diff --git a/go.mod b/go.mod
index b33ac94f31..605cfe979a 100644
--- a/go.mod
+++ b/go.mod
@@ -8,7 +8,7 @@ require (
 github.com/go-openapi/swag v0.22.3
 github.com/google/go-cmp v0.5.9
 github.com/google/go-github/v44 v44.1.0
- github.com/in-toto/in-toto-golang v0.3.4-0.20220709202702-fa494aaa0add
+ github.com/in-toto/in-toto-golang v0.4.0
 github.com/secure-systems-lab/go-securesystemslib v0.4.0
 github.com/sigstore/cosign v1.12.1
 github.com/sigstore/rekor v0.12.2
diff --git a/go.sum b/go.sum
index 45b079e6ff..b30483208c 100644
--- a/go.sum
+++ b/go.sum
@@ -944,6 +944,8 @@ github.com/imdario/mergo v0.3.12 h1:b6R2BslTbIEToALKP7LxUvijTsNI9TAe80pLWN2g/HU=
 github.com/imdario/mergo v0.3.12/go.mod h1:jmQim1M+e3UYxmgPu/WyfjB3N3VflVyUjjjwH0dnCYA=
 github.com/in-toto/in-toto-golang v0.3.4-0.20220709202702-fa494aaa0add h1:DAh7mHiRT7wc6kKepYdCpH16ElPciMPQWJaJ7H3l/ng=
 github.com/in-toto/in-toto-golang v0.3.4-0.20220709202702-fa494aaa0add/go.mod h1:DQI8vlV6h6qSY/tCOoYKtxjWrkyiNpJ3WTV/WoBllmQ=
+github.com/in-toto/in-toto-golang v0.4.0 h1:9iUcYy6d1nk8TjMzhTmEvO8sMp+oBnbgEq72QdyZ0hQ=
+github.com/in-toto/in-toto-golang v0.4.0/go.mod h1:KqmIkX/ZhX3rqGW6TzQK9YGTMHWTFaD3y82u6mxVrfs=
 github.com/inconshreveable/mousetrap v1.0.0 h1:Z8tu5sraLXCXIcARxBp/8cbvlwVa7Z1NHg9XEKhtSvM=
 github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8=
 github.com/influxdata/influxdb1-client v0.0.0-20191209144304-8bf82d3c094d/go.mod h1:qj24IKcXYK6Iy9ceXlo3Tc+vtHo9lIhSX5JddghvEPo=
diff --git a/internal/builders/generic/attest_test.go b/internal/builders/generic/attest_test.go
index 314310f7ff..8b7818d604 100644
--- a/internal/builders/generic/attest_test.go
+++ b/internal/builders/generic/attest_test.go
@@ -10,7 +10,7 @@ import (
 "github.com/google/go-cmp/cmp"
 "github.com/google/go-cmp/cmp/cmpopts"
 intoto "github.com/in-toto/in-toto-golang/in_toto"
- slsav02 "github.com/in-toto/in-toto-golang/in_toto/slsa_provenance/v0.2"
+ slsacommon "github.com/in-toto/in-toto-golang/in_toto/slsa_provenance/common"
 
 "github.com/slsa-framework/slsa-github-generator/internal/errors"
 "github.com/slsa-framework/slsa-github-generator/internal/testutil"
@@ -33,7 +33,7 @@ func TestParseSubjects(t *testing.T) {
 expected: []intoto.Subject{
 {
 Name: "hoge",
- Digest: slsav02.DigestSet{
+ Digest: slsacommon.DigestSet{
 "sha256": "2e0390eb024a52963db7b95e84a9c2b12c004054a7bad9a97ec0c7c89d4681d2",
 },
 },
@@ -46,7 +46,7 @@ func TestParseSubjects(t *testing.T) {
 expected: []intoto.Subject{
 {
 Name: "hoge fuga",
- Digest: slsav02.DigestSet{
+ Digest: slsacommon.DigestSet{
 "sha256": "2e0390eb024a52963db7b95e84a9c2b12c004054a7bad9a97ec0c7c89d4681d2",
 },
 },
@@ -59,7 +59,7 @@ func TestParseSubjects(t *testing.T) {
 expected: []intoto.Subject{
 {
 Name: "hoge fuga",
- Digest: slsav02.DigestSet{
+ Digest: slsacommon.DigestSet{
 "sha256": "2e0390eb024a52963db7b95e84a9c2b12c004054a7bad9a97ec0c7c89d4681d2",
 },
 },
@@ -73,13 +73,13 @@ func TestParseSubjects(t *testing.T) {
 expected: []intoto.Subject{
 {
 Name: "hoge",
- Digest: slsav02.DigestSet{
+ Digest: slsacommon.DigestSet{
 "sha256": "2e0390eb024a52963db7b95e84a9c2b12c004054a7bad9a97ec0c7c89d4681d2",
 },
 },
 {
 Name: "fuga",
- Digest: slsav02.DigestSet{
+ Digest: slsacommon.DigestSet{
 "sha256": "e712aff3705ac314b9a890e0ec208faa20054eee514d86ab913d768f94e01279",
 },
 },
@@ -97,13 +97,13 @@ func TestParseSubjects(t *testing.T) {
 expected: []intoto.Subject{
 {
 Name: "hoge",
- Digest: slsav02.DigestSet{
+ Digest: slsacommon.DigestSet{
 "sha256": "2e0390eb024a52963db7b95e84a9c2b12c004054a7bad9a97ec0c7c89d4681d2",
 },
 },
 {
 Name: "fuga",
- Digest: slsav02.DigestSet{
+ Digest: slsacommon.DigestSet{
 "sha256": "e712aff3705ac314b9a890e0ec208faa20054eee514d86ab913d768f94e01279",
 },
 },
diff --git a/internal/builders/generic/generic.go b/internal/builders/generic/generic.go
index 69481e23fb..a7afadfc9f 100644
--- a/internal/builders/generic/generic.go
+++ b/internal/builders/generic/generic.go
@@ -25,7 +25,7 @@ import (
 "testing"
 
 intoto "github.com/in-toto/in-toto-golang/in_toto"
- slsav02 "github.com/in-toto/in-toto-golang/in_toto/slsa_provenance/v0.2"
+ slsacommon "github.com/in-toto/in-toto-golang/in_toto/slsa_provenance/common"
 "github.com/slsa-framework/slsa-github-generator/internal/errors"
 "github.com/slsa-framework/slsa-github-generator/slsa"
 )
@@ -121,7 +121,7 @@ func parseSubjects(b64str string) ([]intoto.Subject, error) {
 
 parsed = append(parsed, intoto.Subject{
 Name: name,
- Digest: slsav02.DigestSet{
+ Digest: slsacommon.DigestSet{
 "sha256": shaDigest,
 },
 })
diff --git a/internal/builders/go/pkg/provenance.go b/internal/builders/go/pkg/provenance.go
index dacdb24703..1533862621 100644
--- a/internal/builders/go/pkg/provenance.go
+++ b/internal/builders/go/pkg/provenance.go
@@ -23,7 +23,7 @@ import (
 "github.com/slsa-framework/slsa-github-generator/signing"
 
 intoto "github.com/in-toto/in-toto-golang/in_toto"
- slsa02 "github.com/in-toto/in-toto-golang/in_toto/slsa_provenance/v0.2"
+ slsacommon "github.com/in-toto/in-toto-golang/in_toto/slsa_provenance/common"
 "github.com/slsa-framework/slsa-github-generator/github"
 "github.com/slsa-framework/slsa-github-generator/internal/utils"
 "github.com/slsa-framework/slsa-github-generator/slsa"
@@ -93,7 +93,7 @@ func GenerateProvenance(name, digest, command, envs, workingDir string, s signin
 GithubActionsBuild: slsa.NewGithubActionsBuild([]intoto.Subject{
 {
 Name: name,
- Digest: slsa02.DigestSet{
+ Digest: slsacommon.DigestSet{
 "sha256": digest,
 },
 },
@@ -157,7 +157,7 @@ func GenerateProvenance(name, digest, command, envs, workingDir string, s signin
 invEnv["os"] = os.Getenv("ImageOS")
 
 // Add details about the runner's OS to the materials
- runnerMaterials := slsa02.ProvenanceMaterial{
+ runnerMaterials := slsacommon.ProvenanceMaterial{
 // TODO: capture the digest here too
 URI: fmt.Sprintf("https://github.com/actions/virtual-environments/releases/tag/%s/%s", os.Getenv("ImageOS"), os.Getenv("ImageVersion")),
 }
diff --git a/slsa/buildtype.go b/slsa/buildtype.go
index bad8ffd928..fa2c0507c3 100644
--- a/slsa/buildtype.go
+++ b/slsa/buildtype.go
@@ -22,7 +22,9 @@ import (
 "strings"
 
 intoto "github.com/in-toto/in-toto-golang/in_toto"
+ slsacommon "github.com/in-toto/in-toto-golang/in_toto/slsa_provenance/common"
 slsa "github.com/in-toto/in-toto-golang/in_toto/slsa_provenance/v0.2"
+ slsa02 "github.com/in-toto/in-toto-golang/in_toto/slsa_provenance/v0.2"
 
 "github.com/slsa-framework/slsa-github-generator/github"
 )
@@ -40,13 +42,13 @@ type BuildType interface {
 BuildConfig(context.Context) (interface{}, error)
 
 // Invocation returns an invocation for this build type.
- Invocation(context.Context) (slsa.ProvenanceInvocation, error)
+ Invocation(context.Context) (slsa02.ProvenanceInvocation, error)
 
 // Materials returns materials as defined by this build type.
- Materials(context.Context) ([]slsa.ProvenanceMaterial, error)
+ Materials(context.Context) ([]slsacommon.ProvenanceMaterial, error)
 
 // Metadata returns a metadata about the build.
- Metadata(context.Context) (*slsa.ProvenanceMetadata, error)
+ Metadata(context.Context) (*slsa02.ProvenanceMetadata, error)
 }
 
 // GithubActionsBuild is a basic build type for builders running in GitHub Actions.
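Review bot: The import hunk in slsa/buildtype.go now brings `slsa_provenance/v0.2` into the file twice, once as `slsa` and once as `slsa02`, so the same types appear under two names: the BuildType interface in the following hunk returns `slsa02.ProvenanceInvocation`, while the `Invocation` method signature visible in the next hunk's header still returns `slsa.ProvenanceInvocation`. This compiles because both aliases name one package, but it obscures whether a v0.2-specific type or a `common` type is intended, and importing the same package twice is flagged by staticcheck (ST1019). Drop `slsa "github.com/in-toto/in-toto-golang/in_toto/slsa_provenance/v0.2"` and rename the file's remaining `slsa.` references to `slsa02.`, matching what slsa/provenance.go does in this same change. Those remaining references lie outside this hunk.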
@@ -216,7 +218,7 @@ func (b *GithubActionsBuild) Invocation(ctx context.Context) (slsa.ProvenanceInv
 i.ConfigSource.EntryPoint = entryPoint
 i.ConfigSource.URI = b.Context.RepositoryURI()
 if b.Context.SHA != "" {
- i.ConfigSource.Digest = slsa.DigestSet{
+ i.ConfigSource.Digest = slsacommon.DigestSet{
 "sha1": b.Context.SHA,
 }
 }
@@ -233,12 +235,12 @@ func (b *GithubActionsBuild) Invocation(ctx context.Context) (slsa.ProvenanceInv
 
 // Materials implements BuildType.Materials. It returns a list of materials
 // that includes the repository that triggered the GitHub Actions workflow.
-func (b *GithubActionsBuild) Materials(context.Context) ([]slsa.ProvenanceMaterial, error) {
- var material []slsa.ProvenanceMaterial
+func (b *GithubActionsBuild) Materials(context.Context) ([]slsacommon.ProvenanceMaterial, error) {
+ var material []slsacommon.ProvenanceMaterial
 if b.Context.RepositoryURI() != "" {
- material = append(material, slsa.ProvenanceMaterial{
+ material = append(material, slsacommon.ProvenanceMaterial{
 URI: b.Context.RepositoryURI(),
- Digest: slsa.DigestSet{
+ Digest: slsacommon.DigestSet{
 "sha1": b.Context.SHA,
 },
 })
diff --git a/slsa/provenance.go b/slsa/provenance.go
index 6669a50645..c9d65e4ab9 100644
--- a/slsa/provenance.go
+++ b/slsa/provenance.go
@@ -20,7 +20,8 @@ import (
 "regexp"
 
 intoto "github.com/in-toto/in-toto-golang/in_toto"
- slsa "github.com/in-toto/in-toto-golang/in_toto/slsa_provenance/v0.2"
+ slsacommon "github.com/in-toto/in-toto-golang/in_toto/slsa_provenance/common"
+ slsa02 "github.com/in-toto/in-toto-golang/in_toto/slsa_provenance/v0.2"
 )
 
 const (
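Review bot: In `Materials` the repository material's digest is populated from `b.Context.SHA` unconditionally, whereas the `Invocation` hunk just above only sets `ConfigSource.Digest` inside `if b.Context.SHA != ""`; with an empty SHA the provenance would carry a material whose digest map holds `"sha1": ""`, which a consumer cannot match against any commit yet is shaped like a recorded pin. This predates the change (the hunk only renames the types), but since the signature is being rewritten it is a natural moment to bring the two into line: build `m := slsacommon.ProvenanceMaterial{URI: b.Context.RepositoryURI()}`, set `m.Digest = slsacommon.DigestSet{"sha1": b.Context.SHA}` only under an `if b.Context.SHA != ""` guard, then append `m`. Whether callers guarantee a non-empty SHA is not visible here, and the function continues past the end of the hunk.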
@@ -101,12 +102,12 @@ func (g *HostedActionsGenerator) Generate(ctx context.Context) (*intoto.Provenan
 return &intoto.ProvenanceStatement{
 StatementHeader: intoto.StatementHeader{
 Type: intoto.StatementInTotoV01,
- PredicateType: slsa.PredicateSLSAProvenance,
+ PredicateType: slsa02.PredicateSLSAProvenance,
 Subject: subject,
 },
- Predicate: slsa.ProvenancePredicate{
+ Predicate: slsa02.ProvenancePredicate{
 BuildType: g.buildType.URI(),
- Builder: slsa.ProvenanceBuilder{
+ Builder: slsacommon.ProvenanceBuilder{
 ID: builderID,
 },
 Invocation: invocation,
diff --git a/slsa/provenance_test.go b/slsa/provenance_test.go
index ca90136134..214221bc76 100644
--- a/slsa/provenance_test.go
+++ b/slsa/provenance_test.go
@@ -7,7 +7,8 @@ import (
 
 "github.com/google/go-cmp/cmp"
 intoto "github.com/in-toto/in-toto-golang/in_toto"
- slsa "github.com/in-toto/in-toto-golang/in_toto/slsa_provenance/v0.2"
+ slsacommon "github.com/in-toto/in-toto-golang/in_toto/slsa_provenance/common"
+ slsa02 "github.com/in-toto/in-toto-golang/in_toto/slsa_provenance/v0.2"
 
 "github.com/slsa-framework/slsa-github-generator/github"
 )
@@ -49,15 +50,15 @@ func TestHostedActionsProvenance(t *testing.T) {
 expected: &intoto.ProvenanceStatement{
 StatementHeader: intoto.StatementHeader{
 Type: intoto.StatementInTotoV01,
- PredicateType: slsa.PredicateSLSAProvenance,
+ PredicateType: slsa02.PredicateSLSAProvenance,
 },
- Predicate: slsa.ProvenancePredicate{
- Builder: slsa.ProvenanceBuilder{
+ Predicate: slsa02.ProvenancePredicate{
+ Builder: slsacommon.ProvenanceBuilder{
 ID: GithubHostedActionsBuilderID,
 },
 BuildType: testBuildType,
 BuildConfig: testBuildConfig,
- Invocation: slsa.ProvenanceInvocation{
+ Invocation: slsa02.ProvenanceInvocation{
 Environment: map[string]interface{}{
 "github_run_id": "",
 "github_run_attempt": "",
@@ -72,7 +73,7 @@ func TestHostedActionsProvenance(t *testing.T) {
 "github_sha1": "",
 },
 },
- Metadata: &slsa.ProvenanceMetadata{},
+ Metadata: &slsa02.ProvenanceMetadata{},
 },
 },
 },
@@ -99,15 +100,15 @@ func TestHostedActionsProvenance(t *testing.T) {
 expected: &intoto.ProvenanceStatement{
 StatementHeader: intoto.StatementHeader{
 Type: intoto.StatementInTotoV01,
- PredicateType: slsa.PredicateSLSAProvenance,
+ PredicateType: slsa02.PredicateSLSAProvenance,
 },
- Predicate: slsa.ProvenancePredicate{
- Builder: slsa.ProvenanceBuilder{
+ Predicate: slsa02.ProvenancePredicate{
+ Builder: slsacommon.ProvenanceBuilder{
 ID: GithubHostedActionsBuilderID,
 },
 BuildType: testBuildType,
 BuildConfig: testBuildConfig,
- Invocation: slsa.ProvenanceInvocation{
+ Invocation: slsa02.ProvenanceInvocation{
 Environment: map[string]interface{}{
 "github_run_id": "12345",
 "github_run_attempt": "1",
@@ -121,13 +122,13 @@ func TestHostedActionsProvenance(t *testing.T) {
 "github_run_number": "102937",
 "github_sha1": "abcde",
 },
- ConfigSource: slsa.ConfigSource{
- Digest: slsa.DigestSet{
+ ConfigSource: slsa02.ConfigSource{
+ Digest: slsacommon.DigestSet{
 "sha1": "abcde",
 },
 },
 },
- Metadata: &slsa.ProvenanceMetadata{
+ Metadata: &slsa02.ProvenanceMetadata{
 BuildInvocationID: "12345-1",
 },
 },