Allow duplicate values for slsa_provenance_v0.2 schema #1534
Conversation
|
/ok-to-test |
|
As an example, Chains created a SLSA Provenance with this for subject: [
{
"name": "quay.io/redhat-user-workloads-stage/ynanavat-tenant/bootc-image-builder/bootc-image-builder",
"digest": {
"sha256": "df93e3976eb26199f3eaaa06cc4cd83f9d6663491aabaf73f67018cbf094dbc8"
}
},
{
"name": "quay.io/redhat-user-workloads-stage/ynanavat-tenant/bootc-image-builder/bootc-image-builder",
"digest": {
"sha256": "91a66493a17b922553468c24ce4d719fa22db3cabac3064c91f8ad9774ff0e91"
}
},
{
"name": "quay.io/redhat-user-workloads-stage/ynanavat-tenant/bootc-image-builder/bootc-image-builder",
"digest": {
"sha256": "929e3d5f989c811078e38d38ccd0708cdc6c18d06064d2a23bddb61b861e3ec2"
}
}
]There's also nothing in the spec that mentions the
That implies the name could be repeated, e.g. |
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## main #1534 +/- ##
=======================================
Coverage 80.59% 80.59%
=======================================
Files 66 66
Lines 4761 4761
=======================================
Hits 3837 3837
Misses 924 924
Flags with carried forward coverage won't be shown. Click here to find out more. |
yashvardhannanavati
force-pushed
the
slsa_requirements
branch
from
0d42e2b to
66ca31b
Compare
|
/ok-to-test |
|
/retest |
When processing multi-arch images, it is possible for the image index and the index manifests to have the same name. This change enables that. It is also in compliance with https://slsa.dev/spec/v0.2/provenance#schema Signed-off-by: Yashvardhan Nanavati <yashn@bu.edu>
yashvardhannanavati
force-pushed
the
slsa_requirements
branch
from
66ca31b to
476042e
Compare
|
/retest |
2 similar comments
|
/retest |
|
/retest |
|
This tells me that whatever is generating the SLSA provenance is not doing it in conformance with the specification:
|
Ah! I didn't check the in-toto spec which actually better defines that field. Well the culprit here is Chains. I also think that a unique name is somewhat shortsighted when it comes to images. Filed an issue on the spec: in-toto/attestation#348 Regardless of the outcome there, I think we should merge this. We don't get any value from enforcing this restricting. Arguably, the uniqueness check also doesn't capture the special meaning of |
|
/retest |
|
Filed EC-558 for the long-term solution to this problem. We discussed this and agreed to go ahead with the merge. |
The github.com/qri-io/jsonschema seems to suffer from thread safety issues, see[1]. This replaces that implementation with github.com/santhosh-tekuri/jsonschema/v5. Note that the `uniqueKeys` functionality that has been disabled in enterprise-contract#1534 has not been ported and since it is now dead code has been removed. [1] https://github.com/enterprise-contract/ec-cli/actions/runs/8777708975/job/24083046629?pr=1544#step:6:5121
The github.com/qri-io/jsonschema seems to suffer from thread safety issues, see[1]. This replaces that implementation with github.com/santhosh-tekuri/jsonschema/v5. Note that the `uniqueKeys` functionality that has been disabled in enterprise-contract#1534 has not been ported and since it is now dead code has been removed. [1] https://github.com/enterprise-contract/ec-cli/actions/runs/8777708975/job/24083046629?pr=1544#step:6:5121
The github.com/qri-io/jsonschema seems to suffer from thread safety issues, see[1]. This replaces that implementation with github.com/santhosh-tekuri/jsonschema/v5. Note that the `uniqueKeys` functionality that has been disabled in enterprise-contract#1534 has not been ported and since it is now dead code has been removed. [1] https://github.com/enterprise-contract/ec-cli/actions/runs/8777708975/job/24083046629?pr=1544#step:6:5121
When processing multi-arch images, it is possible for the image index and the index manifests to have the same name. This change enables that. It is also in compliance with
https://slsa.dev/spec/v0.2/provenance#schema