Add support for DSSE envelope for attestation and provenance in image…

…tools Signed-off-by: Laurent Goderre <laurent.goderre@docker.com>
docker · Feb 28, 2024 · 184f443 · 184f443
1 parent 78adfc8
commit 184f443
Showing 1 changed file with 41 additions and 2 deletions.
diff --git a/util/imagetools/loader.go b/util/imagetools/loader.go
@@ -4,6 +4,7 @@ package imagetools
 
 import (
 	"context"
+	"encoding/base64"
 	"encoding/json"
 	"sort"
 	"strings"
@@ -283,7 +284,9 @@ func (l *loader) scanSBOM(ctx context.Context, fetcher remotes.Fetcher, r *resul
 				return nil, errors.Errorf("referenced image %s not found", dgst)
 			}
 			for _, layer := range mfst.manifest.Layers {
-				if layer.MediaType == "application/vnd.in-toto+json" && layer.Annotations["in-toto.io/predicate-type"] == "https://spdx.dev/Document" {
+				if (layer.MediaType == "application/vnd.in-toto+json" ||
+					layer.MediaType == "application/vnd.in-toto.spdx+dsse") &&
+					layer.Annotations["in-toto.io/predicate-type"] == "https://spdx.dev/Document" {
 					_, err := remotes.FetchHandler(l.cache, fetcher)(ctx, layer)
 					if err != nil {
 						return nil, err
@@ -292,6 +295,23 @@ func (l *loader) scanSBOM(ctx context.Context, fetcher remotes.Fetcher, r *resul
 					if err != nil {
 						return nil, err
 					}
+
+					if layer.MediaType == "application/vnd.in-toto.spdx+dsse" {
+						var dsse struct {
+							Payload string `json:"payload"`
+						}
+						if err := json.Unmarshal(dt, &dsse); err != nil {
+							return nil, err
+						}
+
+						decoded, err := base64.StdEncoding.DecodeString(dsse.Payload)
+						if err != nil {
+							return nil, err
+						}
+
+						dt = decoded
+					}
+
 					var spdx struct {
 						Predicate interface{} `json:"predicate"`
 					}
@@ -327,7 +347,9 @@ func (l *loader) scanProvenance(ctx context.Context, fetcher remotes.Fetcher, r
 				return nil, errors.Errorf("referenced image %s not found", dgst)
 			}
 			for _, layer := range mfst.manifest.Layers {
-				if layer.MediaType == "application/vnd.in-toto+json" && strings.HasPrefix(layer.Annotations["in-toto.io/predicate-type"], "https://slsa.dev/provenance/") {
+				if (layer.MediaType == "application/vnd.in-toto+json" ||
+					layer.MediaType == "application/vnd.in-toto.provenance+dsse") &&
+					strings.HasPrefix(layer.Annotations["in-toto.io/predicate-type"], "https://slsa.dev/provenance/") {
 					_, err := remotes.FetchHandler(l.cache, fetcher)(ctx, layer)
 					if err != nil {
 						return nil, err
@@ -336,6 +358,23 @@ func (l *loader) scanProvenance(ctx context.Context, fetcher remotes.Fetcher, r
 					if err != nil {
 						return nil, err
 					}
+
+					if layer.MediaType == "application/vnd.in-toto.provenance+dsse" {
+						var dsse struct {
+							Payload string `json:"payload"`
+						}
+						if err := json.Unmarshal(dt, &dsse); err != nil {
+							return nil, err
+						}
+
+						decoded, err := base64.StdEncoding.DecodeString(dsse.Payload)
+						if err != nil {
+							return nil, err
+						}
+
+						dt = decoded
+					}
+
 					var slsa struct {
 						Predicate interface{} `json:"predicate"`
 					}