[feature] Add source:URI under externalParameters #2186
Comments
I think it should be a resource descriptor - we get the URI and the hash explicitly, and can also add new fields. I think they should rephrase the migration as
That migration note was made before they switched to ResourceDescriptors. |
I agree with @asraa that source should be a resourceDescriptor. The provenance spec recommends string values in externalParameters, but they aren't required.
Since there's a benefit to using a resourceDescriptor, go for it. Just make sure to keep the fields in sync between the generator and the verifier. |
Can we update the SLSA specs? The source is part of the specs but is under-defined, ie our decision here is not specific to GitHub. I'm on board with making it a resourceDescriptor. |
and maybe also add the digest:

```
"source": {
  "uri": old.invocation.configSource.uri,
  "digest": old.invocation.configSource.digest,
}
``` |
I support that change. I've opened an issue on the SLSA spec repo to get input. |
Just to be clear, this is a totally separate Resource Descriptor that's separate from the entry in |
I understood it to be duplicated, since it is (1) a user input and (2) a resolved dependency pulled into the environment by the builder. But yeah, actually just the source URI might be a user input, while the resolved dependency may contain the extra info like the digest that's resolved when the builder pulls it. So dupes don't really feel right either. |
Ok, so if the source URI only contains the repo as a user input, we might need to look for the digest in the So something like:

```javascript
// let p = <predicate>
let sourceURI = p.externalParameters?.source?.uri;
let sourceDigest = p.externalParameters?.source?.digest;
// Only fall back to resolvedDependencies when the user gave a URI but no digest.
if (sourceURI && !sourceDigest && p.resolvedDependencies) {
  for (const dep of p.resolvedDependencies) {
    if (dep.uri === sourceURI) { // Maybe ignore ref if not present in externalParameters?
      sourceDigest = dep.digest;
    }
  }
}
// verify sourceURI and sourceDigest
``` |
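As an added example (not code from slsa-github-generator or slsa-verifier), here is a verifier-side resolution of the source digest that accepts both the string form named in the migration note and the ResourceDescriptor form discussed in this thread, falls back to resolvedDependencies as in the snippet above, and treats the `@ref` suffix as optional only when the parameter itself carries none. It assumes the SLSA v1 layout with externalParameters and resolvedDependencies under buildDefinition; the sample predicate is constructed.

```javascript
// Added example, not code from slsa-github-generator or slsa-verifier. Assumes the
// SLSA v1 layout: predicate.buildDefinition.{externalParameters,resolvedDependencies}.

// Drop an "@ref" suffix so "git+https://host/org/repo@refs/heads/main" matches
// "git+https://host/org/repo" when the external parameter carries no ref.
function repoOf(uri) {
  const at = uri.indexOf("@");
  return at === -1 ? uri : uri.slice(0, at);
}

function hasDigest(d) {
  return d !== null && typeof d === "object" && Object.keys(d).length > 0;
}

function resolveSource(predicate) {
  const bd = predicate.buildDefinition ?? {};
  const src = bd.externalParameters?.source;
  let uri, digest;
  if (typeof src === "string") {
    uri = src; // string form from the v0.2 migration note: URI only
  } else if (src && typeof src.uri === "string") {
    uri = src.uri; // ResourceDescriptor form
    digest = src.digest;
  } else {
    throw new Error("externalParameters.source missing or malformed");
  }
  if (!hasDigest(digest)) {
    // No digest from the user: take it from the resolved dependency with the
    // same URI, ignoring the ref only when the parameter itself has none.
    const exact = uri.includes("@");
    const matches = (bd.resolvedDependencies ?? []).filter(
      (dep) => typeof dep.uri === "string" && hasDigest(dep.digest) &&
        (exact ? dep.uri === uri : repoOf(dep.uri) === uri));
    // Two dependencies with the same URI but different digests is ambiguous;
    // refuse rather than guess which checkout was built.
    const distinct = new Set(matches.map((d) => JSON.stringify(d.digest)));
    if (distinct.size > 1) throw new Error(`conflicting digests for ${uri}`);
    if (distinct.size === 1) digest = matches[0].digest;
  }
  if (!hasDigest(digest)) throw new Error(`no digest resolvable for ${uri}`);
  return { uri, digest };
}

// Constructed sample (not from a real build): URI-only source, digest comes
// from the resolved dependency whose ref-stripped URI matches.
const SAMPLE = { buildDefinition: {
  externalParameters: { source: "git+https://github.com/example/repo" },
  resolvedDependencies: [{ uri: "git+https://github.com/example/repo@refs/heads/main",
    digest: { gitCommit: "0000000000000000000000000000000000000000" } }] } };
```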
well, the user does not provide the |
This is related to #2077. |
We need to add `source` for our BYOB builders. In https://slsa.dev/provenance/v1 "Migrating from 0.2":

which seems to indicate that source is a URI of type string.

In slsa-framework/slsa-verifier#621, the "source" field is currently treated as a `resourceDescriptor`.

@asraa @ianlewis wdut?