feat: add SARIF format support (#362)

Signed-off-by: Miguel Martinez Trivino <miguel@chainloop.dev>

Author: migmartri

README.md

@@ -128,6 +128,7 @@ Chainloop supports the collection of the following pieces of evidence types:
 - [SPDX SBOM](https://spdx.dev/specifications/)
 - [CSAF VEX](https://docs.oasis-open.org/csaf/csaf/v2.0/os/csaf-v2.0-os.html)
 - [OpenVEX](https://github.com/openvex)
+- [SARIF](https://docs.oasis-open.org/sarif/sarif/v2.1.0/)
 - [JUnit](https://www.ibm.com/docs/en/developer-for-zos/14.1?topic=formats-junit-xml-format)
 - Generic Artifact Types
 - Key-Value metadata pairs

app/controlplane/api/gen/frontend/workflowcontract/v1/crafting_schema.ts

@@ -71,6 +71,9 @@ message CraftingSchema {
       OPENVEX = 7;
       // https://docs.oasis-open.org/csaf/csaf/v2.0/cs03/csaf-v2.0-cs03.html
       CSAF_VEX = 8;
+      // Static analysis output format
+      // https://github.com/microsoft/sarif-tutorials/blob/main/docs/1-Introduction.md
+      SARIF = 9;
     }
   }
 }

app/controlplane/api/workflowcontract/v1/crafting_schema.pb.go

@@ -214,6 +214,7 @@ require (
 	github.com/opencontainers/go-digest v1.0.0 // indirect
 	github.com/opencontainers/runc v1.1.9 // indirect
 	github.com/opentracing/opentracing-go v1.2.0 // indirect
+	github.com/owenrumney/go-sarif v1.1.1
 	github.com/pelletier/go-toml/v2 v2.0.9 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect

app/controlplane/api/workflowcontract/v1/crafting_schema.proto

@@ -957,6 +957,8 @@ github.com/openzipkin-contrib/zipkin-go-opentracing v0.4.5/go.mod h1:/wsWhb9smxS
 github.com/openzipkin/zipkin-go v0.1.6/go.mod h1:QgAqvLzwWbR/WpD4A3cGpPtJrZXNIiJc5AZX7/PBEpw=
 github.com/openzipkin/zipkin-go v0.2.1/go.mod h1:NaW6tEwdmWMaCDZzg8sh+IBNOxHMPnhQw8ySjnjRyN4=
 github.com/openzipkin/zipkin-go v0.2.2/go.mod h1:NaW6tEwdmWMaCDZzg8sh+IBNOxHMPnhQw8ySjnjRyN4=
+github.com/owenrumney/go-sarif v1.1.1 h1:QNObu6YX1igyFKhdzd7vgzmw7XsWN3/6NMGuDzBgXmE=
+github.com/owenrumney/go-sarif v1.1.1/go.mod h1:dNDiPlF04ESR/6fHlPyq7gHKmrM0sHUvAGjsoh8ZH0U=
 github.com/package-url/packageurl-go v0.1.1 h1:KTRE0bK3sKbFKAk3yy63DpeskU7Cvs/x/Da5l+RtzyU=
 github.com/package-url/packageurl-go v0.1.1/go.mod h1:uQd4a7Rh3ZsVg5j0lNyAfyxIeGde9yrlhjF78GzeW0c=
 github.com/pact-foundation/pact-go v1.0.4/go.mod h1:uExwJY4kCzNPcHRj+hCR/HBbOOIwwtUjcrb0b5/5kLM=
@@ -1205,6 +1207,7 @@ github.com/zalando/go-keyring v0.2.2 h1:f0xmpYiSrHtSNAVgwip93Cg8tuF45HJM6rHq/A5R
 github.com/zalando/go-keyring v0.2.2/go.mod h1:sI3evg9Wvpw3+n4SqplGSJUMwtDeROfD4nsFz4z9PG0=
 github.com/zclconf/go-cty v1.2.0/go.mod h1:hOPWgoHbaTUnI5k4D2ld+GRpFJSCe6bCM7m1q/N4PQ8=
 github.com/zclconf/go-cty v1.8.0/go.mod h1:vVKLxnk3puL4qRAv72AO+W99LUD4da90g3uUAzyuvAk=
+github.com/zclconf/go-cty v1.10.0/go.mod h1:vVKLxnk3puL4qRAv72AO+W99LUD4da90g3uUAzyuvAk=
 github.com/zclconf/go-cty v1.13.3 h1:m+b9q3YDbg6Bec5rr+KGy1MzEVzY/jC2X+YX4yqKtHI=
 github.com/zclconf/go-cty v1.13.3/go.mod h1:YKQzy/7pZ7iq2jNFzy5go57xdxdWoLLpaEp4u238AE0=
 github.com/zclconf/go-cty-debug v0.0.0-20191215020915-b22d67c1ba0b/go.mod h1:ZRKQfBXbGkpdV6QMzT3rU1kSTAnfu1dO8dPKjYprgj8=

go.mod

@@ -160,6 +160,8 @@ func Craft(ctx context.Context, materialSchema *schemaapi.CraftingSchema_Materia
 		crafter, err = NewOpenVEXCrafter(materialSchema, casBackend, logger)
 	case schemaapi.CraftingSchema_Material_CSAF_VEX:
 		crafter, err = NewCSAFVEXCrafter(materialSchema, casBackend, logger)
+	case schemaapi.CraftingSchema_Material_SARIF:
+		crafter, err = NewSARIFCrafter(materialSchema, casBackend, logger)
 	default:
 		return nil, fmt.Errorf("material of type %q not supported yet", materialSchema.Type)
 	}

go.sum

@@ -0,0 +1,58 @@
+//
+// Copyright 2023 The Chainloop Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package materials
+
+import (
+	"context"
+	"fmt"
+
+	api "github.com/chainloop-dev/chainloop/app/cli/api/attestation/v1"
+	schemaapi "github.com/chainloop-dev/chainloop/app/controlplane/api/workflowcontract/v1"
+	"github.com/chainloop-dev/chainloop/internal/casclient"
+	"github.com/owenrumney/go-sarif/sarif"
+	"github.com/rs/zerolog"
+)
+
+type SARIFCrafter struct {
+	backend *casclient.CASBackend
+	*crafterCommon
+}
+
+func NewSARIFCrafter(materialSchema *schemaapi.CraftingSchema_Material, backend *casclient.CASBackend, l *zerolog.Logger) (*SARIFCrafter, error) {
+	if materialSchema.Type != schemaapi.CraftingSchema_Material_SARIF {
+		return nil, fmt.Errorf("material type is not SARIF format")
+	}
+
+	return &SARIFCrafter{
+		backend:       backend,
+		crafterCommon: &crafterCommon{logger: l, input: materialSchema},
+	}, nil
+}
+
+func (i *SARIFCrafter) Craft(ctx context.Context, filepath string) (*api.Attestation_Material, error) {
+	i.logger.Debug().Str("path", filepath).Msg("decoding SARIF file")
+	doc, err := sarif.Open(filepath)
+	// parse doesn't fail if the provided file is a valid JSON, but not a valid CSAF VEX file
+	if err != nil || doc.Schema == "" {
+		if err != nil {
+			i.logger.Debug().Err(err).Msg("error decoding file")
+		}
+
+		return nil, fmt.Errorf("invalid SARIF file: %w", ErrInvalidMaterialType)
+	}
+
+	return uploadAndCraft(ctx, i.input, i.backend, filepath, i.logger)
+}

internal/attestation/crafter/materials/materials.go

@@ -0,0 +1,132 @@
+//
+// Copyright 2023 The Chainloop Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+//nolint:dupl
+package materials_test
+
+import (
+	"context"
+	"testing"
+
+	attestationApi "github.com/chainloop-dev/chainloop/app/cli/api/attestation/v1"
+	contractAPI "github.com/chainloop-dev/chainloop/app/controlplane/api/workflowcontract/v1"
+	"github.com/chainloop-dev/chainloop/internal/attestation/crafter/materials"
+	"github.com/chainloop-dev/chainloop/internal/casclient"
+	mUploader "github.com/chainloop-dev/chainloop/internal/casclient/mocks"
+	"github.com/rs/zerolog"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestNewSARIFCrafter(t *testing.T) {
+	testCases := []struct {
+		name    string
+		input   *contractAPI.CraftingSchema_Material
+		wantErr bool
+	}{
+		{
+			name: "happy path",
+			input: &contractAPI.CraftingSchema_Material{
+				Type: contractAPI.CraftingSchema_Material_SARIF,
+			},
+		},
+		{
+			name: "wrong type",
+			input: &contractAPI.CraftingSchema_Material{
+				Type: contractAPI.CraftingSchema_Material_CONTAINER_IMAGE,
+			},
+			wantErr: true,
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			_, err := materials.NewSARIFCrafter(tc.input, nil, nil)
+			if tc.wantErr {
+				assert.Error(t, err)
+				return
+			}
+
+			assert.NoError(t, err)
+		})
+	}
+}
+
+func TestSARIFCraft(t *testing.T) {
+	testCases := []struct {
+		name     string
+		filePath string
+		wantErr  string
+	}{
+		{
+			name:     "non-expected json file",
+			filePath: "./testdata/sbom.cyclonedx.json",
+			wantErr:  "unexpected material type",
+		},
+		{
+			name:     "invalid path",
+			filePath: "./testdata/non-existing.json",
+			wantErr:  "unexpected material type",
+		},
+		{
+			name:     "invalid artifact type",
+			filePath: "./testdata/simple.txt",
+			wantErr:  "unexpected material type",
+		},
+		{
+			name:     "valid artifact type",
+			filePath: "./testdata/report.sarif",
+		},
+	}
+
+	assert := assert.New(t)
+	schema := &contractAPI.CraftingSchema_Material{
+		Name: "test",
+		Type: contractAPI.CraftingSchema_Material_SARIF,
+	}
+	l := zerolog.Nop()
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			// Mock uploader
+			uploader := mUploader.NewUploader(t)
+			if tc.wantErr == "" {
+				uploader.On("UploadFile", context.TODO(), tc.filePath).
+					Return(&casclient.UpDownStatus{
+						Digest:   "deadbeef",
+						Filename: "report.sarif",
+					}, nil)
+			}
+
+			backend := &casclient.CASBackend{Uploader: uploader}
+			crafter, err := materials.NewSARIFCrafter(schema, backend, &l)
+			require.NoError(t, err)
+
+			got, err := crafter.Craft(context.TODO(), tc.filePath)
+			if tc.wantErr != "" {
+				assert.ErrorContains(err, tc.wantErr)
+				return
+			}
+			require.NoError(t, err)
+
+			assert.Equal(contractAPI.CraftingSchema_Material_SARIF.String(), got.MaterialType.String())
+			assert.True(got.UploadedToCas)
+
+			// // The result includes the digest reference
+			assert.Equal(&attestationApi.Attestation_Material_Artifact{
+				Id: "test", Digest: "sha256:c4a63494f9289dd9fd44f841efb4f5b52765c2de6332f2d86e5f6c0340b40a95", Name: "report.sarif",
+			}, got.GetArtifact())
+		})
+	}
+}