fix: use ExternalParameters["source"] for the Source URI for SLSA v1.…

…0 provenance (#621) * feat: add support for checking a source annotation when there are multiple resolveddependencies Signed-off-by: Asra Ali <asraa@google.com> * revert to using external parameters source key Signed-off-by: Asra Ali <asraa@google.com> * unused file Signed-off-by: Asra Ali <asraa@google.com> --------- Signed-off-by: Asra Ali <asraa@google.com>
slsa-framework · May 27, 2023 · db0560e · db0560e
1 parent 7e2c7ae
commit db0560e
Show file tree

Hide file tree

Showing 3 changed files with 23 additions and 13 deletions.
diff --git a/verifiers/internal/gha/builder.go b/verifiers/internal/gha/builder.go
@@ -24,9 +24,9 @@ var (
 )
 
 var defaultArtifactTrustedReusableWorkflows = map[string]bool{
-	trustedBuilderRepository + "/.github/workflows/generator_generic_slsa3.yml":    true,
-	trustedBuilderRepository + "/.github/workflows/builder_go_slsa3.yml":           true,
-	trustedBuilderRepository + "/.github/workflows/builder_docker-based_slsa3.yml": true,
+	trustedBuilderRepository + "/.github/workflows/generator_generic_slsa3.yml":       true,
+	trustedBuilderRepository + "/.github/workflows/builder_go_slsa3.yml":              true,
+	trustedBuilderRepository + "/.github/workflows/builder_container-based_slsa3.yml": true,
 }
 
 var defaultContainerTrustedReusableWorkflows = map[string]bool{

diff --git a/verifiers/internal/gha/provenance_test.go b/verifiers/internal/gha/provenance_test.go
@@ -362,8 +362,8 @@ func Test_verifySourceURI(t *testing.T) {
 						// 		"path":       "some/path",
 						// 	},
 						// },
-						ResolvedDependencies: []slsa1.ResourceDescriptor{
-							{
+						ExternalParameters: map[string]interface{}{
+							"source": slsa1.ResourceDescriptor{
 								URI: tt.provMaterialsURI,
 							},
 						},
@@ -372,7 +372,7 @@ func Test_verifySourceURI(t *testing.T) {
 			}
 
 			if tt.provMaterialsURI == "" {
-				prov1.Predicate.BuildDefinition.ResolvedDependencies = nil
+				prov1.Predicate.BuildDefinition.ExternalParameters = nil
 			}
 			err = verifySourceURI(prov1, tt.expectedSourceURI, tt.allowNoMaterialRef)
 			if !errCmp(err, tt.err) {

diff --git a/verifiers/internal/gha/slsaprovenance/v1.0/provenance.go b/verifiers/internal/gha/slsaprovenance/v1.0/provenance.go
@@ -1,6 +1,7 @@
 package v1
 
 import (
+	"encoding/json"
 	"fmt"
 	"strings"
 	"time"
@@ -38,15 +39,24 @@ func (prov *ProvenanceV1) BuilderID() (string, error) {
 }
 
 func (prov *ProvenanceV1) SourceURI() (string, error) {
-	// Use resolvedDependencies.
-	if len(prov.Predicate.BuildDefinition.ResolvedDependencies) == 0 {
-		return "", fmt.Errorf("%w: empty resovedDependencies", serrors.ErrorInvalidDssePayload)
+	// Use externalParameters.
+	extParams, ok := prov.Predicate.BuildDefinition.ExternalParameters.(map[string]interface{})
+	if !ok {
+		return "", fmt.Errorf("%w: %s", serrors.ErrorInvalidDssePayload, "external parameters type")
+	}
+	source, ok := extParams["source"]
+	if !ok {
+		return "", fmt.Errorf("%w: %s", serrors.ErrorInvalidDssePayload, "external parameters source not found")
+	}
+	sourceBytes, err := json.Marshal(source)
+	if err != nil {
+		return "", fmt.Errorf("%w: %s", err, "marshalling external parameters source")
 	}
-	uri := prov.Predicate.BuildDefinition.ResolvedDependencies[0].URI
-	if uri == "" {
-		return "", fmt.Errorf("%w: empty uri", serrors.ErrorMalformedURI)
+	var sourceResource slsa1.ResourceDescriptor
+	if err := json.Unmarshal(sourceBytes, &sourceResource); err != nil {
+		return "", fmt.Errorf("%w: %s", serrors.ErrorInvalidDssePayload, "external parameters source type")
 	}
-	return uri, nil
+	return sourceResource.URI, nil
 }
 
 // TODO(#613): Support for generators.