From 81f8fedf4d524645bc1a809a936c93e6e6a75b80 Mon Sep 17 00:00:00 2001
From: Christopher Phillips
Date: Fri, 20 Jan 2023 14:39:14 -0500
Subject: [PATCH] fix: rouge options surrounding hard PKI
Signed-off-by: Christopher Phillips
---
 cmd/syft/cli/attest.go | 10 ++++++++--
 cmd/syft/cli/attest/attest.go | 11 ++++++++++-
 cmd/syft/cli/commands.go | 3 ++-
 internal/config/attest.go | 6 ++++--
 4 files changed, 24 insertions(+), 6 deletions(-)
diff --git a/cmd/syft/cli/attest.go b/cmd/syft/cli/attest.go
index b1a602d1108..cf1d0aa40c8 100644
--- a/cmd/syft/cli/attest.go
+++ b/cmd/syft/cli/attest.go
@@ -21,7 +21,7 @@ const (
 )
 //nolint:dupl
-func Attest(v *viper.Viper, app *config.Application, ro *options.RootOptions, po *options.PackagesOptions) *cobra.Command {
+func Attest(v *viper.Viper, app *config.Application, ro *options.RootOptions, po *options.PackagesOptions, ao *options.AttestOptions) *cobra.Command {
 cmd := &cobra.Command{
 Use: "attest --output [FORMAT] ",
 Short: "Generate an SBOM as an attestation for the given [SOURCE] container image",
@@ -50,11 +50,17 @@ func Attest(v *viper.Viper, app *config.Application, ro *options.RootOptions, po
 },
 }
- // syft attest is an enhancment of the packages command, so it should have the same flags
+ // syft attest is an enhancement of the packages command, so it should have the same flags
 err := po.AddFlags(cmd, v)
 if err != nil {
 log.Fatal(err)
 }
+ // syft attest has its own options not included as part of the packages command
+ err = ao.AddFlags(cmd, v)
+ if err != nil {
+ log.Fatal(err)
+ }
+
 return cmd
 }
diff --git a/cmd/syft/cli/attest/attest.go b/cmd/syft/cli/attest/attest.go
index b2b31db8eb0..41451228a88 100644
--- a/cmd/syft/cli/attest/attest.go
+++ b/cmd/syft/cli/attest/attest.go
@@ -131,9 +131,18 @@ func execWorker(app *config.Application, si source.Input, writer sbom.Writer) <-
 }
 args := []string{"attest", si.UserInput, "--type", "custom", "--predicate", f.Name()}
+ if app.Attest.Key != "" {
+ args = append(args, "--key", app.Attest.Key)
+ }
+
 execCmd := exec.Command(cmd, args...)
 execCmd.Env = os.Environ()
- execCmd.Env = append(execCmd.Env, "COSIGN_EXPERIMENTAL=1")
+ if app.Attest.Key != "" {
+ execCmd.Env = append(execCmd.Env, fmt.Sprintf("COSIGN_PASSWORD=%s", app.Attest.Password))
+ } else {
+ // no key provided, use cosign's keyless mode
+ execCmd.Env = append(execCmd.Env, "COSIGN_EXPERIMENTAL=1")
+ }
 // bus adapter for ui to hook into stdout via an os pipe
 r, w, err := os.Pipe()
diff --git a/cmd/syft/cli/commands.go b/cmd/syft/cli/commands.go
index acc18386c40..cc80b97aa34 100644
--- a/cmd/syft/cli/commands.go
+++ b/cmd/syft/cli/commands.go
@@ -45,12 +45,13 @@ func New() (*cobra.Command, error) {
 // we also need the command to have information about the `root` options because of this alias
 ro := &options.RootOptions{}
 po := &options.PackagesOptions{}
+ ao := &options.AttestOptions{}
 packagesCmd := Packages(v, app, ro, po)
 // root options are also passed to the attestCmd so that a user provided config location can be discovered
 poweruserCmd := PowerUser(v, app, ro)
 convertCmd := Convert(v, app, ro, po)
- attestCmd := Attest(v, app, ro, po)
+ attestCmd := Attest(v, app, ro, po, ao)
 // rootCmd is currently an alias for the packages command
 rootCmd := &cobra.Command{
diff --git a/internal/config/attest.go b/internal/config/attest.go
index 0943cd33ad0..f0493d7bfce 100644
--- a/internal/config/attest.go
+++ b/internal/config/attest.go
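Review bot: The `COSIGN_PASSWORD=` entry is appended whenever `app.Attest.Key` is set, even when `app.Attest.Password` is empty, and since os/exec keeps the later of duplicate environment entries, that empty value shadows any `COSIGN_PASSWORD` the user already exported and that `os.Environ()` copied in; whether cosign then treats a present-but-empty variable as "no password" or prompts depends on its version, so the append should be guarded: `if app.Attest.Password != "" { execCmd.Env = append(execCmd.Env, "COSIGN_PASSWORD="+app.Attest.Password) }`. Plain concatenation also keeps the secret out of `fmt`, and the two identical `app.Attest.Key != ""` tests could share one `keyed := app.Attest.Key != ""` declared above `args`. The `--key` value is handed to `exec.Command` as its own argv element rather than through a shell, so no quoting concern arises there. The enclosing `execWorker` starts and ends outside the hunk.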
@@ -3,9 +3,11 @@ package config
 import "github.com/spf13/viper"
 type attest struct {
- key string `yaml:"key" json:"key" mapstructure:"key"`
+ Key string `yaml:"key" json:"key" mapstructure:"key"`
+ Password string `yaml:"password" json:"password" mapstructure:"password"`
 }
 func (cfg attest) loadDefaultValues(v *viper.Viper) {
- v.SetDefault("attest.key", "key.pub")
+ v.SetDefault("attest.key", "")
+ v.SetDefault("attest.password", "")
 }
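Review bot: `Password` is a secret placed in a config struct that carries `yaml` and `json` tags, so any place the loaded application config is marshalled or printed (a verbose config dump, for instance, which is not visible in this hunk) would emit it in clear; if loading relies on the `mapstructure` tag, as viper unmarshalling does, the serialisation tags can become `yaml:"-" json:"-"` without affecting reads, and the field wants a doc comment such as `// Password unlocks Key; prefer the COSIGN_PASSWORD environment variable over storing it in a config file.`. `Key` is now exported with an empty default, and the hunk in cmd/syft/cli/attest/attest.go shows that an empty value selects cosign's keyless mode, which should be stated on the field: `// Key is the key file handed to cosign as --key; empty selects keyless mode.`. Dropping the old `key.pub` default changes behaviour for anyone who relied on it and deserves a changelog line.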