From 655e13c5766bc20c1078c3b4dde05d0c988dcdf3 Mon Sep 17 00:00:00 2001
From: Miguel Martinez
Date: Tue, 15 Apr 2025 13:10:56 +0200
Subject: [PATCH 1/2] feat: add main component info

Signed-off-by: Miguel Martinez
---
 pkg/attestation/renderer/chainloop/chainloop.go | 17 +++++++++++++++++
 pkg/attestation/renderer/chainloop/v02.go | 17 ++++++++++++++++-
 2 files changed, 33 insertions(+), 1 deletion(-)

diff --git a/pkg/attestation/renderer/chainloop/chainloop.go b/pkg/attestation/renderer/chainloop/chainloop.go
index 3a4655ab0..98894deaa 100644
--- a/pkg/attestation/renderer/chainloop/chainloop.go
+++ b/pkg/attestation/renderer/chainloop/chainloop.go
@@ -75,6 +75,23 @@ type NormalizedMaterial struct {
 	EmbeddedInline bool
 	// Custom annotations
 	Annotations map[string]string
+	// Referenced source component, for SBOMs, SARIF files, etc
+	ReferencedSourceComponent *ReferencedSourceComponent
+}
+
+// Some materials such as SBOMs might have been generated from a source component
+// For example, you might have generated an SBOM for a container image and this is the ifnormation
+// name": "ghcr.io/chainloop-dev/chainloop/cli",
+// type": "container",
+// version": "sha256:bbfd27fcdb15c8082951dc59be2310a2a2e6b95e11002f8411e5918887faa607",
+type ReferencedSourceComponent struct {
+	// i.e container, file
+	Type string `json:"type"`
+	// i.e ghcr.io/chainloop-dev/chainloop/cli
+	Name string `json:"name"`
+	// i.e sha256:bbfd27fcdb15c8082951dc59be2310a2a2e6b95e11002f8411e5918887faa607
+	// or a tag i.e v0.1.0
+	Version string `json:"version"`
+}
 
 type ProvenancePredicateCommon struct {
diff --git a/pkg/attestation/renderer/chainloop/v02.go b/pkg/attestation/renderer/chainloop/v02.go
index bb07de20a..fdf9579e9 100644
--- a/pkg/attestation/renderer/chainloop/v02.go
+++ b/pkg/attestation/renderer/chainloop/v02.go
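Review bot: The doc comment on the new exported type `ReferencedSourceComponent` does not start with the type name and its JSON example is malformed (the opening quotes on `name`, `type` and `version` are missing, and "ifnormation" is a typo), so godoc will show a broken example. Suggest replacing the five-line comment with one that opens `// ReferencedSourceComponent identifies the subject (e.g. a container image or a file) that a material such as an SBOM or SARIF report was generated from, as declared by the material's annotations.` followed by a properly quoted example object. The field comments use `i.e` where `e.g.` is meant, and since `Version` may be a mutable tag (`v0.1.0`) as well as a digest, the field should say which form actually pins the component, `// Version is the component version: a digest such as sha256:... pins it, a tag such as v0.1.0 does not`. The struct `NormalizedMaterial` that receives the new pointer field starts before this hunk.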
@@ -395,7 +395,9 @@ func (p *ProvenancePredicateV02) GetPolicyEvaluationStatus() *PolicyEvaluationSt
 
 // Translate a ResourceDescriptor to a NormalizedMaterial
 func normalizeMaterial(material *intoto.ResourceDescriptor) (*NormalizedMaterial, error) {
-	m := &NormalizedMaterial{}
+	m := &NormalizedMaterial{
+		ReferencedSourceComponent: &ReferencedSourceComponent{},
+	}
 
 	// Set custom annotations
 	m.Annotations = make(map[string]string)
@@ -471,6 +473,19 @@ func normalizeMaterial(material *intoto.ResourceDescriptor) (*NormalizedMaterial
 		m.Tag = v.GetStringValue()
 	}
 
+	// Extract the referenced source component
+	if v, ok := mAnnotationsMap[v1.AnnotationsSBOMMainComponentName]; ok && v.GetStringValue() != "" {
+		m.ReferencedSourceComponent.Name = v.GetStringValue()
+	}
+
+	if v, ok := mAnnotationsMap[v1.AnnotationsSBOMMainComponentVersion]; ok && v.GetStringValue() != "" {
+		m.ReferencedSourceComponent.Version = v.GetStringValue()
+	}
+
+	if v, ok := mAnnotationsMap[v1.AnnotationsSBOMMainComponentType]; ok && v.GetStringValue() != "" {
+		m.ReferencedSourceComponent.Type = v.GetStringValue()
+	}
+
 	// In the case of an artifact type or derivative the filename is set and the inline content if any
 	if m.EmbeddedInline || m.UploadedToCAS {
 		m.Filename = material.Name
From 5e0e8634e5a4bc3582b061f58f204dcb0a22eca6 Mon Sep 17 00:00:00 2001
From: Miguel Martinez
Date: Tue, 15 Apr 2025 13:54:56 +0200
Subject: [PATCH 2/2] feat: add main component info

Signed-off-by: Miguel Martinez
---
 pkg/attestation/renderer/chainloop/v02.go | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)

diff --git a/pkg/attestation/renderer/chainloop/v02.go b/pkg/attestation/renderer/chainloop/v02.go
index fdf9579e9..1411097da 100644
--- a/pkg/attestation/renderer/chainloop/v02.go
+++ b/pkg/attestation/renderer/chainloop/v02.go
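Review bot: The three new values are copied verbatim from the material's annotations with no validation: `Type` is not checked against the values the struct documents (`container`, `file`) and `Version` is not checked to be either a digest or a tag, so whatever the attestor wrote lands in `NormalizedMaterial` unchanged. As far as this hunk shows, nothing cross-checks the name or version against the SBOM's own metadata either, so consumers (policies, renderers) should treat these fields as the attestor's claim rather than a verified binding. If the renderer has a closed set of component types, a `switch` on the type value that rejects or clears unknown ones belongs here, e.g. `default: return nil, fmt.Errorf("unknown source component type %q", t)`; if the set is open, the field docs should state that the value is free-form and unvalidated. `normalizeMaterial` starts and ends outside this hunk.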
@@ -395,9 +395,7 @@ func (p *ProvenancePredicateV02) GetPolicyEvaluationStatus() *PolicyEvaluationSt
 
 // Translate a ResourceDescriptor to a NormalizedMaterial
 func normalizeMaterial(material *intoto.ResourceDescriptor) (*NormalizedMaterial, error) {
-	m := &NormalizedMaterial{
-		ReferencedSourceComponent: &ReferencedSourceComponent{},
-	}
+	m := &NormalizedMaterial{}
 
 	// Set custom annotations
 	m.Annotations = make(map[string]string)
@@ -475,15 +473,17 @@ func normalizeMaterial(material *intoto.ResourceDescriptor) (*NormalizedMaterial
 
 	// Extract the referenced source component
 	if v, ok := mAnnotationsMap[v1.AnnotationsSBOMMainComponentName]; ok && v.GetStringValue() != "" {
-		m.ReferencedSourceComponent.Name = v.GetStringValue()
-	}
+		m.ReferencedSourceComponent = &ReferencedSourceComponent{
+			Name: v.GetStringValue(),
+		}
 
-	if v, ok := mAnnotationsMap[v1.AnnotationsSBOMMainComponentVersion]; ok && v.GetStringValue() != "" {
-		m.ReferencedSourceComponent.Version = v.GetStringValue()
-	}
+		if v, ok := mAnnotationsMap[v1.AnnotationsSBOMMainComponentVersion]; ok && v.GetStringValue() != "" {
+			m.ReferencedSourceComponent.Version = v.GetStringValue()
+		}
 
-	if v, ok := mAnnotationsMap[v1.AnnotationsSBOMMainComponentType]; ok && v.GetStringValue() != "" {
-		m.ReferencedSourceComponent.Type = v.GetStringValue()
+		if v, ok := mAnnotationsMap[v1.AnnotationsSBOMMainComponentType]; ok && v.GetStringValue() != "" {
+			m.ReferencedSourceComponent.Type = v.GetStringValue()
+		}
 	}
 
 	// In the case of an artifact type or derivative the filename is set and the inline content if any
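Review bot: After this change `m.ReferencedSourceComponent` stays nil unless the name annotation is present, but the field comment in chainloop.go still reads as if it were always populated, and every consumer of `NormalizedMaterial` must now nil-check before touching `.Name`; the field should say so, `// ReferencedSourceComponent is nil when the material carries no main-component annotations`. The nested `if v, ok :=` on the version and type lookups shadow the outer `v, ok` from the name lookup, which is legal but easy to misread; renaming the outer pair, `if name, ok := mAnnotationsMap[v1.AnnotationsSBOMMainComponentName]; ok && name.GetStringValue() != "" {` and `Name: name.GetStringValue(),`, removes the ambiguity. Version or type annotations that arrive without a name are now silently dropped; if that is not intended, a log line or a returned error at the top of the block would make it visible instead of producing a material with no component. `normalizeMaterial` starts and ends outside this hunk.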