
@migmartri migmartri commented Dec 19, 2024

Now, when we run att status or att push, you'll get not only the policy evaluations related to materials but also the attestation-level ones.

I've also lowered the level of some logger entries since now we show the info in the attestation result.

Init has not changed

$ chainloop att init --workflow test-sbom --project test --replace
INF Attestation initialized! now you can check its status or add materials to it
┌────────────────┬──────────────────────────────────────┐
│ Initialized At │ 19 Dec 24 21:45 UTC                  │
├────────────────┼──────────────────────────────────────┤
│ Attestation ID │ 49632035-10b7-4ff2-bd05-550651825b2f │
│ Organization   │ miguel                               │
│ Name           │ test-sbom                            │
│ Project        │ test                                 │
│ Version        │ v0.147.0 (prerelease)                │
│ Contract       │ test-test-sbom (revision 6)          │
└────────────────┴──────────────────────────────────────┘
$ chainloop att add --name sbom-2 --value ~/Desktop/result.cdx
INF uploading result.cdx - sha256:925ed5a789bad4bc2658ba371530bf3b80639be02d7acd9069c0e52690508132
INF material kind detected kind=SBOM_CYCLONEDX_JSON
INF material added to attestation

Status shows all the policy information

$ chainloop att status
┌────────────────┬─────────────────────────────────────────────────────────────────────────┐
│ Initialized At │ 19 Dec 24 21:45 UTC                                                     │
├────────────────┼─────────────────────────────────────────────────────────────────────────┤
│ Attestation ID │ 49632035-10b7-4ff2-bd05-550651825b2f                                    │
│ Organization   │ miguel                                                                  │
│ Name           │ test-sbom                                                               │
│ Project        │ test                                                                    │
│ Version        │ v0.147.0 (prerelease)                                                   │
│ Contract       │ test-test-sbom (revision 6)                                             │
│ Policies       │ ------                                                                  │
│                │ sbom-present: Ok                                                        │
│                │ material-present: no material found with type CONTAINER_IMAGE (1 times) │
└────────────────┴─────────────────────────────────────────────────────────────────────────┘
┌─────────────────────────────────────────────────────────────────────────┐
│ Materials                                                               │
├──────────┬──────────────────────────────────────────────────────────────┤
│ Name     │ sbom-2                                                       │
│ Type     │ SBOM_CYCLONEDX_JSON                                          │
│ Set      │ Yes                                                          │
│ Required │ No                                                           │
│ Policies │ ------                                                       │
│          │ sbom-ntia:                                                   │
│          │   - missing author                                           │
│          │   - missing supplier for 'alpine'                            │
│          │   - missing unique identifier (PURL, CPE, SWID) for 'alpine' │
│          │ sbom-banned-licenses: Ok                                     │
│          │ sbom-freshness: Ok                                           │
└──────────┴──────────────────────────────────────────────────────────────┘

and also push

$ chainloop att push
INF push completed
┌────────────────┬─────────────────────────────────────────────────────────────────────────┐
│ Initialized At │ 19 Dec 24 21:45 UTC                                                     │
├────────────────┼─────────────────────────────────────────────────────────────────────────┤
│ Attestation ID │ 49632035-10b7-4ff2-bd05-550651825b2f                                    │
│ Organization   │ miguel                                                                  │
│ Name           │ test-sbom                                                               │
│ Project        │ test                                                                    │
│ Version        │ v0.147.0 (prerelease)                                                   │
│ Contract       │ test-test-sbom (revision 6)                                             │
│ Policies       │ ------                                                                  │
│                │ sbom-present: Ok                                                        │
│                │ material-present: no material found with type CONTAINER_IMAGE (1 times) │
└────────────────┴─────────────────────────────────────────────────────────────────────────┘
┌────────────────────────────────────────────────────────────────────────────────────┐
│ Materials                                                                          │
├──────────┬─────────────────────────────────────────────────────────────────────────┤
│ Name     │ sbom-2                                                                  │
│ Type     │ SBOM_CYCLONEDX_JSON                                                     │
│ Set      │ Yes                                                                     │
│ Required │ No                                                                      │
│ Value    │ result.cdx                                                              │
│ Digest   │ sha256:925ed5a789bad4bc2658ba371530bf3b80639be02d7acd9069c0e52690508132 │
│ Policies │ ------                                                                  │
│          │ sbom-ntia:                                                              │
│          │   - missing author                                                      │
│          │   - missing supplier for 'alpine'                                       │
│          │   - missing unique identifier (PURL, CPE, SWID) for 'alpine'            │
│          │ sbom-banned-licenses: Ok                                                │
│          │ sbom-freshness: Ok                                                      │
└──────────┴─────────────────────────────────────────────────────────────────────────┘
Attestation Digest: sha256:90a3619280b63c3f12301a85dd59d754645982ea4dfa2be22e61209d8d66431c

refs #1616

Signed-off-by: Miguel Martinez <miguel@chainloop.dev>
@migmartri migmartri requested review from javirln and jiparis December 19, 2024 21:48
Annotations []*Annotation `json:"annotations"`
IsPushed bool `json:"isPushed"`
PolicyEvaluations map[string][]*PolicyEvaluation `json:"policy_evaluations,omitempty"`
HasPolicyViolations bool `json:"hasPolicyViolations"`
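Review bot: the JSON tag on `PolicyEvaluations` is snake_case (`policy_evaluations`) while the neighbouring fields on the same struct use camelCase (`isPushed`, `hasPolicyViolations`), so anyone scripting against the status JSON (for example the `jq .status.hasPolicyViolations` check below) has to mix both styles; consider `policyEvaluations` for consistency with the rest of the struct, or note the exception in a comment if it is intentional.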
Member Author:

This flag is to simplify checks on the JSON output

cat /tmp/foo.json | jq .status.hasPolicyViolations
true
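
To show what the new flag simplifies, here is an added example (not Chainloop's own code) of a small CI gate in Go that consumes the status JSON the comment above pipes into jq. It walks both the attestation-level and the per-material policy evaluations that `att status` now reports, recomputes the verdict from the individual evaluations, cross-checks it against `hasPolicyViolations`, and refuses to treat a skipped policy as a pass. The document shape is an assumption modelled on the struct fields and the `att status` table shown in this PR, not the CLI's real schema: the `policy_evaluations` map is assumed to be keyed by subject (`attestation` for attestation-level policies, otherwise the material name), the `violations`, `skipped` and `skipReasons` JSON fields are assumed names, and `SampleStatus` is constructed input.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// PolicyEvaluation mirrors the field names visible in this PR (Name, Skipped,
// SkipReasons). Violations and all JSON tags are assumptions made for this example.
type PolicyEvaluation struct {
	Name        string   `json:"name"`
	Violations  []string `json:"violations,omitempty"`
	Skipped     bool     `json:"skipped,omitempty"`
	SkipReasons []string `json:"skipReasons,omitempty"`
}

// Status models the struct touched by the PR: evaluations keyed by subject
// (assumed: "attestation" for attestation-level policies, otherwise the
// material name) plus the hasPolicyViolations summary flag.
type Status struct {
	PolicyEvaluations   map[string][]PolicyEvaluation `json:"policy_evaluations,omitempty"`
	HasPolicyViolations bool                          `json:"hasPolicyViolations"`
}

// Output is the top-level document; only the "status" key used by the jq call is modelled.
type Output struct {
	Status Status `json:"status"`
}

// Finding is one policy result worth reporting: a violation message or a skip.
type Finding struct {
	Subject, Policy, Message string
	Skipped                  bool
}

// CollectFindings flattens every evaluation, attestation-level and per material,
// into a deterministic list. Skipped evaluations are kept so that a policy that
// did not run is never mistaken for one that passed.
func CollectFindings(st *Status) []Finding {
	subjects := make([]string, 0, len(st.PolicyEvaluations))
	for s := range st.PolicyEvaluations {
		subjects = append(subjects, s)
	}
	sort.Strings(subjects)
	var out []Finding
	for _, s := range subjects {
		for _, ev := range st.PolicyEvaluations[s] {
			if ev.Skipped {
				out = append(out, Finding{Subject: s, Policy: ev.Name, Skipped: true,
					Message: fmt.Sprintf("skipped: %v", ev.SkipReasons)})
			}
			for _, msg := range ev.Violations {
				out = append(out, Finding{Subject: s, Policy: ev.Name, Message: msg})
			}
		}
	}
	return out
}

// Gate decides whether a pipeline may proceed. It recomputes the verdict from the
// individual evaluations and cross-checks it against hasPolicyViolations, so a
// summary flag that disagrees with the detail is reported as an error instead of
// being trusted. Skipped policies fail the gate when failOnSkipped is set.
func Gate(raw []byte, failOnSkipped bool) (pass bool, findings []Finding, err error) {
	var doc Output
	if err := json.Unmarshal(raw, &doc); err != nil {
		return false, nil, fmt.Errorf("parsing status json: %w", err)
	}
	findings = CollectFindings(&doc.Status)
	violations, skipped := 0, 0
	for _, f := range findings {
		if f.Skipped {
			skipped++
		} else {
			violations++
		}
	}
	if (violations > 0) != doc.Status.HasPolicyViolations {
		return false, findings, fmt.Errorf("hasPolicyViolations=%v but %d violation(s) listed",
			doc.Status.HasPolicyViolations, violations)
	}
	pass = violations == 0 && (!failOnSkipped || skipped == 0)
	return pass, findings, nil
}

// SampleStatus is a constructed document modelled on the `att status` table in
// the PR description (sbom-freshness is marked skipped here to exercise that
// path); it is not real CLI output.
const SampleStatus = `{"status":{"hasPolicyViolations":true,"policy_evaluations":{
  "attestation":[{"name":"sbom-present"},
                 {"name":"material-present","violations":["no material found with type CONTAINER_IMAGE"]}],
  "sbom-2":[{"name":"sbom-ntia","violations":["missing author","missing supplier for 'alpine'"]},
            {"name":"sbom-banned-licenses"},
            {"name":"sbom-freshness","skipped":true,"skipReasons":["no timestamp in SBOM"]}]}}}`

func main() {
	pass, findings, err := Gate([]byte(SampleStatus), true)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, f := range findings {
		fmt.Printf("%-12s %-22s %s\n", f.Subject, f.Policy, f.Message)
	}
	fmt.Println("gate passed:", pass)
}
```

The cross-check matters because `hasPolicyViolations` is a derived convenience field: a gate that only reads the flag has no way to notice if the flag and the detailed evaluations ever drift apart, whereas recomputing from the per-subject list costs nothing and also yields the human-readable list of findings for the CI log.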


// Render the in-toto statement without envelope nor validation so it can be used for example for policy evaluation
func (ab *AttestationRenderer) RenderStatement(ctx context.Context) (*intoto.Statement, error) {
statement, err := ab.renderer.Statement(ctx)
Member:

If I'm not wrong, this call is already evaluating policies, there's no need to evaluate them again.

Member Author:

let me double check

}

// Add attestation-level policy evaluations
attestationEvaluations, err := c.EvaluateAttestationPolicies(ctx, statement)
Member:

If statement comes from renderer.Statement(), then this call is not needed, because policies are already evaluated in that method.

Member Author:

I think you might be talking about Render, which is the final output as a DSSE envelope. renderer.Statement is a new method that doesn't have the policies yet, afaik

Member Author:

you were right, see the new change, thanks


if policyEval.Skipped {
logger.Warn().Msgf("policy evaluation skipped (%s) for %s. Reasons: %s", policyEval.Name, subject, policyEval.SkipReasons)
logger.Debug().Msgf("policy evaluation skipped (%s) for %s. Reasons: %s", policyEval.Name, subject, policyEval.SkipReasons)
Member:

This will prevent users from seeing these violations when doing an att add

@migmartri migmartri merged commit b1c037d into chainloop-dev:main Dec 20, 2024
13 checks passed
@migmartri migmartri deleted the evaluate-on-status branch December 20, 2024 11:40
aarlint pushed a commit to aarlint/chainloop that referenced this pull request Jan 3, 2025
…dev#1684)

Signed-off-by: Miguel Martinez <miguel@chainloop.dev>
Signed-off-by: Austin Arlint <aarlint@gmail.com>