Add provenance metadata support #5

Merged
merged 1 commit into from
Dec 11, 2022

Conversation

lakshya8066

  • Make sure you are opening from a topic/feature/bugfix branch (right side) and not your main branch!
  • Ensure that the pull request title represents the desired changelog entry
  • Please describe what you did
    This PR adds support for generating Provenance v0.2 metadata for each step of the Jenkins build.
  • Link to relevant issues in GitHub or Jira
  • Link to relevant pull requests, esp. upstream and downstream changes
  • Ensure you have provided tests that demonstrate the feature works or fixes the issue

@lakshya8066
Author

@SantiagoTorres This is the work so far, can you take a look? :)

setProvenanceMaterials(InTotoWrapper.collectArtifacts(this.cwd));

//setting up Invocation
this.invocation = new BuildInvocation();
Member

Why can't this be locally scoped?

Member

I'm guessing it's because of setProvenanceMaterials etc but I suspect it can be cleaner.

Author

Are you referring to the BuildInvocation object?
I think there is no need as such for it to be global, we can make it local as well.

Member

Yep, I think I agree. The same probably goes for the metadata object as well?

Author

Yes, I'll do that

@lakshya8066 lakshya8066 changed the title (WIP) Add provenance metadata support Add provenance metadata support Sep 5, 2022
Member

@SantiagoTorres SantiagoTorres left a comment

There are some minor nits that I'd love to address :)

setBuilder(initialEnvironment);

//setting up materials
setProvenanceMaterials(InTotoWrapper.collectArtifacts(this.cwd));
Member

You probably want to reuse the retval on 210 so you don't make two consecutive calls to the same

invocation.setEnvironments(initialEnvironment);
try {
invocation.setConfigSource(initialEnvironment);
} catch (NoSuchAlgorithmException e) {
Member

Not entirely sure why setConfigSource throws a NSAE. Isn't this for bouncycastle/dsse signature algorithms?

Author

Ah, it's my bad: I used bouncycastle to get the sha256 hash of the git commit and that threw NSAE.
But yes, now the try-catch block is not needed anymore. Will update it...

return environment;
}

public void setConfigSource(EnvVars initialEnvironment) throws NoSuchAlgorithmException{
Member

See comment above. Who is throwing this? uriDigest?

Author

It does not, will remove throws NoSuchAlgorithmException

private void setProvenanceMaterials(HashMap<String, ArtifactHash> results) {

HashMap<String, ArtifactHash> materials =new HashMap<String, ArtifactHash>();
materials=link.excludeArtifactsByPattern(results,null);
Member

Hmm, this logic is somewhat convoluted here. You call collectArtifacts twice: in one you implicitly use it here, the other you pass as a parameter. Am I understanding this right? I think we could simplify this code by:

  1. reusing the link as we are doing
  2. not passing the results parameter.
  3. Iterating over the elements on the link itself (not sure why we are filtering)
  4. Forming the arraylist using the iterator

Author

Yes, you are right, this seems more straightforward. Will implement this...

@lakshya8066
Author

Is it a good idea to remove the import statements that are not used?

@adityasaky
Member

@lakshya8066 is this ready for a review again?

@lakshya8066
Author

@adityasaky Yes, the updates are ready for review.

Member

@adityasaky adityasaky left a comment

I think this is mostly in good shape with some TODOs we should ticketize separately. We should open a ticket for Rekor support and another for Archivist support.

@lakshya8066
Author

lakshya8066 commented Nov 6, 2022

Can we pass in a list of user controlled environment variables to exclude after running through some of the defaults here?

@adityasaky By user controlled, do you mean the user running the plugin through Jenkinsfile?
In that case, we can take in the env variables that need to be excluded from the metadata as input in the Jenkinsfile.
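The environment-variable exclusion discussed in this thread, together with the reviewer's earlier suggestion to form the materials list by simply iterating over the collected artifacts, as an added example that is not the plugin's own code. It goes a step further than the thread and assembles a complete in-toto Statement with a SLSA provenance v0.2 predicate. Gson is assumed on the classpath (the PR already uses it); java.security.MessageDigest is used for the sha256 digests instead of bouncycastle; the builder id, build type, default deny-list patterns and sample inputs are all constructed for the demo.

```java
import com.google.gson.Gson;

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.regex.Pattern;

// Added example, not the plugin's own code. Assembles an in-toto Statement carrying a
// SLSA provenance v0.2 predicate from a map of material paths to their bytes and from the
// build environment with sensitive variables removed. Gson is assumed on the classpath
// (the PR itself uses it); the builder id, build type and sample inputs are constructed.
public class ProvenanceExample {

    static final String STATEMENT_TYPE = "https://in-toto.io/Statement/v0.1";
    static final String PREDICATE_TYPE = "https://slsa.dev/provenance/v0.2";

    // Constructed default deny-list: a variable whose name matches is never recorded in
    // invocation.environment, regardless of what the user asks for.
    static final Pattern DEFAULT_ENV_EXCLUDE =
            Pattern.compile("(?i).*(password|passwd|secret|token|api[_-]?key|credential).*");

    // Environment minus the default deny-list and the user-supplied variable names.
    static Map<String, String> filterEnvironment(Map<String, String> env, Set<String> userExcludes) {
        Map<String, String> kept = new LinkedHashMap<>();
        for (Map.Entry<String, String> entry : env.entrySet()) {
            String name = entry.getKey();
            if (userExcludes.contains(name) || DEFAULT_ENV_EXCLUDE.matcher(name).matches()) {
                continue;
            }
            kept.put(name, entry.getValue());
        }
        return kept;
    }

    // Hex SHA-256 of the bytes. SHA-256 is mandatory in every JRE, so the checked
    // NoSuchAlgorithmException from MessageDigest.getInstance is wrapped here instead of
    // being declared on every caller (the "throws NSAE" the review asked about).
    static String sha256Hex(byte[] data) {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(data);
            StringBuilder hex = new StringBuilder(digest.length * 2);
            for (byte b : digest) {
                hex.append(String.format("%02x", b));
            }
            return hex.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 must be available", e);
        }
    }

    // One materials entry per artifact: {"uri": path, "digest": {"sha256": hex}}.
    static List<Map<String, Object>> materialsFrom(Map<String, byte[]> artifacts) {
        List<Map<String, Object>> materials = new ArrayList<>();
        for (Map.Entry<String, byte[]> artifact : artifacts.entrySet()) {
            Map<String, Object> entry = new LinkedHashMap<>();
            entry.put("uri", artifact.getKey());
            entry.put("digest", Collections.singletonMap("sha256", sha256Hex(artifact.getValue())));
            materials.add(entry);
        }
        return materials;
    }

    static Map<String, Object> buildStatement(String builderId, String buildType,
            Map<String, byte[]> artifacts, Map<String, String> env, Set<String> userExcludes) {
        Map<String, Object> predicate = new LinkedHashMap<>();
        predicate.put("builder", Collections.singletonMap("id", builderId));
        predicate.put("buildType", buildType);
        predicate.put("invocation",
                Collections.singletonMap("environment", filterEnvironment(env, userExcludes)));
        predicate.put("materials", materialsFrom(artifacts));

        Map<String, Object> statement = new LinkedHashMap<>();
        statement.put("_type", STATEMENT_TYPE);
        statement.put("subject", new ArrayList<Object>()); // products, once the step has run
        statement.put("predicateType", PREDICATE_TYPE);
        statement.put("predicate", predicate);
        return statement;
    }

    public static void main(String[] args) {
        // Constructed sample input for the demo.
        Map<String, byte[]> artifacts = new LinkedHashMap<>();
        artifacts.put("src/Main.java", "class Main {}".getBytes(StandardCharsets.UTF_8));
        Map<String, String> env = new LinkedHashMap<>();
        env.put("JAVA_HOME", "/usr/lib/jvm");
        env.put("GIT_TOKEN", "hunter2");           // removed by the default deny-list
        env.put("INTERNAL_HOST", "build.example");  // removed by the user's exclusion list
        Set<String> userExcludes = new HashSet<>(Arrays.asList("INTERNAL_HOST"));

        System.out.println(new Gson().toJson(buildStatement("https://jenkins.example/builder",
                "jenkins-freestyle", artifacts, env, userExcludes)));
    }
}
```

The default deny-list only matches on variable names, so a secret sitting in an innocently named variable would still be copied into the provenance; that is the gap the user-supplied exclusion list from the Jenkinsfile closes, and it is why the defaults should be applied first rather than instead of the user's list.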

@lakshya8066
Author

There is a ticket opened for Rekor already, so I opened a ticket for Archivist only.

@adityasaky
Member

adityasaky commented Nov 7, 2022

By user controlled, do you mean the user running the plugin through Jenkinsfile? In that case, we can take in the env variables that need to be excluded from the metadata as input in the Jenkinsfile.

Yes but on second thought, probably okay to open a ticket for a feature request. Probably a good first issue.

@lakshya8066
Author

Yes but on second thought, probably okay to open a ticket for a feature request. Probably a good first issue.

I am working on this, but yeah I think let's get this PR merged and I can push a patch for this afterward. Is that okay?

@adityasaky
Member

Sounds good, can we still open a ticket for it? You can probably submit that patch directly to jenkinsci as well :)

@lakshya8066
Author

Sure!

@Override
public String invoke(File f, VirtualChannel channel) {
Gson gson = new Gson();
System.out.println(this.ProvenanceData);
Member

Suggested change
System.out.println(this.ProvenanceData);

Member

@adityasaky adityasaky left a comment

I think we can merge this with in-toto/in-toto-java#40 after the print statement nit.

@lakshya8066
Author

@adityasaky This should be ready to merge right?

@adityasaky
Member

We want to cut a release of -java and bump up the version here, yes?

@lakshya8066
Author

Ah yes, correct. Will update the version here once -java is released...

@adityasaky adityasaky merged commit ccabbc7 into in-toto:master Dec 11, 2022
@adityasaky
Member

Thanks for your work, @lakshya8066!

adityasaky added a commit to adityasaky/in-toto-jenkins-plugin that referenced this pull request Dec 12, 2022