Parse SLSA v1 provenances to the internal representation #227
Conversation
c41f6d4 to e71086b
…ce representation
LGTM! Nice!
pkg/amber/endorsement.go
// ProvenanceData contains metadata about a provenance statement, identified by a URI and the | ||
// SHA256 digest of the content of the provenance. | ||
// ProvenanceData contains metadata about a provenance statement. The statement may be wrapped in a | ||
// DSSE envelope, or a Sigstore Bundle. The metadata identifies the provenance via a URI and a |
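Review bot: the new comment (lines 19-20) says the statement "may be wrapped in a DSSE envelope, or a Sigstore Bundle", but the earlier wording "SHA256 digest of the content of the provenance" no longer says which bytes the digest covers: the file fetched from the URI (the envelope or bundle) or the inner in-toto statement. The two differ, and a verifier that hashes the fetched file will reject a ProvenanceData whose digest was computed over the unwrapped payload, or vice versa. Say explicitly which one is meant, for example "the SHA256 digest of the bytes at the URI, i.e. of the envelope or bundle when the statement is wrapped".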
Understanding question: Does "the metadata identifies" mean "The metadata consists of" or "contains"?
Hmmm... Don't "consists of" and "contains" mean the same thing?
Yes, I think "consist of" and "contains" mean the same roughly.
I wasn't sure how the metadata relates to the URI and SHA256 digest.
What do you mean by "metadata identifies the provenance via a URI and SHA256 digest"? Are URI and SHA256 the metadata?
But this is nit :) We can follow up offline!
Updated the text and removed "metadata".
Nice, thanks, I get it now :)
// ParseContainerBasedSLSAv1Provenance parses the given object as a | ||
// ProvenancePredicate, with its BuildDefinition.ExternalParameters parsed into | ||
// an instance of DockerBasedExternalParameters. Returns an error if any of the |
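Review bot: the doc comment says ParseContainerBasedSLSAv1Provenance parses BuildDefinition.ExternalParameters into DockerBasedExternalParameters, but it does not say that BuildDefinition.BuildType is compared against DockerBasedBuildType first. In SLSA v1 the buildType is what defines the schema of externalParameters, so decoding them without that check lets a provenance of some other build type be read as a container-based one. If the function already checks it, document it ("returns an error if buildType is not DockerBasedBuildType"); if not, add the comparison before the conversion. Separately, the name mixes "ContainerBased" (function) and "DockerBased" (type and constant) for the same concept; pick one.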
Nit: You could drop "Returns an error if any of the conversions is unsuccessful". Or is there anything you want to emphasize which I am missing?
We generally document the error case like this.
package v1 | ||
// For more details about the SLSA v1 provenance format see | ||
// https://github.com/slsa-framework/slsa/blob/8df69c20b6f5a08fc71e8591ee2035a780557182/docs/provenance/schema/v1/provenance.proto |
Nice :)
DockerBasedBuildType = "https://slsa.dev/container-based-build/v0.1?draft" | ||
) | ||
// ProvenancePredicate is the provenance predicate definition. |
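Review bot: DockerBasedBuildType ends in "?draft", so any provenance produced once the container-based build type is finalised (without the suffix, or with a new version number) will fail an exact comparison against this constant. That is the safe default for a verifier, but say so in a comment on the constant so the failure is understood when it happens, and keep the comparison exact rather than prefix-based: a prefix match on "https://slsa.dev/container-based-build/" would also accept later, incompatible versions of the externalParameters schema.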
nit: description does not give a lot of info beyond the name.
Updated the comment, with a link to SLSA v1 provenance spec.
Thanks for the review :)
Ref #145
Adds structs for SLSA v1 provenance format, and functionality for parsing a SLSA v1 provenance to ProvenanceIR.
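The parsing this PR describes, as an added example that is not the project's code: decode an in-toto v1 statement, check `_type` and `predicateType`, validate the subject digest, compare `buildDefinition.buildType` against `DockerBasedBuildType` before decoding `externalParameters`, and map the result onto an internal representation. The `ProvenanceIR` fields, the shape of `DockerBasedExternalParameters` (a `source` and a `builderImage` descriptor), the function name `ParseContainerBasedProvenance` and the sample statement are assumptions constructed for this example; the project's own types are not shown on the page. DSSE unwrapping and signature verification are out of scope here.

```go
package main

import (
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// Identifiers from the in-toto attestation and SLSA v1 specs; DockerBasedBuildType is the PR's
// constant, "?draft" suffix included, and is compared exactly.
const (
	StatementType        = "https://in-toto.io/Statement/v1"
	SLSAv1PredicateType  = "https://slsa.dev/provenance/v1"
	DockerBasedBuildType = "https://slsa.dev/container-based-build/v0.1?draft"
)

type ResourceDescriptor struct {
	URI    string            `json:"uri,omitempty"`
	Digest map[string]string `json:"digest,omitempty"`
}

// Statement is an in-toto v1 statement; the predicate stays raw until predicateType is known.
type Statement struct {
	Type          string               `json:"_type"`
	Subject       []ResourceDescriptor `json:"subject"`
	PredicateType string               `json:"predicateType"`
	Predicate     json.RawMessage      `json:"predicate"`
}

// ProvenancePredicate keeps only the SLSA v1 fields this example uses. externalParameters stays
// raw until buildType has been checked, because buildType defines its schema.
type ProvenancePredicate struct {
	BuildDefinition struct {
		BuildType          string          `json:"buildType"`
		ExternalParameters json.RawMessage `json:"externalParameters"`
	} `json:"buildDefinition"`
	RunDetails struct {
		Builder struct{ ID string `json:"id"` } `json:"builder"`
	} `json:"runDetails"`
}

// DockerBasedExternalParameters is an ASSUMED shape (source and builder image descriptors).
type DockerBasedExternalParameters struct {
	Source       ResourceDescriptor `json:"source"`
	BuilderImage ResourceDescriptor `json:"builderImage"`
}

// ProvenanceIR is a HYPOTHETICAL internal representation; the project's fields are not on the page.
type ProvenanceIR struct{ BinarySHA256, BuilderID, BuildType, SourceURI string }

// ParseContainerBasedProvenance validates a statement and maps it onto ProvenanceIR.
func ParseContainerBasedProvenance(statementJSON []byte) (*ProvenanceIR, error) {
	var st Statement
	if err := json.Unmarshal(statementJSON, &st); err != nil {
		return nil, fmt.Errorf("decoding statement: %w", err)
	}
	if st.Type != StatementType || st.PredicateType != SLSAv1PredicateType {
		return nil, fmt.Errorf("not a SLSA v1 statement: %q / %q", st.Type, st.PredicateType)
	}
	if len(st.Subject) != 1 {
		return nil, fmt.Errorf("expected exactly one subject, got %d", len(st.Subject))
	}
	digest := st.Subject[0].Digest["sha256"]
	if raw, err := hex.DecodeString(digest); err != nil || len(raw) != 32 {
		return nil, fmt.Errorf("subject sha256 %q is not 32 hex-encoded bytes", digest)
	}
	var pred ProvenancePredicate
	if err := json.Unmarshal(st.Predicate, &pred); err != nil {
		return nil, fmt.Errorf("decoding predicate: %w", err)
	}
	// Gate on buildType before interpreting externalParameters as the container-based schema.
	if pred.BuildDefinition.BuildType != DockerBasedBuildType {
		return nil, fmt.Errorf("unexpected buildType %q", pred.BuildDefinition.BuildType)
	}
	var ext DockerBasedExternalParameters
	if err := json.Unmarshal(pred.BuildDefinition.ExternalParameters, &ext); err != nil {
		return nil, fmt.Errorf("decoding externalParameters: %w", err)
	}
	if pred.RunDetails.Builder.ID == "" || ext.Source.URI == "" {
		return nil, fmt.Errorf("builder id and source uri must both be set")
	}
	return &ProvenanceIR{BinarySHA256: digest, BuilderID: pred.RunDetails.Builder.ID,
		BuildType: DockerBasedBuildType, SourceURI: ext.Source.URI}, nil
}

// Constructed sample input, not a real provenance.
const SampleDigest = "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
const SampleStatement = `{"_type":"` + StatementType + `","predicateType":"` + SLSAv1PredicateType + `",
"subject":[{"name":"example-binary","digest":{"sha256":"` + SampleDigest + `"}}],
"predicate":{"buildDefinition":{"buildType":"` + DockerBasedBuildType + `","externalParameters":{
"source":{"uri":"git+https://example.com/org/repo@refs/heads/main"},
"builderImage":{"uri":"docker.io/example/builder","digest":{"sha256":"` + SampleDigest + `"}}}},
"runDetails":{"builder":{"id":"https://example.com/builders/container-based@v1"}}}}`

func main() {
	ir, err := ParseContainerBasedProvenance([]byte(SampleStatement))
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", *ir)
}
```

The order of checks is the point: `predicateType` decides how `predicate` is read, and `buildType` decides how `externalParameters` is read, so each is compared before the corresponding raw JSON is decoded. A statement carrying any other build type, including a later non-draft version of the same URL, is rejected rather than coerced into the container-based schema.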