Merge branch 'main' into fixing-ca-path

Signed-off-by: John Kjell <john@testifysec.com>

.github/workflows/codeql.yml

@@ -50,15 +50,15 @@ jobs:
           egress-policy: audit
 
       - name: Checkout repository
-        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
+        uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
 
       - name: Setup Go
-        uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
+        uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
         with:
           go-version: 1.21.x
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@d39d31e687223d841ef683f52467bd88e9b21c14 # v3.25.3
+        uses: github/codeql-action/init@ccf74c947955fd1cf117aef6a0e4e66191ef6f61 # v3.25.4
         with:
           languages: ${{ matrix.language }}
           # If you wish to specify custom queries, you can do so here or in a config file.
@@ -68,7 +68,7 @@ jobs:
       # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
       # If this step fails, then you should remove it and run the build manually (see below)
       - name: Autobuild
-        uses: github/codeql-action/autobuild@d39d31e687223d841ef683f52467bd88e9b21c14 # v3.25.3
+        uses: github/codeql-action/autobuild@ccf74c947955fd1cf117aef6a0e4e66191ef6f61 # v3.25.4
 
       # ℹ️ Command-line programs to run using the OS shell.
       # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
@@ -81,6 +81,6 @@ jobs:
       #   ./location_of_script_within_repo/buildscript.sh
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@d39d31e687223d841ef683f52467bd88e9b21c14 # v3.25.3
+        uses: github/codeql-action/analyze@ccf74c947955fd1cf117aef6a0e4e66191ef6f61 # v3.25.4
         with:
           category: "/language:${{matrix.language}}"

.github/workflows/dependency-review.yml

@@ -22,6 +22,6 @@ jobs:
           egress-policy: audit
 
       - name: 'Checkout Repository'
-        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
+        uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
       - name: 'Dependency Review'
         uses: actions/dependency-review-action@0c155c5e8556a497adf53f2c18edabf945ed8e70 # v4.3.2

.github/workflows/fossa.yml

@@ -20,7 +20,7 @@ jobs:
       steps:
         - if: ${{ env.FOSSA_API_KEY != '' }}
           name: "Checkout Code"
-          uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
+          uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
         - if: ${{ env.FOSSA_API_KEY != '' }}
           name: "Run FOSSA Scan"
           uses: fossas/fossa-action@47ef11b1e1e3812e88dae436ccbd2d0cbd1adab0 # v1.3.3

.github/workflows/golangci-lint.yml

@@ -20,9 +20,9 @@ jobs:
     name: lint
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
+      - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
       - name: golangci-lint
-        uses: golangci/golangci-lint-action@38e1018663fa5173f3968ea0777460d3de38f256 # v5.3.0
+        uses: golangci/golangci-lint-action@a4f60bb28d35aeee14e6880718e0c85ff1882e64 # v6.0.1
         with:
           version: latest
           args: --timeout=3m

.github/workflows/release.yml

@@ -94,7 +94,7 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
+        uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
         with:
           fetch-depth: 0
 

.github/workflows/scorecard.yml

@@ -43,12 +43,12 @@ jobs:
 
     steps:
       - name: "Checkout code"
-        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
+        uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
         with:
           persist-credentials: false
 
       - name: "Run analysis"
-        uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736
+        uses: ossf/scorecard-action@dc50aa9510b46c811795eb24b2f1ba02a914e534
         with:
           results_file: results.sarif
           results_format: sarif
@@ -75,6 +75,6 @@ jobs:
 
       # Upload the results to GitHub's code scanning dashboard.
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@d39d31e687223d841ef683f52467bd88e9b21c14 # tag=v3.25.3
+        uses: github/codeql-action/upload-sarif@ccf74c947955fd1cf117aef6a0e4e66191ef6f61 # tag=v3.25.4
         with:
           sarif_file: results.sarif

.github/workflows/verify-docgen.yml

@@ -13,7 +13,7 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
+      - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
       - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
         with:
           go-version: "1.21.x"

.github/workflows/verify-licence.yml

@@ -12,7 +12,7 @@ jobs:
     name: license boilerplate check
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
+      - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
       - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
         with:
           go-version: "1.21.x"

.github/workflows/witness.yml

@@ -50,7 +50,7 @@ jobs:
           contents: read
           id-token: write
         steps:
-          - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
+          - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
           - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
             with:
               go-version: 1.21.x

cmd/attestors.go

@@ -15,7 +15,9 @@
 package cmd
 
 import (
+	"bytes"
 	"context"
+	"encoding/json"
 	"fmt"
 	"os"
 
@@ -27,21 +29,48 @@ import (
 
 func AttestorsCmd() *cobra.Command {
 	cmd := &cobra.Command{
-		Use:               "attestors",
+		Use:   "attestors",
+		Short: "Get information about available attestors",
+		Long:  "Get information about all the available attestors in Witness",
+	}
+
+	cmd.AddCommand(SchemaCmd())
+	cmd.AddCommand(ListCmd())
+
+	return cmd
+}
+
+func ListCmd() *cobra.Command {
+	cmd := &cobra.Command{
+		Use:               "list",
 		Short:             "List all available attestors",
 		Long:              "Lists all the available attestors in Witness with supporting information",
 		SilenceErrors:     true,
 		SilenceUsage:      true,
 		DisableAutoGenTag: true,
 		RunE: func(cmd *cobra.Command, args []string) error {
-			return runAttestors(cmd.Context())
+			return runList(cmd.Context())
 		},
 	}
+	return cmd
+}
 
+func SchemaCmd() *cobra.Command {
+	cmd := &cobra.Command{
+		Use:               "schema",
+		Short:             "Show the JSON schema of a specific attestor",
+		Long:              "Print the JSON schema of the predicate that the specified attestor generates",
+		SilenceErrors:     true,
+		SilenceUsage:      true,
+		DisableAutoGenTag: true,
+		RunE: func(cmd *cobra.Command, args []string) error {
+			return runSchema(cmd.Context(), args)
+		},
+	}
 	return cmd
 }
 
-func runAttestors(ctx context.Context) error {
+func runList(ctx context.Context) error {
 	items := [][]string{}
 	entries := attestation.RegistrationEntries()
 	for _, entry := range entries {
@@ -73,3 +102,33 @@ func runAttestors(ctx context.Context) error {
 
 	return nil
 }
+
+func runSchema(ctx context.Context, args []string) error {
+	if len(args) == 0 {
+		return fmt.Errorf("You must specify an attestor to view the schema of. Use 'witness attestors' for a list of available attestors.")
+	} else if len(args) > 1 {
+		return fmt.Errorf("You can only get one attestor schema at a time.")
+	}
+
+	attestor, err := attestation.GetAttestor(args[0])
+	if err != nil {
+		return fmt.Errorf("Error getting attestor: %w", err)
+	}
+
+	schema := attestor.Schema()
+	schemaJson, err := schema.MarshalJSON()
+	if err != nil {
+		return fmt.Errorf("Error marshalling JSON schema: %w", err)
+	}
+
+	var indented bytes.Buffer
+	err = json.Indent(&indented, schemaJson, "", "  ")
+	if err != nil {
+		fmt.Println("Error marshalling JSON schema:", err)
+		os.Exit(1)
+	}
+
+	fmt.Print(indented.String())
+
+	return nil
+}

docgen/docs.go

@@ -16,12 +16,18 @@ package main
 
 import (
 	"bytes"
+	"encoding/json"
 	"flag"
 	"fmt"
+	"log"
 	"os"
+	"strings"
 
 	"github.com/in-toto/witness/cmd"
 	"github.com/spf13/cobra/doc"
+
+	_ "github.com/in-toto/go-witness"
+	"github.com/in-toto/go-witness/attestation"
 )
 
 var directory string
@@ -32,6 +38,7 @@ func init() {
 }
 
 func main() {
+	log.Println("Generating CLI Reference documentation")
 	mdContent := "# Witness CLI Reference\n\nThis is the reference for the Witness command line tool, generated by [Cobra](https://cobra.dev/).\n\n"
 	// Generate markdown content for all commands
 	for _, command := range cmd.New().Commands() {
@@ -55,4 +62,64 @@ func main() {
 		fmt.Println("Error writing to file:", err)
 		os.Exit(1)
 	}
+
+	log.Println("Documentation generated successfully")
+
+	entries := attestation.RegistrationEntries()
+	for _, entry := range entries {
+		att := entry.Factory()
+		schema := att.Schema()
+		schemaJson, err := schema.MarshalJSON()
+		if err != nil {
+			fmt.Println("Error marshalling JSON schema:", err)
+			os.Exit(1)
+		}
+
+		var indented bytes.Buffer
+		err = json.Indent(&indented, schemaJson, "", "  ")
+		if err != nil {
+			fmt.Println("Error marshalling JSON schema:", err)
+			os.Exit(1)
+		}
+
+		schemaContent := "## Schema" + "\n```json\n" + indented.String() + "```\n"
+		err = os.WriteFile(fmt.Sprintf("%s/attestors/%s.json", directory, att.Name()), []byte(indented.String()+"\n "), 0644)
+		if err != nil {
+			fmt.Println("Error writing to file:", err)
+			os.Exit(1)
+		}
+		log.Printf("Schema for %s written to %s/attestors/%s.json\n", att.Name(), directory, att.Name())
+		f, err := os.ReadFile(fmt.Sprintf("%s/attestors/%s.md", directory, att.Name()))
+		if err != nil {
+			fmt.Println("Error reading file:", err)
+			os.Exit(1)
+		}
+
+		// Find the index of "## Schema" string
+		index := strings.Index(string(f), "## Schema")
+		if index == -1 {
+			f = append(f, schemaContent...)
+
+			err = os.WriteFile(fmt.Sprintf("%s/attestors/%s.md", directory, att.Name()), f, 0644)
+			if err != nil {
+				fmt.Println("Error writing to file:", err)
+				os.Exit(1)
+			}
+			continue
+		}
+
+		// Truncate the content to remove everything after "## Schema"
+		f = f[:index]
+
+		f = append(f, schemaContent...)
+
+		err = os.WriteFile(fmt.Sprintf("%s/attestors/%s.md", directory, att.Name()), f, 0644)
+		if err != nil {
+			fmt.Println("Error writing to file:", err)
+			os.Exit(1)
+		}
+
+		log.Printf("Schema for %s written to %s/attestors/%s.md\n", att.Name(), directory, att.Name())
+
+	}
 }

docgen/verify.sh

@@ -20,6 +20,10 @@ set -e
 tmpdir=$(mktemp -d)
 tmpdir2=$(mktemp -d)
 cp docs/commands.md "$tmpdir2/"
+mkdir "$tmpdir2/attestors"
+mkdir "$tmpdir/attestors"
+cp docs/attestors/* "$tmpdir2/attestors/"
+cp docs/attestors/*.md "$tmpdir/attestors/"
 go run ./docgen --dir "$tmpdir"
 echo "###########################################"
 echo "If diffs are found, run: make docgen"