/cc @mihaimaruseac /cc @laurentsimon Based on the prefix of the BuilderID within the provenance, if the builder used to build the artifact is one of the BYOB builders of the slsa-framework/slsa-github-generator repo, the --builderid flag is not needed and is handled automatically. This was done to increase accessibility for users, since previously the automatic pickup of the builder ID would yield the delegator. Test cases that cover verifyProvenance will need to be completed after the v1.8.0 release of slsa-framework/slsa-github-generator. The main structural change is that ExpectedBuilderPath is now hardcoded to the slsa-framework builders within `/cli/slsa-verifier/verify/verify_artifact.go`. This can later be changed, if needed, to be an input like the other fields of `provenanceOpts` populated during `verify_artifact.go`. The added function within `provenance.go`, `verifyBuilderIDPath`, is called during `verifyProvenance` to check this path within `provenanceOpts`. If this function fails, the expected and received BuilderIDs are also output. closes #659 makes use of discussion on closed pr #673 --------- Signed-off-by: Noah Elzner <elzner@google.com> Signed-off-by: Noah Elzner <78953604+enteraga6@users.noreply.github.com> Co-authored-by: Ian Lewis <ianlewis@google.com> Co-authored-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com>
package options
// ProvenanceOpts are the options for checking provenance information.
//
// Each field is an expectation the caller wants verified against the
// provenance. Several fields are pointers while others are plain strings;
// NOTE(review): a nil pointer presumably means "do not check this field",
// but that decision is made by the verifier, not by this struct — confirm
// against the caller in verify_artifact.go.
type ProvenanceOpts struct {
	// ExpectedBranch is the expected branch (github_ref or github_base_ref) in
	// the invocation parameters.
	ExpectedBranch *string

	// ExpectedTag is the expected tag, github_ref, in the invocation parameters.
	ExpectedTag *string

	// ExpectedVersionedTag is the expected versioned tag.
	ExpectedVersionedTag *string

	// ExpectedDigest is the expected artifact sha included in the provenance.
	// This is the value binding the provenance to the artifact being verified.
	ExpectedDigest string

	// ExpectedSourceURI is the expected source URI in the provenance.
	ExpectedSourceURI string

	// ExpectedBuilderID is the expected builder ID that is passed from the
	// user and verified. Unlike the ref fields above it is a plain string,
	// so an unset value is the empty string rather than nil; NOTE(review):
	// whether an empty value disables the builder check is decided by the
	// verifier — confirm before relying on it.
	ExpectedBuilderID string

	// ExpectedWorkflowInputs is a map of key=value inputs.
	ExpectedWorkflowInputs map[string]string

	// ExpectedPackageName is the expected package name.
	// NOTE(review): presumably nil means the package name is not checked,
	// as for the other pointer fields — confirm against the verifier.
	ExpectedPackageName *string

	// ExpectedPackageVersion is the expected package version.
	// NOTE(review): presumably nil means the package version is not checked,
	// as for the other pointer fields — confirm against the verifier.
	ExpectedPackageVersion *string
}
// BuilderOpts are the options for checking the builder.
type BuilderOpts struct {
	// ExpectedID is the builder ID passed in from the user to be verified.
	// NOTE(review): nil presumably means the user did not supply --builderid
	// and the verifier must determine the builder from the provenance itself —
	// confirm against the CLI wiring.
	ExpectedID *string
}