "spdx_id": "Apache-2.0", + "url": "https://api.github.com/licenses/apache-2.0" + }, + "master_branch": "main", + "merges_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/merges", + "milestones_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/milestones{/number}", + "mirror_url": null, + "name": "slsa-verifier", + "node_id": "R_kgDOHEMl0g", + "notifications_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/notifications{?since,all,participating}", + "open_issues": 123, + "open_issues_count": 123, + "organization": "slsa-framework", + "owner": { + "avatar_url": "https://avatars.githubusercontent.com/u/80431187?v=4", + "email": null, + "events_url": "https://api.github.com/users/slsa-framework/events{/privacy}", + "followers_url": "https://api.github.com/users/slsa-framework/followers", + "following_url": "https://api.github.com/users/slsa-framework/following{/other_user}", + "gists_url": "https://api.github.com/users/slsa-framework/gists{/gist_id}", + "gravatar_id": "", + "html_url": "https://github.com/slsa-framework", + "id": 80431187, + "login": "slsa-framework", + "name": "slsa-framework", + "node_id": "MDEyOk9yZ2FuaXphdGlvbjgwNDMxMTg3", + "organizations_url": "https://api.github.com/users/slsa-framework/orgs", + "received_events_url": "https://api.github.com/users/slsa-framework/received_events", + "repos_url": "https://api.github.com/users/slsa-framework/repos", + "site_admin": false, + "starred_url": "https://api.github.com/users/slsa-framework/starred{/owner}{/repo}", + "subscriptions_url": "https://api.github.com/users/slsa-framework/subscriptions", + "type": "Organization", + "url": "https://api.github.com/users/slsa-framework" + }, + "private": false, + "pulls_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/pulls{/number}", + "pushed_at": 1699396985, + "releases_url": 
"https://api.github.com/repos/slsa-framework/slsa-verifier/releases{/id}", + "size": 88467, + "ssh_url": "git@github.com:slsa-framework/slsa-verifier.git", + "stargazers": 170, + "stargazers_count": 170, + "stargazers_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/stargazers", + "statuses_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/statuses/{sha}", + "subscribers_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/subscribers", + "subscription_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/subscription", + "svn_url": "https://github.com/slsa-framework/slsa-verifier", + "tags_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/tags", + "teams_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/teams", + "topics": [], + "trees_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/git/trees{/sha}", + "updated_at": "2023-10-17T17:58:10Z", + "url": "https://github.com/slsa-framework/slsa-verifier", + "visibility": "public", + "watchers": 170, + "watchers_count": 170, + "web_commit_signoff_required": true + }, + "sender": { + "avatar_url": "https://avatars.githubusercontent.com/u/64505099?v=4", + "events_url": "https://api.github.com/users/laurentsimon/events{/privacy}", + "followers_url": "https://api.github.com/users/laurentsimon/followers", + "following_url": "https://api.github.com/users/laurentsimon/following{/other_user}", + "gists_url": "https://api.github.com/users/laurentsimon/gists{/gist_id}", + "gravatar_id": "", + "html_url": "https://github.com/laurentsimon", + "id": 64505099, + "login": "laurentsimon", + "node_id": "MDQ6VXNlcjY0NTA1MDk5", + "organizations_url": "https://api.github.com/users/laurentsimon/orgs", + "received_events_url": "https://api.github.com/users/laurentsimon/received_events", + "repos_url": "https://api.github.com/users/laurentsimon/repos", + "site_admin": false, + "starred_url": 
"https://api.github.com/users/laurentsimon/starred{/owner}{/repo}", + "subscriptions_url": "https://api.github.com/users/laurentsimon/subscriptions", + "type": "User", + "url": "https://api.github.com/users/laurentsimon" + } + }, + "github_head_ref": "", + "github_ref": "refs/tags/v2.4.1", + "github_ref_type": "tag", + "github_repository_id": "474162642", + "github_repository_owner": "slsa-framework", + "github_repository_owner_id": "80431187", + "github_run_attempt": "1", + "github_run_id": "6791195934", + "github_run_number": "511", + "github_sha1": "7e1e47d7d793930ab0082c15c2b971fdb53a3c95", + "os": "ubuntu22" + } + }, + "buildConfig": { + "steps": [ + { + "workingDir": "/home/runner/work/slsa-verifier/slsa-verifier/__PROJECT_CHECKOUT_DIR__/cli/slsa-verifier", + "command": [ + "/opt/hostedtoolcache/go/1.20.10/x64/bin/go", + "mod", + "vendor" + ], + "env": null + }, + { + "workingDir": "/home/runner/work/slsa-verifier/slsa-verifier/__PROJECT_CHECKOUT_DIR__/cli/slsa-verifier", + "command": [ + "/opt/hostedtoolcache/go/1.20.10/x64/bin/go", + "build", + "-mod=vendor", + "-trimpath", + "-tags=netgo", + "-ldflags=-X sigs.k8s.io/release-utils/version.gitVersion=2.4.1", + "-o", + "slsa-verifier-linux-amd64" + ], + "env": [ + "GOOS=linux", + "GOARCH=amd64", + "GO111MODULE=on", + "CGO_ENABLED=0" + ] + } + ], + "version": 1 + }, + "metadata": { + "buildInvocationID": "6791195934-1", + "completeness": { + "parameters": true, + "environment": false, + "materials": false + }, + "reproducible": false + }, + "materials": [ + { + "uri": "git+https://github.com/slsa-framework/slsa-verifier@refs/tags/v2.4.1", + "digest": { + "sha1": "7e1e47d7d793930ab0082c15c2b971fdb53a3c95" + } + }, + { + "uri": "https://github.com/actions/virtual-environments/releases/tag/ubuntu22/20231030.2.0" + } + ] + } + }, + { + "_type": "https://in-toto.io/Statement/v0.1", + "predicateType": "https://slsa.dev/provenance/v0.2", + "subject": [ + { + "name": "slsa-verifier-linux-arm64", + "digest": { + 
"sha256": "8b9bcc51576a8f962a0f91f50bed8ca769563ef568a2e9997ca4cd59dc2e341a" + } + } + ], + "predicate": { + "builder": { + "id": "https://github.com/slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@refs/tags/v1.8.0" + }, + "buildType": "https://github.com/slsa-framework/slsa-github-generator/go@v1", + "invocation": { + "configSource": { + "uri": "git+https://github.com/slsa-framework/slsa-verifier@refs/tags/v2.4.1", + "digest": { + "sha1": "7e1e47d7d793930ab0082c15c2b971fdb53a3c95" + }, + "entryPoint": ".github/workflows/release.yml" + }, + "parameters": {}, + "environment": { + "arch": "X64", + "github_actor": "laurentsimon", + "github_actor_id": "64505099", + "github_base_ref": "", + "github_event_name": "push", + "github_event_payload": { + "after": "7e1e47d7d793930ab0082c15c2b971fdb53a3c95", + "base_ref": "refs/heads/main", + "before": "0000000000000000000000000000000000000000", + "commits": [], + "compare": "https://github.com/slsa-framework/slsa-verifier/compare/v2.4.1", + "created": true, + "deleted": false, + "forced": false, + "head_commit": { + "author": { + "email": "64505099+laurentsimon@users.noreply.github.com", + "name": "laurentsimon", + "username": "laurentsimon" + }, + "committer": { + "email": "noreply@github.com", + "name": "GitHub", + "username": "web-flow" + }, + "distinct": true, + "id": "7e1e47d7d793930ab0082c15c2b971fdb53a3c95", + "message": "docs: update release doc and rm binary (#716)\n\nSigned-off-by: laurentsimon ", + "timestamp": "2023-10-16T13:44:13-07:00", + "tree_id": "b70b194feb7247be9885bfff95f9640c84d0b8f5", + "url": "https://github.com/slsa-framework/slsa-verifier/commit/7e1e47d7d793930ab0082c15c2b971fdb53a3c95" + }, + "organization": { + "avatar_url": "https://avatars.githubusercontent.com/u/80431187?v=4", + "description": "Supply-chain Levels for Software Artifacts", + "events_url": "https://api.github.com/orgs/slsa-framework/events", + "hooks_url": 
"https://api.github.com/orgs/slsa-framework/hooks", + "id": 80431187, + "issues_url": "https://api.github.com/orgs/slsa-framework/issues", + "login": "slsa-framework", + "members_url": "https://api.github.com/orgs/slsa-framework/members{/member}", + "node_id": "MDEyOk9yZ2FuaXphdGlvbjgwNDMxMTg3", + "public_members_url": "https://api.github.com/orgs/slsa-framework/public_members{/member}", + "repos_url": "https://api.github.com/orgs/slsa-framework/repos", + "url": "https://api.github.com/orgs/slsa-framework" + }, + "pusher": { + "email": "64505099+laurentsimon@users.noreply.github.com", + "name": "laurentsimon" + }, + "ref": "refs/tags/v2.4.1", + "repository": { + "allow_forking": true, + "archive_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/{archive_format}{/ref}", + "archived": false, + "assignees_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/assignees{/user}", + "blobs_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/git/blobs{/sha}", + "branches_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/branches{/branch}", + "clone_url": "https://github.com/slsa-framework/slsa-verifier.git", + "collaborators_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/collaborators{/collaborator}", + "comments_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/comments{/number}", + "commits_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/commits{/sha}", + "compare_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/compare/{base}...{head}", + "contents_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/contents/{+path}", + "contributors_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/contributors", + "created_at": 1648242107, + "custom_properties": {}, + "default_branch": "main", + "deployments_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/deployments", + "description": "Verify provenance from SLSA 
compliant builders", + "disabled": false, + "downloads_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/downloads", + "events_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/events", + "fork": false, + "forks": 35, + "forks_count": 35, + "forks_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/forks", + "full_name": "slsa-framework/slsa-verifier", + "git_commits_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/git/commits{/sha}", + "git_refs_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/git/refs{/sha}", + "git_tags_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/git/tags{/sha}", + "git_url": "git://github.com/slsa-framework/slsa-verifier.git", + "has_discussions": false, + "has_downloads": true, + "has_issues": true, + "has_pages": false, + "has_projects": true, + "has_wiki": true, + "homepage": "", + "hooks_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/hooks", + "html_url": "https://github.com/slsa-framework/slsa-verifier", + "id": 474162642, + "is_template": false, + "issue_comment_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/issues/comments{/number}", + "issue_events_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/issues/events{/number}", + "issues_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/issues{/number}", + "keys_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/keys{/key_id}", + "labels_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/labels{/name}", + "language": "Go", + "languages_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/languages", + "license": { + "key": "apache-2.0", + "name": "Apache License 2.0", + "node_id": "MDc6TGljZW5zZTI=", + "spdx_id": "Apache-2.0", + "url": "https://api.github.com/licenses/apache-2.0" + }, + "master_branch": "main", + "merges_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/merges", 
+ "milestones_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/milestones{/number}", + "mirror_url": null, + "name": "slsa-verifier", + "node_id": "R_kgDOHEMl0g", + "notifications_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/notifications{?since,all,participating}", + "open_issues": 123, + "open_issues_count": 123, + "organization": "slsa-framework", + "owner": { + "avatar_url": "https://avatars.githubusercontent.com/u/80431187?v=4", + "email": null, + "events_url": "https://api.github.com/users/slsa-framework/events{/privacy}", + "followers_url": "https://api.github.com/users/slsa-framework/followers", + "following_url": "https://api.github.com/users/slsa-framework/following{/other_user}", + "gists_url": "https://api.github.com/users/slsa-framework/gists{/gist_id}", + "gravatar_id": "", + "html_url": "https://github.com/slsa-framework", + "id": 80431187, + "login": "slsa-framework", + "name": "slsa-framework", + "node_id": "MDEyOk9yZ2FuaXphdGlvbjgwNDMxMTg3", + "organizations_url": "https://api.github.com/users/slsa-framework/orgs", + "received_events_url": "https://api.github.com/users/slsa-framework/received_events", + "repos_url": "https://api.github.com/users/slsa-framework/repos", + "site_admin": false, + "starred_url": "https://api.github.com/users/slsa-framework/starred{/owner}{/repo}", + "subscriptions_url": "https://api.github.com/users/slsa-framework/subscriptions", + "type": "Organization", + "url": "https://api.github.com/users/slsa-framework" + }, + "private": false, + "pulls_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/pulls{/number}", + "pushed_at": 1699396985, + "releases_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/releases{/id}", + "size": 88467, + "ssh_url": "git@github.com:slsa-framework/slsa-verifier.git", + "stargazers": 170, + "stargazers_count": 170, + "stargazers_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/stargazers", + "statuses_url": 
"https://api.github.com/repos/slsa-framework/slsa-verifier/statuses/{sha}", + "subscribers_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/subscribers", + "subscription_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/subscription", + "svn_url": "https://github.com/slsa-framework/slsa-verifier", + "tags_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/tags", + "teams_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/teams", + "topics": [], + "trees_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/git/trees{/sha}", + "updated_at": "2023-10-17T17:58:10Z", + "url": "https://github.com/slsa-framework/slsa-verifier", + "visibility": "public", + "watchers": 170, + "watchers_count": 170, + "web_commit_signoff_required": true + }, + "sender": { + "avatar_url": "https://avatars.githubusercontent.com/u/64505099?v=4", + "events_url": "https://api.github.com/users/laurentsimon/events{/privacy}", + "followers_url": "https://api.github.com/users/laurentsimon/followers", + "following_url": "https://api.github.com/users/laurentsimon/following{/other_user}", + "gists_url": "https://api.github.com/users/laurentsimon/gists{/gist_id}", + "gravatar_id": "", + "html_url": "https://github.com/laurentsimon", + "id": 64505099, + "login": "laurentsimon", + "node_id": "MDQ6VXNlcjY0NTA1MDk5", + "organizations_url": "https://api.github.com/users/laurentsimon/orgs", + "received_events_url": "https://api.github.com/users/laurentsimon/received_events", + "repos_url": "https://api.github.com/users/laurentsimon/repos", + "site_admin": false, + "starred_url": "https://api.github.com/users/laurentsimon/starred{/owner}{/repo}", + "subscriptions_url": "https://api.github.com/users/laurentsimon/subscriptions", + "type": "User", + "url": "https://api.github.com/users/laurentsimon" + } + }, + "github_head_ref": "", + "github_ref": "refs/tags/v2.4.1", + "github_ref_type": "tag", + "github_repository_id": "474162642", + 
"github_repository_owner": "slsa-framework", + "github_repository_owner_id": "80431187", + "github_run_attempt": "1", + "github_run_id": "6791195934", + "github_run_number": "511", + "github_sha1": "7e1e47d7d793930ab0082c15c2b971fdb53a3c95", + "os": "ubuntu22" + } + }, + "buildConfig": { + "steps": [ + { + "workingDir": "/home/runner/work/slsa-verifier/slsa-verifier/__PROJECT_CHECKOUT_DIR__/cli/slsa-verifier", + "command": [ + "/opt/hostedtoolcache/go/1.20.10/x64/bin/go", + "mod", + "vendor" + ], + "env": null + }, + { + "workingDir": "/home/runner/work/slsa-verifier/slsa-verifier/__PROJECT_CHECKOUT_DIR__/cli/slsa-verifier", + "command": [ + "/opt/hostedtoolcache/go/1.20.10/x64/bin/go", + "build", + "-mod=vendor", + "-trimpath", + "-tags=netgo", + "-ldflags=-X sigs.k8s.io/release-utils/version.gitVersion=2.4.1", + "-o", + "slsa-verifier-linux-arm64" + ], + "env": [ + "GOOS=linux", + "GOARCH=arm64", + "GO111MODULE=on", + "CGO_ENABLED=0" + ] + } + ], + "version": 1 + }, + "metadata": { + "buildInvocationID": "6791195934-1", + "completeness": { + "parameters": true, + "environment": false, + "materials": false + }, + "reproducible": false + }, + "materials": [ + { + "uri": "git+https://github.com/slsa-framework/slsa-verifier@refs/tags/v2.4.1", + "digest": { + "sha1": "7e1e47d7d793930ab0082c15c2b971fdb53a3c95" + } + }, + { + "uri": "https://github.com/actions/virtual-environments/releases/tag/ubuntu22/20231030.2.0" + } + ] + } + }, + { + "_type": "https://in-toto.io/Statement/v0.1", + "predicateType": "https://slsa.dev/provenance/v0.2", + "subject": [ + { + "name": "slsa-verifier-windows-amd64.exe", + "digest": { + "sha256": "cda4a71f6e6fbfb32aa5b461b650d807503ad509145dc0df9b68adb9e23e674f" + } + } + ], + "predicate": { + "builder": { + "id": "https://github.com/slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@refs/tags/v1.8.0" + }, + "buildType": "https://github.com/slsa-framework/slsa-github-generator/go@v1", + "invocation": { + 
"configSource": { + "uri": "git+https://github.com/slsa-framework/slsa-verifier@refs/tags/v2.4.1", + "digest": { + "sha1": "7e1e47d7d793930ab0082c15c2b971fdb53a3c95" + }, + "entryPoint": ".github/workflows/release.yml" + }, + "parameters": {}, + "environment": { + "arch": "X64", + "github_actor": "laurentsimon", + "github_actor_id": "64505099", + "github_base_ref": "", + "github_event_name": "push", + "github_event_payload": { + "after": "7e1e47d7d793930ab0082c15c2b971fdb53a3c95", + "base_ref": "refs/heads/main", + "before": "0000000000000000000000000000000000000000", + "commits": [], + "compare": "https://github.com/slsa-framework/slsa-verifier/compare/v2.4.1", + "created": true, + "deleted": false, + "forced": false, + "head_commit": { + "author": { + "email": "64505099+laurentsimon@users.noreply.github.com", + "name": "laurentsimon", + "username": "laurentsimon" + }, + "committer": { + "email": "noreply@github.com", + "name": "GitHub", + "username": "web-flow" + }, + "distinct": true, + "id": "7e1e47d7d793930ab0082c15c2b971fdb53a3c95", + "message": "docs: update release doc and rm binary (#716)\n\nSigned-off-by: laurentsimon ", + "timestamp": "2023-10-16T13:44:13-07:00", + "tree_id": "b70b194feb7247be9885bfff95f9640c84d0b8f5", + "url": "https://github.com/slsa-framework/slsa-verifier/commit/7e1e47d7d793930ab0082c15c2b971fdb53a3c95" + }, + "organization": { + "avatar_url": "https://avatars.githubusercontent.com/u/80431187?v=4", + "description": "Supply-chain Levels for Software Artifacts", + "events_url": "https://api.github.com/orgs/slsa-framework/events", + "hooks_url": "https://api.github.com/orgs/slsa-framework/hooks", + "id": 80431187, + "issues_url": "https://api.github.com/orgs/slsa-framework/issues", + "login": "slsa-framework", + "members_url": "https://api.github.com/orgs/slsa-framework/members{/member}", + "node_id": "MDEyOk9yZ2FuaXphdGlvbjgwNDMxMTg3", + "public_members_url": "https://api.github.com/orgs/slsa-framework/public_members{/member}", + 
"repos_url": "https://api.github.com/orgs/slsa-framework/repos", + "url": "https://api.github.com/orgs/slsa-framework" + }, + "pusher": { + "email": "64505099+laurentsimon@users.noreply.github.com", + "name": "laurentsimon" + }, + "ref": "refs/tags/v2.4.1", + "repository": { + "allow_forking": true, + "archive_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/{archive_format}{/ref}", + "archived": false, + "assignees_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/assignees{/user}", + "blobs_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/git/blobs{/sha}", + "branches_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/branches{/branch}", + "clone_url": "https://github.com/slsa-framework/slsa-verifier.git", + "collaborators_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/collaborators{/collaborator}", + "comments_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/comments{/number}", + "commits_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/commits{/sha}", + "compare_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/compare/{base}...{head}", + "contents_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/contents/{+path}", + "contributors_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/contributors", + "created_at": 1648242107, + "custom_properties": {}, + "default_branch": "main", + "deployments_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/deployments", + "description": "Verify provenance from SLSA compliant builders", + "disabled": false, + "downloads_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/downloads", + "events_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/events", + "fork": false, + "forks": 35, + "forks_count": 35, + "forks_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/forks", + "full_name": "slsa-framework/slsa-verifier", + 
"git_commits_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/git/commits{/sha}", + "git_refs_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/git/refs{/sha}", + "git_tags_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/git/tags{/sha}", + "git_url": "git://github.com/slsa-framework/slsa-verifier.git", + "has_discussions": false, + "has_downloads": true, + "has_issues": true, + "has_pages": false, + "has_projects": true, + "has_wiki": true, + "homepage": "", + "hooks_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/hooks", + "html_url": "https://github.com/slsa-framework/slsa-verifier", + "id": 474162642, + "is_template": false, + "issue_comment_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/issues/comments{/number}", + "issue_events_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/issues/events{/number}", + "issues_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/issues{/number}", + "keys_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/keys{/key_id}", + "labels_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/labels{/name}", + "language": "Go", + "languages_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/languages", + "license": { + "key": "apache-2.0", + "name": "Apache License 2.0", + "node_id": "MDc6TGljZW5zZTI=", + "spdx_id": "Apache-2.0", + "url": "https://api.github.com/licenses/apache-2.0" + }, + "master_branch": "main", + "merges_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/merges", + "milestones_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/milestones{/number}", + "mirror_url": null, + "name": "slsa-verifier", + "node_id": "R_kgDOHEMl0g", + "notifications_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/notifications{?since,all,participating}", + "open_issues": 123, + "open_issues_count": 123, + "organization": "slsa-framework", + "owner": 
{ + "avatar_url": "https://avatars.githubusercontent.com/u/80431187?v=4", + "email": null, + "events_url": "https://api.github.com/users/slsa-framework/events{/privacy}", + "followers_url": "https://api.github.com/users/slsa-framework/followers", + "following_url": "https://api.github.com/users/slsa-framework/following{/other_user}", + "gists_url": "https://api.github.com/users/slsa-framework/gists{/gist_id}", + "gravatar_id": "", + "html_url": "https://github.com/slsa-framework", + "id": 80431187, + "login": "slsa-framework", + "name": "slsa-framework", + "node_id": "MDEyOk9yZ2FuaXphdGlvbjgwNDMxMTg3", + "organizations_url": "https://api.github.com/users/slsa-framework/orgs", + "received_events_url": "https://api.github.com/users/slsa-framework/received_events", + "repos_url": "https://api.github.com/users/slsa-framework/repos", + "site_admin": false, + "starred_url": "https://api.github.com/users/slsa-framework/starred{/owner}{/repo}", + "subscriptions_url": "https://api.github.com/users/slsa-framework/subscriptions", + "type": "Organization", + "url": "https://api.github.com/users/slsa-framework" + }, + "private": false, + "pulls_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/pulls{/number}", + "pushed_at": 1699396985, + "releases_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/releases{/id}", + "size": 88467, + "ssh_url": "git@github.com:slsa-framework/slsa-verifier.git", + "stargazers": 170, + "stargazers_count": 170, + "stargazers_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/stargazers", + "statuses_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/statuses/{sha}", + "subscribers_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/subscribers", + "subscription_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/subscription", + "svn_url": "https://github.com/slsa-framework/slsa-verifier", + "tags_url": 
"https://api.github.com/repos/slsa-framework/slsa-verifier/tags", + "teams_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/teams", + "topics": [], + "trees_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/git/trees{/sha}", + "updated_at": "2023-10-17T17:58:10Z", + "url": "https://github.com/slsa-framework/slsa-verifier", + "visibility": "public", + "watchers": 170, + "watchers_count": 170, + "web_commit_signoff_required": true + }, + "sender": { + "avatar_url": "https://avatars.githubusercontent.com/u/64505099?v=4", + "events_url": "https://api.github.com/users/laurentsimon/events{/privacy}", + "followers_url": "https://api.github.com/users/laurentsimon/followers", + "following_url": "https://api.github.com/users/laurentsimon/following{/other_user}", + "gists_url": "https://api.github.com/users/laurentsimon/gists{/gist_id}", + "gravatar_id": "", + "html_url": "https://github.com/laurentsimon", + "id": 64505099, + "login": "laurentsimon", + "node_id": "MDQ6VXNlcjY0NTA1MDk5", + "organizations_url": "https://api.github.com/users/laurentsimon/orgs", + "received_events_url": "https://api.github.com/users/laurentsimon/received_events", + "repos_url": "https://api.github.com/users/laurentsimon/repos", + "site_admin": false, + "starred_url": "https://api.github.com/users/laurentsimon/starred{/owner}{/repo}", + "subscriptions_url": "https://api.github.com/users/laurentsimon/subscriptions", + "type": "User", + "url": "https://api.github.com/users/laurentsimon" + } + }, + "github_head_ref": "", + "github_ref": "refs/tags/v2.4.1", + "github_ref_type": "tag", + "github_repository_id": "474162642", + "github_repository_owner": "slsa-framework", + "github_repository_owner_id": "80431187", + "github_run_attempt": "1", + "github_run_id": "6791195934", + "github_run_number": "511", + "github_sha1": "7e1e47d7d793930ab0082c15c2b971fdb53a3c95", + "os": "ubuntu22" + } + }, + "buildConfig": { + "steps": [ + { + "workingDir": 
"/home/runner/work/slsa-verifier/slsa-verifier/__PROJECT_CHECKOUT_DIR__/cli/slsa-verifier", + "command": [ + "/opt/hostedtoolcache/go/1.20.10/x64/bin/go", + "mod", + "vendor" + ], + "env": null + }, + { + "workingDir": "/home/runner/work/slsa-verifier/slsa-verifier/__PROJECT_CHECKOUT_DIR__/cli/slsa-verifier", + "command": [ + "/opt/hostedtoolcache/go/1.20.10/x64/bin/go", + "build", + "-mod=vendor", + "-trimpath", + "-tags=netgo", + "-ldflags=-X sigs.k8s.io/release-utils/version.gitVersion=2.4.1", + "-o", + "slsa-verifier-windows-amd64.exe" + ], + "env": [ + "GOOS=windows", + "GOARCH=amd64", + "GO111MODULE=on", + "CGO_ENABLED=0" + ] + } + ], + "version": 1 + }, + "metadata": { + "buildInvocationID": "6791195934-1", + "completeness": { + "parameters": true, + "environment": false, + "materials": false + }, + "reproducible": false + }, + "materials": [ + { + "uri": "git+https://github.com/slsa-framework/slsa-verifier@refs/tags/v2.4.1", + "digest": { + "sha1": "7e1e47d7d793930ab0082c15c2b971fdb53a3c95" + } + }, + { + "uri": "https://github.com/actions/virtual-environments/releases/tag/ubuntu22/20231030.2.0" + } + ] + } + }, + { + "_type": "https://in-toto.io/Statement/v0.1", + "predicateType": "https://slsa.dev/provenance/v0.2", + "subject": [ + { + "name": "slsa-verifier-windows-arm64.exe", + "digest": { + "sha256": "8f0b03c01271c7228e99f21c89b99c0b02dc0cc7bdce0fe842af1dc7554d644f" + } + } + ], + "predicate": { + "builder": { + "id": "https://github.com/slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@refs/tags/v1.8.0" + }, + "buildType": "https://github.com/slsa-framework/slsa-github-generator/go@v1", + "invocation": { + "configSource": { + "uri": "git+https://github.com/slsa-framework/slsa-verifier@refs/tags/v2.4.1", + "digest": { + "sha1": "7e1e47d7d793930ab0082c15c2b971fdb53a3c95" + }, + "entryPoint": ".github/workflows/release.yml" + }, + "parameters": {}, + "environment": { + "arch": "X64", + "github_actor": "laurentsimon", + 
"github_actor_id": "64505099", + "github_base_ref": "", + "github_event_name": "push", + "github_event_payload": { + "after": "7e1e47d7d793930ab0082c15c2b971fdb53a3c95", + "base_ref": "refs/heads/main", + "before": "0000000000000000000000000000000000000000", + "commits": [], + "compare": "https://github.com/slsa-framework/slsa-verifier/compare/v2.4.1", + "created": true, + "deleted": false, + "forced": false, + "head_commit": { + "author": { + "email": "64505099+laurentsimon@users.noreply.github.com", + "name": "laurentsimon", + "username": "laurentsimon" + }, + "committer": { + "email": "noreply@github.com", + "name": "GitHub", + "username": "web-flow" + }, + "distinct": true, + "id": "7e1e47d7d793930ab0082c15c2b971fdb53a3c95", + "message": "docs: update release doc and rm binary (#716)\n\nSigned-off-by: laurentsimon ", + "timestamp": "2023-10-16T13:44:13-07:00", + "tree_id": "b70b194feb7247be9885bfff95f9640c84d0b8f5", + "url": "https://github.com/slsa-framework/slsa-verifier/commit/7e1e47d7d793930ab0082c15c2b971fdb53a3c95" + }, + "organization": { + "avatar_url": "https://avatars.githubusercontent.com/u/80431187?v=4", + "description": "Supply-chain Levels for Software Artifacts", + "events_url": "https://api.github.com/orgs/slsa-framework/events", + "hooks_url": "https://api.github.com/orgs/slsa-framework/hooks", + "id": 80431187, + "issues_url": "https://api.github.com/orgs/slsa-framework/issues", + "login": "slsa-framework", + "members_url": "https://api.github.com/orgs/slsa-framework/members{/member}", + "node_id": "MDEyOk9yZ2FuaXphdGlvbjgwNDMxMTg3", + "public_members_url": "https://api.github.com/orgs/slsa-framework/public_members{/member}", + "repos_url": "https://api.github.com/orgs/slsa-framework/repos", + "url": "https://api.github.com/orgs/slsa-framework" + }, + "pusher": { + "email": "64505099+laurentsimon@users.noreply.github.com", + "name": "laurentsimon" + }, + "ref": "refs/tags/v2.4.1", + "repository": { + "allow_forking": true, + "archive_url": 
"https://api.github.com/repos/slsa-framework/slsa-verifier/{archive_format}{/ref}", + "archived": false, + "assignees_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/assignees{/user}", + "blobs_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/git/blobs{/sha}", + "branches_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/branches{/branch}", + "clone_url": "https://github.com/slsa-framework/slsa-verifier.git", + "collaborators_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/collaborators{/collaborator}", + "comments_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/comments{/number}", + "commits_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/commits{/sha}", + "compare_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/compare/{base}...{head}", + "contents_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/contents/{+path}", + "contributors_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/contributors", + "created_at": 1648242107, + "custom_properties": {}, + "default_branch": "main", + "deployments_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/deployments", + "description": "Verify provenance from SLSA compliant builders", + "disabled": false, + "downloads_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/downloads", + "events_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/events", + "fork": false, + "forks": 35, + "forks_count": 35, + "forks_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/forks", + "full_name": "slsa-framework/slsa-verifier", + "git_commits_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/git/commits{/sha}", + "git_refs_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/git/refs{/sha}", + "git_tags_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/git/tags{/sha}", + "git_url": 
"git://github.com/slsa-framework/slsa-verifier.git", + "has_discussions": false, + "has_downloads": true, + "has_issues": true, + "has_pages": false, + "has_projects": true, + "has_wiki": true, + "homepage": "", + "hooks_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/hooks", + "html_url": "https://github.com/slsa-framework/slsa-verifier", + "id": 474162642, + "is_template": false, + "issue_comment_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/issues/comments{/number}", + "issue_events_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/issues/events{/number}", + "issues_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/issues{/number}", + "keys_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/keys{/key_id}", + "labels_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/labels{/name}", + "language": "Go", + "languages_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/languages", + "license": { + "key": "apache-2.0", + "name": "Apache License 2.0", + "node_id": "MDc6TGljZW5zZTI=", + "spdx_id": "Apache-2.0", + "url": "https://api.github.com/licenses/apache-2.0" + }, + "master_branch": "main", + "merges_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/merges", + "milestones_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/milestones{/number}", + "mirror_url": null, + "name": "slsa-verifier", + "node_id": "R_kgDOHEMl0g", + "notifications_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/notifications{?since,all,participating}", + "open_issues": 123, + "open_issues_count": 123, + "organization": "slsa-framework", + "owner": { + "avatar_url": "https://avatars.githubusercontent.com/u/80431187?v=4", + "email": null, + "events_url": "https://api.github.com/users/slsa-framework/events{/privacy}", + "followers_url": "https://api.github.com/users/slsa-framework/followers", + "following_url": 
"https://api.github.com/users/slsa-framework/following{/other_user}", + "gists_url": "https://api.github.com/users/slsa-framework/gists{/gist_id}", + "gravatar_id": "", + "html_url": "https://github.com/slsa-framework", + "id": 80431187, + "login": "slsa-framework", + "name": "slsa-framework", + "node_id": "MDEyOk9yZ2FuaXphdGlvbjgwNDMxMTg3", + "organizations_url": "https://api.github.com/users/slsa-framework/orgs", + "received_events_url": "https://api.github.com/users/slsa-framework/received_events", + "repos_url": "https://api.github.com/users/slsa-framework/repos", + "site_admin": false, + "starred_url": "https://api.github.com/users/slsa-framework/starred{/owner}{/repo}", + "subscriptions_url": "https://api.github.com/users/slsa-framework/subscriptions", + "type": "Organization", + "url": "https://api.github.com/users/slsa-framework" + }, + "private": false, + "pulls_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/pulls{/number}", + "pushed_at": 1699396985, + "releases_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/releases{/id}", + "size": 88467, + "ssh_url": "git@github.com:slsa-framework/slsa-verifier.git", + "stargazers": 170, + "stargazers_count": 170, + "stargazers_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/stargazers", + "statuses_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/statuses/{sha}", + "subscribers_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/subscribers", + "subscription_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/subscription", + "svn_url": "https://github.com/slsa-framework/slsa-verifier", + "tags_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/tags", + "teams_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/teams", + "topics": [], + "trees_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/git/trees{/sha}", + "updated_at": "2023-10-17T17:58:10Z", + "url": 
"https://github.com/slsa-framework/slsa-verifier", + "visibility": "public", + "watchers": 170, + "watchers_count": 170, + "web_commit_signoff_required": true + }, + "sender": { + "avatar_url": "https://avatars.githubusercontent.com/u/64505099?v=4", + "events_url": "https://api.github.com/users/laurentsimon/events{/privacy}", + "followers_url": "https://api.github.com/users/laurentsimon/followers", + "following_url": "https://api.github.com/users/laurentsimon/following{/other_user}", + "gists_url": "https://api.github.com/users/laurentsimon/gists{/gist_id}", + "gravatar_id": "", + "html_url": "https://github.com/laurentsimon", + "id": 64505099, + "login": "laurentsimon", + "node_id": "MDQ6VXNlcjY0NTA1MDk5", + "organizations_url": "https://api.github.com/users/laurentsimon/orgs", + "received_events_url": "https://api.github.com/users/laurentsimon/received_events", + "repos_url": "https://api.github.com/users/laurentsimon/repos", + "site_admin": false, + "starred_url": "https://api.github.com/users/laurentsimon/starred{/owner}{/repo}", + "subscriptions_url": "https://api.github.com/users/laurentsimon/subscriptions", + "type": "User", + "url": "https://api.github.com/users/laurentsimon" + } + }, + "github_head_ref": "", + "github_ref": "refs/tags/v2.4.1", + "github_ref_type": "tag", + "github_repository_id": "474162642", + "github_repository_owner": "slsa-framework", + "github_repository_owner_id": "80431187", + "github_run_attempt": "1", + "github_run_id": "6791195934", + "github_run_number": "511", + "github_sha1": "7e1e47d7d793930ab0082c15c2b971fdb53a3c95", + "os": "ubuntu22" + } + }, + "buildConfig": { + "steps": [ + { + "workingDir": "/home/runner/work/slsa-verifier/slsa-verifier/__PROJECT_CHECKOUT_DIR__/cli/slsa-verifier", + "command": [ + "/opt/hostedtoolcache/go/1.20.10/x64/bin/go", + "mod", + "vendor" + ], + "env": null + }, + { + "workingDir": "/home/runner/work/slsa-verifier/slsa-verifier/__PROJECT_CHECKOUT_DIR__/cli/slsa-verifier", + "command": [ + 
"/opt/hostedtoolcache/go/1.20.10/x64/bin/go", + "build", + "-mod=vendor", + "-trimpath", + "-tags=netgo", + "-ldflags=-X sigs.k8s.io/release-utils/version.gitVersion=2.4.1", + "-o", + "slsa-verifier-windows-arm64.exe" + ], + "env": [ + "GOOS=windows", + "GOARCH=arm64", + "CGO_ENABLED=0", + "GO111MODULE=on" + ] + } + ], + "version": 1 + }, + "metadata": { + "buildInvocationID": "6791195934-1", + "completeness": { + "parameters": true, + "environment": false, + "materials": false + }, + "reproducible": false + }, + "materials": [ + { + "uri": "git+https://github.com/slsa-framework/slsa-verifier@refs/tags/v2.4.1", + "digest": { + "sha1": "7e1e47d7d793930ab0082c15c2b971fdb53a3c95" + } + }, + { + "uri": "https://github.com/actions/virtual-environments/releases/tag/ubuntu22/20231030.2.0" + } + ] + } + } + ], + "Maven Central Registry": [], + "npm Registry": [] + } + }, + "checks": { + "summary": { + "DISABLED": 0, + "FAILED": 2, + "PASSED": 7, + "SKIPPED": 0, + "UNKNOWN": 1 + }, + "results": [ + { + "check_id": "mcn_provenance_expectation_1", + "check_description": "Check whether the SLSA provenance for the produced artifact conforms to the expected value.", + "slsa_requirements": [ + "Provenance conforms with expectations - SLSA Level 3" + ], + "justification": [ + "No expectation defined for this repository." + ], + "result_type": "UNKNOWN" + }, + { + "check_id": "mcn_build_as_code_1", + "check_description": "The build definition and configuration executed by the build service is verifiably derived from text file definitions stored in a version control system.", + "slsa_requirements": [ + "Build as code - SLSA Level 3" + ], + "justification": [ + "Check mcn_build_as_code_1 is set to PASSED because mcn_trusted_builder_level_three_1 PASSED." 
+ ], + "result_type": "PASSED" + }, + { + "check_id": "mcn_build_script_1", + "check_description": "Check if the target repo has a valid build script.", + "slsa_requirements": [ + "Scripted Build - SLSA Level 1" + ], + "justification": [ + "Check mcn_build_script_1 is set to PASSED because mcn_build_service_1 PASSED." + ], + "result_type": "PASSED" + }, + { + "check_id": "mcn_build_service_1", + "check_description": "Check if the target repo has a valid build service.", + "slsa_requirements": [ + "Build service - SLSA Level 2" + ], + "justification": [ + "Check mcn_build_service_1 is set to PASSED because mcn_build_as_code_1 PASSED." + ], + "result_type": "PASSED" + }, + { + "check_id": "mcn_provenance_available_1", + "check_description": "Check whether the target has intoto provenance.", + "slsa_requirements": [ + "Provenance - Available - SLSA Level 1", + "Provenance content - Identifies build instructions - SLSA Level 1", + "Provenance content - Identifies artifacts - SLSA Level 1", + "Provenance content - Identifies builder - SLSA Level 1" + ], + "justification": [ + "Found provenance in release assets:", + "https://api.github.com/repos/slsa-framework/slsa-verifier/releases/assets/134437052", + "https://api.github.com/repos/slsa-framework/slsa-verifier/releases/assets/134437111", + "https://api.github.com/repos/slsa-framework/slsa-verifier/releases/assets/134437099", + "https://api.github.com/repos/slsa-framework/slsa-verifier/releases/assets/134437059", + "https://api.github.com/repos/slsa-framework/slsa-verifier/releases/assets/134437166", + "https://api.github.com/repos/slsa-framework/slsa-verifier/releases/assets/134437048" + ], + "result_type": "PASSED" + }, + { + "check_id": "mcn_provenance_level_three_1", + "check_description": "Check whether the target has SLSA provenance level 3.", + "slsa_requirements": [ + "Provenance - Non falsifiable - SLSA Level 3", + "Provenance content - Includes all build parameters - SLSA Level 3", + "Provenance content - 
Identifies entry point - SLSA Level 3", + "Provenance content - Identifies source code - SLSA Level 2" + ], + "justification": [ + "Successfully verified level 3: ", + "verify passed : slsa-verifier-darwin-amd64,verify passed : slsa-verifier-darwin-arm64,verify passed : slsa-verifier-linux-amd64,verify passed : slsa-verifier-linux-arm64,verify passed : slsa-verifier-windows-amd64.exe,verify passed : slsa-verifier-windows-arm64.exe" + ], + "result_type": "PASSED" + }, + { + "check_id": "mcn_trusted_builder_level_three_1", + "check_description": "Check whether the target uses a trusted SLSA level 3 builder.", + "slsa_requirements": [ + "Hermetic - SLSA Level 4", + "Isolated - SLSA Level 3", + "Parameterless - SLSA Level 4", + "Ephemeral environment - SLSA Level 3" + ], + "justification": [ + { + "Found trusted builder GitHub Actions: slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@v1.8.0 triggered by": "https://github.com/slsa-framework/slsa-verifier/blob/7e1e47d7d793930ab0082c15c2b971fdb53a3c95/.github/workflows/release.yml" + }, + { + "The status of the build can be seen at": "https://github.com/slsa-framework/slsa-verifier/actions/runs/6791195934" + } + ], + "result_type": "PASSED" + }, + { + "check_id": "mcn_version_control_system_1", + "check_description": "Check whether the target repo uses a version control system.", + "slsa_requirements": [ + "Version controlled - SLSA Level 2" + ], + "justification": [ + { + "This is a Git repository": "https://github.com/slsa-framework/slsa-verifier" + } + ], + "result_type": "PASSED" + }, + { + "check_id": "mcn_infer_artifact_pipeline_1", + "check_description": "Detects potential pipelines from which an artifact is published.", + "slsa_requirements": [ + "Build as code - SLSA Level 3" + ], + "justification": [ + "Unable to find a publishing timestamp for the artifact." 
+ ], + "result_type": "FAILED" + }, + { + "check_id": "mcn_provenance_witness_level_one_1", + "check_description": "Check whether the target has a level-1 witness provenance.", + "slsa_requirements": [ + "Provenance - Available - SLSA Level 1", + "Provenance content - Identifies build instructions - SLSA Level 1", + "Provenance content - Identifies artifacts - SLSA Level 1", + "Provenance content - Identifies builder - SLSA Level 1" + ], + "justification": [ + "Failed to discover any witness provenance." + ], + "result_type": "FAILED" + } + ] + } + }, + "dependencies": { + "analyzed_deps": 0, + "unique_dep_repos": 0, + "checks_summary": [ + { + "check_id": "mcn_build_script_1", + "num_deps_pass": 0 + }, + { + "check_id": "mcn_build_service_1", + "num_deps_pass": 0 + }, + { + "check_id": "mcn_trusted_builder_level_three_1", + "num_deps_pass": 0 + }, + { + "check_id": "mcn_version_control_system_1", + "num_deps_pass": 0 + }, + { + "check_id": "mcn_build_as_code_1", + "num_deps_pass": 0 + }, + { + "check_id": "mcn_provenance_available_1", + "num_deps_pass": 0 + }, + { + "check_id": "mcn_provenance_expectation_1", + "num_deps_pass": 0 + }, + { + "check_id": "mcn_infer_artifact_pipeline_1", + "num_deps_pass": 0 + }, + { + "check_id": "mcn_provenance_witness_level_one_1", + "num_deps_pass": 0 + }, + { + "check_id": "mcn_provenance_level_three_1", + "num_deps_pass": 0 + } + ], + "dep_status": [] + } +} diff --git a/tests/vsa/integration/github_slsa-framework_slsa-verifier/vsa.intoto.jsonl b/tests/vsa/integration/github_slsa-framework_slsa-verifier/vsa.intoto.jsonl new file mode 100644 index 000000000..0b9b1f13e --- /dev/null +++ b/tests/vsa/integration/github_slsa-framework_slsa-verifier/vsa.intoto.jsonl 
@@ -0,0 +1,24 @@
+{
+ "_type": "https://in-toto.io/Statement/v1",
+ "subject": [
+ {
+ "uri": "pkg:github.com/slsa-framework/slsa-verifier@7e1e47d7d793930ab0082c15c2b971fdb53a3c95"
+ }
+ ],
+ "predicateType": "https://slsa.dev/verification_summary/v1",
+ "predicate": {
+ "verifier": {
+ "id": "https://github.com/oracle/macaron",
+ "version": {
+ "macaron": "0.6.0"
+ }
+ },
+ "timeVerified": "2024-01-04T11:13:03.496399Z",
+ "resourceUri": "pkg:github.com/slsa-framework/slsa-verifier@7e1e47d7d793930ab0082c15c2b971fdb53a3c95",
+ "policy": {
+ "content": "/* Copyright (c) 2024 - 2024, Oracle and/or its affiliates. All rights reserved. */\n/* Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/. */\n\n#include \"prelude.dl\"\n\nPolicy(\"slsa_verifier_policy\", component_id, \"Policy for SLSA Verifier\") :-\n check_passed(component_id, \"mcn_build_as_code_1\"),\n check_passed(component_id, \"mcn_provenance_level_three_1\"),\n check_passed(component_id, \"mcn_provenance_available_1\").\n\napply_policy_to(\"slsa_verifier_policy\", component_id) :-\n is_repo(\n _, // repo_id\n \"github.com/slsa-framework/slsa-verifier\",\n component_id\n ).\n"
+ },
+ "verificationResult": "PASSED",
+ "verifiedLevels": []
+ }
+}
From e5e1d30f7c7c601525f3ba196cb8052207c87be6 Mon Sep 17 00:00:00 2001 From: Nathan Nguyen Date: Sat, 6 Jan 2024 00:07:28 +1000 Subject: [PATCH 03/30] chore: add unit tests for compare vsa script --- tests/vsa/compare_vsa.py | 9 +- tests/vsa/test_compare_vsa.py | 175 ++++++++++++++++++++++++++++++++++ 2 files changed, 180 insertions(+), 4 deletions(-) create mode 100644 tests/vsa/test_compare_vsa.py
diff --git a/tests/vsa/compare_vsa.py b/tests/vsa/compare_vsa.py
index 39ef54ae9..e881195c2 100644
--- a/tests/vsa/compare_vsa.py
+++ b/tests/vsa/compare_vsa.py
@@ -80,7 +80,7 @@ def compare_json(
 - At the top level: empty string ""
 - A subfield "bar" in an object field with name ".foo" has the name ".foo.bar".
 - A subfield "baz" in an object field with name ".foo.bar" has the name ".foo.bar.baz".
- - All array elements in an array field with name ".foo" have the name ".foo[*]".
+ - The ith element in an array field with name ".foo" have the name ".foo[i]".
 
 Returns
 -------
@@ -104,7 +104,8 @@ def compare_json(
 return compare_dict(result, expected, compare_fn_map, name)
 
 if result != expected:
- log_err(f"Mismatch found in '{name}': expected {expected}, found {result}.")
+ log_err(f"Mismatch found in '{name}'")
+ log_diff(result, expected)
 return False
 
 return True
@@ -142,12 +143,12 @@ def compare_list(
 
 equal = True
 
- for result_element, expected_element in zip(result, expected):
+ for i, (result_element, expected_element) in enumerate(zip(result, expected)):
 equal &= compare_json(
 result=result_element,
 expected=expected_element,
 compare_fn_map=compare_fn_map,
- name=f"{name}[*]",
+ name=f"{name}[{i}]",
 )
 
 return equal
diff --git a/tests/vsa/test_compare_vsa.py b/tests/vsa/test_compare_vsa.py
new file mode 100644
index 000000000..a49db8d3f
--- /dev/null
+++ b/tests/vsa/test_compare_vsa.py
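Review bot: The rewritten docstring bullet in the first hunk has a grammar slip and under-describes the new naming: `- The i-th element of an array field with name ".foo" has the name ".foo[i]".` reads correctly, and the bullet should also state that the old `.foo[*]` wildcard is no longer recognised, because `compare_list` in the third hunk now emits `f"{name}[{i}]"`, so a `compare_fn_map` entry (such as `skip_compare`) has to be registered per concrete index rather than once for every element. `log_diff`, called from the second hunk, is not defined anywhere in this diff; presumably it exists elsewhere in compare_vsa.py. Both `compare_json` and `compare_list` start outside these hunks.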
@@ -0,0 +1,175 @@ +# Copyright (c) 2024 - 2024, Oracle and/or its affiliates. All rights reserved. +# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/. + +"""Tests for the compare VSA script.""" + +import pytest + +from macaron.util import JsonType +from tests.vsa.compare_vsa import compare_json, skip_compare + + +@pytest.mark.parametrize( + ("result_value", "expected_value"), + [ + pytest.param( + "1", + 1, + id="Different types of value 1", + ), + pytest.param( + 1, + "1", + id="Different types of value 2", + ), + pytest.param( + [], + {}, + id="Different types of value 3", + ), + pytest.param( + {}, + [], + id="Different types of value 4", + ), + pytest.param( + [1, 3], + [1, 2, 3], + id="Array missing a field", + ), + pytest.param( + [1, 2, 3], + [1, 3], + id="Array having extraneous field", + ), + pytest.param( + { + "foo": 1, + "bar": 2, + }, + { + "foo": 1, + }, + id="Object missing a field", + ), + pytest.param( + { + "baz": { + "foo": 1, + "bar": 2, + }, + }, + { + "baz": { + "foo": 1, + }, + }, + id="Nested object missing a field", + ), + pytest.param( + { + "foo": 1, + }, + { + "foo": 1, + "bar": 2, + }, + id="Object containing extraneous field", + ), + pytest.param( + { + "baz": { + "foo": 1, + }, + }, + { + "baz": { + "foo": 1, + "bar": 2, + }, + }, + id="Nested object containing extraneous field", + ), + ], +) +def test_compare_json_fails(result_value: JsonType, expected_value: JsonType) -> None: + """Test cases where compare should fail.""" + assert ( + compare_json( + result=result_value, + expected=expected_value, + compare_fn_map={}, + ) + is False + ) + + +@pytest.mark.parametrize( + ("result_value", "expected_value", "skipped_field_name"), + [ + pytest.param( + { + "foo": "foo", + }, + { + "foo": "bar", + }, + ".foo", + id="Top-level object field", + ), + pytest.param( + { + "foo": {"bar": "bar"}, + }, + { + "foo": {"bar": "baz"}, + }, + ".foo.bar", + id="Nested object field", + ), + 
pytest.param( + { + "foo": [0, 1, 2], + }, + { + "foo": [0, 99, 2], + }, + ".foo[1]", + id="Array field", + ), + pytest.param( + { + "foo": [ + ["bar1"], + ["bar2a", "bar2b"], + ["bar3"], + ], + }, + { + "foo": [ + ["bar1"], + ["foobar", "bar2b"], + ["bar3"], + ], + }, + ".foo[1][0]", + id="Nested array field", + ), + ], +) +def test_skip_compare( + result_value: JsonType, + expected_value: JsonType, + skipped_field_name: str, +) -> None: + """Test cases where compare should succeed while skipping certain fields.""" + assert ( + compare_json( + result=result_value, + expected=expected_value, + compare_fn_map={ + skipped_field_name: skip_compare, + }, + ) + is True + ) From a694270f8574c23f1191c6789884233800e38331 Mon Sep 17 00:00:00 2001 From: Nathan Nguyen Date: Mon, 8 Jan 2024 09:20:15 +1000 Subject: [PATCH 04/30] chore: update API docs --- .../pages/developers_guide/apidoc/macaron.rst | 1 + .../developers_guide/apidoc/macaron.vsa.rst | 18 ++++++++++++++++++ 2 files changed, 19 insertions(+) create mode 100644 docs/source/pages/developers_guide/apidoc/macaron.vsa.rst diff --git a/docs/source/pages/developers_guide/apidoc/macaron.rst b/docs/source/pages/developers_guide/apidoc/macaron.rst index 01ce11712..b41b65f6d 100644 --- a/docs/source/pages/developers_guide/apidoc/macaron.rst +++ b/docs/source/pages/developers_guide/apidoc/macaron.rst @@ -21,6 +21,7 @@ Subpackages macaron.policy_engine macaron.repo_finder macaron.slsa_analyzer + macaron.vsa Submodules ---------- diff --git a/docs/source/pages/developers_guide/apidoc/macaron.vsa.rst b/docs/source/pages/developers_guide/apidoc/macaron.vsa.rst new file mode 100644 index 000000000..7e2b404a2 --- /dev/null +++ b/docs/source/pages/developers_guide/apidoc/macaron.vsa.rst 
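Review bot: The new `test_skip_compare` only shows that a skip registered for the mismatching path makes the comparison pass; there is no case showing that a skip registered for a different path (for example `skip_compare` under `.foo[0]` while `.foo[1]` differs, or under `.foo.bar` while `.foo.baz` differs) still yields `False`, which is the property that stops an over-broad skip from accepting a wrong VSA in the integration tests. A third parametrised test in the same shape as `test_skip_compare` but asserting `is False` would cover it. The positive path without any skipping, identical nested result and expected values with `compare_fn_map={}` returning `True`, is also untested.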
@@ -0,0 +1,18 @@ +macaron.vsa package +=================== + +.. automodule:: macaron.vsa + :members: + :undoc-members: + :show-inheritance: + +Submodules +---------- + +macaron.vsa.vsa module +---------------------- + +.. automodule:: macaron.vsa.vsa + :members: + :undoc-members: + :show-inheritance: From 8334460935909d7fa8b05ee32fad02107185176d Mon Sep 17 00:00:00 2001 From: Nathan Nguyen Date: Mon, 8 Jan 2024 12:14:08 +1000 Subject: [PATCH 05/30] chore: add public documentation for VSA Signed-off-by: Nathan Nguyen --- docs/source/index.rst | 1 + docs/source/pages/output_files.rst | 63 +++++++++++++++------ docs/source/pages/vsa.rst | 88 ++++++++++++++++++++++++++++++ 3 files changed, 136 insertions(+), 16 deletions(-) create mode 100644 docs/source/pages/vsa.rst diff --git a/docs/source/index.rst b/docs/source/index.rst index 2f742b6c2..79296fc9a 100644 --- a/docs/source/index.rst +++ b/docs/source/index.rst @@ -112,5 +112,6 @@ intermediate representations as abstractions. Using such abstractions, Macaron i pages/cli_usage/index pages/tutorials/index pages/output_files + pages/vsa pages/supported_technologies/index pages/developers_guide/index diff --git a/docs/source/pages/output_files.rst b/docs/source/pages/output_files.rst index 069ee7954..6c5c7ded3 100644 --- a/docs/source/pages/output_files.rst +++ b/docs/source/pages/output_files.rst @@ -9,9 +9,13 @@ Output Files Guide .. note:: Please see :ref:`pages/cli_usage/index:common options` for the instructions on how to set the output directory of Macaron. -------------------- +-------------------------------- +Output files of macaron analyze +-------------------------------- + +^^^^^^^^^^^^^^^^^^^ Top level structure -------------------- +^^^^^^^^^^^^^^^^^^^ .. code-block:: @@ -25,9 +29,9 @@ Top level structure ├── macaron.db └── sbom_debug.json -------- +^^^^^^^ Reports -------- +^^^^^^^ The report files of Macaron (from using the :ref:`analyze command `) are generated into the ``reports`` directory. 
@@ -102,9 +106,9 @@ For example, for ``_ the r ├── dependency_2.json └── ... -------------------- +^^^^^^^^^^^^^^^^^^^ Cloned repositories -------------------- +^^^^^^^^^^^^^^^^^^^ The ``git_repos`` directory is used to clone repositories into during the analysis. Each remote repository is cloned to a unique path within ``git_repos`` following the same strategy as `Unique result path`_. 
@@ -129,37 +133,64 @@ to the directory: .. note:: Please see :ref:`pages/using:analyzing a locally cloned repository` to know how to set the directory for analyzing local repositories. +------------------------------------- +Output files of macaron verify-policy +------------------------------------- + +As part of the ``macaron verify-policy`` command, Macaron generates a :ref:`Verification Summary Attestation` (VSA) with the following strategy: + +* If the Datalog policy applies to a unique software component identified by a unique PURL, a VSA is generated based on the latest analysis results for that specific software component in the Macaron database. +* Otherwise, if the Datalog policy applies to multiple software components identified by multiple different PURLs, no VSA will be generated. + +The VSA file will be generated into ``output/vsa.intoto.jsonl`` by default. + +.. code-block:: + + output/ + └── vsa.intoto.jsonl + + +Users can manually inspect the VSA generated by Macaron with the following command: + +.. code-block:: bash + + cat output/vsa.intoto.json | jq -r '.payload' | base64 -d + + +For more details about the Macaron-generated VSAs, please refer to the :ref:`Verification Summary Attestation page`. + + ------ Others ------ -'''''''''' +^^^^^^^^^^ macaron.db -'''''''''' +^^^^^^^^^^ The file is the SQLite database used by Macaron for storing analysis results. -''''''''' +^^^^^^^^^ debug.log -''''''''' +^^^^^^^^^ This file stores the log messages from the latest run of Macaron. -''''''''' +^^^^^^^^^ build_log -''''''''' +^^^^^^^^^ This is the directory for storing the log from running external components such as `CycloneDx SBOM Maven plugin `_, `CycloneDx SBOM Gradle plugin `_ or the `slsa-verifier `_. -''''''''''''''' +^^^^^^^^^^^^^^^ sbom_debug.json -''''''''''''''' +^^^^^^^^^^^^^^^ This file contain the debug information for running the SBOM generator to obtain dependencies of a repository. 
-''''''''''''''' +^^^^^^^^^^^^^^^ .m2 and .gradle -''''''''''''''' +^^^^^^^^^^^^^^^ These two directories cache the content of ``~/.m2`` and ``~/.gradle`` in the Docker container between different runs (which are mainly updated by the CycloneDX SBOM plugins). diff --git a/docs/source/pages/vsa.rst b/docs/source/pages/vsa.rst new file mode 100644 index 000000000..ceebfc989 --- /dev/null +++ b/docs/source/pages/vsa.rst 
@@ -0,0 +1,88 @@ +================================= +Verification Summary Attestations +================================= + +.. _vsa: + +Macaron generates Verification Summary Attestations (VSAs) as part of its verification to communicate the fact that "some software component has been verified against a policy". + +The concept of VSA in Macaron largely follows the concept of VSA in `SLSA `_ and `in-toto `_. + + +--------- +Use cases +--------- + +The use cases of Macaron VSAs includes, but not limited to: + +- **Caching verification results**: It could be expensive or inconvenient to run a full Macaron verification in certain circumstances. A VSA helps with caching and reusing verification results. +- **Enabling delegated verification**: This allows software consumers to make use of verification results from another party. + + +------ +Schema +------ + +.. code-block:: js+jinja + + { + "_type": "https://in-toto.io/Statement/v1", + "subject": [ + { + "uri": {{ PackageURL of the software component being verified }}, + } + ], + "predicateType": "https://slsa.dev/verification_summary/v1", + "predicate": { + "verifier": { + "id": "https://github.com/oracle/macaron", + "version": { + "macaron": {{ Macaron version }} + } + }, + "timeVerified": "2024-01-04T11:13:03.496399Z", + "resourceUri": {{ PackageURL of the software component being verified }}, + "policy": { + "content": {{ Datalog policy applies to the software component being verified }} + }, + "verificationResult": {{ Either "PASSED" or "FAILED" }}, + "verifiedLevels": [] + } + } + + +------- +Example +------- + +The following is an example of Macaron VSA generated from verification on the `slsa-verifier `_ repository. + + +.. 
code-block:: json + + { + "_type": "https://in-toto.io/Statement/v1", + "subject": [ + { + "uri": "pkg:github.com/slsa-framework/slsa-verifier@7e1e47d7d793930ab0082c15c2b971fdb53a3c95" + } + ], + "predicateType": "https://slsa.dev/verification_summary/v1", + "predicate": { + "verifier": { + "id": "https://github.com/oracle/macaron", + "version": { + "macaron": "0.6.0" + } + }, + "timeVerified": "2024-01-04T11:13:03.496399Z", + "resourceUri": "pkg:github.com/slsa-framework/slsa-verifier@7e1e47d7d793930ab0082c15c2b971fdb53a3c95", + "policy": { + "content": "#include \"prelude.dl\"\n\nPolicy(\"slsa_verifier_policy\", component_id, \"Policy for SLSA Verifier\") :-\n check_passed(component_id, \"mcn_build_as_code_1\"),\n check_passed(component_id, \"mcn_provenance_level_three_1\"),\n check_passed(component_id, \"mcn_provenance_available_1\").\n\napply_policy_to(\"slsa_verifier_policy\", component_id) :-\n is_repo(\n _, // repo_id\n \"github.com/slsa-framework/slsa-verifier\",\n component_id\n ).\n" + }, + "verificationResult": "PASSED", + "verifiedLevels": [] + } + } + +For more details on using the Macaron VSA generation feature, please refer to the :ref:`Output File Guide `. From e4d21c6515c6c67ac3cb255e99806ead40994d9d Mon Sep 17 00:00:00 2001 From: Nathan Nguyen Date: Wed, 10 Jan 2024 13:21:13 +1000 Subject: [PATCH 06/30] chore: adjust vsa decode command for manual inspection Co-authored-by: Behnaz Hassanshahi Signed-off-by: Nathan Nguyen --- docs/source/pages/output_files.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/source/pages/output_files.rst b/docs/source/pages/output_files.rst index 6c5c7ded3..daa507abe 100644 --- a/docs/source/pages/output_files.rst +++ b/docs/source/pages/output_files.rst 
@@ -154,7 +154,7 @@ Users can manually inspect the VSA generated by Macaron with the following comma
 
 .. code-block:: bash
 
- cat output/vsa.intoto.json | jq -r '.payload' | base64 -d
+ cat output/vsa.intoto.jsonl | jq -r '.payload' | base64 -d | jq
 
 
 For more details about the Macaron-generated VSAs, please refer to the :ref:`Verification Summary Attestation page`.
From 7a69d314e65e31a44397bf47e0478385e6e14c09 Mon Sep 17 00:00:00 2001 From: Nathan Nguyen Date: Wed, 10 Jan 2024 13:34:57 +1000 Subject: [PATCH 07/30] chore(docs): add more detailed explanations for VSA fields and usage Signed-off-by: Nathan Nguyen --- docs/source/pages/output_files.rst | 2 +- docs/source/pages/vsa.rst | 88 +++++++++++++++++++++++++++++- 2 files changed, 86 insertions(+), 4 deletions(-)
diff --git a/docs/source/pages/output_files.rst b/docs/source/pages/output_files.rst
index daa507abe..77d156bf4 100644
--- a/docs/source/pages/output_files.rst
+++ b/docs/source/pages/output_files.rst
@@ -150,7 +150,7 @@ The VSA file will be generated into ``output/vsa.intoto.jsonl`` by default.
 └── vsa.intoto.jsonl
 
 
-Users can manually inspect the VSA generated by Macaron with the following command:
+Users can manually inspect the payload of the VSA generated by Macaron with the following command:
 
 .. code-block:: bash
 
diff --git a/docs/source/pages/vsa.rst b/docs/source/pages/vsa.rst
index ceebfc989..0c6b7a8f7 100644
--- a/docs/source/pages/vsa.rst
+++ b/docs/source/pages/vsa.rst
@@ -23,6 +23,20 @@ The use cases of Macaron VSAs includes, but not limited to: Schema ------ +.. Type references +.. _PackageURL: https://github.com/package-url/purl-spec +.. _Envelope: https://github.com/in-toto/attestation/blob/main/spec/v1/envelope.md +.. _TypeURI: https://github.com/in-toto/attestation/blob/main/spec/v1/field_types.md#TypeURI +.. _Timestamp: https://github.com/in-toto/attestation/blob/main/spec/v1/field_types.md#timestamp +.. _ResourceURI: https://github.com/in-toto/attestation/blob/main/spec/v1/field_types.md#ResourceURI +.. _ResourceDescriptor: https://github.com/in-toto/attestation/blob/main/spec/v1/resource_descriptor.md +.. _SlsaResult: https://slsa.dev/spec/v1.0/verification_summary#slsaresult + +Following in-toto attestation schema, the outermost layer if a Macaron-generated VSA is a `DSSE envelope `_ containing a base64-encoded ``payload`` of type `in-toto Statement `_. + +The following is the schema of the Statement layer: + + .. code-block:: js+jinja { @@ -40,7 +54,7 @@ Schema "macaron": {{ Macaron version }} } }, - "timeVerified": "2024-01-04T11:13:03.496399Z", + "timeVerified": {{ The timestamp of when the verification happened }}, "resourceUri": {{ PackageURL of the software component being verified }}, "policy": { "content": {{ Datalog policy applies to the software component being verified }} 
@@ -51,12 +65,56 @@ Schema } + +* ``_type``: string (`TypeURI`_) + Identifier for the schema of the Statement layer. This follows `in-toto v1 Statement layer schema `_ and is always ``https://in-toto.io/Statement/v1``. + +* ``subject``: array of `ResourceDescriptor`_ objects + Subjects of the VSA. Each entry is a software component being verified by Macaron. + + *Note: In the current version of Macaron, this field only contains one single software component, identified by a `PackageURL`_.* + +* ``predicateType``: string (`TypeURI`_) + Identifier for the type of the Predicate. For Macaron-generated VSAs, this is always ``https://slsa.dev/verification_summary/v1``. + +* ``predicate``: object + The Predicate of the attestation, providing information about the verification. + +* ``predicate.verifier``: object + Information about the tool running the verification, which is Macaron. + +* ``predicate.verifier.id``: string (`TypeURI`_) + The identifier for Macaron. + +* ``predicate.timeVerified``: string (`Timestamp`_) + The timestamp of when the verification happened. + +* ``predicate.resourceUri``: string (`ResourceURI`_) + URI identifying the resource associated with the software component being verified. + + *Note: In the current version of Macaron, the value of this field is similar to the `PackageURL`_ identifying the only subject software component of the VSA.* + +* ``policy``: object + Details about the policy that the subject software component was verified against. + +* ``policy.content``: string + The Souffle datalog policy used for verification, in plain text. + +* ``verificationResult``: string, either ``"PASSED"`` or ``"FAILED"`` + The verification result. The result of ``"PASSED"`` means the subject software component conforms to the policy. + +* ``verificationResult``: array (`SlsaResult`_), required + Indicates the highest level of each SLSA track verified for the software component (and not its dependencies), or “FAILED” if policy verification failed. 
+ + *Note: For the current version of Macaron, this is left empty.* + + ------- Example ------- -The following is an example of Macaron VSA generated from verification on the `slsa-verifier `_ repository. +The following is an example payload (Statement layer) of a Macaron VSA generated from verification on the `slsa-verifier `_ repository. .. code-block:: json @@ -85,4 +143,28 @@ The following is an example of Macaron VSA generated from verification on the `s } } -For more details on using the Macaron VSA generation feature, please refer to the :ref:`Output File Guide `. +This VSA communicates that the subject software component ``"pkg:github.com/slsa-framework/slsa-verifier@7e1e47d7d793930ab0082c15c2b971fdb53a3c95"`` passed the following policy in the ``policy.content`` field: + +.. code-block:: prolog + + #include "prelude.dl" + + Policy("slsa_verifier_policy", component_id, "Policy for SLSA Verifier") :- + check_passed(component_id, "mcn_build_as_code_1"), + check_passed(component_id, "mcn_provenance_level_three_1"), + check_passed(component_id, "mcn_provenance_available_1"). + + apply_policy_to("slsa_verifier_policy", component_id) :- + is_repo( + _, // repo_id + "github.com/slsa-framework/slsa-verifier", + component_id + ). + +This policy enforces the subject software component to pass 3 Macaron checks: + +* ``mcn_build_as_code_1`` +* ``mcn_provenance_level_three_1`` +* ``mcn_provenance_available_1`` + +For more details on using the Macaron VSA generation feature and inspecting the resulting VSA, please refer to the :ref:`Output File Guide `. From 9b6338c637d991af44b97b405f165e3bb4170244 Mon Sep 17 00:00:00 2001 From: Nathan Nguyen Date: Wed, 10 Jan 2024 13:39:07 +1000 Subject: [PATCH 08/30] chore: adjust log message when generating a VSA Signed-off-by: Nathan Nguyen --- src/macaron/__main__.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/macaron/__main__.py b/src/macaron/__main__.py index 149a69211..345b67fd5 100644 
--- a/src/macaron/__main__.py +++ b/src/macaron/__main__.py @@ -153,7 +153,7 @@ def verify_policy(verify_policy_args: argparse.Namespace) -> int: vsa = generate_vsa(policy_content=policy_content, policy_result=result) if vsa is not None: vsa_filepath = os.path.join(global_config.output_path, "vsa.intoto.jsonl") - logger.info("Generating a VSA to %s", vsa_filepath) + logger.info("Generating the Verification Summary Attestation (VSA) to %s.", vsa_filepath) try: with open(vsa_filepath, mode="w", encoding="utf-8") as file: file.write(json.dumps(vsa)) From 24896445bedb585bf631f884ae2b8986658e8cc3 Mon Sep 17 00:00:00 2001 From: Nathan Nguyen Date: Wed, 10 Jan 2024 13:46:17 +1000 Subject: [PATCH 09/30] chore: add note about disabling N815 for VSA field names Signed-off-by: Nathan Nguyen --- src/macaron/vsa/vsa.py | 3 +++ 1 file changed, 3 insertions(+) diff --git a/src/macaron/vsa/vsa.py b/src/macaron/vsa/vsa.py index 05ace1649..ecb6d4e99 100644 --- a/src/macaron/vsa/vsa.py +++ b/src/macaron/vsa/vsa.py @@ -12,6 +12,9 @@ from importlib import metadata as importlib_metadata from typing import Any, TypedDict +# Note: The lint error "N815:mixedCase variable in class scope" is disabled for +# field names in the VSA to conform with in-toto naming conventions. + class Vsa(TypedDict): """The Macaron Verification Summary Attestation. From a59da72469db757674fb2dfe5af3851e8057c29c Mon Sep 17 00:00:00 2001 From: Nathan Nguyen Date: Wed, 10 Jan 2024 14:03:17 +1000 Subject: [PATCH 10/30] chore: adjust timestamp generation Signed-off-by: Nathan Nguyen --- src/macaron/vsa/vsa.py | 4 ++-- .../github_slsa-framework_slsa-verifier/vsa.intoto.jsonl | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/src/macaron/vsa/vsa.py b/src/macaron/vsa/vsa.py index ecb6d4e99..f9065b7ec 100644 --- a/src/macaron/vsa/vsa.py +++ b/src/macaron/vsa/vsa.py 
@@ -6,8 +6,8 @@ from __future__ import annotations import base64 +import datetime import json -from datetime import datetime from enum import StrEnum from importlib import metadata as importlib_metadata from typing import Any, TypedDict @@ -142,7 +142,7 @@ def create_vsa_statement( "macaron": importlib_metadata.version("macaron"), }, ), - timeVerified=datetime.utcnow().isoformat("T") + "Z", + timeVerified=datetime.datetime.now(tz=datetime.UTC).isoformat(), resourceUri=subject_purl, policy={ "content": policy_content, diff --git a/tests/vsa/integration/github_slsa-framework_slsa-verifier/vsa.intoto.jsonl b/tests/vsa/integration/github_slsa-framework_slsa-verifier/vsa.intoto.jsonl index 0b9b1f13e..bb532214b 100644 --- a/tests/vsa/integration/github_slsa-framework_slsa-verifier/vsa.intoto.jsonl +++ b/tests/vsa/integration/github_slsa-framework_slsa-verifier/vsa.intoto.jsonl @@ -13,7 +13,7 @@ "macaron": "0.6.0" } }, - "timeVerified": "2024-01-04T11:13:03.496399Z", + "timeVerified": "2024-01-10T03:56:17.237887+00:00", "resourceUri": "pkg:github.com/slsa-framework/slsa-verifier@7e1e47d7d793930ab0082c15c2b971fdb53a3c95", "policy": { "content": "/* Copyright (c) 2024 - 2024, Oracle and/or its affiliates. All rights reserved. */\n/* Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/. */\n\n#include \"prelude.dl\"\n\nPolicy(\"slsa_verifier_policy\", component_id, \"Policy for SLSA Verifier\") :-\n check_passed(component_id, \"mcn_build_as_code_1\"),\n check_passed(component_id, \"mcn_provenance_level_three_1\"),\n check_passed(component_id, \"mcn_provenance_available_1\").\n\napply_policy_to(\"slsa_verifier_policy\", component_id) :-\n is_repo(\n _, // repo_id\n \"github.com/slsa-framework/slsa-verifier\",\n component_id\n ).\n" From 4e168f83169cd10abd9a95a52761d1b05580060b Mon Sep 17 00:00:00 2001 
From: Nathan Nguyen Date: Wed, 10 Jan 2024 14:17:35 +1000 Subject: [PATCH 11/30] chore: adjust minor docstring typos and formatting issues in vsa module Signed-off-by: Nathan Nguyen --- src/macaron/vsa/vsa.py | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/src/macaron/vsa/vsa.py b/src/macaron/vsa/vsa.py index f9065b7ec..2eb7793f8 100644 --- a/src/macaron/vsa/vsa.py +++ b/src/macaron/vsa/vsa.py @@ -20,6 +20,7 @@ class Vsa(TypedDict): """The Macaron Verification Summary Attestation. For reference, see: + * `SLSA `_. * `in-toto `_. """ @@ -35,6 +36,7 @@ class VsaStatement(TypedDict): """The Statement layer of a Macaron VSA. For reference, see: + * in-toto Statement layer specification: https://github.com/in-toto/attestation/blob/main/spec/v1/statement.md. """ @@ -48,10 +50,11 @@ class VsaPredicate(TypedDict): """The 'predicate' field in the Statement layer of a Macaron VSA. For reference, see: + * in-toto Predicate layer specification: - https://github.com/in-toto/attestation/blob/main/spec/v1/predicate.md. + https://github.com/in-toto/attestation/blob/main/spec/v1/predicate.md. * SLSA VSA predicate schema: - https://slsa.dev/spec/v1.0/verification_summary#schema. + https://slsa.dev/spec/v1.0/verification_summary#schema. """ #: Identity of the verifier, as a tool carrying out the verification. @@ -59,7 +62,7 @@ class VsaPredicate(TypedDict): #: The timestamp when the verification occurred. #: The field has the type - # `Timestamp `_. + #: `Timestamp `_. timeVerified: str # noqa: N815 #: URI that identifies the resource associated with the software component being verified. From aa5a9553fac86c6dfe98633bd4c3a7ed132d568e Mon Sep 17 00:00:00 2001 From: Nathan Nguyen Date: Wed, 10 Jan 2024 14:24:51 +1000 Subject: [PATCH 12/30] chore: reorder the use cases of VSA Signed-off-by: Nathan Nguyen --- docs/source/pages/vsa.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/docs/source/pages/vsa.rst b/docs/source/pages/vsa.rst index 0c6b7a8f7..5d21fbd8d 100644 --- a/docs/source/pages/vsa.rst +++ b/docs/source/pages/vsa.rst @@ -15,8 +15,8 @@ Use cases The use cases of Macaron VSAs includes, but not limited to: -- **Caching verification results**: It could be expensive or inconvenient to run a full Macaron verification in certain circumstances. A VSA helps with caching and reusing verification results. - **Enabling delegated verification**: This allows software consumers to make use of verification results from another party. +- **Caching verification results**: It could be expensive or inconvenient to run a full Macaron verification in certain circumstances. A VSA helps with caching and reusing verification results. ------ From bcfea7f5aea0124c0421336ff1c85ac131deb0b6 Mon Sep 17 00:00:00 2001 From: Nathan Nguyen Date: Wed, 10 Jan 2024 14:32:34 +1000 Subject: [PATCH 13/30] chore: add docstrings for VSA Statement layer fields Signed-off-by: Nathan Nguyen --- src/macaron/vsa/vsa.py | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/src/macaron/vsa/vsa.py b/src/macaron/vsa/vsa.py index 2eb7793f8..e8467459e 100644 --- a/src/macaron/vsa/vsa.py +++ b/src/macaron/vsa/vsa.py 
@@ -40,9 +40,23 @@ class VsaStatement(TypedDict): * in-toto Statement layer specification: https://github.com/in-toto/attestation/blob/main/spec/v1/statement.md. """ + #: Identifier for the schema of the Statement layer. + #: This follows `in-toto v1 Statement layer schema + #: `_ + #: and is always ``https://in-toto.io/Statement/v1``. _type: str + + #: Subjects of the VSA. + #: Each entry is a software component being verified by Macaron. + #: *Note: In the current version of Macaron, this field only contains one single + #: software component, identified by a `PackageURL`_.* subject: list[dict] + + #: Identifier for the type of the Predicate. + #: For Macaron-generated VSAs, this is always ``https://slsa.dev/verification_summary/v1``. predicateType: str # noqa: N815 + + #: The Predicate of the attestation, providing information about the verification. predicate: VsaPredicate From 60ca8cf3970350aeb6df1a6b260a3d4189571969 Mon Sep 17 00:00:00 2001 From: Nathan Nguyen Date: Wed, 10 Jan 2024 15:32:16 +1000 Subject: [PATCH 14/30] chore: add error handling in cases where `component_id` may not be integers Signed-off-by: Nathan Nguyen --- src/macaron/vsa/vsa.py | 15 +++++++++++++-- tests/vsa/test_vsa.py | 26 ++++++++++++++++++++++++++ 2 files changed, 39 insertions(+), 2 deletions(-) diff --git a/src/macaron/vsa/vsa.py b/src/macaron/vsa/vsa.py index e8467459e..0b34f4d94 100644 --- a/src/macaron/vsa/vsa.py +++ b/src/macaron/vsa/vsa.py @@ -8,10 +8,13 @@ import base64 import datetime import json +import logging from enum import StrEnum from importlib import metadata as importlib_metadata from typing import Any, TypedDict +logger: logging.Logger = logging.getLogger(__name__) + # Note: The lint error "N815:mixedCase variable in class scope" is disabled for # field names in the VSA to conform with in-toto naming conventions. 
@@ -208,7 +211,11 @@ def get_subject_verification_result(policy_result: dict) -> tuple[str, Verificat component_results: dict[str, tuple[int, VerificationResult]] = {} for component_id_string, purl, _ in component_violates_policy_facts: - component_id = int(component_id_string) + try: + component_id = int(component_id_string) + except ValueError: + logger.error("Expected component id %s to be an integer.", component_id_string) + return None if purl not in component_results: component_results[purl] = (component_id, VerificationResult.FAILED) else: @@ -216,7 +223,11 @@ def get_subject_verification_result(policy_result: dict) -> tuple[str, Verificat if component_id > current_component_id: component_results[purl] = (component_id, VerificationResult.FAILED) for component_id_string, purl, _ in component_satisfies_policy_facts: - component_id = int(component_id_string) + try: + component_id = int(component_id_string) + except ValueError: + logger.error("Expected component id %s to be an integer.", component_id_string) + return None if purl not in component_results: component_results[purl] = (component_id, VerificationResult.PASSED) else: diff --git a/tests/vsa/test_vsa.py b/tests/vsa/test_vsa.py index b759fe523..f96a28861 100644 --- a/tests/vsa/test_vsa.py +++ b/tests/vsa/test_vsa.py @@ -190,6 +190,32 @@ def test_valid_subject_verification_result( {}, id="Policy engine result is empty", ), + pytest.param( + { + "component_satisfies_policy": [ + [ + "foo", + "pkg:github.com/slsa-framework/slsa-verifier@v2.0.0", + "slsa_verifier_policy", + ], + ], + "component_violates_policy": [], + }, + id="Component id is not an auto-incremented number 1", + ), + pytest.param( + { + "component_satisfies_policy": [], + "component_violates_policy": [ + [ + "foo", + "pkg:github.com/slsa-framework/slsa-verifier@v2.0.0", + "slsa_verifier_policy", + ], + ], + }, + id="Component id is not an auto-incremented number 2", + ), ], ) def test_invalid_subject_verification_result( 
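Review bot: The `try`/`except ValueError` around `int(component_id_string)` is duplicated verbatim in the `@@ -208` and `@@ -216` hunks of `get_subject_verification_result`, so the two fact loops will drift apart the next time the parsing or the message changes; a small helper returning `int | None` keeps a single copy. Note that `int()` also accepts strings such as `" 1"` or `"1_0"`, which is presumably harmless for ids produced by the policy engine but is looser than the log message implies. The function starts and ends outside the hunk.
```python
def _parse_component_id(component_id_string: str) -> int | None:
    """Parse a component id reported by the policy engine; log and return None if it is not an integer."""
    try:
        return int(component_id_string)
    except ValueError:
        logger.error("Expected component id %s to be an integer.", component_id_string)
        return None


# … unchanged: start of get_subject_verification_result up to component_results = {} …
    for component_id_string, purl, _ in component_violates_policy_facts:
        component_id = _parse_component_id(component_id_string)
        if component_id is None:
            return None
        # … unchanged: FAILED bookkeeping for purl …
    for component_id_string, purl, _ in component_satisfies_policy_facts:
        component_id = _parse_component_id(component_id_string)
        if component_id is None:
            return None
        # … unchanged: PASSED bookkeeping for purl …
```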
From 6870a3ab50fc1342a3727cb0f6aa51ecc0933e33 Mon Sep 17 00:00:00 2001 From: Nathan Nguyen Date: Wed, 10 Jan 2024 15:36:48 +1000 Subject: [PATCH 15/30] chore: clarify docstring for VSA fields with special in-toto types Signed-off-by: Nathan Nguyen --- src/macaron/vsa/vsa.py | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/macaron/vsa/vsa.py b/src/macaron/vsa/vsa.py index 0b34f4d94..651e3e385 100644 --- a/src/macaron/vsa/vsa.py +++ b/src/macaron/vsa/vsa.py @@ -78,19 +78,19 @@ class VsaPredicate(TypedDict): verifier: Verifier #: The timestamp when the verification occurred. - #: The field has the type + #: The field is a #: `Timestamp `_. timeVerified: str # noqa: N815 #: URI that identifies the resource associated with the software component being verified. - #: This field has the type + #: This field is a #: `ResourceURI `_. #: Currently, this has the same value as the subject of the VSA, i.e. the PURL of #: the software component being verified against. resourceUri: str # noqa: N815 #: The policy that the subject software component was verified against. - #: This field has the type + #: This field is a #: `ResourceDescriptor `_. policy: dict[str, Any] From e621ec3a2711205766450727cdd4736d2d70dcb3 Mon Sep 17 00:00:00 2001 From: Nathan Nguyen Date: Wed, 10 Jan 2024 15:56:14 +1000 Subject: [PATCH 16/30] chore: adjust `check_or_update_expected_output` function in integration test script to accommodate the compare vsa script Signed-off-by: Nathan Nguyen --- scripts/dev_scripts/integration_tests.sh | 26 +++++++++++++++++------- 1 file changed, 19 insertions(+), 7 deletions(-) diff --git a/scripts/dev_scripts/integration_tests.sh b/scripts/dev_scripts/integration_tests.sh index c5d1a8076..65729cba7 100755 --- a/scripts/dev_scripts/integration_tests.sh +++ b/scripts/dev_scripts/integration_tests.sh 
@@ -26,15 +26,27 @@ fi function check_or_update_expected_output() { if [ $UPDATE -eq 1 ] ; then - # Perform update of expected results by copying over produced output files. - # The copy only takes place if sufficient arguments are present. - # This function assumes arguments #2 and #3 are files: , . + # Perform update of expected results. + # The update only takes place if sufficient arguments are present. + # This function assumes: + # - argument #1 is the path to the compare script. + # - arguments #2 and #3 are files: , . if [ $# -eq 3 ] ; then - echo "Copying $2 to $3" - cp "$2" "$3" + compare_script_name=$(basename "$1") + case "$compare_script_name" in + # For scripts having an `--update` flag, use it. + compare_vsa.py) + python "$1" --update "$2" "$3" + ;; + # For the other scripts, copy over the produced output files. + *) + echo "Copying $2 to $3" + cp "$2" "$3" + ;; + esac else # Calls with insufficient arguments are ignored to avoid some needless computation during updates. - echo "Ignoring $@" + echo "Ignoring" "$@" fi else # Perform normal operation. @@ -660,7 +672,7 @@ macaron --output "$OUTPUT_DIR" verify-policy \ check_or_update_expected_output "$COMPARE_POLICIES" \ "$OUTPUT_DIR/policy_report.json" \ "$TEST_CASE_DIR/policy_report.json" || log_fail -python3 "$COMPARE_VSA" \ +check_or_update_expected_output "$COMPARE_VSA" \ "$OUTPUT_DIR/vsa.intoto.jsonl" \ "$TEST_CASE_DIR/vsa.intoto.jsonl" || log_fail From 450608c15d80c7b731eccba3c177a53872983b5a Mon Sep 17 00:00:00 2001 From: Nathan Nguyen Date: Wed, 10 Jan 2024 16:08:40 +1000 Subject: [PATCH 17/30] chore: add useful info log to differentiate cases where no VSA is generated Signed-off-by: Nathan Nguyen --- src/macaron/vsa/vsa.py | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/src/macaron/vsa/vsa.py b/src/macaron/vsa/vsa.py index 651e3e385..6e6ff8095 100644 --- a/src/macaron/vsa/vsa.py +++ b/src/macaron/vsa/vsa.py 
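Review bot: `compare_script_name` is assigned without `local` inside `check_or_update_expected_output`, so it leaks into the script's global namespace; `local compare_script_name` on that line (or `local compare_script_name; compare_script_name=$(basename "$1")` to keep the exit status of `basename` visible) fixes it. The update branch also runs `python "$1" --update "$2" "$3"` whereas the call site replaced in the second hunk of this patch used `python3`, so the interpreter name should be unified across the script before one of the two silently resolves to a different interpreter. The function's closing `fi` lines are outside the hunk.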
@@ -236,6 +236,11 @@ def get_subject_verification_result(policy_result: dict) -> tuple[str, Verificat component_results[purl] = (component_id, VerificationResult.PASSED) if len(component_results) != 1: + if len(component_results) == 0: + logger.info("The policy applies to no software components.") + if len(component_results) > 1: + logger.info("The policy applies to more than one software components.") + logger.info("No VSA will be generated.") return None subject_purl = next(iter(component_results.keys())) From a46f3022af810cd3338570f68ce67ae4614d2928 Mon Sep 17 00:00:00 2001 From: Nathan Nguyen Date: Thu, 11 Jan 2024 11:41:47 +1000 Subject: [PATCH 18/30] chore: adjust how the diff is displayed by the compare_vsa script Signed-off-by: Nathan Nguyen --- tests/vsa/compare_vsa.py | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/tests/vsa/compare_vsa.py b/tests/vsa/compare_vsa.py index e881195c2..cc52f4868 100644 --- a/tests/vsa/compare_vsa.py +++ b/tests/vsa/compare_vsa.py @@ -12,9 +12,7 @@ import sys import traceback from collections.abc import Callable -from difflib import context_diff from functools import partial -from pprint import pformat # Works similarly to print, but prints to stderr by default. log = partial(print, file=sys.stderr) @@ -37,11 +35,11 @@ def log_fn(msg: str) -> None: def log_diff(result: object, expected: object) -> None: """Pretty-print the diff of two Python objects.""" - log( - "".join( - context_diff(pformat(result), pformat(expected), "result", "expected"), - ), - ) + log("---- Result ---") + log(json.dumps(result, indent=4)) + log("---- Expected ---") + log(json.dumps(expected, indent=4)) + log("-----------------") CompareFn = Callable[[object, object], bool] 
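Review bot: Inside the `len(component_results) != 1` guard the two new `if len(...)` checks are exhaustive, so they read better as `if not component_results:` followed by `else:`, which also drops the repeated `len()` calls. The second message should read `"The policy applies to more than one software component."`. The function starts and ends outside the hunk.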
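Review bot: The docstring of `log_diff`, `"""Pretty-print the diff of two Python objects."""`, is stale now that the body prints both objects in full instead of a `context_diff`; `"""Print the result and the expected object as indented JSON, one after the other."""` describes the new code. Since `json.dumps` is now used for display, a non-JSON-serializable argument raises `TypeError` from inside the error-reporting path; that is presumably fine for the parsed payloads this script compares, but it is worth stating in the docstring.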
@@ -93,12 +91,14 @@ def compare_json( if isinstance(expected, list): if not isinstance(result, list): log_err(f"Expected '{name}' to be a JSON array.") + log_diff(result, expected) # Nothing else to check. return False return compare_list(result, expected, compare_fn_map, name) if isinstance(expected, dict): if not isinstance(result, dict): log_err(f"Expected '{name}' to be a JSON object.") + log_diff(result, expected) # Nothing else to check. return False return compare_dict(result, expected, compare_fn_map, name) From d5c6a7935e75d7d5cc01e34942a2d2f645fd6830 Mon Sep 17 00:00:00 2001 From: Nathan Nguyen Date: Thu, 11 Jan 2024 11:56:16 +1000 Subject: [PATCH 19/30] chore: add error handling while encoding the vsa payload Signed-off-by: Nathan Nguyen --- src/macaron/vsa/vsa.py | 28 ++++++++++++++++++++++++++-- 1 file changed, 26 insertions(+), 2 deletions(-) diff --git a/src/macaron/vsa/vsa.py b/src/macaron/vsa/vsa.py index 6e6ff8095..9c9a071b4 100644 --- a/src/macaron/vsa/vsa.py +++ b/src/macaron/vsa/vsa.py 
@@ -272,13 +272,37 @@ def generate_vsa(policy_content: str, policy_result: dict) -> Vsa | None: subject_purl, verification_result = subject_verification_result - payload = create_vsa_statement( + unencoded_payload = create_vsa_statement( subject_purl=subject_purl, policy_content=policy_content, verification_result=verification_result, ) + try: + payload = json.dumps(unencoded_payload) + except (TypeError, RecursionError, ValueError) as err: + logger.debug("Error encountered while deserializing the VSA payload: %s", err) + return None + + try: + payload_bytes = payload.encode() + except UnicodeError as err: + logger.debug("Error encountered while byte-encoding the VSA payload: %s", err) + return None + + try: + encoded_payload_bytes = base64.b64encode(payload_bytes) + except (ValueError, TypeError) as err: + logger.debug("Error encountered while base64-encoding the VSA payload: %s", err) + return None + + try: + encoded_payload = encoded_payload_bytes.decode("ascii") + except (ValueError, TypeError) as err: + logger.debug("Error encountered while converting the base64-encoded VSA payload to string: %s", err) + return None + return Vsa( payloadType="application/vnd.in-toto+json", - payload=base64.b64encode(json.dumps(payload).encode()).decode("ascii"), + payload=encoded_payload, ) From 52c4704d5542cebd35fa3a6de9709781d529e938 Mon Sep 17 00:00:00 2001 From: Nathan Nguyen Date: Thu, 11 Jan 2024 12:43:01 +1000 Subject: [PATCH 20/30] chore: adjust logging to use the built-in logging utilities instead of print Signed-off-by: Nathan Nguyen --- tests/vsa/compare_vsa.py | 38 +++++++++++++++++++------------------- 1 file changed, 19 insertions(+), 19 deletions(-) diff --git a/tests/vsa/compare_vsa.py b/tests/vsa/compare_vsa.py index cc52f4868..60aad149f 100644 --- a/tests/vsa/compare_vsa.py +++ b/tests/vsa/compare_vsa.py 
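Review bot: After `json.dumps` (default `ensure_ascii=True`) the payload is pure ASCII, so `payload.encode()` cannot raise `UnicodeError`, and `base64.b64encode` on bytes and `.decode("ascii")` on its output cannot raise either; the last three `try` blocks are unreachable, while the one reachable failure is logged at `debug` level and its message says "deserializing" where the code serializes. Collapsing the steps into a single `try` and logging the failure with `logger.error` matches the severity used for a malformed component id elsewhere in this module and makes a missing VSA visible at the default log level. `generate_vsa` starts outside the hunk.
```python
    try:
        # json.dumps escapes non-ASCII by default, so encoding its output cannot fail.
        payload = json.dumps(unencoded_payload)
        encoded_payload = base64.b64encode(payload.encode("utf-8")).decode("ascii")
    except (TypeError, RecursionError, ValueError) as err:
        logger.error("Error encountered while serializing the VSA payload: %s", err)
        return None

    return Vsa(
        payloadType="application/vnd.in-toto+json",
        payload=encoded_payload,
    )
```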
@@ -8,21 +8,20 @@ import argparse import base64 import json -import os -import sys +import logging import traceback from collections.abc import Callable -from functools import partial -# Works similarly to print, but prints to stderr by default. -log = partial(print, file=sys.stderr) +logger = logging.getLogger(__name__) +logger.setLevel(logging.DEBUG) +logging.basicConfig(format="[%(filename)s:%(lineno)s %(tag)s] %(message)s") def log_with_tag(tag: str) -> Callable[[str], None]: """Generate a log function that prints the name of the file and a tag at the beginning of each line.""" def log_fn(msg: str) -> None: - log(f"[{os.path.basename(__file__)} {tag}] {msg}") + logger.info(msg, extra={"tag": tag}) return log_fn @@ -33,13 +32,15 @@ def log_fn(msg: str) -> None: log_passed = log_with_tag("PASSED") -def log_diff(result: object, expected: object) -> None: +def log_diff(name: str, result: object, expected: object) -> None: """Pretty-print the diff of two Python objects.""" - log("---- Result ---") - log(json.dumps(result, indent=4)) - log("---- Expected ---") - log(json.dumps(expected, indent=4)) - log("-----------------") + output = [ + f"'{name}'", + *("---- Result ---", json.dumps(result, indent=4)), + *("---- Expected ---", json.dumps(expected, indent=4)), + "-----------------", + ] + log_info("\n".join(output)) CompareFn = Callable[[object, object], bool] 
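Review bot: The `basicConfig` format string contains `%(tag)s`, so every record reaching the root handler must carry `extra={"tag": ...}`; any record without it (a `logger.exception` call, or a library logging during decoding) makes the handler print a "--- Logging error ---" traceback instead of the message. A `logging.Filter` on the handler that sets `record.tag = getattr(record, "tag", "")`, or keeping the tag inside the message text, removes that dependency. Separately, `log_fn` emits every tag through `logger.info`, so ERR and FAILED output cannot be separated from INFO by level; mapping the tag to a level would fit the commit's intent of using the logging utilities. `log_info`, used by `log_diff` in the second hunk, is presumably defined between the two hunks.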
@@ -91,21 +92,21 @@ def compare_json( if isinstance(expected, list): if not isinstance(result, list): log_err(f"Expected '{name}' to be a JSON array.") - log_diff(result, expected) + log_diff(name, result, expected) # Nothing else to check. return False return compare_list(result, expected, compare_fn_map, name) if isinstance(expected, dict): if not isinstance(result, dict): log_err(f"Expected '{name}' to be a JSON object.") - log_diff(result, expected) + log_diff(name, result, expected) # Nothing else to check. return False return compare_dict(result, expected, compare_fn_map, name) if result != expected: log_err(f"Mismatch found in '{name}'") - log_diff(result, expected) + log_diff(name, result, expected) return False return True @@ -137,7 +138,7 @@ def compare_list( """ if len(result) != len(expected): log_err(f"Expected field '{name}' of length {len(result)} in result to have length {len(expected)}") - log_diff(result, expected) + log_diff(name, result, expected) # Nothing else to compare return False @@ -230,8 +231,7 @@ def main() -> int: try: payload = json.loads(base64.b64decode(vsa["payload"])) except (UnicodeDecodeError, json.JSONDecodeError, TypeError): - log_err("Error while decoding the VSA payload:") - log(traceback.format_exc()) + log_err(f"Error while decoding the VSA payload:\n{traceback.format_exc()}") return 1 if args.update: @@ -257,7 +257,7 @@ def main() -> int: log_failed("The payload of the generated VSA does not match the expected payload.") return 1 - log_passed("The payload of the generated VSA matches the expected payload.") + log_passed("The payload of the generated VSA matches the expected payload") return 0 From ea5aa606f38abc58d8d91378a6af9e78a7ec8e8b Mon Sep 17 00:00:00 2001 From: Nathan Nguyen Date: Thu, 11 Jan 2024 12:51:40 +1000 Subject: [PATCH 21/30] chore: provide tighter type annotation for the 'policy' field 
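Review bot: In the `@@ -230` hunk, `base64.b64decode(vsa["payload"])` raises `binascii.Error` (a `ValueError` subclass) on bad padding or length, which the `except (UnicodeDecodeError, json.JSONDecodeError, TypeError)` tuple does not catch, so a truncated payload escapes as an uncaught traceback rather than the tagged error message. `except (ValueError, TypeError):` covers it and already subsumes the two listed `ValueError` subclasses; passing `validate=True` to `b64decode` additionally rejects non-alphabet characters instead of silently discarding them. `main` starts and ends outside the hunk.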
Signed-off-by: Nathan Nguyen --- src/macaron/vsa/vsa.py | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/src/macaron/vsa/vsa.py b/src/macaron/vsa/vsa.py index 9c9a071b4..6d620677e 100644 --- a/src/macaron/vsa/vsa.py +++ b/src/macaron/vsa/vsa.py @@ -11,7 +11,7 @@ import logging from enum import StrEnum from importlib import metadata as importlib_metadata -from typing import Any, TypedDict +from typing import TypedDict logger: logging.Logger = logging.getLogger(__name__) @@ -92,7 +92,7 @@ class VsaPredicate(TypedDict): #: The policy that the subject software component was verified against. #: This field is a #: `ResourceDescriptor `_. - policy: dict[str, Any] + policy: Policy #: The verification result. verificationResult: VerificationResult # noqa: N815 @@ -118,6 +118,16 @@ class Verifier(TypedDict): version: dict[str, str] +class Policy(TypedDict): + """The 'policy' field within the Macaron VSA predicate field. + + This field provides information about the policy used for verification. + """ + + #: The Souffle Datalog code defining the policy in plain text. + content: str + + class VerificationResult(StrEnum): """Verification result, which is either 'PASSED' or 'FAILED'.""" From f03eb12d232336cc1e803ab7ffd8cd3a0e242355 Mon Sep 17 00:00:00 2001 From: Nathan Nguyen Date: Thu, 11 Jan 2024 12:59:21 +1000 Subject: [PATCH 22/30] chore: rename expected payload file to distinguish it from the actual vsa format Signed-off-by: Nathan Nguyen --- scripts/dev_scripts/integration_tests.sh | 2 +- .../{vsa.intoto.jsonl => vsa_payload.json} | 0 2 files changed, 1 insertion(+), 1 deletion(-) rename tests/vsa/integration/github_slsa-framework_slsa-verifier/{vsa.intoto.jsonl => vsa_payload.json} (100%) diff --git a/scripts/dev_scripts/integration_tests.sh b/scripts/dev_scripts/integration_tests.sh index 65729cba7..39f9622ef 100755 --- a/scripts/dev_scripts/integration_tests.sh +++ b/scripts/dev_scripts/integration_tests.sh 
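Review bot: `Policy` is defined after `VsaPredicate`, which annotates `policy: Policy` in the `@@ -92` hunk; this only works because the module has `from __future__ import annotations` (visible in an earlier patch of this series), so the annotation stays a string and is never evaluated at class-creation time. Moving `Policy` above `VsaPredicate`, or adding `#: NOTE: forward reference, resolved lazily via ``from __future__ import annotations``.` next to the field, makes the dependency explicit. The `content` field docstring could also state that the text is the policy source as passed in by the caller, since the VSA consumer has to treat it as the exact policy that was evaluated.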
@@ -674,7 +674,7 @@ check_or_update_expected_output "$COMPARE_POLICIES" \ "$TEST_CASE_DIR/policy_report.json" || log_fail check_or_update_expected_output "$COMPARE_VSA" \ "$OUTPUT_DIR/vsa.intoto.jsonl" \ - "$TEST_CASE_DIR/vsa.intoto.jsonl" || log_fail + "$TEST_CASE_DIR/vsa_payload.json" || log_fail # Testing the Repo Finder's remote calls. # This requires the 'packageurl' Python module diff --git a/tests/vsa/integration/github_slsa-framework_slsa-verifier/vsa.intoto.jsonl b/tests/vsa/integration/github_slsa-framework_slsa-verifier/vsa_payload.json similarity index 100% rename from tests/vsa/integration/github_slsa-framework_slsa-verifier/vsa.intoto.jsonl rename to tests/vsa/integration/github_slsa-framework_slsa-verifier/vsa_payload.json From ef34b67914e3b2485daa51be019efb880724ed06 Mon Sep 17 00:00:00 2001 From: Nathan Nguyen Date: Thu, 11 Jan 2024 13:29:16 +1000 Subject: [PATCH 23/30] chore: add whitespace at the end of file when updating vsa expected payload files to avoid pre-commit issues Signed-off-by: Nathan Nguyen --- tests/vsa/compare_vsa.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/vsa/compare_vsa.py b/tests/vsa/compare_vsa.py index 60aad149f..d4e1dced6 100644 --- a/tests/vsa/compare_vsa.py +++ b/tests/vsa/compare_vsa.py @@ -236,7 +236,7 @@ def main() -> int: if args.update: with open(args.expected_payload_file, mode="w", encoding="utf-8") as file: - json.dump(payload, fp=file, indent=4) + file.write(f"{json.dumps(payload, indent=4)}\n") log_info(f"Updated {args.expected_payload_file}.") return 0 From a272ff9c0cc09840ac87a9e9b1a402a1733a3172 Mon Sep 17 00:00:00 2001 From: Nathan Nguyen Date: Thu, 11 Jan 2024 13:30:28 +1000 Subject: [PATCH 24/30] chore: run vsa generation integration test on cached results Signed-off-by: Nathan Nguyen --- scripts/dev_scripts/integration_tests.sh | 29 ++----------------- .../vsa_payload.json | 8 ++--- 2 files changed, 7 insertions(+), 30 deletions(-) 
diff --git a/scripts/dev_scripts/integration_tests.sh b/scripts/dev_scripts/integration_tests.sh index 39f9622ef..e8522b3c4 100755 --- a/scripts/dev_scripts/integration_tests.sh +++ b/scripts/dev_scripts/integration_tests.sh 
@@ -645,36 +645,13 @@ RUN_POLICY="macaron verify-policy" POLICY_FILE=$WORKSPACE/tests/policy_engine/resources/policies/valid/slsa-verifier.dl POLICY_RESULT=$WORKSPACE/output/policy_report.json POLICY_EXPECTED=$WORKSPACE/tests/policy_engine/expected_results/policy_report.json +VSA_RESULT=$WORKSPACE/output/vsa.intoto.jsonl +VSA_PAYLOAD_EXPECTED=$WORKSPACE/tests/vsa/integration/github_slsa-framework_slsa-verifier/vsa_payload.json # Run policy engine on the database and compare results. $RUN_POLICY -f $POLICY_FILE -d "$WORKSPACE/output/macaron.db" || log_fail check_or_update_expected_output $COMPARE_POLICIES $POLICY_RESULT $POLICY_EXPECTED || log_fail - -# Testing the VSA generation feature -# Running Macaron without config files -echo -e "\n==================================================================================" -echo "Run integration tests for VSA generation" -echo -e "==================================================================================\n" -TEST_CASE_DIR="$WORKSPACE/tests/vsa/integration/github_slsa-framework_slsa-verifier" -OUTPUT_DIR="$TEST_CASE_DIR/output" - -rm -rf "$OUTPUT_DIR" # Make sure we regenerate a fresh database every time. 
-macaron --output "$OUTPUT_DIR" analyze \ - --repo-path "https://github.com/slsa-framework/slsa-verifier" \ - --digest 7e1e47d7d793930ab0082c15c2b971fdb53a3c95 \ - --skip-deps || log_fail -check_or_update_expected_output "$COMPARE_JSON_OUT" \ - "$OUTPUT_DIR/reports/github_com/slsa-framework/slsa-verifier/slsa-verifier.json" \ - "$TEST_CASE_DIR/slsa-verifier.json" || log_fail -macaron --output "$OUTPUT_DIR" verify-policy \ - --database "$OUTPUT_DIR/macaron.db" \ - --file "$TEST_CASE_DIR/policy.dl" || log_fail -check_or_update_expected_output "$COMPARE_POLICIES" \ - "$OUTPUT_DIR/policy_report.json" \ - "$TEST_CASE_DIR/policy_report.json" || log_fail -check_or_update_expected_output "$COMPARE_VSA" \ - "$OUTPUT_DIR/vsa.intoto.jsonl" \ - "$TEST_CASE_DIR/vsa_payload.json" || log_fail +check_or_update_expected_output "$COMPARE_VSA" "$VSA_RESULT" "$VSA_PAYLOAD_EXPECTED" || log_fail # Testing the Repo Finder's remote calls. # This requires the 'packageurl' Python module diff --git a/tests/vsa/integration/github_slsa-framework_slsa-verifier/vsa_payload.json b/tests/vsa/integration/github_slsa-framework_slsa-verifier/vsa_payload.json index bb532214b..99d8891b2 100644 --- a/tests/vsa/integration/github_slsa-framework_slsa-verifier/vsa_payload.json +++ b/tests/vsa/integration/github_slsa-framework_slsa-verifier/vsa_payload.json @@ -2,7 +2,7 @@ "_type": "https://in-toto.io/Statement/v1", "subject": [ { - "uri": "pkg:github.com/slsa-framework/slsa-verifier@7e1e47d7d793930ab0082c15c2b971fdb53a3c95" + "uri": "pkg:github.com/slsa-framework/slsa-verifier@fc50b662fcfeeeb0e97243554b47d9b20b14efac" } ], "predicateType": "https://slsa.dev/verification_summary/v1", 
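Review bot: The added `check_or_update_expected_output "$COMPARE_VSA" "$VSA_RESULT" "$VSA_PAYLOAD_EXPECTED"` quotes its arguments while the retained line just above passes `$COMPARE_POLICIES $POLICY_RESULT $POLICY_EXPECTED` unquoted; quoting both keeps the section consistent and safe against paths containing spaces. The VSA check now reads `$WORKSPACE/output/vsa.intoto.jsonl`, produced by the `$RUN_POLICY` invocation on the shared `$WORKSPACE/output/macaron.db`, instead of a fresh analysis, so the expected payload is tied to whatever earlier section of this script populated that database; a one-line comment such as `# The VSA is generated by the verify-policy run above, so its expected payload tracks that database.` would record the dependency. The surrounding sections are outside the hunk.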
@@ -13,10 +13,10 @@ "macaron": "0.6.0" } }, - "timeVerified": "2024-01-10T03:56:17.237887+00:00", - "resourceUri": "pkg:github.com/slsa-framework/slsa-verifier@7e1e47d7d793930ab0082c15c2b971fdb53a3c95", + "timeVerified": "2024-01-11T03:21:10.696997+00:00", + "resourceUri": "pkg:github.com/slsa-framework/slsa-verifier@fc50b662fcfeeeb0e97243554b47d9b20b14efac", "policy": { - "content": "/* Copyright (c) 2024 - 2024, Oracle and/or its affiliates. All rights reserved. */\n/* Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/. */\n\n#include \"prelude.dl\"\n\nPolicy(\"slsa_verifier_policy\", component_id, \"Policy for SLSA Verifier\") :-\n check_passed(component_id, \"mcn_build_as_code_1\"),\n check_passed(component_id, \"mcn_provenance_level_three_1\"),\n check_passed(component_id, \"mcn_provenance_available_1\").\n\napply_policy_to(\"slsa_verifier_policy\", component_id) :-\n is_repo(\n _, // repo_id\n \"github.com/slsa-framework/slsa-verifier\",\n component_id\n ).\n" + "content": "/* Copyright (c) 2023 - 2023, Oracle and/or its affiliates. All rights reserved. */\n/* Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/. */\n\n\n#include \"prelude.dl\"\n\nPolicy(\"auth-provenance\", component_id, \"\") :- check_passed(component_id, \"mcn_provenance_level_three_1\").\napply_policy_to(\"auth-provenance\", component_id) :- is_component(component_id, \"pkg:github.com/slsa-framework/slsa-verifier@fc50b662fcfeeeb0e97243554b47d9b20b14efac\").\n" }, "verificationResult": "PASSED", "verifiedLevels": [] From 02c2dd2ad8814a94ae88b76bba2c000016f94d6a Mon Sep 17 00:00:00 2001 From: Nathan Nguyen Date: Thu, 11 Jan 2024 13:43:59 +1000 Subject: [PATCH 25/30] chore: remove expected result files that are no longer needed 
Signed-off-by: Nathan Nguyen --- .../policy.dl | 16 - .../policy_report.json | 16 - .../slsa-verifier.json | 1887 ----------------- 3 files changed, 1919 deletions(-) delete mode 100644 tests/vsa/integration/github_slsa-framework_slsa-verifier/policy.dl delete mode 100644 tests/vsa/integration/github_slsa-framework_slsa-verifier/policy_report.json delete mode 100644 tests/vsa/integration/github_slsa-framework_slsa-verifier/slsa-verifier.json diff --git a/tests/vsa/integration/github_slsa-framework_slsa-verifier/policy.dl b/tests/vsa/integration/github_slsa-framework_slsa-verifier/policy.dl deleted file mode 100644 index 678fa8636..000000000 --- a/tests/vsa/integration/github_slsa-framework_slsa-verifier/policy.dl +++ /dev/null @@ -1,16 +0,0 @@ -/* Copyright (c) 2024 - 2024, Oracle and/or its affiliates. All rights reserved. */ -/* Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/. */ - -#include "prelude.dl" - -Policy("slsa_verifier_policy", component_id, "Policy for SLSA Verifier") :- - check_passed(component_id, "mcn_build_as_code_1"), - check_passed(component_id, "mcn_provenance_level_three_1"), - check_passed(component_id, "mcn_provenance_available_1"). - -apply_policy_to("slsa_verifier_policy", component_id) :- - is_repo( - _, // repo_id - "github.com/slsa-framework/slsa-verifier", - component_id - ). diff --git a/tests/vsa/integration/github_slsa-framework_slsa-verifier/policy_report.json b/tests/vsa/integration/github_slsa-framework_slsa-verifier/policy_report.json deleted file mode 100644 index f17f562dc..000000000 --- a/tests/vsa/integration/github_slsa-framework_slsa-verifier/policy_report.json +++ /dev/null 
@@ -1,16 +0,0 @@ -{ - "component_satisfies_policy": [ - [ - "1", - "pkg:github.com/slsa-framework/slsa-verifier@7e1e47d7d793930ab0082c15c2b971fdb53a3c95", - "slsa_verifier_policy" - ] - ], - "component_violates_policy": [], - "failed_policies": [], - "passed_policies": [ - [ - "slsa_verifier_policy" - ] - ] -} diff --git a/tests/vsa/integration/github_slsa-framework_slsa-verifier/slsa-verifier.json b/tests/vsa/integration/github_slsa-framework_slsa-verifier/slsa-verifier.json deleted file mode 100644 index 4549b087c..000000000 --- a/tests/vsa/integration/github_slsa-framework_slsa-verifier/slsa-verifier.json +++ /dev/null 
@@ -1,1887 +0,0 @@ -{ - "metadata": { - "timestamps": "2024-01-05 16:53:37", - "has_passing_check": true - }, - "target": { - "info": { - "full_name": "pkg:github.com/slsa-framework/slsa-verifier@7e1e47d7d793930ab0082c15c2b971fdb53a3c95", - "local_cloned_path": "git_repos/github_com/slsa-framework/slsa-verifier", - "remote_path": "https://github.com/slsa-framework/slsa-verifier", - "branch": null, - "commit_hash": "7e1e47d7d793930ab0082c15c2b971fdb53a3c95", - "commit_date": "2023-10-16T13:44:13-07:00" - }, - "provenances": { - "is_inferred": false, - "content": { - "github_actions": [ - { - "_type": "https://in-toto.io/Statement/v0.1", - "predicateType": "https://slsa.dev/provenance/v0.2", - "subject": [ - { - "name": "slsa-verifier-darwin-amd64", - "digest": { - "sha256": "69fa1ea5bb734e765aae1fa855f50e823c2b90b019994610960b7eb3c83feeb3" - } - } - ], - "predicate": { - "builder": { - "id": "https://github.com/slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@refs/tags/v1.8.0" - }, - "buildType": "https://github.com/slsa-framework/slsa-github-generator/go@v1", - "invocation": { - "configSource": { - "uri": "git+https://github.com/slsa-framework/slsa-verifier@refs/tags/v2.4.1", - "digest": { - "sha1": "7e1e47d7d793930ab0082c15c2b971fdb53a3c95" - }, - "entryPoint": ".github/workflows/release.yml" - }, - "parameters": {}, - "environment": { - "arch": "X64", - "github_actor": "laurentsimon", - "github_actor_id": "64505099", - "github_base_ref": "", - "github_event_name": "push", - "github_event_payload": { - "after": "7e1e47d7d793930ab0082c15c2b971fdb53a3c95", - "base_ref": "refs/heads/main", - "before": "0000000000000000000000000000000000000000", - "commits": [], - "compare": "https://github.com/slsa-framework/slsa-verifier/compare/v2.4.1", - "created": true, - "deleted": false, - "forced": false, - "head_commit": { - "author": { - "email": "64505099+laurentsimon@users.noreply.github.com", - "name": "laurentsimon", - "username": 
"laurentsimon" - }, - "committer": { - "email": "noreply@github.com", - "name": "GitHub", - "username": "web-flow" - }, - "distinct": true, - "id": "7e1e47d7d793930ab0082c15c2b971fdb53a3c95", - "message": "docs: update release doc and rm binary (#716)\n\nSigned-off-by: laurentsimon ", - "timestamp": "2023-10-16T13:44:13-07:00", - "tree_id": "b70b194feb7247be9885bfff95f9640c84d0b8f5", - "url": "https://github.com/slsa-framework/slsa-verifier/commit/7e1e47d7d793930ab0082c15c2b971fdb53a3c95" - }, - "organization": { - "avatar_url": "https://avatars.githubusercontent.com/u/80431187?v=4", - "description": "Supply-chain Levels for Software Artifacts", - "events_url": "https://api.github.com/orgs/slsa-framework/events", - "hooks_url": "https://api.github.com/orgs/slsa-framework/hooks", - "id": 80431187, - "issues_url": "https://api.github.com/orgs/slsa-framework/issues", - "login": "slsa-framework", - "members_url": "https://api.github.com/orgs/slsa-framework/members{/member}", - "node_id": "MDEyOk9yZ2FuaXphdGlvbjgwNDMxMTg3", - "public_members_url": "https://api.github.com/orgs/slsa-framework/public_members{/member}", - "repos_url": "https://api.github.com/orgs/slsa-framework/repos", - "url": "https://api.github.com/orgs/slsa-framework" - }, - "pusher": { - "email": "64505099+laurentsimon@users.noreply.github.com", - "name": "laurentsimon" - }, - "ref": "refs/tags/v2.4.1", - "repository": { - "allow_forking": true, - "archive_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/{archive_format}{/ref}", - "archived": false, - "assignees_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/assignees{/user}", - "blobs_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/git/blobs{/sha}", - "branches_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/branches{/branch}", - "clone_url": "https://github.com/slsa-framework/slsa-verifier.git", - "collaborators_url": 
"https://api.github.com/repos/slsa-framework/slsa-verifier/collaborators{/collaborator}", - "comments_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/comments{/number}", - "commits_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/commits{/sha}", - "compare_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/compare/{base}...{head}", - "contents_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/contents/{+path}", - "contributors_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/contributors", - "created_at": 1648242107, - "custom_properties": {}, - "default_branch": "main", - "deployments_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/deployments", - "description": "Verify provenance from SLSA compliant builders", - "disabled": false, - "downloads_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/downloads", - "events_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/events", - "fork": false, - "forks": 35, - "forks_count": 35, - "forks_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/forks", - "full_name": "slsa-framework/slsa-verifier", - "git_commits_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/git/commits{/sha}", - "git_refs_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/git/refs{/sha}", - "git_tags_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/git/tags{/sha}", - "git_url": "git://github.com/slsa-framework/slsa-verifier.git", - "has_discussions": false, - "has_downloads": true, - "has_issues": true, - "has_pages": false, - "has_projects": true, - "has_wiki": true, - "homepage": "", - "hooks_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/hooks", - "html_url": "https://github.com/slsa-framework/slsa-verifier", - "id": 474162642, - "is_template": false, - "issue_comment_url": 
"https://api.github.com/repos/slsa-framework/slsa-verifier/issues/comments{/number}", - "issue_events_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/issues/events{/number}", - "issues_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/issues{/number}", - "keys_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/keys{/key_id}", - "labels_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/labels{/name}", - "language": "Go", - "languages_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/languages", - "license": { - "key": "apache-2.0", - "name": "Apache License 2.0", - "node_id": "MDc6TGljZW5zZTI=", - "spdx_id": "Apache-2.0", - "url": "https://api.github.com/licenses/apache-2.0" - }, - "master_branch": "main", - "merges_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/merges", - "milestones_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/milestones{/number}", - "mirror_url": null, - "name": "slsa-verifier", - "node_id": "R_kgDOHEMl0g", - "notifications_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/notifications{?since,all,participating}", - "open_issues": 123, - "open_issues_count": 123, - "organization": "slsa-framework", - "owner": { - "avatar_url": "https://avatars.githubusercontent.com/u/80431187?v=4", - "email": null, - "events_url": "https://api.github.com/users/slsa-framework/events{/privacy}", - "followers_url": "https://api.github.com/users/slsa-framework/followers", - "following_url": "https://api.github.com/users/slsa-framework/following{/other_user}", - "gists_url": "https://api.github.com/users/slsa-framework/gists{/gist_id}", - "gravatar_id": "", - "html_url": "https://github.com/slsa-framework", - "id": 80431187, - "login": "slsa-framework", - "name": "slsa-framework", - "node_id": "MDEyOk9yZ2FuaXphdGlvbjgwNDMxMTg3", - "organizations_url": "https://api.github.com/users/slsa-framework/orgs", - "received_events_url": 
"https://api.github.com/users/slsa-framework/received_events", - "repos_url": "https://api.github.com/users/slsa-framework/repos", - "site_admin": false, - "starred_url": "https://api.github.com/users/slsa-framework/starred{/owner}{/repo}", - "subscriptions_url": "https://api.github.com/users/slsa-framework/subscriptions", - "type": "Organization", - "url": "https://api.github.com/users/slsa-framework" - }, - "private": false, - "pulls_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/pulls{/number}", - "pushed_at": 1699396985, - "releases_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/releases{/id}", - "size": 88467, - "ssh_url": "git@github.com:slsa-framework/slsa-verifier.git", - "stargazers": 170, - "stargazers_count": 170, - "stargazers_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/stargazers", - "statuses_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/statuses/{sha}", - "subscribers_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/subscribers", - "subscription_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/subscription", - "svn_url": "https://github.com/slsa-framework/slsa-verifier", - "tags_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/tags", - "teams_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/teams", - "topics": [], - "trees_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/git/trees{/sha}", - "updated_at": "2023-10-17T17:58:10Z", - "url": "https://github.com/slsa-framework/slsa-verifier", - "visibility": "public", - "watchers": 170, - "watchers_count": 170, - "web_commit_signoff_required": true - }, - "sender": { - "avatar_url": "https://avatars.githubusercontent.com/u/64505099?v=4", - "events_url": "https://api.github.com/users/laurentsimon/events{/privacy}", - "followers_url": "https://api.github.com/users/laurentsimon/followers", - "following_url": 
"https://api.github.com/users/laurentsimon/following{/other_user}", - "gists_url": "https://api.github.com/users/laurentsimon/gists{/gist_id}", - "gravatar_id": "", - "html_url": "https://github.com/laurentsimon", - "id": 64505099, - "login": "laurentsimon", - "node_id": "MDQ6VXNlcjY0NTA1MDk5", - "organizations_url": "https://api.github.com/users/laurentsimon/orgs", - "received_events_url": "https://api.github.com/users/laurentsimon/received_events", - "repos_url": "https://api.github.com/users/laurentsimon/repos", - "site_admin": false, - "starred_url": "https://api.github.com/users/laurentsimon/starred{/owner}{/repo}", - "subscriptions_url": "https://api.github.com/users/laurentsimon/subscriptions", - "type": "User", - "url": "https://api.github.com/users/laurentsimon" - } - }, - "github_head_ref": "", - "github_ref": "refs/tags/v2.4.1", - "github_ref_type": "tag", - "github_repository_id": "474162642", - "github_repository_owner": "slsa-framework", - "github_repository_owner_id": "80431187", - "github_run_attempt": "1", - "github_run_id": "6791195934", - "github_run_number": "511", - "github_sha1": "7e1e47d7d793930ab0082c15c2b971fdb53a3c95", - "os": "ubuntu22" - } - }, - "buildConfig": { - "steps": [ - { - "workingDir": "/home/runner/work/slsa-verifier/slsa-verifier/__PROJECT_CHECKOUT_DIR__/cli/slsa-verifier", - "command": [ - "/opt/hostedtoolcache/go/1.20.10/x64/bin/go", - "mod", - "vendor" - ], - "env": null - }, - { - "workingDir": "/home/runner/work/slsa-verifier/slsa-verifier/__PROJECT_CHECKOUT_DIR__/cli/slsa-verifier", - "command": [ - "/opt/hostedtoolcache/go/1.20.10/x64/bin/go", - "build", - "-mod=vendor", - "-trimpath", - "-tags=netgo", - "-ldflags=-X sigs.k8s.io/release-utils/version.gitVersion=2.4.1", - "-o", - "slsa-verifier-darwin-amd64" - ], - "env": [ - "GOOS=darwin", - "GOARCH=amd64", - "GO111MODULE=on", - "CGO_ENABLED=0" - ] - } - ], - "version": 1 - }, - "metadata": { - "buildInvocationID": "6791195934-1", - "completeness": { - "parameters": 
true, - "environment": false, - "materials": false - }, - "reproducible": false - }, - "materials": [ - { - "uri": "git+https://github.com/slsa-framework/slsa-verifier@refs/tags/v2.4.1", - "digest": { - "sha1": "7e1e47d7d793930ab0082c15c2b971fdb53a3c95" - } - }, - { - "uri": "https://github.com/actions/virtual-environments/releases/tag/ubuntu22/20231030.2.0" - } - ] - } - }, - { - "_type": "https://in-toto.io/Statement/v0.1", - "predicateType": "https://slsa.dev/provenance/v0.2", - "subject": [ - { - "name": "slsa-verifier-darwin-arm64", - "digest": { - "sha256": "ce1de214cb5ae24dfafce18640a0e7c4d2fbbd014bf4b2944a0c1b7b3cfa803a" - } - } - ], - "predicate": { - "builder": { - "id": "https://github.com/slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@refs/tags/v1.8.0" - }, - "buildType": "https://github.com/slsa-framework/slsa-github-generator/go@v1", - "invocation": { - "configSource": { - "uri": "git+https://github.com/slsa-framework/slsa-verifier@refs/tags/v2.4.1", - "digest": { - "sha1": "7e1e47d7d793930ab0082c15c2b971fdb53a3c95" - }, - "entryPoint": ".github/workflows/release.yml" - }, - "parameters": {}, - "environment": { - "arch": "X64", - "github_actor": "laurentsimon", - "github_actor_id": "64505099", - "github_base_ref": "", - "github_event_name": "push", - "github_event_payload": { - "after": "7e1e47d7d793930ab0082c15c2b971fdb53a3c95", - "base_ref": "refs/heads/main", - "before": "0000000000000000000000000000000000000000", - "commits": [], - "compare": "https://github.com/slsa-framework/slsa-verifier/compare/v2.4.1", - "created": true, - "deleted": false, - "forced": false, - "head_commit": { - "author": { - "email": "64505099+laurentsimon@users.noreply.github.com", - "name": "laurentsimon", - "username": "laurentsimon" - }, - "committer": { - "email": "noreply@github.com", - "name": "GitHub", - "username": "web-flow" - }, - "distinct": true, - "id": "7e1e47d7d793930ab0082c15c2b971fdb53a3c95", - "message": "docs: update release 
doc and rm binary (#716)\n\nSigned-off-by: laurentsimon ", - "timestamp": "2023-10-16T13:44:13-07:00", - "tree_id": "b70b194feb7247be9885bfff95f9640c84d0b8f5", - "url": "https://github.com/slsa-framework/slsa-verifier/commit/7e1e47d7d793930ab0082c15c2b971fdb53a3c95" - }, - "organization": { - "avatar_url": "https://avatars.githubusercontent.com/u/80431187?v=4", - "description": "Supply-chain Levels for Software Artifacts", - "events_url": "https://api.github.com/orgs/slsa-framework/events", - "hooks_url": "https://api.github.com/orgs/slsa-framework/hooks", - "id": 80431187, - "issues_url": "https://api.github.com/orgs/slsa-framework/issues", - "login": "slsa-framework", - "members_url": "https://api.github.com/orgs/slsa-framework/members{/member}", - "node_id": "MDEyOk9yZ2FuaXphdGlvbjgwNDMxMTg3", - "public_members_url": "https://api.github.com/orgs/slsa-framework/public_members{/member}", - "repos_url": "https://api.github.com/orgs/slsa-framework/repos", - "url": "https://api.github.com/orgs/slsa-framework" - }, - "pusher": { - "email": "64505099+laurentsimon@users.noreply.github.com", - "name": "laurentsimon" - }, - "ref": "refs/tags/v2.4.1", - "repository": { - "allow_forking": true, - "archive_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/{archive_format}{/ref}", - "archived": false, - "assignees_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/assignees{/user}", - "blobs_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/git/blobs{/sha}", - "branches_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/branches{/branch}", - "clone_url": "https://github.com/slsa-framework/slsa-verifier.git", - "collaborators_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/collaborators{/collaborator}", - "comments_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/comments{/number}", - "commits_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/commits{/sha}", - 
"compare_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/compare/{base}...{head}", - "contents_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/contents/{+path}", - "contributors_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/contributors", - "created_at": 1648242107, - "custom_properties": {}, - "default_branch": "main", - "deployments_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/deployments", - "description": "Verify provenance from SLSA compliant builders", - "disabled": false, - "downloads_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/downloads", - "events_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/events", - "fork": false, - "forks": 35, - "forks_count": 35, - "forks_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/forks", - "full_name": "slsa-framework/slsa-verifier", - "git_commits_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/git/commits{/sha}", - "git_refs_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/git/refs{/sha}", - "git_tags_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/git/tags{/sha}", - "git_url": "git://github.com/slsa-framework/slsa-verifier.git", - "has_discussions": false, - "has_downloads": true, - "has_issues": true, - "has_pages": false, - "has_projects": true, - "has_wiki": true, - "homepage": "", - "hooks_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/hooks", - "html_url": "https://github.com/slsa-framework/slsa-verifier", - "id": 474162642, - "is_template": false, - "issue_comment_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/issues/comments{/number}", - "issue_events_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/issues/events{/number}", - "issues_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/issues{/number}", - "keys_url": 
"https://api.github.com/repos/slsa-framework/slsa-verifier/keys{/key_id}", - "labels_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/labels{/name}", - "language": "Go", - "languages_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/languages", - "license": { - "key": "apache-2.0", - "name": "Apache License 2.0", - "node_id": "MDc6TGljZW5zZTI=", - "spdx_id": "Apache-2.0", - "url": "https://api.github.com/licenses/apache-2.0" - }, - "master_branch": "main", - "merges_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/merges", - "milestones_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/milestones{/number}", - "mirror_url": null, - "name": "slsa-verifier", - "node_id": "R_kgDOHEMl0g", - "notifications_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/notifications{?since,all,participating}", - "open_issues": 123, - "open_issues_count": 123, - "organization": "slsa-framework", - "owner": { - "avatar_url": "https://avatars.githubusercontent.com/u/80431187?v=4", - "email": null, - "events_url": "https://api.github.com/users/slsa-framework/events{/privacy}", - "followers_url": "https://api.github.com/users/slsa-framework/followers", - "following_url": "https://api.github.com/users/slsa-framework/following{/other_user}", - "gists_url": "https://api.github.com/users/slsa-framework/gists{/gist_id}", - "gravatar_id": "", - "html_url": "https://github.com/slsa-framework", - "id": 80431187, - "login": "slsa-framework", - "name": "slsa-framework", - "node_id": "MDEyOk9yZ2FuaXphdGlvbjgwNDMxMTg3", - "organizations_url": "https://api.github.com/users/slsa-framework/orgs", - "received_events_url": "https://api.github.com/users/slsa-framework/received_events", - "repos_url": "https://api.github.com/users/slsa-framework/repos", - "site_admin": false, - "starred_url": "https://api.github.com/users/slsa-framework/starred{/owner}{/repo}", - "subscriptions_url": 
"https://api.github.com/users/slsa-framework/subscriptions", - "type": "Organization", - "url": "https://api.github.com/users/slsa-framework" - }, - "private": false, - "pulls_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/pulls{/number}", - "pushed_at": 1699396985, - "releases_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/releases{/id}", - "size": 88467, - "ssh_url": "git@github.com:slsa-framework/slsa-verifier.git", - "stargazers": 170, - "stargazers_count": 170, - "stargazers_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/stargazers", - "statuses_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/statuses/{sha}", - "subscribers_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/subscribers", - "subscription_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/subscription", - "svn_url": "https://github.com/slsa-framework/slsa-verifier", - "tags_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/tags", - "teams_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/teams", - "topics": [], - "trees_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/git/trees{/sha}", - "updated_at": "2023-10-17T17:58:10Z", - "url": "https://github.com/slsa-framework/slsa-verifier", - "visibility": "public", - "watchers": 170, - "watchers_count": 170, - "web_commit_signoff_required": true - }, - "sender": { - "avatar_url": "https://avatars.githubusercontent.com/u/64505099?v=4", - "events_url": "https://api.github.com/users/laurentsimon/events{/privacy}", - "followers_url": "https://api.github.com/users/laurentsimon/followers", - "following_url": "https://api.github.com/users/laurentsimon/following{/other_user}", - "gists_url": "https://api.github.com/users/laurentsimon/gists{/gist_id}", - "gravatar_id": "", - "html_url": "https://github.com/laurentsimon", - "id": 64505099, - "login": "laurentsimon", - "node_id": "MDQ6VXNlcjY0NTA1MDk5", - 
"organizations_url": "https://api.github.com/users/laurentsimon/orgs", - "received_events_url": "https://api.github.com/users/laurentsimon/received_events", - "repos_url": "https://api.github.com/users/laurentsimon/repos", - "site_admin": false, - "starred_url": "https://api.github.com/users/laurentsimon/starred{/owner}{/repo}", - "subscriptions_url": "https://api.github.com/users/laurentsimon/subscriptions", - "type": "User", - "url": "https://api.github.com/users/laurentsimon" - } - }, - "github_head_ref": "", - "github_ref": "refs/tags/v2.4.1", - "github_ref_type": "tag", - "github_repository_id": "474162642", - "github_repository_owner": "slsa-framework", - "github_repository_owner_id": "80431187", - "github_run_attempt": "1", - "github_run_id": "6791195934", - "github_run_number": "511", - "github_sha1": "7e1e47d7d793930ab0082c15c2b971fdb53a3c95", - "os": "ubuntu22" - } - }, - "buildConfig": { - "steps": [ - { - "workingDir": "/home/runner/work/slsa-verifier/slsa-verifier/__PROJECT_CHECKOUT_DIR__/cli/slsa-verifier", - "command": [ - "/opt/hostedtoolcache/go/1.20.10/x64/bin/go", - "mod", - "vendor" - ], - "env": null - }, - { - "workingDir": "/home/runner/work/slsa-verifier/slsa-verifier/__PROJECT_CHECKOUT_DIR__/cli/slsa-verifier", - "command": [ - "/opt/hostedtoolcache/go/1.20.10/x64/bin/go", - "build", - "-mod=vendor", - "-trimpath", - "-tags=netgo", - "-ldflags=-X sigs.k8s.io/release-utils/version.gitVersion=2.4.1", - "-o", - "slsa-verifier-darwin-arm64" - ], - "env": [ - "GOOS=darwin", - "GOARCH=arm64", - "CGO_ENABLED=0", - "GO111MODULE=on" - ] - } - ], - "version": 1 - }, - "metadata": { - "buildInvocationID": "6791195934-1", - "completeness": { - "parameters": true, - "environment": false, - "materials": false - }, - "reproducible": false - }, - "materials": [ - { - "uri": "git+https://github.com/slsa-framework/slsa-verifier@refs/tags/v2.4.1", - "digest": { - "sha1": "7e1e47d7d793930ab0082c15c2b971fdb53a3c95" - } - }, - { - "uri": 
"https://github.com/actions/virtual-environments/releases/tag/ubuntu22/20231030.2.0" - } - ] - } - }, - { - "_type": "https://in-toto.io/Statement/v0.1", - "predicateType": "https://slsa.dev/provenance/v0.2", - "subject": [ - { - "name": "slsa-verifier-linux-amd64", - "digest": { - "sha256": "e81900c9f11a44276e1552afb7c1f6ea7b13ad9c6efdb920d97f23a76659e25f" - } - } - ], - "predicate": { - "builder": { - "id": "https://github.com/slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@refs/tags/v1.8.0" - }, - "buildType": "https://github.com/slsa-framework/slsa-github-generator/go@v1", - "invocation": { - "configSource": { - "uri": "git+https://github.com/slsa-framework/slsa-verifier@refs/tags/v2.4.1", - "digest": { - "sha1": "7e1e47d7d793930ab0082c15c2b971fdb53a3c95" - }, - "entryPoint": ".github/workflows/release.yml" - }, - "parameters": {}, - "environment": { - "arch": "X64", - "github_actor": "laurentsimon", - "github_actor_id": "64505099", - "github_base_ref": "", - "github_event_name": "push", - "github_event_payload": { - "after": "7e1e47d7d793930ab0082c15c2b971fdb53a3c95", - "base_ref": "refs/heads/main", - "before": "0000000000000000000000000000000000000000", - "commits": [], - "compare": "https://github.com/slsa-framework/slsa-verifier/compare/v2.4.1", - "created": true, - "deleted": false, - "forced": false, - "head_commit": { - "author": { - "email": "64505099+laurentsimon@users.noreply.github.com", - "name": "laurentsimon", - "username": "laurentsimon" - }, - "committer": { - "email": "noreply@github.com", - "name": "GitHub", - "username": "web-flow" - }, - "distinct": true, - "id": "7e1e47d7d793930ab0082c15c2b971fdb53a3c95", - "message": "docs: update release doc and rm binary (#716)\n\nSigned-off-by: laurentsimon ", - "timestamp": "2023-10-16T13:44:13-07:00", - "tree_id": "b70b194feb7247be9885bfff95f9640c84d0b8f5", - "url": "https://github.com/slsa-framework/slsa-verifier/commit/7e1e47d7d793930ab0082c15c2b971fdb53a3c95" - }, - 
"organization": { - "avatar_url": "https://avatars.githubusercontent.com/u/80431187?v=4", - "description": "Supply-chain Levels for Software Artifacts", - "events_url": "https://api.github.com/orgs/slsa-framework/events", - "hooks_url": "https://api.github.com/orgs/slsa-framework/hooks", - "id": 80431187, - "issues_url": "https://api.github.com/orgs/slsa-framework/issues", - "login": "slsa-framework", - "members_url": "https://api.github.com/orgs/slsa-framework/members{/member}", - "node_id": "MDEyOk9yZ2FuaXphdGlvbjgwNDMxMTg3", - "public_members_url": "https://api.github.com/orgs/slsa-framework/public_members{/member}", - "repos_url": "https://api.github.com/orgs/slsa-framework/repos", - "url": "https://api.github.com/orgs/slsa-framework" - }, - "pusher": { - "email": "64505099+laurentsimon@users.noreply.github.com", - "name": "laurentsimon" - }, - "ref": "refs/tags/v2.4.1", - "repository": { - "allow_forking": true, - "archive_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/{archive_format}{/ref}", - "archived": false, - "assignees_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/assignees{/user}", - "blobs_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/git/blobs{/sha}", - "branches_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/branches{/branch}", - "clone_url": "https://github.com/slsa-framework/slsa-verifier.git", - "collaborators_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/collaborators{/collaborator}", - "comments_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/comments{/number}", - "commits_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/commits{/sha}", - "compare_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/compare/{base}...{head}", - "contents_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/contents/{+path}", - "contributors_url": 
"https://api.github.com/repos/slsa-framework/slsa-verifier/contributors", - "created_at": 1648242107, - "custom_properties": {}, - "default_branch": "main", - "deployments_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/deployments", - "description": "Verify provenance from SLSA compliant builders", - "disabled": false, - "downloads_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/downloads", - "events_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/events", - "fork": false, - "forks": 35, - "forks_count": 35, - "forks_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/forks", - "full_name": "slsa-framework/slsa-verifier", - "git_commits_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/git/commits{/sha}", - "git_refs_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/git/refs{/sha}", - "git_tags_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/git/tags{/sha}", - "git_url": "git://github.com/slsa-framework/slsa-verifier.git", - "has_discussions": false, - "has_downloads": true, - "has_issues": true, - "has_pages": false, - "has_projects": true, - "has_wiki": true, - "homepage": "", - "hooks_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/hooks", - "html_url": "https://github.com/slsa-framework/slsa-verifier", - "id": 474162642, - "is_template": false, - "issue_comment_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/issues/comments{/number}", - "issue_events_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/issues/events{/number}", - "issues_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/issues{/number}", - "keys_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/keys{/key_id}", - "labels_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/labels{/name}", - "language": "Go", - "languages_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/languages", - 
"license": { - "key": "apache-2.0", - "name": "Apache License 2.0", - "node_id": "MDc6TGljZW5zZTI=", - "spdx_id": "Apache-2.0", - "url": "https://api.github.com/licenses/apache-2.0" - }, - "master_branch": "main", - "merges_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/merges", - "milestones_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/milestones{/number}", - "mirror_url": null, - "name": "slsa-verifier", - "node_id": "R_kgDOHEMl0g", - "notifications_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/notifications{?since,all,participating}", - "open_issues": 123, - "open_issues_count": 123, - "organization": "slsa-framework", - "owner": { - "avatar_url": "https://avatars.githubusercontent.com/u/80431187?v=4", - "email": null, - "events_url": "https://api.github.com/users/slsa-framework/events{/privacy}", - "followers_url": "https://api.github.com/users/slsa-framework/followers", - "following_url": "https://api.github.com/users/slsa-framework/following{/other_user}", - "gists_url": "https://api.github.com/users/slsa-framework/gists{/gist_id}", - "gravatar_id": "", - "html_url": "https://github.com/slsa-framework", - "id": 80431187, - "login": "slsa-framework", - "name": "slsa-framework", - "node_id": "MDEyOk9yZ2FuaXphdGlvbjgwNDMxMTg3", - "organizations_url": "https://api.github.com/users/slsa-framework/orgs", - "received_events_url": "https://api.github.com/users/slsa-framework/received_events", - "repos_url": "https://api.github.com/users/slsa-framework/repos", - "site_admin": false, - "starred_url": "https://api.github.com/users/slsa-framework/starred{/owner}{/repo}", - "subscriptions_url": "https://api.github.com/users/slsa-framework/subscriptions", - "type": "Organization", - "url": "https://api.github.com/users/slsa-framework" - }, - "private": false, - "pulls_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/pulls{/number}", - "pushed_at": 1699396985, - "releases_url": 
"https://api.github.com/repos/slsa-framework/slsa-verifier/releases{/id}", - "size": 88467, - "ssh_url": "git@github.com:slsa-framework/slsa-verifier.git", - "stargazers": 170, - "stargazers_count": 170, - "stargazers_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/stargazers", - "statuses_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/statuses/{sha}", - "subscribers_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/subscribers", - "subscription_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/subscription", - "svn_url": "https://github.com/slsa-framework/slsa-verifier", - "tags_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/tags", - "teams_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/teams", - "topics": [], - "trees_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/git/trees{/sha}", - "updated_at": "2023-10-17T17:58:10Z", - "url": "https://github.com/slsa-framework/slsa-verifier", - "visibility": "public", - "watchers": 170, - "watchers_count": 170, - "web_commit_signoff_required": true - }, - "sender": { - "avatar_url": "https://avatars.githubusercontent.com/u/64505099?v=4", - "events_url": "https://api.github.com/users/laurentsimon/events{/privacy}", - "followers_url": "https://api.github.com/users/laurentsimon/followers", - "following_url": "https://api.github.com/users/laurentsimon/following{/other_user}", - "gists_url": "https://api.github.com/users/laurentsimon/gists{/gist_id}", - "gravatar_id": "", - "html_url": "https://github.com/laurentsimon", - "id": 64505099, - "login": "laurentsimon", - "node_id": "MDQ6VXNlcjY0NTA1MDk5", - "organizations_url": "https://api.github.com/users/laurentsimon/orgs", - "received_events_url": "https://api.github.com/users/laurentsimon/received_events", - "repos_url": "https://api.github.com/users/laurentsimon/repos", - "site_admin": false, - "starred_url": 
"https://api.github.com/users/laurentsimon/starred{/owner}{/repo}", - "subscriptions_url": "https://api.github.com/users/laurentsimon/subscriptions", - "type": "User", - "url": "https://api.github.com/users/laurentsimon" - } - }, - "github_head_ref": "", - "github_ref": "refs/tags/v2.4.1", - "github_ref_type": "tag", - "github_repository_id": "474162642", - "github_repository_owner": "slsa-framework", - "github_repository_owner_id": "80431187", - "github_run_attempt": "1", - "github_run_id": "6791195934", - "github_run_number": "511", - "github_sha1": "7e1e47d7d793930ab0082c15c2b971fdb53a3c95", - "os": "ubuntu22" - } - }, - "buildConfig": { - "steps": [ - { - "workingDir": "/home/runner/work/slsa-verifier/slsa-verifier/__PROJECT_CHECKOUT_DIR__/cli/slsa-verifier", - "command": [ - "/opt/hostedtoolcache/go/1.20.10/x64/bin/go", - "mod", - "vendor" - ], - "env": null - }, - { - "workingDir": "/home/runner/work/slsa-verifier/slsa-verifier/__PROJECT_CHECKOUT_DIR__/cli/slsa-verifier", - "command": [ - "/opt/hostedtoolcache/go/1.20.10/x64/bin/go", - "build", - "-mod=vendor", - "-trimpath", - "-tags=netgo", - "-ldflags=-X sigs.k8s.io/release-utils/version.gitVersion=2.4.1", - "-o", - "slsa-verifier-linux-amd64" - ], - "env": [ - "GOOS=linux", - "GOARCH=amd64", - "GO111MODULE=on", - "CGO_ENABLED=0" - ] - } - ], - "version": 1 - }, - "metadata": { - "buildInvocationID": "6791195934-1", - "completeness": { - "parameters": true, - "environment": false, - "materials": false - }, - "reproducible": false - }, - "materials": [ - { - "uri": "git+https://github.com/slsa-framework/slsa-verifier@refs/tags/v2.4.1", - "digest": { - "sha1": "7e1e47d7d793930ab0082c15c2b971fdb53a3c95" - } - }, - { - "uri": "https://github.com/actions/virtual-environments/releases/tag/ubuntu22/20231030.2.0" - } - ] - } - }, - { - "_type": "https://in-toto.io/Statement/v0.1", - "predicateType": "https://slsa.dev/provenance/v0.2", - "subject": [ - { - "name": "slsa-verifier-linux-arm64", - "digest": { - 
"sha256": "8b9bcc51576a8f962a0f91f50bed8ca769563ef568a2e9997ca4cd59dc2e341a" - } - } - ], - "predicate": { - "builder": { - "id": "https://github.com/slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@refs/tags/v1.8.0" - }, - "buildType": "https://github.com/slsa-framework/slsa-github-generator/go@v1", - "invocation": { - "configSource": { - "uri": "git+https://github.com/slsa-framework/slsa-verifier@refs/tags/v2.4.1", - "digest": { - "sha1": "7e1e47d7d793930ab0082c15c2b971fdb53a3c95" - }, - "entryPoint": ".github/workflows/release.yml" - }, - "parameters": {}, - "environment": { - "arch": "X64", - "github_actor": "laurentsimon", - "github_actor_id": "64505099", - "github_base_ref": "", - "github_event_name": "push", - "github_event_payload": { - "after": "7e1e47d7d793930ab0082c15c2b971fdb53a3c95", - "base_ref": "refs/heads/main", - "before": "0000000000000000000000000000000000000000", - "commits": [], - "compare": "https://github.com/slsa-framework/slsa-verifier/compare/v2.4.1", - "created": true, - "deleted": false, - "forced": false, - "head_commit": { - "author": { - "email": "64505099+laurentsimon@users.noreply.github.com", - "name": "laurentsimon", - "username": "laurentsimon" - }, - "committer": { - "email": "noreply@github.com", - "name": "GitHub", - "username": "web-flow" - }, - "distinct": true, - "id": "7e1e47d7d793930ab0082c15c2b971fdb53a3c95", - "message": "docs: update release doc and rm binary (#716)\n\nSigned-off-by: laurentsimon ", - "timestamp": "2023-10-16T13:44:13-07:00", - "tree_id": "b70b194feb7247be9885bfff95f9640c84d0b8f5", - "url": "https://github.com/slsa-framework/slsa-verifier/commit/7e1e47d7d793930ab0082c15c2b971fdb53a3c95" - }, - "organization": { - "avatar_url": "https://avatars.githubusercontent.com/u/80431187?v=4", - "description": "Supply-chain Levels for Software Artifacts", - "events_url": "https://api.github.com/orgs/slsa-framework/events", - "hooks_url": 
"https://api.github.com/orgs/slsa-framework/hooks", - "id": 80431187, - "issues_url": "https://api.github.com/orgs/slsa-framework/issues", - "login": "slsa-framework", - "members_url": "https://api.github.com/orgs/slsa-framework/members{/member}", - "node_id": "MDEyOk9yZ2FuaXphdGlvbjgwNDMxMTg3", - "public_members_url": "https://api.github.com/orgs/slsa-framework/public_members{/member}", - "repos_url": "https://api.github.com/orgs/slsa-framework/repos", - "url": "https://api.github.com/orgs/slsa-framework" - }, - "pusher": { - "email": "64505099+laurentsimon@users.noreply.github.com", - "name": "laurentsimon" - }, - "ref": "refs/tags/v2.4.1", - "repository": { - "allow_forking": true, - "archive_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/{archive_format}{/ref}", - "archived": false, - "assignees_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/assignees{/user}", - "blobs_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/git/blobs{/sha}", - "branches_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/branches{/branch}", - "clone_url": "https://github.com/slsa-framework/slsa-verifier.git", - "collaborators_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/collaborators{/collaborator}", - "comments_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/comments{/number}", - "commits_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/commits{/sha}", - "compare_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/compare/{base}...{head}", - "contents_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/contents/{+path}", - "contributors_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/contributors", - "created_at": 1648242107, - "custom_properties": {}, - "default_branch": "main", - "deployments_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/deployments", - "description": "Verify provenance from SLSA 
compliant builders", - "disabled": false, - "downloads_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/downloads", - "events_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/events", - "fork": false, - "forks": 35, - "forks_count": 35, - "forks_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/forks", - "full_name": "slsa-framework/slsa-verifier", - "git_commits_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/git/commits{/sha}", - "git_refs_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/git/refs{/sha}", - "git_tags_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/git/tags{/sha}", - "git_url": "git://github.com/slsa-framework/slsa-verifier.git", - "has_discussions": false, - "has_downloads": true, - "has_issues": true, - "has_pages": false, - "has_projects": true, - "has_wiki": true, - "homepage": "", - "hooks_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/hooks", - "html_url": "https://github.com/slsa-framework/slsa-verifier", - "id": 474162642, - "is_template": false, - "issue_comment_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/issues/comments{/number}", - "issue_events_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/issues/events{/number}", - "issues_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/issues{/number}", - "keys_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/keys{/key_id}", - "labels_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/labels{/name}", - "language": "Go", - "languages_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/languages", - "license": { - "key": "apache-2.0", - "name": "Apache License 2.0", - "node_id": "MDc6TGljZW5zZTI=", - "spdx_id": "Apache-2.0", - "url": "https://api.github.com/licenses/apache-2.0" - }, - "master_branch": "main", - "merges_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/merges", 
- "milestones_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/milestones{/number}", - "mirror_url": null, - "name": "slsa-verifier", - "node_id": "R_kgDOHEMl0g", - "notifications_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/notifications{?since,all,participating}", - "open_issues": 123, - "open_issues_count": 123, - "organization": "slsa-framework", - "owner": { - "avatar_url": "https://avatars.githubusercontent.com/u/80431187?v=4", - "email": null, - "events_url": "https://api.github.com/users/slsa-framework/events{/privacy}", - "followers_url": "https://api.github.com/users/slsa-framework/followers", - "following_url": "https://api.github.com/users/slsa-framework/following{/other_user}", - "gists_url": "https://api.github.com/users/slsa-framework/gists{/gist_id}", - "gravatar_id": "", - "html_url": "https://github.com/slsa-framework", - "id": 80431187, - "login": "slsa-framework", - "name": "slsa-framework", - "node_id": "MDEyOk9yZ2FuaXphdGlvbjgwNDMxMTg3", - "organizations_url": "https://api.github.com/users/slsa-framework/orgs", - "received_events_url": "https://api.github.com/users/slsa-framework/received_events", - "repos_url": "https://api.github.com/users/slsa-framework/repos", - "site_admin": false, - "starred_url": "https://api.github.com/users/slsa-framework/starred{/owner}{/repo}", - "subscriptions_url": "https://api.github.com/users/slsa-framework/subscriptions", - "type": "Organization", - "url": "https://api.github.com/users/slsa-framework" - }, - "private": false, - "pulls_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/pulls{/number}", - "pushed_at": 1699396985, - "releases_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/releases{/id}", - "size": 88467, - "ssh_url": "git@github.com:slsa-framework/slsa-verifier.git", - "stargazers": 170, - "stargazers_count": 170, - "stargazers_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/stargazers", - "statuses_url": 
"https://api.github.com/repos/slsa-framework/slsa-verifier/statuses/{sha}", - "subscribers_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/subscribers", - "subscription_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/subscription", - "svn_url": "https://github.com/slsa-framework/slsa-verifier", - "tags_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/tags", - "teams_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/teams", - "topics": [], - "trees_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/git/trees{/sha}", - "updated_at": "2023-10-17T17:58:10Z", - "url": "https://github.com/slsa-framework/slsa-verifier", - "visibility": "public", - "watchers": 170, - "watchers_count": 170, - "web_commit_signoff_required": true - }, - "sender": { - "avatar_url": "https://avatars.githubusercontent.com/u/64505099?v=4", - "events_url": "https://api.github.com/users/laurentsimon/events{/privacy}", - "followers_url": "https://api.github.com/users/laurentsimon/followers", - "following_url": "https://api.github.com/users/laurentsimon/following{/other_user}", - "gists_url": "https://api.github.com/users/laurentsimon/gists{/gist_id}", - "gravatar_id": "", - "html_url": "https://github.com/laurentsimon", - "id": 64505099, - "login": "laurentsimon", - "node_id": "MDQ6VXNlcjY0NTA1MDk5", - "organizations_url": "https://api.github.com/users/laurentsimon/orgs", - "received_events_url": "https://api.github.com/users/laurentsimon/received_events", - "repos_url": "https://api.github.com/users/laurentsimon/repos", - "site_admin": false, - "starred_url": "https://api.github.com/users/laurentsimon/starred{/owner}{/repo}", - "subscriptions_url": "https://api.github.com/users/laurentsimon/subscriptions", - "type": "User", - "url": "https://api.github.com/users/laurentsimon" - } - }, - "github_head_ref": "", - "github_ref": "refs/tags/v2.4.1", - "github_ref_type": "tag", - "github_repository_id": "474162642", - 
"github_repository_owner": "slsa-framework", - "github_repository_owner_id": "80431187", - "github_run_attempt": "1", - "github_run_id": "6791195934", - "github_run_number": "511", - "github_sha1": "7e1e47d7d793930ab0082c15c2b971fdb53a3c95", - "os": "ubuntu22" - } - }, - "buildConfig": { - "steps": [ - { - "workingDir": "/home/runner/work/slsa-verifier/slsa-verifier/__PROJECT_CHECKOUT_DIR__/cli/slsa-verifier", - "command": [ - "/opt/hostedtoolcache/go/1.20.10/x64/bin/go", - "mod", - "vendor" - ], - "env": null - }, - { - "workingDir": "/home/runner/work/slsa-verifier/slsa-verifier/__PROJECT_CHECKOUT_DIR__/cli/slsa-verifier", - "command": [ - "/opt/hostedtoolcache/go/1.20.10/x64/bin/go", - "build", - "-mod=vendor", - "-trimpath", - "-tags=netgo", - "-ldflags=-X sigs.k8s.io/release-utils/version.gitVersion=2.4.1", - "-o", - "slsa-verifier-linux-arm64" - ], - "env": [ - "GOOS=linux", - "GOARCH=arm64", - "GO111MODULE=on", - "CGO_ENABLED=0" - ] - } - ], - "version": 1 - }, - "metadata": { - "buildInvocationID": "6791195934-1", - "completeness": { - "parameters": true, - "environment": false, - "materials": false - }, - "reproducible": false - }, - "materials": [ - { - "uri": "git+https://github.com/slsa-framework/slsa-verifier@refs/tags/v2.4.1", - "digest": { - "sha1": "7e1e47d7d793930ab0082c15c2b971fdb53a3c95" - } - }, - { - "uri": "https://github.com/actions/virtual-environments/releases/tag/ubuntu22/20231030.2.0" - } - ] - } - }, - { - "_type": "https://in-toto.io/Statement/v0.1", - "predicateType": "https://slsa.dev/provenance/v0.2", - "subject": [ - { - "name": "slsa-verifier-windows-amd64.exe", - "digest": { - "sha256": "cda4a71f6e6fbfb32aa5b461b650d807503ad509145dc0df9b68adb9e23e674f" - } - } - ], - "predicate": { - "builder": { - "id": "https://github.com/slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@refs/tags/v1.8.0" - }, - "buildType": "https://github.com/slsa-framework/slsa-github-generator/go@v1", - "invocation": { - 
"configSource": { - "uri": "git+https://github.com/slsa-framework/slsa-verifier@refs/tags/v2.4.1", - "digest": { - "sha1": "7e1e47d7d793930ab0082c15c2b971fdb53a3c95" - }, - "entryPoint": ".github/workflows/release.yml" - }, - "parameters": {}, - "environment": { - "arch": "X64", - "github_actor": "laurentsimon", - "github_actor_id": "64505099", - "github_base_ref": "", - "github_event_name": "push", - "github_event_payload": { - "after": "7e1e47d7d793930ab0082c15c2b971fdb53a3c95", - "base_ref": "refs/heads/main", - "before": "0000000000000000000000000000000000000000", - "commits": [], - "compare": "https://github.com/slsa-framework/slsa-verifier/compare/v2.4.1", - "created": true, - "deleted": false, - "forced": false, - "head_commit": { - "author": { - "email": "64505099+laurentsimon@users.noreply.github.com", - "name": "laurentsimon", - "username": "laurentsimon" - }, - "committer": { - "email": "noreply@github.com", - "name": "GitHub", - "username": "web-flow" - }, - "distinct": true, - "id": "7e1e47d7d793930ab0082c15c2b971fdb53a3c95", - "message": "docs: update release doc and rm binary (#716)\n\nSigned-off-by: laurentsimon ", - "timestamp": "2023-10-16T13:44:13-07:00", - "tree_id": "b70b194feb7247be9885bfff95f9640c84d0b8f5", - "url": "https://github.com/slsa-framework/slsa-verifier/commit/7e1e47d7d793930ab0082c15c2b971fdb53a3c95" - }, - "organization": { - "avatar_url": "https://avatars.githubusercontent.com/u/80431187?v=4", - "description": "Supply-chain Levels for Software Artifacts", - "events_url": "https://api.github.com/orgs/slsa-framework/events", - "hooks_url": "https://api.github.com/orgs/slsa-framework/hooks", - "id": 80431187, - "issues_url": "https://api.github.com/orgs/slsa-framework/issues", - "login": "slsa-framework", - "members_url": "https://api.github.com/orgs/slsa-framework/members{/member}", - "node_id": "MDEyOk9yZ2FuaXphdGlvbjgwNDMxMTg3", - "public_members_url": "https://api.github.com/orgs/slsa-framework/public_members{/member}", - 
"repos_url": "https://api.github.com/orgs/slsa-framework/repos", - "url": "https://api.github.com/orgs/slsa-framework" - }, - "pusher": { - "email": "64505099+laurentsimon@users.noreply.github.com", - "name": "laurentsimon" - }, - "ref": "refs/tags/v2.4.1", - "repository": { - "allow_forking": true, - "archive_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/{archive_format}{/ref}", - "archived": false, - "assignees_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/assignees{/user}", - "blobs_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/git/blobs{/sha}", - "branches_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/branches{/branch}", - "clone_url": "https://github.com/slsa-framework/slsa-verifier.git", - "collaborators_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/collaborators{/collaborator}", - "comments_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/comments{/number}", - "commits_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/commits{/sha}", - "compare_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/compare/{base}...{head}", - "contents_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/contents/{+path}", - "contributors_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/contributors", - "created_at": 1648242107, - "custom_properties": {}, - "default_branch": "main", - "deployments_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/deployments", - "description": "Verify provenance from SLSA compliant builders", - "disabled": false, - "downloads_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/downloads", - "events_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/events", - "fork": false, - "forks": 35, - "forks_count": 35, - "forks_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/forks", - "full_name": "slsa-framework/slsa-verifier", - 
"git_commits_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/git/commits{/sha}", - "git_refs_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/git/refs{/sha}", - "git_tags_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/git/tags{/sha}", - "git_url": "git://github.com/slsa-framework/slsa-verifier.git", - "has_discussions": false, - "has_downloads": true, - "has_issues": true, - "has_pages": false, - "has_projects": true, - "has_wiki": true, - "homepage": "", - "hooks_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/hooks", - "html_url": "https://github.com/slsa-framework/slsa-verifier", - "id": 474162642, - "is_template": false, - "issue_comment_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/issues/comments{/number}", - "issue_events_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/issues/events{/number}", - "issues_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/issues{/number}", - "keys_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/keys{/key_id}", - "labels_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/labels{/name}", - "language": "Go", - "languages_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/languages", - "license": { - "key": "apache-2.0", - "name": "Apache License 2.0", - "node_id": "MDc6TGljZW5zZTI=", - "spdx_id": "Apache-2.0", - "url": "https://api.github.com/licenses/apache-2.0" - }, - "master_branch": "main", - "merges_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/merges", - "milestones_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/milestones{/number}", - "mirror_url": null, - "name": "slsa-verifier", - "node_id": "R_kgDOHEMl0g", - "notifications_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/notifications{?since,all,participating}", - "open_issues": 123, - "open_issues_count": 123, - "organization": "slsa-framework", - "owner": 
{ - "avatar_url": "https://avatars.githubusercontent.com/u/80431187?v=4", - "email": null, - "events_url": "https://api.github.com/users/slsa-framework/events{/privacy}", - "followers_url": "https://api.github.com/users/slsa-framework/followers", - "following_url": "https://api.github.com/users/slsa-framework/following{/other_user}", - "gists_url": "https://api.github.com/users/slsa-framework/gists{/gist_id}", - "gravatar_id": "", - "html_url": "https://github.com/slsa-framework", - "id": 80431187, - "login": "slsa-framework", - "name": "slsa-framework", - "node_id": "MDEyOk9yZ2FuaXphdGlvbjgwNDMxMTg3", - "organizations_url": "https://api.github.com/users/slsa-framework/orgs", - "received_events_url": "https://api.github.com/users/slsa-framework/received_events", - "repos_url": "https://api.github.com/users/slsa-framework/repos", - "site_admin": false, - "starred_url": "https://api.github.com/users/slsa-framework/starred{/owner}{/repo}", - "subscriptions_url": "https://api.github.com/users/slsa-framework/subscriptions", - "type": "Organization", - "url": "https://api.github.com/users/slsa-framework" - }, - "private": false, - "pulls_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/pulls{/number}", - "pushed_at": 1699396985, - "releases_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/releases{/id}", - "size": 88467, - "ssh_url": "git@github.com:slsa-framework/slsa-verifier.git", - "stargazers": 170, - "stargazers_count": 170, - "stargazers_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/stargazers", - "statuses_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/statuses/{sha}", - "subscribers_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/subscribers", - "subscription_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/subscription", - "svn_url": "https://github.com/slsa-framework/slsa-verifier", - "tags_url": 
"https://api.github.com/repos/slsa-framework/slsa-verifier/tags", - "teams_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/teams", - "topics": [], - "trees_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/git/trees{/sha}", - "updated_at": "2023-10-17T17:58:10Z", - "url": "https://github.com/slsa-framework/slsa-verifier", - "visibility": "public", - "watchers": 170, - "watchers_count": 170, - "web_commit_signoff_required": true - }, - "sender": { - "avatar_url": "https://avatars.githubusercontent.com/u/64505099?v=4", - "events_url": "https://api.github.com/users/laurentsimon/events{/privacy}", - "followers_url": "https://api.github.com/users/laurentsimon/followers", - "following_url": "https://api.github.com/users/laurentsimon/following{/other_user}", - "gists_url": "https://api.github.com/users/laurentsimon/gists{/gist_id}", - "gravatar_id": "", - "html_url": "https://github.com/laurentsimon", - "id": 64505099, - "login": "laurentsimon", - "node_id": "MDQ6VXNlcjY0NTA1MDk5", - "organizations_url": "https://api.github.com/users/laurentsimon/orgs", - "received_events_url": "https://api.github.com/users/laurentsimon/received_events", - "repos_url": "https://api.github.com/users/laurentsimon/repos", - "site_admin": false, - "starred_url": "https://api.github.com/users/laurentsimon/starred{/owner}{/repo}", - "subscriptions_url": "https://api.github.com/users/laurentsimon/subscriptions", - "type": "User", - "url": "https://api.github.com/users/laurentsimon" - } - }, - "github_head_ref": "", - "github_ref": "refs/tags/v2.4.1", - "github_ref_type": "tag", - "github_repository_id": "474162642", - "github_repository_owner": "slsa-framework", - "github_repository_owner_id": "80431187", - "github_run_attempt": "1", - "github_run_id": "6791195934", - "github_run_number": "511", - "github_sha1": "7e1e47d7d793930ab0082c15c2b971fdb53a3c95", - "os": "ubuntu22" - } - }, - "buildConfig": { - "steps": [ - { - "workingDir": 
"/home/runner/work/slsa-verifier/slsa-verifier/__PROJECT_CHECKOUT_DIR__/cli/slsa-verifier", - "command": [ - "/opt/hostedtoolcache/go/1.20.10/x64/bin/go", - "mod", - "vendor" - ], - "env": null - }, - { - "workingDir": "/home/runner/work/slsa-verifier/slsa-verifier/__PROJECT_CHECKOUT_DIR__/cli/slsa-verifier", - "command": [ - "/opt/hostedtoolcache/go/1.20.10/x64/bin/go", - "build", - "-mod=vendor", - "-trimpath", - "-tags=netgo", - "-ldflags=-X sigs.k8s.io/release-utils/version.gitVersion=2.4.1", - "-o", - "slsa-verifier-windows-amd64.exe" - ], - "env": [ - "GOOS=windows", - "GOARCH=amd64", - "GO111MODULE=on", - "CGO_ENABLED=0" - ] - } - ], - "version": 1 - }, - "metadata": { - "buildInvocationID": "6791195934-1", - "completeness": { - "parameters": true, - "environment": false, - "materials": false - }, - "reproducible": false - }, - "materials": [ - { - "uri": "git+https://github.com/slsa-framework/slsa-verifier@refs/tags/v2.4.1", - "digest": { - "sha1": "7e1e47d7d793930ab0082c15c2b971fdb53a3c95" - } - }, - { - "uri": "https://github.com/actions/virtual-environments/releases/tag/ubuntu22/20231030.2.0" - } - ] - } - }, - { - "_type": "https://in-toto.io/Statement/v0.1", - "predicateType": "https://slsa.dev/provenance/v0.2", - "subject": [ - { - "name": "slsa-verifier-windows-arm64.exe", - "digest": { - "sha256": "8f0b03c01271c7228e99f21c89b99c0b02dc0cc7bdce0fe842af1dc7554d644f" - } - } - ], - "predicate": { - "builder": { - "id": "https://github.com/slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@refs/tags/v1.8.0" - }, - "buildType": "https://github.com/slsa-framework/slsa-github-generator/go@v1", - "invocation": { - "configSource": { - "uri": "git+https://github.com/slsa-framework/slsa-verifier@refs/tags/v2.4.1", - "digest": { - "sha1": "7e1e47d7d793930ab0082c15c2b971fdb53a3c95" - }, - "entryPoint": ".github/workflows/release.yml" - }, - "parameters": {}, - "environment": { - "arch": "X64", - "github_actor": "laurentsimon", - 
"github_actor_id": "64505099", - "github_base_ref": "", - "github_event_name": "push", - "github_event_payload": { - "after": "7e1e47d7d793930ab0082c15c2b971fdb53a3c95", - "base_ref": "refs/heads/main", - "before": "0000000000000000000000000000000000000000", - "commits": [], - "compare": "https://github.com/slsa-framework/slsa-verifier/compare/v2.4.1", - "created": true, - "deleted": false, - "forced": false, - "head_commit": { - "author": { - "email": "64505099+laurentsimon@users.noreply.github.com", - "name": "laurentsimon", - "username": "laurentsimon" - }, - "committer": { - "email": "noreply@github.com", - "name": "GitHub", - "username": "web-flow" - }, - "distinct": true, - "id": "7e1e47d7d793930ab0082c15c2b971fdb53a3c95", - "message": "docs: update release doc and rm binary (#716)\n\nSigned-off-by: laurentsimon ", - "timestamp": "2023-10-16T13:44:13-07:00", - "tree_id": "b70b194feb7247be9885bfff95f9640c84d0b8f5", - "url": "https://github.com/slsa-framework/slsa-verifier/commit/7e1e47d7d793930ab0082c15c2b971fdb53a3c95" - }, - "organization": { - "avatar_url": "https://avatars.githubusercontent.com/u/80431187?v=4", - "description": "Supply-chain Levels for Software Artifacts", - "events_url": "https://api.github.com/orgs/slsa-framework/events", - "hooks_url": "https://api.github.com/orgs/slsa-framework/hooks", - "id": 80431187, - "issues_url": "https://api.github.com/orgs/slsa-framework/issues", - "login": "slsa-framework", - "members_url": "https://api.github.com/orgs/slsa-framework/members{/member}", - "node_id": "MDEyOk9yZ2FuaXphdGlvbjgwNDMxMTg3", - "public_members_url": "https://api.github.com/orgs/slsa-framework/public_members{/member}", - "repos_url": "https://api.github.com/orgs/slsa-framework/repos", - "url": "https://api.github.com/orgs/slsa-framework" - }, - "pusher": { - "email": "64505099+laurentsimon@users.noreply.github.com", - "name": "laurentsimon" - }, - "ref": "refs/tags/v2.4.1", - "repository": { - "allow_forking": true, - "archive_url": 
"https://api.github.com/repos/slsa-framework/slsa-verifier/{archive_format}{/ref}", - "archived": false, - "assignees_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/assignees{/user}", - "blobs_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/git/blobs{/sha}", - "branches_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/branches{/branch}", - "clone_url": "https://github.com/slsa-framework/slsa-verifier.git", - "collaborators_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/collaborators{/collaborator}", - "comments_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/comments{/number}", - "commits_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/commits{/sha}", - "compare_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/compare/{base}...{head}", - "contents_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/contents/{+path}", - "contributors_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/contributors", - "created_at": 1648242107, - "custom_properties": {}, - "default_branch": "main", - "deployments_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/deployments", - "description": "Verify provenance from SLSA compliant builders", - "disabled": false, - "downloads_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/downloads", - "events_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/events", - "fork": false, - "forks": 35, - "forks_count": 35, - "forks_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/forks", - "full_name": "slsa-framework/slsa-verifier", - "git_commits_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/git/commits{/sha}", - "git_refs_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/git/refs{/sha}", - "git_tags_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/git/tags{/sha}", - "git_url": 
"git://github.com/slsa-framework/slsa-verifier.git", - "has_discussions": false, - "has_downloads": true, - "has_issues": true, - "has_pages": false, - "has_projects": true, - "has_wiki": true, - "homepage": "", - "hooks_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/hooks", - "html_url": "https://github.com/slsa-framework/slsa-verifier", - "id": 474162642, - "is_template": false, - "issue_comment_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/issues/comments{/number}", - "issue_events_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/issues/events{/number}", - "issues_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/issues{/number}", - "keys_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/keys{/key_id}", - "labels_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/labels{/name}", - "language": "Go", - "languages_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/languages", - "license": { - "key": "apache-2.0", - "name": "Apache License 2.0", - "node_id": "MDc6TGljZW5zZTI=", - "spdx_id": "Apache-2.0", - "url": "https://api.github.com/licenses/apache-2.0" - }, - "master_branch": "main", - "merges_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/merges", - "milestones_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/milestones{/number}", - "mirror_url": null, - "name": "slsa-verifier", - "node_id": "R_kgDOHEMl0g", - "notifications_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/notifications{?since,all,participating}", - "open_issues": 123, - "open_issues_count": 123, - "organization": "slsa-framework", - "owner": { - "avatar_url": "https://avatars.githubusercontent.com/u/80431187?v=4", - "email": null, - "events_url": "https://api.github.com/users/slsa-framework/events{/privacy}", - "followers_url": "https://api.github.com/users/slsa-framework/followers", - "following_url": 
"https://api.github.com/users/slsa-framework/following{/other_user}", - "gists_url": "https://api.github.com/users/slsa-framework/gists{/gist_id}", - "gravatar_id": "", - "html_url": "https://github.com/slsa-framework", - "id": 80431187, - "login": "slsa-framework", - "name": "slsa-framework", - "node_id": "MDEyOk9yZ2FuaXphdGlvbjgwNDMxMTg3", - "organizations_url": "https://api.github.com/users/slsa-framework/orgs", - "received_events_url": "https://api.github.com/users/slsa-framework/received_events", - "repos_url": "https://api.github.com/users/slsa-framework/repos", - "site_admin": false, - "starred_url": "https://api.github.com/users/slsa-framework/starred{/owner}{/repo}", - "subscriptions_url": "https://api.github.com/users/slsa-framework/subscriptions", - "type": "Organization", - "url": "https://api.github.com/users/slsa-framework" - }, - "private": false, - "pulls_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/pulls{/number}", - "pushed_at": 1699396985, - "releases_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/releases{/id}", - "size": 88467, - "ssh_url": "git@github.com:slsa-framework/slsa-verifier.git", - "stargazers": 170, - "stargazers_count": 170, - "stargazers_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/stargazers", - "statuses_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/statuses/{sha}", - "subscribers_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/subscribers", - "subscription_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/subscription", - "svn_url": "https://github.com/slsa-framework/slsa-verifier", - "tags_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/tags", - "teams_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/teams", - "topics": [], - "trees_url": "https://api.github.com/repos/slsa-framework/slsa-verifier/git/trees{/sha}", - "updated_at": "2023-10-17T17:58:10Z", - "url": 
"https://github.com/slsa-framework/slsa-verifier", - "visibility": "public", - "watchers": 170, - "watchers_count": 170, - "web_commit_signoff_required": true - }, - "sender": { - "avatar_url": "https://avatars.githubusercontent.com/u/64505099?v=4", - "events_url": "https://api.github.com/users/laurentsimon/events{/privacy}", - "followers_url": "https://api.github.com/users/laurentsimon/followers", - "following_url": "https://api.github.com/users/laurentsimon/following{/other_user}", - "gists_url": "https://api.github.com/users/laurentsimon/gists{/gist_id}", - "gravatar_id": "", - "html_url": "https://github.com/laurentsimon", - "id": 64505099, - "login": "laurentsimon", - "node_id": "MDQ6VXNlcjY0NTA1MDk5", - "organizations_url": "https://api.github.com/users/laurentsimon/orgs", - "received_events_url": "https://api.github.com/users/laurentsimon/received_events", - "repos_url": "https://api.github.com/users/laurentsimon/repos", - "site_admin": false, - "starred_url": "https://api.github.com/users/laurentsimon/starred{/owner}{/repo}", - "subscriptions_url": "https://api.github.com/users/laurentsimon/subscriptions", - "type": "User", - "url": "https://api.github.com/users/laurentsimon" - } - }, - "github_head_ref": "", - "github_ref": "refs/tags/v2.4.1", - "github_ref_type": "tag", - "github_repository_id": "474162642", - "github_repository_owner": "slsa-framework", - "github_repository_owner_id": "80431187", - "github_run_attempt": "1", - "github_run_id": "6791195934", - "github_run_number": "511", - "github_sha1": "7e1e47d7d793930ab0082c15c2b971fdb53a3c95", - "os": "ubuntu22" - } - }, - "buildConfig": { - "steps": [ - { - "workingDir": "/home/runner/work/slsa-verifier/slsa-verifier/__PROJECT_CHECKOUT_DIR__/cli/slsa-verifier", - "command": [ - "/opt/hostedtoolcache/go/1.20.10/x64/bin/go", - "mod", - "vendor" - ], - "env": null - }, - { - "workingDir": "/home/runner/work/slsa-verifier/slsa-verifier/__PROJECT_CHECKOUT_DIR__/cli/slsa-verifier", - "command": [ - 
"/opt/hostedtoolcache/go/1.20.10/x64/bin/go", - "build", - "-mod=vendor", - "-trimpath", - "-tags=netgo", - "-ldflags=-X sigs.k8s.io/release-utils/version.gitVersion=2.4.1", - "-o", - "slsa-verifier-windows-arm64.exe" - ], - "env": [ - "GOOS=windows", - "GOARCH=arm64", - "CGO_ENABLED=0", - "GO111MODULE=on" - ] - } - ], - "version": 1 - }, - "metadata": { - "buildInvocationID": "6791195934-1", - "completeness": { - "parameters": true, - "environment": false, - "materials": false - }, - "reproducible": false - }, - "materials": [ - { - "uri": "git+https://github.com/slsa-framework/slsa-verifier@refs/tags/v2.4.1", - "digest": { - "sha1": "7e1e47d7d793930ab0082c15c2b971fdb53a3c95" - } - }, - { - "uri": "https://github.com/actions/virtual-environments/releases/tag/ubuntu22/20231030.2.0" - } - ] - } - } - ], - "Maven Central Registry": [], - "npm Registry": [] - } - }, - "checks": { - "summary": { - "DISABLED": 0, - "FAILED": 2, - "PASSED": 7, - "SKIPPED": 0, - "UNKNOWN": 1 - }, - "results": [ - { - "check_id": "mcn_provenance_expectation_1", - "check_description": "Check whether the SLSA provenance for the produced artifact conforms to the expected value.", - "slsa_requirements": [ - "Provenance conforms with expectations - SLSA Level 3" - ], - "justification": [ - "No expectation defined for this repository." - ], - "result_type": "UNKNOWN" - }, - { - "check_id": "mcn_build_as_code_1", - "check_description": "The build definition and configuration executed by the build service is verifiably derived from text file definitions stored in a version control system.", - "slsa_requirements": [ - "Build as code - SLSA Level 3" - ], - "justification": [ - "Check mcn_build_as_code_1 is set to PASSED because mcn_trusted_builder_level_three_1 PASSED." 
- ], - "result_type": "PASSED" - }, - { - "check_id": "mcn_build_script_1", - "check_description": "Check if the target repo has a valid build script.", - "slsa_requirements": [ - "Scripted Build - SLSA Level 1" - ], - "justification": [ - "Check mcn_build_script_1 is set to PASSED because mcn_build_service_1 PASSED." - ], - "result_type": "PASSED" - }, - { - "check_id": "mcn_build_service_1", - "check_description": "Check if the target repo has a valid build service.", - "slsa_requirements": [ - "Build service - SLSA Level 2" - ], - "justification": [ - "Check mcn_build_service_1 is set to PASSED because mcn_build_as_code_1 PASSED." - ], - "result_type": "PASSED" - }, - { - "check_id": "mcn_provenance_available_1", - "check_description": "Check whether the target has intoto provenance.", - "slsa_requirements": [ - "Provenance - Available - SLSA Level 1", - "Provenance content - Identifies build instructions - SLSA Level 1", - "Provenance content - Identifies artifacts - SLSA Level 1", - "Provenance content - Identifies builder - SLSA Level 1" - ], - "justification": [ - "Found provenance in release assets:", - "https://api.github.com/repos/slsa-framework/slsa-verifier/releases/assets/134437052", - "https://api.github.com/repos/slsa-framework/slsa-verifier/releases/assets/134437111", - "https://api.github.com/repos/slsa-framework/slsa-verifier/releases/assets/134437099", - "https://api.github.com/repos/slsa-framework/slsa-verifier/releases/assets/134437059", - "https://api.github.com/repos/slsa-framework/slsa-verifier/releases/assets/134437166", - "https://api.github.com/repos/slsa-framework/slsa-verifier/releases/assets/134437048" - ], - "result_type": "PASSED" - }, - { - "check_id": "mcn_provenance_level_three_1", - "check_description": "Check whether the target has SLSA provenance level 3.", - "slsa_requirements": [ - "Provenance - Non falsifiable - SLSA Level 3", - "Provenance content - Includes all build parameters - SLSA Level 3", - "Provenance content - 
Identifies entry point - SLSA Level 3", - "Provenance content - Identifies source code - SLSA Level 2" - ], - "justification": [ - "Successfully verified level 3: ", - "verify passed : slsa-verifier-darwin-amd64,verify passed : slsa-verifier-darwin-arm64,verify passed : slsa-verifier-linux-amd64,verify passed : slsa-verifier-linux-arm64,verify passed : slsa-verifier-windows-amd64.exe,verify passed : slsa-verifier-windows-arm64.exe" - ], - "result_type": "PASSED" - }, - { - "check_id": "mcn_trusted_builder_level_three_1", - "check_description": "Check whether the target uses a trusted SLSA level 3 builder.", - "slsa_requirements": [ - "Hermetic - SLSA Level 4", - "Isolated - SLSA Level 3", - "Parameterless - SLSA Level 4", - "Ephemeral environment - SLSA Level 3" - ], - "justification": [ - { - "Found trusted builder GitHub Actions: slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@v1.8.0 triggered by": "https://github.com/slsa-framework/slsa-verifier/blob/7e1e47d7d793930ab0082c15c2b971fdb53a3c95/.github/workflows/release.yml" - }, - { - "The status of the build can be seen at": "https://github.com/slsa-framework/slsa-verifier/actions/runs/6791195934" - } - ], - "result_type": "PASSED" - }, - { - "check_id": "mcn_version_control_system_1", - "check_description": "Check whether the target repo uses a version control system.", - "slsa_requirements": [ - "Version controlled - SLSA Level 2" - ], - "justification": [ - { - "This is a Git repository": "https://github.com/slsa-framework/slsa-verifier" - } - ], - "result_type": "PASSED" - }, - { - "check_id": "mcn_infer_artifact_pipeline_1", - "check_description": "Detects potential pipelines from which an artifact is published.", - "slsa_requirements": [ - "Build as code - SLSA Level 3" - ], - "justification": [ - "Unable to find a publishing timestamp for the artifact." 
- ], - "result_type": "FAILED" - }, - { - "check_id": "mcn_provenance_witness_level_one_1", - "check_description": "Check whether the target has a level-1 witness provenance.", - "slsa_requirements": [ - "Provenance - Available - SLSA Level 1", - "Provenance content - Identifies build instructions - SLSA Level 1", - "Provenance content - Identifies artifacts - SLSA Level 1", - "Provenance content - Identifies builder - SLSA Level 1" - ], - "justification": [ - "Failed to discover any witness provenance." - ], - "result_type": "FAILED" - } - ] - } - }, - "dependencies": { - "analyzed_deps": 0, - "unique_dep_repos": 0, - "checks_summary": [ - { - "check_id": "mcn_build_script_1", - "num_deps_pass": 0 - }, - { - "check_id": "mcn_build_service_1", - "num_deps_pass": 0 - }, - { - "check_id": "mcn_trusted_builder_level_three_1", - "num_deps_pass": 0 - }, - { - "check_id": "mcn_version_control_system_1", - "num_deps_pass": 0 - }, - { - "check_id": "mcn_build_as_code_1", - "num_deps_pass": 0 - }, - { - "check_id": "mcn_provenance_available_1", - "num_deps_pass": 0 - }, - { - "check_id": "mcn_provenance_expectation_1", - "num_deps_pass": 0 - }, - { - "check_id": "mcn_infer_artifact_pipeline_1", - "num_deps_pass": 0 - }, - { - "check_id": "mcn_provenance_witness_level_one_1", - "num_deps_pass": 0 - }, - { - "check_id": "mcn_provenance_level_three_1", - "num_deps_pass": 0 - } - ], - "dep_status": [] - } -} From 2f3e53480d5cf0b279659c6d8a4d173193c6790b Mon Sep 17 00:00:00 2001 From: Nathan Nguyen Date: Thu, 11 Jan 2024 15:35:22 +1000 Subject: [PATCH 26/30] chore: add instructions to manually inspect the VSA payload Signed-off-by: Nathan Nguyen --- src/macaron/__main__.py | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/src/macaron/__main__.py b/src/macaron/__main__.py index 345b67fd5..e5a7aeb73 100644 --- a/src/macaron/__main__.py +++ b/src/macaron/__main__.py 
@@ -154,6 +154,10 @@ def verify_policy(verify_policy_args: argparse.Namespace) -> int: if vsa is not None: vsa_filepath = os.path.join(global_config.output_path, "vsa.intoto.jsonl") logger.info("Generating the Verification Summary Attestation (VSA) to %s.", vsa_filepath) + logger.info( + "To decode and inspect the payload, run `cat %s | jq -r '.payload' | base64 -d | jq`.", + vsa_filepath, + ) try: with open(vsa_filepath, mode="w", encoding="utf-8") as file: file.write(json.dumps(vsa)) From 977683d96907d33d068d2dfd3791a82a25e20f17 Mon Sep 17 00:00:00 2001 From: Nathan Nguyen Date: Thu, 11 Jan 2024 15:45:15 +1000 Subject: [PATCH 27/30] chore: fix typo in vsa doc page Signed-off-by: Nathan Nguyen --- docs/source/pages/vsa.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/source/pages/vsa.rst b/docs/source/pages/vsa.rst index 5d21fbd8d..94c1e6850 100644 --- a/docs/source/pages/vsa.rst +++ b/docs/source/pages/vsa.rst @@ -104,7 +104,7 @@ The following is the schema of the Statement layer: The verification result. The result of ``"PASSED"`` means the subject software component conforms to the policy. * ``verificationResult``: array (`SlsaResult`_), required - Indicates the highest level of each SLSA track verified for the software component (and not its dependencies), or “FAILED” if policy verification failed. + Indicates the highest level of each SLSA track verified for the software component (and not its dependencies), or ``"FAILED"`` if policy verification failed. *Note: For the current version of Macaron, this is left empty.* From d2d8bbf31e8d676035776e73618c64fbc4ab4a88 Mon Sep 17 00:00:00 2001 From: Nathan Nguyen Date: Thu, 11 Jan 2024 15:47:29 +1000 Subject: [PATCH 28/30] chore: remove reference of 'type' in docstring for special in-toto value type Signed-off-by: Nathan Nguyen --- src/macaron/vsa/vsa.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
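Review bot: The new `logger.info(...)` hint is emitted before the `try` that writes the file, so on the `OSError` path the user has already been told how to decode a `vsa.intoto.jsonl` that was never created; move the hint into an `else:` clause of that `try` (or directly after the successful `file.write`) so it only appears once `vsa_filepath` exists. The interpolated `vsa_filepath` is also pasted unquoted into a shell pipeline, so an output path containing spaces or shell metacharacters makes the suggested command fail or behave unexpectedly; passing `shlex.quote(vsa_filepath)` as the `%s` argument (stdlib `shlex`, which would need importing at the top of the module) keeps the copy-pasted command safe, and `jq -r '.payload' %s | base64 -d | jq` avoids the redundant `cat`. The `try`/`except OSError` and the enclosing `verify_policy()` both extend beyond this hunk.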
diff --git a/src/macaron/vsa/vsa.py b/src/macaron/vsa/vsa.py index 6d620677e..4c451aca1 100644 --- a/src/macaron/vsa/vsa.py +++ b/src/macaron/vsa/vsa.py @@ -109,7 +109,7 @@ class Verifier(TypedDict): This field provides the identity of the verifier, as well as the versioning details of its components. """ - #: The identity of the verifier as a value of type + #: The identity of the verifier as a #: `TypeURI `_. id: str # noqa: A003 From 5d7cd6f1279cd0f82ec366f1423cee756cb8a925 Mon Sep 17 00:00:00 2001 From: Nathan Nguyen Date: Thu, 11 Jan 2024 15:58:20 +1000 Subject: [PATCH 29/30] chore: fix rst reference errors Signed-off-by: Nathan Nguyen --- docs/source/pages/vsa.rst | 4 ++-- src/macaron/vsa/vsa.py | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/docs/source/pages/vsa.rst b/docs/source/pages/vsa.rst index 94c1e6850..42c706d43 100644 --- a/docs/source/pages/vsa.rst +++ b/docs/source/pages/vsa.rst @@ -72,7 +72,7 @@ The following is the schema of the Statement layer: * ``subject``: array of `ResourceDescriptor`_ objects Subjects of the VSA. Each entry is a software component being verified by Macaron. - *Note: In the current version of Macaron, this field only contains one single software component, identified by a `PackageURL`_.* + *Note: In the current version of Macaron, this field only contains one single software component, identified by a* `PackageURL`_. * ``predicateType``: string (`TypeURI`_) Identifier for the type of the Predicate. For Macaron-generated VSAs, this is always ``https://slsa.dev/verification_summary/v1``. 
@@ -92,7 +92,7 @@ The following is the schema of the Statement layer: * ``predicate.resourceUri``: string (`ResourceURI`_) URI identifying the resource associated with the software component being verified. - *Note: In the current version of Macaron, the value of this field is similar to the `PackageURL`_ identifying the only subject software component of the VSA.* + *Note: In the current version of Macaron, the value of this field is similar to the* `PackageURL`_ *identifying the only subject software component of the VSA.* * ``policy``: object Details about the policy that the subject software component was verified against. diff --git a/src/macaron/vsa/vsa.py b/src/macaron/vsa/vsa.py index 4c451aca1..60c704e21 100644 --- a/src/macaron/vsa/vsa.py +++ b/src/macaron/vsa/vsa.py @@ -51,8 +51,8 @@ class VsaStatement(TypedDict): #: Subjects of the VSA. #: Each entry is a software component being verified by Macaron. - #: *Note: In the current version of Macaron, this field only contains one single - #: software component, identified by a `PackageURL`_.* + #: Note: In the current version of Macaron, this field only contains one single + #: software component, identified by a `PackageURL `_. subject: list[dict] #: Identifier for the type of the Predicate. From 3ac8eafe8cd6260a3e991e2e8afdeb39bef97760 Mon Sep 17 00:00:00 2001 From: Nathan Nguyen Date: Thu, 11 Jan 2024 16:55:14 +1000 Subject: [PATCH 30/30] chore: reference the output files for macaron verify-policy section directly Signed-off-by: Nathan Nguyen --- docs/source/pages/output_files.rst | 2 ++ docs/source/pages/vsa.rst | 2 +- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/docs/source/pages/output_files.rst b/docs/source/pages/output_files.rst index 77d156bf4..05a19b59e 100644 --- a/docs/source/pages/output_files.rst +++ b/docs/source/pages/output_files.rst 
@@ -133,6 +133,8 @@ to the directory: .. note:: Please see :ref:`pages/using:analyzing a locally cloned repository` to know how to set the directory for analyzing local repositories. +.. _output_files_macaron_verify_policy: + ------------------------------------- Output files of macaron verify-policy ------------------------------------- diff --git a/docs/source/pages/vsa.rst b/docs/source/pages/vsa.rst index 42c706d43..44b14ec27 100644 --- a/docs/source/pages/vsa.rst +++ b/docs/source/pages/vsa.rst @@ -167,4 +167,4 @@ This policy enforces the subject software component to pass 3 Macaron checks: * ``mcn_provenance_level_three_1`` * ``mcn_provenance_available_1`` -For more details on using the Macaron VSA generation feature and inspecting the resulting VSA, please refer to the :ref:`Output File Guide `. +For more details on using the Macaron VSA generation feature and inspecting the resulting VSA, please refer to the :ref:`Output files of macaron verify-policy section `.