TEP 0122: complete build instuctions: adding taskspec to buildConfig (#…

…663)

This PR introduces a new format `slsa/v2` which contains the complete
build instructions as designed in TEP0122.

Note that we are currently surfacing it for the users as `slsa/v2alpha1` since it is WIP and will undergo updates until we make it available for pipelineruns as well.

docs/config.md

@@ -51,11 +51,12 @@ Supported keys include:
 
 | Key | Description | Supported Values | Default |
 | :--- | :--- | :--- | :--- |
-| `artifacts.taskrun.format` | The format to store `TaskRun` payloads in. | `in-toto`, `slsa/v1`| `in-toto` |
+| `artifacts.taskrun.format` | The format to store `TaskRun` payloads in. | `in-toto`, `slsa/v1`, `slsa/v2alpha1`| `in-toto` |
 | `artifacts.taskrun.storage` | The storage backend to store `TaskRun` signatures in. Multiple backends can be specified with comma-separated list ("tekton,oci"). To disable the `TaskRun` artifact input an empty string (""). | `tekton`, `oci`, `gcs`, `docdb`, `grafeas` | `tekton` |
 | `artifacts.taskrun.signer` | The signature backend to sign `TaskRun` payloads with. | `x509`, `kms` | `x509` |
 
 > NOTE:, `slsa/v1` is an alias of `in-toto` for backwards compatibality.
+> NOTE:, `slsa/v2alpha1` is WIP and is likely to undergo multiple changes. 
 
 ### PipelineRun Configuration
 
@@ -67,6 +68,7 @@ Supported keys include:
 
 > NOTE: For grafeas storage backend, currently we only support Container Analysis. We will make grafeas server address configurabe within a short time.
 > NOTE: `slsa/v1` is an alias of `in-toto` for backwards compatibality.
+> NOTE:, `slsa/v2alpha1` is currently not supported for pipelinerun level provenance. 
 
 ### OCI Configuration
 

examples/taskruns/task-output-image.yaml

@@ -62,4 +62,4 @@ spec:
  type: image
  params:
  - name: url
- value: gcr.io/foo/bar
+ value: gcr.io/foo/bar

pkg/chains/formats/all/all.go

@@ -17,4 +17,5 @@ package all
 import (
  _ "github.com/tektoncd/chains/pkg/chains/formats/simple"
  _ "github.com/tektoncd/chains/pkg/chains/formats/slsa/v1"
+ _ "github.com/tektoncd/chains/pkg/chains/formats/slsa/v2"
 )

pkg/chains/formats/format.go

@@ -32,6 +32,7 @@ const (
  PayloadTypeSimpleSigning config.PayloadType = "simplesigning"
  PayloadTypeInTotoIte6 config.PayloadType = "in-toto"
  PayloadTypeSlsav1 config.PayloadType = "slsa/v1"
+ PayloadTypeSlsav2 config.PayloadType = "slsa/v2alpha1"
 )
 
 var (

pkg/chains/formats/slsa/README.md

@@ -12,3 +12,4 @@ Shown below is the mapping between Tekton chains proveance and SLSA predicate.
 |Tekton Chains Provenance Format version | SLSA predicate | Notes |
 |:------------------------------------------|---------------:|------:|
 |**slsa/v1**| **slsa v0.2** | same as currently supported `in-toto` format|
+|**slsa/v2alpha1**| **slsa v0.2** | contains complete build instructions as in [TEP0122](https:/tektoncd/community/pull/820). This is still a WIP and currently only available for taskrun level provenance. |

pkg/chains/formats/slsa/v1/taskrun/material.go → pkg/chains/formats/slsa/internal/material/material.go

@@ -1,5 +1,5 @@
 /*
-Copyright 2022 The Tekton Authors
+Copyright 2023 The Tekton Authors
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -14,16 +14,16 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
-package taskrun
+package material
 
 import (
+ "encoding/json"
  "fmt"
  "strings"
 
  slsa "github.com/in-toto/in-toto-golang/in_toto/slsa_provenance/v0.2"
  "github.com/tektoncd/chains/pkg/artifacts"
  "github.com/tektoncd/chains/pkg/chains/formats/slsa/attest"
- "github.com/tektoncd/chains/pkg/chains/formats/slsa/v1/internal/material"
  "github.com/tektoncd/chains/pkg/chains/objects"
  "github.com/tektoncd/pipeline/pkg/apis/pipeline/v1beta1"
  "github.com/tektoncd/pipeline/pkg/apis/resource/v1alpha1"
@@ -78,8 +78,8 @@ func AddImageIDToMaterials(imageID string, mats *[]slsa.ProvenanceMaterial) erro
  return nil
 }
 
-// materials constructs `predicate.materials` section by collecting all the artifacts that influence a taskrun such as source code repo and step&sidecar base images.
-func materials(tro *objects.TaskRunObject, logger *zap.SugaredLogger) ([]slsa.ProvenanceMaterial, error) {
+// Materials constructs `predicate.materials` section by collecting all the artifacts that influence a taskrun such as source code repo and step&sidecar base images.
+func Materials(tro *objects.TaskRunObject, logger *zap.SugaredLogger) ([]slsa.ProvenanceMaterial, error) {
  var mats []slsa.ProvenanceMaterial
 
  // add step images
@@ -144,7 +144,7 @@ func materials(tro *objects.TaskRunObject, logger *zap.SugaredLogger) ([]slsa.Pr
  }
 
  // remove duplicate materials
- mats, err := material.RemoveDuplicateMaterials(mats)
+ mats, err := RemoveDuplicateMaterials(mats)
  if err != nil {
  return mats, err
  }
@@ -192,3 +192,25 @@ func gitInfo(tro *objects.TaskRunObject) (commit string, url string) {
  url = attest.SPDXGit(url, "")
  return
 }
+
+// RemoveDuplicateMaterials removes duplicate materials from the slice of materials.
+// Original order of materials is retained.
+func RemoveDuplicateMaterials(mats []slsa.ProvenanceMaterial) ([]slsa.ProvenanceMaterial, error) {
+ out := make([]slsa.ProvenanceMaterial, 0, len(mats))
+
+ // make map to store seen materials
+ seen := map[string]bool{}
+ for _, mat := range mats {
+ m, err := json.Marshal(mat)
+ if err != nil {
+ return nil, err
+ }
+ if seen[string(m)] {
+ continue
+ }
+
+ seen[string(m)] = true
+ out = append(out, mat)
+ }
+ return out, nil
+}

pkg/chains/formats/slsa/v1/taskrun/material_test.go → pkg/chains/formats/slsa/internal/material/material_test.go

@@ -1,5 +1,5 @@
 /*
-Copyright 2022 The Tekton Authors
+Copyright 2023 The Tekton Authors
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -14,7 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
-package taskrun
+package material
 
 import (
  "fmt"
@@ -32,6 +32,8 @@ import (
  logtesting "knative.dev/pkg/logging/testing"
 )
 
+const digest = "sha256:05f95b26ed10668b7183c1e2da98610e91372fa9f510046d4ce5812addad86b7"
+
 func TestMaterialsWithTaskRunResults(t *testing.T) {
  // make sure this works with Git resources
  taskrun := `apiVersion: tekton.dev/v1beta1
@@ -63,7 +65,7 @@ status:
  },
  }
 
- got, err := materials(objects.NewTaskRunObject(taskRun), logtesting.TestLogger(t))
+ got, err := Materials(objects.NewTaskRunObject(taskRun), logtesting.TestLogger(t))
  if err != nil {
  t.Fatalf("Did not expect an error but got %v", err)
  }
@@ -108,7 +110,7 @@ func TestMaterials(t *testing.T) {
  Name: "img1_input" + "-" + artifacts.ArtifactsInputsResultName,
  Value: *v1beta1.NewObject(map[string]string{
  "uri": "gcr.io/foo/bar",
- "digest": digest3,
+ "digest": digest,
  }),
  },
  },
@@ -130,7 +132,7 @@ func TestMaterials(t *testing.T) {
  {
  URI: "gcr.io/foo/bar",
  Digest: slsa.DigestSet{
- "sha256": strings.TrimPrefix(digest3, "sha256:"),
+ "sha256": strings.TrimPrefix(digest, "sha256:"),
  },
  },
  {
@@ -236,7 +238,7 @@ func TestMaterials(t *testing.T) {
  }}
  for _, tc := range tests {
  t.Run(tc.name, func(t *testing.T) {
- mat, err := materials(objects.NewTaskRunObject(tc.taskRun), logtesting.TestLogger(t))
+ mat, err := Materials(objects.NewTaskRunObject(tc.taskRun), logtesting.TestLogger(t))
  if err != nil {
  t.Fatalf("Did not expect an error but got %v", err)
  }
@@ -424,3 +426,139 @@ func TestAddImageIDToMaterials(t *testing.T) {
  }
  }
 }
+
+func TestRemoveDuplicates(t *testing.T) {
+ tests := []struct {
+ name string
+ mats []slsa.ProvenanceMaterial
+ want []slsa.ProvenanceMaterial
+ }{{
+ name: "no duplicate materials",
+ mats: []slsa.ProvenanceMaterial{
+ {
+ URI: "gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/git-init",
+ Digest: slsa.DigestSet{
+ "sha256": "b963f6e7a69617db57b685893256f978436277094c21d43b153994acd8a01247",
+ },
+ }, {
+ URI: "gcr.io/cloud-marketplace-containers/google/bazel",
+ Digest: slsa.DigestSet{
+ "sha256": "010a1ecd1a8c3610f12039a25b823e3a17bd3e8ae455a53e340dcfdd37a49964",
+ },
+ }, {
+ URI: "gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/sidecar-git-init",
+ Digest: slsa.DigestSet{
+ "sha256": "a1234f6e7a69617db57b685893256f978436277094c21d43b153994acd8a09567",
+ },
+ },
+ },
+ want: []slsa.ProvenanceMaterial{
+ {
+ URI: "gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/git-init",
+ Digest: slsa.DigestSet{
+ "sha256": "b963f6e7a69617db57b685893256f978436277094c21d43b153994acd8a01247",
+ },
+ }, {
+ URI: "gcr.io/cloud-marketplace-containers/google/bazel",
+ Digest: slsa.DigestSet{
+ "sha256": "010a1ecd1a8c3610f12039a25b823e3a17bd3e8ae455a53e340dcfdd37a49964",
+ },
+ }, {
+ URI: "gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/sidecar-git-init",
+ Digest: slsa.DigestSet{
+ "sha256": "a1234f6e7a69617db57b685893256f978436277094c21d43b153994acd8a09567",
+ },
+ },
+ },
+ }, {
+ name: "same uri and digest",
+ mats: []slsa.ProvenanceMaterial{
+ {
+ URI: "gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/git-init",
+ Digest: slsa.DigestSet{
+ "sha256": "b963f6e7a69617db57b685893256f978436277094c21d43b153994acd8a01247",
+ },
+ }, {
+ URI: "gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/git-init",
+ Digest: slsa.DigestSet{
+ "sha256": "b963f6e7a69617db57b685893256f978436277094c21d43b153994acd8a01247",
+ },
+ },
+ },
+ want: []slsa.ProvenanceMaterial{
+ {
+ URI: "gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/git-init",
+ Digest: slsa.DigestSet{
+ "sha256": "b963f6e7a69617db57b685893256f978436277094c21d43b153994acd8a01247",
+ },
+ },
+ },
+ }, {
+ name: "same uri but different digest",
+ mats: []slsa.ProvenanceMaterial{
+ {
+ URI: "gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/git-init",
+ Digest: slsa.DigestSet{
+ "sha256": "b963f6e7a69617db57b685893256f978436277094c21d43b153994acd8a01247",
+ },
+ }, {
+ URI: "gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/git-init",
+ Digest: slsa.DigestSet{
+ "sha256": "b963f6e7a69617db57b685893256f978436277094c21d43b153994acd8a01248",
+ },
+ },
+ },
+ want: []slsa.ProvenanceMaterial{
+ {
+ URI: "gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/git-init",
+ Digest: slsa.DigestSet{
+ "sha256": "b963f6e7a69617db57b685893256f978436277094c21d43b153994acd8a01247",
+ },
+ }, {
+ URI: "gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/git-init",
+ Digest: slsa.DigestSet{
+ "sha256": "b963f6e7a69617db57b685893256f978436277094c21d43b153994acd8a01248",
+ },
+ },
+ },
+ }, {
+ name: "same uri but different digest, swap order",
+ mats: []slsa.ProvenanceMaterial{
+ {
+ URI: "gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/git-init",
+ Digest: slsa.DigestSet{
+ "sha256": "b963f6e7a69617db57b685893256f978436277094c21d43b153994acd8a01248",
+ },
+ }, {
+ URI: "gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/git-init",
+ Digest: slsa.DigestSet{
+ "sha256": "b963f6e7a69617db57b685893256f978436277094c21d43b153994acd8a01247",
+ },
+ },
+ },
+ want: []slsa.ProvenanceMaterial{
+ {
+ URI: "gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/git-init",
+ Digest: slsa.DigestSet{
+ "sha256": "b963f6e7a69617db57b685893256f978436277094c21d43b153994acd8a01248",
+ },
+ }, {
+ URI: "gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/git-init",
+ Digest: slsa.DigestSet{
+ "sha256": "b963f6e7a69617db57b685893256f978436277094c21d43b153994acd8a01247",
+ },
+ },
+ },
+ }}
+ for _, tc := range tests {
+ t.Run(tc.name, func(t *testing.T) {
+ mat, err := RemoveDuplicateMaterials(tc.mats)
+ if err != nil {
+ t.Fatalf("Did not expect an error but got %v", err)
+ }
+ if diff := cmp.Diff(tc.want, mat); diff != "" {
+ t.Errorf("materials(): -want +got: %s", diff)
+ }
+ })
+ }
+}