Add build cmd not empty #164
Conversation
internal/endorser/endorser.go
Outdated
| @@ -58,14 +57,14 @@ func loadAndVerifyProvenances(provenanceURIs []string, referenceValues verifier. | |||
| } | |||
|
|
|||
| // load provenances from URIs | |||
| provenances := make([]slsa.ValidatedProvenance, 0, len(provenanceURIs)) | |||
| provenances := make([]amber.ValidatedProvenance, 0, len(provenanceURIs)) | |||
There was a problem hiding this comment.
I intentionally changed this from amber to slsa because we are deprecating amber. Please keep slsa.
There was a problem hiding this comment.
In fact, slsa.ValidatedProvenance and amber.ValidatedProvenance are the same struct, but are located in two different packages. As discussed, it is better to have it (and the ProvenanceIR) in package internal/common.
The reason I did not already put ValidatedProvenance in package internal/common was to avoid a circular dependency, and I thought we'd remove amber anyway. I can think of two ways to avoid the circular dependency:
- add a package common (or a similar name) in
pkg, in addition to the one we currently have ininternal/commom. - Move more code from
amberandslsatointernal/commonto avoid the circular dependency.
Please let me know if you want to discuss more or prefer me to do this refactoring :)
There was a problem hiding this comment.
Perhaps some of this generic provenance-related structure and functionality could go to pkg/provenance, and be made public as well.
There was a problem hiding this comment.
Yes! :) I'll do this this in the next PR.
internal/verifier/verifier.go
Outdated
| @@ -127,7 +127,8 @@ func chdir(dir string) { | |||
| // AmberProvenanceMetadataVerifier verifies Amber provenances by comparing the | |||
| // content of the provenance predicate against a given set of expected values. | |||
| type AmberProvenanceMetadataVerifier struct { | |||
| provenanceFilePath string | |||
| Got *amber.ValidatedProvenance | |||
There was a problem hiding this comment.
Please use slsa.ValidatedProvenance here.
There was a problem hiding this comment.
SG, but AmberProvenanceMetadataVerifier might a bit of a confusing name then. Should I try to add a comment/issue explaining?
There was a problem hiding this comment.
I agree. I think ProvenanceMetadataVerifier is a better name. We will no longer have an Amber provenance.
internal/endorser/endorser.go
Outdated
| provenancesData := make([]amber.ProvenanceData, 0, len(provenanceURIs)) | ||
| for _, uri := range provenanceURIs { | ||
| provenanceBytes, err := getProvenanceBytes(uri) | ||
| if err != nil { | ||
| return nil, fmt.Errorf("couldn't load the provenance file from %s: %v", uri, err) | ||
| } | ||
| provenance, err := slsa.ParseProvenanceData(provenanceBytes) | ||
| provenance, err := amber.ParseProvenanceData(provenanceBytes) |
There was a problem hiding this comment.
I think it would be nicer to also replace this with a generic function that returns a ProvenanceIR. So we don't have an explicit dependency to slsa, amber or any other package. Would that work?
There was a problem hiding this comment.
I think that would be a good idea. I would propose this in a different PR.
| // TODO(#69): Check metadata against the expected values. | ||
| // TODO(#126): Refactor and separate verification logic from the logic for reading the file. |
There was a problem hiding this comment.
Can #126 be closed now? Or are there more references to it?
There was a problem hiding this comment.
Yes, there are: The ReproducibleProvenanceVerifier.
| if err != nil { | ||
| return result, fmt.Errorf("provenance must have exactly one binary SHA256 digest value, got (%v)", verifier.Got.BinarySHA256Digests) | ||
| // Verify HasBuildCmd. | ||
| if verifier.Want.BuildCmds != nil { |
There was a problem hiding this comment.
When we load a toml file of reference values, which does not have a build command, is BuildCmds set to nil or empty array?
There was a problem hiding this comment.
This is a good question! I will need to re-work the logic for reference values and would postpone the answer until than (see #166).
| @@ -232,3 +245,18 @@ func (got *ProvenanceIR) verifyBinarySHA256Digest(want ProvenanceIR) (Verificati | |||
|
|
|||
| return result, nil | |||
| } | |||
|
|
|||
| // verifyHasBuildCmd verifies that the build cmd is not empty. | |||
| func (got *ProvenanceIR) verifyHasBuildCmd() (VerificationResult, error) { | |||
There was a problem hiding this comment.
Should this be renamed to verifyHasOneBuildCmd to be clear?
There was a problem hiding this comment.
I would stick with HasBuildCmd, as this is what we want to check from the provenance. The additonal check (got.BuildCmds) is an internal one, which is an artifact of using lists in ProvenanceIR. I'd like to remove this check when I rework the logic (see #166)
internal/verifier/verifier_test.go
Outdated
| @@ -93,6 +93,48 @@ func TestReproducibleProvenanceVerifier_badCommand(t *testing.T) { | |||
| } | |||
| } | |||
|
|
|||
| func TestLoadAndVerifyProvenances_HasBuildCmd(t *testing.T) { | |||
There was a problem hiding this comment.
Perhaps add a test for ProvenanceIRVerifier.Verify() where Want contains an empty array for BuildCmds. I am not sure what we'd expect in that case.
There was a problem hiding this comment.
My vision with #166 would be. If we have an empty array in Want, the ProvenanceIRVerifier does not verify that value.
There was a problem hiding this comment.
Will there be a way to verify that a command does not exist in the provenance?
There was a problem hiding this comment.
What exactly would we want to check?
I would have thought, whether a command exists depends on the format of the provenance, e.g., for SLSA v.02, buildCmd does not exist. So I am not sure what we can check.
The way I imagined we can check on whether the value should exists for a provenance format is through reference values (#166 ).
There was a problem hiding this comment.
Actually I think a valid provenance (amber or slsav1) should always have a command. If the only thing we want to check about the build command is its presence, and not its exact value, then we probably don't even need a reference value for it.
The only thing we should consider in checking hasBuildCommand is the provenance version. In particular, in slsa02 we don't set the build command.
There was a problem hiding this comment.
I would have thought, whether a command exists depends on the format of the provenance, e.g., for SLSA v.02, buildCmd does not exist. So I am not sure what we can check.
True. So I don't think a reference value is very helpful in this case. Unless we want to check the exact value of the build command.
The way I imagined we can check on whether the value should exists for a provenance format is through reference values (#166 ).
I think reference values are one source of information, but the provenance format/version should be taken into account as well. Is there going to be a reference value for the accepted provenance format/version (e.g., slsa02, slsa1)?
There was a problem hiding this comment.
I added a draft PR to show how I thought the check on provenanceFormat/version (version is a better work) could work #167.
NB: Sadly the changes are a bit hidden, because I need to base on this PR. I can submit this PR and we discuss on the next PR.
There was a problem hiding this comment.
I think it is better to add a test for ProvenanceIRVerifier.Verify() where Want contains an empty array for BuildCmds, and merge this PR, and continue the discussion on #167.
| if err != nil { | ||
| return result, fmt.Errorf("provenance must have exactly one binary SHA256 digest value, got (%v)", verifier.Got.BinarySHA256Digests) | ||
| // Verify HasBuildCmd. | ||
| if verifier.Want.BuildCmds != nil { |
There was a problem hiding this comment.
This is a good question! I will need to re-work the logic for reference values and would postpone the answer until than (see #166).
| @@ -232,3 +245,18 @@ func (got *ProvenanceIR) verifyBinarySHA256Digest(want ProvenanceIR) (Verificati | |||
|
|
|||
| return result, nil | |||
| } | |||
|
|
|||
| // verifyHasBuildCmd verifies that the build cmd is not empty. | |||
| func (got *ProvenanceIR) verifyHasBuildCmd() (VerificationResult, error) { | |||
There was a problem hiding this comment.
I would stick with HasBuildCmd, as this is what we want to check from the provenance. The additonal check (got.BuildCmds) is an internal one, which is an artifact of using lists in ProvenanceIR. I'd like to remove this check when I rework the logic (see #166)
internal/verifier/verifier_test.go
Outdated
| @@ -93,6 +93,48 @@ func TestReproducibleProvenanceVerifier_badCommand(t *testing.T) { | |||
| } | |||
| } | |||
|
|
|||
| func TestLoadAndVerifyProvenances_HasBuildCmd(t *testing.T) { | |||
There was a problem hiding this comment.
My vision with #166 would be. If we have an empty array in Want, the ProvenanceIRVerifier does not verify that value.
mariaschett
force-pushed
the
add-build-cmd-not-empty
branch
from
4cbc54f to
af5595e
Compare
build_cmdis not empty.ProvenanceMetadataVerifier.parseBuildConfigand addGetBuildCmd.