diff --git a/go.mod b/go.mod
index 0dbb3ed36..444e99884 100644
--- a/go.mod
+++ b/go.mod
@@ -23,7 +23,7 @@ require (
 github.com/sigstore/sigstore v1.8.4
 github.com/spf13/cobra v1.8.0
 github.com/spf13/pflag v1.0.5
- github.com/tektoncd/chains v0.21.0
+ github.com/tektoncd/chains v0.21.1
 github.com/tektoncd/hub v1.17.0
 github.com/tektoncd/pipeline v0.60.2
 github.com/tektoncd/plumbing v0.0.0-20230907180608-5625252a2de1
diff --git a/go.sum b/go.sum
index fd3fc2493..15b06d742 100644
--- a/go.sum
+++ b/go.sum
@@ -1287,8 +1287,8 @@ github.com/syndtr/goleveldb v1.0.1-0.20220721030215-126854af5e6d h1:vfofYNRScrDd
 github.com/syndtr/goleveldb v1.0.1-0.20220721030215-126854af5e6d/go.mod h1:RRCYJbIwD5jmqPI9XoAFR0OcDxqUctll6zUj/+B4S48=
 github.com/tchap/go-patricia/v2 v2.3.1 h1:6rQp39lgIYZ+MHmdEq4xzuk1t7OdC35z/xm0BGhTkes=
 github.com/tchap/go-patricia/v2 v2.3.1/go.mod h1:VZRHKAb53DLaG+nA9EaYYiaEx6YztwDlLElMsnSHD4k=
-github.com/tektoncd/chains v0.21.0 h1:ABv2/xFtxPi3rFj0Yd5DVKC4zp5AmswiAxk+XZjdy6Y=
-github.com/tektoncd/chains v0.21.0/go.mod h1:iC6MunbSGJrES1RH+zR0gBOCXXr15hi2SPgVBseYq4Y=
+github.com/tektoncd/chains v0.21.1 h1:Q3Bw4XS9bImzTplVZZOUD6Yn67sIVSF1oo7WeEFeeY4=
+github.com/tektoncd/chains v0.21.1/go.mod h1:iC6MunbSGJrES1RH+zR0gBOCXXr15hi2SPgVBseYq4Y=
 github.com/tektoncd/hub v1.17.0 h1:BKUDeQoC7PLlJmeNt86eEP4lYBXE5pIUZYlrgHcVwl4=
 github.com/tektoncd/hub v1.17.0/go.mod h1:8SnC66jMZtYFVuh70U1wN91/tJpi7nQX+7V5YsnWIAE=
 github.com/tektoncd/pipeline v0.60.2 h1:MrVSuSgmXDU4QHa9N/ubYbRE3AkoafL/S9pyeH2I/Gk=
diff --git a/vendor/github.com/tektoncd/chains/pkg/chains/formats/format.go b/vendor/github.com/tektoncd/chains/pkg/chains/formats/format.go
index 797240f99..4caabbc88 100644
--- a/vendor/github.com/tektoncd/chains/pkg/chains/formats/format.go
+++ b/vendor/github.com/tektoncd/chains/pkg/chains/formats/format.go
@@ -25,6 +25,7 @@ type Payloader interface {
 CreatePayload(ctx context.Context, obj interface{}) (interface{}, error)
 Type() config.PayloadType
 Wrap() bool
+ RetrieveAllArtifactURIs(ctx context.Context, obj interface{}) ([]string, error)
 }
 const (
diff --git a/vendor/github.com/tektoncd/chains/pkg/chains/formats/simple/simple.go b/vendor/github.com/tektoncd/chains/pkg/chains/formats/simple/simple.go
index 10c464f96..108957477 100644
--- a/vendor/github.com/tektoncd/chains/pkg/chains/formats/simple/simple.go
+++ b/vendor/github.com/tektoncd/chains/pkg/chains/formats/simple/simple.go
@@ -69,3 +69,8 @@ func (i SimpleContainerImage) ImageName() string {
 func (i *SimpleSigning) Type() config.PayloadType {
 return formats.PayloadTypeSimpleSigning
 }
+
+// RetrieveAllArtifactURIs returns always an error, feature not available for simplesigning formatter.
+func (i *SimpleSigning) RetrieveAllArtifactURIs(_ context.Context, _ interface{}) ([]string, error) {
+ return nil, fmt.Errorf("RetrieveAllArtifactURIs not supported for simeplesining formatter")
+}
diff --git a/vendor/github.com/tektoncd/chains/pkg/chains/signing.go b/vendor/github.com/tektoncd/chains/pkg/chains/signing.go
index 453bad982..ce0bb380a 100644
--- a/vendor/github.com/tektoncd/chains/pkg/chains/signing.go
+++ b/vendor/github.com/tektoncd/chains/pkg/chains/signing.go
@@ -20,6 +20,7 @@ import (
 "fmt"
 "github.com/hashicorp/go-multierror"
+ intoto "github.com/in-toto/attestation/go/v1"
 "github.com/tektoncd/chains/pkg/artifacts"
 "github.com/tektoncd/chains/pkg/chains/formats"
 "github.com/tektoncd/chains/pkg/chains/objects"
@@ -29,6 +30,7 @@ import (
 "github.com/tektoncd/chains/pkg/chains/storage"
 "github.com/tektoncd/chains/pkg/config"
 versioned "github.com/tektoncd/pipeline/pkg/client/clientset/versioned"
+ "google.golang.org/protobuf/encoding/protojson"
 "k8s.io/apimachinery/pkg/util/sets"
 "knative.dev/pkg/logging"
 )
@@ -169,7 +171,7 @@ func (o *ObjectSigner) Sign(ctx context.Context, tektonObj objects.TektonObject)
 }
 logger.Infof("Signing object with %s", signerType)
- rawPayload, err := json.Marshal(payload)
+ rawPayload, err := getRawPayload(payload)
 if err != nil {
 logger.Warnf("Unable to marshal payload: %v", signerType, obj)
 continue
@@ -248,3 +250,19 @@ func HandleRetry(ctx context.Context, obj objects.TektonObject, ps versioned.Int
 }
 return MarkFailed(ctx, obj, ps, annotations)
 }
+
+// getRawPayload returns the payload as a json string. If the given payload is a intoto.Statement type, protojson.Marshal
+// is used to get the proper labels/field names in the resulting json.
+func getRawPayload(payload interface{}) ([]byte, error) {
+ switch payloadObj := payload.(type) {
+ case intoto.Statement:
+ return protojson.Marshal(&payloadObj)
+ case *intoto.Statement:
+ if payloadObj == nil {
+ return json.Marshal(payload)
+ }
+ return protojson.Marshal(payloadObj)
+ default:
+ return json.Marshal(payload)
+ }
+}
diff --git a/vendor/github.com/tektoncd/chains/pkg/chains/storage/grafeas/grafeas.go b/vendor/github.com/tektoncd/chains/pkg/chains/storage/grafeas/grafeas.go
index 7f04f3e86..ef86b87ac 100644
--- a/vendor/github.com/tektoncd/chains/pkg/chains/storage/grafeas/grafeas.go
+++ b/vendor/github.com/tektoncd/chains/pkg/chains/storage/grafeas/grafeas.go
@@ -253,7 +253,7 @@ func (b *Backend) createOccurrence(ctx context.Context, obj objects.TektonObject
 }
 // create Occurrence_Build for TaskRun
- allURIs := extract.RetrieveAllArtifactURIs(ctx, obj, b.cfg.Artifacts.PipelineRuns.DeepInspectionEnabled)
+ allURIs := b.getAllArtifactURIs(ctx, opts.PayloadFormat, obj)
 for _, uri := range allURIs {
 occ, err := b.createBuildOccurrence(ctx, obj, payload, signature, uri)
 if err != nil {
@@ -264,6 +264,22 @@ func (b *Backend) createOccurrence(ctx context.Context, obj objects.TektonObject
 return occs, nil
 }
+func (b *Backend) getAllArtifactURIs(ctx context.Context, payloadFormat config.PayloadType, obj objects.TektonObject) []string {
+ logger := logging.FromContext(ctx)
+ payloader, err := formats.GetPayloader(payloadFormat, b.cfg)
+ if err != nil {
+ logger.Infof("couldn't get payloader for %v format, will use extract.RetrieveAllArtifactURIs method instead", payloadFormat)
+ return extract.RetrieveAllArtifactURIs(ctx, obj, b.cfg.Artifacts.PipelineRuns.DeepInspectionEnabled)
+ }
+
+ if uris, err := payloader.RetrieveAllArtifactURIs(ctx, obj); err == nil {
+ return uris
+ }
+
+ logger.Infof("couldn't get URIs from payloader %v, will use extract.RetrieveAllArtifactURIs method instead", payloadFormat)
+ return extract.RetrieveAllArtifactURIs(ctx, obj, b.cfg.Artifacts.PipelineRuns.DeepInspectionEnabled)
+}
+
 func (b *Backend) createAttestationOccurrence(ctx context.Context, payload []byte, signature string, uri string) (*pb.Occurrence, error) {
 occurrenceDetails := &pb.Occurrence_Attestation{
 Attestation: &pb.AttestationOccurrence{
@@ -364,7 +380,7 @@ func (b *Backend) getBuildNotePath(obj objects.TektonObject) string {
 func (b *Backend) getAllOccurrences(ctx context.Context, obj objects.TektonObject, opts config.StorageOpts) ([]*pb.Occurrence, error) {
 result := []*pb.Occurrence{}
 // step 1: get all resource URIs created under the taskrun
- uriFilters := extract.RetrieveAllArtifactURIs(ctx, obj, b.cfg.Artifacts.PipelineRuns.DeepInspectionEnabled)
+ uriFilters := b.getAllArtifactURIs(ctx, opts.PayloadFormat, obj)
 // step 2: find all build occurrences
 if _, ok := formats.IntotoAttestationSet[opts.PayloadFormat]; ok {
diff --git a/vendor/modules.txt b/vendor/modules.txt
index 7e5da8169..d214aab5c 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -1328,7 +1328,7 @@ github.com/syndtr/goleveldb/leveldb/opt
 github.com/syndtr/goleveldb/leveldb/storage
 github.com/syndtr/goleveldb/leveldb/table
 github.com/syndtr/goleveldb/leveldb/util
-# github.com/tektoncd/chains v0.21.0
+# github.com/tektoncd/chains v0.21.1
 ## explicit; go 1.21
 github.com/tektoncd/chains/internal/backport
 github.com/tektoncd/chains/pkg/artifacts