feat: add v2alpha3 format

docs/config.md

@@ -21,20 +21,21 @@ Supported keys include:
 
 | Key                         | Description                                                                                                                                                                                      | Supported Values                           | Default   |
 | :-------------------------- | :----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :----------------------------------------- | :-------- |
-| `artifacts.taskrun.format`  | The format to store `TaskRun` payloads in.                                                                                                                                                       | `in-toto`, `slsa/v1`, `slsa/v2alpha2`      | `in-toto` |
+| `artifacts.taskrun.format`  | The format to store `TaskRun` payloads in.                                                                                                                                                       | `in-toto`, `slsa/v1`, `slsa/v2alpha2`, `slsa/v2alpha3`      | `in-toto` |
 | `artifacts.taskrun.storage` | The storage backend to store `TaskRun` signatures in. Multiple backends can be specified with comma-separated list ("tekton,oci"). To disable the `TaskRun` artifact input an empty string (""). | `tekton`, `oci`, `gcs`, `docdb`, `grafeas` | `tekton`  |
 | `artifacts.taskrun.signer`  | The signature backend to sign `TaskRun` payloads with.                                                                                                                                           | `x509`, `kms`                              | `x509`    |
 
 > NOTE:
 >
 > - `slsa/v1` is an alias of `in-toto` for backwards compatibility.
-> - `slsa/v2alpha2` corresponds to the slsav1.0 spec.
+> - `slsa/v2alpha2` corresponds to the slsav1.0 spec. and uses now deprecated [`v1beta1` Tekton Objects](https://tekton.dev/docs/pipelines/pipeline-api/#tekton.dev/v1beta1).
+> - `slsa/v2alpha3` corresponds to the slsav1.0 spec. and uses latest [`v1` Tekton Objects](https://tekton.dev/docs/pipelines/pipeline-api/#tekton.dev/v1).  Recommended format for new chains users who want the slsav1.0 spec.
 
 ### PipelineRun Configuration
 
 | Key                                            | Description                                                                                                                                                                                                                                                                                 | Supported Values                           | Default   |
 | :--------------------------------------------- | :------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | :----------------------------------------- | :-------- |
-| `artifacts.pipelinerun.format`                 | The format to store `PipelineRun` payloads in.                                                                                                                                                                                                                                              | `in-toto`, `slsa/v1`, `slsa/v2alpha2`      | `in-toto` |
+| `artifacts.pipelinerun.format`                 | The format to store `PipelineRun` payloads in.                                                                                                                                                                                                                                              | `in-toto`, `slsa/v1`, `slsa/v2alpha2`, `slsa/v2alpha3`      | `in-toto` |
 | `artifacts.pipelinerun.storage`                | The storage backend to store `PipelineRun` signatures in. Multiple backends can be specified with comma-separated list ("tekton,oci"). To disable the `PipelineRun` artifact input an empty string ("").                                                                                    | `tekton`, `oci`, `gcs`, `docdb`, `grafeas` | `tekton`  |
 | `artifacts.pipelinerun.signer`                 | The signature backend to sign `PipelineRun` payloads with.                                                                                                                                                                                                                                  | `x509`, `kms`                              | `x509`    |
 | `artifacts.pipelinerun.enable-deep-inspection` | This boolean option will configure whether Chains should inspect child taskruns in order to capture inputs/outputs within a pipelinerun. `"false"` means that Chains only checks pipeline level results, whereas `"true"` means Chains inspects both pipeline level and task level results. | `"true"`, `"false"`                        | `"false"` |
@@ -43,7 +44,9 @@ Supported keys include:
 >
 > - For grafeas storage backend, currently we only support Container Analysis. We will make grafeas server address configurabe within a short time.
 > - `slsa/v1` is an alias of `in-toto` for backwards compatibility.
-> - `slsa/v2alpha2` corresponds to the slsav1.0 spec.
+> - `slsa/v2alpha2` corresponds to the slsav1.0 spec. and uses now deprecated [`v1beta1` Tekton Objects](https://tekton.dev/docs/pipelines/pipeline-api/#tekton.dev/v1beta1)
+> - `slsa/v2alpha3` corresponds to the slsav1.0 spec. and uses latest [`v1` Tekton Objects](https://tekton.dev/docs/pipelines/pipeline-api/#tekton.dev/v1). Recommended format for new chains users who want the slsav1.0 spec.
+
 
 ### OCI Configuration
 
@@ -96,7 +99,7 @@ You can read more about Grafeas notes and occurrences [here](https://github.com/
 > NOTE:
 > Considerations for the builddefinition.buildtype parameter:
 >
-> - It is only valid for `slsa/v2alpha2` configurations (see TaskRun or PipelineRun configuration).
+> - It is only valid for `slsa/v2alpha3` configurations (see TaskRun or PipelineRun configuration).
 > - The parameter can take one of two values:
 >   - `https://tekton.dev/chains/v2/slsa`: This buildType strictly conforms to the slsav1.0 spec.
 >   - `https://tekton.dev/chains/v2/slsa-tekton`: This buildType also conforms to the slsav1.0 spec, but adds additional informaton specific to Tekton. This information includes the PipelinRun/TaskRun labels and annotations as internalParameters. It also includes capturing each pipeline task in a PipelinRun under resolvedDependencies.

docs/slsa-provenance.md

@@ -38,7 +38,7 @@ The following shows the mapping between slsa version and formatter name.
 
 | SLSA Version | Formatter Name         |
 | ------------ | ---------------------- |
-| v1.0         | `slsa/v2alpha2`        |
+| v1.0         | `slsa/v2alpha3`        |
 | v0.2         | `slsa/v1` or `in-toto` |
 
 To configure Task-level provenance version

pkg/chains/formats/all/all.go

@@ -19,4 +19,5 @@ import (
 	_ "github.com/tektoncd/chains/pkg/chains/formats/slsa/v1"
 	_ "github.com/tektoncd/chains/pkg/chains/formats/slsa/v2alpha1"
 	_ "github.com/tektoncd/chains/pkg/chains/formats/slsa/v2alpha2"
+	_ "github.com/tektoncd/chains/pkg/chains/formats/slsa/v2alpha3"
 )

pkg/chains/formats/format.go

@@ -34,6 +34,7 @@ const (
 	PayloadTypeSlsav1        config.PayloadType = "slsa/v1"
 	PayloadTypeSlsav2alpha1  config.PayloadType = "slsa/v2alpha1"
 	PayloadTypeSlsav2alpha2  config.PayloadType = "slsa/v2alpha2"
+	PayloadTypeSlsav2alpha3  config.PayloadType = "slsa/v2alpha3"
 )
 
 var (
@@ -42,6 +43,7 @@ var (
 		PayloadTypeSlsav1:       {},
 		PayloadTypeSlsav2alpha1: {},
 		PayloadTypeSlsav2alpha2: {},
+		PayloadTypeSlsav2alpha3: {},
 	}
 	payloaderMap = map[config.PayloadType]PayloaderInit{}
 )

pkg/chains/formats/slsa/internal/external_parameters/external_parameters.go

@@ -0,0 +1,37 @@
+/*
+Copyright 2023 The Tekton Authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package externalparameters
+
+import (
+	"fmt"
+
+	v1 "github.com/tektoncd/pipeline/pkg/apis/pipeline/v1"
+)
+
+func BuildConfigSource(provenance *v1.Provenance) map[string]string {
+	ref := ""
+	for alg, hex := range provenance.RefSource.Digest {
+		ref = fmt.Sprintf("%s:%s", alg, hex)
+		break
+	}
+	buildConfigSource := map[string]string{
+		"ref":        ref,
+		"repository": provenance.RefSource.URI,
+		"path":       provenance.RefSource.EntryPoint,
+	}
+	return buildConfigSource
+}

pkg/chains/formats/slsa/internal/external_parameters/external_parameters_test.go

@@ -0,0 +1,63 @@
+/*
+Copyright 2023 The Tekton Authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package externalparameters
+
+import (
+	"strings"
+	"testing"
+
+	v1 "github.com/tektoncd/pipeline/pkg/apis/pipeline/v1"
+)
+
+func TestBuildConfigSource(t *testing.T) {
+	digest := map[string]string{"alg1": "hex1", "alg2": "hex2"}
+	provenance := &v1.Provenance{
+		RefSource: &v1.RefSource{
+			Digest:     digest,
+			URI:        "https://tekton.com",
+			EntryPoint: "/path/to/entry",
+		},
+	}
+
+	want := map[string]string{
+		"repository": "https://tekton.com",
+		"path":       "/path/to/entry",
+	}
+
+	got := BuildConfigSource(provenance)
+
+	gotRef := strings.Split(got["ref"], ":")
+	if len(gotRef) != 2 {
+		t.Errorf("buildConfigSource() does not return the proper ref: want one of: %s got: %s", digest, got["ref"])
+	}
+	refValue, ok := digest[gotRef[0]]
+	if !ok {
+		t.Errorf("buildConfigSource() does not contain correct ref: want one of: %s got: %s:%s", digest, gotRef[0], gotRef[1])
+	}
+
+	if refValue != gotRef[1] {
+		t.Errorf("buildConfigSource() does not contain correct ref: want one of: %s got: %s:%s", digest, gotRef[0], gotRef[1])
+	}
+
+	if got["repository"] != want["repository"] {
+		t.Errorf("buildConfigSource() does not contain correct repository: want: %s got: %s", want["repository"], want["repository"])
+	}
+
+	if got["path"] != want["path"] {
+		t.Errorf("buildConfigSource() does not contain correct path: want: %s got: %s", want["path"], got["path"])
+	}
+}