Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: update attestation code to remove library dependencies and shellout for keyless flow #1442

Merged
merged 20 commits into from
Jan 12, 2023
Merged

fix: update attestation code to remove library dependencies and shellout for keyless flow #1442

merged 20 commits into from
Jan 12, 2023

Conversation

spiffcs
Copy link
Contributor

@spiffcs spiffcs commented Jan 9, 2023
edited
Loading

Summary

When importing cosign library dependencies for attestation support the syft binary grows from 29MB -> 63MB.

This PR shrinks the final binary size back to 29MB by incorporating a shell out alternative for the keyless flow. A second PR will follow that implements custom PKI provided by the user.

Fixes

  • Moves syft attest to use locally available cosign binary
  • Moves attestation flow to device flow
  • Adapts shell out of cosign command to only use the custom predicate format for sbom attestation: see predicate type
  • Any use of a predicate type other than custom for attestations will result in the following when trying to verify the attestation:
Error: none of the attestations matched the predicate type: custom
main.go:62: error during command execution: none of the attestations matched the predicate type: custom
  • Adapts to use keyless non-interactive mode - Users using COSIGN_EXPERIMENTAL=1 will need to interact with the provided URL in the output of the command to create the t-log entry for rekor

Current Example Workflow

Currently, users of syft can use cosign to attest sbom outputs by running the following two commands:

syft -o json caphill4/test:latest > test.json && COSIGN_EXPERIMENTAL=1 cosign attest caphill4/test:latest --type
custom --predicate test.json

# view verification of the attestation
COSIGN_EXPERIMENTAL=1 cosign verify-attestation caphill4/test:latest > validation.json
Verification for caphill4/test:latest --
The following checks were performed on each of these signatures:
  - The cosign claims were validated
  - Existence of the claims in the transparency log was verified offline
  - Any certificates were verified against the Fulcio roots.
Certificate subject:  christopher.phillips@anchore.com
Certificate issuer URL:  https://github.com/login/oauth

# view sbom that attestation was made against
COSIGN_EXPERIMENTAL=1 cosign verify-attestation caphill4/test:latest | jq -r .payload | base64 --decode | jq -r
.predicate.Data

Note in the above example, the image caphill4/test:latest should be an image the user has write permissions for uploaded in some image registry.

New Syft Attest

Note: off-screen is the device flow of using the generated URL to provide keyless credentials for the attestation

The same verification flow listed above can be used to verify the same attestation
Jan-09-2023 14-41-51

TODO:

  • - Update options to recognize different sbom formats
  • - Validation of cosign installed before running
  • Removal of completion might have been accidental from another wip branch - I'll add it back
  • Old integration tests will no loner work for HARD PKI - keyless was harder to test

Signed-off-by: Christopher Phillips christopher.phillips@anchore.com

spiffcs and others added 9 commits December 23, 2022 10:11
@spiffcs
chore: reset attestation code to remove library dependencies
0f67486 
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
@spiffcs
feat: update attest command to use new writer code
902dd46 
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
@spiffcs
feat: start from base attach
84ac82e 
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
@spiffcs
chore: square one
48564af 
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
@spiffcs
wip
08357f9 
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
@spiffcs
feat: parse stdout of cosign pipe
db93148 
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
@spiffcs
feat: add framework for multi writer
36ee56b 
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
@spiffcs
Merge branch 'main' into 1370-attestation-failures
3ed6fe6
@spiffcs
feat: add back default attestation values
7a9fd27 
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
@github-actions
Copy link

github-actions bot commented Jan 9, 2023
edited
Loading

Benchmark Test Results

Benchmark results from the latest changes vs base branch 
name                                                       old time/op    new time/op    delta
ImagePackageCatalogers/alpmdb-cataloger-2                    11.4ms ± 1%    12.5ms ± 1%    +9.98%  (p=0.029 n=4+4)
ImagePackageCatalogers/ruby-gemspec-cataloger-2              1.25ms ± 1%    1.33ms ± 2%    +6.35%  (p=0.008 n=5+5)
ImagePackageCatalogers/python-package-cataloger-2            3.28ms ± 1%    3.45ms ± 1%    +5.15%  (p=0.008 n=5+5)
ImagePackageCatalogers/php-composer-installed-cataloger-2    1.04ms ± 0%    1.11ms ± 1%    +6.29%  (p=0.008 n=5+5)
ImagePackageCatalogers/javascript-package-cataloger-2         726µs ± 1%     775µs ± 1%    +6.81%  (p=0.008 n=5+5)
ImagePackageCatalogers/dpkgdb-cataloger-2                     831µs ± 1%     894µs ± 1%    +7.56%  (p=0.008 n=5+5)
ImagePackageCatalogers/rpm-db-cataloger-2                    1.23ms ± 0%    1.30ms ± 0%    +5.75%  (p=0.008 n=5+5)
ImagePackageCatalogers/java-cataloger-2                      14.4ms ± 0%    14.6ms ± 1%    +1.26%  (p=0.008 n=5+5)
ImagePackageCatalogers/graalvm-native-image-cataloger-2      2.24µs ± 2%    7.24µs ± 3%  +223.40%  (p=0.008 n=5+5)
ImagePackageCatalogers/apkdb-cataloger-2                      858µs ± 1%     898µs ± 0%    +4.76%  (p=0.008 n=5+5)
ImagePackageCatalogers/go-module-binary-cataloger-2          6.37µs ± 1%   15.47µs ± 0%  +142.82%  (p=0.008 n=5+5)
ImagePackageCatalogers/dotnet-deps-cataloger-2               1.39ms ± 0%    1.42ms ± 2%    +2.35%  (p=0.008 n=5+5)
ImagePackageCatalogers/portage-cataloger-2                    681µs ± 0%     719µs ± 1%    +5.58%  (p=0.008 n=5+5)
ImagePackageCatalogers/sbom-cataloger-2                      4.28ms ± 0%    4.36ms ± 0%    +1.85%  (p=0.008 n=5+5)
ImagePackageCatalogers/binary-cataloger-2                    4.13ms ± 0%    5.76ms ± 1%   +39.48%  (p=0.008 n=5+5)

name                                                       old alloc/op   new alloc/op   delta
ImagePackageCatalogers/alpmdb-cataloger-2                    5.26MB ± 0%    5.28MB ± 0%    +0.39%  (p=0.008 n=5+5)
ImagePackageCatalogers/ruby-gemspec-cataloger-2               205kB ± 0%     208kB ± 0%    +1.39%  (p=0.008 n=5+5)
ImagePackageCatalogers/python-package-cataloger-2             963kB ± 0%     971kB ± 0%    +0.91%  (p=0.008 n=5+5)
ImagePackageCatalogers/php-composer-installed-cataloger-2     218kB ± 0%     220kB ± 0%    +1.24%  (p=0.008 n=5+5)
ImagePackageCatalogers/javascript-package-cataloger-2         159kB ± 0%     161kB ± 0%    +1.03%  (p=0.008 n=5+5)
ImagePackageCatalogers/dpkgdb-cataloger-2                     200kB ± 0%     203kB ± 0%    +1.42%  (p=0.008 n=5+5)
ImagePackageCatalogers/rpm-db-cataloger-2                     303kB ± 0%     305kB ± 0%    +0.57%  (p=0.008 n=5+5)
ImagePackageCatalogers/java-cataloger-2                      3.49MB ± 0%    3.51MB ± 0%    +0.57%  (p=0.008 n=5+5)
ImagePackageCatalogers/graalvm-native-image-cataloger-2        672B ± 0%     1408B ± 0%  +109.52%  (p=0.008 n=5+5)
ImagePackageCatalogers/apkdb-cataloger-2                      182kB ± 0%     184kB ± 0%    +1.07%  (p=0.008 n=5+5)
ImagePackageCatalogers/go-module-binary-cataloger-2          1.12kB ± 0%    1.85kB ± 0%   +65.95%  (p=0.008 n=5+5)
ImagePackageCatalogers/dotnet-deps-cataloger-2                375kB ± 0%     382kB ± 0%    +1.85%  (p=0.008 n=5+5)
ImagePackageCatalogers/portage-cataloger-2                    139kB ± 0%     140kB ± 0%    +0.86%  (p=0.008 n=5+5)
ImagePackageCatalogers/sbom-cataloger-2                       722kB ± 0%     723kB ± 0%    +0.12%  (p=0.008 n=5+5)
ImagePackageCatalogers/binary-cataloger-2                     722kB ± 0%     984kB ± 0%   +36.40%  (p=0.008 n=5+5)

name                                                       old allocs/op  new allocs/op  delta
ImagePackageCatalogers/alpmdb-cataloger-2                     85.7k ± 0%     85.8k ± 0%    +0.03%  (p=0.008 n=5+5)
ImagePackageCatalogers/ruby-gemspec-cataloger-2               4.25k ± 0%     4.27k ± 0%    +0.46%  (p=0.008 n=5+5)
ImagePackageCatalogers/python-package-cataloger-2             16.5k ± 0%     16.6k ± 0%    +0.14%  (p=0.008 n=5+5)
ImagePackageCatalogers/php-composer-installed-cataloger-2     5.50k ± 0%     5.52k ± 0%    +0.37%  (p=0.008 n=5+5)
ImagePackageCatalogers/javascript-package-cataloger-2         3.33k ± 0%     3.35k ± 0%    +0.54%  (p=0.008 n=5+5)
ImagePackageCatalogers/dpkgdb-cataloger-2                     4.47k ± 0%     4.49k ± 0%    +0.47%  (p=0.008 n=5+5)
ImagePackageCatalogers/rpm-db-cataloger-2                     8.12k ± 0%     8.14k ± 0%    +0.23%  (p=0.008 n=5+5)
ImagePackageCatalogers/java-cataloger-2                       57.5k ± 0%     57.6k ± 0%    +0.04%  (p=0.008 n=5+5)
ImagePackageCatalogers/graalvm-native-image-cataloger-2        15.0 ± 0%      32.0 ± 0%  +113.33%  (p=0.008 n=5+5)
ImagePackageCatalogers/apkdb-cataloger-2                      5.23k ± 0%     5.25k ± 0%    +0.39%  (p=0.008 n=5+5)
ImagePackageCatalogers/go-module-binary-cataloger-2            38.0 ± 0%      55.0 ± 0%   +44.74%  (p=0.008 n=5+5)
ImagePackageCatalogers/dotnet-deps-cataloger-2                7.12k ± 0%     7.14k ± 0%    +0.31%  (p=0.008 n=5+5)
ImagePackageCatalogers/portage-cataloger-2                    3.58k ± 0%     3.60k ± 0%    +0.50%  (p=0.016 n=5+4)
ImagePackageCatalogers/sbom-cataloger-2                       24.4k ± 0%     24.4k ± 0%    +0.07%  (p=0.008 n=5+5)
ImagePackageCatalogers/binary-cataloger-2                     24.4k ± 0%     33.2k ± 0%   +36.39%  (p=0.008 n=5+5)

spiffcs added 4 commits January 9, 2023 15:23
@spiffcs
wip
78565cb 
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
@spiffcs
feat: roll up attestation into single line
8aafb5a 
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
@spiffcs
feat: check for cosign in path
71edb32 
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
@spiffcs
chore: static
3e3a4a3 
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
@spiffcs spiffcs marked this pull request as ready for review January 9, 2023 21:18
@spiffcs spiffcs changed the title chore: reset attestation code to remove library dependencies chore: reset attestation code to remove library dependencies - keyless flow Jan 9, 2023
@spiffcs
feat: package options
9a8b288 
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
@spiffcs spiffcs changed the title chore: reset attestation code to remove library dependencies - keyless flow chore: update attestation code to remove library dependencies and shellout for keyless flow Jan 9, 2023
spiffcs
spiffcs commented Jan 9, 2023
View reviewed changes
@spiffcs
feat: update static analysis tooling
54415a7 
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
@spiffcs spiffcs force-pushed the 1370-attestation-failures branch from cff79a9 to 54415a7 Compare January 10, 2023 22:08
spiffcs
spiffcs commented Jan 11, 2023
View reviewed changes
@spiffcs
chore: small cleanup for ux and sa
90e4bf7 
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
@spiffcs
chore: validation
892b777 
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
wagoodman
wagoodman reviewed Jan 11, 2023
View reviewed changes
spiffcs and others added 2 commits January 11, 2023 16:40
@spiffcs
chore: remove bad formatting from help
f5a4322 
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
@wagoodman
tweak TUI output for attestations
3585f8d 
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
@spiffcs
chore: linting and docs fix
f9d812f 
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
@spiffcs spiffcs changed the title chore: update attestation code to remove library dependencies and shellout for keyless flow fix: update attestation code to remove library dependencies and shellout for keyless flow Jan 12, 2023
@spiffcs spiffcs enabled auto-merge (squash) January 12, 2023 17:14
@spiffcs spiffcs merged commit 44e8ae2 into main Jan 12, 2023
@spiffcs spiffcs deleted the 1370-attestation-failures branch January 12, 2023 17:22
@tgerla tgerla mentioned this pull request Jan 18, 2023
Closed
This was referenced Jan 26, 2023
Merged
Closed
@Nirusu Nirusu mentioned this pull request Feb 2, 2023
Closed
GijsCalis pushed a commit to GijsCalis/syft that referenced this pull request Feb 19, 2024
@spiffcs @wagoodman
fix: update attestation code to remove library dependencies and shell…
eeae9c4 
…out for keyless flow (anchore#1442)

Co-authored-by: Alex Goodman <alex.goodman@anchore.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@wagoodman wagoodman wagoodman approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@spiffcs @wagoodman