
Introduce Resolved dependencies for SLSA v1.0 predicate#798

Merged
tekton-robot merged 1 commit into tektoncd:main from chitrangpatel:resolved-dependencies
May 19, 2023

Conversation

@chitrangpatel
Contributor

@chitrangpatel chitrangpatel commented May 5, 2023

Changes

This PR introduces resolved dependencies for the SLSAv1.0 predicate.
It addresses part of issue #797
Related design.

Submitter Checklist

As the author of this PR, please check off the items in this checklist:

  • Has Docs included if any changes are user facing
  • Has Tests included if any functionality added or changed
  • Follows the commit message standard
  • Meets the Tekton contributor standards (including
    functionality, content, code)
  • Release notes block below has been updated with any user facing changes (API changes, bug fixes, changes requiring upgrade notices or deprecation warnings)
  • Release notes contains the string "action required" if the change requires additional action from users switching to the new release

Release Notes

Introduce resolved dependencies for SLSA v1.0 predicate.

/kind feature

@tekton-robot tekton-robot added the kind/feature Categorizes issue or PR as related to a new feature. label May 5, 2023
@tekton-robot tekton-robot requested review from chuangw6 and wlynch May 5, 2023 20:27
@tekton-robot tekton-robot added the size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. label May 5, 2023
@chitrangpatel chitrangpatel marked this pull request as draft May 5, 2023 20:27
@tekton-robot tekton-robot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label May 5, 2023
@chitrangpatel chitrangpatel force-pushed the resolved-dependencies branch from b7b1b89 to 8a9594a Compare May 5, 2023 20:28
@tekton-robot

The following is the coverage report on the affected files.
Say /test pull-tekton-chains-go-coverage to re-run this coverage report

File Old Coverage New Coverage Delta
pkg/artifacts/signable.go 74.1% 69.1% -5.0
pkg/chains/formats/slsa/internal/material/material.go 84.1% 84.8% 0.7
pkg/chains/formats/slsa/v2alpha2/internal/resolved_dependencies/resolved_dependencies.go Do not exist 77.1%

@chitrangpatel chitrangpatel force-pushed the resolved-dependencies branch 6 times, most recently from 4ed12fc to 99261ab Compare May 8, 2023 17:59
@chitrangpatel chitrangpatel marked this pull request as ready for review May 8, 2023 17:59
@tekton-robot tekton-robot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label May 8, 2023
@tekton-robot tekton-robot requested a review from lcarva May 8, 2023 18:00
@tekton-robot

The following is the coverage report on the affected files.
Say /test pull-tekton-chains-go-coverage to re-run this coverage report

File Old Coverage New Coverage Delta
pkg/artifacts/signable.go 74.1% 69.1% -5.0
pkg/chains/formats/slsa/internal/material/material.go 84.1% 84.8% 0.7
pkg/chains/formats/slsa/v2alpha2/internal/resolved_dependencies/resolved_dependencies.go Do not exist 81.1%

@chitrangpatel chitrangpatel force-pushed the resolved-dependencies branch from 99261ab to 5b4ba18 Compare May 8, 2023 18:12
@tekton-robot

The following is the coverage report on the affected files.
Say /test pull-tekton-chains-go-coverage to re-run this coverage report

File Old Coverage New Coverage Delta
pkg/artifacts/signable.go 74.1% 74.7% 0.6
pkg/chains/formats/slsa/internal/material/material.go 84.1% 84.8% 0.7
pkg/chains/formats/slsa/v2alpha2/internal/resolved_dependencies/resolved_dependencies.go Do not exist 81.1%

Member

@chuangw6 chuangw6 left a comment


Thank you @chitrangpatel for kicking off the implementation of SLSA v1.0 support!!!

@chitrangpatel chitrangpatel force-pushed the resolved-dependencies branch from 5b4ba18 to e238bd2 Compare May 9, 2023 14:31
@tekton-robot

The following is the coverage report on the affected files.
Say /test pull-tekton-chains-go-coverage to re-run this coverage report

File Old Coverage New Coverage Delta
pkg/artifacts/signable.go 74.1% 74.7% 0.6
pkg/chains/formats/slsa/internal/material/material.go 84.1% 84.8% 0.7
pkg/chains/formats/slsa/v2alpha2/internal/resolved_dependencies/resolved_dependencies.go Do not exist 80.9%

@tekton-robot tekton-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label May 15, 2023
@chitrangpatel chitrangpatel force-pushed the resolved-dependencies branch from bdd3afe to b81fb75 Compare May 18, 2023 15:45
@tekton-robot tekton-robot added size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. and removed size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. labels May 18, 2023
Member

@chuangw6 chuangw6 left a comment


Thank you @chitrangpatel for the refactor! Much cleaner now!

One general comment I have is that it would be great if we can have a consistent way to collect the list of materials/resolvedDependencies throughout the helper functions.

Currently, there are three categories:

  • some functions just receive *[]common.ProvenanceMaterials as an argument and mutate it.
  • some receive the []common.ProvenanceMaterials but also return []common.ProvenanceMaterials
  • some functions just return a new []common.ProvenanceMaterials without receiving a list of materials.

@tekton-robot

The following is the coverage report on the affected files.
Say /test pull-tekton-chains-go-coverage to re-run this coverage report

File Old Coverage New Coverage Delta
pkg/artifacts/signable.go 74.1% 73.8% -0.3
pkg/chains/formats/slsa/internal/material/material.go 84.3% 95.9% 11.6
pkg/chains/formats/slsa/v1/pipelinerun/pipelinerun.go 77.2% 79.6% 2.4
pkg/chains/formats/slsa/v2alpha2/internal/resolved_dependencies/resolved_dependencies.go Do not exist 86.2%

@chitrangpatel
Contributor Author

Thank you @chitrangpatel for the refactor! Much cleaner now!

One general comment I have is that it would be great if we can have a consistent way to collect the list of materials/resolvedDependencies throughout the helper functions.

Currently, there are three categories:

  • some functions just receive []*common.ProvenanceMaterials as an argument and mutate it.
  • some receive the []common.ProvenanceMaterials but also return []common.ProvenanceMaterials
  • some functions just return a new []common.ProvenanceMaterials without receiving a list of materials.

That's a good idea. Since it's a lot of refactoring, I suggest we do this in a follow-up PR since it does not fit well with this.

@chitrangpatel chitrangpatel force-pushed the resolved-dependencies branch 2 times, most recently from da261c3 to d84a8a8 Compare May 18, 2023 17:58
@tekton-robot

The following is the coverage report on the affected files.
Say /test pull-tekton-chains-go-coverage to re-run this coverage report

File Old Coverage New Coverage Delta
pkg/artifacts/signable.go 74.1% 73.8% -0.3
pkg/chains/formats/slsa/internal/material/material.go 84.3% 95.9% 11.7
pkg/chains/formats/slsa/v1/pipelinerun/pipelinerun.go 77.2% 79.6% 2.4
pkg/chains/formats/slsa/v2alpha2/internal/resolved_dependencies/resolved_dependencies.go Do not exist 86.8%

@chitrangpatel chitrangpatel force-pushed the resolved-dependencies branch from d84a8a8 to a458fb2 Compare May 18, 2023 18:28
@tekton-robot

The following is the coverage report on the affected files.
Say /test pull-tekton-chains-go-coverage to re-run this coverage report

File Old Coverage New Coverage Delta
pkg/artifacts/signable.go 74.1% 73.8% -0.3
pkg/chains/formats/slsa/internal/material/material.go 84.3% 95.9% 11.7
pkg/chains/formats/slsa/v1/pipelinerun/pipelinerun.go 77.2% 79.6% 2.4
pkg/chains/formats/slsa/v2alpha2/internal/resolved_dependencies/resolved_dependencies.go Do not exist 86.8%

@chitrangpatel chitrangpatel force-pushed the resolved-dependencies branch from a458fb2 to bd46e56 Compare May 18, 2023 19:05
@tekton-robot

The following is the coverage report on the affected files.
Say /test pull-tekton-chains-go-coverage to re-run this coverage report

File Old Coverage New Coverage Delta
pkg/artifacts/signable.go 74.1% 73.8% -0.3
pkg/chains/formats/slsa/internal/material/material.go 84.3% 95.9% 11.7
pkg/chains/formats/slsa/v1/pipelinerun/pipelinerun.go 77.2% 79.6% 2.4
pkg/chains/formats/slsa/v2alpha2/internal/resolved_dependencies/resolved_dependencies.go Do not exist 86.8%

@chitrangpatel chitrangpatel force-pushed the resolved-dependencies branch from bd46e56 to 2e25eaf Compare May 18, 2023 19:18
@tekton-robot

The following is the coverage report on the affected files.
Say /test pull-tekton-chains-go-coverage to re-run this coverage report

File Old Coverage New Coverage Delta
pkg/artifacts/signable.go 74.1% 73.8% -0.3
pkg/chains/formats/slsa/internal/material/material.go 84.3% 95.9% 11.7
pkg/chains/formats/slsa/v1/pipelinerun/pipelinerun.go 77.2% 79.6% 2.4
pkg/chains/formats/slsa/v2alpha2/internal/resolved_dependencies/resolved_dependencies.go Do not exist 86.8%

Contributor

@lcarva lcarva left a comment


/lgtm

Left a couple of minor comments that are non-blocking.

mats := []common.ProvenanceMaterial{}

// add step and sidecar images
if err := material.AddStepImagesToMaterials(tro.Status.Steps, &mats); err != nil {
Contributor


I'm a bit concerned that some of the functions in material take a pointer address to a materials slice, like this one, for two reasons:

  1. It seems bad practice to pass a slice pointer around.
  2. Other functions on the materials package deal with adding things to materials but don't take a pre-existing slice, e.g. AddMaterialsFromTaskParamsAndResults.

How about something like this?

allMaterials := []common.ProvenanceMaterial{}

mats, err := material.FromStepImages(tro.Status.Steps)
if err != nil {...}
allMaterials = append(allMaterials, mats...)

Contributor Author

@chitrangpatel chitrangpatel May 19, 2023


Agreed! @chuangw6 pointed this out as well. But it's better left as its own cleanup PR which I will do after this.

@tekton-robot tekton-robot added the lgtm Indicates that a PR is ready to be merged. label May 19, 2023
This PR introduces resolved dependencies for the SLSAv1.0 predicate.
It addresses part of issue tektoncd#797
@chitrangpatel chitrangpatel force-pushed the resolved-dependencies branch from 2e25eaf to d814bdf Compare May 19, 2023 19:12
@tekton-robot tekton-robot removed the lgtm Indicates that a PR is ready to be merged. label May 19, 2023
@chitrangpatel
Contributor Author

@lcarva could you please lgtm it again? I implemented the nits you mentioned. Thanks!

@tekton-robot

The following is the coverage report on the affected files.
Say /test pull-tekton-chains-go-coverage to re-run this coverage report

File Old Coverage New Coverage Delta
pkg/artifacts/signable.go 74.1% 73.8% -0.3
pkg/chains/formats/slsa/internal/material/material.go 84.3% 95.8% 11.5
pkg/chains/formats/slsa/v1/pipelinerun/pipelinerun.go 77.2% 79.6% 2.4
pkg/chains/formats/slsa/v2alpha2/internal/resolved_dependencies/resolved_dependencies.go Do not exist 86.8%

@lcarva
Contributor

lcarva commented May 19, 2023

/lgtm

@wlynch, it looks like your comments have been addressed. Ok to merge this? (I'll hold off my approval for now)

@tekton-robot tekton-robot added the lgtm Indicates that a PR is ready to be merged. label May 19, 2023
Member

@wlynch wlynch left a comment


final nits, but I'll lgtm so we can get this in since we know there's other cleanup we want to do.

Thanks for making those changes. 🎉

/lgtm


func checkDigest(dig string) error {
// ParseDigest parses the digest string and returns the algorithm and hex section of the digest.
func ParseDigest(dig string) (algo_string string, hex string, err error) {
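Review bot: the named result `algo_string` in `ParseDigest` is snake_case, which Go naming convention discourages; `algo string` reads cleaner. Since this replaces the package-private `checkDigest`, keeping it unexported as `parseDigest` avoids widening the package API for an internal caller, and it is worth confirming that the returned hex part is checked for valid hex characters and for the length the algorithm implies, so a truncated or corrupted digest is rejected before it is carried into resolvedDependencies.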
Member


unexport

Comment on lines +109 to +110
for _, input := range tro.Spec.Resources.Inputs { //nolint:all //incompatible with pipelines v0.45
if input.ResourceSpec == nil || input.ResourceSpec.Type != backport.PipelineResourceTypeGit { //nolint:all //incompatible with pipelines v0.45
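Review bot: `//nolint:all` on these two lines silences every linter, not only the warning the comment is working around; scoping the directive to the linter that actually fires (for a deprecated-API warning, `//nolint:staticcheck`) keeps the remaining checks active on this code, and the trailing comment should state why the old `Resources.Inputs` path is still needed rather than just "incompatible".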
Member


nit

Suggested change
for _, input := range tro.Spec.Resources.Inputs { //nolint:all //incompatible with pipelines v0.45
if input.ResourceSpec == nil || input.ResourceSpec.Type != backport.PipelineResourceTypeGit { //nolint:all //incompatible with pipelines v0.45
for _, input := range tro.Spec.Resources.Inputs { //nolint:all // needed for pipelines < v0.45
if input.ResourceSpec == nil || input.ResourceSpec.Type != backport.PipelineResourceTypeGit { //nolint:all // needed for pipelines < v0.45
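An added Go example (not code from tekton chains) showing the helper shape lcarva suggests above, where a helper returns a fresh slice for the caller to append, together with a digest check in the spirit of the ParseDigest helper in wlynch's review. ProvenanceMaterial, the image-ID format and the accepted algorithms are constructed assumptions here, not Tekton's types or API.

```go
package main
import (
	"encoding/hex"
	"fmt"
	"strings"
)

// ProvenanceMaterial is a constructed stand-in for common.ProvenanceMaterial:
// a URI plus digests keyed by algorithm, the shape SLSA resolvedDependencies use.
type ProvenanceMaterial struct {
	URI    string
	Digest map[string]string
}

// parseDigest splits "algo:hex" and rejects a hex part that does not decode to the
// byte length the algorithm implies, so a truncated digest never reaches provenance.
func parseDigest(dig string) (string, string, error) {
	algo, hexPart, ok := strings.Cut(dig, ":")
	want := map[string]int{"sha256": 32, "sha512": 64}[algo] // bytes the algorithm implies
	if !ok || want == 0 {
		return "", "", fmt.Errorf("digest %q: missing or unsupported algorithm", dig)
	}
	if b, err := hex.DecodeString(hexPart); err != nil || len(b) != want {
		return "", "", fmt.Errorf("digest %q: %s needs %d hex bytes", dig, algo, want)
	}
	return algo, hexPart, nil
}

// fromImageIDs follows the pattern lcarva proposes: it returns a fresh slice instead of
// mutating a *[]ProvenanceMaterial argument. Image IDs are assumed to look like
// "docker-pullable://host/repo@sha256:<hex>" (a constructed format, not Tekton's API).
func fromImageIDs(imageIDs []string) ([]ProvenanceMaterial, error) {
	mats := []ProvenanceMaterial{}
	for _, id := range imageIDs {
		uri, dig, _ := strings.Cut(strings.TrimPrefix(id, "docker-pullable://"), "@")
		algo, hexPart, err := parseDigest(dig) // an id without "@" fails here with dig == ""
		if err != nil {
			return nil, fmt.Errorf("image id %q: %w", id, err)
		}
		mats = append(mats, ProvenanceMaterial{URI: uri, Digest: map[string]string{algo: hexPart}})
	}
	return mats, nil
}

func main() {
	// Constructed sample; the caller appends into its own aggregate, as lcarva sketches.
	mats, err := fromImageIDs([]string{"docker-pullable://gcr.io/example/step@sha256:" + strings.Repeat("ab", 32)})
	fmt.Println(append([]ProvenanceMaterial{}, mats...), err)
}
```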

@tekton-robot

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: wlynch


@tekton-robot tekton-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label May 19, 2023
@tekton-robot tekton-robot merged commit b8384e6 into tektoncd:main May 19, 2023