fix: revert to using resolvedDepdendencies for source verification (#629

) Signed-off-by: Asra Ali <asraa@google.com>
slsa-framework · Jun 1, 2023 · 8fe8ee9 · 8fe8ee9
1 parent 70d23d4
commit 8fe8ee9
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 20 deletions.
diff --git a/verifiers/internal/gha/provenance_test.go b/verifiers/internal/gha/provenance_test.go
@@ -362,8 +362,8 @@ func Test_verifySourceURI(t *testing.T) {
 						// 		"path":       "some/path",
 						// 	},
 						// },
-						ExternalParameters: map[string]interface{}{
-							"source": slsa1.ResourceDescriptor{
+						ResolvedDependencies: []slsa1.ResourceDescriptor{
+							{
 								URI: tt.provMaterialsURI,
 							},
 						},
@@ -372,7 +372,7 @@ func Test_verifySourceURI(t *testing.T) {
 			}
 
 			if tt.provMaterialsURI == "" {
-				prov1.Predicate.BuildDefinition.ExternalParameters = nil
+				prov1.Predicate.BuildDefinition.ResolvedDependencies = nil
 			}
 			err = verifySourceURI(prov1, tt.expectedSourceURI, tt.allowNoMaterialRef)
 			if !errCmp(err, tt.err) {

diff --git a/verifiers/internal/gha/slsaprovenance/v1.0/provenance.go b/verifiers/internal/gha/slsaprovenance/v1.0/provenance.go
@@ -1,7 +1,6 @@
 package v1
 
 import (
-	"encoding/json"
 	"fmt"
 	"strings"
 	"time"
@@ -39,24 +38,16 @@ func (prov *ProvenanceV1) BuilderID() (string, error) {
 }
 
 func (prov *ProvenanceV1) SourceURI() (string, error) {
-	// Use externalParameters.
-	extParams, ok := prov.Predicate.BuildDefinition.ExternalParameters.(map[string]interface{})
-	if !ok {
-		return "", fmt.Errorf("%w: %s", serrors.ErrorInvalidDssePayload, "external parameters type")
-	}
-	source, ok := extParams["source"]
-	if !ok {
-		return "", fmt.Errorf("%w: %s", serrors.ErrorInvalidDssePayload, "external parameters source not found")
-	}
-	sourceBytes, err := json.Marshal(source)
-	if err != nil {
-		return "", fmt.Errorf("%w: %s", err, "marshalling external parameters source")
+	// Use resolvedDependencies.
+	if len(prov.Predicate.BuildDefinition.ResolvedDependencies) == 0 {
+		return "", fmt.Errorf("%w: empty resovedDependencies", serrors.ErrorInvalidDssePayload)
 	}
-	var sourceResource slsa1.ResourceDescriptor
-	if err := json.Unmarshal(sourceBytes, &sourceResource); err != nil {
-		return "", fmt.Errorf("%w: %s", serrors.ErrorInvalidDssePayload, "external parameters source type")
+	// For now, we use the first resolvedDependency relying on a GHA builder-verifier contract.
+	uri := prov.Predicate.BuildDefinition.ResolvedDependencies[0].URI
+	if uri == "" {
+		return "", fmt.Errorf("%w: empty uri", serrors.ErrorMalformedURI)
 	}
-	return sourceResource.URI, nil
+	return uri, nil
 }
 
 // TODO(#613): Support for generators.