Merge pull request #1498 from jedevc/attestation-printing

Improved attestation inspect
2025-05-21 11:17:44 +08:00 · 2023-01-09 11:22:20 -08:00 · 2023-01-09 11:22:20 -08:00 · 8340c40647
commit 8340c40647
parent 6852713121 9818055b0e
3 changed files with 164 additions and 194 deletions
--- a/docs/reference/buildx_imagetools_inspect.md
+++ b/docs/reference/buildx_imagetools_inspect.md
@ -287,22 +287,11 @@ $ docker buildx imagetools inspect moby/buildkit:master --format "{{json .Manife
 Following command provides [SLSA](https://github.com/moby/buildkit/blob/master/docs/attestations/slsa-provenance.md) JSON output:

 ```console
-$ docker buildx imagetools inspect crazymax/buildkit:attest --format "{{json .SLSA}}"
+$ docker buildx imagetools inspect crazymax/buildkit:attest --format "{{json .Provenance}}"
 ```
 ```json
 {
-  "Provenance": {
-    "_type": "https://in-toto.io/Statement/v0.1",
-    "predicateType": "https://slsa.dev/provenance/v0.2",
-    "subject": [
-      {
-        "name": "pkg:docker/crazymax/buildkit@attest?platform=linux%2Famd64",
-        "digest": {
-          "sha256": "fbd10fe50b4b174bb9ea273e2eb9827fa8bf5c88edd8635a93dc83e0d1aecb55"
-        }
-      }
-    ],
-    "predicate": {
+  "SLSA": {
    "builder": {
      "id": ""
    },
@ -351,7 +340,6 @@ $ docker buildx imagetools inspect crazymax/buildkit:attest --format "{{json .SL
      "https://mobyproject.org/buildkit@v1#metadata": {}
    }
  }
-  }
 }
 ```

@ -363,17 +351,6 @@ $ docker buildx imagetools inspect crazymax/buildkit:attest --format "{{json .SB
 ```json
 {
  "SPDX": {
-    "_type": "https://in-toto.io/Statement/v0.1",
-    "predicateType": "https://spdx.dev/Document",
-    "subject": [
-      {
-        "name": "pkg:docker/crazymax/buildkit@attest?platform=linux%2Famd64",
-        "digest": {
-          "sha256": "fbd10fe50b4b174bb9ea273e2eb9827fa8bf5c88edd8635a93dc83e0d1aecb55"
-        }
-      }
-    ],
-    "predicate": {
    "SPDXID": "SPDXRef-DOCUMENT",
    "creationInfo": {
      "created": "2022-12-01T11:46:48.063400162Z",
@ -389,7 +366,6 @@ $ docker buildx imagetools inspect crazymax/buildkit:attest --format "{{json .SB
    "files": [...],
    "spdxVersion": "SPDX-2.2"
  }
-  }
 }
 ```

@ -465,19 +441,8 @@ $ docker buildx imagetools inspect crazymax/buildkit:attest --format "{{json .}}
      }
    ]
  },
-  "SLSA": {
  "Provenance": {
-      "_type": "https://in-toto.io/Statement/v0.1",
-      "predicateType": "https://slsa.dev/provenance/v0.2",
-      "subject": [
-        {
-          "name": "pkg:docker/crazymax/buildkit@attest?platform=linux%2Famd64",
-          "digest": {
-            "sha256": "fbd10fe50b4b174bb9ea273e2eb9827fa8bf5c88edd8635a93dc83e0d1aecb55"
-          }
-        }
-      ],
-      "predicate": {
+    "SLSA": {
      "builder": {
        "id": ""
      },
@ -526,21 +491,9 @@ $ docker buildx imagetools inspect crazymax/buildkit:attest --format "{{json .}}
        "https://mobyproject.org/buildkit@v1#metadata": {}
      }
    }
-    }
  },
  "SBOM": {
    "SPDX": {
-      "_type": "https://in-toto.io/Statement/v0.1",
-      "predicateType": "https://spdx.dev/Document",
-      "subject": [
-        {
-          "name": "pkg:docker/crazymax/buildkit@attest?platform=linux%2Famd64",
-          "digest": {
-            "sha256": "fbd10fe50b4b174bb9ea273e2eb9827fa8bf5c88edd8635a93dc83e0d1aecb55"
-          }
-        }
-      ],
-      "predicate": {
      "SPDXID": "SPDXRef-DOCUMENT",
      "creationInfo": {
        "created": "2022-12-01T11:46:48.063400162Z",
@ -557,7 +510,6 @@ $ docker buildx imagetools inspect crazymax/buildkit:attest --format "{{json .}}
      "spdxVersion": "SPDX-2.2"
    }
  }
-  }
 }
 ```

--- a/util/imagetools/loader.go
+++ b/util/imagetools/loader.go
@ -48,7 +48,7 @@ type index struct {
 type asset struct {
 	config     *ocispec.Image
 	sbom       *sbomStub
-	slsa   *slsaStub
+	provenance *provenanceStub
 }

 type result struct {
@ -255,7 +255,8 @@ func (l *loader) scanConfig(ctx context.Context, fetcher remotes.Fetcher, desc o
 }

 type sbomStub struct {
-	SPDX json.RawMessage `json:",omitempty"`
+	SPDX            interface{}   `json:",omitempty"`
+	AdditionalSPDXs []interface{} `json:",omitempty"`
 }

 func (l *loader) scanSBOM(ctx context.Context, fetcher remotes.Fetcher, r *result, refs []digest.Digest, as *asset) error {
@ -275,8 +276,18 @@ func (l *loader) scanSBOM(ctx context.Context, fetcher remotes.Fetcher, r *resul
 				if err != nil {
 					return err
 				}
-				as.sbom = &sbomStub{
-					SPDX: dt,
+				var spdx struct {
+					Predicate interface{} `json:"predicate"`
+				}
+				if err := json.Unmarshal(dt, &spdx); err != nil {
+					return err
+				}
+
+				if as.sbom == nil {
+					as.sbom = &sbomStub{}
+					as.sbom.SPDX = spdx.Predicate
+				} else {
+					as.sbom.AdditionalSPDXs = append(as.sbom.AdditionalSPDXs, spdx.Predicate)
 				}
 			}
 		}
@ -284,8 +295,8 @@ func (l *loader) scanSBOM(ctx context.Context, fetcher remotes.Fetcher, r *resul
 	return nil
 }

-type slsaStub struct {
-	Provenance json.RawMessage `json:",omitempty"`
+type provenanceStub struct {
+	SLSA interface{} `json:",omitempty"`
 }

 func (l *loader) scanProvenance(ctx context.Context, fetcher remotes.Fetcher, r *result, refs []digest.Digest, as *asset) error {
@ -305,9 +316,16 @@ func (l *loader) scanProvenance(ctx context.Context, fetcher remotes.Fetcher, r
 				if err != nil {
 					return err
 				}
-				as.slsa = &slsaStub{
-					Provenance: dt,
+				var slsa struct {
+					Predicate interface{} `json:"predicate"`
 				}
+				if err := json.Unmarshal(dt, &slsa); err != nil {
+					return err
+				}
+				as.provenance = &provenanceStub{
+					SLSA: slsa.Predicate,
+				}
+				break
 			}
 		}
 	}
@ -328,16 +346,16 @@ func (r *result) Configs() map[string]*ocispec.Image {
 	return res
 }

-func (r *result) SLSA() map[string]slsaStub {
+func (r *result) Provenance() map[string]provenanceStub {
 	if len(r.assets) == 0 {
 		return nil
 	}
-	res := make(map[string]slsaStub)
+	res := make(map[string]provenanceStub)
 	for p, a := range r.assets {
-		if a.slsa == nil {
+		if a.provenance == nil {
 			continue
 		}
-		res[p] = *a.slsa
+		res[p] = *a.provenance
 	}
 	return res
 }
--- a/util/imagetools/printers.go
+++ b/util/imagetools/printers.go
@ -99,7 +99,7 @@ func (p *Printer) Print(raw bool, out io.Writer) error {
 	}

 	imageconfigs := res.Configs()
-	slsas := res.SLSA()
+	provenances := res.Provenance()
 	sboms := res.SBOM()
 	format := tpl.Root.String()

@ -146,13 +146,13 @@ func (p *Printer) Print(raw bool, out io.Writer) error {
 				Name       string                     `json:"name,omitempty"`
 				Manifest   interface{}                `json:"manifest,omitempty"`
 				Image      map[string]*ocispecs.Image `json:"image,omitempty"`
-				SLSA     map[string]slsaStub        `json:"SLSA,omitempty"`
+				Provenance map[string]provenanceStub  `json:"Provenance,omitempty"`
 				SBOM       map[string]sbomStub        `json:"SBOM,omitempty"`
 			}{
 				Name:       p.name,
 				Manifest:   mfst,
 				Image:      imageconfigs,
-				SLSA:     slsas,
+				Provenance: provenances,
 				SBOM:       sboms,
 			})
 		}
@ -160,9 +160,9 @@ func (p *Printer) Print(raw bool, out io.Writer) error {
 		for _, v := range imageconfigs {
 			ic = v
 		}
-		var slsa slsaStub
-		for _, v := range slsas {
-			slsa = v
+		var provenance provenanceStub
+		for _, v := range provenances {
+			provenance = v
 		}
 		var sbom sbomStub
 		for _, v := range sboms {
@ -172,13 +172,13 @@ func (p *Printer) Print(raw bool, out io.Writer) error {
 			Name       string          `json:"name,omitempty"`
 			Manifest   interface{}     `json:"manifest,omitempty"`
 			Image      *ocispecs.Image `json:"image,omitempty"`
-			SLSA     slsaStub        `json:"SLSA,omitempty"`
+			Provenance provenanceStub  `json:"Provenance,omitempty"`
 			SBOM       sbomStub        `json:"SBOM,omitempty"`
 		}{
 			Name:       p.name,
 			Manifest:   mfst,
 			Image:      ic,
-			SLSA:     slsa,
+			Provenance: provenance,
 			SBOM:       sbom,
 		})
 	}