Improved attestation inspect#1498
Signed-off-by: Justin Chadwell <me@jedevc.com>
| type provenanceStub struct { | ||
| SLSA interface{} `json:",omitempty"` | ||
| } |
Provenance > SLSA? I thought it was SLSA > Provenance to keep common denominator first? Like in the future we can have SLSA > VSA.
I think it makes sense to have Type > Format. We have SBOM > SPDX, so I think it makes sense to have Provenance > SLSA.
VSA isn't provenance, so we'd have another "type" for that I think.
Need changes in docs too I think: https://github.com/docker/buildx/blob/master/docs/reference/buildx_imagetools_inspect.md#examples
crazy-max left a comment:
LGTM! Are we going to document on docs repo advanced use cases to retrieve list of packages in an SBOM for example?
| as.sbom = &sbomStub{ | ||
| SPDX: dt, | ||
| var spdx struct { | ||
| Predicate interface{} `json:"predicate"` |
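Review bot: the predicate is decoded into an untyped `interface{}` and stored straight into `SPDX: dt` with no check that the statement's `predicateType` is actually SPDX or that its subject digest matches the pulled image; the description defers those checks to go-imageinspect, but a TODO at this site, and an explicit error (rather than silently storing the value) when the predicate type is not the expected one, would keep that gap visible to the next reader.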
Bit concerned that there isn't any way to extract the actual attestation. But I guess we can add some special case/command for that later.
⬆️ Follow-up to #1444
This includes 3 main changes:

- `interface{}` types instead of `json.RawMessage`; this allows them to be accessed using go template notation, e.g. `--format "{{ range .SBOM.SPDX.packages }}{{ println .name .versionInfo }}{{ end }}"`.
- `Predicate` field to directly access the predicate of the attestation. In the future, we should sanity check the subject of the attestation against the pulled image, as well as the predicate type - this should be the responsibility of the go-imageinspect library. `.Attestations` field, but it seems an edge use-case for now.
- `BUILDKIT_SBOM_SCAN` args). The first SPDX document is added to `.SPDX`, while all documents are appended to `.SPDXs` - this can allow tools to search through dependencies used in build tooling.
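As an added example (not buildx or go-imageinspect code), the Go below decodes in-toto statements into the `.SPDX` / `.SPDXs` shape described above and performs the two checks the description defers: the `predicateType` must be SPDX and a subject digest must match the pulled image. The `statement` and `sbomStub` types, the `decodeSBOMs` function and the SPDX predicate-type URL constant are this example's own assumptions; any sample statements fed to it are constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Added example, not buildx code. statement is the subset of an in-toto
// Statement used here; Predicate stays untyped so templates can walk it.
type statement struct {
	PredicateType string `json:"predicateType"`
	Subject       []struct {
		Digest map[string]string `json:"digest"`
	} `json:"subject"`
	Predicate interface{} `json:"predicate"`
}

// sbomStub follows the PR: first SPDX document in SPDX, all of them in SPDXs.
type sbomStub struct {
	SPDX  interface{}
	SPDXs []interface{}
}
const spdxPredicateType = "https://spdx.dev/Document" // assumed SPDX type URL

// decodeSBOMs rejects a statement whose predicateType is not SPDX or whose
// subject lacks the sha256 hex digest of the pulled image (the sanity checks
// the PR description defers to go-imageinspect).
func decodeSBOMs(raws []string, imageSHA256 string) (*sbomStub, error) {
	out := &sbomStub{}
	for i, raw := range raws {
		var st statement
		if err := json.Unmarshal([]byte(raw), &st); err != nil {
			return nil, fmt.Errorf("attestation %d: %w", i, err)
		}
		if st.PredicateType != spdxPredicateType {
			return nil, fmt.Errorf("attestation %d: predicateType %q is not SPDX", i, st.PredicateType)
		}
		matched := false
		for _, s := range st.Subject {
			matched = matched || s.Digest["sha256"] == imageSHA256
		}
		if !matched {
			return nil, fmt.Errorf("attestation %d: subject does not match pulled image", i)
		}
		if out.SPDX == nil {
			out.SPDX = st.Predicate
		}
		out.SPDXs = append(out.SPDXs, st.Predicate)
	}
	return out, nil
}
```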