mirror of
https://github.com/anchore/syft.git
synced 2026-02-13 19:16:43 +01:00
feat: attest support for Singularity images (#1201)
This commit is contained in:
Adam Hughes
GitHub
parent
91eece47ff
commit
40d294a89e
@ -10,7 +10,6 @@ import (
|
|||||||
"github.com/google/go-containerregistry/pkg/name"
|
"github.com/google/go-containerregistry/pkg/name"
|
||||||
v1 "github.com/google/go-containerregistry/pkg/v1"
|
v1 "github.com/google/go-containerregistry/pkg/v1"
|
||||||
"github.com/in-toto/in-toto-golang/in_toto"
|
"github.com/in-toto/in-toto-golang/in_toto"
|
||||||
"github.com/pkg/errors"
|
|
||||||
sigopts "github.com/sigstore/cosign/cmd/cosign/cli/options"
|
sigopts "github.com/sigstore/cosign/cmd/cosign/cli/options"
|
||||||
"github.com/sigstore/cosign/cmd/cosign/cli/rekor"
|
"github.com/sigstore/cosign/cmd/cosign/cli/rekor"
|
||||||
"github.com/sigstore/cosign/cmd/cosign/cli/sign"
|
"github.com/sigstore/cosign/cmd/cosign/cli/sign"
|
||||||
@ -108,7 +107,7 @@ func Run(ctx context.Context, app *config.Application, ko sigopts.KeyOpts, args
|
|||||||
subscription := eventBus.Subscribe()
|
subscription := eventBus.Subscribe()
|
||||||
|
|
||||||
return eventloop.EventLoop(
|
return eventloop.EventLoop(
|
||||||
execWorker(app, *si, format, predicateType, sv, app.File),
|
execWorker(app, *si, format, predicateType, sv),
|
||||||
eventloop.SetupSignals(),
|
eventloop.SetupSignals(),
|
||||||
subscription,
|
subscription,
|
||||||
stereoscope.Cleanup,
|
stereoscope.Cleanup,
|
||||||
@ -144,6 +143,7 @@ func parseImageSource(userInput string, app *config.Application) (s *source.Inpu
|
|||||||
switch si.ImageSource {
|
switch si.ImageSource {
|
||||||
case image.UnknownSource, image.OciRegistrySource:
|
case image.UnknownSource, image.OciRegistrySource:
|
||||||
si.ImageSource = image.OciRegistrySource
|
si.ImageSource = image.OciRegistrySource
|
||||||
|
case image.SingularitySource:
|
||||||
default:
|
default:
|
||||||
return nil, fmt.Errorf("attest command can only be used with image sources fetch directly from the registry, but discovered an image source of %q when given %q", si.ImageSource, userInput)
|
return nil, fmt.Errorf("attest command can only be used with image sources fetch directly from the registry, but discovered an image source of %q when given %q", si.ImageSource, userInput)
|
||||||
}
|
}
|
||||||
@ -151,7 +151,7 @@ func parseImageSource(userInput string, app *config.Application) (s *source.Inpu
|
|||||||
return si, nil
|
return si, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func execWorker(app *config.Application, sourceInput source.Input, format sbom.Format, predicateType string, sv *sign.SignerVerifier, file string) <-chan error {
|
func execWorker(app *config.Application, sourceInput source.Input, format sbom.Format, predicateType string, sv *sign.SignerVerifier) <-chan error {
|
||||||
errs := make(chan error)
|
errs := make(chan error)
|
||||||
go func() {
|
go func() {
|
||||||
defer close(errs)
|
defer close(errs)
|
||||||
@ -177,36 +177,57 @@ func execWorker(app *config.Application, sourceInput source.Input, format sbom.F
|
|||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
err = generateAttestation(app, sbomBytes, src, sv, predicateType, file)
|
signedPayload, err := generateAttestation(sourceInput, sbomBytes, src, sv, predicateType)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
errs <- err
|
errs <- err
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
|
err = publishAttestation(app, signedPayload, src, sv)
|
||||||
|
if err != nil {
|
||||||
|
errs <- err
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
bus.Publish(partybus.Event{
|
||||||
|
Type: event.Exit,
|
||||||
|
Value: func() error {
|
||||||
|
return nil
|
||||||
|
},
|
||||||
|
})
|
||||||
}()
|
}()
|
||||||
return errs
|
return errs
|
||||||
}
|
}
|
||||||
|
|
||||||
func generateAttestation(app *config.Application, predicate []byte, src *source.Source, sv *sign.SignerVerifier, predicateType string, file string) error {
|
func generateAttestation(si source.Input, predicate []byte, src *source.Source, sv *sign.SignerVerifier, predicateType string) ([]byte, error) {
|
||||||
switch len(src.Image.Metadata.RepoDigests) {
|
var h v1.Hash
|
||||||
case 0:
|
|
||||||
return fmt.Errorf("cannot generate attestation since no repo digests were found; make sure you're passing an OCI registry source for the attest command")
|
|
||||||
case 1:
|
|
||||||
default:
|
|
||||||
return fmt.Errorf("cannot generate attestation since multiple repo digests were found for the image: %+v", src.Image.Metadata.RepoDigests)
|
|
||||||
}
|
|
||||||
|
|
||||||
wrapped := dsse.WrapSigner(sv, intotoJSONDsseType)
|
switch si.ImageSource {
|
||||||
ref, err := name.ParseReference(src.Metadata.ImageMetadata.UserInput)
|
case image.OciRegistrySource:
|
||||||
if err != nil {
|
switch len(src.Image.Metadata.RepoDigests) {
|
||||||
return err
|
case 0:
|
||||||
}
|
return nil, fmt.Errorf("cannot generate attestation since no repo digests were found; make sure you're passing an OCI registry source for the attest command")
|
||||||
|
case 1:
|
||||||
|
d, err := name.NewDigest(src.Image.Metadata.RepoDigests[0])
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
|
||||||
digest, err := ociremote.ResolveDigest(ref)
|
h, err = v1.NewHash(d.Identifier())
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
default:
|
||||||
|
return nil, fmt.Errorf("cannot generate attestation since multiple repo digests were found for the image: %+v", src.Image.Metadata.RepoDigests)
|
||||||
|
}
|
||||||
|
|
||||||
h, _ := v1.NewHash(digest.Identifier())
|
case image.SingularitySource:
|
||||||
|
var err error
|
||||||
|
h, err = v1.NewHash(src.Image.Metadata.ID)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
sh, err := attestation.GenerateStatement(attestation.GenerateOpts{
|
sh, err := attestation.GenerateStatement(attestation.GenerateOpts{
|
||||||
Predicate: bytes.NewBuffer(predicate),
|
Predicate: bytes.NewBuffer(predicate),
|
||||||
@ -214,38 +235,44 @@ func generateAttestation(app *config.Application, predicate []byte, src *source.
|
|||||||
Digest: h.Hex,
|
Digest: h.Hex,
|
||||||
})
|
})
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
||||||
payload, err := json.Marshal(sh)
|
payload, err := json.Marshal(sh)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
||||||
signedPayload, err := wrapped.SignMessage(bytes.NewReader(payload), signatureoptions.WithContext(context.Background()))
|
wrapped := dsse.WrapSigner(sv, intotoJSONDsseType)
|
||||||
if err != nil {
|
return wrapped.SignMessage(bytes.NewReader(payload), signatureoptions.WithContext(context.Background()))
|
||||||
return errors.Wrap(err, "unable to sign SBOM")
|
}
|
||||||
}
|
|
||||||
|
|
||||||
|
// publishAttestation publishes signedPayload to the location specified by the user.
|
||||||
|
func publishAttestation(app *config.Application, signedPayload []byte, src *source.Source, sv *sign.SignerVerifier) error {
|
||||||
|
switch {
|
||||||
// We want to give the option to not upload the generated attestation
|
// We want to give the option to not upload the generated attestation
|
||||||
// if passed or if the user is using local PKI
|
// if passed or if the user is using local PKI
|
||||||
if app.Attest.NoUpload || app.Attest.KeyRef != "" {
|
case app.Attest.NoUpload || app.Attest.KeyRef != "":
|
||||||
bus.Publish(partybus.Event{
|
if app.File != "" {
|
||||||
Type: event.Exit,
|
return os.WriteFile(app.File, signedPayload, 0600)
|
||||||
Value: func() error {
|
}
|
||||||
var err error
|
|
||||||
if file != "" {
|
|
||||||
err = os.WriteFile(file, signedPayload, 0600)
|
|
||||||
} else {
|
|
||||||
_, err = os.Stdout.Write(signedPayload)
|
|
||||||
}
|
|
||||||
return err
|
|
||||||
},
|
|
||||||
})
|
|
||||||
return nil
|
|
||||||
}
|
|
||||||
|
|
||||||
return uploadAttestation(app, signedPayload, digest, sv)
|
_, err := os.Stdout.Write(signedPayload)
|
||||||
|
return err
|
||||||
|
|
||||||
|
default:
|
||||||
|
ref, err := name.ParseReference(src.Metadata.ImageMetadata.UserInput)
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
|
digest, err := ociremote.ResolveDigest(ref)
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
|
return uploadAttestation(app, signedPayload, digest, sv)
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
func trackUploadAttestation() (*progress.Stage, *progress.Manual) {
|
func trackUploadAttestation() (*progress.Stage, *progress.Manual) {
|
||||||
@ -324,12 +351,6 @@ func uploadAttestation(app *config.Application, signedPayload []byte, digest nam
|
|||||||
|
|
||||||
prog.SetCompleted()
|
prog.SetCompleted()
|
||||||
|
|
||||||
bus.Publish(partybus.Event{
|
|
||||||
Type: event.Exit,
|
|
||||||
Value: func() error {
|
|
||||||
return nil
|
|
||||||
},
|
|
||||||
})
|
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
2
go.mod
2
go.mod
@ -334,7 +334,7 @@ require (
|
|||||||
// we are hinting brotli to latest due to warning when installing archiver v3:
|
// we are hinting brotli to latest due to warning when installing archiver v3:
|
||||||
// go: warning: github.com/andybalholm/brotli@v1.0.1: retracted by module author: occasional panics and data corruption
|
// go: warning: github.com/andybalholm/brotli@v1.0.1: retracted by module author: occasional panics and data corruption
|
||||||
github.com/andybalholm/brotli v1.0.4 // indirect
|
github.com/andybalholm/brotli v1.0.4 // indirect
|
||||||
github.com/pkg/errors v0.9.1
|
github.com/pkg/errors v0.9.1 // indirect
|
||||||
golang.org/x/crypto v0.0.0-20220829220503-c86fa9a7ed90 // indirect
|
golang.org/x/crypto v0.0.0-20220829220503-c86fa9a7ed90 // indirect
|
||||||
)
|
)
|
||||||
|
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user