Parse SLSA v1 provenances to the internal representation #227
Conversation
rbehjati
force-pushed
the
slsav1
branch
2 times, most recently
from
c41f6d4
to
e71086b
Compare
…ce representation
pkg/amber/endorsement.go
Outdated
| // ProvenanceData contains metadata about a provenance statement, identified by a URI and the | ||
| // SHA256 digest of the content of the provenance. | ||
| // ProvenanceData contains metadata about a provenance statement. The statement may be wrapped in a | ||
| // DSSE envelope, or a Sigstore Bundle. The metadata identifies the provenance via a URI and a |
There was a problem hiding this comment.
Understanding question: Does "the metadata identifie" means "The metadata consists of" or "contains"?
There was a problem hiding this comment.
Hmmm... Don't "consists of" and "contains" mean the same thing?
There was a problem hiding this comment.
Yes, I think "consist of" and "contains" mean the same roughly.
I wasn't sure how the metadata relate to the the URI and SHA256 digest.
What do you mean by "metadata identifies the provenance via a URI and SHA256 digest"? Are URI and SHA256 the metadata?
But this is nit :) We can follow up offline!
There was a problem hiding this comment.
Updated the text and removed "metadata".
There was a problem hiding this comment.
Nice, thanks, I get it now :)
|
|
||
| // ParseContainerBasedSLSAv1Provenance parses the given object as a | ||
| // ProvenancePredicate, with its BuildDefinition.ExternalParameters parsed into | ||
| // an instance of DockerBasedExternalParameters. Returns an error if any of the |
There was a problem hiding this comment.
Nit: You could drop "Returns an error if any of the conversions is unsuccessful". Or is there anything you want to emphasize which I am missing?
There was a problem hiding this comment.
We generally document the error case like this.
| package v1 | ||
|
|
||
| // For more details about the SLSA v1 provenance format see | ||
| // https://github.com/slsa-framework/slsa/blob/8df69c20b6f5a08fc71e8591ee2035a780557182/docs/provenance/schema/v1/provenance.proto |
| DockerBasedBuildType = "https://slsa.dev/container-based-build/v0.1?draft" | ||
| ) | ||
|
|
||
| // ProvenancePredicate is the provenance predicate definition. |
There was a problem hiding this comment.
nit: description does not give a lot of info beyond the name.
There was a problem hiding this comment.
Updated the comment, with a link to SLSA v1 provenance spec.
pkg/amber/endorsement.go
Outdated
| // ProvenanceData contains metadata about a provenance statement, identified by a URI and the | ||
| // SHA256 digest of the content of the provenance. | ||
| // ProvenanceData contains metadata about a provenance statement. The statement may be wrapped in a | ||
| // DSSE envelope, or a Sigstore Bundle. The metadata identifies the provenance via a URI and a |
There was a problem hiding this comment.
Hmmm... Don't "consists of" and "contains" mean the same thing?
| DockerBasedBuildType = "https://slsa.dev/container-based-build/v0.1?draft" | ||
| ) | ||
|
|
||
| // ProvenancePredicate is the provenance predicate definition. |
There was a problem hiding this comment.
Updated the comment, with a link to SLSA v1 provenance spec.
|
|
||
| // ParseContainerBasedSLSAv1Provenance parses the given object as a | ||
| // ProvenancePredicate, with its BuildDefinition.ExternalParameters parsed into | ||
| // an instance of DockerBasedExternalParameters. Returns an error if any of the |
There was a problem hiding this comment.
We generally document the error case like this.
Ref #145
Adds structs for SLSA v1 provenance format, and functionality for parsing a SLSA v1 to
ProvenanceIR.