Fix/finish SLSA ingestion in the in-memory backend (guacsec#566)

* Helpful renames Signed-off-by: Mihai Maruseac <[email protected]> * Remove trailing whitespace Signed-off-by: Mihai Maruseac <[email protected]> * Ensure SLSA subject is read from [memory] backend. When ingesting a SLSA node, we need to make sure we only add the information relevant to the attestation, not create new subject nodes! Signed-off-by: Mihai Maruseac <[email protected]> * Ensure SLSA materials are read from backend Similar to previous commit, materials must not be created if they are not there when SLSA is ingested! Signed-off-by: Mihai Maruseac <[email protected]> * Don't generate a new builder either Signed-off-by: Mihai Maruseac <[email protected]> --------- Signed-off-by: Mihai Maruseac <[email protected]>
astrolemonade · Mar 10, 2023 · 5ef28e4 · 5ef28e4
1 parent fb63f8e
commit 5ef28e4
Show file tree

Hide file tree

Showing 24 changed files with 125 additions and 172 deletions.
diff --git a/SETUP.md b/SETUP.md
@@ -216,14 +216,14 @@ In this example, we will ingest an SPDX SBOM for a custom vulnerable image that
 Running the OSV Certifier will allow all the packages to be evaluated against the OSV database. If a vulnerability
 is found, a vulnerability node will be generated containing the OSV ID that can be queried further for more information.
 Along with the vulnerability node, a vulnerability attestation node is also generated based on a custom predicate defined
-in [pkg/certifier/attestation/attestation_vuln.go](https://github.com/guacsec/guac/blob/main/pkg/certifier/attestation/attestation_vuln.go) and an example defined in 
+in [pkg/certifier/attestation/attestation_vuln.go](https://github.com/guacsec/guac/blob/main/pkg/certifier/attestation/attestation_vuln.go) and an example defined in
 [internal/testing/testdata/exampledata/certify-vuln.json](https://github.com/guacsec/guac/blob/main/internal/testing/testdata/exampledata/certify-vuln.json). This attestation is generated
 for all packages that are evaluated, containing a list of vulnerabilities (if they exist). Future plans are that the `certifiers`
 would run periodically (or ad-hoc) to keep the information up to date.
 
-**NOTE:** 
+**NOTE:**
 
-The vulnerability predicate is a work in progress and might eventually be replaced and moved to 
+The vulnerability predicate is a work in progress and might eventually be replaced and moved to
 [in-toto/attestation](https://github.com/in-toto/attestation) repo.
 
 We first ingest the vulnerable SPDX SBOM into GUAC:

diff --git a/docker-compose.yml b/docker-compose.yml
@@ -32,7 +32,7 @@ services:
   # the service is ready for incoming requests.
   # TODO(lumjjb): no good way right now to do a healtcheck for nats-server since
   # it doesn't have utilities within it to perform the check from the container
-  # itself. 
+  # itself.
   service-health-1:
     image: "local-healthcheck"
     stdin_open: true
@@ -42,7 +42,7 @@ services:
       - -c
       - |
         echo "checking-for-services";
-        until curl -I http://nats:8222 > /dev/null 2>&1; do sleep 5; done; 
+        until curl -I http://nats:8222 > /dev/null 2>&1; do sleep 5; done;
         echo "nats-up";
         until curl -I http://neo4j:7474> /dev/null 2>&1; do sleep 5; done;
         echo "neo4j-up";

diff --git a/internal/testing/testdata/exampledata/crev-review.json b/internal/testing/testdata/exampledata/crev-review.json
@@ -2,7 +2,7 @@
   "_type": "https://in-toto.io/Statement/v0.1",
   "subject": [
       {
-        "name": "git://github.com/kubernetes/kubernetes", 
+        "name": "git://github.com/kubernetes/kubernetes",
         "digest": {"sha1": "5835544ca568b757a8ecae5c153f317e5736700e"}
       }
   ],

diff --git a/internal/testing/testdata/exampledata/github-review.json b/internal/testing/testdata/exampledata/github-review.json
@@ -2,7 +2,7 @@
   "_type": "https://in-toto.io/Statement/v0.1",
   "subject": [
       {
-        "name": "git://github.com/kubernetes/kubernetes", 
+        "name": "git://github.com/kubernetes/kubernetes",
         "digest": {"sha1": "5835544ca568b757a8ecae5c153f317e5736700e"}
       }
   ],

diff --git a/internal/testing/testdata/testdata.go b/internal/testing/testdata/testdata.go
@@ -127,7 +127,7 @@ var (
 			"invocation": {
 			  "configSource": {
 				"uri": "git+https://github.com/curl/curl-docker@master",
-				"digest": { "sha1": "d6525c840a62b398424a78d792f457477135d0cf" },   
+				"digest": { "sha1": "d6525c840a62b398424a78d792f457477135d0cf" },
 				"entryPoint": "build.yaml:maketgz"
 			  }
 			},
@@ -627,7 +627,6 @@ var (
 			  "uri":"osv.dev",
 			  "version":"0.0.14",
 			  "db":{
-				 
 			  },
 			  "result":[
 				 {
@@ -658,7 +657,6 @@ var (
 			  "uri":"osv.dev",
 			  "version":"0.0.14",
 			  "db":{
-				 
 			  },
 			  "result":[
 				 {
@@ -689,7 +687,6 @@ var (
 			  "uri":"osv.dev",
 			  "version":"0.0.14",
 			  "db":{
-				 
 			  },
 			  "result":[
 				 {
@@ -738,7 +735,6 @@ var (
 			  "uri":"osv.dev",
 			  "version":"0.0.14",
 			  "db":{
-				 
 			  },
 			  "result":[
 				 {

diff --git a/pkg/assembler/backends/helper/convert.go → pkg/assembler/backends/helper/conversion.go b/pkg/assembler/backends/helper/convert.go → pkg/assembler/backends/helper/conversion.go
@@ -116,3 +116,11 @@ func ConvertArtInputSpecToArtSpec(artInput *model.ArtifactInputSpec) *model.Arti
 	}
 	return &artSpec
 }
+
+func ConvertBuilderInputSpecToBuilderSpec(input *model.BuilderInputSpec) *model.BuilderSpec {
+	uri := input.URI
+	output := model.BuilderSpec{
+		URI: &uri,
+	}
+	return &output
+}
diff --git a/pkg/assembler/backends/helper/inputCheker.go → pkg/assembler/backends/helper/validation.go b/pkg/assembler/backends/helper/inputCheker.go → pkg/assembler/backends/helper/validation.go