Contributor

@tromai tromai commented Jul 18, 2024

No description provided.

@tromai tromai added the bug Something isn't working label Jul 18, 2024
@tromai tromai self-assigned this Jul 18, 2024
@oracle-contributor-agreement oracle-contributor-agreement bot added the OCA Verified All contributors have signed the Oracle Contributor Agreement. label Jul 18, 2024
@tromai tromai changed the title fix: use artifact filenames as keys for verifying jfrog assets in provenance_witness_l1_check fix: use artifact filenames as keys for verifying artifactory assets in provenance_witness_l1_check Jul 18, 2024
@tromai tromai changed the title fix: use artifact filenames as keys for verifying artifactory assets in provenance_witness_l1_check fix: use artifact filenames as keys for verifying jfrog assets in provenance_witness_l1_check Jul 18, 2024
@tromai tromai marked this pull request as ready for review July 19, 2024 07:16
@tromai tromai requested a review from behnazh-w as a code owner July 19, 2024 07:16
@behnazh-w behnazh-w requested a review from nicallen July 22, 2024 04:21
Trong Nhan Mai added 2 commits July 22, 2024 14:41
…venance_witness_l1_check

Signed-off-by: Trong Nhan Mai <trong.nhan.mai@oracle.com>
Signed-off-by: Trong Nhan Mai <trong.nhan.mai@oracle.com>
@tromai tromai force-pushed the tromai/fix-look-up-table-for-provenance-discovery branch from 2464747 to baf3691 Compare July 22, 2024 04:44
Contributor Author

tromai commented Jul 22, 2024

Rebase to obtain the changes from #798

look_up[subject["name"]] = {}
look_up[subject["name"]][subject["digest"]["sha256"]] = subject
# Get the artifact name, which should be the last part of the artifact subject value.
_, _, artifact_filename = subject["name"].rpartition("/")
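
Review bot: on the `rpartition("/")` line, the result is used without being checked: a name containing no "/" yields the whole string and a name ending in "/" yields an empty string, so `artifact_filename` can become a meaningless key without raising any error. Reject an empty filename explicitly. Also note that keying on the last path component alone places subjects from different directories that share a filename under one key, so the sha256 comparison has to stay the deciding check when an asset is matched.
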
Member

@nicallen nicallen Jul 22, 2024

This code splitting this string is assuming that the name is of the form `https://witness.dev/attestations/product/v0.1/file:path/to/file`. I know that this function is currently only called on a list that comes from `extract_build_artifacts_from_witness_subjects`, which currently only produces subjects of that form, but if that changes in future this code would silently break. I think it would be safer for this code to validate that it is a witness file subject before extracting the filename and throw an exception if it is not (which currently should never happen).

Contributor Author

That's a good point. I have added the validation here - c57936b
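
The validation requested in the review thread above could look like the following. This is an added example, not the code from commit c57936b or from the project; only the subject prefix comes from the review comment, while the function names, the exception class, the table shape and the sample subjects are assumptions made for illustration.

```python
"""Added illustration: validate witness file subjects before keying a table by filename."""

# Prefix quoted in the review comment; everything else below is hypothetical.
WITNESS_FILE_PREFIX = "https://witness.dev/attestations/product/v0.1/file:"


class InvalidSubjectError(ValueError):
    """Raised when a subject is not a usable witness file subject (hypothetical name)."""


def artifact_filename(subject_name: str) -> str:
    """Return the last path component of a witness file subject, or raise."""
    if not subject_name.startswith(WITNESS_FILE_PREFIX):
        raise InvalidSubjectError(f"not a witness file subject: {subject_name!r}")
    path = subject_name[len(WITNESS_FILE_PREFIX):]
    _, _, filename = path.rpartition("/")
    if not filename:  # empty path, or a path that ends with "/"
        raise InvalidSubjectError(f"subject has no filename: {subject_name!r}")
    return filename


def build_look_up(subjects: list[dict]) -> dict[str, dict[str, dict]]:
    """Map filename -> sha256 -> subject, keeping every digest seen for a filename."""
    look_up: dict[str, dict[str, dict]] = {}
    for subject in subjects:
        filename = artifact_filename(subject["name"])
        look_up.setdefault(filename, {})[subject["digest"]["sha256"]] = subject
    return look_up


def is_verified(look_up: dict, asset_name: str, asset_sha256: str) -> bool:
    """An asset passes only if a subject with the same filename AND digest exists."""
    return asset_sha256 in look_up.get(asset_name, {})


# Constructed sample subjects; the digests are placeholders, not real hashes.
SAMPLE_SUBJECTS = [
    {"name": WITNESS_FILE_PREFIX + "target/app-1.0.jar", "digest": {"sha256": "aa" * 32}},
    {"name": WITNESS_FILE_PREFIX + "backup/app-1.0.jar", "digest": {"sha256": "bb" * 32}},
]

if __name__ == "__main__":
    table = build_look_up(SAMPLE_SUBJECTS)
    print(is_verified(table, "app-1.0.jar", "bb" * 32))
    print(is_verified(table, "app-1.0.jar", "cc" * 32))
```
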

Trong Nhan Mai added 2 commits July 23, 2024 11:14
Signed-off-by: Trong Nhan Mai <trong.nhan.mai@oracle.com>
Signed-off-by: Trong Nhan Mai <trong.nhan.mai@oracle.com>
@behnazh-w
Member

@tromai Not sure why `mcn_provenance_witness_level_one_1` was originally missing in this witness integration test: `tests/integration/cases/behnazh-w_example-maven-app/policy.dl`. Anyway, let's add it now.

Signed-off-by: Trong Nhan Mai <trong.nhan.mai@oracle.com>
Contributor Author

tromai commented Jul 23, 2024

> @tromai Not sure why `mcn_provenance_witness_level_one_1` was originally missing in this witness integration test: `tests/integration/cases/behnazh-w_example-maven-app/policy.dl`. Anyway, let's add it now.

Thanks for the catch! I have added it here - fe787b2

Signed-off-by: Trong Nhan Mai <trong.nhan.mai@oracle.com>
@tromai tromai merged commit a001d22 into staging Jul 23, 2024
@tromai tromai deleted the tromai/fix-look-up-table-for-provenance-discovery branch July 23, 2024 06:44
art1f1c3R pushed a commit that referenced this pull request Nov 29, 2024
…venance_witness_l1_check (#796)

Signed-off-by: Trong Nhan Mai <trong.nhan.mai@oracle.com>